Thursday, September 9, 2010

Write-up for Google Summer of Code 2010

.....continued

Another write-up for the Dionaea project, as the Google Summer of Code 2010 officially completed on 16 August 2010.

Week 9 (19-24 July)
- Tried to add Dionaea support for the Windows task scheduler command-line utility "AT"
- Spent the whole week figuring out how it works, as AT was not able to process the SMB_Tree_Connect_AndX response from Dionaea any further
- Tried every possible solution (eg, modifying the response field by field, imitating exactly the same fields as a legitimate AT-to-Windows XP connection)
- The culprit found! The AT utility, such an oldie from Windows 2000, needs NetBIOS session support on port 139, and Dionaea only speaks SMB on port 445. Voila!
- Better to give up the idea of adding support for AT. Move on!

Good stuff during the analysis: I found a Wireshark bug, as it was not able to dissect the SMB Tree_Connect_AndX request and response properly if the 'Extended Response' flag (0x0008) is set in the request. A simple patch has been committed: http://www.mail-archive.com/wireshark-bugs@wireshark.org/msg23038.html

Week 10 (26 July - 1 August)
- fix the SMB share names to look like those of a default Windows OS, such as ADMIN$, C$, IPC$
- add support for nmap -sC scanning
- fix SMB_Negociate_Protocol_Response() to return a unicode-based DomainName and ServerName

An interesting point came up during the fix of the unicode-based DomainName and ServerName fields: Markus and I discussed the issue, as nmap and Wireshark showed different dissections for these two fields. At the beginning, we suspected that either nmap or Wireshark had mixed up the unicode and non-unicode variants of the two fields. Some reading followed..

In the end, we realised we had each been reading a different version of [MS-SMB].pdf. That is what confused us about whether the fields are unicode or non-unicode.

Big lesson for the week: always, always make sure to triple-check the documentation version, and grab the latest one!
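To make the Week 10 confusion concrete, here is a small added example (my own illustration for this post, not Dionaea's code): it encodes and decodes the DomainName and ServerName tail of an NT LM 0.12 Negotiate response, choosing UTF-16LE or OEM/ASCII from the CAP_UNICODE capability bit (0x00000004 in the SMB specs; the header flag SMB_FLAGS2_UNICODE, 0x8000, signals the same thing). The layout assumed here is the non-extended-security response: an 8-byte challenge, then DomainName, then ServerName, with no alignment padding modelled. The domain and server names are constructed sample values. Parsing the same bytes with the wrong assumption about the Unicode flag, which is exactly what a mismatched document version leads to, yields one-character names.

```python
import os

# Real values from the SMB specs: the Capabilities bit a server sets when it
# supports Unicode strings, and the SMB header Flags2 bit marking a message's
# strings as UTF-16LE.
CAP_UNICODE = 0x00000004
SMB_FLAGS2_UNICODE = 0x8000


def encode_name(name, unicode):
    """Null-terminated DomainName/ServerName: UTF-16LE when unicode, else OEM/ASCII."""
    if unicode:
        return name.encode("utf-16-le") + b"\x00\x00"
    return name.encode("ascii") + b"\x00"


def decode_name(buf, offset, unicode):
    """Read one null-terminated string at offset; return (text, offset past terminator)."""
    if unicode:
        end = offset
        # Step two bytes at a time so a 0x00 inside a UTF-16 code unit is not
        # mistaken for the terminator.
        while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
            end += 2
        return buf[offset:end].decode("utf-16-le"), end + 2
    end = buf.index(b"\x00", offset)
    return buf[offset:end].decode("ascii", errors="replace"), end + 1


def build_negotiate_data(challenge, domain, server, capabilities):
    """Data portion of an NT LM 0.12 Negotiate response without extended security.

    Assumed layout: 8-byte challenge, DomainName, ServerName (no alignment padding).
    The encoding of both names follows the CAP_UNICODE bit in `capabilities`.
    """
    if len(challenge) != 8:
        raise ValueError("NT LM 0.12 challenge is 8 bytes")
    unicode = bool(capabilities & CAP_UNICODE)
    return challenge + encode_name(domain, unicode) + encode_name(server, unicode)


def parse_negotiate_data(data, capabilities):
    """Inverse of build_negotiate_data: the parser's view of Capabilities decides the decoding."""
    unicode = bool(capabilities & CAP_UNICODE)
    challenge = data[:8]
    domain, off = decode_name(data, 8, unicode)
    server, _ = decode_name(data, off, unicode)
    return challenge, domain, server


def mismatch_demo():
    """Encode with CAP_UNICODE, then parse once correctly and once as if the
    server had not advertised Unicode; returns both (domain, server) pairs."""
    challenge = os.urandom(8)
    # Constructed sample names, not Dionaea's defaults.
    data = build_negotiate_data(challenge, "WORKGROUP", "DIONAEA-HOST", CAP_UNICODE)
    right = parse_negotiate_data(data, CAP_UNICODE)[1:]
    wrong = parse_negotiate_data(data, 0)[1:]
    return right, wrong


if __name__ == "__main__":
    right, wrong = mismatch_demo()
    print("parsed with the unicode flag honoured :", right)
    print("parsed as OEM strings                 :", wrong)
```

Running it shows the Unicode bytes read back as "WORKGROUP"/"DIONAEA-HOST" when the flag is honoured, and as "W"/"O" when it is not: the first 0x00 byte of each UTF-16LE character terminates an OEM string. That is the same kind of split nmap and Wireshark appeared to show us, and the reason to check which spec version each tool followed.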

Week 11 (2-8 August)

- Documentation on the work: Dionaea-NMAP NSE support, Metasploit fingerprinting support
- add 'Windows XP SP3' support, so Dionaea can declare itself as Windows XP SP 0/1, 2 or 3 according to the user's preference.

Week 12 (9-16 August)

- Finished another piece of documentation: Dionaea-NTLM Authentication
- Final week for Summer of Code, it is great to be with Dionaea!

The thing I loved the most during GSoC
It is good to squeeze my head to code and contribute to the project. And after all, I only realised that these little contributions from my dorm room are worthwhile, as Dionaea is widely used and deployed by security researchers globally.

It was great to have the project guided by Markus Koetter as mentor. At the beginning of the project, we did some expectation setting (eg, type of repository, communication medium and period, etc). That cool expectation setting cleared up the doubts and I was able to get on track instantly. The constant and prompt, I would say almost instant, responses from him all the time enriched my journey. He even wrote me some beautiful, quality code samples for reference purposes. Thank you Markus for the guidance and inspiration!

Toughest moment during GSoC
Ermm.. the AT issue during week 9. It took me days and nights for the whole week to figure out the source of the error. Lots of frustration, anticipation, excitement and then disappointment again during the week. The moment the culprit showed up, all the hard work was worth it!! A tough learning experience..


Best summer with Dionaea, The Honeynet Project.

More works to go...
