Sunday, May 8, 2011

ATSVC support for Dionaea

For SMB/NETBIOS attacks, one of the usual ways to execute a payload on a remote machine is via the Task Scheduler. In a Windows environment, the 'at' command schedules a task to run at a specific time. For example, the AT command can be run as follows:

To view the scheduled tasks on the remote machine:
-at \\ip

To schedule a task for 23:00 hours on the remote machine:
-at \\ip 23:00 command

Recently, I took a look at the possibility of adding ATSVC service support to Dionaea, as mentioned by Markus in his blog when he looked at the MS11-020 vulnerability: http://carnivore.it/2011/04/19/rumors. As usual, after a couple of checks against MSDN and Wireshark, it is interesting to observe the difference between a legitimate connection and Dionaea's response.

Legitimate SMB connection between 2 Windows machines:
1. Negotiate Protocol Request/Response
2. Session Setup AndX Request/Response with NTLMSSP authentication
3. Tree Connect AndX Request/Response
4. NT Create AndX Request/Response
5. Trans2 Request/Response ...

Connection between a Windows machine and Dionaea:
1. Negotiate Protocol Request/Response
2. Session Setup AndX Request/Response with NTLMSSP authentication
3. Tree Connect AndX Request/Response
4. Tree Disconnect Request/Response

The connection is terminated after this response. How can that be?!

I spent quite some time figuring out the root cause of the issue, checking every single packet layer, field value, etc. After a long time of tweaking and troubleshooting, on the verge of giving up, the NBNS queries and responses that are transferred even before the SMB negotiation caught my attention. I noticed that at.exe needs NETBIOS protocol support, which is currently not available in Dionaea. Dionaea mainly supports the SMB protocol, which runs on port TCP/445, whereas at.exe also requires NETBIOS name service support, which runs on port UDP/137.

To execute at.exe remotely over the network, the normal connection flow is as below:
1. NBNS queries/responses
2. Negotiate Protocol Request/Response
3. Session Setup AndX Request/Response with NTLMSSP authentication
4. Tree Connect AndX Request/Response
..... [continue]

At the initial stage, several NBNS (NETBIOS Name Service) queries are exchanged on port UDP/137 before the SMB negotiation takes place. I believe that at.exe, as one of the legacy binaries that has existed since Windows NT, depends on the NBNS queries to decide whether to continue with any further action. Culprit found.
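To make the missing piece concrete, here is an added example (not Dionaea's code) of what a honeypot listening on UDP/137 has to do: parse an RFC 1002 NBNS NAME QUERY REQUEST, decode the first-level-encoded NetBIOS name, and build the POSITIVE NAME QUERY RESPONSE that lets a client like at.exe proceed to the SMB negotiation. The query below is constructed, and the name, transaction id and IP address are made-up values.

```python
# Minimal NBNS (RFC 1002) name-query handling for a honeypot on UDP/137.
# Added example, not Dionaea's own code; the sample query built by build_name_query is constructed.
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001  # QUESTION_TYPE NB, QUESTION_CLASS IN

def encode_netbios_name(name, suffix=0x20):
    """First-level encoding: pad to 15 chars, append the suffix byte, map each nibble to 'A'..'P'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)
    return b"\x20" + enc.encode("ascii") + b"\x00"   # length byte, 32 chars, terminator

def decode_netbios_name(label):
    """Reverse of encode_netbios_name over the 32 encoded chars; returns (name, suffix)."""
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def build_name_query(tid, name, suffix=0x20):
    """Constructed client query: OPCODE=0, RD and B (broadcast) flags set, one question."""
    hdr = struct.pack("!6H", tid, 0x0110, 1, 0, 0, 0)
    return hdr + encode_netbios_name(name, suffix) + struct.pack("!HH", NB_TYPE, IN_CLASS)

def parse_name_query(pkt):
    """Return (tid, name, suffix, encoded_name) for a NAME QUERY REQUEST, else None."""
    if len(pkt) < 12 + 34 + 4:
        return None
    tid, flags, qd, _an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    opcode = (flags >> 11) & 0x0F
    if flags & 0x8000 or opcode != 0 or qd != 1:   # responses and non-query opcodes are ignored
        return None
    if pkt[12] != 0x20 or pkt[45] != 0x00:         # encoded name must be exactly 32 chars
        return None
    qtype, qclass = struct.unpack("!HH", pkt[46:50])
    if qtype != NB_TYPE or qclass != IN_CLASS:
        return None
    name, suffix = decode_netbios_name(pkt[13:45])
    return tid, name, suffix, pkt[12:46]

def build_positive_response(tid, encoded_name, ip, ttl=300000):
    """POSITIVE NAME QUERY RESPONSE: flags 0x8500 (R, AA, RD), one answer RR with NB_FLAGS + address."""
    hdr = struct.pack("!6H", tid, 0x8500, 0, 1, 0, 0)
    nb_flags = 0x0000  # unique name, B-node
    rdata = struct.pack("!H4B", nb_flags, *map(int, ip.split(".")))
    rr = encoded_name + struct.pack("!HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return hdr + rr
```

A honeypot would feed each datagram received on UDP/137 through parse_name_query and send back build_positive_response with the same transaction id and its own address.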

Screenshot: Legitimate connection of 2 Windows hosts

Screenshot: Failed connection of a Windows host and Dionaea


Move on.

Friday, January 14, 2011

Dionaea SIP module test

Here is the listing of my test of the Dionaea SIP module with sipvicious. sipvicious is one of the de-facto SIP auditing tools for VOIP systems. The testing was performed with svmap.py, specifying some of the common scanning methods supported by a legitimate VOIP system.

I have listed the sipvicious output, followed by the Dionaea response for each method:


C:\sipvicious>python svmap.py -s session1 -v 192.168.56.101

INFO:DrinkOrSip:Db does sync
INFO:DrinkOrSip:trying to get self ip .. might take a while
INFO:root:start your engines
INFO:DrinkOrSip:unknown:unknown -> 192.168.56.101:5060 -> unknown
-> 3CXPhoneSystem
INFO:root:we have 1 devices
| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------
| 192.168.56.101:5060 | unknown | 3CXPhoneSystem |

INFO:root:Total time: 0:00:03.223000

C:\sipvicious>python svmap.py -m OPTIONS 192.168.56.10

| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------
| 192.168.56.101:5060 | unknown | 3CXPhoneSystem |

C:\sipvicious>python svmap.py -m CANCEL 192.168.56.101

| SIP Device | User Agent | Fingerprint |
-----------------------------------------------------------------------------------------
| 192.168.56.101:5060 | unknown | Viceroy 1.2 / T-Com Speedport W500V / Firmware v1.37 |
| | | MxSF/v3.2.6.26 / ET747-a3 |

[14012011 00:11:13] sip dionaea/sip.py:1118: Received CANCEL
[14012011 00:11:15] connection connection.c:3825: connection 0x9b35cb8 none/udp/none [192.168.56.101:5060->192.168.56.1:5060] state: none->close
[14012011 00:11:15] connection connection.c:3825: connection 0x9b35cb8 none/udp/close [192.168.56.101:5060->192.168.56.1:5060] state: close->close
[14012011 00:11:15] logsql dionaea/logsql.py:574: attackid 21567 is done

Note: Wireshark shows the packet as malformed.


C:\sipvicious>python svmap.py -m REGISTER 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m INVITE 192.168.56.101

WARNING:root:found nothing
[14012011 00:08:33] sip dionaea/sip.py:833: SIP Session created
[14012011 00:08:33] sip dionaea/sip.py:975: Received INVITE
[14012011 00:08:33] sip dionaea/sip.py:1183: Mandatory header content-type not in message

C:\sipvicious>python svmap.py -m ACK 192.168.56.101

WARNING:root:found nothing
[14012011 00:10:55] sip dionaea/sip.py:833: SIP Session created
[14012011 00:10:55] sip dionaea/sip.py:1061: Received ACK
[14012011 00:10:55] sip dionaea/sip.py:1069: Given Call-ID does not belong to any session: exit

C:\sipvicious>python svmap.py -m BYE 192.168.56.101

WARNING:root:found nothing
[14012011 00:12:42] sip dionaea/sip.py:833: SIP Session created
[14012011 00:12:42] sip dionaea/sip.py:1101: Received BYE
[14012011 00:12:42] sip dionaea/sip.py:1109: Given Call-ID does not belong to any session: exit

C:\sipvicious>python svmap.py -m PRACK 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m SUBSCRIBE 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m NOTIFY 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m PUBLLISH 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m INFO 192.168.56.101
WARNING:root:found nothing

C:\sipvicious>python svmap.py -m REFER 192.168.56.101

WARNING:root:found nothing

C:\sipvicious>python svmap.py -m UPDATE 192.168.56.101
WARNING:root:found nothing

C:\sipvicious>python svmap.py -m MESSAGE 192.168.56.101

WARNING:root:found nothing

[14012011 00:16:27] sip dionaea/sip.py:966: Unknown SIP header (supported: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER and SIP responses

From these quick tests, the current Dionaea SIP module handles the OPTIONS and CANCEL methods well. Several SIP methods can be improved in the Dionaea SIP module, such as INVITE, ACK, BYE and REGISTER, including support for the request and a reply with the correct response. I will work on it soon.
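The log lines above show three distinct checks the honeypot applies to a request: the method must be one it supports, mandatory headers must be present (the INVITE was rejected for a missing Content-Type), and ACK/BYE must reference a Call-ID from a known session. The following added example (not Dionaea's sip.py) reimplements that triage over constructed svmap-style probes; the header checks follow RFC 3261 and the per-method rules are my own reading of the log.

```python
# SIP request triage mirroring the checks visible in the Dionaea SIP log above.
# Added example, not Dionaea's sip.py; the probes produced by make_request are constructed.
SUPPORTED = {"INVITE", "ACK", "OPTIONS", "BYE", "CANCEL", "REGISTER"}
# RFC 3261 section 8.1.1: headers every request must carry; an INVITE carrying SDP also needs Content-Type
MANDATORY = {"via", "from", "to", "call-id", "cseq", "max-forwards"}
MANDATORY_BY_METHOD = {"INVITE": {"content-type"}}

def parse_request(raw):
    """Split a SIP request into (method, request-URI, {lowercased header: value}); None if not a request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("SIP/2.0"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers

def triage(raw, sessions):
    """Return (verdict, detail). `sessions` maps Call-ID -> state for dialogs created by earlier INVITEs."""
    parsed = parse_request(raw)
    if parsed is None:
        return "malformed", "not a SIP/2.0 request line"
    method, _uri, headers = parsed
    if method not in SUPPORTED:                      # e.g. PUBLISH, MESSAGE -> "Unknown SIP header"
        return "unsupported", method
    missing = (MANDATORY | MANDATORY_BY_METHOD.get(method, set())) - set(headers)
    if missing:                                      # e.g. INVITE without Content-Type
        return "missing-header", sorted(missing)[0]
    call_id = headers["call-id"]
    if method in ("ACK", "BYE") and call_id not in sessions:
        return "no-session", call_id                 # "Given Call-ID does not belong to any session"
    if method == "INVITE":
        sessions[call_id] = "invited"
    return "ok", method

def make_request(method, call_id, extra=""):
    """Constructed svmap-style probe (not captured traffic) with the RFC 3261 mandatory headers."""
    return (f"{method} sip:100@192.168.56.101 SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP 192.168.56.1:5060;branch=z9hG4bK-constructed\r\n"
            f"Max-Forwards: 70\r\nFrom: <sip:100@192.168.56.1>;tag=abc\r\n"
            f"To: <sip:100@192.168.56.101>\r\nCall-ID: {call_id}\r\n"
            f"CSeq: 1 {method}\r\n{extra}Content-Length: 0\r\n\r\n")
```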

Reference:
How to use svmap
http://code.google.com/p/sipvicious/wiki/SvmapUsage
List of SIP request methods
http://en.wikipedia.org/wiki/SIP_Requests