mimic-nepstats.py

As I discussed in my last post about Dionaea, I am really impressed with the improvements to logging capabilities over Nepenthes. I’ve now had a Dionaea system online for ~24 hours; while that isn’t enough data to draw any meaningful statistics, it has provided enough to work on some new tools. I had been intending to extend my Nepenthes tools to parse the logs and enter data into a database for additional and simpler analysis. This was promptly squashed with the migration to Dionaea, but the theory has proven to be a good one, as Dionaea’s default logging to an SQLite database has made development much quicker and easier.
To get a feel for the new system, and to keep my capabilities up to speed, I’ve spent this evening writing a script to provide the same information for a Dionaea system that my Nepenthes statistics script provided previously. As usual, the script can be found over at InfoSanity, here. An initial set of results from my system is below as an example:

Statistics engine written by Andrew Waite – www.infosanity.co.uk
Number of submissions: 11
Number of unique samples: 10
Number of unique source IPs: 8
First sample seen: 2009-11-09 14:19:15.518382
Last sample seen: 2009-11-10 18:35:28.235052
SystemrRunning: 1 day, 4:16:12.716670
Average daily submissions: 11.0
Most recent submissions:
2009-11-10 18:35:28.235052, 195.90.106.212, emulate://, a4dde6f9e4feb8a539974022cff5f92c
2009-11-10 16:23:12.925538, 195.93.135.67, tftp://195.93.135.67/ssms.exe, 1d419d615dbe5a238bbaa569b3829a23
2009-11-10 16:00:14.846435, 195.170.57.28, tftp://195.170.57.28/ssms.exe, fd28c5e1c38caa35bf5e1987e6167f4c
2009-11-10 15:39:48.598303, 195.46.34.91, http://zonetech.info/61.exe, beee7a74712b2e3c84182c1bf18750ae
2009-11-10 13:00:29.916721, 195.95.170.138, emulate://, ddf1259a8fcef0776054460ebdf3cae4
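
The following script is an added example of how such figures can be pulled from a Dionaea-style SQLite log; it is not the InfoSanity mimic-nepstats.py script. The two-table schema (connections and downloads) is a simplified, assumed version of Dionaea’s logsql layout, the rows are constructed sample data (documentation-range IPs, placeholder MD5 values), and the "partial day counts as one day" rule for the daily average is an assumption chosen to match the sample output above. It also handles the empty-database case a freshly started sensor presents.

```python
# Added example (not the InfoSanity script): the figures a nepstats-style report
# prints, queried from a Dionaea-style SQLite log. Schema and rows are assumed /
# constructed so the script runs offline.
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE connections (
    connection           INTEGER PRIMARY KEY,
    connection_timestamp REAL,   -- epoch seconds, as time.time() returns
    remote_host          TEXT
);
CREATE TABLE downloads (
    download          INTEGER PRIMARY KEY,
    connection        INTEGER REFERENCES connections(connection),
    download_url      TEXT,
    download_md5_hash TEXT
);
"""

def _ts(*ymdhms):
    """Epoch seconds for a UTC timestamp given as (y, m, d, H, M, S)."""
    return datetime(*ymdhms, tzinfo=timezone.utc).timestamp()

# Constructed rows: documentation-range IPs and placeholder MD5 values.
SAMPLE_CONNECTIONS = [
    (1, _ts(2009, 11, 9, 14, 19, 15), "192.0.2.10"),
    (2, _ts(2009, 11, 10, 12, 0, 0), "192.0.2.11"),
    (3, _ts(2009, 11, 10, 16, 0, 0), "192.0.2.10"),
    (4, _ts(2009, 11, 10, 18, 35, 28), "198.51.100.7"),
]
SAMPLE_DOWNLOADS = [
    (1, 1, "emulate://", "aa" * 16),
    (2, 2, "tftp://192.0.2.11/ssms.exe", "bb" * 16),
    (3, 3, "tftp://192.0.2.10/ssms.exe", "bb" * 16),  # same binary, new source
    (4, 4, "http://example.invalid/61.exe", "cc" * 16),
    (5, 4, "emulate://", "dd" * 16),
]

def load_sample_db():
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO connections VALUES (?, ?, ?)", SAMPLE_CONNECTIONS)
    conn.executemany("INSERT INTO downloads VALUES (?, ?, ?, ?)", SAMPLE_DOWNLOADS)
    conn.commit()
    return conn

JOIN = "FROM downloads d JOIN connections c ON c.connection = d.connection"

def compute_stats(conn, recent=5):
    """Return the report figures as a dict; a submission is one downloads row."""
    cur = conn.cursor()
    submissions = cur.execute("SELECT COUNT(*) FROM downloads").fetchone()[0]
    if submissions == 0:  # fresh sensor: MIN/MAX would be NULL, so short-circuit
        return {"submissions": 0, "unique_samples": 0, "unique_ips": 0,
                "first_seen": None, "last_seen": None,
                "running": timedelta(0), "avg_daily": 0.0, "recent": []}
    unique_samples = cur.execute(
        "SELECT COUNT(DISTINCT download_md5_hash) FROM downloads").fetchone()[0]
    unique_ips = cur.execute(
        f"SELECT COUNT(DISTINCT c.remote_host) {JOIN}").fetchone()[0]
    first, last = cur.execute(
        f"SELECT MIN(c.connection_timestamp), MAX(c.connection_timestamp) {JOIN}"
    ).fetchone()
    first_seen = datetime.fromtimestamp(first, timezone.utc)
    last_seen = datetime.fromtimestamp(last, timezone.utc)
    running = last_seen - first_seen
    # Assumption matching the sample output: a partial day counts as a whole
    # day, so a 28-hour-old system divides by 1 rather than by 1.18.
    avg_daily = submissions / max(running.days, 1)
    rows = cur.execute(
        "SELECT c.connection_timestamp, c.remote_host, d.download_url, "
        f"d.download_md5_hash {JOIN} "
        "ORDER BY c.connection_timestamp DESC, d.download DESC LIMIT ?",
        (recent,)).fetchall()
    return {"submissions": submissions, "unique_samples": unique_samples,
            "unique_ips": unique_ips, "first_seen": first_seen,
            "last_seen": last_seen, "running": running, "avg_daily": avg_daily,
            "recent": [(datetime.fromtimestamp(t, timezone.utc), ip, url, md5)
                       for t, ip, url, md5 in rows]}

def format_report(stats):
    """Render the dict in the same layout as the report above."""
    def fmt(dt):
        return dt.strftime("%Y-%m-%d %H:%M:%S") if dt else "n/a"
    lines = [f"Number of submissions: {stats['submissions']}",
             f"Number of unique samples: {stats['unique_samples']}",
             f"Number of unique source IPs: {stats['unique_ips']}",
             f"First sample seen: {fmt(stats['first_seen'])}",
             f"Last sample seen: {fmt(stats['last_seen'])}",
             f"System running: {stats['running']}",
             f"Average daily submissions: {stats['avg_daily']}",
             "Most recent submissions:"]
    lines += [f"{fmt(t)}, {ip}, {url}, {md5}" for t, ip, url, md5 in stats["recent"]]
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_report(compute_stats(load_sample_db())))
```

Counting submissions from the downloads table rather than from connections is deliberate: the sample report above lists one line per retrieved binary, and a single connection can yield more than one download, so the two counts diverge on a busy sensor.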

Andrew Waite

Starting with Dionaea

As my previous post states, my Nepenthes system has been retired. In its place I’m building up a Dionaea system. The new features proposed by Dionaea should go a long way to improving on a couple of Nepenthes’ shortcomings; a good comparison of the two systems can be found on the Nepenthes blog (post of October 27th). But what really caught my attention was the recent post on November 6th detailing the improved logging capabilities that are going to be built into Dionaea. I intend to cover these features at a later date once I’ve had more time to get used to the new system.
I must admit that I was shocked by the ease of installation and compilation. The instructions on Dionaea’s home page look a bit long-winded to me, especially as I’m used to the ease of ‘apt-get’, and past experience with manual compilation of source code always leaves me expecting a headache. This was doubled when I discovered my available hardware is starting to show signs of its age and was unable to successfully complete a fresh install of the latest Ubuntu, resulting in some of my components not quite meeting the written requirements. Somehow though I managed to muddle through the compilation instructions without issue, and now have a working Dionaea install.
Getting the system started was also a breeze: one command line as prescribed in the documentation and the system is live. Unsurprisingly it didn’t take long to get my first hits, retrieving my first binary within 40 minutes of first starting the system. As I restarted several times whilst playing with config settings, it could be that I missed a compromise that would have shortened this time frame in the real world.
So far I have only made a couple of changes to the config: replacing the dev’s email with my own to receive sandbox reports for collected binary samples (thanks for pointing that out on the mailing list, I probably would have missed it) and enabling the ihandler for p0f to try and take advantage of the system’s included fingerprinting capabilities.
As I’ve always liked statistics from honeypot systems, here is what I’ve got so far:

  • Running approximately 4 hours
  • Logged 20 unique attacks
  • Retrieved 4 unique malware binaries (and received the third party sandbox reports)
  • Generated 10,000+ log entries

Finally, thanks to the dev team for continuing to build and improve systems that I love to use. I couldn’t do half of what I do without quality systems to work with.
Andrew Waite

Last Nepenthes Statistics

Following on from the move from Nepenthes to Dionaea, I’m decommissioning my Nepenthes server to start afresh with Dionaea. As such I thought I’d share the final statistics using InfoSanity’s statistics script for Nepenthes.

Statistics engine written by Andrew Waite – www.InfoSanity.co.uk
Number of submissions: 4189
Number of unique samples: 1189
Number of unique source IPs: 2024
First sample seen on 2008-05-09
Last sample seen on 2009-10-31
Days running: 540
Average daily submissions: 7

Andrew Waite

Sad news: RIP Str0ke – Update, was hoax

UPDATE:
Turns out this was a hoax, @Str0ke:

I’m not dead yet, just being trolled.

Whoever started it, you got me. Hope the laughs you got from claiming a guy is dead was worth it. Get A Life.
Original Post
Sad news for the information security community today: it seems that Str0ke, the creator and maintainer of Milw0rm, has passed on. The Black Security blog reports a heart condition.
I didn’t know Str0ke personally, but like many I have benefited from the work and effort placed into the Milw0rm framework over the years.
Condolences and best wishes to Str0ke’s remaining family; rest in peace.
Andrew Waite

EuroTrash Security podcast is live

The first episode of EuroTrash Security has been released this week. The stated goal is to create an information security podcast focused on happenings within Europe, which provides one of the best taglines for a podcast I’ve heard: Security with funny accents.
EuroTrashSec is made up of a four-man team: Wim, Chris, Dale and Craig, with intro and outro music provided by c64 and Int Eighty of DualCore Music. The first episode can be found at the episode listings page.
The first episode was good, in my mind hitting the target perfectly, focusing on the UK’s attempt at an infosec ‘talent show’, UK-based conferences and a review of the recent security bloggers meet-up, which was organised by Dale.
Keep up the good work guys, I’m looking forward to the next episode.
Andrew Waite

Nepenthes is Dead, Long live Dionaea

As regular readers will know (do I have any of those?) I’ve been running a Nepenthes honeypot for a while. Current statistics show that the server ran for 540 days, was ‘exploited’ 4189 times, collecting 1189 unique samples (based on MD5 hash) from 2024 source IP addresses.
The latest post (dated October 27th 2009) on the Nepenthes site indicates that development on Nepenthes is coming to a close, stating 7 reasons preventing newer features being implemented with Nepenthes. As a result I’m stopping development on my statistics scripts for parsing Nepenthes’ log files. The good news is that work on Nepenthes’ spiritual successor is well underway, in the form of Dionaea.
I’m hopefully going to get a Dionaea box up and running in the near future to continue where I’ve left off with Nepenthes, watch this space…
Andrew Waite

SuperMondays – Barcamp style

This month’s SuperMondays was a deviation from the usual format; rather than a speaker followed by Q&A, the event was run in a format similar to Barcamp. This meant that there were several simultaneous conversations ongoing at any one time, with attendees floating between discussions and chipping in as appropriate.
For my part the first talk I attended was on cloud computing, which regular readers will know is something I’ve spent some time looking at recently. General consensus was that cloud may be the future, but no one was willing to place their critical data in the cloud just yet.
Second up was a discussion on encryption. This discussion started slowly; whilst there were several people present, most had some interest in encryption and had wanted to learn more from those more knowledgeable. Basic outcome: encryption is something you want to be doing for critical data.
The third and final discussion I got to was a comparison of open vs closed source development. In all honesty I was expecting an argument, with plenty of MS bashing all around. The discussion was remarkably calm and impartial, with a general consensus of ‘both have their place depending on circumstances’.
Some of the other talks included web development frameworks, a demo of Google Wave and a discussion of requirements for new start-ups.
Overall I think the event worked well, with some interesting discussions, but I do think I prefer the more traditional format. At least from the talks I attended, I don’t think those new to a topic would have walked away with any usable information; likewise the ‘knowledgeable’ attendees likely didn’t hear anything to change their opinions or beliefs.
There were some interesting announcements, including that which can’t be discussed (hint: if you want the inside scoop, some stuff gets announced at SuperMondays events before being released into the public domain, shhh!).

  • SuperChristmas has now been organised in partnership with other local networking groups, December 17th for all those in need of additional festivities.
  • North East Blog Directory: as part of SuperMondays the group is compiling a list of local technical blogs.
  • SuperMondays Google Groups: the Google Groups section for SuperMondays is starting to pick up pace. If you want to keep up to date with the group, suggest a topic or generally discuss the event, sign up and join in.

That’s all for this month, as usual thanks for a good night and see you all at the next one.
Andrew Waite

Dissecting the Hack

When I first heard about Jayson’s book, Dissecting the Hack: The F0rb1dd3n Network I was really looking forward to getting my hands on a copy. Without going through the backstory, getting a copy could now be difficult.
The community response to the situation has been outstanding; I don’t think any other industry would pull together to completely re-write some of a book’s material with original content. A new security community has been created to facilitate taking Dissecting the Hack forward, so head over to the forums and help out if you can. (And don’t forget to say ‘Hi’ if you do.)
Props to Jayson for keeping positive and still being productive throughout.
Andrew Waite

Automated Malware & ESXi frustrations

I recently read Christian Wojner’s excellent paper on Mass Malware Analysis and it re-ignited my desire to build an automated environment to improve and speed up my current malware analysis capabilities. The paper details a step-by-step for duplicating Wojner’s environment, but as I don’t have any spare equipment I’ve been looking for alternative routes.
Fortunately the paper also explains the theory, thought process and design of the system so that the reader can modify it to suit their own requirements. To achieve this I’ve been trying to replace the Xubuntu and VirtualBox host with my existing ESXi environment detailed in previous posts.
With a bit of Googling the vSphere CLI became the obvious choice to replace the control component for the infected machine in the automated malware environment. vmware-cmd.pl provides the functionality both to stop/start virtual guests and to revert a guest to a previous snapshot, exactly what is needed for the malware analysis environment. The commands to be utilised would be:

vmware-cmd.pl --server <ESXi Host> --username <user> --password <pass> /path/to/guest.vmx getstate
vmware-cmd.pl --server <ESXi Host> --username <user> --password <pass> /path/to/guest.vmx start
vmware-cmd.pl --server <ESXi Host> --username <user> --password <pass> /path/to/guest.vmx stop
vmware-cmd.pl --server <ESXi Host> --username <user> --password <pass> /path/to/guest.vmx revertsnapshot

This should have been enough to adapt Wojner’s control scripts to use ESXi instead of VirtualBox, but it appears that for the first time I’ve encountered a crippled feature not available in VMware’s free offering. Running the stop/start/revert commands results in the exception below:

Fault:
SOAP Fault:
-----------
Fault string: fault.RestrictedVersion.summary
Fault detail: RestrictedVersionFault

So that’s that: unless I happen to win the lottery (which I don’t play) or someone is able and willing to provide a full ESX license to a struggling researcher (which I don’t expect to happen) I’m back to looking for a replacement for Wojner’s VirtualBox control process. On with the next…
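
As an added example (not Wojner’s control scripts and not the vSphere CLI itself), the guest-reset step of an automated analysis run, driven through vmware-cmd.pl with the getstate/stop/revertsnapshot/start operations listed above. The wrapper class, the assumed "getstate() = on" output format, the host name esxi.example.invalid and the rule that treats any RestrictedVersion marker in the CLI output as a hard stop are all assumptions for this example; the command runner is injectable, so the ScriptedRunner stand-in lets the logic run without an ESXi host and reproduces the fault shown above.

```python
# Added example: reset a guest to its clean snapshot via vmware-cmd.pl and
# detect the RestrictedVersionFault that the free ESXi edition returns.
# Wrapper, output format and fault rule are assumptions, not VMware's API.
import subprocess


class RestrictedVersionFault(Exception):
    """ESXi refused the operation: the installed edition does not permit it."""


def run_subprocess(argv):
    """Default runner: execute the CLI and return combined stdout/stderr."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout + proc.stderr


class VmwareCmd:
    """Thin wrapper around `vmware-cmd.pl ... /path/to/guest.vmx <op>`."""

    def __init__(self, host, user, password, vmx, runner=None):
        # Credentials on the command line show up in the process list; fine on
        # a dedicated analysis box, not on a shared host.
        self.argv = ["vmware-cmd.pl", "--server", host, "--username", user,
                     "--password", password, vmx]
        self.runner = runner or run_subprocess

    def _call(self, op):
        out = self.runner(self.argv + [op])
        # The SOAP fault quoted above carries "fault.RestrictedVersion.summary"
        # and "RestrictedVersionFault"; either marker means the edition cannot
        # do this, so abort the run instead of retrying.
        if "RestrictedVersion" in out:
            raise RestrictedVersionFault(f"{op}: {out.strip()}")
        return out.strip()

    def getstate(self):
        # Assumed output format "getstate() = on|off|suspended".
        return self._call("getstate").rsplit("=", 1)[-1].strip()

    def stop(self):
        return self._call("stop")

    def revertsnapshot(self):
        return self._call("revertsnapshot")

    def start(self):
        return self._call("start")


def reset_guest(vm):
    """Return the guest to its clean snapshot and power it on.

    Returns the operations issued, in order, so the run log records exactly
    what happened before the next sample is introduced.
    """
    done = ["getstate"]
    if vm.getstate() == "on":  # a running guest is stopped before reverting
        vm.stop()
        done.append("stop")
    vm.revertsnapshot()
    vm.start()
    done += ["revertsnapshot", "start"]
    return done


class ScriptedRunner:
    """Stand-in for ESXi: answers from an op -> output dict, logging each call."""

    def __init__(self, replies):
        self.replies = replies
        self.calls = []

    def __call__(self, argv):
        op = argv[-1]
        self.calls.append(op)
        return self.replies.get(op, "")


FAULT_TEXT = ("Fault string: fault.RestrictedVersion.summary\n"
              "Fault detail: RestrictedVersionFault")


def demo():
    """Two runs against the stand-in: a licensed host, then a restricted one."""
    licensed = ScriptedRunner({"getstate": "getstate() = on"})
    vm = VmwareCmd("esxi.example.invalid", "user", "pass", "/path/to/guest.vmx",
                   runner=licensed)
    ok = reset_guest(vm)
    restricted = ScriptedRunner({"getstate": "getstate() = on", "stop": FAULT_TEXT})
    vm = VmwareCmd("esxi.example.invalid", "user", "pass", "/path/to/guest.vmx",
                   runner=restricted)
    try:
        reset_guest(vm)
        failed = None
    except RestrictedVersionFault as exc:
        failed = str(exc)
    return ok, failed, restricted.calls


if __name__ == "__main__":
    print(demo())
```

Failing fast on the fault matters more than it looks: a control loop that shrugs off the error and pushes the next sample would be running it on a guest that was never reverted, contaminating every subsequent result with the previous sample’s changes.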
Andrew Waite

Rapid7 Acquire Metasploit

I’d guess this won’t be breaking news to anyone, as it was always going to generate a buzz once announced, but for anyone who has missed today’s revelations: Metasploit has been acquired by Rapid7, with HDM and Egypt joining the company.
Since the news broke the Metasploit IRC channel (#metasploit on irc.freenode.net) has been alive with conversation and debate, some wishing the team well for the future, others concerned about the future of the project. One aspect that has been stated by all parties is that the Metasploit framework is to remain open source. The blog post released by Rapid7 attempts to allay any fears or concerns that may be created by the news.
As no one can see the future it is impossible to determine whether the move will be a boon or a problem for the industry as a whole, or what lies in store for the framework. I won’t try to comment, especially as those better placed than me seemed as in the dark as the rest of us.
Congratulations to HD Moore and the team; regardless of the future, the work they have put into the project has been of great assistance to the community, and provided freely at the expense of their free time. Given past history I’ll trust that the project will continue to assist the community as it has previously.
Thank you for your efforts to this point.
Andrew Waite