Monday, January 23, 2006

Nepenthes Installation

I've been interested in trying Nepenthes since I saw it added to the FreeBSD ports collection as net/nepenthes. According to the Nepenthes Web site, "Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities."

I tried to install Nepenthes using the precompiled package for FreeBSD, like this:

janney:/root# setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/

janney:/root# pkg_add -vr nepenthes

I ran into two problems. First, I had to install the ftp/curl port manually since the package seemed unavailable.

cd /usr/ports/ftp/curl
make
make install

Second, and more problematic, I found that the package which offered Nepenthes 0.1.5 did not work properly. Using the package, I could not get my Nepenthes client to connect to a specific IRC channel protected by a key.

I decided to install Nepenthes using the FreeBSD port. I made these changes to make the ports tree install version 0.1.6 instead of the older 0.1.5:

janney:/usr/ports/net/nepenthes# diff Makefile.orig Makefile
9c9
< PORTVERSION= 0.1.5
---
> PORTVERSION= 0.1.6
janney:/usr/ports/net/nepenthes# diff distinfo.orig distinfo
1,3c1,3
< MD5 (nepenthes-0.1.5.tar.gz) = d7eae244a5adef66ca504a233f1c51e1
< SHA256 (nepenthes-0.1.5.tar.gz) = 7c74614cb3027f0c9a409f68ed81baed4793673509e09138bd6296d72b04b08a
< SIZE (nepenthes-0.1.5.tar.gz) = 780788
---
> MD5 (nepenthes-0.1.6.tar.gz) = 317afd3dc86d57a22570632bdf839ef2
> SHA256 (nepenthes-0.1.6.tar.gz) = f9bae290d49df9658b7f27a2f4c304fd671cc1f2f344a3b960a181c12416d94b
> SIZE (nepenthes-0.1.6.tar.gz) = 794938
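
Review bot: the replaced SHA256 and SIZE lines are exactly what `make checksum` will trust when it fetches nepenthes-0.1.6.tar.gz, so they must come from a tarball you have verified rather than be copied by hand from a third party. `make makesum` in the port directory regenerates distinfo from the distfile already on disk, which makes it only as good as that one download; compare the resulting SHA256 with a checksum obtained from the Nepenthes project itself before building.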

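As an added example (not code from the post or from the FreeBSD ports framework), here is the check that `make checksum` applies to the SHA256 and SIZE lines edited above, written out as a small POSIX sh script so the two fields being trusted are visible; the function names and the constructed demo distfile are my own.

```shell
#!/bin/sh
# Added example, not from the original post or the FreeBSD ports framework:
# verify a fetched distfile against the SHA256 and SIZE lines of a port's
# distinfo before building, i.e. the check `make checksum` performs, spelled
# out so the two fields being trusted are visible. MD5 lines are ignored.

# Print the value recorded in distinfo $3 for field $1 (SHA256 or SIZE) of
# distfile $2; distinfo lines look like:  SHA256 (foo.tar.gz) = <hex>
distinfo_field() {
    awk -v f="$1" -v n="($2)" '$1 == f && $2 == n { print $4 }' "$3"
}

# SHA256 of a file as bare hex: sha256sum on Linux, sha256 -q on FreeBSD.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
    else sha256 -q "$1"; fi
}

file_size() { wc -c <"$1" | tr -d ' '; }

# distinfo_check NAME PATH DISTINFO: 0 if PATH matches NAME's SIZE and SHA256,
# 1 on a mismatch, 2 if distinfo has no complete entry for NAME.
distinfo_check() {
    want_sum=$(distinfo_field SHA256 "$1" "$3")
    want_size=$(distinfo_field SIZE "$1" "$3")
    if [ -z "$want_sum" ] || [ -z "$want_size" ]; then
        echo "no SHA256/SIZE entry for $1 in $3" >&2; return 2
    fi
    # size first: it is cheap and catches truncated downloads outright
    if [ "$(file_size "$2")" != "$want_size" ]; then
        echo "SIZE mismatch for $1" >&2; return 1
    fi
    if [ "$(file_sha256 "$2")" != "$want_sum" ]; then
        echo "SHA256 mismatch for $1" >&2; return 1
    fi
}

# Demo with a constructed distfile (the bytes "hello\n") and a constructed
# distinfo carrying that content's real SHA256, then a tampered copy.
demo() {
    work=$(mktemp -d)
    printf 'hello\n' >"$work/demo-0.1.6.tar.gz"
    printf '%s\n' \
        'SHA256 (demo-0.1.6.tar.gz) = 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03' \
        'SIZE (demo-0.1.6.tar.gz) = 6' >"$work/distinfo"
    distinfo_check demo-0.1.6.tar.gz "$work/demo-0.1.6.tar.gz" "$work/distinfo" && echo "untampered: ok"
    printf 'x' >>"$work/demo-0.1.6.tar.gz"
    distinfo_check demo-0.1.6.tar.gz "$work/demo-0.1.6.tar.gz" "$work/distinfo" || echo "tampered: rejected"
}
demo
```
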
Once Nepenthes was installed, I began editing configuration files in /usr/local/etc/nepenthes.

First I edited log-irc.conf to log to my IRC channel of choice.

janney:/usr/local/etc/nepenthes# diff log-irc.conf.orig log-irc.conf
21,23c21,23
< nick "nep-noname";
< ident "nepenthes";
< userinfo "http://nepenthes.sf.net";
---
> nick "mynep";
> ident "mynep";
> userinfo "mynep";
29,30c29,30
< name "#nepenthesirc";
< pass "foo";
---
> name "#myfakeircchannel";
> pass "myfakepw";
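
Review bot: the channel key at `> pass "myfakepw";` is stored in cleartext in log-irc.conf, so make sure the file is readable by root only (chmod 600) rather than whatever mode it was installed with, and keep in mind that with use-tor set to 0 the whole IRC session, nick, key and every logged event, crosses the network unencrypted.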

Note that the default log-irc.conf wants to use Tor. I show how I set that up in a future post. To disable using Tor, change

use-tor "1";

to

use-tor "0";

Next I made changes to nepenthes.conf to reflect using /var/log instead of var/log.

janney:/usr/local/etc/nepenthes# diff nepenthes.conf.dist nepenthes.conf
91,92c91,92
< ring_logging_file "var/log/nepenthes/nepenthes.%d.log";
< file_logging_file "var/log/nepenthes/nepenthes.log";
---
> ring_logging_file "/var/log/nepenthes/nepenthes.%d.log";
> file_logging_file "/var/log/nepenthes/nepenthes.log";
104c104
< filesdir "var/nepenthes/binaries/";
---
> filesdir "/var/nepenthes/binaries/";
120c120
< hexdump_path "var/nepenthes/hexdumps/";
---
> hexdump_path "/var/nepenthes/hexdumps/";
125c125
< cache_path "var/cache/nepenthes/geolocation/";
---
> cache_path "/var/cache/nepenthes/geolocation/";
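
Review bot: hexdump_path and cache_path now point at /var/nepenthes/hexdumps/ and /var/cache/nepenthes/geolocation/, but the mkdir step further down creates only /var/nepenthes/binaries and /var/log/nepenthes; add `mkdir -p /var/nepenthes/hexdumps /var/cache/nepenthes/geolocation` alongside it, or the hexdump and geolocation modules will have no directory to write into.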

I made similar changes to log-download.conf.

janney:/usr/local/etc/nepenthes# diff log-download.conf.orig log-download.conf
3,4c3,4
< downloadfile "var/log/logged_downloads"; // log download attempts
< submitfile "var/log/logged_submissions"; // log successfull downloads
---
> downloadfile "/var/log/logged_downloads"; // log download attempts
> submitfile "/var/log/logged_submissions"; // log successfull downloads
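
Review bot: downloadfile and submitfile now land directly in /var/log, while nepenthes.conf sends the daemon's own logs to /var/log/nepenthes/; pointing them at /var/log/nepenthes/logged_downloads and /var/log/nepenthes/logged_submissions keeps every Nepenthes artifact under one directory that can be rotated and permissioned together (the inherited "successfull" typo in the trailing comments could be fixed in the same edit).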

And submit-file.conf:

janney:/usr/local/etc/nepenthes# diff submit-file.conf.orig submit-file.conf
3c3
< path "var/binaries/";
---
> path "/var/nepenthes/binaries/";

And submit-norman.conf:

janney:/usr/local/etc/nepenthes# diff submit-norman.conf.orig submit-norman.conf
4c4
< email "malware@mac.com";
---
> email "myemail@gmail.com";
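
Review bot: changing the address only changes who receives the sandbox reports; the submit-norman module still ships every captured binary to Norman's external sandbox, so if samples must not leave the box, disable the module in the module list of nepenthes.conf instead of only editing this line.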

download-nepenthes.conf needed a more radical change because I don't have /share/hda3/opt/ on FreeBSD.

janney:/usr/local/etc/nepenthes# diff download-nepenthes.conf.orig download-nepenthes.conf
5c5
< filespath "/share/hda3/opt/nepenthes";
---
> filespath "/var/nepenthes/";

Next I created the directories needed by Nepenthes.

janney:/root# mkdir -p /var/nepenthes/binaries
janney:/root# mkdir /var/log/nepenthes
janney:/root# touch /var/log/nepenthes/nepenthes.log
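
Added example, not code from the post or from Nepenthes: a POSIX sh helper that reads the path settings out of the .conf files edited above, reports any still in the relative var/... form, and creates the directories the absolute ones need (including paths the mkdir step above does not cover, such as the hexdump and geolocation directories). The function names and the constructed sample config are assumptions of mine.

```shell
#!/bin/sh
# Added example, not from the original post or from Nepenthes itself: pull the
# path-valued settings out of a Nepenthes .conf (the  key "value";  syntax in
# the diffs), flag still-relative ones, and create the needed directories.

# Print "key value" for each setting whose name ends in path, dir or file
# (filesdir, hexdump_path, cache_path, ring_logging_file, downloadfile, ...).
nepenthes_paths() {
    awk '$1 ~ /^[A-Za-z_]*(path|dir|file)$/ && $0 ~ /"[^"]*"/ {
            key = $1; val = $0
            sub(/^[^"]*"/, "", val)   # drop up to and including the opening quote
            sub(/".*$/, "", val)      # drop the closing quote, ";" and any // comment
            print key, val
        }' "$1"
}

# Create every directory referenced by absolute settings in config $1.
# Returns 1 (listing offenders on stderr) if any setting is still relative,
# i.e. would be opened relative to wherever nepenthes happened to be started.
nepenthes_prepare_dirs() {
    bad=0
    pairs=$(nepenthes_paths "$1")
    while read -r key val; do
        [ -n "$key" ] || continue
        case $val in
            /*) ;;
            *)  printf 'relative path: %s "%s"\n' "$key" "$val" >&2; bad=1; continue ;;
        esac
        case $key in
            *file) dir=${val%/*} ;;   # a file setting: create its parent directory
            *)     dir=${val%/} ;;    # a directory setting: drop the trailing slash
        esac
        mkdir -p "$dir"
    done <<EOF
$pairs
EOF
    return $bad
}

# Demo on a constructed config under a temp dir; hexdump_path is left relative on purpose.
demo() {
    work=$(mktemp -d)
    printf '%s\n' \
        "ring_logging_file \"$work/var/log/nepenthes/nepenthes.%d.log\";" \
        "filesdir \"$work/var/nepenthes/binaries/\";" \
        'hexdump_path "var/nepenthes/hexdumps/";' >"$work/nepenthes.conf"
    nepenthes_prepare_dirs "$work/nepenthes.conf"
    echo "exit status $?; directories created:"; find "$work/var" -type d
}
demo
```
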

When done, I was able to start Nepenthes with the simple command 'nepenthes'. I recommend running it in the foreground within script(1). By default Nepenthes generates a ton of debug info.

As configured, Nepenthes is listening on a slew of ports:

janney:/usr/local/etc/rc.d# sockstat -4 | grep nep
root nepenthes 7669 3 udp4 *:50838 *:*
root nepenthes 7669 6 tcp4 *:21 *:*
root nepenthes 7669 7 tcp4 *:25 *:*
root nepenthes 7669 8 tcp4 *:110 *:*
root nepenthes 7669 9 tcp4 *:143 *:*
root nepenthes 7669 10 tcp4 *:220 *:*
root nepenthes 7669 11 tcp4 *:465 *:*
root nepenthes 7669 12 tcp4 *:993 *:*
root nepenthes 7669 13 tcp4 *:995 *:*
root nepenthes 7669 14 tcp4 *:2745 *:*
root nepenthes 7669 15 tcp4 *:6129 *:*
root nepenthes 7669 16 tcp4 *:135 *:*
root nepenthes 7669 17 tcp4 *:445 *:*
root nepenthes 7669 18 tcp4 *:1025 *:*
root nepenthes 7669 19 tcp4 *:443 *:*
root nepenthes 7669 20 tcp4 *:17300 *:*
root nepenthes 7669 21 tcp4 *:2103 *:*
root nepenthes 7669 22 tcp4 *:2105 *:*
root nepenthes 7669 23 tcp4 *:2107 *:*
root nepenthes 7669 24 tcp4 *:3372 *:*
root nepenthes 7669 25 udp4 *:1434 *:*
root nepenthes 7669 26 tcp4 *:3127 *:*
root nepenthes 7669 27 tcp4 *:139 *:*
root nepenthes 7669 28 tcp4 *:3140 *:*
root nepenthes 7669 29 tcp4 *:5554 *:*
root nepenthes 7669 30 tcp4 *:1023 *:*
root nepenthes 7669 31 tcp4 *:27347 *:*
root nepenthes 7669 32 tcp4 *:5000 *:*
root nepenthes 7669 33 tcp4 *:10000 *:*
root nepenthes 7669 34 tcp4 *:42 *:*
root nepenthes 7669 35 tcp4 *:80 *:*

The system running Nepenthes has a private IP and it sits behind my Comcast cable modem. I decided to tell my router connected to the cable modem to forward ports 80 and 443 to the Nepenthes system.

Now, if I connect to port 80 on my router, Nepenthes handles the connection.

janney:/root# nc -v bej.dyndns.org 80
Connection to bej.dyndns.org 80 port [tcp/http] succeeded!
HEAD / HTTP/1.0
janney:/root#

Here is what Nepenthes reports:

[ debug net mgr ] Socket TCP (bind) 0.0.0.0:0 -> 0.0.0.0:80
DialogueFactory ASN1 Dialogue Factory creates dialogues for the SMB and IIS flaw killbill showed us could Accept a Connection
[ spam net handler ]
[ spam net handler ] Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80
[ spam net handler ] Adding Dialogue ASN1 Dialogue Factory
[ spam mgr event ]
[ debug net mgr ] Accepted Connection Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80
32 Sockets in list
[ spam net handler ]
[ spam mgr event ]
[ spam net handler ] doRecv() 16
[ debug net handler ] Dialogue IISDialogue inactive, returned CL_DROP
[ debug net handler ] Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80 has no active Dialogues left, closing
[ debug net mgr ] Deleting Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80 due to closed connection
[ spam net handler ]
[ spam net handler ] Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80 clearing DialogueList (1 entries)
[ spam net handler ] Removing Dialog "IISDialogue"
[ warn dia ] Unknown IIS 16 bytes State 0
[ dia ] =------------------[ hexdump(0x0808c300 , 0x00000010) ]-------------------=
[ dia ] 0x0000 48 45 41 44 20 2f 20 48 54 54 50 2f 31 2e 30 0a HEAD / H TTP/1.0.
[ dia ] =-------------------------------------------------------------------------=

If I find anything interesting, I will pass it on. Here I just wanted to document what I had to do to get Nepenthes running.

6 comments:

Anonymous said...

I was wondering how it compares with mwcollect. I got a rather impressive collection of malware with mwcollect, but which one of them does a better job?

Austin said...

This comment has been removed by a blog administrator.

Anonymous said...

any recommendations on a rc.d script to start nepenthes?

Richard Bejtlich said...

I would pick a simple existing script and modify it for Nepenthes.

Clint said...

Anyone get it running on Mac OS X 10.4.8? I'm having no luck. -- Clint

MichaJP said...

This page was helpful for me too. Installed from ports on a FreeBSD 6.1-SECURITY box; after the adjustments mentioned here, it is up and running fine. Thanks!