Tuesday, August 17, 2010
Modifying Nepenthes to Prevent Nmap Enumeration
I decided to build a Linux KVM honeypot using nepenthes. From earlier tests, I knew that nmap could detect a nepenthes honeypot via a string in the fake FTPd service. Unfortunately, a second signature has been added. The two signatures in the nmap-service-probes file are:
match ftp m|^220 ---freeFTPd 1\.0---warFTPd 1\.65---\r\n| p/Nepenthes HoneyTrap fake vulnerable ftpd/ ,
and
match netbios-ssn m|^\x82\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$| p/Nepenthes fake honeypot netbios-ssn/ .
One can use a hex editor to alter the affected string in the vuln-ftpd.so binary, but it's practically impossible to do the same for the vuln-netdde.so binary. Therefore, I undertook the exercise of modifying the source code. After wasting several hours modifying the original source code, I finally found an easy solution. It should take less than an hour to modify and build a nepenthes Debian binary package with these directions assuming that the source code isn't too old using the g++-4.4 compiler.
1. Uncomment the deb-src entry in /etc/apt/sources.list or debian.list in /etc/apt.sources.d. Then type the following commands to create a directory and download the source:
# mkdir -p /tmp/source
# cd /tmp/source
# apt-get update ; apt-get source nepenthes
2. You will then have a new subdirectory called nepenthes-0.2.2 and three other files called nepenthes_0.2.2-5.diff.gz, nepenthes_0.2.2.orig.tar.gz, and nepenthes_0.2.2-5.dsc.
3. Install the following files to meet any package dependencies:
# apt-get install libcurl3-dev libmagic-dev libpcre3-dev libadns1-dev libpcap0.8-dev iptables-dev autoconf automake1.9 autotools-dev libtool libpcap-dev libssh-dev bison flex libcap2-dev dpatch
4. Change directory to nepenthes-0.22/modules/vuln-ftpd
# cd nepenthes-0.22/modules/vuln-ftpd
5. Using your favorite editor, alter the following line in vuln-ftpd.cpp,
const char * banner1 = "220 ---freeFTPd 1.0---warFTPd 1.65---\r\n";
to
const char * banner1 = "220 ---fbsdFTPd 1.0---warFTPd 1.65---\r\n";
6. Repeat steps four and five on the NETDDEDialogue.cpp file in the vuln-netdde modules subdirectory (../nepenthes-0.22/modules/vuln-netdde/NETDDEDialogue.cpp). In the following switch statement,
case NETDDE_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x82;
msg->getResponder()->doRespond(reply,64);
m_State = NETDDE_SHELLCODE;
}
break;
change reply[0]=0x82; to reply[0]=0x81; so that it looks like this:
case NETDDE_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x81;
msg->getResponder()->doRespond(reply,64);
m_State = NETDDE_SHELLCODE;
}
break;
7. Repeat step 6 on the MSMQDialogue.cpp file in the vuln-msmq module. The same switch statement was also used in that file as well. If you don't change it, the netbios-ssn nmap signature will be triggered on tcp ports 2103, 2105, and 2107.
case MSMQ_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x82;
msg->getResponder()->doRespond(reply,64);
m_State = MSMQ_SHELLCODE;
m_Buffer->clear();
}
break;
Change reply[0]=0x82; to reply[0]=0x81; so that it looks like this:
case MSMQ_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x81;
msg->getResponder()->doRespond(reply,64);
m_State = MSMQ_SHELLCODE;
m_Buffer->clear();
}
break;
8. Change directory to the sqlhandler-postgres subdirectory within the modules directory. In the sqlhandler-postgres.cpp file, add the cstdlib include statement
#include "<"cstdlib">" (w/o quotation marks)
as the last include statement before the using namespace nepenthes; statement.
9. Change directory to the parent source directory, i.e. /tmp/source/nepenthes-0.22. Execute
dpkg-buildpackage -rfakeroot -uc -b, i.e.
