SMB
The main protocol offered by dionaea is SMB. SMB has a decent history of remotely exploitable bugs and is a very popular target for worms. dionaea's SMB implementation makes use of a python3-adapted version of scapy. As scapy's own version of SMB was pretty limited, almost everything but the Field declarations had to be rewritten. The SMB emulation written for dionaea is also used by the mwcollectd <http://code.mwcollect.org> low-interaction honeypot. Besides the known attacks on SMB, dionaea supports uploading files to SMB shares. Adding new DCE remote procedure calls is a good way to get into the dionaea code; you can use:
SELECT
    COUNT(*),
    dcerpcrequests.dcerpcrequest_uuid,
    dcerpcservice_name,
    dcerpcrequest_opnum
FROM
    dcerpcrequests
    JOIN dcerpcservices ON (dcerpcrequests.dcerpcrequest_uuid == dcerpcservices.dcerpcservice_uuid)
    LEFT OUTER JOIN dcerpcserviceops ON (dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice)
WHERE
    dcerpcserviceop_name IS NULL
GROUP BY
    dcerpcrequests.dcerpcrequest_uuid, dcerpcservice_name, dcerpcrequest_opnum
ORDER BY
    COUNT(*) DESC;
to identify potentially useful targets among the unknown DCERPC calls, using the data you gathered and stored in your logsql database: the query lists every (interface UUID, opnum) pair that attackers requested but for which dionaea has no implemented operation, most frequently requested first. Patches are appreciated.
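As an added example (not part of the dionaea documentation or code), the following Python builds a minimal in-memory SQLite database with the three logsql tables the query touches, restricted to the columns the query names, loads it with constructed rows, and runs the query above. The SRVSVC interface UUID is the real one; the request rows are made up. It also demonstrates a caveat worth knowing: because of the inner JOIN on dcerpcservices, requests against an interface dionaea does not know at all never appear in the result, so this query only finds missing opnums of known services.

```python
import sqlite3

# Constructed schema: only the columns referenced by the query on the page,
# using dionaea's logsql table and column names. A real logsql database has more columns.
SCHEMA = """
CREATE TABLE dcerpcservices (
    dcerpcservice INTEGER PRIMARY KEY, dcerpcservice_uuid TEXT, dcerpcservice_name TEXT);
CREATE TABLE dcerpcserviceops (
    dcerpcserviceop INTEGER PRIMARY KEY, dcerpcservice INTEGER,
    dcerpcserviceop_opnum INTEGER, dcerpcserviceop_name TEXT);
CREATE TABLE dcerpcrequests (
    dcerpcrequest INTEGER PRIMARY KEY, dcerpcrequest_uuid TEXT, dcerpcrequest_opnum INTEGER);
"""

# The query from the page, verbatim apart from whitespace.
UNKNOWN_OPS_QUERY = """
SELECT COUNT(*), dcerpcrequests.dcerpcrequest_uuid, dcerpcservice_name, dcerpcrequest_opnum
FROM dcerpcrequests
JOIN dcerpcservices ON (dcerpcrequests.dcerpcrequest_uuid == dcerpcservices.dcerpcservice_uuid)
LEFT OUTER JOIN dcerpcserviceops ON (dcerpcserviceops.dcerpcserviceop_opnum = dcerpcrequest_opnum
    AND dcerpcservices.dcerpcservice = dcerpcserviceops.dcerpcservice)
WHERE dcerpcserviceop_name IS NULL
GROUP BY dcerpcrequests.dcerpcrequest_uuid, dcerpcservice_name, dcerpcrequest_opnum
ORDER BY COUNT(*) DESC;
"""

SRVSVC_UUID = "4b324fc8-1670-01d3-1278-5a47bf6ee188"  # real MS-SRVS interface UUID
UNKNOWN_UUID = "00000000-0000-0000-0000-000000000000"  # constructed, not in dcerpcservices


def build_sample_db():
    """Create an in-memory logsql subset with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # One known service with a single implemented operation (opnum 15, NetrShareEnum).
    db.execute("INSERT INTO dcerpcservices VALUES (1, ?, 'SRVSVC')", (SRVSVC_UUID,))
    db.execute("INSERT INTO dcerpcserviceops VALUES (1, 1, 15, 'NetShareEnum')")
    # Constructed request log: one implemented call, three calls to an opnum without a
    # handler, and one call to an interface that is not in dcerpcservices at all.
    rows = [(SRVSVC_UUID, 15), (SRVSVC_UUID, 31), (SRVSVC_UUID, 31), (SRVSVC_UUID, 31),
            (UNKNOWN_UUID, 7)]
    db.executemany("INSERT INTO dcerpcrequests (dcerpcrequest_uuid, dcerpcrequest_opnum)"
                   " VALUES (?, ?)", rows)
    return db


def unknown_dcerpc_ops(db):
    """Return (count, uuid, service_name, opnum) rows for requested but unimplemented ops."""
    return db.execute(UNKNOWN_OPS_QUERY).fetchall()
```

Running `unknown_dcerpc_ops(build_sample_db())` yields only the SRVSVC opnum 31 row with count 3; the request to the unknown interface is silently dropped by the inner JOIN.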
Example config
# SPDX-FileCopyrightText: none
# SPDX-License-Identifier: CC0-1.0
- name: smb
  config:
    ## Generic setting ##
    # 1:"Windows XP Service Pack 0/1",
    # 2:"Windows XP Service Pack 2",
    # 3:"Windows XP Service Pack 3",
    # 4:"Windows 7 Service Pack 1",
    # 5:"Linux Samba 4.3.11"
    # os_type: 2
    # Additional config
    # primary_domain: Test
    # oem_domain_name: Test
    # server_name: TEST-SERVER
    ## Windows 7 ##
    # native_os: Windows 7 Professional 7600
    # native_lan_manager: Windows 7 Professional 6.1
    # shares:
    #   ADMIN$:
    #     comment: Remote Admin
    #     path: C:\\Windows
    #     type: disktree
    #   C$:
    #     comment: Default Share
    #     path: C:\\
    #     type:
    #       - disktree
    #       - special
    #   IPC$:
    #     comment: Remote IPC
    #     type: ipc
    #   Printer:
    #     comment: Microsoft XPS Document Writer
    #     type: printq
    ## Samba ##
    # native_os: Windows 6.1
    # native_lan_manager: Samba 4.3.11
    # shares:
    #   admin:
    #     comment: Remote Admin
    #     path: \\home\\admin
    #     type: disktree
    #   share:
    #     comment: Default Share
    #     path: \\share
    #     type: disktree
    #   IPC$:
    #     comment: Remote IPC
    #     path: IPC Service
    #     type: ipc
    #   Printer:
    #     comment: Printer Drivers
    #     type: printq