Sunday, July 18, 2010

Mid-term of Dionaea project

It has reached the mid-term evaluation of the Google Summer of Code 2010. I am glad that it has been a nice learning curve for me and that my work has improved Dionaea's features over time. This could be a good way to take note of my progress for the past 8 weeks up to today, before I forget.

My work mainly focuses on improving the SMB RPC stack, as this is the part Dionaea lacks. Here is a summary of the progress:

Prior to week 1
We have seen that some malware tries to propagate over IPC connections. It is crucial for Dionaea to support these IPC sessions: responding to the IPC connection, enumerating and adding network shares, enumerating users, and copying files across the network.

- Intensive reading of the theory
- PoC for IPC connection, share and user enumeration, share addition and file copying

Week 1 (24-30 May)
- Support for several RPC SRVSVC calls has been added
- The IPC connection and user enumeration worked.
- For network share enumeration, Dionaea already supported the SRVSVC SHARE_INFO_1 struct, which can be tested with smbclient. I have added support for the SHARE_INFO_502 struct for detailed share enumeration.

Week 2 (31-6 June)
- Support for the network share addition and file copy over the network functions has been completed.
- The SRVSVC SHARE_INFO_2 struct has been added, as it is needed for NetShareAdd. For now, Dionaea supports SHARE_INFO_1, 2 and 502.

Week 3 (7-13 June)
- Received and studied Markus's beautiful RPC call code.
- Reworked the original 'ugly and raw' code implementation from the past 2 weeks.

Week 4 (14-20 June)
- Code cleaning has been done, and several classes for RPC SAMR and SRVSVC have been added. These classes make further SAMR and SRVSVC support easier, as they are reused in several handlers.
- NDR support for RPC_UNICODE_STRING has been added

Week 5 (21-27 June)
- Started working on Dionaea support for the Nmap NSE scripts. The main focus is smb-enum-users.nse and smb-enum-shares.nse.
- Several SAMR and LSARPC classes added
- smb-enum-users.nse support has been completed

Week 6 (28-4 July)
- Continued work on Dionaea support for Nmap NSE
- SRVSVC SHARE_INFO_0 support has been added, as it is needed to respond correctly to smb-enum-shares.nse. Up to now, Dionaea supports the SHARE_INFO_0, 1, 2 and 502 structs.
- smb-enum-shares.nse and smb-enum-domains.nse support done

Week 7 (5-11 July)
- Added the part for NTLM authentication without an OID
- Added the ASN.1 BER identifier encoding function, which is used to construct the SecurityBlob for NTLMv2 authentication
- The Dionaea repo encountered a faulty merge, as a conflict happened between different commits. Reverting the reverted merge solved the problem. Nice reference
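As an added example (not Dionaea's own code and not part of the original post), here is a minimal ASN.1 BER identifier and length encoder of the kind the step above refers to, with a matching decoder and a check that tells a raw NTLMSSP SecurityBlob (the "without OID" case) apart from one wrapped in SPNEGO. The function names and the NTLMSSP sample bytes are constructed for this example; the SPNEGO facts it relies on are that NegTokenInit is tagged [APPLICATION 0] and NegTokenResp is tagged context-specific [1].

```python
from typing import Tuple

# Added example, not Dionaea code. BER identifier octet layout (X.690 8.1.2):
# bits 7-6 tag class, bit 5 primitive/constructed, bits 4-0 tag number.
UNIVERSAL, APPLICATION, CONTEXT_SPECIFIC, PRIVATE = 0x00, 0x40, 0x80, 0xC0
CONSTRUCTED = 0x20


def ber_identifier(tag_class: int, constructed: bool, tag_number: int) -> bytes:
    """Encode identifier octets. Tag numbers 0..30 fit in the low five bits;
    31 and above use the high-tag-number form: low bits all ones, then base-128
    digits (most significant first) with bit 7 set on every digit but the last."""
    if tag_number < 0:
        raise ValueError("tag number must be non-negative")
    first = tag_class | (CONSTRUCTED if constructed else 0)
    if tag_number < 31:
        return bytes([first | tag_number])
    digits = []
    while True:
        digits.append(tag_number & 0x7F)
        tag_number >>= 7
        if tag_number == 0:
            break
    digits.reverse()
    return bytes([first | 0x1F] + [d | 0x80 for d in digits[:-1]] + [digits[-1]])


def ber_length(n: int) -> bytes:
    """Encode definite-form length octets (X.690 8.1.3): one octet for 0..127,
    otherwise 0x80 | (number of following octets) then the length big-endian."""
    if n < 0:
        raise ValueError("length must be non-negative")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag_class: int, constructed: bool, tag_number: int, content: bytes) -> bytes:
    """One complete BER element: identifier + length + content."""
    return ber_identifier(tag_class, constructed, tag_number) + ber_length(len(content)) + content


def ber_parse_header(buf: bytes, offset: int = 0) -> Tuple[int, bool, int, int, int]:
    """Decode one identifier + length; returns (tag_class, constructed, tag_number,
    content_length, content_offset). Rejects indefinite lengths and lengths that run
    past the buffer, so an attacker-supplied blob cannot drive the caller out of bounds."""
    first = buf[offset]
    tag_class, constructed, tag_number = first & 0xC0, bool(first & 0x20), first & 0x1F
    pos = offset + 1
    if tag_number == 0x1F:  # high-tag-number form
        tag_number = 0
        while True:
            b = buf[pos]
            pos += 1
            tag_number = (tag_number << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    lb = buf[pos]
    pos += 1
    if lb & 0x80:
        nbytes = lb & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length not supported")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = lb
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag_class, constructed, tag_number, length, pos


# Constructed sample: only the fixed prefix of an NTLMSSP NEGOTIATE_MESSAGE
# (signature, then message type 1 as a little-endian 32-bit integer).
NTLMSSP_NEGOTIATE_PREFIX = b"NTLMSSP\x00" + (1).to_bytes(4, "little")


def classify_security_blob(blob: bytes) -> str:
    """Dispatch on the first element: raw NTLMSSP carries the 'NTLMSSP\\0' signature,
    SPNEGO NegTokenInit is [APPLICATION 0] (0x60), NegTokenResp is [1] (0xA1)."""
    if blob.startswith(b"NTLMSSP\x00"):
        return "ntlmssp-raw"
    try:
        tag_class, constructed, tag_number, _, _ = ber_parse_header(blob)
    except (IndexError, ValueError):
        return "unknown"
    if constructed and tag_class == APPLICATION and tag_number == 0:
        return "spnego-init"
    if constructed and tag_class == CONTEXT_SPECIFIC and tag_number == 1:
        return "spnego-resp"
    return "unknown"


if __name__ == "__main__":
    # Wrap the sample token as a NegTokenResp responseToken: [1] SEQUENCE { [2] OCTET STRING }
    wrapped = ber_tlv(CONTEXT_SPECIFIC, True, 1, ber_tlv(UNIVERSAL, True, 16,
              ber_tlv(CONTEXT_SPECIFIC, True, 2, ber_tlv(UNIVERSAL, False, 4, NTLMSSP_NEGOTIATE_PREFIX))))
    print(classify_security_blob(NTLMSSP_NEGOTIATE_PREFIX), classify_security_blob(wrapped))
```

The point of the bounds check in `ber_parse_header` is that the SecurityBlob comes straight from the client: a honeypot that trusts a BER length field and slices past the end of the packet, or loops on an indefinite length, can be knocked over by a malformed session setup before any malware is ever captured.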

Week 8 (12-18 July)
- Started work on Dionaea support for Metasploit exploits
- Determined the msf OS fingerprinting method
- Dionaea can support and respond correctly to the Metasploit MS08-067 exploit, with the correct OS type and language fingerprint

More to come in the coming weeks...
