
GSoC 2017 Project Summary: major SNARE/Tanner improvements

23 Oct 2017 Roberto Tanara gsoc snare-tanner
Student Ravinder Nehra contributed this post as a project summary of his GSoC 2017 experience.

MySQL Emulator

Previously, Tanner supported SQL injection using SQLite, but since MySQL is widely used, it is badly needed in my opinion. Also, with MySQL, time-based blind SQLi can be emulated, which can’t be done in the SQLite-based emulator. It is implemented using the aiosql library, with the same approach used previously for the SQLite emulation.

  1. MySQLI emulator
  2. Change default DB and update documentation
  3. Add new SQLI tests

Command Execution Emulator

This emulator emulates the Command Execution/Injection vulnerability. It is implemented using Docker, considering its safety features. I used Busybox as the default Docker image, which provides a nice Linux shell and file system and, most importantly, is very light in size. An attack is identified using the regex .*(alias|cat|cd|cp|echo|exec|find|for|grep|ifconfig|ls|man|mkdir|netstat|ping|ps|pwd|uname|wget|touch|while).* and then injected into the Busybox Docker image to get command injection results.

  1. Command exec emulator
  2. Docs
  3. Fix Docker freezing
  4. Tests

Base Emulator Architecture

The previous base emulator didn’t specify a standard way of adding a new emulator, and the addition of each new emulator made it messier. So I designed a new architecture. This architecture follows a find-and-emulate approach where each emulator has a scan method.

  • The base emulator calls the scan method of each emulator against each GET/POST parameter and COOKIE value.
  • Then the base emulator calls the handle method of the emulator which returned a positive response.
  • The handle method returns payload and a boolean value that tells whether we have to inject the payload into the same page or a new page.
  • Depending upon the boolean value, the payload is injected into the most recently visited page.
  1. Architecture
  2. Cookie support for attacks
  3. Payload Injection page
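
The scan-then-handle flow described above, as an added sketch that is not Tanner's own code. The class names, the `detect` method and the stand-in payloads are assumptions; the two detection patterns are the ones quoted on this page (the command regex above and the \r\n check from the CRLF section), and dispatch is simplified to the first emulator whose scan matches.

```python
import re

# Regex quoted from the Command Execution Emulator section of this page.
CMD_RE = re.compile(
    r".*(alias|cat|cd|cp|echo|exec|find|for|grep|ifconfig|ls|man|mkdir"
    r"|netstat|ping|ps|pwd|uname|wget|touch|while).*")


class CmdExecEmulator:
    name = "cmd_exec"

    def scan(self, value):
        return CMD_RE.search(value) is not None

    def handle(self, key, value):
        # Stand-in result; on this page the command runs in a Busybox container.
        return {"value": f"[output of: {value}]"}, False


class CrlfEmulator:
    name = "crlf"

    def scan(self, value):
        return "\r\n" in value

    def handle(self, key, value):
        # Parameter name becomes the header name, its value the header value.
        return {"headers": {key: value}}, False


class BaseEmulator:
    def __init__(self, emulators):
        self.emulators = emulators

    def detect(self, params, cookies):
        """Scan GET/POST parameters, then cookies; handle the first hit."""
        for source, items in (("param", params), ("cookie", cookies)):
            for key, value in items.items():
                for emu in self.emulators:
                    if emu.scan(value):
                        payload, new_page = emu.handle(key, value)
                        return {"emulator": emu.name, "source": source,
                                "key": key, "payload": payload,
                                "new_page": new_page}
        return None


BASE = BaseEmulator([CmdExecEmulator(), CrlfEmulator()])
```

Because the command regex matches substrings, a benign value such as `tools` (which contains `ls`) is also classified as command execution, which is worth keeping in mind when reading attack-type statistics from the honeypot.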

Padding Oracle Emulator

I was thinking of implementing a padding oracle emulator through cookies, but Tanner didn’t support attacks through cookies, so first I implemented this feature. But then I was a little confused about what cookie I should set which can be attacked. It becomes a difficult task as we don’t have an authentication mechanism which uses cookies. Currently, it has been left on hold.

  1. Issue #154

LFI Emulator

Previously, the LFI emulator didn’t support proc emulation. To fix this and make the LFI emulator more efficient, it was reimplemented using Docker.

  1. Code

Tanner API

It involves improving the functionality of the Tanner API by adding more methods to it. The following new functionalities were added:

  • Get a session's info from its sess-uuid
  • Get all the sessions using the filters ip, time-duration, user-agent, owner-type, attack_type
  • Get stats of a snare using its snare-uuid

A new API server is formed to make it accessible only from localhost.

  1. API functions
  2. API docs
  3. New API Server
  4. Tests

Tanner UI

It involves building a UI for Tanner so that data captured by the honeypot can be shown in a well-formatted manner. The following pages were developed:

  • Page showing the list of all snares connected to Tanner
  • Page showing stats of a particular snare
  • Page showing the list of sessions affiliated to a snare, with custom filters
  • Page showing detailed information about a session

Jinja templates along with an aiohttp server are used for development.

  1. UI code
  2. Docs
  3. Improvements

PHP Code Injection Emulator

It emulates the PHP code injection vulnerability. Usually, this type of vulnerability is found where user input is directly passed to functions like eval or assert. To mimic the functionality, user input is converted to the following code, <?php eval('$a = user_input'); ?>, and then passed to phpox to get PHP code emulation results.

  1. Code

Snare-Tanner Communication

It provides a defined format of how Tanner’s response should be structured so that snare can parse it easily. This is the new response structure. This also added the functionality to return payload in headers.

Case 1 (where you need to return the page normally)

    detection = {
        type : 1
    }

Case 2 (inject payload in the page)

    detection = {
        type : 2,
        payload : {
            page : '/vuln.php',
            value : '<script>alert(1)</script>',
            headers : {
                new_header : 'new_header_value'
            }
        }
    }

Case 3 (where the input causes some error, so return a status related to the type of error produced, e.g. if the input takes more time than expected then return 50X)

    detection = {
        type : 3,
        payload : {
            status_code : 500/504
        }
    }

  1. Tanner Code
  2. Fix
  3. Snare code
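
How a sensor could turn the three response cases above into an HTTP response, as an added sketch that is not SNARE's own code. The function name, the constructed sample pages, the choice to inject just before `</body>`, and the removal of CR/LF from header names and values (so the sensor's own response cannot be split) are all assumptions.

```python
import re

# Constructed sample pages standing in for a cloned site.
SAMPLE_PAGES = {
    "/index.html": "<html><body>home</body></html>",
    "/vuln.php": "<html><body>vuln</body></html>",
}


def _one_line(text):
    # Assumption: collapse CR/LF so emitted headers stay on one line.
    return re.sub(r"[\r\n]+", " ", str(text))


def build_response(detection, requested_path, pages=SAMPLE_PAGES):
    """Map one detection dict to (status, headers, body)."""
    dtype = detection.get("type")
    payload = detection.get("payload") or {}

    if dtype == 1:  # Case 1: return the requested page unchanged
        return 200, {}, pages[requested_path]

    if dtype == 2:  # Case 2: inject the payload and add any headers
        page = pages[payload["page"]]
        marker = "</body>"
        if marker in page:
            body = page.replace(marker, payload["value"] + marker, 1)
        else:
            body = page + payload["value"]
        headers = {_one_line(k): _one_line(v)
                   for k, v in payload.get("headers", {}).items()}
        return 200, headers, body

    if dtype == 3:  # Case 3: answer with the 50X status only
        status = payload["status_code"]
        if not (isinstance(status, int) and 500 <= status <= 599):
            raise ValueError(f"unexpected status_code: {status!r}")
        return status, {}, ""

    raise ValueError(f"unknown detection type: {dtype!r}")
```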

CRLF Emulator

It emulates the CRLF vulnerability. The attack is detected using the \r\n pattern in the input. The parameter which looks suspicious is injected as a header, with the parameter name as the header name and the parameter value as the header value.

  1. Code
  2. Tests
  3. Docs


  1. Fix docker issue
  2. Fix session’s attack type attribute bug
  3. The databases (used in SQLI) and dockers (used in LFI and CMD EXEC) remained in the system even after shutdown. This fix deletes them.
  4. Make the emulator set flexible. Now the user can easily select which vulnerabilities Tanner will emulate using the config file.
  5. Fix config structure
  6. Add an option in the config so that the user can specify the pool size used for the Redis connection.
  7. Add an option to get the phpox address from the config and return the Tanner version to snare