#dpkg-buildpackage -rfakeroot -uc -b
You should not get any errors during the package build. If you do, they will be either unmet package dependencies and the dpkg-buildpackage program will tell you which packages you are missing and to run apt-get install to fix them, or you will get a make error which causes program termination. Take note of what error caused make to terminate. Chances are that you are missing an include statement that is not patched with the current source code patches by dpkg-buildpackage (see step 8). Note the file that the error occurred in. Search Google with words from the error message. If it is a scope error, google the keyword word in single quotes along with C++, i.e. "malloc C++" to find the library that defines the keyword malloc.
10. Once dpkg-buildpackage is finished, the deb package, nepenthes_0.2.2-5_amd64.deb in my case, will be found in the source directory /tmp/source. You can install it with dpkg:
#dpkg -i nepenthes_0.2.2-5_amd64.deb
11. Run nmap to test your installed modified honeypot:
#nmap -sV 192.168.1.6
Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-16 23:30 CDT
Nmap scan report for 192.168.1.6
Host is up (0.00078s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp
22/tcp open ssh OpenSSH 5.5p1 Debian 4 (protocol 2.0)
25/tcp open smtp?
42/tcp open nameserver?
80/tcp open http?
110/tcp open pop3?
135/tcp open msrpc?
139/tcp open netbios-ssn?
143/tcp open imap?
443/tcp open https?
445/tcp open microsoft-ds?
465/tcp open smtps?
993/tcp open imaps?
995/tcp open pop3s?
1023/tcp open netvenuechat?
1025/tcp open NFS-or-IIS?
2103/tcp open zephyr-clt?
2105/tcp open eklogin?
2107/tcp open unknown
3372/tcp open msdtc?
5000/tcp open upnp?
6129/tcp open unknown
10000/tcp open snet-sensor-mgmt?
6 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi
Update (08/24/10): To test hexdump functionality, use netcat to send arbitrary text strings to test hexdump functionality. For example,
nc localhost 445
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Ctrl-C
should suffice, then ls -al /var/lib/nepenthes/hexdumps to see if a bin file exists. One can also do tail -20 /var/log/nepenthes.log to verify that nepenthes logged the hexdump capture. Performing the netcat test from my laptop to the honeypot showed that my changes did not affect the download functionality. It seems however that Verizon is filtering traffic because I am not seeing any hexdumps thus far.
match ftp m|^220 ---freeFTPd 1\.0---warFTPd 1\.65---\r\n| p/Nepenthes HoneyTrap fake vulnerable ftpd/ ,
and
match netbios-ssn m|^\x82\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0$| p/Nepenthes fake honeypot netbios-ssn/ .
One can use a hex editor to alter the affected string in the vuln-ftpd.so binary, but it's practically impossible to do the same for the vuln-netdde.so binary. Therefore, I undertook the exercise of modifying the source code. After wasting several hours modifying the original source code, I finally found an easy solution. It should take less than an hour to modify and build a nepenthes Debian binary package with these directions assuming that the source code isn't too old using the g++-4.4 compiler.
1. Uncomment the deb-src entry in /etc/apt/sources.list or debian.list in /etc/apt.sources.d. Then type the following commands to create a directory and download the source:
# mkdir -p /tmp/source
# cd /tmp/source
# apt-get update ; apt-get source nepenthes
2. You will then have a new subdirectory called nepenthes-0.2.2 and three other files called nepenthes_0.2.2-5.diff.gz, nepenthes_0.2.2.orig.tar.gz, and nepenthes_0.2.2-5.dsc.
