During the last weeks I have been working on SMB and specifically DCERPC support for the Dionaea next generation low-interaction honeypot (buzz!).
SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.
Conficker contains a piece of code that has been object of speculation: It does not infect boxes located in the Ukraine. Before sending an exploit, it performs a lookup against Maxmind's GeoIP database, which is freely available, and skips the host if the returned country code is UA. While the B variant comes with a copy of the database embedded, the A variant downloads the file from Maxmind's server. A couple of days ago Felix had the idea to deliver a specially crafted database that maps every IP address to the Ukrain.
|Info:||See <https://www.honeynet.org/gsoc/project1> for
|Author:||Zhijie Chen (Joyan) <firstname.lastname@example.org>|
|Description:||Mid-term Report on PHoneyC GSoC project 1. This report
describes what I have done on the PHoneyC's libemu integration
for shellcode and heapspray detection during the first half of
the GSoC. Till now, the main ideas on this feature has been
fast-implemented (actually I mean poor coding style) and the
whole flow works well, with some code rewriting and performance
optimization needed in the future.
What is TIP? TIP stands for Tracking Intelligence Project. In my most beautiful dreams, TIP should be an information gathering
framework whose purpose is to autonomously collect Internet threat
trends. It's entirely written in Python using Twisted and bound to the Django framework in order to abstract the underlying database and to easily build a web interface to the data.
Honeypots have been actively used by the security community for over ten years now. They are used for a variety of purposes, but now a days primarily for information gathering. When honeypots first were being used they generated a great deal of discussion about the legal issues. However, through the years this debate has died down, most organizations feeling these issues are minor. I just wanted to share an update on these thoughts.
This week I completed an important step which is to integrate a parser in Honeybrid. There are now two new files in the source code:
This phenomenon is first observed when I tried the NtReadFile test last week, sometimes when the postNtReadFile is called, the handle value, buffer address and buffer size got from the stack is quite different from values got in preNtReadFile. I didn't pay much attention to this problem that time, but, when I tried to debug the NtSecureConnectPort API with WinDBG today, this phenomenon appeared again. So I did a further study on it.
First, I set a break point at nt!NtSecureConnectPort:
This is supposed to be the first Qebek blog, but unfortunately, it cannot pass the check of mod_security (even today), so I posted here.
I know I said that I would post a screenshot a week ago, but it's been a little busy, but here's an older attached image. One of the reasons there was a delay is that the code that I was using was based on one of the wxPython demo programs, hence the RunDemo title bar. I'm in the process of revamping that code into something that's a little more standalone.