The Google Summer of Code is an annual program in which Google awards stipends (5000 USD) to hundreds of students who successfully complete a free and open-source software coding project during the span of one summer.
Google invites students who meet their eligibility criteria to post applications that detail the software-coding project they wish to perform. These applications are then evaluated by the corresponding mentoring organization.
The Honeynet Project is one of these mentoring organizations and we provide mentors for the project ideas relevant for us. The mentors then rank the applications and decide among themselves which proposals to accept. Google then decides how many projects each organization gets, and asks the organizations to mark at most that many projects accordingly.
This year The Honeynet Project has mentored a total of 16 very exciting projects. Check them out!
- Automated Attack Community Graph Construction
- Automated Attack Community Graph Construction
- Expand Cuckoo Sandbox
- HonEeeBox User Interface
- Data mining, module for finding frequent network-itemsets
- AfterGlow Cloud
- Network malware simulation
- IPv6 attack detector
- IPv6 attack detector
- HoneyProxy – HTTP(S) Traffic Investigation
- Improve our Android application sandbox (DroidBox)
- Improving APKInspektor
- Network Analyzer
- Glastopf improvements
- Further extend Capture-HPC with possibility of detecting malicious behavior on Linux Machines
- USB Honeypot (Internal project)
Now the scanning has started again.
For those remembering back in 2008 there was a large scanning in Germany, where customers with softphones experienced incoming calls (very annoying during the night..), it has now started again. A good paper from ipcom.at describing it extensively.
What caugt my attention was the very long branch and callid fields. They contain IP of the scanner, the scanned victim, the phone number trying to be called and several other fields (if you know what the rest of the codes are, please let me know!)
INVITE sip:firstname.lastname@example.org;transport=udp SIP/2.0
Via: SIP/2.0/UDP 220.127.116.11:3916;branch=110100101110100010101\
CSeq: 1 INVITE
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS,
PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: eyeBeam release 1003s stamp 31159
o=- 16264 18299 IN IP4 the.honeypot.ip
s=CounterPath eyeBeam 1.5
c=IN IP4 the.honeypot.ip
m=audio 34222 RTP/AVP 18 0 8 101
- Hide quoted text -
And no, it is definely not “CounterPath eyeBeam 1.5″ but a custom-made scanner. This is just an indication that people are willing to put mony into developing software to attack these insecure VoIP servers.
Status now is frequent usage of stand-alone SIPviciuous and other scanners, and two kits doing extensively scanning:
they started this spring, getting scannings from all over the world, but an overweight of Chinese IP addresses.
the current scannings with “Counterpath” as user-agent.
They have been active before, and now started again (scanning latest month)
And this is just the beginning…. so secure your VoIP servers!
content originally written on the blog usken.no by Sjur Usken
Yesterday we had the pleasure of doing a presentation at the Norwegian infosec conference “ISF“. Our presentation gave a brief introduction to the Honeynet Project in general, but the main part introduced to the audience a lot of the tools developed by the project together with a few external tools as well. The presentation is available for download in several formats: PDF, ODP or PPT.
The Honeynet Project is pleased to announce the next forensic challenge: Log Mysteries. This challenge takes you into the world of virtual systems and confusing log data. Figure out what happened to a virtual server using all the logs from a possibly compromised server.
Submission deadline is September 30th and we will be announcing winners around October 21st. We have a few small prizes for the top three submission.
Good luck, and enjoy!
The latest month of scanning has seemed valuable for the hackers. A Norwegian municipality has been hacked and their PBX has been calling Somalia and a lot of others destinations we have picked up on our VoIP honeypots during the last month.
If you have an unsecure IP PBX on the net, now it will only take hours before it will be detected. Most normal cause for this is misconfiguration. The people setting up the IP PBX has not taken security seriously and the IP PBX is wide open for calling.
The simplest ways is that inbound calls is routed out again if no local destination is found. A little harder is to just brute-force the password on extensions. I can only say, there will be more like this!
The hacker can sell this “gateway” to a third party dealing with calling cards. I have investigated frauds in Norway where they managed to send 1,2 million NOK (approx 200 000 USD) within 10 days. This was a Cisco installation, but misconfigured Asterisk installations are also abused a lot.
The Honeynet Project has released a real VoIP attack challenge! It is real data and YOU must find out how the intruders does the attack! Are you up for it? You will learn more about VoIP and get an understanding of the current VoIP attack methods! Go for it here! Deadline in three weeks! Prizes for the best answers!
The Chinese speaking members of the Honeynet Project has translated it even to simplified Chinese! Have fun and learn a lot!
Update (26. jun): NB! Only a few days left to submit your answer! The deadline is June 30th.
Update (28. jul): The solution and the winners of this challenge is available here.
Are you aware of the effects of the network-prefetch-next preference in Firefox? It’s actually quite an old feature (according to this site it was introduced way back in 2003), but I’m pretty sure not everyone know the possibly scary side effect of this smart(tm) feature. It tries to make the browser being one step ahead of its user, by prefetching sites it assumes the user will click on next.
This is what’s being logged on honeynor.no when I (84.215.x.y) google the word “honeynor“.
84.215.x.y - - [18/May/2010:23:42:55 +0200] "GET / HTTP/1.1" 200 17832 "http://www.google.com/ \
"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:18.104.22.168) Gecko/20100423 Ubuntu/10.04 (lucid) \
I haven’t left google yet!, but my very intelligent browser thinks I might click on the first link (www.honeynor.no) so it goes ahead and access the site, way before my puny brain has had any chance on processing the search output. In true PKD-style, I hereby accuse firefox of a precrime!
Why is this action bad? Let me answer the question with a question; Do you always want to access the sites presented to you when you search the web? I can think of several cases where I’m not keen on letting some third party know of my interest in them; either that’s during an analysis or in case of possible repercussions against me for accessing a site in an unexpected or socially engineered manner.
It seems google is in cahoots with firefox on this one, because I’m unable to reproduce the same result using bing, yahoo or alltheweb. Only on google is the prefetch mechanism activated.
So, how can you disable this feature? Luckily it very easy; go to about:config in your firefox/mozilla browser and set the parameter network.prefetch-next to false. That’s it!
Recently I upgraded to the 3.6 series of Firefox (3.6.3 to be exact), and suddenly my VMware Remote Console (vmrc) was broken. We use VMware Server 2.0.1, but upgrading to the latest 2.0.2, didn’t help. At closer inspection, the problem was not with the server nor with vmrc itself, but rather with the integration of the plugin used with Firefox 3.6 (I’m using VMware Remote Console Plug-in 22.214.171.124581). Whether the problem is related to the plug-in or FF 3.6′s plug-in framework (or a combination of the two), I do not know. What I do know though, is that you don’t have to downgrade to FF 3.5.x if you use the following workaround.
On your vmware server, go to the following directory:
Copy the appropriate vmrc plugin for your client platform (mine was a 32 bit Ubuntu 10.04 Desktop, so I grabbed vmware-vmrc-linux-x86.xpi).
On your client, unzip the xpi-file:
$ unzip vmware-vmrc-linux-x86.xpi
Run the vmrc executable (it’s actually just a wrapper script) manually by specifying the absolute path (I extracted the contents to /tmp):
The vmrc UI starts, and you can connect to your vmware server by either specifying it’s hostname or it’s IP-address, together with your username and password (I also had to specify the port, e.g. <IP>:8333). When a connection has been established with the server, you will be presented with a selection of virtual machines you may connect to.
The Honeynet Project is proud to present our third Forensic Challenge 2010 created by Josh Smith and Matt Cote from The Rochester Institute of Technology Chapter, Angelo Dell’Aera from the Italian Chapter and Nicolas Collery from the Singapore Chapter. This challenge is a bit different than the previous two, as it involves investigating a memory image of an infected virtual machine. Read all the questions for this challenge over at the main blog and submit your answers by 17:00 EST, Sunday, April 18th 2010. Good luck!
UPDATE (12.Apr): There are now additional third-party incentives to participate in this forensics challenge. Both Volatile Systems and MANDIANT are offering their own prices to the top three winners that apply their memory analysis tools; The Volatility Framework, Memoryze and Audit Viewer respectively. But remember, there are now only a few days left until deadline, so get moving!
UPDATE (19.Apr): The submission deadline for this challenge has been extended till April 26th.
UPDATE (14.May): The solution and the winners of this challenge is available here.
The solution and winners of the second challenge are shown here.
For over 9 months we’ve run our CC2ASN service, allowing you to lookup up ISO-3166 country codes and get back all ASNs, IPv4 or IPv6 prefixes for that specific country. Now the time had come to do an update.
A major issue with the RIR data (delegated-feeds) used by the CC2ASN service, is ASNs registered to a region instead of a specific country. There are currently two regions in use; European Union (EU) and Asia Pacific (AP). The reason for using this is the ever increasing globalization of corporations and organizations, and hence quite understandable. But when you want a list of AS numbers for any given country code, the regional registrations have to be included.
This is where the enhanced database comes into action. In this database we’ve manually overridden the country code assignments for those ASNs that in the RIR data were registered to either EU or AP. In addition we’ve also corrected a few other ASNs that we knew had a wrong country code. The list we’ve compiled is publicly available: asn_override.txt.
It’s all been a manual job, going through all the EU and AP ASNs, plus a good portion of the CCs also. The CC override decision is based on one or more of the following actions:
- Looking at references to location in whois descr, address or country records.
- Using location info in router names from tracepath of the AS prefixes.
- The nationality of peers and upstream providers.
- Location of corporate headquarters or regional headquarters.
- General googling/binging.
And this is a continuing job, whenever new ASNs are allocated to either EU or AP.
So, how do you access this new database? From the CC2ASN web-interface make sure you check the box labeled “Use Enhanced Database“. The database is also available by directly querying port 44/tcp (the normal CC2ASN database is available on standard whois port 43/tcp). Note that the enhanced database only outputs ASNs, not prefixes.
$ echo "GB" | nc atari.honeynor.no 44
Every day, when the latest RIR data are downloaded and parsed, all changes to the enhanced database are recorded. This allows us to provide you with an ASN history tool; CC2ASN Delta. The main page lists changes over the last 90 days for ASNs registered to a spesific country. By clicking on a county, you get a textual representation of all registered changes for that country. By further clicking on an ASN, you get a listing of potential country changes for that AS.
For more information, take a look at the documentation.