Version 0.2.2
==================

This release has been overdue for a long time.
It should compile using g++ 4.2 (and automake 1.10).

Nepenthes
 FIXES and ADDITIONS
 -----
  * DownloadManager
    * 0.0.0.0 is local
    * if replace_local_ips is not set, local downloads will be dropped

  * SocketManager
    * adding sockets during send or recv increases the .size() of m_Sockets,
      therefore the pollfd set is read beyond its borders, prevent this


Modules
 FIXES and ADDITIONS
 -----
  * submit-norman
    * submit to cwsandbox too, add a new config var urls,
      which is a list of urls to post to

  * download-ftp
    * big endian fixes (rui)

  * shellcode-signatures
    * sparc64 fixes (rui)

  * log-prelude
    * various fixes (yoann)

  * sqlhandler-postgres
    * support options

  * submit-norman
    * use captchaless url

  * log-surfnet
    * prevent attack insert failures from messing up following attacks using the same socket ptr
    * update attack severity for delayed attacks
    * erase closed sockets from the socket tracker if there is no outstanding query to process

  * download-curl
    * new curl api

 NEW
 ---
  * vuln-sav
    * added

  * log-hexdump
    * added, external module now
    * compile with --enable-debug-logging and load loghexdump.so

  * submit-mwserv
    * added (oxff)

  * submit-http
    * added (Niklas Schiffler)

  * module-honeytrap
    * added


Version 0.2.0
==================

Independent of the code changes, we cleaned up the compile process;
now every module is linked only against the libraries it relies on.
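The SocketManager entry above describes a loop whose bound is re-read from a container that a handler can grow while the loop runs, so the fixed-size pollfd set handed to poll() is indexed past its end. The following is an added C++ example, not Nepenthes code: the class and member names (SocketManager, m_Sockets, Socket, doRecv) mirror the changelog, the bodies and the two-socket scenario are constructed here. It shows the buggy loop shape beside the fixed one; .at() is used in the buggy variant so the over-read surfaces as an exception instead of a silent read beyond the buffer.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <vector>
#include <poll.h>

class SocketManager;

// Stand-in for a Nepenthes Socket (constructed for this example): the recv
// handler of some sockets opens a new socket, e.g. an accept() or a download.
struct Socket {
    int  fd;
    bool spawnsChild;
    void doRecv(SocketManager &mgr);
};

class SocketManager {
public:
    // unique_ptr keeps each Socket at a stable address even when the vector
    // reallocates because a handler added a socket mid-loop.
    std::vector<std::unique_ptr<Socket>> m_Sockets;

    void addSocket(int fd, bool spawnsChild) {
        m_Sockets.push_back(std::unique_ptr<Socket>(new Socket{fd, spawnsChild}));
    }

    // Build the pollfd set from the current socket list, as done before poll().
    // Constructed: every entry is marked readable so each handler runs.
    std::vector<pollfd> buildPollSet() const {
        std::vector<pollfd> pfds;
        for (const auto &s : m_Sockets) {
            pollfd p;
            p.fd = s->fd;
            p.events = POLLIN;
            p.revents = POLLIN;
            pfds.push_back(p);
        }
        return pfds;
    }

    // Buggy dispatch: the bound is m_Sockets.size(), re-read every iteration,
    // so when doRecv() adds a socket the loop indexes pfds past the count
    // poll() was given. .at() turns that into std::out_of_range; with the raw
    // pollfd array the original used it is a silent read beyond the buffer.
    size_t dispatchBuggy() {
        std::vector<pollfd> pfds = buildPollSet();
        size_t handled = 0;
        for (size_t i = 0; i < m_Sockets.size(); i++) {
            if (pfds.at(i).revents & POLLIN) {
                m_Sockets[i]->doRecv(*this);
                handled++;
            }
        }
        return handled;
    }

    // Fixed dispatch: the bound is the number of entries the pollfd set was
    // built with; sockets added during the loop wait for the next poll().
    size_t dispatchFixed() {
        std::vector<pollfd> pfds = buildPollSet();
        const size_t nfds = pfds.size();
        size_t handled = 0;
        for (size_t i = 0; i < nfds; i++) {
            if (pfds[i].revents & POLLIN) {
                m_Sockets[i]->doRecv(*this);
                handled++;
            }
        }
        return handled;
    }
};

void Socket::doRecv(SocketManager &mgr) {
    if (spawnsChild)
        mgr.addSocket(fd + 100, false);  // constructed: new connection opened while being served
}

// Two sockets, the first of which spawns a child while being served.
static SocketManager makeScenario() {
    SocketManager mgr;
    mgr.addSocket(3, true);
    mgr.addSocket(4, false);
    return mgr;
}

// true when the buggy loop walks past the pollfd set
bool demoBuggyOverreads() {
    SocketManager mgr = makeScenario();
    try {
        mgr.dispatchBuggy();
        return false;
    } catch (const std::out_of_range &) {
        return true;
    }
}

// handlers run by the fixed loop: exactly the two sockets poll() knew about
size_t demoFixedHandled() {
    SocketManager mgr = makeScenario();
    return mgr.dispatchFixed();
}

// the spawned socket stays registered and is polled in the next round
size_t demoFixedSocketCount() {
    SocketManager mgr = makeScenario();
    mgr.dispatchFixed();
    return mgr.m_Sockets.size();
}

int main() {
    std::printf("buggy loop over-reads pollfd set: %s\n", demoBuggyOverreads() ? "yes" : "no");
    std::printf("fixed loop handled %zu sockets, %zu now registered\n",
                demoFixedHandled(), demoFixedSocketCount());
    return 0;
}
```

The fixed variant deliberately leaves the newly added socket for the next poll() round rather than serving it immediately: its fd was never part of the set poll() reported on, so there is no revents value to act on for it.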
Nepenthes
 FIXES and ADDITIONS
 -----
  * Nepenthes
    * check for nepenthes in signal handler before logging
    * dont handle SIGUSR1/2
    * create LogManager in constructor, so we can use it right from the beginning to the bitter end
    * added mips & arm to MY_ARCHES
    * handle SIGCHLD & SIGPIPE
    * add -D daemonize flag for start as daemon
    * use proper types for uid/gid
    * dont change user/group if not necessary
    * clean up startup code

  * GeoLocationManager
    * removed

  * UploadManager
    * removed

  * LogManager
    * clear() loggers on destruction
    * check for registered loggers before logging, if no handlers are registered, log using printf

  * Socket
    * allow hw address lookup using /proc/net/arp in Socket::getRemoteHWA(string *address)

  * UDPSocket
    * fix source based routing for udp, bind local address for connect() connections
    * memset() our sockaddr_in before we use them

  * TCPSocket
    * add event on binding a port
    * memset() our sockaddr_in before we use them

  * SQLManager
    * added

  * ModuleManager
    * unload modules in reverse order

  * LogHandler
    * added setOwnership()

  * LogManager
    * added bool LogManager::delLogger(LogHandler *lh), returns true on success, false otherwise


Modules
 FIXES and ADDITIONS
 -----
  * shellcode-signatures
    * changed the build process to use the yacc & flex files
    * fix bug in sch_namespace_base64, credits go to Nelson William for pointing this out

  * log-prelude
    * fixes & classification changes by Harald Lampesberger
    * should produce valid idmef now

  * vuln-bagle
    * fixed endless loop on closed connection

  * vuln-mydoom
    * fixed endless loop on closed connection

  * log-irc
    * can set filters now
    * use LogManager::delLogger(LogHandler *lh) on ::Exit

  * shellemu-winnt
    * improve ftp.exe commandline parsing
      problem was, when the host/anonymous flag was specified on the command line,
      after the script

  * log-surfnet
    * log remote mac address to table if it is available
    * use sqlhandler-postgres, to offer autoreconnect etc.

  * download-ftp
    * workaround problems with PORT commands where the virus would parse the wrong port

  * download-creceive
    * fix a bug where the download's source is equal to the download's destination

  * vuln-mydoom
    * fix destination ip
    * proper url

  * submit-norman
    * submit to cwsandbox too, add a new config var urls,
      which is a list of urls to post to

 NEW
 ---
  * vuln-realvnc
    * handles alphanumeric keystrokes
    * clipboard actions

  * module-honeytrap
    * idea is taken from honeytrap.sf.net by Werner Tillmann
    * detect incoming connections using pcap/ipq/ipfw
    * bind unbound ports
    * create a mirror connection to the attacker to "emulate" the vuln using the attacker's own weakness
    * able to log incoming connections as pcap files

  * module-bridge
    * basic exploit & command detection in the accept() Dialogue
    * handle recognized attacks, download what has to be downloaded

  * sqlhandler-postgres
    * can use domains
    * nonblocking, even in conjunction with domains
    * autoreconnect

  * x-9
    * example on the sqlmanager/handler

  * submit-postgres
    * submit samples & context information to a postgres database
    * requires the sqlhandler-postgres
    * compatible with libpq 7.4 and 8.x
    * spooling with bencoded files

  * module-peiros
    * 'construction site'

 GONE WITH THE WIND
 ------------------
  * geolocation-*
  * x-8 (geolocation example)
  * upload-http
  * submit-xmlrpc



Version 0.1.7
==================

Nepenthes
 FIXES and ADDITIONS
 -----
  * Nepenthes
    * default install wont spam the console, use --enable-debug-logging if you want the console spam party
    * --version dumps information about operating system
    * --help is better
    * log exit reason to file
    * prevent crash on startup when running in changeroot
      without changing process user and/or group id, -> changeroot _after_ we
      chowned the logfiles
    * support for linux capabilities

  * SocketManager
    * support for if:ethN for default bind address by interface
    * removed RAWSocket

  * GeoLocationManager
    * add return value in Exit()

  * UploadHandler
    * g++ 4.1 fixes

  * DownloadHandler
    * g++ 4.1 fixes

  * ModuleManager
    * use dlopen() with RTLD_LOCAL, osx has RTLD_GLOBAL as default and
      therefore segfaults when unloading modules


Modules
 FIXES and ADDITIONS
 -----
  * vuln-ftpd
    * can handle NAT for active ftp

  * vuln-kuang
    * log remote ip, not local ip

  * x-6
    * free the mallocs

  * module-portwatch
    * removed port 21 from portwatch list
    * added 25 to portwatch list

  * shellcode-generic
    * detect wget in xmlrpc exploit attempts

  * log-irc
    * send irc server pass
    * infinite retries to resolve server/tor domain

  * x-7
    * dropped

  * dnsresolve-adns
    * g++ 4.1 fixes

  * submit-norman
    * g++ 4.1 fixes

  * download-curl
    * g++ 4.1 fixes

  * vuln-netdde
    * removed shellcodehandler, moved to shellcode-signatures

  * vuln-msmq
    * removed shellcodehandler, moved to shellcode-signatures

  * vuln-dcom
    * removed shellcodehandler, moved to shellcode-signatures

  * vuln-asn1
    * removed shellcodehandler, moved to shellcode-signatures

  * vuln-sasserftpd
    * removed shellcodehandler, moved to shellcode-signatures

  * vuln-wins
    * removed shellcodehandler, moved to shellcode-signatures

  * vuln-iis
    * removed shellcodehandler, moved to shellcode-signatures

  * vuln-lsass
    * removed shellcodehandler, moved to shellcode-signatures

  * vuln-mydoom
    * use CL_ASSIGN_AND_DONE when done (for log-surfnet)

  * vuln-bagle
    * use CL_ASSIGN_AND_DONE when done (for log-surfnet)

 NEW
 ---
  * submit-gotek
    * submit files to the mwcollect alliance via the gotek 1 protocol

  * log-prelude
    * fixed by Harald Lampesberger

  * vuln-ftpd
    * emulation for various bugs in windows ftp daemons
    * contributed by Harald Lampesberger

  * shellcode-signatures
    * ported almost _all_ shellcodes from shellcode-generic



Version 0.1.6
=============

We made sure the source compiles on
  * cygwin
  * linux (tested debian on x86, fedora core 3 on amd64, suse 9 enterprise server on powerpc)
  * openbsd (tested on openbsd 3.8 on x86)
  * netbsd (tested on netbsd 2.0.2 on x86)

For cygwin we had to cast many int32_t to int, and many int32_t * to int too (104 times)... and include sys/socket.h (26 times)
OpenBSD enforced including sys/types.h nearly everywhere (37 times)
64bit fedora made us use intptr_t instead of int to point to memory (19 times)

The other focus was adding some new shellcode handlers,
and we added a new download handler for the broken-by-design rcp protocol


Nepenthes
 FIXES and ADDITIONS
 -----
  * DownloadManager
    * as long as BIG_ENDIAN is not covered by autoconf, dont rely on it here.
  * UploadManager
    * fixed includes

  * DNSManager
    * errno fix

  * DownloadUrl
    * fixed includes

  * Buffer
    * casting int for amd64

  * Nepenthes
    * getopt int casting
    * no logfiles chown on cygwin
    * no filetype on cygwin, dont rely on it
    * cygwin needs int main()
    * no signals for cygwin (yet)

  * SocketManager
    * interface to request tcp connect sockets with provided local port (for download-rcp)

  * TCPSocket
    * new constructor for connect sockets which allows setting a local port


Modules
 FIXES and ADDITIONS
 -----
  * many modules
    * fixed wrong module names/descriptions

  * shellcode-generic (picchio contributed the analysis for them, we are really glad about his work)
    * added sch_generic_winexec
    * pinnebergConnect added
    * sch_generic_xor schoenberg xor added
    * schoenenberg bind added
    * ravensburg bind added
    * rosengarten xor added
    * schauenburg bind added
    * schauenburg xor added
    * leimbach xor family added
    * lichtenfels xor & connectback

  * submit-xmlrpc
    * when using geolocation, submit-xmlrpc resolved the local host's geolocation,
      now we resolve the remote's

  * log-irc
    * channel pass fix
    * upon request - reply nepenthes version to !version

  * shellemu-winnt
    * added VFSCommandRCP for rcp.exe

 NEW
 ---
  * download-rcp
    * created, downloads files via the undocumented rcp protocol



Version 0.1.5
=============
Bugfix release/minor features.
Nepenthes
 FIXES and ADDITIONS
 -----
  * none


Modules
 FIXES and ADDITIONS
 -----
  * shellcode-generic
    * sch_generic_cmd added \r\n as lineterminator
    * shellcode-generic.conf.dist langenfeldConnect pcre added
    * sch_generic_xor
      * deggendorf & langenfeld xor added
      * removed possible off by n <=3 byte in the 4 byte xor

  * vuln-dcom
    * made it less aggressive, if it does not look like dcom, dont handle it

  * shellemu-winnt
    * VFSCommandSTART added
    * VFSCommandTFTP proper var checks added
    * added handling of the escape var ^ for the shell
    * VFSCommandFTP can download >1 file per batch now
    * VFSCommandFTP can handle "cd" now

  * download-http
    * handle downloads with 0 byte bodysize as broken

  * download-ftp
    * can send CWD now
    * fixed missing \r on sending RETR

  * geolocation-hostip
    * the lookup address changed, so we adjusted it

  * geolocation-ip2location
    * tarball lacked config file

 NEW
 ---
  * vuln-msdtc
    * emulation for the ms05-051 exploit by swan


Version 0.1.4
=============
Bugfix release/minor features.
Nepenthes
 FIXES and ADDITIONS
 -----
  * FileLogger logged to somewhere after config file was deleted as it lacked a valid path


Modules
 FIXES and ADDITIONS
 -----
  * download-nepenthes
    * NULL pointer bug fixed

  * shellcode-generic
    * rewrapped xor code
    * added some bindshell codes
      * parthenstein
      * wackerow
      * kaltenborn

  * geolocation-ip2location
    * now makes use of the real ip2location c api you can download on their homepage,
      setting the lib up sucks, but it works

  * log-surfnet
    * moduledescription changed, as we log to postgres, not to mysql

  * dnsresolve-adns
    * added modulename and description



Version 0.1.3
=============
Bugfix release/minor features.
FIXME

* fixed some g++ 3.2 include issues

* Autoconf
  * improved configure.ac
  * added --enable-* to configure
  * geolocation is optional
  * dump ./configure configuration to stdout

* Nepenthes core

  * DownloadManager & Download & DownloadCallback
    * changed structure so we can specify a DownloadCallback for internal downloads
    * interested in a download's result? ask the DownloadManager to download it and provide a DownloadCallback;
      the DownloadManager will pass the information encapsulated in a Download to its DownloadHandler,
      the DownloadHandler will try to download it and pass the Download as result to the DownloadCallback

  * DNSManager DNSQuery DNSHandler DNSResult DNSCallback
    * made DNSResolver Service modular, only module so far available is dnsresolve-adns
    * modules providing resolver capabilities are now called 'DNSHandler',
      anything which is interested in its dns resolution result is a DNSCallback now
      (before there was no DNSCallback, no modularity, and we called classes interested in DNS DNSHandler)
    * interested in resolving some domain? ask the DNSManager and provide a DNSCallback;
      the DNSManager will form a DNSQuery from the request, pass it to its DNSHandler,
      the DNSHandler will try to resolve the domain and pass the result as a DNSResult to the DNSCallback

  * Event
    * use uint8_t as Eventid instead of event_type
    * added ShellcodeEvent & DialogueEvent

  * EventManager
    * allow internal Event registration

  * GeoLocationManager GeoLocationQuery GeoLocationHandler GeoLocationResult GeoLocationCallback
    * created
    * GeoLocationHandlers register with the GeoLocationManager
    * interested in GeoLocation lookups? ask the GeoLocationManager and provide a GeoLocationCallback;
      the GeoLocationManager will form a GeoLocationQuery from the request, pass it to its GeoLocationHandler,
      the GeoLocationHandler will try to resolve it and pass the GeoLocationResult to the GeoLocationCallback
    * added caching of results

  * LogManager
    * filelogger is the default logger again, so logrotate can do its job
    * force ringbuffer logger usage with -R

  * log-ringbuffer
    * added
      stop wasting diskspace with logs
    * sets correct permissions on destination files
    * uses path to log to from nepenthes.logmanager.ring_logger_file

  * log-file
    * uses path to log to from nepenthes.logmanager.file_logger_file

  * Nepenthes
    * improved the init, better errorhandling
    * -f can do dirs

  * ShellcodeManager
    * hooks a ShellcodeEvent on success

  * SocketManager TCPSocket UDPSocket RAWSocketListener
    * decreased poll timeout
    * moved ports to uint16_t
    * use nepenthes.socketmanager.bind_address instead of binding INADDR_ANY for bind & connect
      (suggested by Michael H. Warfield)

  * TCPSocket
    * hooks a DialogueEvent on success

  * UploadManager UploadQuery UploadHandler UploadResult UploadCallback
    * created
    * interested in uploading something to somewhere? ask the UploadManager and provide an UploadCallback;
      the UploadManager will form an UploadQuery from the request, pass it to its UploadHandler,
      the UploadHandler will try to upload the data and pass the reply as an UploadResult to the UploadCallback

  * Utilities
    * added escapeXMLString(char *)


* Modules
  FIXES and ADDITIONS
  -----
  * shellemu-winnt
    * fixed sending shell header on accept shells
    * VFSCommandFTP handle -A flag for anonymous logins
    * fixed crash with -f flag for checking dumps
    * batch file handling

  * vuln-mssql
    * fixed tcp socket instead of udp

  * download-ftp
    * fixed quitting loop

  * dnsmanager, dnsquery, dnsresult
    * TXT record added

  * x-2
    * fix memleak

  * x-5
    * now registers its own event to show how this works

  * x-6
    * 'txt <domain>' will resolve the txt record now

  * submit-xmlrpc
    * can use geolocation services now
    * fixes some xml parsing

  * download-ftp
    * send LOGIN after 220 Welcome

  * download-curl
    * add internal download capabilities

  * shellcode-generic
    * sch_generic_link_xor
      * improve bad length handling
    * added adenau xor
    * added adenau connectback
    * added unicode decoder
    * sch_generic_url
      * added - to allowed chars

  NEW
  ---
  * dnsresolve-adns
    * made it a module
    * fixes some memoryleaks we saw before

  * download-http
    * written as download-curl replacement

  * geolocation-hostip
    * resolve geolocations via hostip.info

  * geolocation-geoip
    * resolve geolocations via maxminds geoip library

  * geolocation-ip2location
    * resolve geolocations via maxminds geoip library

  * log-surfnet
    * log to surfnet ids database
      http://ids.surfnet.nl

  * vuln-ssh
    * created
    * works for ssh logins, fails for ssh worms :\

  * x-8
    * added example how to use geolocation services

* Other
  * phpxmlrpc_server
    * added

  * doxygen docu
    * added



Version 0.1.2
=============
Bugfix release/minor features.

* Utilities
  * hexdump uses nepenthes.utilites.hexdump_path as pathinfo now

* shellemu-winnt
  * VFSCommandFTP uses new DownloadFlags

* Download
  * added DownloadFlags so we can handle broken ftpds better
  * added ::addFlag(uint8_t) & ::getFlags()

* DownloadManager
  * download() now takes uint8_t downloadflags as argument

* download-ftp
  * bind to port 0 to avoid collision
  * rewrote quite everything to handle broken ftp daemons better, including the new DownloadFlags

* Socket
  * changed SS_NULL to SS_CONNECTED
  * added SS_CONNECTING

* TCPSocket
  * set localip on accept() Sockets, so we can use this info further
  * bind ConnectSockets before connecting, so we use the same ip for reverseconnect shells
  * uses SS_CONNECTING for connect sockets
  * overloads setState(), so if they are in state SS_CONNECTING and go to SS_CONNECTED they
    can call Dialogue::connectionEstablished() for their dialogues
  * some changes in the TCPSocket's internal Dialogue handling prevent nepenthes recognizing
    the same shellcode in more than one dialogue, resulting in more than one download per exploit

* vuln-dameware
  * created

* Dialogue
  * added ::dump()
  * added ::connectionEstablished()

* many vuln-* modules
  * added CL_ASSIGN_AND_DONE handling

* many shellcodehandlers using downloadhandler
  * added valid downloadflag usage



Version 0.1.1
=============
Bugfix release/minor features.

This is the first release featuring auto(conf|make|broken|whatever) support.
Maximillian Dornseif had enough time to burn to write configure.whatever
and such stuff for everything so far.

* Compile fixes for
  * Mac OSX
  * FreeBSD

* Nepenthes
  * Added functionality for -d and -l command line options (log filtering).
  * Handle SIGINT on -f (command line) usage.
  * -V is now version.
  * -v is now verbose, useful for -f when debugging new shellcodehandlers.
  * DownloadBuffer now features cutFront(unsigned int len)

* Veritas Backup Exec Exploit for port 10000 added.
  * shellcode-generic
    * Konstanz XOR added as sch_generic_konstanz_xor.
    * Konstanz connectback shell pattern added to shellcode-generic.conf.dist.
    * Removed VERITASDialogue for port 10000 hexdump, added shellcodehandling.

* shellcode-generic
  * Fixed sch_generic_connect.
  * Added sch_generic_connect_trans and Halle PCRE.
  * Added sch_generic_xor Halle.

* vuln-dcom
  * Fixed oc192 PCRE.
  * Removed SOL2k shellcode handler, as they were never seen during the last two months.

* download-csend
  * the atoi(url->path) is cut from the download buffer to be able to use csend with halle

* vuln-iis
  * Handle NULL if binding the socket fails in a useful manner

* vuln-pnp
  * added
  * handles the MS05-039 exploit by houseofdabus

* vuln-lsass
  * fixed some lines to work properly with vuln-pnp

* Utilities
  * sha512 added

* shellemu-winnt
  * VFSCommandCMD
    the first command after the /c has to be re-added to the StdIn queue, like we did before,
    but we have to add a delimiter '&' so we dont break our own parsing.
* Download
  * added SHA512 get & set methods

* SubmitManager
  * set SHA512 for downloads

* tools/rpcxmlxfer
  * there is an early implementation of a central collection and
    logging protocol called rpcxmlxfer in this release. The prototype is
    implemented as an external script. Just add something like
    */5 * * * * nobody /opt/nepenthes/bin/rpcxmlxfer-client -q
    to your /etc/crontab to try it.

* download-ftp
  * bind to port 0 to avoid collision

* Socket
  * changed SS_NULL to SS_CONNECTED
  * added SS_CONNECTING

* TCPSocket
  * set localip on accept() Sockets, so we can use this info further
  * bind ConnectSockets before connecting, so we use the same ip for reverseconnect shells
  * uses SS_CONNECTING for connect sockets
  * overloads setState(), so if they are in state SS_CONNECTING and go to SS_CONNECTED they
    can call Dialogue::connectionEstablished() for their dialogues

* submit-xmlrpc
  * created
  * depends on vuln-lsass

* vuln-dameware
  * created

* Dialogue
  * added dump()
  * added connectionEstablished


Version 0.1.0
=============
Initial release.
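The Version 0.1.3 entries for DownloadManager, DNSManager, GeoLocationManager and UploadManager all describe the same pattern: a caller hands the manager a request plus a callback, the manager forms a query, a registered handler module answers it, and the result is routed back to the callback. The following is an added C++ example modelled on the DNS description, not Nepenthes code: the type names (DNSManager, DNSQuery, DNSHandler, DNSResult, DNSCallback) mirror the changelog, while the method names, the table-backed handler standing in for dnsresolve-adns, the collecting callback and the sample name/address data are constructed here. It also covers the case the changelog implies, a request made while no handler module is loaded, by delivering a definite failure callback rather than leaving the request pending.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// The manager forms a DNSQuery from a request ...
struct DNSQuery {
    uint32_t    id;
    std::string domain;
};

// ... and the handler answers it with a DNSResult.
struct DNSResult {
    uint32_t                 id;
    std::string              domain;
    std::vector<std::string> addresses;   // empty on failure
};

// Anything interested in a resolution result implements DNSCallback.
class DNSCallback {
public:
    virtual ~DNSCallback() {}
    virtual void dnsResolved(const DNSResult &r) = 0;
    virtual void dnsFailure(const DNSResult &r) = 0;
};

// A module providing resolver capability implements DNSHandler.
class DNSHandler {
public:
    virtual ~DNSHandler() {}
    virtual bool resolveDNS(const DNSQuery &q, DNSResult &out) = 0;
};

class DNSManager {
    DNSHandler *m_Handler;
    uint32_t    m_NextId;
public:
    DNSManager() : m_Handler(nullptr), m_NextId(1) {}
    void registerDNSHandler(DNSHandler *h) { m_Handler = h; }
    void unregisterDNSHandler(DNSHandler *h) { if (m_Handler == h) m_Handler = nullptr; }

    // Form the query, hand it to the handler, route the outcome to the callback.
    // Without a handler the caller still gets a definite answer (failure)
    // instead of a request that silently never completes.
    uint32_t addDNS(const std::string &domain, DNSCallback *cb) {
        DNSQuery  q{m_NextId++, domain};
        DNSResult r{q.id, domain, {}};
        if (m_Handler != nullptr && m_Handler->resolveDNS(q, r) && !r.addresses.empty())
            cb->dnsResolved(r);
        else
            cb->dnsFailure(r);
        return q.id;
    }
};

// Constructed handler: answers from a fixed table instead of the network,
// standing in for a resolver module such as dnsresolve-adns.
class TableDNSHandler : public DNSHandler {
    std::map<std::string, std::vector<std::string>> m_Table;
public:
    TableDNSHandler() {
        m_Table["sample.test"] = {"192.0.2.10", "192.0.2.11"};  // constructed, documentation range
    }
    bool resolveDNS(const DNSQuery &q, DNSResult &out) override {
        auto it = m_Table.find(q.domain);
        if (it == m_Table.end())
            return false;
        out.addresses = it->second;
        return true;
    }
};

// Constructed callback: records what came back, the way a download handler
// waiting on a host name would.
class CollectCallback : public DNSCallback {
public:
    std::vector<std::string> addresses;
    std::vector<std::string> failed;
    void dnsResolved(const DNSResult &r) override { addresses = r.addresses; }
    void dnsFailure(const DNSResult &r) override { failed.push_back(r.domain); }
};

// Addresses delivered to the callback for a given name.
std::vector<std::string> demoResolve(const std::string &domain) {
    TableDNSHandler handler;
    DNSManager      mgr;
    mgr.registerDNSHandler(&handler);
    CollectCallback cb;
    mgr.addDNS(domain, &cb);
    return cb.addresses;
}

// Number of failure callbacks when no resolver module is registered.
size_t demoNoHandlerFailures() {
    DNSManager      mgr;
    CollectCallback cb;
    mgr.addDNS("sample.test", &cb);
    return cb.failed.size();
}

int main() {
    std::vector<std::string> a = demoResolve("sample.test");
    std::printf("sample.test -> %zu address(es)\n", a.size());
    std::printf("unknown.test -> %zu address(es)\n", demoResolve("unknown.test").size());
    std::printf("no handler loaded -> %zu failure callback(s)\n", demoNoHandlerFailures());
    return 0;
}
```

The handler is a raw pointer owned by the module that registered it, which is why the manager offers an unregister call for the module's Exit(): a module unloaded without unregistering would leave the manager holding a dangling handler.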