Problems about install Nepenthes on Ubuntu

glg · 08-22-2009, 08:55 PM

Quote:

Originally Posted by pixellany

Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. The duplicate threads have been merged---since both had replies.

OK, thank you.

glg · 08-22-2009, 09:44 PM

Quote:

Originally Posted by //////

No, it doesnt matter, its not the reason, the reason seems to be host firewall.

Have you opened your ports? If you have opened those try doing a service scan so you can be sure of it.

http://centralops.net/co/DomainDossier.aspx

You should see something like this:
(I opened ftp port for example)

Code:

Address lookup
canonical name 	yycccxxii.gprs.sl-laajakaista.fi.
aliases 	
addresses 	85.76.221.xx
Service scan
FTP - 21	220 ---freeFTPd 1.0---warFTPd 1.65---
SMTP - 25	Error: TimedOut
HTTP - 80	Error: TimedOut
POP3 - 110	Error: TimedOut
IMAP - 143	Error: TimedOut

-- end --

And in nepenthes you should see this:

Code:


[ warn module ] Unknown exploit 0 bytes

screenshot

Thank you.You said in nepenthes I should see this: [ warn module ] Unknown exploit 0 bytes.
Which file does the code in?

When I enter http://centralops.net/co/DomainDossier.aspx in my VM browser and chose service scan and input www.google.com , it rerurn some IP addresses like 74.125.95.103 ,74.125.95.106... and

FTP - 21 Error: TimedOut
SMTP - 25 Error: TimedOut
HTTP - 80 HTTP/1.0 200 OK
Date: Sun, 23 Aug 2009 02:33:32 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=aa9c5d8f6463c032:TM=1250994812:LM=1250994812:S=HwNChVZTiC618ZWN; expires=Tue, 23-Aug-2011 02:33:32 GMT; path=/; domain=.google.com
Server: gws
POP3 - 110 Error: TimedOut
IMAP - 143 Error: TimedOut

Does this mean I have opened the ports I need? There is still nothing in : /var/lib/nepenthes/binaries/ as well as /var/log/nepenthes/logged_submissions
/var/log/nepenthes/logged_downloads

Thank you again.
glg

glg · 08-25-2009, 09:09 PM

Quote:

Originally Posted by //////

No, it doesnt matter, its not the reason, the reason seems to be host firewall.

Have you opened your ports? If you have opened those try doing a service scan so you can be sure of it.

http://centralops.net/co/DomainDossier.aspx

You should see something like this:
(I opened ftp port for example)

Code:

Address lookup
canonical name 	yycccxxii.gprs.sl-laajakaista.fi.
aliases 	
addresses 	85.76.221.xx
Service scan
FTP - 21	220 ---freeFTPd 1.0---warFTPd 1.65---
SMTP - 25	Error: TimedOut
HTTP - 80	Error: TimedOut
POP3 - 110	Error: TimedOut
IMAP - 143	Error: TimedOut

-- end --

And in nepenthes you should see this:

Code:

[ warn module ] Unknown exploit 0 bytes

screenshot

Thank you for your precious time. However, there is still nothing in logged_downloads and logged_submissions ,I think there may be something wrong with my config file,the following is from /etc/nepenthes/nepenthes.conf , I hope you could have a look at it and see if there is something wrong with it,thank you!

// main configuration file for nepenthes
// see also configuration files for modules (second row in the modules section)

nepenthes
{
moduledir "/usr/lib/nepenthes"; // relative to workdir
moduleconfigdir "/etc/nepenthes"; // relative to workdir

modules(
// module name (in moduledir) config file (in moduleconfigdir)

// dns handling modules, load only one
"dnsresolveadns.so" "" ""

// geolocation resolver modules, load only one, disabled by default
// "geolocationhostip.so" "" ""
// "geolocationgeoip.so" "" ""

// download handler for various protocols
"downloadcsend.so", "download-csend.conf", ""
"downloadcreceive.so", "", ""
// "downloadcurl.so", "download-curl.conf", ""
"downloadftp.so", "download-ftp.conf", ""
"downloadhttp.so", "", ""
"downloadlink.so", "download-link.conf", ""
// "downloadnepenthes.so", "download-nepenthes.conf", "" // get data from others via submit-nepenthes
"downloadtftp.so", "download-tftp.conf", ""
"downloadrcp.so", "" ""

// submission handler
"submitfile.so", "submit-file.conf", "" // save to disk
"submitnorman.so", "submit-norman.conf", ""
// "submitnepenthes.so", "submit-nepenthes.conf", "" // send to download-nepenthes in other nepenthes instances
// "submitxmlrpc.so", "submit-xmlrpc.conf", "" // submit files to a xmlrpc server
// "submithttp.so", "submit-http.conf", "" // submit files to a web server

// logging
"logdownload.so", "log-download.conf", ""
// "logirc.so", "log-irc.conf", "" // needs configuration
// "logprelude.so", "log-prelude.conf", ""
// "loghexdump.so" "" ""

// dumping and logging
"moduleportwatch.so", "module-portwatch.conf", ""

// cmd.exe simulation
"shellemuwinnt.so" "", ""

// single shellcodehandler modules
"shellcodesignatures.so", "", ""
"shellcodegeneric.so", "shellcode-generic.conf", ""

