2009.08.13

In “Who is Hacking Me?”, I mentioned that using Nmap service probes against the honeypot yields interesting results.

Here is the scan without service probes (sanitized):

# Nmap 4.90RC1 scan initiated Sat Jul 11 00:39:13 2009 as: nmap -oN result.sS.txt -v -sS <XXXXXX>

Host <xxxxxx> (aaa.bbb.ccc.ddd) is up (0.092s latency).
Interesting ports on <xxxxxx> (aaa.bbb.ccc.ddd):
Not shown: 550 filtered ports, 434 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
110/tcp  open  pop3
139/tcp  open  netbios-ssn
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
993/tcp  open  imaps
995/tcp  open  pop3s
1023/tcp open  netvenuechat
1025/tcp open  NFS-or-IIS
2103/tcp open  zephyr-clt
2105/tcp open  eklogin
2107/tcp open  unknown
3372/tcp open  msdtc
Read data files from: /usr/local/share/nmap
# Nmap done at Sat Jul 11 00:41:08 2009 -- 1 IP address (1 host up) scanned in 114.52 seconds

Here is the scan with service probes:

# Nmap 4.90RC1 scan initiated Sat Jul 11 00:43:00 2009 as: nmap -oN result.sS.O.sV.txt -O -sV -v -sS <xxxxxx>
Increasing send delay for aaa.bbb.ccc.ddd from 0 to 5 due to 24 out of 79 dropped probes since last increase.
Initiating OS detection (try #1) against <xxxxxx> (aaa.bbb.ccc.ddd)
Retrying OS detection (try #2) against <xxxxxx> (aaa.bbb.ccc.ddd)
Host <xxxxxx> (aaa.bbb.ccc.ddd) is up (0.091s latency).
Interesting ports on <xxxxxx> (aaa.bbb.ccc.ddd):
Not shown: 550 filtered ports, 434 closed ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Nepenthes HoneyTrap fake vulnerable ftpd
22/tcp   open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
25/tcp   open  smtp?
110/tcp  open  pop3?
139/tcp  open  netbios-ssn?
143/tcp  open  imap?
443/tcp  open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
465/tcp  open  smtps?
993/tcp  open  imaps?
995/tcp  open  pop3s?
1023/tcp open  netvenuechat?
1025/tcp open  NFS-or-IIS?
2103/tcp open  zephyr-clt?
2105/tcp open  eklogin?
2107/tcp open  unknown
3372/tcp open  msdtc?
4 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :


Read data files from: /usr/local/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
# Nmap done at Sat Jul 11 00:48:38 2009 -- 1 IP address (1 host up) scanned in 338.94 seconds

Nmap shows a lot of question marks because these services all behave differently from the known implementations its probes expect. A low interaction honeypot only emulates part of the target service, so the basic behaviour it lacks makes the service probes report it as something unknown. Service probes are what Nmap uses to identify the actual software behind a port and its version. If you see similar output, this is unlikely to be a real computer: it is an emulated service, i.e. a honeypot. Of course, this is just one of the ways, and you can probably think of other ways to accomplish the same.
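As an added example (not from the original post), here is a small Python script that applies this rule to a saved -oN result: it parses the port table and reports the share of open ports Nmap could only guess, plus any banner that names a honeypot framework outright. It uses the table above as a constructed sample; the banner keyword list and the 50% threshold are my assumptions, and a honeypot operator can run it against their own sensor to see how obvious it looks.

```python
import re

# Constructed sample: the -sV port table from the post above, embedded so the
# script runs offline (a real run would read a file saved with nmap -oN).
SAMPLE_SV = """\
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           Nepenthes HoneyTrap fake vulnerable ftpd
22/tcp   open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
25/tcp   open  smtp?
110/tcp  open  pop3?
139/tcp  open  netbios-ssn?
143/tcp  open  imap?
443/tcp  open  ssh           OpenSSH 5.1p1 Debian 5ubuntu1 (protocol 2.0)
465/tcp  open  smtps?
993/tcp  open  imaps?
995/tcp  open  pop3s?
1023/tcp open  netvenuechat?
1025/tcp open  NFS-or-IIS?
2103/tcp open  zephyr-clt?
2105/tcp open  eklogin?
2107/tcp open  unknown
3372/tcp open  msdtc?
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Assumed keyword list: version strings that name an emulation framework
# outright (the Nepenthes match line is the one visible in the post).
HONEYPOT_BANNERS = ("nepenthes", "honeytrap", "honeypot")

def parse_ports(text):
    """Yield (port, state, service, version) tuples from nmap -oN output."""
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, state, service, version = m.groups()
            yield int(port), state, service, version or ""

def assess(text, threshold=0.5):
    """Score a host on the pattern the post describes: a trailing '?' on
    SERVICE means no probe response matched a version fingerprint (the name
    is only Nmap's port-number guess); 'unknown' means no guess at all."""
    open_ports = [r for r in parse_ports(text) if r[1] == "open"]
    unrec = [r for r in open_ports if r[2].endswith("?") or r[2] == "unknown"]
    banners = [r[0] for r in open_ports
               if any(k in r[3].lower() for k in HONEYPOT_BANNERS)]
    ratio = len(unrec) / len(open_ports) if open_ports else 0.0
    return {"open": len(open_ports), "unrecognized": len(unrec),
            "ratio": ratio, "banner_ports": banners,
            "suspicious": ratio >= threshold or bool(banners)}
```

On the sample above it reports 13 of 16 open ports unrecognized and the Nepenthes banner on port 21, so the host is flagged; a single real sshd with a matched version string is not.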

Oh yes, this works for some other low interaction honeypots besides Nepenthes, too. In my next post, I will talk about VM detection, honeypot detection, and how to analyze malware that does not run in a VM.

http://onhacks.org/lang/zh-hk/2009/07/12/%e8%aa%b0%e5%9c%a8%e5%85%a5%e4%be%b5%e6%88%91%e7%9a%84%e7%b3%bb%e7%b5%b1
