Monday, November 15, 2010

Simple steps to improve Dionaea SMB stack

SMB protocol is one of the core protocol that supported by Dionaea. The attacks on Port 445 will be received and logged in the sqlite database. Dioanea emulates SMB protocol and the related functions in SMB stack have written in Python. If you are running Dionaea and you found the unsupported RPC calls, you are most welcomed to improve Dionaea's SMB stack.

This is my work out. The process:
1. Dig out the unsupported function, in this case is the unsupported RPC call
2. Refer to MSDN Library for further detail about the function call
3. Find the application/test suite that can trigger the function well. Observe the original request and reply of the function, by using a clean Windows Image
4. Code it out!
5. Test, debug, test, debug, BINGO!!
6. Commit to the tree

1. Recently I found that this lines always appear in /opt/dionaea/var/log/dionaea.log, and I realised this unsupported RPC SRVSVC call with Opnum 21 hit my sensor frequently.
[13112010 09:02:07] rpcservices dionaea/smb/ 
Unknown RPC Call to SRVSVC 21
[13112010 12:21:37] rpcservices dionaea/smb/
Unknown RPC Call to SRVSVC 21
[13112010 13:38:34] rpcservices dionaea/smb/
Unknown RPC Call to SRVSVC 21

With the query to database /opt/dionaea/var/dionaea/logsql.sqlite, 68 hits of such unsupported RPC call attacked the sensor that running not more than 72 hours.
Here the database query result:
COUNT(*) | dcerpcrequest_uuid | dcerpcrequest_opnum | dcerpcservice_name 
68 4b324fc8-1670-01d3-1278-5a47bf6ee188 21 SRVSVC
1 12345778-1234-abcd-ef00-0123456789ac 34 samr

2. Refer to MSDN Library, it is the NetServerGetInfo method which used to retrieve current configuration information for the targeted server. The method structure quite simple:

NET_API_STATUS NetrServerGetInfo(
[in, string, unique] SRVSVC_HANDLE ServerName,
[in] DWORD Level,
[out, switch_is(Level)] LPSERVER_INFO InfoStruct

3. With some googling time, I managed to find the way that I can observe the original request and response of such NetServerGetInfo method. Here the simple Win32 program that can be used to test the NetServerGetInfo method. It worked well with a clean WindowsXP image as target and packet detail can be studied with Wireshark.

Note: To make this simple program work, the targeted WindowsXP need Guest account to be enabled. This spend me quite some time to figure it out as the System error 17XX keep appeared.

4. It is the time to code the method and let Dionaea support it! The RPC methods has resided in and it seperated clearly in classes such as ATSVC, DCOM, IOXIDResolver,lsarpc and others. Find the SRVSVC class and define the NetServerGetInfo handler.

5. Test the code with the Win32 program that compiled previously. Observed the packet in Wireshark. Test, debug, test, debug.. and it worked well as similiar with the Windows image. Further code test can be done by put it into the real network. The code works!

Observation with

2010-11-14 10:30:16
connection 21150 pcap tcp reject <- 118.X.180.91:47775
2010-11-14 10:30:16
connection 21151 smbd tcp accept <- 118.X.180.91:47774
dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188'
(SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188'
(SRVSVC) opnum 15 (NetShareEnum ())
dcerpc request: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188'
(SRVSVC) opnum 21 (NetServerGetInfo ())

Waiting next coming attack :)

6. Commit to the tree. Example :

7. After the commit, the added handler need to observe from time to time. Sometime the real world attack will be different from what what have coded. It need minor changes in certain packet field to make it work.

This is one of the ways to improve SMB stack. Simple and exciting. Feel free to write yours. If you need the git tree access, feel free to contact Markus


No comments:

Post a Comment