Testing Nepenthes Works

To check that Nepenthes actually works, and more importantly that any server-side applications relying on it receive data correctly, it is useful to run a simple end-to-end test.

First, enable (uncomment) the following lines in nepenthes.conf:

//  "x1.so",                       "x-1.conf",                     "",
//  "x2.so",                       "x-2.conf",                     "",

This lets us connect to the x-2 example module, which provides a simple shell, and the x-3 example module, which adds a file handler that reads data from /dev/urandom.

Start Nepenthes and, using netcat, connect to the port specified in x-2.conf (10002 by default).

You should have a prompt now:

joe@nepenthes ~ $ nc 127.0.0.1 10002
Welcome to dong Shell

Enter download file://127.0.0.1:53421//dev/urandom and hit return.

In the Nepenthes log file you should see something close to the following:

[23072008 01:57:18 crit module] Downloading file from "file://127.0.0.1:53421//dev/urandom"
[23072008 01:57:18 info down mgr] Handler urandom download handler will download file://127.0.0.1:53421//dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom
[23072008 01:57:18 info mgr submit] File 4a05e1a3a5658274c04409ea5b1a3227 has type data
[23072008 01:57:27 debug info fixme] File info submitted (4a05e1a3a5658274c04409ea5b1a3227, file://127.0.0.1:53421//dev/urandom)
[23072008 01:57:27 debug info fixme] File upload requested (4a05e1a3a5658274c04409ea5b1a3227, file://127.0.0.1:53421//dev/urandom)
[23072008 01:57:31 debug info fixme] Submitted file 4a05e1a3a5658274c04409ea5b1a3227 to sandbox http://www.norman.com/microsites/nsic/Submit/Special/45773/
[23072008 01:57:31 debug info fixme] Submitted file 4a05e1a3a5658274c04409ea5b1a3227 to sandbox http://luigi.informatik.uni-mannheim.de/submit.php?action=verify

Finally, check that the capture arrived: look at your filesystem if you are using the submit-file module, or at your logging system otherwise!
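The test above ends with a manual read through the log. As an added example that is not part of the original post, here is a small PHP script that automates that check: it parses each log line into time, level, tag and message, records which stage of the download and submit pipeline appeared for the test URL (request, handler selection, bytes read, MD5 and type, submission, sandbox hand-off), and exits non-zero if a stage is missing. The log format is inferred from the lines shown above; the script name checklog.php, the function names and the sample lines (constructed from the log above) are my own.

```php
<?php
// Added example, not part of the original post: verify from the Nepenthes log that the
// netcat test went through every stage. Log format assumed from the lines shown in the
// post: "[ddmmyyyy hh:mm:ss level tag] message".

/** Split one log line into its fields, or return null for lines in another format. */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^\[(\d{8} \d{2}:\d{2}:\d{2}) ([a-z]+) ([^\]]+)\] (.*)$/', rtrim($line), $m)) {
        return null;
    }
    return ['time' => $m[1], 'level' => $m[2], 'tag' => $m[3], 'msg' => $m[4]];
}

/** Walk the log and record which pipeline stages were seen for $url. */
function checkDownloadStages(array $lines, string $url): array
{
    $r = ['requested' => false, 'handler' => null, 'bytes' => 0, 'md5' => null,
          'filetype' => null, 'submitted' => false, 'sandboxes' => []];
    foreach ($lines as $line) {
        $e = parseLogLine($line);
        if ($e === null) {
            continue;
        }
        $msg = $e['msg'];
        if ($msg === 'Downloading file from "' . $url . '"') {
            $r['requested'] = true;
        } elseif (preg_match('/^Handler (.+) will download (\S+)$/', $msg, $m) && $m[2] === $url) {
            $r['handler'] = $m[1];
        } elseif (preg_match('/^read (\d+) bytes from /', $msg, $m)) {
            $r['bytes'] += (int) $m[1];
        } elseif (preg_match('/^File ([0-9a-f]{32}) has type (.+)$/', $msg, $m)) {
            $r['md5'] = $m[1];
            $r['filetype'] = $m[2];
        } elseif (preg_match('/^File info submitted \(([0-9a-f]{32}), (\S+)\)$/', $msg, $m) && $m[2] === $url) {
            $r['submitted'] = true;
        } elseif (preg_match('/^Submitted file [0-9a-f]{32} to sandbox (\S+)$/', $msg, $m)) {
            $r['sandboxes'][] = $m[1];
        }
    }
    return $r;
}

/** True when every stage up to submission is present and at least one byte was read. */
function stagesComplete(array $r): bool
{
    return $r['requested'] && $r['handler'] !== null && $r['bytes'] > 0
        && $r['md5'] !== null && $r['submitted'];
}

// Usage: php checklog.php /path/to/nepenthes.log; with no argument the constructed sample runs.
$url = 'file://127.0.0.1:53421//dev/urandom';
$sample = [   // constructed from the log excerpt in the post
    '[23072008 01:57:18 crit module] Downloading file from "' . $url . '"',
    '[23072008 01:57:18 info down mgr] Handler urandom download handler will download ' . $url,
    '[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom',
    '[23072008 01:57:18 debug info fixme] read 2048 bytes from /dev/urandom',
    '[23072008 01:57:18 info mgr submit] File 4a05e1a3a5658274c04409ea5b1a3227 has type data',
    '[23072008 01:57:27 debug info fixme] File info submitted (4a05e1a3a5658274c04409ea5b1a3227, ' . $url . ')',
    '[23072008 01:57:31 debug info fixme] Submitted file 4a05e1a3a5658274c04409ea5b1a3227 to sandbox http://www.norman.com/microsites/nsic/Submit/Special/45773/',
];
$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES) : $sample;
$result = checkDownloadStages($lines, $url);
printf("requested=%s handler=%s bytes=%d md5=%s type=%s submitted=%s sandboxes=%d\n",
    $result['requested'] ? 'yes' : 'no', $result['handler'] ?? '-', $result['bytes'],
    $result['md5'] ?? '-', $result['filetype'] ?? '-', $result['submitted'] ? 'yes' : 'no',
    count($result['sandboxes']));
exit(stagesComplete($result) ? 0 : 1);
```

The byte total is summed across the "read N bytes" lines so you can compare it against what landed on disk; if the MD5 line is present but the "File info submitted" line is not, the capture worked and it is the submit module or its server that needs attention.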

July 22nd, 2008
By Joe | filed under Honeypot, Nepenthes | No Comments »

Nepenthes submit-http server (with file upload!).

A simple server for the submit-http module within Nepenthes. It saves the details of the attack into a MySQL database and stores the captured binary in a folder.

The submit-http handler submits the attack data via an HTTP POST, including: URL, Trigger, MD5, SHA512, FileType, SourceHost, TargetHost, Filename and File.

Save the code below as submit.php and edit submit-http.conf to point to it. Make sure you read the issues below!

<?php

// Database credentials for the submission table (fill these in).
$user = "";
$passwd = "";
$db = "";
$server = "";

// Directory where captured binaries are written, named by their MD5.
$filepath = "binaries/";

// Nepenthes makes two kinds of request: a data-only POST announcing a capture,
// and (if we answer S_FILEREQUEST) a second POST carrying the file itself.
if (isset($_FILES['file']) && $_FILES['file']['size'] > 0) {
    if (!is_uploaded_file($_FILES['file']['tmp_name'])) {
        die("S_ERROR");
    }

    storeFile($_POST['md5']);
    echo "S_FILEOK";
} else {
    storeData($_POST, $_SERVER['REMOTE_ADDR']);

    if (fileExists($_POST['md5'])) {
        echo "S_FILEKNOWN";
    } else {
        echo "S_FILEREQUEST";
    }
}

// True if a binary with this MD5 has already been stored.
function fileExists($file) {
    global $filepath;
    return file_exists($filepath . $file);
}

// Run one query against the database. Uses the legacy mysql extension
// (removed in PHP 7, where mysqli is the replacement).
function queryDB($query) {
    global $user, $passwd, $db, $server;
    $con = mysql_connect($server, $user, $passwd);
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db($db, $con);

    $result = mysql_query($query, $con);

    if (!$result) {
        die('Error: ' . mysql_error());
    }
    mysql_close($con);

    return $result;
}

// Record the submission metadata. The values are interpolated straight into
// the SQL (see the issues below).
function storeData($data, $sensor) {
    $remotehost = $sensor;
    $url = $trigger = $md5 = $sha512 = $filetype = $sourcehost = $targethost = $filename = '';

    foreach ($data as $key => $value) {
        switch ($key) {
            case 'url':
                $url = $value;
                break;
            case 'trigger':
                $trigger = $value;
                break;
            case 'md5':
                $md5 = $value;
                break;
            case 'sha512':
                $sha512 = $value;
                break;
            case 'filetype':
                $filetype = $value;
                break;
            case 'source_host':
                $sourcehost = $value;
                break;
            case 'target_host':
                $targethost = $value;
                break;
            case 'filename':
                $filename = $value;
                break;
            default:
                break;
        }
    }

    $query = "INSERT INTO submission (`RemoteHost`, `URL`, `Trigger`, `MD5`, `SHA512`, `FileType`, `SourceHost`,
              `TargetHost`, `Filename`, `Submitted`) VALUES ('$remotehost', '$url', '$trigger', '$md5', '$sha512', '$filetype',
              '$sourcehost', '$targethost', '$filename', NOW())";

    queryDB($query);
}

// Move the uploaded binary into $filepath, named by the MD5 Nepenthes sent.
function storeFile($file) {
    global $filepath;
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $filepath . $file)) {
        die("S_ERROR");
    }
}

?>

You can test it works correctly with a simple HTML file as below. Save the file as submit.html.

<html>
<head>
</head>
<body>
<form action="submit.php" method="post" enctype="multipart/form-data">
  <p>URL
    <input type="text" name="url">
    <br>
    Trigger
    <input type="text" name="trigger">
    <br>
    MD5
    <input type="text" name="md5">
    <br>
    SHA512
    <input type="text" name="sha512">
    <br>
    FileType
    <input type="text" name="filetype">
    <br>
    SourceHost
    <input type="text" name="source_host">
    <br>
    TargetHost
    <input type="text" name="target_host">
    <br>
    Filename
    <input type="text" name="filename">
  </p>
  <p>
    <label>File
    <input type="file" name="file" id="file">
    </label>
  </p>
  <p>
    <input type="submit" value="Submit">
  </p>
</form>
</body>
</html>

For an example that simply writes to a file, see the UK Honeynet Project submit-http handler. Credit for the submit-http patch and the idea for this post go to Niklas Schiffler!

Current issues with this implementation:

  • There is no input checking; it’s SQL injection madness. Run it behind HTTP-Auth and add your own sanity checking!
  • It’s not the best way of coding it!
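As an added example of the "sanity checking" the first issue asks for, here is a hardened submit.php that is not code from the original post. It speaks the same protocol (the same POST field names and the S_FILEOK / S_FILEKNOWN / S_FILEREQUEST / S_ERROR replies) but validates the md5 and sha512 fields as hex digests before using them, names the stored file from the validated digest so the path cannot escape the binaries directory, confirms the uploaded bytes really hash to the claimed MD5, and inserts with a prepared statement so field values never become part of the SQL text. Assumptions not taken from the post: the mysqli extension (the original uses the older mysql_* functions), a submission table with the columns named in the original INSERT, a writable binaries/ directory beside the script, the placeholder credentials, the size and length caps, and that the upload request carries the same md5 field the original code reads.

```php
<?php
// Hardened version of submit.php, added here as an example; not code from the original post.
// Assumptions (not from the post): mysqli, a `submission` table with the columns below,
// a writable binaries/ directory next to this file, and placeholder credentials.
declare(strict_types=1);

const DB_HOST = '127.0.0.1';       // placeholder: your MySQL host
const DB_USER = 'nepenthes';       // placeholder
const DB_PASS = 'CHANGE_ME';       // placeholder
const DB_NAME = 'nepenthes';       // placeholder
const BINARY_DIR = __DIR__ . '/binaries';
const MAX_UPLOAD_BYTES = 32 * 1024 * 1024;   // cap on accepted sample size (assumed)

// Text fields the submit-http module sends, as listed in the post.
const TEXT_FIELDS = ['url', 'trigger', 'md5', 'sha512', 'filetype',
                     'source_host', 'target_host', 'filename'];

/** Lowercase hex digest of exactly $len characters, or null if the field is malformed. */
function validHex(array $post, string $field, int $len): ?string
{
    $v = (string) ($post[$field] ?? '');
    return preg_match('/^[0-9a-fA-F]{' . $len . '}$/', $v) ? strtolower($v) : null;
}

/** Storage path for a sample; the digest check guarantees it cannot leave BINARY_DIR. */
function binaryPath(string $md5): string
{
    return BINARY_DIR . '/' . $md5;
}

function connectDb(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // failures become exceptions
    $con = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $con->set_charset('utf8mb4');
    return $con;
}

/** Insert one record with a prepared statement, so field values never reach the SQL text. */
function storeData(mysqli $con, array $post, string $sensor): void
{
    $sql = 'INSERT INTO submission (`RemoteHost`, `URL`, `Trigger`, `MD5`, `SHA512`, `FileType`, '
         . '`SourceHost`, `TargetHost`, `Filename`, `Submitted`) VALUES (?,?,?,?,?,?,?,?,?,NOW())';
    $vals = [$sensor];
    foreach (TEXT_FIELDS as $f) {
        $vals[] = substr((string) ($post[$f] ?? ''), 0, 1024);   // length cap is an assumption
    }
    $stmt = $con->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($vals)), ...$vals);
    $stmt->execute();
    $stmt->close();
}

/** Store the upload only if it is a real upload, within size, and really hashes to $md5. */
function storeFile(array $file, string $md5): bool
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])
        || $file['size'] <= 0 || $file['size'] > MAX_UPLOAD_BYTES) {
        return false;
    }
    if (md5_file($file['tmp_name']) !== $md5) {
        return false;   // the claimed digest does not match the bytes received
    }
    return move_uploaded_file($file['tmp_name'], binaryPath($md5));
}

// ---- request handling ----
$md5 = validHex($_POST, 'md5', 32);
if ($md5 === null || validHex($_POST, 'sha512', 128) === null) {
    http_response_code(400);
    exit('S_ERROR');
}

try {
    if (isset($_FILES['file'])) {
        echo storeFile($_FILES['file'], $md5) ? 'S_FILEOK' : 'S_ERROR';
    } else {
        storeData(connectDb(), $_POST, $_SERVER['REMOTE_ADDR']);
        echo file_exists(binaryPath($md5)) ? 'S_FILEKNOWN' : 'S_FILEREQUEST';
    }
} catch (mysqli_sql_exception $e) {
    error_log('submit.php: ' . $e->getMessage());   // detail goes to the server log, not the client
    http_response_code(500);
    echo 'S_ERROR';
}
```

The submit.html form above can be used against this version unchanged. Note that a genuine Nepenthes client is not the only thing that can reach this URL, which is why the digest fields are validated before they are used as file names and why the upload is hashed rather than trusted; HTTP-Auth in front of it, as the issue list suggests, still belongs in the web server configuration.
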
July 21st, 2008
By Joe | filed under Honeypot, Nepenthes | No Comments »