Open sbrws opened 6 years ago
Thanks for reporting the issue.
Resetting the connection is logical because dionaea is a low-interaction honeypot and it wouldn't establish the connection. But not capturing binaries is strange. How are you exploiting MS08-067 from Metasploit: are you taking a reverse shell or something else?
Hello, Has anyone found a workaround for this issue? I have tried installing Dionaea 0.6.0 in Ubuntu 14.04 and Dionaea 0.8.0 in Ubuntu 16.04 and am not getting any binaries in the binaries folder. I can also confirm that I have completed the steps described above by "sbrws". Thanks,
@ahezza have you tested whether your environment is vulnerable or not?
I have created a guide for testing the environment have a look through it.
https://docs.google.com/document/d/1PctBZW1w4wlIyY-uWAtnQXM-ngwrGL5v6oHUJvP-hlg/edit?usp=sharing
Hi there,
I have been able to verify that my dionaea instance is vulnerable to SMB attacks - see below:
```
Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-13 15:20 CET
Nmap scan report for (x.x.x.x.)
Host is up (0.00051s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| samba-vuln-cve-2012-1182:
|   VULNERABLE:
|   SAMBA remote heap overflow
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-1182
|     Risk factor: HIGH  CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
|       Samba versions 3.6.3 and all versions previous to this are affected by
|       a vulnerability that allows remote code execution as the "root" user
|       from an anonymous connection.
|
|     Disclosure date: 2012-03-15
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182
|_      http://www.samba.org/samba/security/CVE-2012-1182
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|           The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
|           Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
|           code via a crafted RPC request that triggers the overflow during path canonicalization.
|
|     Disclosure date: 2008-10-23
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_      https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: ERROR: Script execution failed (use -d to debug)

Nmap done: 1 IP address (1 host up) scanned in 113.15 seconds
```
The guide has all the useful material and things you want.
Hello Waseem,
Turns out OVH is blocking Port 445 at a network level on all of their infrastructure. This must be why I am unable to receive binaries.
Thanks for your help.
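The outcome above (binaries never arrive because the hosting provider drops TCP/445 upstream) looks identical to "dionaea reset the connection" unless you check from outside the provider's network. The script below is an added example, not code from the dionaea project or from anyone in this thread: it classifies a TCP port as open, refused (an RST came back, so the host itself answered) or filtered (no answer before the timeout, the signature of a network-level block), and counts files in the capture directory. The binaries path is the one named in this issue and is assumed to be the default; the target host, the ports checked (21 for FTP, 445 for SMB) and the throwaway loopback listener used by `self_check()` are constructed for the example.

```python
"""Reachability check for a honeypot's listener ports.

Added example (not dionaea's own code): tells apart a port that is open,
one that is actively refused by the host, and one that is silently dropped
somewhere upstream, which is what a provider-level block on TCP/445 looks
like when probed from outside that network.
"""
import os
import socket
import threading


def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP handshake and report what happened.

    'open'     -> handshake completed, a listener answered
    'refused'  -> RST received: nothing listening, or the service rejected us
    'filtered' -> no reply before the timeout: something in the path drops it
    'error'    -> any other socket failure (DNS, unreachable network, ...)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        s.close()


def count_captured(binaries_dir: str = "/opt/dionaea/var/dionaea/binaries") -> int:
    """Count files in the capture directory (path from the issue; assumed to be the default)."""
    if not os.path.isdir(binaries_dir):
        return 0
    return sum(1 for name in os.listdir(binaries_dir)
               if os.path.isfile(os.path.join(binaries_dir, name)))


def self_check() -> tuple:
    """Exercise classify_port against a constructed loopback listener.

    Returns (result while listening, result after the listener closes),
    which should be ('open', 'refused') on a normal host.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the kernel
    listener.listen(1)
    port = listener.getsockname()[1]

    def accept_one():
        # Accept and drop a single connection so the probe completes cleanly.
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass

    worker = threading.Thread(target=accept_one, daemon=True)
    worker.start()
    while_listening = classify_port("127.0.0.1", port, timeout=2.0)
    worker.join(2.0)
    listener.close()
    after_close = classify_port("127.0.0.1", port, timeout=2.0)
    return (while_listening, after_close)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in (21, 445):  # FTP and SMB, the two services discussed in this issue
        print(f"{target}:{p} -> {classify_port(target, p)}")
    print("captured binaries:", count_captured())
```

Run it twice: once on the honeypot itself against 127.0.0.1 and once from a host outside the provider. "open" locally but "filtered" remotely points at a network-level block like the one found here; "refused" remotely means packets do reach the host and the honeypot (or the OS) is the one answering.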
ISSUE TYPE
DIONAEA VERSION
CONFIGURATION
No changes to default config file in 0.6.0
Using HPfeeds to send data to MHN server.
MHN successfully receives logged text alerts, but does not receive payload data (logs or binaries).
OS / ENVIRONMENT
SUMMARY
Binaries are not captured, connection appears to be reset by Dionaea before anything can transfer.
Update: Did not specify here originally, the issue was with SMB. I have since verified it is dropping FTP connections as well.
STEPS TO REPRODUCE
Initiated t2.micro instance on AWS EC2. Configured AWS security group to allow all connections.
Ran the below to install:
Confirmed curl had been updated:
Uncommented SMB.yml to allow for spoofing a Win7 box.
Start Dionaea:
Verify port is open and vulnerable:
From another box, initiated
ms08_067_netapi
in Metasploit and sent to the Dionaea install. Exploit fails and Wireshark confirms that Dionaea reset the connection. I wondered if Amazon/DO were blocking a crafted exploit such as this, but could find no confirmation of any sort. Outside of my test exploits, this install hasn't received any other binaries, at all.
tl;dr
Installed v0.6.0 from the PPA, per the official instructions, on a t2.micro VM on AWS. Updated curl to 7.5.0 as has been suggested in other issues. Ports verified as open, AWS firewall configured to allow connections. SMB.yml is uncommented allowing for connections. Nmap shows vulnerability for MS08-067 and confirms port 445 is actually open.
Using Metasploit to send the exploit, the connection is reset by Dionaea (verified this with Wireshark), and the exploit binary is never received.
Was able to replicate on Digital Ocean as well, also Ubuntu 14.04.
EXPECTED RESULTS
Binary captured and stored in /opt/dionaea/var/dionaea/binaries
ACTUAL RESULTS
Connection reset and binaries folder remains empty.
Output of dionaea.log: