Honey Potting for MS11-083
MS11-083 has arrived and people are getting both excited and scared, it looks like its going to be the next MS08-067. Which if you remember, Conficker used to bend windows over and have a jol. Time for a honeypot?
In anycase I took a moment and decided to write a script that would capture potential MS11-083 traffic in an attempt to capture this exploit in the wild (once its out there, might as well start looking). According to the security bulletin “The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system”. So that’s exactly what I looked at, I used netstat -un and -lun to find all open and listening ports and filtered them out. UDP packets to a closed port normally results in a ICMP Port Unreachable response or no response at all, so I’ve ignored them.
The code is commented and you need the little bash script in the same folder to get the ports. Remember to make it executable (sudo chmod +x getports.sh) and run ms11-083_sniffer.py as root. It will create a pcap file named theand any UDP traffic heading towards a closed port will be logged.
Once you have some pcaps and you think they might contain exploit traffic remember that sharing is caring and karma is a bitch, don’t share if it was just Chuck Testa. My code is dirty and I wrote it quickly so don’t hate, feel free to modify and make it better.
I’ll try and add my nmap enumeration script tomorrow, it does a portscan and OS fingerprint on a given host and inserts that data into a sqlitedb. That way you can check if the traffic was coming from a windows host.
ms11-083_sniffer.py
getports.sh
MS11-083 has arrived and people are getting both excited and scared, it looks like its going to be the next MS08-067. Which if you remember, Conficker used to bend windows over and have a jol. Time for a honeypot?
In anycase I took a moment and decided to write a script that would capture potential MS11-083 traffic in an attempt to capture this exploit in the wild (once its out there, might as well start looking). According to the security bulletin “The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system”. So that’s exactly what I looked at, I used netstat -un and -lun to find all open and listening ports and filtered them out. UDP packets to a closed port normally results in a ICMP Port Unreachable response or no response at all, so I’ve ignored them.
The code is commented and you need the little bash script in the same folder to get the ports. Remember to make it executable (sudo chmod +x getports.sh) and run ms11-083_sniffer.py as root. It will create a pcap file named theand any UDP traffic heading towards a closed port will be logged.
Once you have some pcaps and you think they might contain exploit traffic remember that sharing is caring and karma is a bitch, don’t share if it was just Chuck Testa. My code is dirty and I wrote it quickly so don’t hate, feel free to modify and make it better.
I’ll try and add my nmap enumeration script tomorrow, it does a portscan and OS fingerprint on a given host and inserts that data into a sqlitedb. That way you can check if the traffic was coming from a windows host.
ms11-083_sniffer.py
getports.sh
With the bash script, just remove the .txt file extension (my hosting is being annoying). Below is the code if you want to have a peek.
from pcapy import *
from impacket import ImpactDecoder, ImpactPacket
from socket import *
import fcntl
import struct
import os
import time
class Sniffer:
def __init__(self):
self.promiscuous = True
self.called = 0 #silly habits
self.interface = 'eth0'
self.max_bytes = 65535 # Theoretical max size for a UDP packet
self.read_timeout = 100
self.ip = self.get_ip_address(self.interface)
self.bpf = 'ip dst host %s and not src net 192.168.1.0/30'%self.ip
print "\n---------------------------------------------------"
print "Sniffing for unsolicited UDP packets to closed ports."
print " \"Open ports are for losers\" - MS11-083"
print "Pcap log started, listening from %s"%time.strftime("%d:%m:%Y %H:%M:%S", time.localtime())
print "---------------------------------------------------"
def get_ip_address(self, ifname):
s = socket(AF_INET, SOCK_STREAM)
return inet_ntoa(fcntl.ioctl(s.fileno(), 0x8915, struct.pack('256s', ifname[:15]))[20:24])
def start(self):
self.reader = open_live(self.interface, self.max_bytes, self.promiscuous, self.read_timeout)
