Monday, June 28, 2010

Dionaea : Patch needed for Nmap nse

For Dionaea to handle the Nmap NSE scripts properly, a simple patch needs to be applied to Nmap. The reason is that Nmap hardcodes the "Alloc hint" value in the DCE/RPC request packet, and Dionaea needs this value to parse the stub data that follows.

For the moment, there are no official changes from Nmap. We need to make this simple change manually in /nselib/msrpc.lua.

Here is the diff:

Thanks to Markus for the patch.
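To see why a hardcoded alloc hint matters on the honeypot side, here is an added illustration (not Dionaea's parser and not the Nmap patch) that builds a constructed single-fragment DCE/RPC request and parses it two ways: delimiting the stub data by frag_length, and the fragile way that trusts alloc_hint as the stub length. All byte values and the helper names are constructed for this example.

```python
import struct

REQUEST_HDR = "<BBBB4sHHI"   # version, minor, ptype, flags, drep, frag_length, auth_length, call_id
REQUEST_BODY = "<IHH"        # alloc_hint, context_id, opnum; stub data follows at offset 24

def build_request(stub, alloc_hint, opnum=0, call_id=1):
    """Build a single-fragment, unauthenticated DCE/RPC request PDU (little-endian data rep).
    Constructed inline so the parser can be exercised offline; not a capture."""
    frag_length = 24 + len(stub)
    hdr = struct.pack(REQUEST_HDR, 5, 0, 0, 0x03, b"\x10\x00\x00\x00", frag_length, 0, call_id)
    return hdr + struct.pack(REQUEST_BODY, alloc_hint, 0, opnum) + stub

def parse_request(pdu):
    """Return call_id, opnum, the stub data delimited by frag_length, and whether alloc_hint
    agrees with the real stub length (a hardcoded hint breaks parsers that trust it)."""
    if len(pdu) < 24:
        raise ValueError("truncated DCE/RPC request")
    ver, _minor, ptype, _flags, drep, frag_length, auth_length, call_id = struct.unpack_from(REQUEST_HDR, pdu, 0)
    if ver != 5 or ptype != 0:
        raise ValueError("not a connection-oriented DCE/RPC request PDU")
    if not (drep[0] & 0x10) or auth_length != 0:
        raise ValueError("big-endian data rep or auth trailer: not handled by this example")
    if frag_length > len(pdu):
        raise ValueError("frag_length exceeds received bytes")
    alloc_hint, _context_id, opnum = struct.unpack_from(REQUEST_BODY, pdu, 16)
    stub = pdu[24:frag_length]
    return {"call_id": call_id, "opnum": opnum, "alloc_hint": alloc_hint,
            "stub": stub, "hint_matches_stub": alloc_hint == len(stub)}

def stub_by_alloc_hint(pdu):
    """The fragile strategy: treat alloc_hint as the stub length.
    With a hardcoded hint larger than the real stub, the read comes up short and parsing fails."""
    alloc_hint = struct.unpack_from("<I", pdu, 16)[0]
    stub = pdu[24:24 + alloc_hint]
    if len(stub) != alloc_hint:
        raise ValueError(f"stub data incomplete: alloc_hint says {alloc_hint}, got {len(stub)} bytes")
    return stub
```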

SMB script in Nmap Scripting Engine (NSE)

Nmap Scripting Engine (NSE) is one of the most powerful features of Nmap. In the default installation, Nmap contains quite a large number of NSE scripts that are useful for almost any scanning and reconnaissance purpose. They can be used easily with the --script switch when executing Nmap. Example:

$nmap -sT -v --script=smb-enum-shares.nse -p445

For Week 5 of the GSoC project, I played with these NSE scripts against a fresh Windows XP image. The original settings in WinXP are as below:

Local Policies : Security Options
Account : Guest account status = Disabled

Network access : Sharing and security model for local accounts = Guest only - local users authenticate as Guest

User Rights Assignment
Deny access to this computer from network = SUPPORT_388945a0, Guest

Result :
I have used 2 NSE scripts, smb-enum-users and smb-enum-shares, for the scanning purpose.
1. With the default WinXP settings, the smb-enum-users scan does not obtain any result, but smb-enum-shares returns nicely.

2. With a modification in User Rights Assignment, where I removed "Guest" from the parameter "Deny access to this computer from network", both NSE scan results are still the same as in Test 1.

3. After I activated the Guest account in the XP image, it made the difference! smb-enum-users returned the user accounts and smb-enum-shares returned the same shares as in Test 1 and Test 2.

4. Once I added Guest to the Administrators group, more details were shown, including description, comments, etc.


Sunday, June 20, 2010


Quote from

<13> Section There is no supported configuration in which Windows servers of this protocol (for example, a DC) return nonzero values for the SupportedFeatures field. However, Windows clients running Windows XP, Windows Vista, and Windows 7 are implemented to behave as specified earlier. For example, after calling SamrCreateUser2InDomain (section, Windows NT 4.0–style client applications assume that the RID returned by SamrCreateUser2InDomain can be concatenated with the domainSID in which the user was created to obtain the SID of the newly created user. This assumption limits the server's ability to create SIDs that differ in format from this assumption, and thus limits the number of accounts ever created to 2^32 (the maximum size of an unsigned integer, which is the datatype of a RID). For more information about the extensible structure of SIDs, see [MS-SECO] section 2.3.

To allow servers (in future implementations) to generate SIDs such that the RID is not an unsigned integer (for example, a 64-bit value), the SupportedFeatures value of 1 specifies to the client that the SamrRidToSid method must be called to obtain the SID of a RID value returned from this protocol. In this scenario, the RID returned from the protocol is modeled as a "handle" to the account that SamrRidToSid uses to return the SID value.

win2k: RID --> SamrRidToSid --> SID
SamrConnect4 (SupportedFeatures = 1)

winxp, vista, win7: no SamrRidToSid
SamrConnect5 (SupportedFeatures = 0)

Thursday, June 17, 2010

SAMR and SRVS support for Dionaea

SAMR - Security Account Manager Remote protocol

According to the MSDN site, the goal of this protocol is to enable IT administrators and end users to manage users, groups, and computers. The object-based perspective shows that the protocol exposes five main object abstractions: a server object, a domain object, a group object, an alias object (an "alias" being a type of group), and a user object. A client obtains a "handle" (an RPC context handle) to one of these objects and then performs one or more actions on the object.

The method-based perspective is used to show a common set of operations for each object type. The operations fall into patterns. For example, the Open pattern requires specifying a specific access for the handle in the request, and then using the returned handle to call other methods that require that handle along with the associated access.

Example of the SAMR call :

The call sequence from the client appears as follows (with the parameter information removed for brevity):

(a) Send a SamrConnect5 request; receive the SamrConnect5 reply.

(b) Send a SamrOpenDomain request; receive the SamrOpenDomain reply.

(c) Send a SamrSetInformationDomain request; receive the SamrSetInformationDomain reply.

(d) Send a SamrCloseHandle request; receive the SamrCloseHandle reply.

(e) Send a SamrCloseHandle request; receive the SamrCloseHandle reply.

SRVS - Server Service Remote Protocol

From MSDN: it is a remote procedure call (RPC)-based protocol that is used for remotely enabling file and printer sharing and named pipe access to the server through the Server Message Block (SMB) Protocol. It is designed for remotely querying and configuring a Server Message Block (SMB) server on a remote computer. By using this protocol, a client can query and configure information on the server such as active connections, sessions, shares, files, and transport protocols. The standard pipe name assignment is \PIPE\srvsvc.

For malware, there are many cases where it makes an IPC$ connection to the target, enumerates users and shares, then brute-forces with common usernames and passwords. Agrobot serves as the best example.

To handle these connections with Dionaea, it needs to support the SAMR and SRVS protocols. Several SAMR methods are necessary, such as:

a. Connect4 or Connect5
b. EnumDomains
c. LookupDomain
d. OpenDomain
e. EnumDomainUsers
f. Close

And 2 SRVS protocol methods need to be added for network share enumeration and addition:
a. NetshareEnumAll
b. NetShareAdd
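As an added illustration of what the honeypot has to keep track of, here is a constructed Python model of the SAMR handle-based call sequence and the SRVS share enumeration listed above, plus the client-side RID-to-SID concatenation from the MS-SAMR quote. It is not Dionaea's code and does not speak DCE/RPC; the domain SID, account RIDs and share names are sample data, and every class and function name is invented for this example.

```python
import itertools

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed sample domain SID
ACCOUNTS = {"Administrator": 500, "Guest": 501, "SUPPORT_388945a0": 1001}  # sample name -> RID

class SamrSrvsEmulator:
    """Honeypot side: the handle table behind the Open pattern (open, use handle, close)."""
    def __init__(self):
        self._handles = {}            # handle id -> (object kind, object name)
        self._ids = itertools.count(1)
    def _open(self, kind, name):
        h = next(self._ids)
        self._handles[h] = (kind, name)
        return h
    def _check(self, h, kind):        # closed or wrong-typed handles are rejected
        if self._handles.get(h, (None, None))[0] != kind:
            raise ValueError("STATUS_INVALID_HANDLE")

    def connect5(self):               # stands in for Connect4 as well
        return self._open("server", None), {"SupportedFeatures": 0}
    def enum_domains(self, server_h):
        self._check(server_h, "server")
        return ["SAMPLE-PC", "Builtin"]
    def lookup_domain(self, server_h, name):
        self._check(server_h, "server")
        return DOMAIN_SID if name == "SAMPLE-PC" else "S-1-5-32"
    def open_domain(self, server_h, sid):
        self._check(server_h, "server")
        return self._open("domain", sid)
    def enum_domain_users(self, domain_h):
        self._check(domain_h, "domain")
        return [(rid, name) for name, rid in ACCOUNTS.items()]   # RIDs, not SIDs
    def close(self, h):
        self._handles.pop(h, None)
    def net_share_enum_all(self):     # SRVS method, carried over \PIPE\srvsvc in reality
        return ["IPC$", "ADMIN$", "C$"]                          # sample shares

def rid_to_sid(domain_sid, rid):
    # client-side concatenation the MS-SAMR note describes; valid while SupportedFeatures == 0
    return f"{domain_sid}-{rid}"

def enumerate_like_a_client(emu):
    """Steps a-f from the post, issued the way a scanner or share-enumerating bot would."""
    server_h, _revision = emu.connect5()
    sid = emu.lookup_domain(server_h, emu.enum_domains(server_h)[0])
    domain_h = emu.open_domain(server_h, sid)
    users = {name: rid_to_sid(sid, rid) for rid, name in emu.enum_domain_users(domain_h)}
    emu.close(domain_h)
    emu.close(server_h)
    return users, emu.net_share_enum_all()
```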

For the past 3 weeks since the official GSoC coding start date, I have managed to commit some code to add support for these SAMR and SRVS methods. And now, Dionaea is able to handle these few methods well.

To do: improve code quality and move on to the next features!