Nepenthes Installation

I've been interested in trying Nepenthes since I saw it added to the FreeBSD ports collection as net/nepenthes. According to the Nepenthes Web site, "Nepenthes is a versatile tool to collect malware. It acts passively by emulating known vulnerabilities and downloading malware trying to exploit these vulnerabilities."

I tried to install Nepenthes using the precompiled package for FreeBSD, like this:

janney:/root# setenv PACKAGESITE ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-stable/Latest/

janney:/root# pkg_add -vr nepenthes

I ran into two problems. First, I had to install the ftp/curl port manually since the package seemed unavailable.

cd /usr/ports/ftp/curl
make
make install

Second, and more problematic, I found that the package which offered Nepenthes 0.1.5 did not work properly. Using the package, I could not get my Nepenthes client to connect to a specific IRC channel protected by a key.

I decided to install Nepenthes using the FreeBSD port. I made these changes to make the ports tree install version 0.1.6 instead of the older 0.1.5:

janney:/usr/ports/net/nepenthes# diff Makefile.orig Makefile
9c9
< PORTVERSION= 0.1.5
---
> PORTVERSION= 0.1.6
janney:/usr/ports/net/nepenthes# diff distinfo.orig distinfo
1,3c1,3
< MD5 (nepenthes-0.1.5.tar.gz) = d7eae244a5adef66ca504a233f1c51e1
< SHA256 (nepenthes-0.1.5.tar.gz) = 7c74614cb3027f0c9a409f68ed81baed4793673509e09138bd6296d72b04b08a
< SIZE (nepenthes-0.1.5.tar.gz) = 780788
---
> MD5 (nepenthes-0.1.6.tar.gz) = 317afd3dc86d57a22570632bdf839ef2
> SHA256 (nepenthes-0.1.6.tar.gz) = f9bae290d49df9658b7f27a2f4c304fd671cc1f2f344a3b960a181c12416d94b
> SIZE (nepenthes-0.1.6.tar.gz) = 794938
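Review bot: the distinfo hunk replaces the MD5, SHA256 and SIZE entries for nepenthes-0.1.6.tar.gz by hand; those values only protect the build if they came from the project's published checksums rather than from `make makesum` run against whatever tarball happened to be fetched, which would just record that file's own hash. Say where the 0.1.6 checksums were obtained. The two files do have to change together, since bumping PORTVERSION without a matching distinfo makes the fetch fail its checksum.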

Once Nepenthes was installed, I began editing configuration files in /usr/local/etc/nepenthes.

First I edited log-irc.conf to log to my IRC channel of choice.

janney:/usr/local/etc/nepenthes# diff log-irc.conf.orig log-irc.conf
21,23c21,23
< nick "nep-noname";
< ident "nepenthes";
< userinfo "http://nepenthes.sf.net";
---
> nick "mynep";
> ident "mynep";
> userinfo "mynep";
29,30c29,30
< name "#nepenthesirc";
< pass "foo";
---
> name "#myfakeircchannel";
> pass "myfakepw";
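Review bot: the second hunk stores the IRC channel key (`pass "myfakepw";`) in cleartext in log-irc.conf, so the file's mode matters: keep it readable only by the account Nepenthes runs as (root in this post) and keep it out of world-readable backups. The nick, ident and userinfo values in the first hunk are visible to everyone on the IRC network, so choose values that do not identify the honeypot's owner or its location.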

Note that the default log-irc.conf wants to use Tor. I will show how I set that up in a future post. To disable using Tor, change

use-tor "1";

to

use-tor "0";

Next I made changes to nepenthes.conf to use absolute paths (for example /var/log instead of var/log).

janney:/usr/local/etc/nepenthes# diff nepenthes.conf.dist nepenthes.conf
91,92c91,92
< ring_logging_file "var/log/nepenthes/nepenthes.%d.log";
< file_logging_file "var/log/nepenthes/nepenthes.log";
---
> ring_logging_file "/var/log/nepenthes/nepenthes.%d.log";
> file_logging_file "/var/log/nepenthes/nepenthes.log";
104c104
< filesdir "var/nepenthes/binaries/";
---
> filesdir "/var/nepenthes/binaries/";
120c120
< hexdump_path "var/nepenthes/hexdumps/";
---
> hexdump_path "/var/nepenthes/hexdumps/";
125c125
< cache_path "var/cache/nepenthes/geolocation/";
---
> cache_path "/var/cache/nepenthes/geolocation/";
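Review bot: the third and fourth hunks point hexdump_path at /var/nepenthes/hexdumps/ and cache_path at /var/cache/nepenthes/geolocation/, but the directory step later in the post only creates /var/nepenthes/binaries and /var/log/nepenthes, so hexdumps and the geolocation cache have nowhere to be written. Add `mkdir -p /var/nepenthes/hexdumps /var/cache/nepenthes/geolocation` to that step, or state that Nepenthes creates them itself if that was verified.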

I made similar changes to log-download.conf.

janney:/usr/local/etc/nepenthes# diff log-download.conf.orig log-download.conf
3,4c3,4
< downloadfile "var/log/logged_downloads"; // log download attempts
< submitfile "var/log/logged_submissions"; // log successfull downloads
---
> downloadfile "/var/log/logged_downloads"; // log download attempts
> submitfile "/var/log/logged_submissions"; // log successfull downloads
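Review bot: both new paths land directly in /var/log (`/var/log/logged_downloads`, `/var/log/logged_submissions`) while the nepenthes.conf hunk above sends the daemon's own logs to /var/log/nepenthes/; keeping the download and submission logs in that same directory makes rotation and permissions one job instead of two. The `successfull` typo in the trailing comments is inherited from the shipped file and can be left alone.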

And submit-file.conf:

janney:/usr/local/etc/nepenthes# diff submit-file.conf.orig submit-file.conf
3c3
< path "var/binaries/";
---
> path "/var/nepenthes/binaries/";

And submit-norman.conf:

janney:/usr/local/etc/nepenthes# diff submit-norman.conf.orig submit-norman.conf
4c4
< email "malware@mac.com";
---
> email "myemail@gmail.com";

download-nepenthes.conf needed a more radical change because I don't have /share/hda3/opt/ on FreeBSD.

janney:/usr/local/etc/nepenthes# diff download-nepenthes.conf.orig download-nepenthes.conf
5c5
< filespath "/share/hda3/opt/nepenthes";
---
> filespath "/var/nepenthes/";

Next I created the directories needed by Nepenthes.

janney:/root# mkdir -p /var/nepenthes/binaries
janney:/root# mkdir /var/log/nepenthes
janney:/root# touch /var/log/nepenthes/nepenthes.log
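The config edits above all fix the same class of problem, relative paths that only resolve from one working directory, and the mkdir step has to match what the edited files reference. The following is an added example (not code from the post or from the Nepenthes project) that parses the `key "value";` line format used by these files, reports any path value that is still relative, and lists the directories that must exist before the daemon starts. The key lists are assumptions drawn from the diffs above, and the sample config text is constructed.

```python
"""Preflight check for Nepenthes-style config files.

Added example, not part of the original post or of the Nepenthes project.
Nepenthes config files use `key "value";` lines with optional `//` comments;
this parser reads them, flags path values that are still relative (the
defect the diffs above correct), and lists the directories that must exist
before the daemon starts. The key lists below are taken from the post's
diffs and are an assumption about which keys hold paths.
"""
import os
import re
from typing import Callable, Dict, List

# Keys whose value is a directory (from the diffs in the post).
DIR_KEYS = {"filesdir", "hexdump_path", "cache_path", "path", "filespath"}
# Keys whose value is a file; its parent directory must exist.
FILE_KEYS = {"ring_logging_file", "file_logging_file", "downloadfile", "submitfile"}

# Matches:  key "value";   // optional trailing comment
_SETTING_RE = re.compile(r'^\s*([A-Za-z_][\w-]*)\s+"([^"]*)"\s*;\s*(?://.*)?$')

# Constructed sample mirroring the post's values; cache_path is deliberately
# left relative to show what the check reports.
SAMPLE_CONF = """\
// constructed nepenthes.conf excerpt
ring_logging_file "/var/log/nepenthes/nepenthes.%d.log";
file_logging_file "/var/log/nepenthes/nepenthes.log";
filesdir "/var/nepenthes/binaries/";
hexdump_path "/var/nepenthes/hexdumps/";
cache_path "var/cache/nepenthes/geolocation/";   // still relative
"""


def parse_config(text: str) -> Dict[str, str]:
    """Return {key: value} for every `key "value";` line; blank and // lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue
        match = _SETTING_RE.match(line)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def relative_paths(settings: Dict[str, str]) -> List[str]:
    """Path-valued keys whose value does not start with '/', i.e. relative to the CWD."""
    path_keys = DIR_KEYS | FILE_KEYS
    return sorted(k for k, v in settings.items() if k in path_keys and not v.startswith("/"))


def required_directories(settings: Dict[str, str]) -> List[str]:
    """Directories Nepenthes will write into, derived from the path-valued keys."""
    dirs = set()
    for key, value in settings.items():
        if key in DIR_KEYS:
            dirs.add(value.rstrip("/") or "/")
        elif key in FILE_KEYS:
            dirs.add(os.path.dirname(value))
    return sorted(dirs)


def missing_directories(settings: Dict[str, str],
                        exists: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Required directories that do not exist; `exists` is injectable so the check runs offline."""
    return [d for d in required_directories(settings) if not exists(d)]


if __name__ == "__main__":
    conf = parse_config(SAMPLE_CONF)
    for key in relative_paths(conf):
        print(f"relative path in {key}: {conf[key]!r}")
    for directory in missing_directories(conf):
        print(f"missing directory: {directory}")
```

Run against the real files in /usr/local/etc/nepenthes by reading each one into parse_config; with only the two mkdir targets from the post present, the check reports the hexdump and geolocation cache directories as missing.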

When done, I was able to start Nepenthes with the simple command 'nepenthes'. I recommend running it in the foreground within script(1), because by default Nepenthes generates a ton of debug info.

As configured, Nepenthes is listening on a slew of ports:

janney:/usr/local/etc/rc.d# sockstat -4 | grep nep
root nepenthes 7669 3 udp4 *:50838 *:*
root nepenthes 7669 6 tcp4 *:21 *:*
root nepenthes 7669 7 tcp4 *:25 *:*
root nepenthes 7669 8 tcp4 *:110 *:*
root nepenthes 7669 9 tcp4 *:143 *:*
root nepenthes 7669 10 tcp4 *:220 *:*
root nepenthes 7669 11 tcp4 *:465 *:*
root nepenthes 7669 12 tcp4 *:993 *:*
root nepenthes 7669 13 tcp4 *:995 *:*
root nepenthes 7669 14 tcp4 *:2745 *:*
root nepenthes 7669 15 tcp4 *:6129 *:*
root nepenthes 7669 16 tcp4 *:135 *:*
root nepenthes 7669 17 tcp4 *:445 *:*
root nepenthes 7669 18 tcp4 *:1025 *:*
root nepenthes 7669 19 tcp4 *:443 *:*
root nepenthes 7669 20 tcp4 *:17300 *:*
root nepenthes 7669 21 tcp4 *:2103 *:*
root nepenthes 7669 22 tcp4 *:2105 *:*
root nepenthes 7669 23 tcp4 *:2107 *:*
root nepenthes 7669 24 tcp4 *:3372 *:*
root nepenthes 7669 25 udp4 *:1434 *:*
root nepenthes 7669 26 tcp4 *:3127 *:*
root nepenthes 7669 27 tcp4 *:139 *:*
root nepenthes 7669 28 tcp4 *:3140 *:*
root nepenthes 7669 29 tcp4 *:5554 *:*
root nepenthes 7669 30 tcp4 *:1023 *:*
root nepenthes 7669 31 tcp4 *:27347 *:*
root nepenthes 7669 32 tcp4 *:5000 *:*
root nepenthes 7669 33 tcp4 *:10000 *:*
root nepenthes 7669 34 tcp4 *:42 *:*
root nepenthes 7669 35 tcp4 *:80 *:*

The system running Nepenthes has a private IP and it sits behind my Comcast cable modem. I decided to tell my router connected to the cable modem to forward ports 80 and 443 to the Nepenthes system.
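Since only two of the ports in that sockstat listing are forwarded, it is worth knowing exactly which listeners the Internet can reach and which stay on the LAN. Here is an added example (not from the post or the Nepenthes project) that parses the `sockstat -4 | grep nep` column layout shown above and compares it with the forwarded ports. The sample lines are a constructed excerpt of the listing, and the FORWARDED set is the post's 80 and 443 plus one made-up forward with no listener, so the dangling-forward case is shown too.

```python
"""Which of the ports Nepenthes binds are reachable from the Internet?

Added example, not from the original post or the Nepenthes project. It parses
the `sockstat -4 | grep nep` output format shown in the post and compares the
listeners with the set of ports the router forwards (80 and 443 in the post).
The FORWARDED set and the sample lines are constructed for this example.
"""
import re
from typing import Dict, List, NamedTuple, Set


class Listener(NamedTuple):
    proto: str   # "tcp" or "udp"
    port: int


# Constructed excerpt in the sockstat column order from the post:
# USER COMMAND PID FD PROTO LOCAL_ADDRESS FOREIGN_ADDRESS
SAMPLE_SOCKSTAT = """\
root nepenthes 7669 3 udp4 *:50838 *:*
root nepenthes 7669 6 tcp4 *:21 *:*
root nepenthes 7669 16 tcp4 *:135 *:*
root nepenthes 7669 17 tcp4 *:445 *:*
root nepenthes 7669 19 tcp4 *:443 *:*
root nepenthes 7669 25 udp4 *:1434 *:*
root nepenthes 7669 35 tcp4 *:80 *:*
"""

# Ports the router forwards to the honeypot (80 and 443 from the post), plus
# one constructed rule (tcp/8080) with no matching listener to show that case.
FORWARDED: Set[Listener] = {Listener("tcp", 80), Listener("tcp", 443), Listener("tcp", 8080)}

_PROTO_RE = re.compile(r"^(tcp|udp)[46]$")


def parse_sockstat(text: str, command: str = "nepenthes") -> List[Listener]:
    """Listening sockets of `command` bound to the wildcard address."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[1] != command:
            continue
        proto_match = _PROTO_RE.match(fields[4])
        local = fields[5]
        if not proto_match or not local.startswith("*:"):
            continue
        listeners.append(Listener(proto_match.group(1), int(local[2:])))
    return listeners


def exposure_report(listeners: List[Listener], forwarded: Set[Listener]) -> Dict[str, List[Listener]]:
    """Split listeners into Internet-reachable and LAN-only, and list forwards with no listener."""
    bound = set(listeners)
    return {
        "reachable": sorted(bound & forwarded),
        "lan_only": sorted(bound - forwarded),
        "forwarded_but_closed": sorted(forwarded - bound),
    }


if __name__ == "__main__":
    report = exposure_report(parse_sockstat(SAMPLE_SOCKSTAT), FORWARDED)
    for label, entries in report.items():
        print(label, ", ".join(f"{l.proto}/{l.port}" for l in entries) or "-")
```

On the real box, feed the output of `sockstat -4` into parse_sockstat and put the router's actual forwarding rules in the set; anything in "lan_only" is reachable only from 192.168.2.0/24, and a non-empty "forwarded_but_closed" means the router is forwarding to a port nothing answers on.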

Now, if I connect to port 80 on my router, Nepenthes handles the connection.

janney:/root# nc -v bej.dyndns.org 80
Connection to bej.dyndns.org 80 port [tcp/http] succeeded!
HEAD / HTTP/1.0
janney:/root#

Here is what Nepenthes reports:

[ debug net mgr ] Socket TCP (bind) 0.0.0.0:0 -> 0.0.0.0:80
DialogueFactory ASN1 Dialogue Factory creates dialogues for the SMB and IIS flaw
killbill showed us could Accept a Connection
[ spam net handler ]
[ spam net handler ] Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80
[ spam net handler ] Adding Dialogue ASN1 Dialogue Factory
[ spam mgr event ]
[ debug net mgr ] Accepted Connection Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80
32 Sockets in list
[ spam net handler ]
[ spam mgr event ]
[ spam net handler ] doRecv() 16
[ debug net handler ] Dialogue IISDialogue inactive, returned CL_DROP
[ debug net handler ] Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80
has no active Dialogues left, closing
[ debug net mgr ] Deleting Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80
due to closed connection
[ spam net handler ]
[ spam net handler ] Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80
clearing DialogueList (1 entries)
[ spam net handler ] Removing Dialog "IISDialogue"
[ warn dia ] Unknown IIS 16 bytes State 0
[ dia ] =------------------[ hexdump(0x0808c300 , 0x00000010) ]-------------------=
[ dia ] 0x0000 48 45 41 44 20 2f 20 48 54 54 50 2f 31 2e 30 0a HEAD / H TTP/1.0.
[ dia ] =-------------------------------------------------------------------------=
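With this much debug output per connection, a summary is more useful than the raw stream. The following is an added example (not from the post or the Nepenthes project) that pulls three things out of log text in the format shown above: accepted TCP connections counted per source address and destination port, closed sockets, and `Unknown ... bytes` warnings with the payload reassembled from the `[ dia ]` hexdump rows that follow them. The sample log is constructed from the lines in the post plus two extra connections so the counts are not all 1; the assumption that hexdump rows belong to the most recent warning is mine.

```python
"""Summarise Nepenthes debug output like the excerpt in the post.

Added example, not from the original post or the Nepenthes project. It pulls
accepted connections, closed sockets and `Unknown ... bytes` warnings out of
the log and decodes the `[ dia ]` hexdump rows back into the bytes that were
received. The sample log below is constructed from the post's lines.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
[ debug net mgr ] Accepted Connection Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80
32 Sockets in list
[ spam net handler ] doRecv() 16
[ debug net handler ] Dialogue IISDialogue inactive, returned CL_DROP
[ debug net mgr ] Deleting Socket TCP (accept) 192.168.2.1:55966 -> 192.168.2.7:80
due to closed connection
[ warn dia ] Unknown IIS 16 bytes State 0
[ dia ] =------------------[ hexdump(0x0808c300 , 0x00000010) ]-------------------=
[ dia ] 0x0000 48 45 41 44 20 2f 20 48 54 54 50 2f 31 2e 30 0a HEAD / H TTP/1.0.
[ dia ] =-------------------------------------------------------------------------=
[ debug net mgr ] Accepted Connection Socket TCP (accept) 192.168.2.1:55970 -> 192.168.2.7:80
[ debug net mgr ] Accepted Connection Socket TCP (accept) 192.168.2.1:55971 -> 192.168.2.7:445
"""

_ADDR = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
# "Accepted Connection" appears once per connection; the bare "Socket TCP (accept)"
# string recurs on several lines per connection, so it is not used for counting.
ACCEPT_RE = re.compile(r"Accepted Connection Socket TCP \(accept\) " + _ADDR + " -> " + _ADDR)
CLOSE_RE = re.compile(r"Deleting Socket TCP \(accept\) " + _ADDR + " -> " + _ADDR)
UNKNOWN_RE = re.compile(r"^\[ warn dia \] Unknown (\w+) (\d+) bytes State (\d+)")
HEXROW_RE = re.compile(r"^\[ dia \] 0x[0-9a-fA-F]{4,8} (.*)$")
_HEXBYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")


def hexrow_bytes(row: str) -> bytes:
    """Decode one hexdump row: up to 16 two-digit hex tokens after the offset.
    The trailing ASCII column is ignored; a row is assumed to carry at most 16 bytes."""
    match = HEXROW_RE.match(row)
    if not match:
        return b""
    tokens: List[str] = []
    for token in match.group(1).split():
        if len(tokens) == 16 or not _HEXBYTE_RE.match(token):
            break
        tokens.append(token)
    return bytes.fromhex("".join(tokens))


def summarize(text: str) -> Dict[str, object]:
    """Counts of accepts per (src_ip, dst_port), number of closes, and unknown-payload events."""
    accepts: Counter = Counter()
    closed = 0
    unknown: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            accepts[(m.group(1), int(m.group(4)))] += 1
            continue
        if CLOSE_RE.search(line):
            closed += 1
            continue
        m = UNKNOWN_RE.match(line)
        if m:
            unknown.append({"proto": m.group(1), "nbytes": int(m.group(2)),
                            "state": int(m.group(3)), "payload": b""})
            continue
        if unknown and line.startswith("[ dia ] 0x"):
            # Hexdump rows are attributed to the most recent warning (assumption).
            unknown[-1]["payload"] += hexrow_bytes(line)
    return {"accepts": accepts, "closed": closed, "unknown": unknown}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for (src, port), n in sorted(result["accepts"].items()):
        print(f"{src} -> port {port}: {n} connection(s)")
    print(f"closed sockets: {result['closed']}")
    for event in result["unknown"]:
        print(f"unknown {event['proto']} payload ({event['nbytes']} bytes): {event['payload']!r}")
```

Pointing summarize() at the file written by file_logging_file gives a per-source view of who is hitting which emulated service, and the decoded payload of each "Unknown" warning shows what a client sent that none of the dialogues recognised, which for the nc test above is just the HEAD request.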

If I find anything interesting, I will pass it on. Here I just wanted to document what I had to do to get Nepenthes running.

Comments

Anonymous said…
I was wondering how it compares with mwcollect. I got a rather impressive collection of malware with mwcollect, but which one of them does a better job?
Anonymous said…
Any recommendations on an rc.d script to start nepenthes?
I would pick a simple existing script and modify it for Nepenthes.
Anonymous said…
Anyone get it running on Mac OS X 10.4.8? I'm having no luck. -- Clint
Anonymous said…
This page was helpful for me too. Installed from ports on a FreeBSD 6.1-SECURITY box; after the adjustments mentioned here, it is up and running fine. Thanks!
