Sunday, May 23, 2010

smbclient to Dionaea

To test the Dionaea SMB Share Enumeration function, I used smbclient connect to Dionaea with

smbclient -L \\localhost


Error happened all the time as the message error has showed the empty sharing list.


And, if make the put file connect with smbclient, it showed the file transfer successfully.

smbclient '\\localhost\test'


The solution for this problem is simple. I found that the smbclient version in my Ubuntu is 2:3.4.0-3ubuntu5.0. When I upgrade it to 2:3.4.0-3ubuntu5.6, the problem solved. Now i manage get the Share Enumeration correct which provided in handle_NetShareEnum.


Move on.

Thursday, May 13, 2010

Dionaea new XMPP features - sample live sharing

As committed by Markus today, the Dionaea XMPP has added a new feature : Sample Live Sharing. Previously, the purpose of the XMPP implementation in Dionaea wish to create the distributed network and setup for the captured data. Multiple parties can run Dionaea sensor and multiple parties can run the backend for specified purpose such as data logging, data analysis, data collection and etc.

For me, the new "Sample Live Sharing" feature will be a cool idea to go. Usually single sensor captures the malware piece if the attack has triggered. Yet the amount of the capture is limited and the capture has bounded to a small scale network. For research or education purpose, distributed sample sharing network will be a great boast and a huge collection of sample can be obtained. This new features has fit the purpose.

Every sensor that joins the xmpp channel will shares its captured sample with others. The file will be streamed to the channel and other sensors may download it and store in their own local machine. There is no any central repository for the malware storage as all sample sharing is a live stream. once the sample has downloaded to the sensor's machine, further process can be executed such as send to Sandbox for further analysis

To get my feet wet with the feature, I connected my xmpp client Psi to Dionaea XMPP Server sensors.carnivore.it.

Psi setting


Psi connect to XMPP server successfully

Service Discovery to find the Chatrooms. We can see how many sensor and non-sensor client such as Psi that connected to the server.

Alternative way to join the GroupChat by configuration. The setting below is to join the anon-files groupchat(channel)

Ideally if any Dionaea sensor has joined the channel, it will download the shared sample by live stream. But I get my non-Dionaea xmpp client Psi to join the channel, any sample sharing will be represented in base64 format data.

The screenshot here show a live sharing sample. The AAAAAAA buffer is the exploit code for certain buffer overflow.

As the sensor will join the channel in visitor role, the message that has sent to the server will not relay to own sensor for the bandwidth saving purpose. To see further data, we can use the XML console that provided by Psi.

Sunday, May 9, 2010

Git useful command

As the Google Summer of Code 2010 is on, I will used Git as this is the version control system for The Honeynet Project. I will strive hard to improve the low interaction honeypot - Dionaea for this coming few months.

By spent a day study about git, here i make a summary of the Git useful command list.

"Git is a distributed revision control system with an emphasis on being fast. Git was initially designed and developed by Linus Torvalds for Linux kernel development.

Every Git working directory is a full-fledged repository with complete history and full revision tracking capabilities, not dependent on network access or a central server.
" From Wikipedia

Git Useful Command

$git log
view the history of the commit

$git log HEAD
view the most recent commit

$git log HEAD~
view the previous commit

$git log HEAD~2
view the previous 2 commits back in history

$git log --since="2 weeks ago" --until="yesterday"

$git log -p -n 1 1275f994b
$git show 1275f994b
both command may view the actual patch content of each change

$ git log net/ieee80211/ieee80211_module.c
list the changesets belonging to a specific file

$git branch
view the branch
There is a default "master" branch in any git repository,"HEAD" which always refers to the current branch.

$git branch -r
view the remote-tracking branch

$git status
view all changes in working dir (not really show the actual change)

$git diff
to know the actual code changes that we have made to the files

$git diff HEAD
display changes since last commit

$git config --global user.name "Your Name"
$git config --global user.email "you@example.com"
set your name and email address

$git add
if new files need to be committed for the first time.

$git commit -a
commit the changes

$git commit --amend
amend the broken commit message

$git reset HEAD~2
make the last 2 commits dissapear

$git pull
pulling changes from the original repository

The "git pull" command shown in the previous section is conceptually the combination of two commands, "git fetch" and "git merge".

$ git fetch
Using "git fetch" and "git merge" let us achieve exactly what "git pull" did, but we were able to stop in the middle to examine the situation, (and we could have decided to reject the changes and not merge them---leaving our master branch unchanged).

Eg. The new changes have been "fetched" into the current repository and are stored into "origin/master" and have not been into the current "master" branch. This operation never changes any of our own branches and is safe to do without changing our working copy.

$git merge origin
Let's assume we are happy with the changes and we want to include them into our master branch, since we at the master branch for the moment.

$git merge "Merge work in mybranch" HEAD mybranch
merge the work from mybranch to the HEAD, with the message "Merge work in mybranch"

$git remote
pulling the change from any remote repository.
Example :
Let's assume you are going to be working in the new-remote repository and you'd like to pull changes from the new-pull repository, where your friend "fred" has been making changes
$cd new-remote
$git remote add fred ../new-pull
$git fetch fred

$git checkout 0a633bf5
checking out previous version

$ git checkout master
return back to the tip of the master by check out master branch

$ git push ../new-bare --all
pushing changes to another repository

$ git push ../new-bare
the --all can be omitted after the first time


When I try to update my repo with "$git pull", the terminal has showed the the error as below,

Git pull: error: Entry 'filename' not uptodate. Cannot merge.

It means means I have changes in my local files that haven't been committed to the local repository. The solution as these:

$git stash
$git pull
$git stash apply

It temporary puts your local changes into another place. Then you can pull, to grab the latest changes. And then you can get your local changes back.




Creating a new branches


$ git checkout -b mybranch
create a new branch based at the current HEAD position, and switch to it.

$ git checkout -b mybranch earlier-commit
start new branch at some other point in the history than the current HEAD,

$ git checkout master
Jump back to your original master branch

$ git branch [startingpoint]
create a new branch _without_ actually checking it out and switching to it

Merging 2 branches


$ git checkout mybranch
$ echo "Work, work, work" >>hello
$ git commit -m 'Some work.' -i hello

$ git merge "Merge work in mybranch" HEAD mybranch

Get the "upstream changes" back to your branch, if needed

$ git checkout mybranch
$ git merge "Merge upstream changes." HEAD master

Reference
A tour of git: the basics
http://cworth.org/hgbook-git/tour/

A short git tutorial
https://kernel.org/pub/software/scm/git-core/docs/v1.2.6/core-tutorial.html