Comments on: Dionaea – Low interaction honeypot http://www.ethicalhack3r.co.uk/security/dionaea-low-interaction-honeypot/ Fri, 03 Feb 2012 00:36:13 +0000 hourly 1 http://wordpress.org/?v= By: ash http://www.ethicalhack3r.co.uk/security/dionaea-low-interaction-honeypot/comment-page-1/#comment-239934 ash Sun, 04 Dec 2011 20:01:29 +0000 http://www.ethicalhack3r.co.uk/?p=506#comment-239934 i want explanation of this file.can any one tell me? linux-sqos:/opt/nepenthes/var/log # cat nepenthes.log [18032007 02:26:03 info module] 76 4 [18032007 02:26:03 info module] SMB Session Request 76 H CKFDENECFDEFFCFGEFFCCACACACACACA [18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1 [18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c). [18032007 02:26:03 warn module] Unknown SMBName exploit 0 bytes State 1 [18032007 02:26:03 info handler dia] Unknown DCOM request, dropping [18032007 02:26:11 crit sc handler] MATCH linkxor::link matchCount 5 map_items 5 [18032007 02:26:11 info sc handler] i = 1 map_items 5 , map = size [18032007 02:26:11 info sc handler] i = 2 map_items 5 , map = size [18032007 02:26:11 info sc handler] i = 3 map_items 5 , map = key [18032007 02:26:11 info sc handler] i = 4 map_items 5 , map = post [18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long. [18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330 [18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8. [18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A== [18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes) [18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit [18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0) [18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac). [18032007 02:26:13 warn module] Unknown PNP Shellcode (Buffer 172 bytes) (State 0) [18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1638 , 0x000000ac). [18032007 02:26:13 warn module] Unknown LSASS Shellcode (Buffer 172 bytes) (State 0) [18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a08f0 , 0x000000ac). [18032007 02:26:13 warn handler dia] Unknown DCOM Shellcode (Buffer 172 bytes) (State 0) [18032007 02:26:13 handler dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x0809fa80 , 0x000000ac). linux-sqos:/opt/nepenthes/var/binaries # ls -l b6c9254853a642e90756cfb04efd67ea -rw-r--r-- 1 root root 114176 Mar 18 02:26 b6c9254853a642e90756cfb04efd67ea linux-sqos:/opt/nepenthes/var/binaries # file b6c9254853a642e90756cfb04efd67ea b6c9254853a642e90756cfb04efd67ea: PE executable for MS Windows (GUI) Intel 80386 32-bit linux-sqos:/opt/nepenthes/var/binaries # cd /opt/nepenthes/var/hexdumps linux-sqos:/opt/nepenthes/var/hexdumps # ls -l 16e9e789e405a1bc1e69a3a7f302416b.bin -rw-r--r-- 1 root root 172 Mar 18 02:26 16e9e789e405a1bc1e69a3a7f302416b.bin linux-sqos:/opt/nepenthes/var/hexdumps # file 16e9e789e405a1bc1e69a3a7f302416b.bin 16e9e789e405a1bc1e69a3a7f302416b.bin: data linux-sqos:/opt/nepenthes/var/hexdumps # xxd -g 1 -u 16e9e789e405a1bc1e69a3a7f302416b.bin 0000000: 00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40 .....SMBr......@ 0000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03 ..............,. 0000020: 02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F ...>....PC NETWO 0000030: 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 RK PROGRAM 1.0.. 0000040: 4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52 MICROSOFT NETWOR 0000050: 4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F KS 1.03..MICROSO 0000060: 46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00 FT NETWORKS 3.0. 0000070: 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E .LANMAN1.0..LM1. 0000080: 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 2X002..LANMAN2.1 0000090: 00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00 ..NT LANMAN 1.0. 00000a0: 02 4E 54 20 4C 4D 20 30 2E 31 32 00 .NT LM 0.12. linux-sqos:/opt/nepenthes/var/hexdumps # i want explanation of this file.can any one tell me?

