Attacks which are identified correctly are rather boring; failing attacks are interesting, as they provide more information on the problem.
Under the umbrella of The Honeynet Project I've had two students working on dionaea as GSoC 2010 projects this year.
The projects were:
For today, let's focus on the SMB stack improvements.
This article was written by Tan Kean Siong during his GSoC 2010 project - improving dionaea's SMB stack - I just fixed some typos and formatted it - Markus
The Metasploit Framework is one of the most popular open source penetration testing frameworks, with the world's largest database of public, tested exploits. Metasploit was created in 2003 in the Perl scripting language; later on the framework was rewritten in Ruby.
The framework is user-friendly, and exploitation follows a simple workflow:
choose the exploit
configure the payload
execute the exploit.
This modularity, which allows any exploit to be combined with any payload, is the major advantage of the framework. It eases the work of attackers, exploit writers and payload writers alike, and so it has emerged as the de facto exploit development framework of our day.
During exploitation it is often necessary to know the exact version of the target's operating system. Exploits frequently have to be customised to the particular OS environment (return addresses, offsets, available pipes and so on), so knowing the remote operating system increases the success rate of the attack.
Metasploit includes comprehensive OS fingerprinting support for Microsoft Windows and can retrieve:
the version of the operating system
the service pack level
the installed network services.
Dionaea needs to support these fingerprinting methods, as malware may adopt this kind of remote version fingerprinting in the future. That means the honeypot has to answer such probes with the same strings and the same field layout a real Windows host would use; otherwise the fingerprint itself gives the honeypot away.
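As an added illustration (not dionaea's or Metasploit's own code), the following script builds an SMB1 Session Setup AndX response the way a Windows server, or a honeypot imitating one, would send it, then parses and fingerprints it the way a scanner does. The OS and service pack come from the NativeOS and NativeLanMan strings in that response; the Windows strings used here are the well-known values those systems send, and the Samba strings are assumed for the example. The parser validates the ByteCount field before trusting it, since a reply that claims more data than is on the wire is exactly the kind of input an SMB implementation must survive.

```python
"""SMB1 Session Setup AndX response: build it as a Windows host (or a honeypot
imitating one) would, then parse and fingerprint it as a scanner would.
Added example; not dionaea's own SMB code."""
import re
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS_REPLY = 0x80
SMB_FLAGS2_UNICODE = 0x8000
STRING_FIELDS = ("native_os", "native_lanman", "domain")


def smb_header(command, flags2, uid=0x0800, mid=1):
    """32-byte SMB header: NT_STATUS success, no PIDHigh, zeroed security signature."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, SMB_FLAGS_REPLY,
                       flags2, 0, b"\x00" * 8, 0, 0, 0xFEFF, uid, mid)


def build_session_setup_response(native_os, native_lanman, domain="WORKGROUP", unicode=True):
    """Server reply carrying the NativeOS / NativeLanMan / PrimaryDomain strings."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    header = smb_header(SMB_COM_SESSION_SETUP_ANDX, flags2)
    # WordCount=3, AndXCommand=0xFF (no chained command), reserved, AndXOffset, Action
    params = struct.pack("<BBBHH", 3, 0xFF, 0, 0, 0)
    strings = (native_os, native_lanman, domain)
    if unicode:
        # UTF-16LE strings start on a 2-byte boundary counted from the header start;
        # the pad byte is included in ByteCount.
        pad = b"\x00" * ((len(header) + len(params) + 2) % 2)
        body = pad + b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    else:
        body = b"".join(s.encode("ascii") + b"\x00" for s in strings)
    return header + params + struct.pack("<H", len(body)) + body


def _split_utf16(data):
    """Split NUL-terminated UTF-16LE strings on code-unit boundaries."""
    out, cur = [], bytearray()
    for i in range(0, len(data) - 1, 2):
        unit = data[i:i + 2]
        if unit == b"\x00\x00":
            out.append(cur.decode("utf-16-le"))
            cur = bytearray()
        else:
            cur += unit
    return out


def parse_session_setup_response(pkt):
    """Extract the three strings, checking every length before using it."""
    if len(pkt) < 35 or pkt[:4] != b"\xffSMB" or pkt[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a Session Setup AndX response")
    flags2 = struct.unpack_from("<H", pkt, 10)[0]
    word_count = pkt[32]
    if word_count != 3:  # WordCount 4 is extended security: a blob precedes the strings
        raise ValueError("unsupported WordCount %d" % word_count)
    off = 33 + 2 * word_count
    if len(pkt) < off + 2:
        raise ValueError("truncated parameter block")
    byte_count = struct.unpack_from("<H", pkt, off)[0]
    off += 2
    body = pkt[off:off + byte_count]
    if len(body) != byte_count:  # ByteCount claims more bytes than are on the wire
        raise ValueError("ByteCount %d exceeds packet" % byte_count)
    if flags2 & SMB_FLAGS2_UNICODE:
        parts = _split_utf16(body[off % 2:])  # skip the alignment pad byte
    else:
        parts = [p.decode("latin-1") for p in body.split(b"\x00")[:-1]]
    parts += [""] * (3 - len(parts))
    return dict(zip(STRING_FIELDS, parts[:3]))


# NativeOS prefixes as sent by the respective Windows versions; order matters.
OS_PATTERNS = [
    (r"^Windows 5\.0\b", "Windows 2000"),
    (r"^Windows 5\.1\b", "Windows XP"),
    (r"^Windows Server 2003\b", "Windows Server 2003"),
    (r"^Windows Vista\b", "Windows Vista"),
    (r"^Windows Server 2008 R2\b", "Windows Server 2008 R2"),
    (r"^Windows Server 2008\b", "Windows Server 2008"),
    (r"^Windows 7\b", "Windows 7"),
]


def fingerprint(native_os, native_lanman):
    """Map the two strings to an OS name and service pack, as a scanner would."""
    result = {"os": "unknown", "service_pack": None}
    if native_lanman.startswith("Samba"):  # e.g. NativeOS "Unix", NativeLanMan "Samba 3.5.4"
        result["os"] = native_lanman
        return result
    for pattern, name in OS_PATTERNS:
        if re.match(pattern, native_os):
            result["os"] = name
            break
    sp = re.search(r"Service Pack (\d+)", native_os)
    if sp:
        result["service_pack"] = int(sp.group(1))
    # Windows 2000 and XP send only "Windows 5.x" here, so their service pack
    # is not recoverable from this field alone.
    return result


def roundtrip(native_os, native_lanman, domain="WORKGROUP", unicode=True):
    pkt = build_session_setup_response(native_os, native_lanman, domain, unicode)
    fields = parse_session_setup_response(pkt)
    return fingerprint(fields["native_os"], fields["native_lanman"])


def is_malformed(pkt):
    try:
        parse_session_setup_response(pkt)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    xp = build_session_setup_response("Windows 5.1", "Windows 2000 LAN Manager")
    print(parse_session_setup_response(xp), fingerprint("Windows 5.1", "Windows 2000 LAN Manager"))
```

A honeypot that wants to look like Windows XP answers with NativeOS "Windows 5.1" and NativeLanMan "Windows 2000 LAN Manager"; answering with Samba-style strings, or with the strings placed at the wrong offset, is an immediate tell. Note that the XP service pack is not visible in this field, so a scanner has to use other data for it.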
While messing with the protocol, I found two bugs in SMB client implementations, nothing fancy, but I really appreciate buggy implementations of this protocol, therefore …
Some days ago I pushed some code to dionaea which stores files that get uploaded via SMB file sharing.
Yesterday I merged some beautified DCE RPC code which was written by Tan Kean Siong during his GSoC 2010 dionaea project.
Today I got some captures which may help when reading dionaea log files.
I just had a look at the Novell Netware exploit published by Laurent Gaffié, and I'm glad other people have problems parsing SMB correctly too.
Unlike other exploits, which target Microsoft's SMB stack, this one exploits a parsing bug in the SMB layer itself rather than a DCE Remote Procedure Call.