# Pcapy uses BPF to filter packets, not src net 192.168.1.0/30
# should be changed, it just filters out 1.0, 1.1, 1.2 and 1.3
# which I use for diffrent gateways and dont want traffic
# from the router hitting the logs.
self.reader.setfilter(self.bpf)
# Run the packet capture loop
self.reader.loop(0, self.callback)
def callonce(self):
self.dumper = self.reader.dump_open(time.strftime("%d-%m-%Y_%H-%M-%S.pcap", time.localtime()))
self.called = 1
def callback(self, hdr, data):
# Parse the Ethernet packet
decoder = ImpactDecoder.EthDecoder()
ether = decoder.decode(data)
# Parse the IP packet inside the Ethernet packet, typep
iphdr = ether.child()
udphdr = iphdr.child()
# First check that the packets are not comming from the local host
# Then check that it is a UDP packet (incase you changed the BPF) also
# Check that the destination port for the packet is a closed port on the host
if (iphdr.get_ip_src() != self.ip):
self.refresh_portlist()
if (iphdr.get_ip_p() == ImpactPacket.UDP.protocol and udphdr.get_uh_dport() not in self.portlist):
if self.called == 0:
self.callonce()
print "Incoming UDP packet from %s"%iphdr.get_ip_src()
self.dumper.dump(hdr, data)
def refresh_portlist(self):
# bash script to get all the open and listening UDP ports
# used in the callback function as criteria for logging traffic
output = os.popen("./getports.sh")
pl = output.readlines()
self.portlist = []
for p in pl:
self.portlist.append(int(p))
def main():
snf = Sniffer()
snf.start()
if __name__ == "__main__":
main() via:blog.rootentropy
Category Article Honeypot
تقوم بجميع خدمات التنظيف ومنها تنظيف
والشوائب الخزانات بجدة وايضا شركة تنظيف خزانات بالمدينة المنورة متخصصة في مجال تنظيف الخزانات وكذلك شركة غسيل خزانات بالمدينة سواء كانت العلوية أو السفلية وتعقيمها تعقيم تام بأفضل أنواع المطهرات
أيضا لدينا في شركتنا من أهم الخدمات الخاصة بتنظيف خزانات المياه اطلب من شركة تنظيف خزانات بجدة خدمات متنوعة فنحن تقوم بعمل كشف على خزانك ولو وجد خلل بالخزان تقوم بتصليح خزانك ونقوم بعمل اللازم وعمل عزل كامل للخزان من الداخل لمنع تسربات المياه من الخزانات شركة صيانة خزانات بجدة نضمن لك عزيزي العميل بان تكون عملية الصيانة والتنظيف تتم على أكمل وجه فلدينا فريق محترف خاص بعملية عزل الخزانات بجدة واخلاءها من الأتربة والترسبات الموجودة بقاع الخزان وترك الخزان نظيف تماما من جميع الأتربة الموجودة بالقاع .
فلدى شركة لمسات جدة خدمات أخرى متمثلة في تنظيف المنازل من الداخل لأن عمليات تنظيف المنازل من الأمور الصعبة التي تحتاج الى مكالمة شركة تنظيف منازل بجدة لصعوبة عملية التنظيف المنزلية ولدينا ايضا قسم خاص بتنظيف وغسيل المفروشات والسجاد والكنب بالبخار في شركة تنظيف كنب بالبخار بجدة نتميز بالدقة العالية لاستخدامنا أفضل أنواع المطهرات والمعقمات للمفارش والكنب المصرح بها عالميا
وقد تعاملنا في جدة باحترافية في شركة تنظيف بجدة للحصول على خدمات تنظيف متميزة
وايضا في مجال التنظيف في مكة لدينا شركة تنظيف منازل بمكة متميزة ومتخصصة وعلى خبرة كبيرة بكل مجالات التنظيف
تتميز شركتنا شركة تنظيف خزانات بجدة
بعدة عوامل هامة تجعلنا أفضل شركة تنظيف خزانات بجدة