Archive for May, 2010

Amun statistics

Amun has been running away quite happily in my lab since initial install. From a statistic perspective my work has been made really easy as Miguel Cabrerizo has previously taken one of the InfoSanity statistic scripts written for Nepenthes and Dionaea and adapted it to parse Amun’s submissions.log files.

Results generated from the script in my environment are below, if you’re wanting to get an overview of submissions from another Amun sensor the script has been uploaded alongside the other InfoSanity resources and is available here.

~$ cat /opt/amun/logs/submissions.log* | ./

Statistics engine written by Andrew Waite ( modified by Miguel Cabrerizo (

Number of submissions      : 25
Number of unique samples   : 25
Number of unique source IPs: 18

Origin of the malware:
Ukraine :     1
None :     7
Poland :     2
Romania :     1
United States :     8
Russian Federation :     2
Hungary :     1
Norway :     1
Bulgaria :     2

Vulnerabilities exploited:
MS08067 :    13
DCOM :    12

Most recent submissions:
2010-05-31, 11:37:22,, 63.exe, acf5c09d547417fe53c163ec09199cab, MS08067
2010-05-30, 19:23:09,, 63.exe, 89b578839f1c39f79d48e5f9e70b5e2f, MS08067
2010-05-28, 10:27:03,, 63.exe, f7c4f677218070ab52d422b3c018a4ba, MS08067
2010-05-27, 16:23:14,, ssms.exe, 1f8a826b2ae94daa78f6542ad4ef173b, DCOM
2010-05-24, 19:46:35,, 63.exe, 53979f1820886f089a75689ed15ecf6e, MS08067

A comment on a recent post asked for a comparison between different honeypots. While this is far from conclusive and only focuses on a single aspect of the technologies, one of InfoSanity’s Nepenthes sensors ‘saw’ more attacks in the last 24hrs than my Amun installation did in the almost three weeks shown above. As both are running within the same, small, IP allocation I think I’m safe in assuming that one IP isn’t actually receiving a disproportionate level of interest from the badguys and bots that are out there.

— Andrew Waite

Starting with Amun

No single technology can do or handle every situation; the same holds true with honeypot sensors which is why I’m always interested in finding new systems to add to my environment. I’d had Amun on my list of potentials for a while, but after reading a short blog post by Miguel Cabrerizo that suggested install and setup was relatively quick and painless, it got moved up the to-do list.

As suggested the install was quick and easy, with no real problems. Since being installed the system has done what it says on the tin, emulating vulnerabilities and logging interaction with attacking sources. The sensor has been active for around 5 days and has collected 14 unique malware samples to date. Whilst not immediately being indicative of any comparison, three of these samples have not also been ensnared by Nepenthes or Dionaea sensors running within the same IP space.

The Amun log directory shows some interesting information, with logging being split between several different files. From initial results there is some interesting information collected by the system. One aspect of the logging that I’m unsure if I like is that Amun rotates its log files on a daily basis; so far this is resulting in my log directory getting cluttered with rotated files. For the curious, available log files are:

  • amun_request_handler.log
  • amun_server.log
  • download.log
  • exploits.log
  • logging.log
  • shellcode_manager.log
  • shellemulator.log
  • submissions.log
  • successfull_downloads.log
  • unknown_downloads.log
  • vulnerabilities.log

Going forward there are a number of installation and configuration options available from Amun that I intend to experiment with; high up this list is the ability to log to a MySQL database. I’m hoping that this will provide both a convenient and powerful way to search and analyse the information collected by the sensor. In the meantime Miguel has extended one of InfoSanity’s submission_stats to gather similar statistics from Amun sensors; Miguel’s work is available here.

— Andrew Waite

amun01:/opt/amun# ls -l malware/md5sum/
total 2512
-rw-r--r-- 1 root root 155648 2010-05-13 10:53 0cc3c16497214997a9aca72e387c9d9b.bin
-rw-r--r-- 1 root root 444416 2010-05-12 15:43 146d61fca77d748f5a5ecff53afd30e4.bin
-rw-r--r-- 1 root root 158720 2010-05-11 07:43 14a09a48ad23fe0ea5a180bee8cb750a.bin
-rw-r--r-- 1 root root 159744 2010-05-11 00:29 1d419d615dbe5a238bbaa569b3829a23.bin
-rw-r--r-- 1 root root 153600 2010-05-15 13:41 53098aa3e420a1be0a5e6a992dc30f3b.bin
-rw-r--r-- 1 root root 176128 2010-05-10 23:35 5a951d625eb10b900eb7001892edfa77.bin
-rw-r--r-- 1 root root 159744 2010-05-13 19:16 6366b14ed66bf79d6ece8ed8cb116838.bin
-rw-r--r-- 1 root root 153600 2010-05-12 13:36 98eb0fdadf8a403c013a8b1882ec986d.bin
-rw-r--r-- 1 root root 172032 2010-05-13 06:22 9b1bec8e5fbc9696c60422a031147d07.bin
-rw-r--r-- 1 root root 159744 2010-05-13 19:16 a7b197e90b2c5d63b19dfb4797ef7710.bin
-rw-r--r-- 1 root root 147456 2010-05-14 07:04 b407982b9eea8c8af3ff4f52ee71c44a.bin
-rw-r--r-- 1 root root 147456 2010-05-11 07:09 b786ad96a1dfb330e05595e4657d8a61.bin
-rw-r--r-- 1 root root 160768 2010-05-12 14:46 bb39f29fad85db12d9cf7195da0e1bfe.bin
-rw-r--r-- 1 root root 152576 2010-05-11 00:00 fd28c5e1c38caa35bf5e1987e6167f4c.bin

Categories: Honeypot, InfoSec, Tool-Kit

Book Review: 7 Deadliest Web Application Attacks

A while ago I was offered an excellent opportunity to read and review Mike Shema’s contribution to Syngress’s Seven Deadliest series focused on web application security. My first impression was very positive, and now I’ve had a chance to get my hands on the finished product I haven’t been disappointed.

As with the rest of the Seven Deadliest series the book is broken down into seven chapters, each focusing on a key attack vector. Covered in Web Application Attacks is:

  1. Cross-Site Scripting (XSS)
  2. Cross-Site Request Forgery (CSRF)
  3. SQL Injection
  4. Server Misconfiguration and Predictable Pages
  5. Breaking Authentication Schemes
  6. Logic Attacks
  7. Malware and Browser Attacks

I’ll be the first to admit that web application security isn’t my forte. Rather than let that put me off this was the appeal of the Seven Deadliest series; given the target topic the book’s aim is to succinctly cover the core issues and let the reader quickly get to grips with the subject material. Shema does this brilliantly; before reading the book I (thought I) was comfortable with my understanding of web application security issues, after reading I’m now confident in both my theoretical understanding and, crucially, the technical implementation of the attack vectors discussed.

While the material is accessible to a newcomer to web application security Shema wasn’t able to cover all subjects touched on during the book. For example, character encoding sets are discussed quite heavily during the cross-site scripting, but aren’t explained in depth at a low level. As a result, what a reader is able to take away from the book will likely be dependent on the experience and knowledge that the reader is able to bring to the material. In my case I was more comfortable with the chapters covering server misconfiguration (chapter 4) and malware (chapter 7).

After re-reading the material I would recommend this book to anyone that deals with web sites in any way (that’s you), especially considering the price of the Seven Deadliest books. I’d also take a look at the rest of the series, covering:

— Andrew Waite

(oh, and if you won’t take my word for it, pay attention to the recommendation on the back….)

“The threats highlighted should be understood by Web developers, administrators, and general users alike. If you use the Web in any way then this should be on your bookshelf. In addition to detailing the threat Shema also provides countermeasures to minimize or remove the risk, but be warned; you may never look at a Web site in the same way again.”

Andrew Waite, Security Researcher, InfoSanity Research

Gain and maintain passion for infosec

I’ve had this post in the back of my mind for a while, but have held back as it is quite a personal topic. When talking to anyone working in infosec one aspect remains constant from the rockstars at the top of the media game, the guys in the trenches or the newbies looking for a break; that constant is passion. Ultimately passion is what makes the difference between a job and a career, and in a world with the extra curricular requirements, continued professional development and somewhat crazy work hours that are related to the infosec world passion can be easy to lose and the daily grind results in the infamous burn-out. This makes it really important to have a few ways to remind you why you do what you do.

Looking back it’s easy to identify moments of my life that resulted in an interest for information security, even if the consequences weren’t obvious at the time.

Hackers (yes, the film)

Okay, I’ll come out of the closet on this one. When I rented the film this was my first introduction to the ideas of information security and the world of hacking. No, the film isn’t completely accurate, but what do you expect from Hollywood? What the film did do was start a burning desire to learn more, and as a kid geek who didn’t like the idea of being able to pull Miss Jolie with a laptop and elite skillz? As a result I spent the next few years Googling (OK, searching, Google wasn’t around at the time) hacking and reading any number of ‘how to start hacking’ files. Every now and then I still take the DVD from the box and re-watch the film that, for me, started it all. Hack-the-planet…


While this game was causing controversy at the time it was responsible for my learning computer basics and, in hindsight, the first time I circumvented access controls. The story is thus:

One Christmas (I was 8) my family got our first Windows PC (BBC Micro B with tape drive prior to this), after playing around and gaining my MCSE (Minesweeper Champion and Solitaire Expert) I found the icon for this thing called DooM on the desktop, and it was good. When parents spotted me playing it and reacted to the media controversy and removed the game (well the shortcut), a while later I’d found my way around an MS-DOS shell and was executing doom.exe from commandline. This lasted a couple of weeks before I was spotted again; after I was ‘persuaded’ to explain how I was still playing I had to teach my parents how to actually delete programs. Which did nothing but provide the opportunity for me to pick my first lock to get the install floppies from the disk box, but that’s another story.

Where Wizards Stay Up Late

One of many hacking related books I ended up reading in my initial search for information was Where Wizards Stay Up Late. If you’ve not read it the book documents the history of the internet, from the early days of DARPA onwards. For me this book provided the belief that computers could be a valid career path and contrary to my teacher’s belief at the time, not just something that kids play with.  All self-respecting geeks should know the history of their craft and the people that made it possible, so if the names Licklider, Larry Roberts, Frank Heart, Honeywell or BBN mean nothing to you I strongly recommend that you pick a copy of the book up.

Ethical Hacker Network

EH-Net was my first introduction to actually communicating with others doing infosec in the real world. The forums are an excellent source of information, discussion and support, and unlike many ‘hacker’ forums newbies and outsiders will be welcomed and supported as they find their feet rather than being ridiculed and ignored for asking ‘stupid’ questions. The support and discussions I received when I first became an active member of the forums gave me the belief and confidence that I could make an information security career a possibility, and I’ve made some great friends and contacts as a result. My biggest regret at the moment is that I don’t have enough time to be anywhere near as active in the forums as I once was, although I do intend to change this.

The best individual resource on EH-Net that I found for gaining and maintaining my passion for an infosec career is Don’s presentation DIY Career in Ethical Hacking. The slides and audio are here, I strongly suggest you take an hour to listen to the advice Don shares. In my case when I first heard the talk I took Don’s advice and had a serious look at my career and where I wanted to be in a few years; as a result I registered a week later. I still listen to the audio every 6-12 months to ensure I can stay on track. Thanks Don 😀

Conscience of a Hacker (Hackers Manifesto)

Possibly one of the best known pieces of ‘hacker’ literature was released in Phrack back in 1986. Written by ‘The Mentor’ aka Loyd Blankenship it provides a unique and hard-hitting explanation of why some hackers are hackers, and for the typically introverted geek can help explain some very deep feelings to those that don’t understand. For a number of years I have owned a copy of the DVD recording of Blankenship’s presentation at 2600’s H2K2 conference and always find it inspirational, the story of a kid that showed his parents the article and stated ‘this is how I feel at school’ really highlights the power the article can have. Whether you’re already familiar with the article or haven’t encountered it before I’d suggest both reading the original and listening to Blankenship’s recitation and discussion of the article here[.mp3].


That’s my list; whenever the daily grind starts getting on top I can always count on one of the above resources to remind me why I want a career in infosec, or more importantly why I want to turn my hobby and passion into a career.

If you’ve got similar stories, or additional inspirational resources to share I’d love to hear them.

— Andrew Waite

Categories: InfoSec, Reading

Determining connection source from honeyd.log – cymruwhois version

2010/05/03

InfoSanity’s script has been useful for analysing the initial findings from a HoneyD installation, but one of the weaknesses identified in the geolocation database used by the script was that a large proportion of the source IP addresses connecting to the honeypot environment weren’t known within the database. Markus pointed me in the direction of the cymruwhois (discussed previously) python module as an alternative. I’ve re-written the initial script, below:

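from cymruwhois import Client
import sys

# Collect the source IP (fourth space-separated field) from each honeyd log line
source = []
with open('/var/log/honeypot/honeyd.log', 'r') as logfile:
    for line in logfile:
        fields = line.split(' ')
        if len(fields) > 3:
            source.append(fields[3])

src_country = []
src_count = []

# One bulk query to the Team Cymru whois service; the result is a dict keyed by IP
c = Client()
results = c.lookupmany_dict(source)

for res in results:
    country = results[res].cc
    try:
        # Country already seen: increment its counter
        pos = src_country.index( country )
        src_count[pos] += 1
    except ValueError:
        # First time this country appears
        src_country.append( country )
        src_count.append( 1 )

# Print every country, including the last entry in the list
for i in range( len( src_country ) ):
    sys.stdout.write( "%s:\t%i\n" %( src_country[i], src_count[i] ) )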

So far this has resulted in far fewer unknown source locations, 249 using geoip compared to 3 using cymruwhois. The downside unfortunately is performance, the cymruwhois communicates with a remote host to gather information compared with the geolocation database that is already stored locally on the machine. Both perform some local caching of results/data however so I would expect the performance difference to decrease as larger datasets are analysed.

Using the newer script, based on the same 24hr data set, the top ten host countries communicating with InfoSanity’s honeyd environment are:

RU:     397
US:     234
TW:     179
BR:     158
CN:     123
RO:     107
DE:     101
IT:     96
JP:     91
AR:     86

— Andrew Waite
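As an added example (not code from the original post), the sketch below tackles the remote-lookup cost mentioned above: it collapses the log to distinct source IPs, sends them in one bulk request, then weights each answer by how many connections that IP made. The log lines, the `Record` type and `stub_lookup` are constructed so the block runs offline; against a live sensor you would pass cymruwhois's `Client().lookupmany_dict` as `bulk_lookup`.

```python
import ipaddress
from collections import Counter, namedtuple

# Constructed honeyd.log-style lines using documentation address ranges.
SAMPLE_LOG = """\
2010-05-03-00:00:01.0001 tcp(6) S 192.0.2.10 4312 203.0.113.5 445
2010-05-03-00:00:02.0100 tcp(6) E 192.0.2.10 4312 203.0.113.5 445: 0 0
2010-05-03-00:00:04.0420 tcp(6) - 198.51.100.7 1188 203.0.113.5 135: 48 S
2010-05-03-00:00:09.0007 udp(17) - 192.0.2.10 1026 203.0.113.6 1434: 404
2010-05-03-00:00:11.0300 icmp(1) - 198.51.100.99 203.0.113.5: 8(0): 60
honeyd log started ------
"""

Record = namedtuple("Record", "cc")  # hypothetical stand-in for a whois result
STUB_DB = {"192.0.2.10": Record("RU"), "198.51.100.7": Record("US")}  # constructed

def stub_lookup(ips):
    """Offline replacement for a bulk whois call: returns {ip: Record}."""
    return {ip: STUB_DB[ip] for ip in ips if ip in STUB_DB}

def source_ips(lines):
    """Yield the fourth space-separated field when it parses as an IP address."""
    for line in lines:
        fields = line.split(" ")
        if len(fields) < 4:
            continue  # banner or truncated line
        try:
            ipaddress.ip_address(fields[3])
        except ValueError:
            continue  # field is not an address, skip rather than query it
        yield fields[3]

def country_counts(lines, bulk_lookup):
    """Return (connections per country, number of distinct IPs queried)."""
    per_ip = Counter(source_ips(lines))
    answers = bulk_lookup(sorted(per_ip))  # one request covering distinct IPs only
    totals = Counter()
    for ip, hits in per_ip.items():
        cc = getattr(answers.get(ip), "cc", None) or "unknown"
        totals[cc] += hits
    return totals, len(per_ip)

if __name__ == "__main__":
    totals, distinct = country_counts(SAMPLE_LOG.splitlines(), stub_lookup)
    for cc, hits in totals.most_common():
        print("%s:\t%i" % (cc, hits))
    print("distinct IPs queried: %i" % distinct)
```
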

Team Cymru Whois

2010/05/03

Since posting my Python whois class it’s led to a (relatively) high volume of search hits pointing people to it. So I’d like to apologise for inflicting my code on other people. After a recent post with the script I was pointed in the direction of Team Cymru’s whois service and accompanying python script. If you’ve not come across the stuff released by Team-Cymru I would strongly suggest that you take a look. I always manage to find some interesting new info, three overall sections Monitoring, Services and Reading Room.

Making my life easier, Justin Azoff has released a Python module hosted on github for the service. Using the client is incredibly simple as the sample code included in the package shows:

>>> import socket
>>> ip = socket.gethostbyname("")
>>> from cymruwhois import Client
>>> c=Client()
>>> r=c.lookup(ip)
>>> print r.asn
>>> print r.owner
GOOGLE - Google Inc.

Overall Justin’s client works faster than my own attempt, especially as it has functions specifically designed for bulk lookups. If you’re working with IP, whois or geolocation data I’d suggest giving the cymruwhois utility a look. Thanks to Justin and the Team Cymru people for releasing tools and info that make my work easier.

–Andrew Waite

Categories: InfoSec, Python, Tool-Kit