Even though I'm not the only reporting attacks on MSSQL, I've had no shiny attacks addressing the brand new mssql code for dionaea yet, I think due to protocol bugs. But I've had some nfq gathered bistreams which could be replayed to the mssql service.
The bistream replayed was collected on 2010-08-09 and was contributed by 182.236.160.29 to my port 1433/tcp. I choose this bistream for its size, which is 245625bytes, and the largest bistream I captured for mssql.
After resolving some issues, I was able to dump the commands send to the database into a text file.
Within the umbrella of The Honeynet Project I've had two students working on dionaea as a GSoC2010 project this year. The projects were:
For today, let's focus on the SMB stack improvements.
As mentioned earlier, I can see strange packets.
And I'm looking for others who share this phenomenon.
The content of this strange packets is this:
RSP/1.0 STUN_CLI_FIREWALLPING aguid:f8923c21083c4bb69e462f8ace0e6e0d
This article was written by Tan Kean Siong during his gsoc2010 project - improving dionaeas smb stack - I just fixed some typos and formatted it - Markus
The Metasploit Framework is one of the most popular open source penetration testing framework with the world's largest database of public, tested exploits. Metasploit was created in 2003 using the Perl scripting language, lateron the framework was rewritten in the Ruby programming language.
The usage of the framework is user-friendly and the exploitation can be done by the workflow of:
This modularity, allowing all combinations of any exploit with any payload is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers, and payload writers, thus it emerge as the de facto vulnerability development framework in these days.
During the exploitation process, it is often required to know the exact version of the target’s operating system. Often exploits need to be customized to adapt to the particular OS environment, therefore knowing the remote operating system increase success rate of the attack. Metasploit has includes comprehensive OS fingerprinting support for the Microsoft Windows operating system. Metasploit can retrieve:
Dionaea need to support these fingerprinting method, as malware may adapt this remote version fingerprinting in the future.
I noticed my account balance for my voip provider to drop by ~10€ during the last 3 days, even though I did not make that much calls. So I had a look on the list of outgoing calls, which is stored by the provider. The list showed me lots of phone numbers I did not know.
Looking at the list of connected phones to my account, there were only the phones I used myself, a Grandstream GXP 2000 and a Siemens Gigaset C450 IP DECT phone.
So it was rather obvious somebody else was connected to the base station of my C450 DECT phone, making calls on my costs.
If the laws would have permitted it, I might have setup tcpdump on the gate, capturing all traffic from and to the C450 base station.
I wanted this person to pay for his calls, so my first step was looking at the numbers he called, by comparing the numbers with numbers from my own phone book, this was really time consuming, and in the end he owned more than 95% of all calls.
I noticed a lengthy call to a number which was known by google, and associated with a sex toy shops telephone order service, and lots of calls to a single mobile number.
If the laws would have permitted it, I'd have copied the pcap file from the router to a desktop with wireshark installed, and using wiresharks great VoIP replay, the conversation could have revealed the unknown person using my base station ordered drugs for 30€, the drug dealer complained about the bad quality, where the unknown replied he was using a wifi-phone.
I tried to 'call myself', hoping his phone would ring too, so I could talk to him about his phone being connected to my base station, but nobody accepted the call. So, I decided to call the most often called number, using my mobile. This number turned out to be the unknowns girlfriend, who got really cooperative when I mentioned the police, she turned over her boyfriends address.
Some minutes after the call, the unknown tried to call me on my mobile, but he dialed the wrong number.
If the laws would have permitted it, I'd have listend to this call by using wireshark on the pcap. Somebody calling an unknown, telling a story about his girlfriend calling him, claiming she was called by an unknown who said somebody who called he was using his phone, while the called always said he did not know anything about 'phone' but could get his own girlfriend on the phone. It would have been a hilarious dialogue.
So, having his address, and the amount he owed me, I decided to give the unknown a visit.
He was expecting me, and even tipped me for my time spent on this.
The phone he used was a Fritz!Fon MT-F, which connected to my base station right after one turned it on.
After making sure there is no way to see the associated handsets on my C450 IP base station, I decided to get over DECT, turning the base station off.
For whatever reason python lacks a binding for getifaddrs. For dionaea I created the binding myself, but the code can not be used without dionaea, and I don't like having to install additional bindings to get some basic functionality.
Therefore, I decided to create the functionality provided by the dionaea getifaddrs binding using python ctypes, easy to install, no compiling, copy&paste does the trick.
The code works with python2/3, Linux works, Darwin/OSX may work, Windows? good question.
the git-daemon activity for the dionaea.git repository, pull and uniq hosts/day, basically 5-10 users update their software daily.
Often the most complex part in data visualization is the processing before you can provide the data in a format your visualization software understands.
I choose the git-daemon logs as an example of such an case.
One could have used sshd logs as an example too, but I choose this, as I'm pretty sure there is no parser for the git-daemon logfiles.
In doubt, I'm pretty confident, one could adjust this git-daemon parser to deal with sshd too.
A friend of mine recently tried to visit research.microsoft.com, he was unable to. He spent some time on it, and came up with the following scenario:
I could reproduce this myself, for my setup research.microsoft.com did not work too, but I felt I would not loose too much anyway.
After some time he provided some pcap dumps for all possible combinations and scenarios, so I felt guilty and finally gave it a shot.
So what is wrong with research.microsoft.com?
Current dionaea trunk is metasploitable.
Getting this working was pretty nasty:
While messing with the protocol, I found 2 bugs in smb client implementations, nothing fancy, but I really appreciate buggy implementations of this protocol, therefore …
Some days ago I pushed some code to store files which get uploaded via smb file sharing to dionaea.
Yesterday I merged some beautified dce rpc code which was written by Tan Kean Siong during his gsoc 2010 dionaea-project.
Today, I got some captures which may provide some assistance when looking at dionaea log files.