// vulnerability modules
"vulnbagle.so", "vuln-bagle.conf", ""
"vulndameware.so", "vuln-dameware.conf", ""
"vulndcom.so", "vuln-dcom.conf", ""
"vulnftpd.so", "vuln-ftpd.conf", ""
"vulniis.so", "vuln-iis.conf", ""
"vulnkuang2.so", "vuln-kuang2.conf", ""
"vulnlsass.so", "vuln-lsass.conf", ""
"vulnmsmq.so", "vuln-msmq.conf", ""
"vulnmsdtc.so", "vuln-msdtc.conf", ""
"vulnmssql.so", "vuln-mssql.conf", ""
"vulnmydoom.so", "vuln-mydoom.conf", ""
"vulnnetbiosname.so", "vuln-netbiosname.conf", ""
"vulnnetdde.so", "vuln-netdde.conf", ""
"vulnoptix.so", "vuln-optix.conf", ""
"vulnpnp.so", "vuln-pnp.conf", ""
"vulnsasserftpd.so", "vuln-sasserftpd.conf", ""
"vulnsub7.so", "vuln-sub7.conf", ""
"vulnupnp.so", "vuln-upnp.conf", ""
"vulnveritas.so", "vuln-veritas.conf", ""
"vulnwins.so", "vuln-wins.conf", ""
"vulnasn1.so", "vuln-asn1.conf", ""
"vulnms08067.so", "vuln-ms08067.conf", ""

// eXample modules for testing - disabled by default
// "x1.so", "x-1.conf", "",
// "x2.so", "x-2.conf", "",
// "x3.so", "", "",
// "x4.so", "", "",
// "x5.so", "", "",
// "x6.so", "", "",
// "x7.so", "", "",
);

logmanager
{
ring_logging_file "/var/log/nepenthes.%d.log";
file_logging_file "/var/log/nepenthes.log";
};

modulemanager
{
exit_on_broken_moduleload "1";
};

submitmanager
{
strictfiletype "1";
// where does submit-file write to? set this to the same dir
filesdir "/var/lib/nepenthes/binaries/";
};

downloadmanager
{
replace_local_ips "1";
};

socketmanager
{
use_rawsockets "0"; // unstable feature
bind_address "0.0.0.0";

// specify "if:ethX" to get the ip from an interface at startup,
// only works on linux!
};

utilities
{
hexdump_path "/var/lib/nepenthes/hexdumps/";
};

// geolocationmanager
// {
// cache_path "var/cache/nepenthes/geolocation/";
// };
};

Thank you for your precious time again.
glg

abhishekshah33 · 09-03-2009, 11:40 AM

I have installed nepenthes on ubuntu intrepid. I have been running this since many days but not able to capture anything. I have disabled the firewall(

Code:

sudo ufw disable

). After I start nepenthes it gives the following in log file. I have posted only some of the lines of log file.

Quote:

[03092009 09:17:18 spam net handler] <in virtual nepenthes::TCPSocket::~TCPSocket()>
[03092009 09:17:18 spam mgr event] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[03092009 09:17:18 spam net mgr] bindTCPSocket 0 465 0 30 1846530
[03092009 09:17:18 spam net handler] <in virtual bool nepenthes::TCPSocket::bindPort()>
[03092009 09:17:18 crit net handler] Could not Bind Socket to Port 465
Address already in use
[03092009 09:17:18 crit net handler] ERROR Could not init Socket Address already in use
[03092009 09:17:18 crit net mgr] ERROR Binding :465 failed

Quote:

[03092009 09:17:18 debug mgr submit] Creating Magic Cookie
[03092009 09:17:18 debug mgr submit] Loading Config
[03092009 09:17:18 debug mgr submit] Adding known files
[03092009 09:17:18 spam mgr submit] =--- SubmitManager ---=
[03092009 09:17:18 spam mgr submit] 0) submit-file store with md5sum as name in /tmp
[03092009 09:17:18 spam mgr submit] 1) submit-norman submit files to sandbox.norman.no
[03092009 09:17:18 spam mgr submit] =--- 2 Submit Handlers registerd ---=

[03092009 09:17:18 spam mgr dia] =--- DialogueFactoryManager --=
[03092009 09:17:18 spam mgr dia] 0 WinNTShell DialogueFactory creates winnt shell dialogues
[03092009 09:17:18 spam mgr dia] =--- 1 Factories --=
[03092009 09:17:18 debug spam fixme] =--- SQLManager ---=
[03092009 09:17:18 debug spam fixme] =--- 0 SQLHandlerFactories registerd ---=

[03092009 09:17:18 debug info fixme] Logfile /var/log/nepenthes.log ownership is now 0:0 (root:root)
[03092009 09:17:18 spam mgr] <in bool nepenthes::Nepenthes::setCapabilties()>
[03092009 09:17:18 info mgr] The process 7852 was given capabilities = cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot+eip

glg · 09-04-2009, 02:05 AM

Quote:

Originally Posted by abhishekshah33

I have installed nepenthes on ubuntu intrepid. I have been running this since many days but not able to capture anything. I have disabled the firewall(

Code:

sudo ufw disable

). After I start nepenthes it gives the following in log file. I have posted only some of the lines of log file.

Thank you.But when I run sudo ufw disable, it tells me the firewall is closed automatically when the system startup.There is still nothing in the log file. I still do not why. What's more, my VM can not ping my host computer, but it can connect to the Internet, my host computer can ping my VM, that's quite strange.Do you know why?
Thank you for your precious time.
glg