LinuxQuestions.org
Old 08-22-2009, 08:55 PM   #16
glg (Original Poster)
Quote:
Originally Posted by pixellany
Please post your thread in only one forum. Posting a single thread in the most relevant forum will make it easier for members to help you and will keep the discussion in one place. The duplicate threads have been merged---since both had replies.

OK, thank you.
 
Old 08-22-2009, 09:44 PM   #17
glg (Original Poster)
Quote:
Originally Posted by //////
No, it doesn't matter, it's not the reason; the reason seems to be the host firewall.

Have you opened your ports? If you have opened those try doing a service scan so you can be sure of it.

http://centralops.net/co/DomainDossier.aspx

You should see something like this:
(I opened ftp port for example)
Code:
Address lookup
canonical name 	yycccxxii.gprs.sl-laajakaista.fi.
aliases 	
addresses 	85.76.221.xx
Service scan
FTP - 21	220 ---freeFTPd 1.0---warFTPd 1.65---
SMTP - 25	Error: TimedOut
HTTP - 80	Error: TimedOut
POP3 - 110	Error: TimedOut
IMAP - 143	Error: TimedOut

-- end --
And in nepenthes you should see this:
Code:
[ warn module ] Unknown exploit 0 bytes
Thank you. You said that in nepenthes I should see this: [ warn module ] Unknown exploit 0 bytes.
Which file does this line appear in?

When I enter http://centralops.net/co/DomainDossier.aspx in my VM browser, choose service scan and input www.google.com, it returns some IP addresses like 74.125.95.103, 74.125.95.106... and

FTP - 21 Error: TimedOut
SMTP - 25 Error: TimedOut
HTTP - 80 HTTP/1.0 200 OK
Date: Sun, 23 Aug 2009 02:33:32 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=aa9c5d8f6463c032:TM=1250994812:LM=1250994812:S=HwNChVZTiC618ZWN; expires=Tue, 23-Aug-2011 02:33:32 GMT; path=/; domain=.google.com
Server: gws
POP3 - 110 Error: TimedOut
IMAP - 143 Error: TimedOut


Does this mean I have opened the ports I need? There is still nothing in /var/lib/nepenthes/binaries/, nor in /var/log/nepenthes/logged_submissions or /var/log/nepenthes/logged_downloads.

Thank you again.
glg
 
Old 08-25-2009, 09:09 PM   #18
glg (Original Poster)
Quote:
Originally Posted by //////
No, it doesn't matter, it's not the reason; the reason seems to be the host firewall.

Have you opened your ports? If you have opened those try doing a service scan so you can be sure of it.

http://centralops.net/co/DomainDossier.aspx

You should see something like this:
(I opened ftp port for example)
Code:
Address lookup
canonical name 	yycccxxii.gprs.sl-laajakaista.fi.
aliases 	
addresses 	85.76.221.xx
Service scan
FTP - 21	220 ---freeFTPd 1.0---warFTPd 1.65---
SMTP - 25	Error: TimedOut
HTTP - 80	Error: TimedOut
POP3 - 110	Error: TimedOut
IMAP - 143	Error: TimedOut

-- end --
And in nepenthes you should see this:
Code:
[ warn module ] Unknown exploit 0 bytes
Thank you for your precious time. However, there is still nothing in logged_downloads and logged_submissions. I think there may be something wrong with my config file; the following is from /etc/nepenthes/nepenthes.conf. I hope you could have a look at it and see if there is something wrong with it, thank you!

Code:
// main configuration file for nepenthes
// see also configuration files for modules (second row in the modules section)

nepenthes
{
    moduledir "/usr/lib/nepenthes"; // relative to workdir
    moduleconfigdir "/etc/nepenthes"; // relative to workdir

    modules(
        // module name (in moduledir)   config file (in moduleconfigdir)

        // dns handling modules, load only one
        "dnsresolveadns.so" "" ""

        // geolocation resolver modules, load only one, disabled by default
        // "geolocationhostip.so" "" ""
        // "geolocationgeoip.so" "" ""

        // download handler for various protocols
        "downloadcsend.so", "download-csend.conf", ""
        "downloadcreceive.so", "", ""
        // "downloadcurl.so", "download-curl.conf", ""
        "downloadftp.so", "download-ftp.conf", ""
        "downloadhttp.so", "", ""
        "downloadlink.so", "download-link.conf", ""
        // "downloadnepenthes.so", "download-nepenthes.conf", "" // get data from others via submit-nepenthes
        "downloadtftp.so", "download-tftp.conf", ""
        "downloadrcp.so", "" ""

        // submission handler
        "submitfile.so", "submit-file.conf", "" // save to disk
        "submitnorman.so", "submit-norman.conf", ""
        // "submitnepenthes.so", "submit-nepenthes.conf", "" // send to download-nepenthes in other nepenthes instances
        // "submitxmlrpc.so", "submit-xmlrpc.conf", "" // submit files to a xmlrpc server
        // "submithttp.so", "submit-http.conf", "" // submit files to a web server

        // logging
        "logdownload.so", "log-download.conf", ""
        // "logirc.so", "log-irc.conf", "" // needs configuration
        // "logprelude.so", "log-prelude.conf", ""
        // "loghexdump.so" "" ""

        // dumping and logging
        "moduleportwatch.so", "module-portwatch.conf", ""

        // cmd.exe simulation
        "shellemuwinnt.so" "", ""

        // single shellcodehandler modules
        "shellcodesignatures.so", "", ""
        "shellcodegeneric.so", "shellcode-generic.conf", ""

        // vulnerability modules
        "vulnbagle.so", "vuln-bagle.conf", ""
        "vulndameware.so", "vuln-dameware.conf", ""
        "vulndcom.so", "vuln-dcom.conf", ""
        "vulnftpd.so", "vuln-ftpd.conf", ""
        "vulniis.so", "vuln-iis.conf", ""
        "vulnkuang2.so", "vuln-kuang2.conf", ""
        "vulnlsass.so", "vuln-lsass.conf", ""
        "vulnmsmq.so", "vuln-msmq.conf", ""
        "vulnmsdtc.so", "vuln-msdtc.conf", ""
        "vulnmssql.so", "vuln-mssql.conf", ""
        "vulnmydoom.so", "vuln-mydoom.conf", ""
        "vulnnetbiosname.so", "vuln-netbiosname.conf", ""
        "vulnnetdde.so", "vuln-netdde.conf", ""
        "vulnoptix.so", "vuln-optix.conf", ""
        "vulnpnp.so", "vuln-pnp.conf", ""
        "vulnsasserftpd.so", "vuln-sasserftpd.conf", ""
        "vulnsub7.so", "vuln-sub7.conf", ""
        "vulnupnp.so", "vuln-upnp.conf", ""
        "vulnveritas.so", "vuln-veritas.conf", ""
        "vulnwins.so", "vuln-wins.conf", ""
        "vulnasn1.so", "vuln-asn1.conf", ""
        "vulnms08067.so", "vuln-ms08067.conf", ""

        // eXample modules for testing - disabled by default
        // "x1.so", "x-1.conf", "",
        // "x2.so", "x-2.conf", "",
        // "x3.so", "", "",
        // "x4.so", "", "",
        // "x5.so", "", "",
        // "x6.so", "", "",
        // "x7.so", "", "",
    );

    logmanager
    {
        ring_logging_file "/var/log/nepenthes.%d.log";
        file_logging_file "/var/log/nepenthes.log";
    };

    modulemanager
    {
        exit_on_broken_moduleload "1";
    };

    submitmanager
    {
        strictfiletype "1";
        // where does submit-file write to? set this to the same dir
        filesdir "/var/lib/nepenthes/binaries/";
    };

    downloadmanager
    {
        replace_local_ips "1";
    };

    socketmanager
    {
        use_rawsockets "0"; // unstable feature
        bind_address "0.0.0.0";

        // specify "if:ethX" to get the ip from an interface at startup,
        // only works on linux!
    };

    utilities
    {
        hexdump_path "/var/lib/nepenthes/hexdumps/";
    };

    // geolocationmanager
    // {
    //     cache_path "var/cache/nepenthes/geolocation/";
    // };
};


Thank you for your precious time again.
glg
 
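A quick way to review a pasted nepenthes.conf like the one above is to parse it and list what is actually active, rather than reading 130 lines by eye. The script below is an added example, not code from the thread or from the nepenthes project; it works on a constructed excerpt of the posted file. It treats the comma between the three quoted fields as optional because the posted file mixes both forms (that tolerance is an assumption of this example, not a statement about how nepenthes itself parses the file), skips commented-out entries, collects the `key "value";` settings of each named block, and reports a few things a honeypot operator wants to know before waiting for captures: whether a submit-file handler is enabled at all, whether captured samples are also being shipped to an external sandbox (the submit-norman module, which the log excerpt later in the thread shows sending to sandbox.norman.no), and whether any vulnerability modules are loaded.

```python
import re
from collections import Counter

# Excerpt constructed from the nepenthes.conf posted in the thread (not the
# full file). It keeps the mixed ", " / " " field separators seen in the post.
SAMPLE_CONF = """\
// main configuration file for nepenthes
nepenthes
{
moduledir "/usr/lib/nepenthes"; // relative to workdir
moduleconfigdir "/etc/nepenthes";

modules(
// dns handling modules, load only one
"dnsresolveadns.so" "" ""
// "geolocationhostip.so" "" ""
"downloadcsend.so", "download-csend.conf", ""
"downloadrcp.so", "" ""
"submitfile.so", "submit-file.conf", "" // save to disk
"submitnorman.so", "submit-norman.conf", ""
"logdownload.so", "log-download.conf", ""
"shellemuwinnt.so" "", ""
"vulndcom.so", "vuln-dcom.conf", ""
"vulnlsass.so", "vuln-lsass.conf", ""
"vulnms08067.so", "vuln-ms08067.conf", ""
// "x1.so", "x-1.conf", "",
);

submitmanager
{
strictfiletype "1";
filesdir "/var/lib/nepenthes/binaries/";
};

socketmanager
{
use_rawsockets "0"; // unstable feature
bind_address "0.0.0.0";
};
};
"""

# Three quoted fields; the comma between them is treated as optional (assumption).
TRIPLE = re.compile(r'"([^"]*)"\s*,?\s*"([^"]*)"\s*,?\s*"([^"]*)"')
SETTING = re.compile(r'^(\w+)\s+"([^"]*)"\s*;')
BLOCK = re.compile(r'^(\w+)\s*$')


def strip_comment(line):
    """Drop a trailing // comment; a commented-out module line becomes empty."""
    return line.split("//", 1)[0].strip()


def parse_conf(text):
    """Return (modules, settings): modules is the list of (library, config,
    extra) for every active entry in modules(...); settings maps block name
    to {key: value} for the key "value"; lines inside each named block."""
    modules, settings = [], {}
    stack, pending, in_modules = [], None, False
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        if line.startswith("modules("):
            in_modules = True
            continue
        if in_modules:
            if line.startswith(")"):
                in_modules = False
            else:
                m = TRIPLE.search(line)
                if m:
                    modules.append(m.groups())
            continue
        if BLOCK.match(line):
            pending = line            # block name precedes its "{" line
        elif line.startswith("{"):
            stack.append(pending)
            settings.setdefault(pending, {})
        elif line.startswith("}"):
            stack.pop()
        else:
            m = SETTING.match(line)
            if m and stack:
                settings[stack[-1]][m.group(1)] = m.group(2)
    return modules, settings


def summarize(modules):
    """Count active modules by family, using the library-name prefix."""
    families = Counter()
    for lib, _cfg, _extra in modules:
        for prefix in ("vuln", "download", "submit", "log", "shellcode"):
            if lib.startswith(prefix):
                families[prefix] += 1
                break
        else:
            families["other"] += 1
    return families


def review(modules, settings):
    """Findings an operator wants before trusting the capture directory."""
    findings = []
    subs = [lib for lib, _c, _e in modules if lib.startswith("submit")]
    if "submitfile.so" not in subs:
        findings.append("no submit-file handler: captured binaries are never written to disk")
    if "submitnorman.so" in subs:
        findings.append("submit-norman is active: every capture is also sent to an external sandbox")
    filesdir = settings.get("submitmanager", {}).get("filesdir", "")
    if not filesdir.startswith("/"):
        findings.append("submitmanager.filesdir is not an absolute path")
    if not any(lib.startswith("vuln") for lib, _c, _e in modules):
        findings.append("no vulnerability modules: nothing will listen for exploit attempts")
    return findings


if __name__ == "__main__":
    mods, conf = parse_conf(SAMPLE_CONF)
    print(dict(summarize(mods)), conf["submitmanager"]["filesdir"])
    for f in review(mods, conf):
        print("finding:", f)
```

Run against the full posted file instead of the excerpt, the same functions give the inventory of the 22 vuln-* modules and the two submit handlers that are enabled there; the one finding it raises for that file is the active submit-norman handler.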
Old 09-03-2009, 11:40 AM   #19
abhishekshah33
I have installed nepenthes on ubuntu intrepid. I have been running it for many days but am not able to capture anything. I have disabled the firewall with
Code:
sudo ufw disable
After I start nepenthes it gives the following in the log file. I have posted only some of the lines of the log file.
Quote:
[03092009 09:17:18 spam net handler] <in virtual nepenthes::TCPSocket::~TCPSocket()>
[03092009 09:17:18 spam mgr event] <in virtual uint32_t nepenthes::EventManager::handleEvent(nepenthes::Event*)>
[03092009 09:17:18 spam net mgr] bindTCPSocket 0 465 0 30 1846530
[03092009 09:17:18 spam net handler] <in virtual bool nepenthes::TCPSocket::bindPort()>
[03092009 09:17:18 crit net handler] Could not Bind Socket to Port 465
Address already in use
[03092009 09:17:18 crit net handler] ERROR Could not init Socket Address already in use
[03092009 09:17:18 crit net mgr] ERROR Binding :465 failed
Quote:
[03092009 09:17:18 debug mgr submit] Creating Magic Cookie
[03092009 09:17:18 debug mgr submit] Loading Config
[03092009 09:17:18 debug mgr submit] Adding known files
[03092009 09:17:18 spam mgr submit] =--- SubmitManager ---=
[03092009 09:17:18 spam mgr submit] 0) submit-file store with md5sum as name in /tmp
[03092009 09:17:18 spam mgr submit] 1) submit-norman submit files to sandbox.norman.no
[03092009 09:17:18 spam mgr submit] =--- 2 Submit Handlers registerd ---=

[03092009 09:17:18 spam mgr dia] =--- DialogueFactoryManager --=
[03092009 09:17:18 spam mgr dia] 0 WinNTShell DialogueFactory creates winnt shell dialogues
[03092009 09:17:18 spam mgr dia] =--- 1 Factories --=
[03092009 09:17:18 debug spam fixme] =--- SQLManager ---=
[03092009 09:17:18 debug spam fixme] =--- 0 SQLHandlerFactories registerd ---=

[03092009 09:17:18 debug info fixme] Logfile /var/log/nepenthes.log ownership is now 0:0 (root:root)
[03092009 09:17:18 spam mgr] <in bool nepenthes::Nepenthes::setCapabilties()>
[03092009 09:17:18 info mgr] The process 7852 was given capabilities = cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot+eip
 
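The log excerpt above contains the answer to "why is nothing captured on that port": a `crit` entry saying the socket for port 465 could not be bound, followed on the next line by the OS reason, `Address already in use`. A listener that never bound cannot receive anything, so these lines are the first thing to grep for. The script below is an added example, not code from the thread or from the nepenthes project. It parses lines in the `[ddmmyyyy hh:mm:ss level tags] message` shape shown in the post, folds the unbracketed continuation line into the preceding entry, and pulls out three things: which ports failed to bind and why, which capabilities the process was granted (the line quoted above lists cap_net_bind_service, which is what allows binding ports below 1024 after dropping root), and how many `[ warn module ] Unknown exploit 0 bytes` entries appeared, the line the earlier reply in this thread says you should see once connections from outside reach the honeypot. The sample log is a constructed excerpt of the posted lines plus one constructed "Unknown exploit" line.

```python
import re

# Constructed excerpt of the log lines posted in the thread, plus one
# constructed "Unknown exploit" warning of the kind quoted earlier.
SAMPLE_LOG = """\
[03092009 09:17:18 spam net mgr] bindTCPSocket 0 465 0 30 1846530
[03092009 09:17:18 spam net handler] <in virtual bool nepenthes::TCPSocket::bindPort()>
[03092009 09:17:18 crit net handler] Could not Bind Socket to Port 465
Address already in use
[03092009 09:17:18 crit net handler] ERROR Could not init Socket Address already in use
[03092009 09:17:18 crit net mgr] ERROR Binding :465 failed
[03092009 09:17:18 spam mgr submit] 0) submit-file store with md5sum as name in /tmp
[03092009 09:17:18 spam mgr submit] 1) submit-norman submit files to sandbox.norman.no
[03092009 09:17:18 info mgr] The process 7852 was given capabilities = cap_setgid,cap_setuid,cap_net_bind_service,cap_net_admin,cap_net_raw,cap_sys_chroot+eip
[03092009 09:20:01 warn module] Unknown exploit 0 bytes
"""

ENTRY = re.compile(r'^\[(\d{8}) (\d{2}:\d{2}:\d{2}) (\w+) ([^\]]*)\] (.*)$')
BIND_FAIL = re.compile(r'Could not Bind Socket to Port (\d+)')
CAPS = re.compile(r'was given capabilities = (\S+)')


def parse_log(text):
    """Return a list of entries {date, time, level, tags, msg}. A line without
    the [...] prefix is a continuation (nepenthes prints the OS error text on
    its own line) and is appended to the previous entry's message."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            date, time, level, tags, msg = m.groups()
            entries.append({"date": date, "time": time, "level": level,
                            "tags": tags.split(), "msg": msg})
        elif entries and line.strip():
            entries[-1]["msg"] += " | " + line.strip()
    return entries


def bind_failures(entries):
    """Map port -> OS reason for every listener that failed to bind."""
    failures = {}
    for e in entries:
        if e["level"] != "crit":
            continue
        m = BIND_FAIL.search(e["msg"])
        if m:
            reason = e["msg"].split(" | ", 1)[1] if " | " in e["msg"] else "unknown"
            failures[int(m.group(1))] = reason
    return failures


def capabilities(entries):
    """Set of capability names from the 'was given capabilities' line."""
    for e in entries:
        m = CAPS.search(e["msg"])
        if m:
            # "cap_a,cap_b,...+eip": the +eip suffix is the flag set, not a name
            return set(m.group(1).split("+")[0].split(","))
    return set()


def diagnose(entries):
    """Human-readable findings about why the honeypot may capture nothing."""
    findings = []
    for port, reason in sorted(bind_failures(entries).items()):
        findings.append(f"port {port} not bound ({reason}): another service holds it, "
                        f"so nothing can be captured there")
    caps = capabilities(entries)
    if caps and "cap_net_bind_service" not in caps:
        findings.append("process lacks cap_net_bind_service: ports below 1024 cannot "
                        "be bound after dropping root")
    unknown = sum(1 for e in entries
                  if e["level"] == "warn" and "Unknown exploit" in e["msg"])
    if unknown:
        findings.append(f"{unknown} connection(s) reached a listener but carried no "
                        f"recognised exploit payload (so the port is reachable)")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_log(SAMPLE_LOG)):
        print("finding:", finding)
```

Pointed at /var/log/nepenthes.log instead of the sample, `diagnose` gives a short list of every port the honeypot silently lost to another service, which is a more reliable check than an external service scan, because a port that a scan shows as open may be answered by whatever process won the bind rather than by nepenthes.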
Old 09-04-2009, 02:05 AM   #20
glg (Original Poster)
Quote:
Originally Posted by abhishekshah33
I have installed nepenthes on ubuntu intrepid. I have been running it for many days but am not able to capture anything. I have disabled the firewall with
Code:
sudo ufw disable
After I start nepenthes it gives the following in the log file. I have posted only some of the lines of the log file.
Thank you. But when I run sudo ufw disable, it tells me the firewall is closed automatically when the system starts up. There is still nothing in the log file. I still do not know why. What's more, my VM cannot ping my host computer, but it can connect to the Internet, and my host computer can ping my VM; that's quite strange. Do you know why?
Thank you for your precious time.
glg
 