DinoTools / dionaea

Home of the dionaea honeypot
https://dionaea.readthedocs.io/
GNU General Public License v2.0

WannaCry detection #103

Closed Mato-Z closed 7 years ago

Mato-Z commented 7 years ago
ISSUE TYPE
DIONAEA VERSION: latest
OS / ENVIRONMENT
SUMMARY

Hello, have you thought about a modification for WannaCry and SambaCry (CVE-2017-7494) detection? It is described here https://www.honeynet.org/node/1353 and the changes are in this repository https://github.com/gento/dionaea/commits/master - the last three commits.

Thank you.

phibos commented 7 years ago

I had the same idea a few hours ago and I have already started to merge the commits. Feel free to have a look at #104. It still needs some testing and I think dionaea is unable to store the payload at the moment, but I think I will fix this soon.

gento commented 7 years ago

Hey @phibos , thanks for the merges about the SMB patches!

By the way, we can test the SMB patches with:

Dionaea should be able to store the payloads from these 2 modules. Again, thanks for the good work!

phage-nz commented 7 years ago

@phibos, I observed files failing to save due to a missing key - 'downloads' - on line 665 of smb.py:

dir = g_dionaea.config()['downloads']['dir'] + "/"

If replaced with the following:

dionaea_config = g_dionaea.config().get("dionaea")
download_dir = dionaea_config.get("download.dir")

Along with replacing occurrences of 'dir' with 'download_dir', files are saved into the standard 'binaries' directory (or whatever the user has configured in their dionaea.conf).

My first hit was: https://www.virustotal.com/en/file/c05e2dab77349cd639aa837e7e121710b8a0718d8fc93fb4cc6458ae90e5c597/analysis/

Am still seeing a lot of occurrences of: 'SMB dionaea/smb/smb.py:112-critical: === SMB did not get enough data' in my log however... but that could well be standard background noise.

fe7ch commented 7 years ago

@phage-nz Thanks for your tip. That explains why my dionaea instance didn't save payloads yesterday. Finally, it saved a payload after applying your suggested changes.

Tigzy commented 7 years ago

Hey, after applying the change above I have a payload, however the store.py module always says the file already exists. Are we bypassing store.py with that change?

Tigzy commented 7 years ago

I've fixed the thing by adding '.tmp' to the file path downloaded into binaries. So then, when store.py gets called, it will just create a hardlink to it.
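The two fixes discussed in this thread (phage-nz's config lookup of `dionaea` / `download.dir` instead of the missing `downloads` / `dir` key, and Tigzy's `.tmp` suffix so the hash-named final file is created by a hardlink rather than colliding with the download itself) fit together as one payload-storage pattern. The following is an added example written for this page, not code from dionaea or from any commenter; it models `g_dionaea.config()` as a plain dict (an assumption), names the final file by its SHA-512 digest (dionaea's own naming is not reproduced here) and uses constructed sample bytes, so it runs offline.

```python
import hashlib
import os
import tempfile


def download_dir(config, default="binaries"):
    """Resolve the download directory the way the thread's fix does:
    config['dionaea']['download.dir'], falling back to `default` (the
    standard 'binaries' directory) when the key is absent. The old
    config['downloads']['dir'] lookup raised KeyError on a normal config.
    `config` is assumed to be a plain dict, standing in for g_dionaea.config()."""
    dionaea_config = config.get("dionaea") or {}
    return dionaea_config.get("download.dir") or default


def store_payload(config, data):
    """Write `data` to '<download.dir>/<sha512>.tmp', then hardlink that
    temporary file to the hash-named final path, mirroring the download ->
    store.py hand-off described in the thread. Returns (final_path, was_new).
    A second delivery of the same bytes is detected by the existing final
    file and its temporary copy is removed, so nothing ends up orphaned."""
    ddir = download_dir(config)
    os.makedirs(ddir, exist_ok=True)
    digest = hashlib.sha512(data).hexdigest()
    final_path = os.path.join(ddir, digest)
    tmp_path = final_path + ".tmp"
    with open(tmp_path, "wb") as fh:
        fh.write(data)
    if os.path.exists(final_path):
        os.unlink(tmp_path)  # already have this sample; drop the duplicate
        return final_path, False
    os.link(tmp_path, final_path)  # hardlink, as store.py does per the thread
    os.unlink(tmp_path)  # the final name now owns the inode
    return final_path, True


def demo():
    """Run the pattern twice on constructed sample bytes inside a temporary
    directory and report what happened (used by the checks below)."""
    with tempfile.TemporaryDirectory() as workdir:
        config = {"dionaea": {"download.dir": os.path.join(workdir, "binaries")}}
        # Constructed placeholder payload, not real malware.
        sample = b"MZ\x90\x00" + b"constructed sample payload for the example"
        path1, new1 = store_payload(config, sample)
        path2, new2 = store_payload(config, sample)  # duplicate delivery
        leftovers = [f for f in os.listdir(config["dionaea"]["download.dir"])
                     if f.endswith(".tmp")]
        return {
            "first_new": new1,
            "second_new": new2,
            "same_path": path1 == path2,
            "tmp_left": len(leftovers),
            "name_is_sha512": os.path.basename(path1) == hashlib.sha512(sample).hexdigest(),
            "fallback_dir": download_dir({}),
            "legacy_key_ignored": download_dir({"downloads": {"dir": "/old"}}),
        }


if __name__ == "__main__":
    print(demo())
```

The point of the `.tmp` suffix is that the download path and the hash-named path must differ, otherwise the "file already exists" branch fires on the freshly written download itself; the duplicate case then becomes a real dedup check rather than a false alarm.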

phibos commented 7 years ago

I have merged the support for WannaCry and SambaCry into the master branch. Thanks for all your work and comments.