Tuesday, August 17, 2010

Error: Dionaea thread problem?

Yesterday, when I checked my dionaea's fruit, I found that the sensor had stopped functioning again. It is the second time; the problem happened previously, as I blogged. Again, I read dionaea.log and found the overall flow as below:

1. [16082010 21:03:08] logsql dionaea/logsql.py:410-info: accepted connection from 118.100.XXX.XX:61456 to 192.168.1.99:445 (id=186021)

2. ... NTLMSSP Authentication with GSSAPI...

3. [16082010 21:03:11] rpcservices dionaea/smb/rpcservices.py:64-info: Calling SRVSVC NetPathCanonicalize (1f) maybe MS08-67 exploit?
[16082010 21:03:11] rpcservices dionaea/smb/rpcservices.py:73-warning: DCERPCValueError path is too long (b"\\\x00FUnMLEvdNzjntXznAvcOSD......")

4. ... NTLMSSP Authentication without GSSAPI...
SMB_COM_TREE_CONNECT_ANDX
SMB NTcreate AndX Request

5. [16082010 21:03:28] rpcservices dionaea/smb/rpcservices.py:66-info: Calling SVCCTL OpenSCManagerA (1b)
[16082010 21:03:29] rpcservices dionaea/smb/rpcservices.py:66-info: Calling SVCCTL CreateServiceA (18)
-PSEXESVC
-%SystemRoot%\\System32\\PSEXESVC.EXE\
[16082010 21:03:29] rpcservices dionaea/smb/rpcservices.py:66-info: Calling SVCCTL CloseServiceHandle (0)

6. SMB Close

7. SMB Sessionsetup ESEC AndX ( For NTLMSSP without GSSAPI)

8. SMB_COM_TREE_CONNECT_ANDX
-\\118.100.XX.XX\IPC$
-\\118.100.XX.XX\ADMIN$

9. SMB Treeconnect AndX Response Extended (first time I saw this layer being used!)

[16082010 21:03:35] incident incident.c:185-debug: incident 0xa6aedc8 dionaea.download.offer
[16082010 21:03:35] incident incident.c:203-debug: con: (ptr) 0xa3bab20
[16082010 21:03:35] incident incident.c:203-debug: url: (string) smb://124.47.XX.163/system32\dumpsys.exe

[16082010 21:03:47] incident incident.c:210-debug: reporting 0xa1c0940
[16082010 21:03:47] incident incident.c:185-debug: incident 0xa1c0940 dionaea.download.offer
[16082010 21:03:47] incident incident.c:203-debug: con: (ptr) 0xa3bab20
[16082010 21:03:47] incident incident.c:203-debug: url: (string) smb://124.47.XX.163/System32\PSEXESVC.EXE

10.
[16082010 21:04:22] logsql dionaea/logsql.py:410-info: accepted connection from 124.47.XX.163:4715 to 192.168.1.99:445 (id=186026)

11. The error happens and the sensor stops.
[16082010 21:04:25] thread threads.c:90-critical: Threadpool is crowded 3/2, suspending *all* activity
[16082010 21:04:25] thread threads.c:90-critical: Threadpool is crowded 3/2, suspending *all* activity

12. The captures recorded in var/dionaea/binaries:
-rw------- 1 root root 60K 2010-08-16 21:03 8b48f59fb263b1b3ed5f9f2a8cd8fd26
-rw------- 1 root root 92K 2010-08-16 21:02 4a6e5980ad7d1a4bbe71ec46fa96755e

To do:
Keep observing the problem. If it happens again, it is time to dig into the flaw. A thread problem due to OS issues? Any dependency issues? An improper reply to an RPC call such as SVCCTL CreateServiceA?

Thursday, August 5, 2010

Metasploit OS fingerprinting based on SMB

This is the way Metasploit performs OS fingerprinting based on the SMB protocol; interesting.

To simplify the explanation of how the OS version and language are determined, I put it all in a flow chart.

Monday, August 2, 2010

Difference between NTLMv1 and NTLMv2

In the Metasploit source, we can see the clear difference between NTLM and NTLMv2: it comes down to the self.challenge_key and the self.extended_security flag. This can be observed during the negotiate protocol process, where the server replies with an SMB Negotiate Protocol response. From this response, we can check for the existence of the challenge_key or the extended_security flag.


# Authenticate and establish a session

    def session_setup(*args)
        if (self.dialect =~ /^(NT LANMAN 1.0|NT LM 0.12)$/)
            if (self.challenge_key)
                return self.session_setup_ntlmv1(*args)
            end
            if ( self.extended_security )
                return self.session_setup_ntlmv2(*args)
            end
        end
        return self.session_setup_clear(*args)
    end

Too bad Blogspot can't display the spacing well and I need to replace it with ---, argh.

Metasploit /lib/rex/proto/smb/client.rb
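A worked illustration of that branch, added here and not taken from Metasploit: it builds two constructed NT LM 0.12 Negotiate Protocol responses (one carrying an 8-byte challenge, one with CAP_EXTENDED_SECURITY set and a security blob), parses the fields the client checks, and applies the same decision as session_setup above. The field layout follows the NT LM 0.12 negotiate response format; the builder and parser function names are my own.

```ruby
# Added example, not Metasploit's code: parse an NT LM 0.12 SMB_COM_NEGOTIATE
# response and decide which session setup path session_setup would take.
CAP_EXTENDED_SECURITY = 0x80000000  # Capabilities bit checked by the client

# Build a constructed negotiate response: 32-byte SMB header, 17 parameter words,
# then either an 8-byte challenge + domain, or a 16-byte server GUID + security blob.
def build_negotiate_response(extended:)
  header = "\xFFSMB".b + [0x72, 0, 0x88, 0xC001].pack('CVCv') + ("\x00" * 20).b
  caps = 0x0000F3FD
  caps |= CAP_EXTENDED_SECURITY if extended
  data = if extended
           ("\x11" * 16).b + "\x60\x06\x06\x2B".b          # GUID + start of SPNEGO blob
         else
           "\x01\x23\x45\x67\x89\xAB\xCD\xEF".b + "WORKGROUP\x00".b  # challenge + domain
         end
  # DialectIndex, SecurityMode, MaxMpx, MaxVcs, MaxBuf, MaxRaw, SessionKey,
  # Capabilities, SystemTime (2x32), TimeZone, ChallengeLength
  words = [0, 0x03, 50, 1, 16644, 65536, 0, caps, 0, 0, 0, extended ? 0 : 8]
  header + [17].pack('C') + words.pack('vCvvVVVVVVvC') + [data.bytesize].pack('v') + data
end

# Parse the response and return the fields the client branches on.
def parse_negotiate_response(buf)
  raise 'not an SMB negotiate response' unless buf.byteslice(0, 4) == "\xFFSMB".b && buf.getbyte(4) == 0x72
  raise 'unexpected WordCount' unless buf.getbyte(32) == 17
  f = buf.byteslice(33, 34).unpack('vCvvVVVVVVvC')
  caps, key_len = f[7], f[11]
  byte_count = buf.byteslice(67, 2).unpack1('v')
  data = buf.byteslice(69, byte_count)
  info = { dialect_index: f[0], security_mode: f[1], capabilities: caps,
           extended_security: (caps & CAP_EXTENDED_SECURITY) != 0, challenge_key: nil }
  if info[:extended_security]
    info[:server_guid] = data.byteslice(0, 16)       # challenge comes later inside NTLMSSP
    info[:security_blob] = data.byteslice(16, byte_count - 16)
  elsif key_len > 0
    info[:challenge_key] = data.byteslice(0, key_len) # 8-byte server challenge for NTLMv1
  end
  info
end

# Same decision as Metasploit's session_setup: challenge key => NTLMv1,
# extended security => NTLMv2 (NTLMSSP via SPNEGO), otherwise cleartext.
def session_setup_path(dialect, info)
  return :clear unless dialect =~ /^(NT LANMAN 1.0|NT LM 0.12)$/
  return :ntlmv1 if info[:challenge_key]
  return :ntlmv2 if info[:extended_security]
  :clear
end
```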