Blog postings from honeynet.org

RE-Google - or how Grandma started Reverse Engineering

felix.leder — Sun, 15 Nov 2009 17:20:07 -0500

Some people say "Reverse Engineering is an art". Well, this might be true if you consider stuff like mathematics as art. It is more an application of standard methods that evolve constantly. Actually, everybody can learn these methods and start to RE executables. With the RE-Google plugin for IDA Pro, even your granny can start reversing :)

Giraffe Chapter

United Arab Emirates Chapter

lance.spitzner — Tue, 15 Sep 2009 07:31:47 -0400

We are excited to announce the latest chapter coming on Board, the United Arab Emirates Chapter, hosted and formed by aeCERT. This is the very first Chapter to be joining from the middle-east, we are very excited to have them on board and expect great things from them!

Shucran!

lance

Iteolih: RPC vulnerability implementation party

mark.schloesser — Tue, 25 Aug 2009 12:33:00 -0400

The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.

The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)

Giraffe Chapter

A Brief Introduction to Qebek

chengyu.song — Mon, 17 Aug 2009 11:03:25 -0400

Here is a brief introduction on Qebek, answering some questions.

Iteolih: Miles and More

markus.koetter — Tue, 11 Aug 2009 08:10:33 -0400

We got a new milestone due:

10.08.2009

thread-pool works
stream recording works
shellcode detection using libemu works
shellcode emulation using libemu works
compiles on linux&openbsd

An exploit taken from a public repository, run against the software, is detected and emulated.

To shorten things, basically all required points are hit with current svn.

So, given the time we just saved, some words about how it works.

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

What's new on PHoneyC (4): Try it out!

zhijie.chen — Mon, 10 Aug 2009 15:19:38 -0400

Hi all:

I have finished almost all the coding stuff of Project #1, now you can try out the new PHoneyC with shellcode/heapspray detection here:

http://code.google.com/p/phoneyc/source/browse/phoneyc#phoneyc/branches/phoneyc-honeyjs

Please feel free to report any bug or suggestion on shellcode/heapspray detection to me.

Chinese Chapter

Glastopf retrospection

lukas.rist — Mon, 10 Aug 2009 00:18:27 -0400

Today I make a retrospection on my work on the Glastopf Web Honeypot during the Google Summer of Code Program. My goal was to push forward the development on a Honeypot for an attack vector in web security which is really underestimated in current discussions. The main objectives could be merged into one intention: Increasing our attractiveness and answering every request as close as possible to a real world system. This got achieved with the new PHP file parser and the dynamic Google dork list which we provide for the Google crawler.

Native Language Spam

tillmann.werner — Sun, 9 Aug 2009 03:55:59 -0400

Today I received a spam email from "Sicherheits-Center" ("security center") with subject "Vorsicht! Ihr Paypal-Konto wurde begrenzt!" ("Attention! Your paypal account has been restricted!"). Not only the subject but the whole message was in really bad German - I am sure everybody had the chance to delete similar spams and you know what they look like. The advertised link was already down and also already included in Google's "Safe Browsing" list of malicious URLs. But the message contained a piece of interesting information which I think is interesting.

Honeybrid testing

robin.berthier — Fri, 7 Aug 2009 14:26:20 -0400

Second milestone reached! Honeybrid has now all its functionalities working and it's time for testing. In order to check that everything works efficiently, I deployed a Windows honeypot to receive traffic from five /24 unused subnets during half an hour. Here are the details of this experiment.

Configuration

Here is a overall diagram of the testing architecture:

(Internet) <=====> [NATing Gateway with Honeybrid] <-------> [Windows Honeypot]

The NATing gateway was configured with the following iptables rules:

GSoC Project #6 - Develop Hybrid Honeypot Architecture

Quick Update

thibaut.gadiolet — Wed, 5 Aug 2009 11:35:23 -0400

Hi Folks,

I worked on the Front-End to make my interface more user-friendly, I don't detail every modifications, we can split them in three:

Profile Management
Organisation Management
Honeyclient Management

My code is under Honeynet Subversion so you can consult it if you're curious !
I also corrected a lot of bugs even if some of them are a bit persistent....

GSoc Project #9 - Managing Honeypot Clients