Sophie

nepenthes-0.2.2-5mdv2009.1.i586.rpm

Version 0.2.2
==================

This release has been overdue for a long time.
It should compile using g++4.2 (and automake 1.10).

Nepenthes
        FIXES and ADDITIONS
	-----
	* DownloadManager
		* 0.0.0.0 is local
		* if replace_local_ips is not set, local downloads will be dropped
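The two DownloadManager points above describe one policy: a download target that can only mean "this host" is either dropped or rewritten to the peer's address, depending on replace_local_ips. The following is an added stand-alone illustration of that policy, not nepenthes code; the function names, the decision enum and the sample addresses are assumptions for the example.

```cpp
// Added example (not nepenthes code): the local-download policy described in
// the DownloadManager entry, written as a stand-alone check.
#include <arpa/inet.h>
#include <cstdint>
#include <string>

// Outcome of applying the policy to a download request.
enum class DownloadDecision { Allow, ReplaceHost, Drop };

// True for IPv4 literals that can only mean the honeypot host itself: the
// unspecified address 0.0.0.0 (the fix above) and the loopback network 127/8.
bool isLocalAddress(const std::string& host) {
    in_addr addr{};
    if (inet_pton(AF_INET, host.c_str(), &addr) != 1)
        return false;                       // not a dotted-quad IPv4 literal
    uint32_t ip = ntohl(addr.s_addr);
    return ip == 0 || (ip >> 24) == 127;
}

// Apply the policy. `host` is the download target taken from the request,
// `remoteHost` is the peer the request came from, and `replaceLocalIps`
// mirrors the replace_local_ips option. On ReplaceHost, `host` is rewritten
// to the peer's address; on Drop the caller discards the download.
DownloadDecision applyLocalDownloadPolicy(std::string& host,
                                          const std::string& remoteHost,
                                          bool replaceLocalIps) {
    if (!isLocalAddress(host))
        return DownloadDecision::Allow;
    if (!replaceLocalIps)
        return DownloadDecision::Drop;
    host = remoteHost;
    return DownloadDecision::ReplaceHost;
}
```

The check deliberately returns false for anything that is not an IPv4 literal, so hostnames fall through to normal resolution and are not silently treated as local.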

	* SocketManager
		*  adding sockets during send or recv increases the .size() of m_Sockets, 
		   therefore the pollfd set is read beyond its borders, prevent this
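The SocketManager fix above is a classic container-growth-during-iteration bug: the pollfd array is sized once, but the loop bound re-reads the socket list, which a handler may extend mid-loop. The following is an added stand-alone reduction of that bug next to its fix, not nepenthes code; Socket, handleRecv and the poll-set builder are constructed stand-ins, and the poll set is pre-filled with POLLIN so it runs offline without a real poll() call.

```cpp
// Added example (not nepenthes code): the SocketManager bug above, reduced
// to a stand-alone loop, next to the fixed version.
#include <poll.h>
#include <cstddef>
#include <stdexcept>
#include <vector>

struct Socket {
    int fd;
    bool opensConnectionOnRecv;   // its handler registers a new socket while handling data
};

// Stand-in for a dialogue's recv handler: some dialogues register a new
// connect socket (for example a pending download) while handling data.
static void handleRecv(std::vector<Socket>& sockets, size_t idx) {
    if (sockets[idx].opensConnectionOnRecv)
        sockets.push_back(Socket{1000 + static_cast<int>(sockets.size()), false});
}

// Build the pollfd set from the socket list. revents is pre-filled with
// POLLIN (constructed) so the example runs without calling poll().
static std::vector<pollfd> buildPollSet(const std::vector<Socket>& sockets) {
    std::vector<pollfd> pfds;
    for (const Socket& s : sockets) {
        pollfd p;
        p.fd = s.fd;
        p.events = POLLIN;
        p.revents = POLLIN;
        pfds.push_back(p);
    }
    return pfds;
}

// Buggy loop: the bound re-reads sockets.size(), which grows during the
// loop, but pfds was sized before it. Returns true if the loop tried to
// read past the end of pfds (at() turns the out-of-bounds read into an
// exception instead of silently reading past the buffer).
bool dispatchBuggy(std::vector<Socket> sockets) {
    std::vector<pollfd> pfds = buildPollSet(sockets);
    try {
        for (size_t i = 0; i < sockets.size(); ++i)
            if (pfds.at(i).revents & POLLIN)
                handleRecv(sockets, i);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

// Fixed loop: the iteration count is captured together with the poll set,
// so sockets added during dispatch are simply polled in the next round.
// Returns how many sockets were added this round.
size_t dispatchFixed(std::vector<Socket>& sockets) {
    std::vector<pollfd> pfds = buildPollSet(sockets);
    const size_t n = pfds.size();
    for (size_t i = 0; i < n; ++i)
        if (pfds[i].revents & POLLIN)
            handleRecv(sockets, i);
    return sockets.size() - n;
}
```

With a plain C array or `operator[]` the buggy version reads whatever lies after the pollfd set, which is the out-of-bounds read the changelog entry describes; snapshotting the count at the point the set is built is the whole fix.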

	
Modules
        FIXES and ADDITIONS
        -----
	* submit-norman
		* submit to cwsandbox too, add a new config var urls, 
		  which is a list of urls to post to

	* download-ftp
		* big endian fixes (rui)

	* shellcode-signatures
		* sparc64 fixes (rui)


	* log-prelude
		* various fixes (yoann)

	* sqlhandler-postgres
		* support options


	* submit-norman
		* use captchaless url


	* log-surfnet
		* prevent attack insert failures from messing up following attacks using the same socket ptr
		* update attack severity for delayed attacks
		* erase closed sockets from the socket tracker if there is no outstanding query to process

	* download-curl
		* new curl api

        NEW
        ---
	* vuln-sav
		* added

	* log-hexdump
		* added, external module now
		* compile with --enable-debug-logging and load loghexdump.so


	* submit-mwserv
		* added (oxff)



	* submit-http
		* added (Niklas Schiffler)


	* module-honeytrap
		* added

Version 0.2.0
==================

Independent of the code changes, we cleaned up the compile process;
now every module is linked only against the libraries it relies on.


Nepenthes
        FIXES and ADDITIONS
	-----
	* Nepenthes 
		* check for nepenthes in signal handler before logging
		* dont handle SIGUSR1/2
		* create LogManager in constructor, so we can use it right from the beginning to the bitter end
		* added mips & arm to MY_ARCHES
		* handle SIGCHLD & SIGPIPE
		* add -D daemonize flag for start as daemon
		* use proper types for uid/gid
		* dont change user/group if not necessary
		* clean up startup code

	* GeoLocationManager
        	* removed

	* UploadManager
        	* removed


	* LogManager 
		* clear() loggers on destruction
		* check for registered loggers before logging; if no handlers are registered, log using printf

	* Socket
		* allow hw address lookup using /proc/net/arp in Socket::getRemoteHWA(string *address)
	
	* UDPSocket
		* fix source based routing for udp, bind local address for connect() connections
		* memset() our sockaddr_in before we use them

	* TCPSocket
		* add event on binding a port
		* memset() our sockaddr_in before we use them


	* SQLManager
		* added

	* ModuleManager
		* unload modules in reverse order

	* LogHandler
		* added setOwnership()

	* LogManager
		* added bool LogManager::delLogger(LogHandler *lh), return true on success, false else

 
Modules
        FIXES and ADDITIONS
        -----
	* shellcode-signatures
		* changed the build process to use the yacc & flex files
		* fix bug in sch_namespace_base64, credits go to Nelson William for pointing this out

	* log-prelude
		* fixes & classification changes by Harald Lampesberger
		* should produce valid idmef now

	* vuln-bagle
		* fixed endless loop on closed connection

	* vuln-mydoom
		* fixed endless loop on closed connection


	* log-irc
		* can set filters now
		* use LogManager::delLogger(LogHandler *lh) on ::Exit

	* shellemu-winnt
		* improve ftp.exe commandline parsing
		  problem was, when the host/anonymous flag was specified on the command line, 
		  after the script


	* log-surfnet
		* log remote mac address to table if it's available
		* use sqlhandler-postgres, to offer autoreconnect etc etc etc

	* download-ftp
		* workaround problems with PORTs command where the virus would parse the wrong port

	* download-creceive
		* fix a bug where the download's source is equal to the download's destination

	
	* vuln-mydoom
		* fix destination ip
		* proper url

	* submit-norman
		* submit to cwsandbox too, add a new config var urls, 
		  which is a list of urls to post to

        NEW
        ---
	* vuln-realvnc 
		* handles alphanumeric keystrokes
		* clipboard actions

	* module-honeytrap
		* idea is taken from honeytrap.sf.net by Werner Tillmann
		* detect incoming connections using pcap/ipq/ipfw
		* bind unbound ports
		* create a mirror connection to the attacker to "emulate" the vuln using the attacker's own weakness
		* able to log incoming connections as pcap files

	* module-bridge
		* basic exploit & command detection to the accept() Dialogue,
		* handle recognized attacks, downloads what has to be downloaded


	* sqlhandler-postgres
		* can use domains
		* nonblocking, even in conjunction with domains
		* autoreconnect

	* x-9
		* example on the sqlmanager/handler


	* submit-postgres
		* submit samples & context information to a postgres database
		* requires the sqlhandler-postgres
		* compatible to libpq 7.4 and 8.x
		* spooling with bencoded files


	* module-peiros
		* 'construction site'


	GONE WITH THE WIND
	------------------
	*
		* geolocation-*
		* x-8 (geolocation example)
		* upload-http
		* submit-xmlrpc




Version 0.1.7
==================



Nepenthes
        FIXES and ADDITIONS
        -----
        * Nepenthes
                * default install won't spam the console, use --enable-debug-logging if you want the console spam party
                * --version dumps information about operating system
                * --help is better
                * log exit reason to file
                * prevent crash on startup when running in changeroot
                  without changing process user and/or group id, -> changeroot _after_ we
                  chowned the logfiles
                * support for linux capabilities


        * SocketManager
                * support for if:ethN for default bind address by interface
                * removed RAWSocket

        * GeoLocationManager
                * add return value in Exit()

        * UploadHandler
                * g++ 4.1 fixes

        * DownloadHandler
                * g++ 4.1 fixes

        * ModuleManager
                * use dlopen() with RTLD_LOCAL, osx has RTLD_GLOBAL as default and
                  segfaults therefore when unloading modules



Modules
        FIXES and ADDITIONS
        -----
        * vuln-ftpd
                * can handle NAT for active ftp

        * vuln-kuang
                * log remote ip, not local ip

        * x-6
                * free the mallocs

        * module-portwatch
                * removed port 21 from portwatch list
                * added 25 to portwatch list

        * shellcode-generic
                * detect wget in xmlrpc exploit attempts

        * log-irc
                * send irc server pass
                * infinite retries to resolve server/tor domain

        * x-7
                * dropped

        * dnsresolve-adns
                * g++ 4.1 fixes

        * submit-norman
                * g++ 4.1 fixes

        * download-curl
                * g++ 4.1 fixes

        * vuln-netdde
                * removed shellcodehandler, moved to shellcode-signatures

        * vuln-msmq
                * removed shellcodehandler, moved to shellcode-signatures

        * vuln-dcom
                * removed shellcodehandler, moved to shellcode-signatures

        * vuln-asn1
                * removed shellcodehandler, moved to shellcode-signatures

        * vuln-sasserftpd
                * removed shellcodehandler, moved to shellcode-signatures

        * vuln-wins
                * removed shellcodehandler, moved to shellcode-signatures

        * vuln-iis
                * removed shellcodehandler, moved to shellcode-signatures

        * vuln-lsass
                * removed shellcodehandler, moved to shellcode-signatures


        * vuln-mydoom
                * use CL_ASSIGN_AND_DONE when done (for log-surfnet)

        * vuln-bagle
                * use CL_ASSIGN_AND_DONE when done (for log-surfnet)


        NEW
        ---
        * submit-gotek
		* submit files to the mwcollect alliance via the gotek 1 protocol
		
        * log-prelude
                * fixed by Harald Lampesberger

        * vuln-ftpd
		* emulation for various bugs in windows ftp daemons
                * contributed by Harald Lampesberger


        * shellcode-signatures
                * ported almost _all_ shellcodes from shellcode-generic






Version 0.1.6
=============


We made sure the source compiles on
  * cygwin
  * linux (tested debian on x86, fedora core 3 on amd64, suse 9 enterprise server on powerpc)
  * openbsd (tested on openbsd 3.8 on x86)
  * netbsd (tested on netbsd 2.0.2 on x86)

For cygwin we had to cast many int32_t to int, and many int32_t * to int too (104 times)... and include sys/socket.h (26 times)
OpenBSD enforced including sys/types.h nearly everywhere (37 times)
64bit fedora made us use intptr_t instead of int to point to memory (19 times)

The other focus was adding some new shellcode handlers, 
and we added a new download handler for the broken by design rcp protocol


Nepenthes
	FIXES and ADDITIONS
	-----
	* DownloadManager
		* as long as BIG_ENDIAN is not covered by autoconf, don't rely on it here.

	* UploadManager 
		* fixed includes
	* DNSManager 
		* errno fix
	
	* DownloadUrl
		* fixed includes
	
	* Buffer 
		* casting int for amd64	

	* Nepenthes
		* getopt int casting
		* no logfile chown on cygwin
		* no filetype on cygwin, don't rely on it
		* cygwin needs int main()
		* no signals for cygwin (yet)
		
	* SocketManager
		* interface to request tcp connect sockets with provided local port ( for download-rcp )
	* TCPSocket 
		* new constructor for connect sockets which allows setting a local port
		
	
Modules
	FIXES and ADDITIONS
	-----
	* many modules
		* fixed wrong module names/descriptions
	
	* shellcode-generic (picchio contributed the analysis for them, we are really glad about his work)
		* added sch_generic_winexec
		* pinnebergConnect added
		* sch_generic_xor schoenberg xor added
		* schoenenberg bind added
		* ravensburg bind added
		* rosengarten xor added
		* schauenburg bind added
		* schauenburg xor added
		* leimbach xor family added
		* lichtenfels xor & connectback
		
	* submit-xmlrpc
		* using geolocation submit-xmlrpc resolved the locals geolocation, 
		  now we resolve the remotes
		  
	* log-irc 
		* channel pass fix
		* upon request - reply nepenthes version to !version
		
	* shellemu-winnt
		* added VFSCommandRCP for rcp.exe
		
		  
	NEW
	---
	* download-rcp
		* created, downloads files via the undocumented rcp protocol






Version 0.1.5
=============
Bugfix release/minor features.


Nepenthes
	FIXES and ADDITIONS
	-----
	* none
	
	
	

Modules
	FIXES and ADDITIONS
	-----
	* shellcode-generic
		* sch_generic_cmd added \r\n as lineterminator
		* shellcode-generic.conf.dist langenfeldConnect pcre added
		* sch_generic_xor 
			* deggendorf & langenfeld xor added, 
			* removed possible off by n <=3 byte in the 4 byte xor

	
	* vuln-dcom
		* made it less aggressive, if it does not look like dcom, dont handle it
		

	* shellemu-winnt
		* VFSCommandSTART added
		* VFSCommandTFTP proper var checks added
		* added handling of the escape var ^ for the shell
		* VFSCommandFTP can download >1 file per batch now 
		* VFSCommandFTP can handle "cd" now
		
	* download-http
		* handle downloads with 0 byte bodysize as broken
		
	* download-ftp 
		* can send CWD now
		* fixed missing \r on sending RETR
		
	* geolocation-hostip
		* the address to look the address up changed, so we adjusted it
		

	* geolocation-ip2location
		* tarball lacked config file


	NEW
	---
	* vuln-msdtc
		* emulation for the ms05-051 exploit by swan
		

Version 0.1.4
=============
Bugfix release/minor features.

Nepenthes
	FIXES and ADDITIONS
	-----
	* FileLogger logged to somewhere else after the config file was deleted, as it lacked a valid path


Modules
	FIXES and ADDITIONS
	-----
	* download-nepenthes 
		* NULL pointer bug fixed
	  
	* shellcode-generic 
		* rewrapped xor code, 
		* added some bindshell codes
			* parthenstein
			* wackerow
			* kaltenborn
	  
	* geolocation-ip2location 
		* now makes use of the real ip2location c api you can download on their homepage, 
		  setting the lib up sucks, but it works
	  
	* log-surfnet
		* moduledescription changed, as we log to postgres, not to mysql
	   
	* dnsresolve-adns 
		* added modulename and description
		



Version 0.1.3
=============
Bugfix release/minor features.
FIXME

* fixed some g++ 3.2 include issues


* Autoconf
	* improved configure.ac
		* added --enable-* to configure
			* geolocation is optional
		* dump ./configure configuration to stdout



* Nepenthes core

			

	* DownloadManager & Download & DownloadCallback
		* changed structure so we can specify a DownloadCallback for internal downloads
			* interested in a download's result? ask the DownloadManager to download it and provide a DownloadCallback;
			  the DownloadManager will pass the information, encapsulated in a Download, to its DownloadHandler;
			  the DownloadHandler will try to download it and pass the Download as result to the DownloadCallback
			  
			  



	* DNSManager DNSQuery DNSHandler DNSResult DNSCallback
		* made the DNSResolver service modular; the only module available so far is dnsresolve-adns
		* modules providing resolver capabilities are now called 'DNSHandler';
		  anything which is interested in its dns resolution result is a DNSCallback now
		  (before there was no DNSCallback and no modularity, and we called classes interested in DNS DNSHandler)
			* interested in resolving some domain? ask the DNSManager and provide a DNSCallback;
			  the DNSManager will form a DNSQuery from the request and pass it to its DNSHandler;
			  the DNSHandler will try to resolve the domain and pass the result as a DNSResult to the
			  DNSCallback
		  
	* Event 
		* use uint8_t as Eventid instead of event_type
		* added ShellcodeEvent & DialogueEvent 


	* EventManager
		* allow internal Event registration


	* GeoLocationManager GeoLocationQuery GeoLocationHandler GeoLocationResult GeoLocationCallback 
        	* created
			* GeoLocationHandler register with the GeoLocationManager
			* interested in GeoLocation lookups? ask the GeoLocationManager and provide a GeoLocationCallback;
			  the GeoLocationManager will form a GeoLocationQuery from the request and pass it to its GeoLocationHandler;
			  the GeoLocationHandler will try to resolve it and pass the GeoLocationResult to the GeoLocationCallback
		* added caching of results
		


	* LogManager
		* filelogger is the default logger again, so logrotate can do its job
		* force ringbuffer logger usage with -R
		

	* log-ringbuffer
		* added
		  stop wasting diskspace with logs
		* sets correct permissions on destination files
		* uses path to log to from nepenthes.logmanager.ring_logger_file
		

	* log-file
		* uses path to log to from nepenthes.logmanager.file_logger_file


	* Nepenthes
		* improved the init, better errorhandling
		* -f can do dirs


	* ShellcodeManager
		* hooks a ShellcodeEvent on success
		

	
	* SocketManager TCPSocket UDPSocket RAWSocketListener
		* decreased poll timeout
		* moved ports to uint16_t
		* use nepenthes.socketmanager.bind_address instead of binding INADDR_ANY for bind & connect
			(suggested by Michael H. Warfield)
			

	* TCPSocket
		* hooks a DialogueEvent on success

		
		
	* UploadManager UploadQuery UploadHandler UploadResult UploadCallback 
		* created
			* interested in uploading something to somewhere? ask the UploadManager and provide an UploadCallback;
			  the UploadManager will form an UploadQuery from the request and pass it to its UploadHandler;
			  the UploadHandler will try to upload the data and pass the reply as an UploadResult to the
			  UploadCallback
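The Download, DNS, GeoLocation and Upload entries in this release all describe the same Manager / Query / Handler / Result / Callback layering: a caller asks the manager and supplies a callback, the manager forms a query and hands it to the registered handler module, and the handler delivers a result to the callback. The following is an added stand-alone illustration of that layering for the DNS case, not nepenthes code; the class names follow the changelog, while the table-backed handler, the recording callback and the domain and address values are constructed stand-ins for a real resolver module such as dnsresolve-adns.

```cpp
// Added example (not nepenthes code): the Manager / Query / Handler / Result /
// Callback pattern written out for DNS resolution.
#include <map>
#include <string>
#include <vector>

struct DNSResult {
    std::string domain;
    std::vector<std::string> addresses;   // empty on failure
};

// Anything interested in a resolution result implements this.
class DNSCallback {
public:
    virtual ~DNSCallback() = default;
    virtual void dnsResolved(const DNSResult& result) = 0;
    virtual void dnsFailure(const DNSResult& result) = 0;
};

// Formed by the manager from a request; carries the callback along.
struct DNSQuery {
    std::string domain;
    DNSCallback* callback;
};

// A resolver module registers one of these with the manager.
class DNSHandler {
public:
    virtual ~DNSHandler() = default;
    virtual bool resolve(const DNSQuery& query) = 0;
};

class DNSManager {
public:
    void registerHandler(DNSHandler* handler) { m_handler = handler; }

    // Forms a DNSQuery and hands it to the registered handler.
    // Returns false if no resolver module is loaded.
    bool resolve(const std::string& domain, DNSCallback* callback) {
        if (m_handler == nullptr)
            return false;
        DNSQuery query{domain, callback};
        return m_handler->resolve(query);
    }

private:
    DNSHandler* m_handler = nullptr;
};

// Constructed handler: answers from a fixed table instead of the network.
class TableDNSHandler : public DNSHandler {
public:
    void add(const std::string& domain, const std::string& address) {
        m_table[domain].push_back(address);
    }
    bool resolve(const DNSQuery& query) override {
        DNSResult result{query.domain, {}};
        auto it = m_table.find(query.domain);
        if (it == m_table.end()) {
            query.callback->dnsFailure(result);
            return true;
        }
        result.addresses = it->second;
        query.callback->dnsResolved(result);
        return true;
    }

private:
    std::map<std::string, std::vector<std::string>> m_table;
};

// Constructed callback that records what the handler delivered.
class RecordingCallback : public DNSCallback {
public:
    std::map<std::string, std::vector<std::string>> resolved;
    std::vector<std::string> failed;
    void dnsResolved(const DNSResult& r) override { resolved[r.domain] = r.addresses; }
    void dnsFailure(const DNSResult& r) override { failed.push_back(r.domain); }
};
```

The point of the split is that the caller never sees the resolver module: swapping dnsresolve-adns for another handler, or for a table like the one above in tests, changes nothing on the callback side, and a missing module is reported at the manager instead of crashing inside the caller.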


	
	* Utilities
		* added escapeXMLString(char *)
		
	

* Modules
	FIXES and ADDITIONS
	-----
	* shellemu-winnt 
		* fixed sending shell header on accept shells
		* VFSCommandFTP handle -A flag for anonymous logins
		* fixed crash with -f flag for checking dumps
		* batch file handling 
		
	
	* vuln-mssql 
		* fixed tcp socket instead of udp
	
	
	* download-ftp
		* fixed quiting loop

	* dnsmanager, dnsquery, dnsresult
		* TXT record added
	

	* x-2 
		* fix memleak

	* x-5
		* now registers its own event to show how this works
		

	* x-6 
		* 'txt <domain>' will resolve the txt record now
		

	* submit-xmlrpc
		* can use geolocation services now
		* fixes some xml parsing
		

	* download-ftp 
		* send LOGIN after 220 Welcome
		

	* download-curl
		* add internal download capabilities
		

	* shellcode-generic
		* sch_generic_link_xor
			* improve bad length handling
		* added adenau xor
		* added adenau connectback
		* added unicode decoder
		* sch_generic_url 
			* added - to allowed chars 
			

	NEW
	---

	* dnsresolve-adns
		* made it a module
		* fixes some memoryleaks we saw before
	
	* download-http
		* written as download-curl replacement
		
	* geolocation-hostip
		* resolve geolocations via hostip.info
		
	* geolocation-geoip
		* resolve geolocations via maxminds geoip library
		
	* geolocation-ip2location
		* resolve geolocations via maxminds geoip library

	* log-surfnet
		* log to surfnet ids database
		  http://ids.surfnet.nl
		  

	* vuln-ssh 
		* created, 
		* works for ssh logins, fails for ssh worms :\

	* x-8 
		* added example how to use geolocation services


* Other
	* phpxmlrpc_server
		* added
		
	* doxygen docu
		* added
		


Version 0.1.2
=============
Bugfix release/minor features.

* Utilities
	* hexdump uses nepenthes.utilites.hexdump_path as pathinfo now
	
* shellemu-winnt
	* VFSCommandFTP uses new DownloadFlags

* Download 
	* added DownloadFlags so we can handle broken ftpds better
	* added ::addFlag(uint8_t ) & ::getFlags()

* DownloadManager 
	* download() now takes uint8_t downloadflags as argument

* download-ftp
	* bind to port 0 to avoid collision
	* rewrote quite everything to handle broken ftp daemons better, including the new DownloadFlags

* Socket
	* changed SS_NULL to SS_CONNECTED
	* added SS_CONNECTING

	
* TCPSocket 
	* set localip on accept() Sockets, so we can use this info further
	* bind ConnectSockets before connecting, so we use the same ip for reverseconnect shells
	* uses SS_CONNECTING for connect sockets
	* overloads setState(), so if they are in state SS_CONNECTING and goto SS_CONNECTED they 
		can call Dialogue::connectionEstablished() for their dialogues

	* some changes in the TCPSockets internal Dialogue handling prevent nepenthes recognizing 
		the same shellcode in more than one dialogue, resulting in more than one download per exploit
		
		
* vuln-dameware
	* created
	
* Dialogue
	* added ::dump()
	* added ::connectionEstablished()

	
* many vuln-* modules
	* added CL_ASSIGN_AND_DONE handling


* many shellcodehandlers using downloadhandler
	* added valid downloadflag usage



Version 0.1.1
=============
Bugfix release/minor features.

This is the first release featuring auto(conf|make|broken|whatever) support.
Maximillian Dornseif had enough time to burn to write configure.whatever 
and such stuff for everything so far.


* Compile fixes for 
	* Mac OSX	
	* FreeBSD

* Nepenthes
	* Added functionality for -d and -l command line options (log filtering).
	* Handle SIGINT on -f (command line) usage.
	* -V is now version.
	* -v is now verbose, useful for -f when debugging new shellcodehandlers.
	* DownloadBuffer now features cutFront(unsigned int len)

* Veritas Backup Exec Exploit for port 10000 added.
	* shellcode-generic
		* Konstanz XOR added as sch_generic_konstanz_xor.
		* Konstanz connectback shell pattern added to shellcode-generic.conf.dist.
	* Removed VERITASDialogue for port 10000 hexdump, added shellcodehandling.


* shellcode-generic
	* Fixed sch_generic_connect.
	* Added sch_generic_connect_trans and Halle PCRE.
	* Added sch_generic_xor Halle.

* vuln-dcom
	* Fixed oc192 PCRE.
	* Removed SOL2k shellcode handler, as they were never seen during the last two months.

* download-csend
	* the atoi(url->path) is cut from the download buffer to be able to use csend with halle
	
* vuln-iis 
	* Handle NULL if binding the socket fails in a useful manner
	
* vuln-pnp
	* added
	* handles the MS05-039 exploit by houseofdabus
	
* vuln-lsass 
	* fixed some lines to work properly with vuln-pnp

* Utilities
	* sha512 added
	
* shellemu-winnt
	* VFSCommandCMD
	the first command after the /c has to be readded to the StdIn queue, like we did before,
	but we have to add a delimiter '&' so we dont break our own parsing.

* Download 
	* added SHA512 get & set methods

* SubmitManager 
	* set SHA512 for downloads

* tools/rpcxmlxfer
	* there is an early implementation of a central collection and
	logging protocol called rpcxmlxfer in this release. The prototype is
	implemented as an external script. Just add something like
	  */5 * * * * nobody /opt/nepenthes/bin/rpcxmlxfer-client -q
	to your /etc/crontab to try it.

* download-ftp
	* bind to port 0 to avoid collision

* Socket
	* changed SS_NULL to SS_CONNECTED
	* added SS_CONNECTING
	
* TCPSocket 
	* set localip on accept() Sockets, so we can use this info further
	* bind ConnectSockets before connecting, so we use the same ip for reverseconnect shells
	* uses SS_CONNECTING for connect sockets
	* overloads setState(), so if they are in state SS_CONNECTING and goto SS_CONNECTED they 
		can call Dialogue::connectionEstablished() for their dialogues
		

* submit-xmlrpc
	* created
	* depends on vuln-lsass 
	
* vuln-dameware
	* created
	
* Dialogue
	* added dump()
	* added connectionEstablished


Version 0.1.0
=============
Initial release.