3. Install the following files to meet any package dependencies:
# apt-get install libcurl3-dev libmagic-dev libpcre3-dev libadns1-dev libpcap0.8-dev iptables-dev autoconf automake1.9 autotools-dev libtool libpcap-dev libssh-dev bison flex libcap2-dev dpatch
4. Change directory to nepenthes-0.22/modules/vuln-ftpd
# cd nepenthes-0.22/modules/vuln-ftpd
5. Using your favorite editor, alter the following line in vuln-ftpd.cpp,
const char * banner1 = "220 ---freeFTPd 1.0---warFTPd 1.65---\r\n";
to
const char * banner1 = "220 ---fbsdFTPd 1.0---warFTPd 1.65---\r\n";
6. Repeat steps four and five on the NETDDEDialogue.cpp file in the vuln-netdde modules subdirectory (../nepenthes-0.22/modules/vuln-netdde/NETDDEDialogue.cpp). In the following switch statement,
case NETDDE_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x82;
msg->getResponder()->doRespond(reply,64);
m_State = NETDDE_SHELLCODE;
}
break;
change reply[0]=0x82; to reply[0]=0x81; so that it looks like this:
case NETDDE_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x81;
msg->getResponder()->doRespond(reply,64);
m_State = NETDDE_SHELLCODE;
}
break;
7. Repeat step 6 on the MSMQDialogue.cpp file in the vuln-msmq module. The same switch statement was also used in that file as well. If you don't change it, the netbios-ssn nmap signature will be triggered on tcp ports 2103, 2105, and 2107.
case MSMQ_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x82;
msg->getResponder()->doRespond(reply,64);
m_State = MSMQ_SHELLCODE;
m_Buffer->clear();
}
break;
Change reply[0]=0x82; to reply[0]=0x81; so that it looks like this:
case MSMQ_NULL:
{
char reply[64];
memset(reply,0,64);
reply[0]=0x81;
msg->getResponder()->doRespond(reply,64);
m_State = MSMQ_SHELLCODE;
m_Buffer->clear();
}
break;
8. Change directory to the sqlhandler-postgres subdirectory within the modules directory. In the sqlhandler-postgres.cpp file, add the cstdlib include statement
#include "<"cstdlib">" (w/o quotation marks)
as the last include statement before the using namespace nepenthes; statement.
9. Change directory to the parent source directory, i.e. /tmp/source/nepenthes-0.22. Execute
dpkg-buildpackage -rfakeroot -uc -b, i.e.
#dpkg-buildpackage -rfakeroot -uc -b
You should not get any errors during the package build. If you do, they will be either unmet package dependencies and the dpkg-buildpackage program will tell you which packages you are missing and to run apt-get install to fix them, or you will get a make error which causes program termination. Take note of what error caused make to terminate. Chances are that you are missing an include statement that is not patched with the current source code patches by dpkg-buildpackage (see step 8). Note the file that the error occurred in. Search Google with words from the error message. If it is a scope error, google the keyword word in single quotes along with C++, i.e. "malloc C++" to find the library that defines the keyword malloc.
10. Once dpkg-buildpackage is finished, the deb package, nepenthes_0.2.2-5_amd64.deb in my case, will be found in the source directory /tmp/source. You can install it with dpkg:
#dpkg -i nepenthes_0.2.2-5_amd64.deb
11. Run nmap to test your installed modified honeypot:
#nmap -sV 192.168.1.6
Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-16 23:30 CDT
Nmap scan report for 192.168.1.6
Host is up (0.00078s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp
22/tcp open ssh OpenSSH 5.5p1 Debian 4 (protocol 2.0)
25/tcp open smtp?
42/tcp open nameserver?
80/tcp open http?
110/tcp open pop3?
135/tcp open msrpc?
139/tcp open netbios-ssn?
143/tcp open imap?
443/tcp open https?
445/tcp open microsoft-ds?
465/tcp open smtps?
993/tcp open imaps?
995/tcp open pop3s?
1023/tcp open netvenuechat?
1025/tcp open NFS-or-IIS?
2103/tcp open zephyr-clt?
2105/tcp open eklogin?
2107/tcp open unknown
3372/tcp open msdtc?
5000/tcp open upnp?
6129/tcp open unknown
10000/tcp open snet-sensor-mgmt?
6 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi
Update (08/24/10): To test hexdump functionality, use netcat to send arbitrary text strings to test hexdump functionality. For example,
nc localhost 445
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Ctrl-C
should suffice, then ls -al /var/lib/nepenthes/hexdumps to see if a bin file exists. One can also do tail -20 /var/log/nepenthes.log to verify that nepenthes logged the hexdump capture. Performing the netcat test from my laptop to the honeypot showed that my changes did not affect the download functionality. It seems however that Verizon is filtering traffic because I am not seeing any hexdumps thus far.
Labels: obfuscate nmap enumeration nepenthes