linux-sqos:/opt/nepenthes/var/log # cat nepenthes.log

[18032007 02:26:03 info module] 76 4
[18032007 02:26:03 info module] SMB Session Request 76
H CKFDENECFDEFFCFGEFFCCACACACACACA
[18032007 02:26:03 warn module] Unknown NETDDE exploit 76 bytes State 1
[18032007 02:26:03 module] Stored Hexdump var/hexdumps/850745ec6a9f3cc3d7ce4bdd7294e468.bin (0x0809fa80 , 0x0000004c).
[18032007 02:26:03 warn module] Unknown SMBName exploit 0 bytes State 1
[18032007 02:26:03 info handler dia] Unknown DCOM request, dropping
[18032007 02:26:11 crit sc handler] MATCH linkxor::link matchCount 5 map_items 5
[18032007 02:26:11 info sc handler] i = 1 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 2 map_items 5 , map = size
[18032007 02:26:11 info sc handler] i = 3 map_items 5 , map = key
[18032007 02:26:11 info sc handler] i = 4 map_items 5 , map = post
[18032007 02:26:11 info sc handler] Found linkbot XOR decoder, key 0x1b, payload is 0x00b2 bytes long.
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330
[18032007 02:26:11 info sc handler] connectbackfiletransfer::linktransfer -> 64.182.172.15:56330, key 0xaeed1ff8.
[18032007 02:26:11 info down mgr] Handler link download handler will download link://64.182.172.15:56330/ru0f+A==
[18032007 02:26:13 info handler dia] Download via linkbot filetransferr done! ( download is 114176 bytes)
[18032007 02:26:13 info mgr submit] File b6c9254853a642e90756cfb04efd67ea has type PE executable for MS Windows (GUI) Intel 80386 32-bit
[18032007 02:26:13 warn dia] Unknown ASN1_SMB Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1a40 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown PNP Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a1638 , 0x000000ac).
[18032007 02:26:13 warn module] Unknown LSASS Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 module] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x080a08f0 , 0x000000ac).
[18032007 02:26:13 warn handler dia] Unknown DCOM Shellcode (Buffer 172 bytes) (State 0)
[18032007 02:26:13 handler dia] Stored Hexdump var/hexdumps/16e9e789e405a1bc1e69a3a7f302416b.bin (0x0809fa80 , 0x000000ac).

linux-sqos:/opt/nepenthes/var/binaries # ls -l b6c9254853a642e90756cfb04efd67ea
-rw-r–r– 1 root root 114176 Mar 18 02:26 b6c9254853a642e90756cfb04efd67ea
linux-sqos:/opt/nepenthes/var/binaries # file b6c9254853a642e90756cfb04efd67ea
b6c9254853a642e90756cfb04efd67ea: PE executable for MS Windows (GUI) Intel 80386 32-bit
linux-sqos:/opt/nepenthes/var/binaries # cd /opt/nepenthes/var/hexdumps
linux-sqos:/opt/nepenthes/var/hexdumps # ls -l 16e9e789e405a1bc1e69a3a7f302416b.bin
-rw-r–r– 1 root root 172 Mar 18 02:26 16e9e789e405a1bc1e69a3a7f302416b.bin
linux-sqos:/opt/nepenthes/var/hexdumps # file 16e9e789e405a1bc1e69a3a7f302416b.bin
16e9e789e405a1bc1e69a3a7f302416b.bin: data
linux-sqos:/opt/nepenthes/var/hexdumps # xxd -g 1 -u 16e9e789e405a1bc1e69a3a7f302416b.bin
0000000: 00 00 00 A8 FF 53 4D 42 72 00 00 00 00 08 01 40 …..SMBr……@
0000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2C 03 …………..,.
0000020: 02 08 10 3E 00 85 00 02 50 43 20 4E 45 54 57 4F …>….PC NETWO
0000030: 52 4B 20 50 52 4F 47 52 41 4D 20 31 2E 30 00 02 RK PROGRAM 1.0..
0000040: 4D 49 43 52 4F 53 4F 46 54 20 4E 45 54 57 4F 52 MICROSOFT NETWOR
0000050: 4B 53 20 31 2E 30 33 00 02 4D 49 43 52 4F 53 4F KS 1.03..MICROSO
0000060: 46 54 20 4E 45 54 57 4F 52 4B 53 20 33 2E 30 00 FT NETWORKS 3.0.
0000070: 02 4C 41 4E 4D 41 4E 31 2E 30 00 02 4C 4D 31 2E .LANMAN1.0..LM1.
0000080: 32 58 30 30 32 00 02 4C 41 4E 4D 41 4E 32 2E 31 2X002..LANMAN2.1
0000090: 00 02 4E 54 20 4C 41 4E 4D 41 4E 20 31 2E 30 00 ..NT LANMAN 1.0.
00000a0: 02 4E 54 20 4C 4D 20 30 2E 31 32 00 .NT LM 0.12.
linux-sqos:/opt/nepenthes/var/hexdumps #

]]> By: ash http://www.ethicalhack3r.co.uk/security/dionaea-low-interaction-honeypot/comment-page-1/#comment-239931 ash Sun, 04 Dec 2011 19:59:46 +0000 http://www.ethicalhack3r.co.uk/?p=506#comment-239931 how to read log file of dionaea? how to read log file of dionaea?

