Before nepenthes
p/s: this is using default settings with minor configuration.
—————————————————-
salax@zulfiqar:~$ nmap 192.168.2.10
Starting Nmap 4.53 ( http://insecure.org ) at 2010-01-09 00:11 MYT
Interesting ports on 192.168.2.10:
Not shown: 1711 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.075 seconds
———————————-
Firing up nepenthes:
salax@zulfiqar:~$ sudo /etc/init.d/nepenthes start
[sudo] password for salax:
Starting nepenthes: nepenthes.
——————————————————-
After nepenthes:
salax@zulfiqar:~$ nmap 192.168.2.10
Starting Nmap 4.53 ( http://insecure.org ) at 2010-01-09 00:11 MYT
Interesting ports on 192.168.2.10:
Not shown: 1690 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
42/tcp open nameserver
53/tcp open domain
80/tcp open http
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
143/tcp open imap
220/tcp open imap3
443/tcp open https
445/tcp open microsoft-ds
465/tcp open smtps
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
1023/tcp open netvenuechat
1025/tcp open NFS-or-IIS
2105/tcp open eklogin
3372/tcp open msdtc
5000/tcp open UPnP
10000/tcp open snet-sensor-mgmt
17300/tcp open kuang2
Nmap done: 1 IP address (1 host up) scanned in 0.075 seconds
———————————————————————–
Listing open files shows the following:
salax@zulfiqar:/etc/nepenthes$ sudo lsof -i | grep nepenthes
[sudo] password for salax:
nepenthes 7246 nepenthes 6u IPv4 29655 TCP *:smtp (LISTEN)
nepenthes 7246 nepenthes 7u IPv4 29656 TCP *:pop3 (LISTEN)
nepenthes 7246 nepenthes 8u IPv4 29657 TCP *:imap2 (LISTEN)
nepenthes 7246 nepenthes 9u IPv4 29658 TCP *:imap3 (LISTEN)
nepenthes 7246 nepenthes 10u IPv4 29659 TCP *:ssmtp (LISTEN)
nepenthes 7246 nepenthes 11u IPv4 29660 TCP *:imaps (LISTEN)
nepenthes 7246 nepenthes 12u IPv4 29661 TCP *:pop3s (LISTEN)
nepenthes 7246 nepenthes 13u IPv4 29662 TCP *:2745 (LISTEN)
nepenthes 7246 nepenthes 14u IPv4 29663 TCP *:6129 (LISTEN)
nepenthes 7246 nepenthes 15u IPv4 29664 TCP *:loc-srv (LISTEN)
nepenthes 7246 nepenthes 16u IPv4 29665 TCP *:microsoft-ds (LISTEN)
nepenthes 7246 nepenthes 17u IPv4 29666 TCP *:1025 (LISTEN)
nepenthes 7246 nepenthes 18u IPv4 29667 TCP *:ftp (LISTEN)
nepenthes 7246 nepenthes 19u IPv4 29668 TCP *:https (LISTEN)
nepenthes 7246 nepenthes 20u IPv4 29669 TCP *:17300 (LISTEN)
nepenthes 7246 nepenthes 21u IPv4 29670 TCP *:2103 (LISTEN)
nepenthes 7246 nepenthes 22u IPv4 29671 TCP *:eklogin (LISTEN)
nepenthes 7246 nepenthes 23u IPv4 29672 TCP *:2107 (LISTEN)
nepenthes 7246 nepenthes 24u IPv4 29673 TCP *:3372 (LISTEN)
nepenthes 7246 nepenthes 25u IPv4 29674 UDP *:ms-sql-m
nepenthes 7246 nepenthes 26u IPv4 29675 TCP *:3127 (LISTEN)
nepenthes 7246 nepenthes 27u IPv4 29676 TCP *:netbios-ssn (LISTEN)
nepenthes 7246 nepenthes 28u IPv4 29677 TCP *:3140 (LISTEN)
nepenthes 7246 nepenthes 29u IPv4 29678 TCP *:5554 (LISTEN)
nepenthes 7246 nepenthes 30u IPv4 29679 TCP *:1023 (LISTEN)
nepenthes 7246 nepenthes 31u IPv4 29680 TCP *:27347 (LISTEN)
nepenthes 7246 nepenthes 32u IPv4 29681 TCP *:5000 (LISTEN)
nepenthes 7246 nepenthes 33u IPv4 29682 TCP *:webmin (LISTEN)
nepenthes 7246 nepenthes 34u IPv4 29683 TCP *:nameserver (LISTEN)
nepenthes 7246 nepenthes 35u IPv4 29684 TCP *:www (LISTEN)
nepenthes 7246 nepenthes 36u IPv4 29685 TCP *:10002 (LISTEN)
——————————————————————-
Take a look in /var/log/nepenthes/logged_downloads:
salax@zulfiqar:/var/log/nepenthes$ cat logged_downloads
[2010-01-08T03:21:15] 60.48.72.2 -> 192.168.2.10 link://60.48.72.2:11965/qcxYEw==
[2010-01-08T03:23:37] 60.48.98.64 -> 192.168.2.10 ftp://a:a@60.48.98.64:11460/Win15763.exe
[2010-01-08T22:27:49] 60.47.49.168 -> 192.168.2.10 link://60.47.49.168:29913/GDAo+A==
[2010-01-09T21:59:29] 60.48.196.174 -> 192.168.2.10 ftp://1:1@0.0.0.0:5895/wint.exe
[2010-01-09T22:20:08] 60.167.120.190 -> 192.168.2.10 ftp://1:1@60.167.120.190:9495/ssms.exe
[2010-01-09T22:26:00] 60.56.171.98 -> 192.168.2.10 tftp://0.0.0.0/ssms.exe
[2010-01-09T22:31:08] 60.47.211.135 -> 192.168.2.10 link://60.47.211.135:57271/46juBw==
[2010-01-09T22:54:40] 60.48.196.174 -> 192.168.2.10 ftp://1:1@0.0.0.0:5895/wint.exe
[2010-01-09T23:20:02] 60.48.206.249 -> 192.168.2.10 ftp://1:1@60.48.206.249:31018/wingate32.exe
[2010-01-09T23:23:05] 60.53.58.190 -> 192.168.2.10 ftp://1:1@0.0.0.0:15639/WinSec.exe
[2010-01-09T23:42:31] 60.48.206.249 -> 192.168.2.10 link://60.48.206.249:50408/EWYNew==
[2010-01-10T11:48:14] 60.44.18.223 -> 192.168.2.10 blink://60.44.18.223:40579/GLJK+A==
[2010-01-10T12:10:59] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:42750/GIAo+A==
[2010-01-10T12:21:05] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:33106/GIAo+A==
[2010-01-10T12:22:13] 69.207.61.212 -> 192.168.2.10 http://74.77.18.116:4662/x.exe
[2010-01-10T12:31:20] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:41373/GIAo+A==
[2010-01-10T13:13:55] 60.42.119.172 -> 192.168.2.10 blink://60.42.119.172:29703/mPKeAQ==
[2010-01-10T13:15:21] 60.43.40.208 -> 192.168.2.10 link://60.43.40.208:46158/OHwf/g==
[2010-01-11T00:36:28] 60.48.103.18 -> 192.168.2.10 ftp://1:1@60.48.103.18:62984/wingate32.exe
[2010-01-11T00:42:24] 60.36.30.127 -> 192.168.2.10 ftp://1:1@0.0.0.0:45513/ssms.exe
[2010-01-11T00:51:16] 60.48.221.25 -> 192.168.2.10 ftp://1:1@60.48.221.25:40959/wingate32.exe
[2010-01-11T00:56:31] 60.48.103.18 -> 192.168.2.10 ftp://1:1@60.48.103.18:62984/wingate32.exe
[2010-01-11T20:10:07] 60.48.245.153 -> 192.168.2.10 link://60.48.245.153:64395/EGYNAw==
[2010-01-11T20:15:19] 60.48.245.153 -> 192.168.2.10 ftp://1:1@0.0.0.0:44154/wingate32.exe
[2010-01-11T20:18:03] 60.249.204.192 -> 192.168.2.10 tftp://0.0.0.0/ssms.exe
[2010-01-11T20:24:11] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T21:22:43] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T21:37:35] 60.41.138.161 -> 192.168.2.10 link://60.41.138.161:35057/4/idCA==
[2010-01-11T21:51:23] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T21:51:35] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:00:17] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:10:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:24841/0
[2010-01-11T22:10:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:24841/0
[2010-01-11T22:14:19] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T22:16:52] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T22:17:08] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T22:17:41] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:27:00] 60.42.243.214 -> 192.168.2.10 link://60.42.243.214:48588/+RnAEQ==
[2010-01-11T22:35:05] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:52:24] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T22:52:29] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T22:54:18] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T23:01:11] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T23:07:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:13110/0
[2010-01-11T23:07:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:6464/0
[2010-01-11T23:15:04] 60.48.70.250 -> 192.168.2.10 ftp://1:1@60.48.70.250:23241/WinSec.exe
[2010-01-11T23:17:46] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-11T23:17:55] 60.48.103.192 -> 192.168.2.10 ftp://1:1@60.48.103.192:28894/wingate32.exe
[2010-01-11T23:18:34] 60.48.76.255 -> 192.168.2.10 link://60.48.76.255:51319/TzxtYQ==
[2010-01-11T23:21:10] 60.48.70.175 -> 192.168.2.10 ftp://x:x@60.48.70.175:27517/hqghumea.dll
[2010-01-13T03:19:57] 60.48.98.181 -> 192.168.2.10 ftp://a:a@0.0.0.0:3987/igxdfdfds.com
[2010-01-13T03:27:39] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:28:57] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:30:20] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T03:32:24] 60.48.98.181 -> 192.168.2.10 ftp://a:a@60.48.98.181:4078/Win15763.exe
[2010-01-13T03:37:06] 60.48.98.181 -> 192.168.2.10 ftp://a:a@60.48.98.181:4078/Win15763.exe
[2010-01-13T03:37:54] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:40:13] 60.48.98.181 -> 192.168.2.10 ftp://1:1@0.0.0.0:12506/wingate32.exe
[2010-01-13T03:43:58] 60.48.98.181 -> 192.168.2.10 ftp://1:1@0.0.0.0:12506/wingate32.exe
[2010-01-13T03:50:13] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T03:50:21] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T03:54:50] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T04:02:31] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T04:59:55] 60.48.216.206 -> 192.168.2.10 ftp://1:1@60.48.216.206:59898/wingate32.exe
[2010-01-13T05:07:36] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T05:34:57] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T05:48:38] 60.42.253.163 -> 192.168.2.10 link://60.42.253.163:54497/+BkAgw==
[2010-01-13T05:50:41] 60.48.89.89 -> 192.168.2.10 ftp://1:1@60.48.89.89:59451/wingate32.exe
[2010-01-13T05:57:08] 60.48.89.89 -> 192.168.2.10 tftp://60.48.89.89/runwin32.exe
[2010-01-13T05:57:30] 60.48.89.89 -> 192.168.2.10 ftp://1:1@60.48.89.89:59451/wingate32.exe
[2010-01-13T06:26:55] 60.48.189.130 -> 192.168.2.10 ftp://1:1@0.0.0.0:45506/wingate32.exe
[2010-01-13T06:27:07] 60.48.89.89 -> 192.168.2.10 tftp://0.0.0.0/runwin32.exe
[2010-01-13T06:27:30] 60.48.89.89 -> 192.168.2.10 ftp://1:1@0.0.0.0:59451/wingate32.exe
[2010-01-15T22:13:10] 124.12.75.2 -> 192.168.2.10 tftp://124.12.75.2/ssms.exe
—————————————————————————————
Take a look also in /var/log/nepenthes/logged_submissions:
salax@zulfiqar:/var/log/nepenthes$ cat logged_submissions
[2010-01-08T22:28:05] 60.47.49.168 -> 192.168.2.10 link://60.47.49.168:29913/GDAo+A== a881dd13336137c7c0a346a0e95a28cb
[2010-01-09T22:26:53] 60.56.171.98 -> 192.168.2.10 tftp://60.56.171.98:69/ssms.exe 98eb0fdadf8a403c013a8b1882ec986d
[2010-01-09T23:42:44] 60.48.206.249 -> 192.168.2.10 link://60.48.206.249:50408/EWYNew== f6a0747f321da6905d7f117b1a0491bc
[2010-01-10T11:48:15] 60.44.18.223 -> 192.168.2.10 blink://60.44.18.223:40579/GLJK+A== cf39a0e99513d242b516facffcf0149a
[2010-01-10T12:11:16] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:42750/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T12:21:12] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:33106/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T12:31:35] 60.48.192.35 -> 192.168.2.10 blink://60.48.192.35:41373/GIAo+A== fd0a67fb35667fabc7cba1be174a66a0
[2010-01-10T13:13:56] 60.42.119.172 -> 192.168.2.10 blink://60.42.119.172:29703/mPKeAQ== 6560050cb210e159c9cfb5a50fe6dd63
[2010-01-10T13:15:38] 60.43.40.208 -> 192.168.2.10 link://60.43.40.208:46158/OHwf/g== 714c1bf115fe97b19a4556d40de2fec1
[2010-01-11T20:18:48] 60.249.204.192 -> 192.168.2.10 tftp://60.249.204.192:69/ssms.exe fd28c5e1c38caa35bf5e1987e6167f4c
[2010-01-11T22:10:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4921 7dc73bfa4d78284155dd5101991eeb34
[2010-01-11T22:10:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4923 7dc73bfa4d78284155dd5101991eeb34
[2010-01-11T23:07:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4735 7dc73bfa4d78284155dd5101991eeb34
[2010-01-11T23:07:48] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:3297 7dc73bfa4d78284155dd5101991eeb34
[2010-01-13T06:22:38] 60.48.89.89 -> 192.168.2.10 tftp://60.48.89.89/runwin32.exe 1eb2ae9acb444fd275f4ff1d55f4a54c
[2010-01-15T22:14:52] 124.12.75.2 -> 192.168.2.10 tftp://124.12.75.2/ssms.exe 1f8a826b2ae94daa78f6542ad4ef173b
—————————————————————————————————————-
I looked into the binary files stored:
salax@zulfiqar:/var/lib/nepenthes/binaries$ ls
1eb2ae9acb444fd275f4ff1d55f4a54c 714c1bf115fe97b19a4556d40de2fec1 a881dd13336137c7c0a346a0e95a28cb fd0a67fb35667fabc7cba1be174a66a0
1f8a826b2ae94daa78f6542ad4ef173b 7dc73bfa4d78284155dd5101991eeb34 cf39a0e99513d242b516facffcf0149a fd28c5e1c38caa35bf5e1987e6167f4c
6560050cb210e159c9cfb5a50fe6dd63 98eb0fdadf8a403c013a8b1882ec986d f6a0747f321da6905d7f117b1a0491bc
——————————————————————————————
And I've got lots of hexdumps:
salax@zulfiqar:/var/lib/nepenthes/hexdumps$ ls
——8<------------------------------------8<---------------------cut-----8<
————————————————————————————————————————
Then, scanning using ClamAV:
salax@zulfiqar:/var/lib/nepenthes$ clamscan binaries/
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days! ***
LibClamAV Warning: *** Please update it as soon as possible. ***
LibClamAV Warning: **************************************************
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON’T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
binaries/fd0a67fb35667fabc7cba1be174a66a0: OK
binaries/cf39a0e99513d242b516facffcf0149a: OK
binaries/714c1bf115fe97b19a4556d40de2fec1: W32.Virut.sa FOUND
binaries/7dc73bfa4d78284155dd5101991eeb34: Trojan.SdBot-730 FOUND
binaries/1f8a826b2ae94daa78f6542ad4ef173b: Trojan.SdBot-4763 FOUND
binaries/fd28c5e1c38caa35bf5e1987e6167f4c: Trojan.SdBot-4763 FOUND
binaries/f6a0747f321da6905d7f117b1a0491bc: OK
binaries/98eb0fdadf8a403c013a8b1882ec986d: Trojan.SdBot-4763 FOUND
binaries/a881dd13336137c7c0a346a0e95a28cb: W32.Virut-17 FOUND
binaries/1eb2ae9acb444fd275f4ff1d55f4a54c: OK
binaries/6560050cb210e159c9cfb5a50fe6dd63: OK
binaries/df51e3310ef609e908a6b487a28ac068: Trojan.SdBot-4763 FOUND
———– SCAN SUMMARY ———–
Known viruses: 572978
Engine version: 0.94.2
Scanned directories: 1
Scanned files: 12
Infected files: 7
Data scanned: 1.30 MB
Time: 2.564 sec (0 m 2 s)
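To work through these logs the way a defender would, here is an added Python example (not part of the original post, and not nepenthes code) that parses the logged_downloads / logged_submissions line format shown above, tallies download schemes and filenames, flags download URLs whose host is 0.0.0.0 (in the listing above none of those ever produced a logged_submissions entry), and joins each submitted binary's MD5 to its clamscan verdict. The line format is assumed from the listings; the sample lines are copied from them.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Nepenthes log line format as shown on this page (assumed from the listings):
#   [timestamp] attacker -> honeypot download-url [md5-of-submitted-binary]
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
                    r"(?P<url>\S+)(?:\s+(?P<md5>[0-9a-f]{32}))?\s*$")
# clamscan per-file line: "binaries/<md5>: OK" or "binaries/<md5>: <signature> FOUND"
SCAN_RE = re.compile(r"^binaries/(?P<md5>[0-9a-f]{32}):\s+(?P<verdict>.+?)(?:\s+FOUND)?$")

def parse_log_line(line):
    """Parse one logged_downloads/logged_submissions line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])  # netloc parsing also works for link://, blink://, creceive://
    rec["scheme"] = parts.scheme
    rec["host"] = parts.hostname or ""  # userinfo such as 1:1@ and the port are stripped
    rec["filename"] = parts.path.rsplit("/", 1)[-1]
    return rec

def parse_clamscan(lines):
    # md5 -> "OK" or the signature name, taken from clamscan's per-file output lines
    return {m["md5"]: m["verdict"] for m in map(SCAN_RE.match, map(str.strip, lines)) if m}

def summarize(download_lines, submission_lines, scan_lines):
    downloads = [r for r in map(parse_log_line, download_lines) if r]
    submissions = [r for r in map(parse_log_line, submission_lines) if r]
    verdicts = parse_clamscan(scan_lines)
    return {
        "by_scheme": Counter(r["scheme"] for r in downloads),
        "by_filename": Counter(r["filename"] for r in downloads),
        # URLs whose host is 0.0.0.0 point nowhere useful; in the listing above
        # none of them ever produced a logged_submissions entry
        "unfetchable": sum(r["host"] == "0.0.0.0" for r in downloads),
        # one verdict per unique captured binary (repeated md5s collapse)
        "verdicts": {r["md5"]: verdicts.get(r["md5"], "not scanned")
                     for r in submissions if r["md5"]},
    }
# constructed sample: lines copied from the listings above
DOWNLOADS = """[2010-01-09T21:59:29] 60.48.196.174 -> 192.168.2.10 ftp://1:1@0.0.0.0:5895/wint.exe
[2010-01-09T22:26:00] 60.56.171.98 -> 192.168.2.10 tftp://0.0.0.0/ssms.exe
[2010-01-11T22:10:43] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:24841/0
[2010-01-15T22:13:10] 124.12.75.2 -> 192.168.2.10 tftp://124.12.75.2/ssms.exe""".splitlines()
SUBMISSIONS = """[2010-01-11T22:10:46] 60.48.103.192 -> 192.168.2.10 creceive://60.48.103.192:4921 7dc73bfa4d78284155dd5101991eeb34
[2010-01-15T22:14:52] 124.12.75.2 -> 192.168.2.10 tftp://124.12.75.2/ssms.exe 1f8a826b2ae94daa78f6542ad4ef173b""".splitlines()
SCAN = ["binaries/7dc73bfa4d78284155dd5101991eeb34: Trojan.SdBot-730 FOUND",
        "binaries/1f8a826b2ae94daa78f6542ad4ef173b: Trojan.SdBot-4763 FOUND"]
```

Call `summarize(DOWNLOADS, SUBMISSIONS, SCAN)` to get the per-scheme and per-filename counts, the number of unfetchable URLs, and the MD5-to-verdict map for the sample.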
To be continued... lots to learn here,
and also for Dionaea...
Hi there, hope all is well..
Last week, I was given the opportunity to learn about configuring and playing around with Dionaea, the successor to nepenthes. It's been a great honor for a newbie like me to join the training and learn together with other staff.
To begin with, I'm actually new to this.. With Nepenthes, I just managed to install and configure the program, and never really had the chance to understand how the program works, and don't have much experience with it (one of the reasons is because I'm tooo lazy, yes, I admit it :-p). Install, configure, put it on a public IP at my home.. and wait for some alerts to come out..
For Dionaea, I've followed the tutorial at their main page http://dionaea.carnivore.it/ , and managed to install / configure all the dependencies.. Once installed, I tried testing it with some exploits / nmapping .. cool
It also has an HTTP server under /opt/dionaea/var/dionaea/wwwroot , for a fast HTTP server. Frankly speaking, during the training, I couldn't catch all of the explanations, the code (since I'm a N0ob in programming), and bla bla.. But I'm amazed by how the program works.. they (the developers) must be some kind of beautiful-mind people for developing this ;-p
I've done my installation/configuration on top of Ubuntu 9.04.. This shouldn't be a problem for *buntu and Debian users.. other distros I don't know, haven't tried.
If you would like to try it out:
http://dionaea.carnivore.it/
http://carnivore.it/2009/12/02/dionaea_first_tc_kul_12-09 (blog)
Screenshot of dionaea in action:
