Honeypotting with Nepenthes

If you’ve got an interest in information security, then there is a good chance that you’ve got a good handle on malware in all it’s (in)glorious forms. The books, articles and war stories are nice, interesting and can result in some improved knowledge but to get a real feel for malware nothing beats live samples. Best way to get live samples? Get infected! To manage this without bringing your network and organisation to it’s knees best practice is a honeypot, in one (or more) of it’s various forms.
For exactly this purpose I’ve been running the Nepenthes application for around 10 months. Nepenthes is a low interaction honeypot which emulates several known vulnerabilities across multiple services in an attempt to capture live malware samples as it is ‘exploited’. The Nepenthes services advertise known vulnerabilities, emulate service interaction to the point of exploit and final store the shellcode/binary provided by the malicious system.
If my honeypot system is any indication, these systems will and do get pounded heavily from prospective intruders, over the lifetime of my honeypot systm I have collected in excess of 850 unique malware samples. In fact when the system was first installed it captured it’s first malicious binary within 30 minutes of gaining a live network connection (in this case an IRC bot).
Nepenthes has the ability to automate a fair chunk of the analysis process by automatically submitting any collected binaries to one of several sandboxes (for example the Norman Sandbox). This can provide analysts with an immediate indication as to the type of malware being dealt with, and perhaps most significantly prevent analysts from utilising resources analysing essentially the same binary/malware. One word of caution however is that the submit process does not always work 100% (this hasn’t been investigated in too much detail, could be Nepenthes, could be the sandboxes not accepting/reviewing the file, could be the winds of fate. As with many things, your mileage may vary.)
As an example of the interactions and logging processed by Nepenthes, below is a log snippet of a malware sample that has just (literally) ‘exploited’ my honeypot. (N.B. IPs edited to protect the guilty):
[12042009 16:36:51 warn module] Unknown NETDDE exploit 76 bytes State 1
[12042009 16:36:51 warn module] Unknown SMBName exploit 0 bytes State 1
[12042009 16:36:51 info handler dia] Unknown DCOM request, dropping
[12042009 16:36:57 info sc handler] i = 1 map_items 2 , map = port
[12042009 16:36:57 info sc handler] bindfiletransfer::amberg -> 9988
[12042009 16:36:57 info sc handler] bindfiletransfer::amberg -> w.x.y.z:9988
[12042009 16:36:57 info down mgr] Handler creceive download handler will download creceive://w.x.y.z:9988/0
[12042009 16:37:12 info mgr submit] File 9604e9c99768c5cd2deb108935356196 has type MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
VirusTotal analysis of this file (MD5 hash: 9604e9c99768c5cd2deb108935356196) indicates it is a member of the Rbot family of malware. When working with and investigating the malware collected by Nepenthes I have found the VirusTotal Hash Search feature to be particularly useful as it allows analysts the ability to search VirusTotal’s extensive database to gain analysis of the file in question purely from the binary’s hash value. This means that you don’t need to transfer the binary itself between systems to upload to the VirusTotal for actual analysis, removing the potential for an unintended double-click causing havok on a network. And if VirusTotal hasn’t seen the file in question you may have something new and exciting to analyse yourself (or an old polymorphic binary….)
The downside of using a low interaction honeypot like Nepenthes is that you are not going to be collecting on the bleeding edge. As the process suggests, as Nepenthes emulates known vulnerabilities, the vulnerabilities in question need to be known and coded into Nepenthes before it will collect any malware exploit the vulnerability. For instance, dispite all the recent hype and media attention this honeypot system as not captured any sample of Conficker/DownAdUp. However, as most new malware will still utilise old vulnerabilities to increase potential targets this isn’t a major limiration (Conficker was somewhat unique in that it originally limited itself to the ms08-067 vulnerability, before expanding it’s repertoire with subsequent variants.)
Honeypots (of any variety) also provide a good return on investment even in environments where the analysis of malware isn’t a primary (or even secondary) concern. As the honeypot server has no legitimate services then the only traffic targetted at the honeypot should be malicious. Placed externally, this can provide an early warning system for attacks that eventually target legitimate systems and can give system administrations a better indication of the types and frequency of attacks that will be directed at live services. Placed internally they can help identify any internal infections, as compromised systems sweep the internal networks for other vulnerable hosts and trigger the honeypot. These logs can also help identify the root cause of any infectiona and potentially the initial infection vector.
Ultimately honeyput systems of all varieties have a myriad of beneficial uses. There is an enormous wealth of high quality information available from the various honey pot organisations, for example Shadowserver, the Honeynet Project and Carnivore.IT (home of Nepenthes).
–Andrew Waite
‘If you know your enemy and know yourself, you need not fear the result of a hundred battles’ – Sun Tzu

Join the conversation

24 Comments

  1. I am running a nepenthes now, but I still get nothing until now. Do you have any resources about it?

  2. How long has your nepenthes service been live? I can sometimes go several hours without a hit, don’t expect instant results.

    Also confirm from an external source that the route through to the emulated services is available. For example you’re not going to get many hits if the ports are protected by a corporate firewall (unless you’re internal network is a malware zoo, which is another issue entirely).

    Hit me up if you’re still having problems.
    — Andrew Waite

  3. How long has your nepenthes service been live? I can sometimes go several hours without a hit, don’t expect instant results.

    Also confirm from an external source that the route through to the emulated services is available. For example you’re not going to get many hits if the ports are protected by a corporate firewall (unless you’re internal network is a malware zoo, which is another issue entirely).

    Hit me up if you’re still having problems.
    — Andrew Waite

  4. I have run my nepenthes for 24 hours now, but still get nothing. I make an experiment, I use metasploit to exploit 143 port of my nepenthes. And I still get nothing in /var/log/nepenthes diretory. I thought that if someone exploit my nepenthes, I will get log in /var/log/nepenthes directory, am I right?
    I have disabled my ufw firewall on ubuntu. I wonder what is wrong.
    my gmail is : niuzhen.sdu@gmail.com

  5. I have run my nepenthes for 24 hours now, but still get nothing. I make an experiment, I use metasploit to exploit 143 port of my nepenthes. And I still get nothing in /var/log/nepenthes diretory. I thought that if someone exploit my nepenthes, I will get log in /var/log/nepenthes directory, am I right?
    I have disabled my ufw firewall on ubuntu. I wonder what is wrong.
    my gmail is : niuzhen.sdu@gmail.com

  6. I’m assuming that Metasploit claimed it was successful?

    What output do you receive from the console output or nepenthes.log file (location may vary depending on install, mine is: /opt/nepenthes/var/log/nepenthes.log) whilst running the metasploit exploit? Assuming that the exploit is successful then there should also be entries in the log/logged_submission file and the payload binary should be located in var/binaries/

    Additionally I’ve seen some, unknown and non-repeatable, issues where I’ve started the nepenthes process and everything looked good, but nothing was listening on the emulated ports. Try a ‘netstat -antp’ to ensure that the nepenthes services is creating the expected traps.

    Hope this helps

  7. I’m assuming that Metasploit claimed it was successful?

    What output do you receive from the console output or nepenthes.log file (location may vary depending on install, mine is: /opt/nepenthes/var/log/nepenthes.log) whilst running the metasploit exploit? Assuming that the exploit is successful then there should also be entries in the log/logged_submission file and the payload binary should be located in var/binaries/

    Additionally I’ve seen some, unknown and non-repeatable, issues where I’ve started the nepenthes process and everything looked good, but nothing was listening on the emulated ports. Try a ‘netstat -antp’ to ensure that the nepenthes services is creating the expected traps.

    Hope this helps

  8. I use metasploit to exploit my nepenthes agin, I can find sonthging in /var/log/nepenthes.log, and it write sth in directory /var/lib/nepenthes/hexdumps but nothing in /var/lib/nepenthes/binaries. I think that nepenthes should get some shellcode, and store them below /var/lib/nepenthes/binaries.
    Besides, metasploit tell me my exploit failed, so if I failed to exploit it, how could hackers exploit it successfully.
    I use: exploit/windows/smb/ms04_011_lsass eneric/debug_trap
    and I get:
    12:22:18 – ms04_011_lsass [*] Launching exploit windows/smb/ms04_011_lsass…
    12:22:29 – ms04_011_lsass [-] Exploit failed: Login Failed: The SMB server did not reply to our request

  9. I use metasploit to exploit my nepenthes agin, I can find sonthging in /var/log/nepenthes.log, and it write sth in directory /var/lib/nepenthes/hexdumps but nothing in /var/lib/nepenthes/binaries. I think that nepenthes should get some shellcode, and store them below /var/lib/nepenthes/binaries.
    Besides, metasploit tell me my exploit failed, so if I failed to exploit it, how could hackers exploit it successfully.
    I use: exploit/windows/smb/ms04_011_lsass eneric/debug_trap
    and I get:
    12:22:18 – ms04_011_lsass [*] Launching exploit windows/smb/ms04_011_lsass…
    12:22:29 – ms04_011_lsass [-] Exploit failed: Login Failed: The SMB server did not reply to our request

  10. I found this in /var/log/nepenthes.log:
    [04052009 20:01:03 debug info fixme] Submitting via http post to http://sandbox.norman.no/live_4.html
    [04052009 20:01:03 debug info fixme] Submitting via http post to http://luigi.informatik.uni-mannheim.de/submit.php?action=verify

    It said “…via http post..”, I wonder if something is wrong, subimit failed, otherwise, I should receive a email about shellcode.

    I also find something wrong, I uncomment the line “logirc.so”,”log-irc.conf” in nepenthes.conf. I get this in irc:
    (19时57分28秒) nep-noname: Handler http download handler will download http://213.92.8.7:31204/
    (19时57分32秒) nep-noname: HTTP ERROR header found 12
    Do you know what is wrong?

  11. I found this in /var/log/nepenthes.log:
    [04052009 20:01:03 debug info fixme] Submitting via http post to http://sandbox.norman.no/live_4.html
    [04052009 20:01:03 debug info fixme] Submitting via http post to http://luigi.informatik.uni-mannheim.de/submit.php?action=verify

    It said “…via http post..”, I wonder if something is wrong, subimit failed, otherwise, I should receive a email about shellcode.

    I also find something wrong, I uncomment the line “logirc.so”,”log-irc.conf” in nepenthes.conf. I get this in irc:
    (19时57分28秒) nep-noname: Handler http download handler will download http://213.92.8.7:31204/
    (19时57分32秒) nep-noname: HTTP ERROR header found 12
    Do you know what is wrong?

  12. The ‘Submitting via http…’ config lines show that Nepenthes has grabbed a malware sample and has sent it to Norman and Infomatik. Double check that you have a valid email address in the etc/nepenthes/submit-* config files. Assuming everything is in place you should receive an analysis response in due time. (often takes several days after initial submission).

    Haven’t come across the HTTP header error you describe, from a review of my logs I’ve seen several payloads fail to be capture the payload successfully. I’m *assuming* (anyone actually know, feel free to correct me) that this is due to the malware using some bizare upload methods that aren’t implemented in the Nepenthes shellcode handlers. If this is causing you a major issue, I’d suggest throwing it open to the nepenthes mailing list.

    Hope this helps, let me know how you’re getting on.

  13. The ‘Submitting via http…’ config lines show that Nepenthes has grabbed a malware sample and has sent it to Norman and Infomatik. Double check that you have a valid email address in the etc/nepenthes/submit-* config files. Assuming everything is in place you should receive an analysis response in due time. (often takes several days after initial submission).

    Haven’t come across the HTTP header error you describe, from a review of my logs I’ve seen several payloads fail to be capture the payload successfully. I’m *assuming* (anyone actually know, feel free to correct me) that this is due to the malware using some bizare upload methods that aren’t implemented in the Nepenthes shellcode handlers. If this is causing you a major issue, I’d suggest throwing it open to the nepenthes mailing list.

    Hope this helps, let me know how you’re getting on.

  14. hi everybody…i'm playing with nepenthes but i am having a problem… the tool is able to download binaries, but the hexdump directory remains empty…my configuration file is the default one…has someone an idea of the possible error? (it is running under "nobody" user and on an opensuse 11.1 system)…thanks

  15. hi everybody…i'm playing with nepenthes but i am having a problem… the tool is able to download binaries, but the hexdump directory remains empty…my configuration file is the default one…has someone an idea of the possible error? (it is running under "nobody" user and on an opensuse 11.1 system)…thanks

  16. Hi,

    hexdumps issue is similar to my system, I collect binaries but no shellcode (which was what I wanted when the system was first set up).

    I've been meaning to look at getting shellcodes added to my system for a while so I'll this as a kick to give it a closer look and let you know if I find anything.

    If you get a solution (or anyone else knows what we're missing) I'd appreciate a heads up.

    –Andrew

  17. Hi,

    hexdumps issue is similar to my system, I collect binaries but no shellcode (which was what I wanted when the system was first set up).

    I've been meaning to look at getting shellcodes added to my system for a while so I'll this as a kick to give it a closer look and let you know if I find anything.

    If you get a solution (or anyone else knows what we're missing) I'd appreciate a heads up.

    –Andrew

  18. Anyone got a brief idea of the basics going on in the below code 😛
    linux-sqos:/opt/nepenthes/var/log # cat nepenthes.log
    [18032007 02:26:03 info module] 76 4
    [18032007 02:26:03 info module] SMB Session Request 76
    H CKFDENECFDEFFCFGEFFCCACACACACACA
    [18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
    [18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 ,
    0x0000004c).
    [18032007 02:26:03 warn module] Unknown SMBName exploit 0 bytes State 1
    [18032007 02:26:03 info handler dia] Unknown DCOM request, dropping
    [18032007 02:26:11 crit sc handler] MATCH linkxor::link matchCount 5 map_items 5
    [18032007 02:26:11 info sc handler] i = 1 map_items 5 , map = size
    [18032007 02:26:11 info sc handler] i = 2 map_items 5 , map = size
    [18032007 02:26:11 info sc handler] i = 3 map_items 5 , map = key
    [18032007 02:26:11 info sc handler] i = 4 map_items 5 , map = post
    [18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
    [18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330
    [18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
    [18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
    [18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
    [18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI)
    Intel 80386 32-bit
    [18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
    [18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
    [18032007 02:26:13 warn module] Unknown PNP Shellcode (Buffer 172 bytes) (State 0)
    [18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1638 ,
    0x000000ac).
    [18032007 02:26:13 warn module] Unknown LSASS Shellcode (Buffer 172 bytes) (State 0)
    [18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a08f0 ,
    0x000000ac).
    [18032007 02:26:13 warn handler dia] Unknown DCOM Shellcode (Buffer 172 bytes) (State 0)
    [18032007 02:26:13 handler dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x0809fa80 ,
    0x000000ac).
    linux-sqos:/opt/nepenthes/var/binaries # ls -l b6c9254853a642e90756cfb04efd67ea
    -rw-r–r– 1 root root 114176 Mar 18 02:26 b6c9254853a642e90756cfb04efd67ea
    linux-sqos:/opt/nepenthes/var/binaries # file b6c9254853a642e90756cfb04efd67ea
    b6c9254853a642e90756cfb04efd67ea: PE executable for MS Windows (GUI) Intel 80386 32-bit
    linux-sqos:/opt/nepenthes/var/binaries # cd /opt/nepenthes/var/hexdumps
    linux-sqos:/opt/nepenthes/var/hexdumps # ls -l 16e9e789e405a1bc1e69a3a7f302416b.bin
    -rw-r–r– 1 root root 172 Mar 18 02:26 16e9e789e405a1bc1e69a3a7f302416b.bin
    linux-sqos:/opt/nepenthes/var/hexdumps # file 16e9e789e405a1bc1e69a3a7f302416b.bin
    16e9e789e405a1bc1e69a3a7f302416b.bin: data
    linux-sqos:/opt/nepenthes/var/hexdumps # xxd -g 1 -u 16e9e789e405a1bc1e69a3a7f302416b.bin
    0000000: 00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40 …..SMBr……@
    0000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03 …………..,.
    0000020: 02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F …>….PC NETWO
    0000030: 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 RK PROGRAM 1.0..
    0000040: 4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52 MICROSOFT NETWOR
    0000050: 4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F KS 1.03..MICROSO
    0000060: 46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00 FT NETWORKS 3.0.
    0000070: 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E .LANMAN1.0..LM1.
    0000080: 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 2X002..LANMAN2.1
    0000090: 00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00 ..NT LANMAN 1.0.
    00000a0: 02 4E 54 20 4C 4D 20 30 2E 31 32 00 .NT LM 0.12.
    linux-sqos:/opt/nepenthes/var/hexdumps #

    1. It’s fairly straightforward, but as there’s a few red flags from the content you’ve sent (Nepenthes is now obsolete, run Dionaea instead; timestamps are old (2007); if you can get Nepenthes running, you should be able to work out the above). Convince me I’m not doing your homework for you first…..

Leave a comment

Leave a Reply to Andrew Waite Cancel reply

Your email address will not be published. Required fields are marked *