]]> By: Fhrobro http://www.ethicalhack3r.co.uk/security/dionaea-low-interaction-honeypot/comment-page-1/#comment-129202 Fhrobro Thu, 23 Dec 2010 22:06:57 +0000 http://www.ethicalhack3r.co.uk/?p=506#comment-129202 Catch those hackas! XD Catch those hackas! XD

]]> By: Andrew http://www.ethicalhack3r.co.uk/security/dionaea-low-interaction-honeypot/comment-page-1/#comment-122487 Andrew Tue, 16 Nov 2010 13:19:12 +0000 http://www.ethicalhack3r.co.uk/?p=506#comment-122487 Hello, I am having great difficulty running dionaea on ubuntu, I can't seem to capture anything, I have taken all security features away and taken the firewall down on my router. Thanks Hello, I am having great difficulty running dionaea on ubuntu, I can’t seem to capture anything, I have taken all security features away and taken the firewall down on my router.

Thanks

]]> By: Mona http://www.ethicalhack3r.co.uk/security/dionaea-low-interaction-honeypot/comment-page-1/#comment-82286 Mona Mon, 17 May 2010 18:43:52 +0000 http://www.ethicalhack3r.co.uk/?p=506#comment-82286 Hello there, I have installed Dionaea properly however I am facing some troubles when i try to run it? Please help. Thank you, Hello there,

I have installed Dionaea properly however I am facing some troubles when i try to run it? Please help.

Thank you,

]]> By: Ambrose http://www.ethicalhack3r.co.uk/security/dionaea-low-interaction-honeypot/comment-page-1/#comment-76173 Ambrose Tue, 04 May 2010 11:47:42 +0000 http://www.ethicalhack3r.co.uk/?p=506#comment-76173 Hi there, Can you tell me please, where I can find some forums or email conferences where are discussed any problems with installing and compiling not only dionaea but also dependencies (like libemu...)... Thanks for any response... Hi there,
Can you tell me please, where I can find some forums or email conferences where are discussed any problems with installing and compiling not only dionaea but also dependencies (like libemu…)…
Thanks for any response…

]]> By: iVictor http://www.ethicalhack3r.co.uk/security/dionaea-low-interaction-honeypot/comment-page-1/#comment-38424 iVictor Sun, 07 Mar 2010 12:23:03 +0000 http://www.ethicalhack3r.co.uk/?p=506#comment-38424 Going to try it this week. Looks like the home page is down(?). Checking out at ohloh (http://www.ohloh.net/p/dionaea). Best Regards. Going to try it this week. Looks like the home page is down(?). Checking out at ohloh (http://www.ohloh.net/p/dionaea).

Best Regards.

]]> By: Lukas http://www.ethicalhack3r.co.uk/security/dionaea-low-interaction-honeypot/comment-page-1/#comment-14108 Lukas Tue, 26 Jan 2010 16:53:48 +0000 http://www.ethicalhack3r.co.uk/?p=506#comment-14108 Hi Ryan, you are right, to get hits on Glastopf you have to set up a domain (FQDN > subdomains) and wait for a google crawler. Contact me if there are other questions. Greetings, Lukas Hi Ryan,

you are right, to get hits on Glastopf you have to set up a domain (FQDN > subdomains) and wait for a google crawler.

Contact me if there are other questions.

Greetings,
Lukas

]]> By: d0s http://www.ethicalhack3r.co.uk/security/dionaea-low-interaction-honeypot/comment-page-1/#comment-10275 d0s Sun, 17 Jan 2010 19:51:06 +0000 http://www.ethicalhack3r.co.uk/?p=506#comment-10275 Nice results I plan to set up a honeypot in a VM. Dionaea looks pretty cool. I know malware & rootkits tend to act differently in VM's but it would be interesting to see the results. D Nice results
I plan to set up a honeypot in a VM.
Dionaea looks pretty cool.
I know malware & rootkits tend to act differently in VM’s but it would be interesting to see the results.

D

]]>