Posts Tagged ‘nepenthes’

The Power of hexdump

December 15th, 2008

One of my favourite new commands has become hexdump. From time to time I go through my nepenthes hexdump folder to take a look at what I've recently seen.

These hexdumps on their own are fairly useless:

treguly@ns:/home/nepenthes/hexdumps$ cat ffa6fd1e9b143a4bd5ac705a570e3b21.bin
D CKFDENECFDEFFCFGAAAAAAAAAAAAAAAA EGFCEPEOFECACACACACACACACACACAAA
ÿSMBrSÈÿþbPC NETWORK PROGRAM 1.0LANMAN1.0Windows for Workgroups 3.1aLM1.2X002LANMAN2.1NT LM 0.12

However, when you make use of hexdump it becomes much more readable.

treguly@ns:/home/nepenthes/hexdumps$ hexdump -C ffa6fd1e9b143a4bd5ac705a570e3b21.bin
00000000  81 00 00 44 20 43 4b 46  44 45 4e 45 43 46 44 45  |...D CKFDENECFDE|
00000010  46 46 43 46 47 41 41 41  41 41 41 41 41 41 41 41  |FFCFGAAAAAAAAAAA|
00000020  41 41 41 41 41 00 20 45  47 46 43 45 50 45 4f 46  |AAAAA. EGFCEPEOF|
00000030  45 43 41 43 41 43 41 43  41 43 41 43 41 43 41 43  |ECACACACACACACAC|
00000040  41 43 41 43 41 41 41 00  00 00 00 85 ff 53 4d 42  |ACACAAA......SMB|
00000050  72 00 00 00 00 18 53 c8  00 00 00 00 00 00 00 00  |r.....S.........|
00000060  00 00 00 00 00 00 ff fe  00 00 00 00 00 62 00 02  |.............b..|
00000070  50 43 20 4e 45 54 57 4f  52 4b 20 50 52 4f 47 52  |PC NETWORK PROGR|
00000080  41 4d 20 31 2e 30 00 02  4c 41 4e 4d 41 4e 31 2e  |AM 1.0..LANMAN1.|
00000090  30 00 02 57 69 6e 64 6f  77 73 20 66 6f 72 20 57  |0..Windows for W|
000000a0  6f 72 6b 67 72 6f 75 70  73 20 33 2e 31 61 00 02  |orkgroups 3.1a..|
000000b0  4c 4d 31 2e 32 58 30 30  32 00 02 4c 41 4e 4d 41  |LM1.2X002..LANMA|
000000c0  4e 32 2e 31 00 02 4e 54  20 4c 4d 20 30 2e 31 32  |N2.1..NT LM 0.12|
000000d0  00                                                |.|
000000d1

Of course, you can also pipe any output you have into hexdump. I have to say that I only really like it with the -C option (hex bytes alongside their ASCII); I haven't found a use for the other output formats yet.


Scan-Me.org

November 28th, 2008

I shared a while back that I had decided to pick up two dedicated servers... rather than worrying about buying hardware and paying colo fees, I went with just paying fees... high fees, but fees nonetheless. I picked up one Windows machine and one Linux machine and I've been playing with them quite a bit.

One of the things I got to do was remember everything I learned in school and configure various services in a working "production" state. It's one thing to set up a piece of software to test against... it's another to configure it and lock it down to a state you're comfortable having online.

One of the things I decided to do was to pick up an extra IP and set up nepenthes listening on it. I decided to register the domain scan-me.org to attach to it. The domain may seem too obvious, but I figure automated tools look at IP addresses or at links to domains (a link is required for any bots to pick it up).

I've had it listening for about a month with nepenthes 0.2.0. I attempted to upgrade to the latest svn version so that I could include the listener for MS08-067, but my first attempt went rather poorly and I ended up with nothing listening. I'm back to 0.2.0 for now; however, I do plan to attempt another upgrade in the near future.

I'm hoping that mentioning the domain here will increase the number of scans and the quantity of traffic that it sees (anyone who wants to, feel free to repost the address). I've seen limited samples coming in so far; however, those samples do make for some fun nights (I suppose I have an odd definition of fun).

Anyways... I just wanted to share that I had nepenthes running and get a blog post out with the domain mentioned. In the upcoming weeks I hope to post some write-ups related to the samples I'm seeing.