Thursday, June 17, 2010

SAMR and SRVS support for Dionaea

SAMR - Security Account Manager Remote protocol

According to MSDN site, the goal of this protocol is to enable IT administrators and end users to manage users, groups, and computers. The object-based perspective shows that the protocol exposes five main object abstractions: a server object, a domain object, a group object, an alias object (an "alias" being a type of group), and a user object. A client obtains a "handle" (an RPC context handle) to one of these objects and then performs one or more actions on the object.

The method-based perspective is used to show a common set of operations for each object type. The operations fall into patterns. For example, Open Pattern need to specify a specific access for the handle in the request, and using the returned handle to call other methods that require the returned handle along with the associated access.

Example of the SAMR call :

The call sequence from the client appears as follows (with the parameter information removed for brevity):

(a) Send a SamrConnect5 request; receive the SamrConnect5 reply.

(b) Send a SamrOpenDomain request; receive the SamrOpenDomain reply.

(c) Send a SamrSetInformationDomain request; receive the SamrSetInformationDomain reply.

(d) Send a SamrCloseHandle request; receive the SamrCloseHandle reply.

(e) Send a SamrCloseHandle request; receive the SamrCloseHandle reply.


SRVS-Server Service Remote Protocol

From MSDN. it is a remote procedure call (RPC)–based protocol that is used for remotely enabling file and printer sharing and named pipe access to the server through the Server Message Block (SMB) Protocol. It is designed for remotely querying and configuring a Server Message Block (SMB)server on a remote computer. By using this protocol, a client can query and configure information on the server such as active connections, sessions, shares, files, and transport protocols. The standard assignments for the Pipe name is \PIPE\srvsvc

For malwares, that is a lot cases where it will make a IPC$ connection to the target, enumerate user,share, then brute force with the common username and passwd. Agrobot served as the best example http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=37776

To handle these connection with Dionaea, it need to support SAMR and SRVS protocol. Several SAMR methods is necessary such as

a. Connect4 or Connect5
b. EnumDomains
c. LookupDomain
d. OpenDomain
e. EnumDomainUsers
f. Close


And, 2 SRVS protocol menthods need to be added for the network share enumeration and addition:
a. NetshareEnumAll
b. NetShareAdd

For the past 3 weeks from the official GSOC coding date, I managed to commit some codes to made this SAMR and SRVS methods support. And now, Dionaea is able to handle these few methods well.

To do: code quality improve and move to next features!

Link:
http://msdn.microsoft.com/en-us/library/cc245482%28v=PROT.13%29.aspx

Commit:
http://src.carnivore.it/dionaea/commit/?id=9e68bb24717068531e88f4a97c100e91dbc2b1a3

No comments:

Post a Comment