DinoTools / dionaea

Home of the dionaea honeypot
https://dionaea.readthedocs.io/
GNU General Public License v2.0

Wannacry detection #133

Open des32 opened 7 years ago

des32 commented 7 years ago
ISSUE TYPE
DIONAEA VERSION
master
CONFIGURATION

SMB server configured as Windows 7, with default values.

OS / ENVIRONMENT
SUMMARY

I've tried to test WannaCry detection by configuring an SMB server on Dionaea as Windows 7. To test it, two possible exploits have been used: the one from ElevenPaths (the one recommended in #104), and the one from Metasploit. Both of them recognized the SMB server as exploitable, but neither of them left any payload in /binaries.

STEPS TO REPRODUCE

Exploit https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/blob/master/eternalblue_doublepulsar.rb

EXPECTED RESULTS

Payload stored in /binaries

Is the Dionaea implementation supposed to record the payload on a WannaCry attack? Best regards

fe7ch commented 7 years ago

dionaea does capture payloads that are uploaded via the DoublePulsar backdoor, but I'm not sure if it could play well with the initial EternalBlue exploit. Maybe @gento could answer it.

gento commented 7 years ago

@des32, I just did a quick check with Dionaea and eternalblue_doublepulsar.rb (ElevenPaths). It is working on my new Dionaea installation from https://github.com/DinoTools/dionaea. I had the payload sitting in /binaries after the check.

I am wondering what the possible root cause is for your setup.

I have not tried with the latest Metasploit official ms17-101 module.

ixiliae commented 6 years ago

I can confirm I captured some wild samples through Dionaea.

Vincebye commented 4 years ago

I tried the windows/smb/ms17_010_eternalblue of Metasploit, but it does not work. It shows "Exploit completed, but no session was created.", and /binaries is empty.

ItsaSHE commented 3 years ago

> I tried the windows/smb/ms17_010_eternalblue of Metasploit, but it does not work. It shows "Exploit completed, but no session was created.", and /binaries is empty.

Hi, have you figured it out? Because I have the same problem. Kind regards!

ItsaSHE commented 3 years ago

> @des32, I just did a quick check with Dionaea and eternalblue_doublepulsar.rb (ElevenPaths). It is working on my new Dionaea installation from https://github.com/DinoTools/dionaea. I had the payload sitting in /binaries after the check.
>
> I am wondering what the possible root cause is for your setup.
>
> I have not tried with the latest Metasploit official ms17-101 module.

Hi, I need to verify that I can upload samples. How exactly did you manage that? Kind regards!