IPP script #50

altf4 · 2013-01-02T17:42:53Z

An IPP (Internet Printing Protocol) script for honeyd is needed. From a quick reading of the protocol, there appears to be two different ports that are commonly used: TCP 631 and UDP 631. The TCP port is for data and the actual sending of print documents. There are many features here that would be difficult to support, like authentication and encryption. The UDP port is just used for discovery, and may be significantly easier to implement.

#50

Getting properly formed http segments, just need to get the IPP part in working order; there's some places where it's using hex values as binary data, and some where it needs actual characters, so discovering the problem areas is taking a bit of time, but I feel like it's close to being a #50

Still would like to get around to a "full" implementation of a successful print-job-accepted response cycle, but that'll take a bit longer than the error code response will. Going to focus on replies to printer discovery packets from things like CUPS and LPD for the time being. #50

For some reason, there's one byte of extra, random data at the end of the packet data being passed back to honyed by the script. It's not being appended from within the script, which is confusing, but wireshark sees it and complains about it, despite the packet being an SNMP response that it'll recognize. Work more on it tomorrow. #50

Didn't take into account variable-length ids and error codes, etc. Fixed now. Responds well enough for wireshark to recognize that it's an SNMP packet. Just need to get that pesky data byte that's appended to the end to disappear, and hopefully it'll turn out well. #50

snmpscrape.py will snmpwalk an ip address, get as many of the MIB values as it can, and store them in a file. The idea will be that, with this file of MIB values, the ipp scripts will just have to parse and match a request OID with one from the file, construct the correct value parameter (type byte, length byte, and value) and send it back, thus mimicing the response an actual printer will get. Idea's there, implementation isn't as of yet. #50

Going to be useful for parsing the results of snmpscrape.py, though I may extend that script to take the results of snmpwalk and restructure it into a more capably parsed format. #50

I'm just going to have the snmpscrape script parse through the file and convert all returned variable values into their hex equivalents for easy use in ipp.py. Have OIDs and IpAddresses thus far. #50

Using the restructured file should be as easy as parsing for a response OID matching the request id, appending the type value, calculating the length of the response, and then hexlifying the response for the return packet. To finish this script series, a couple things need to happen: I found that an SNMP agent responds to MIBs in a best-match manner; there are cases where the request will contain an OID that doesn't trace all the way down to a leaf of the tree, and the expected behavior is that the responding agent will return all values that can claim the given request as a parent. This functionality is not within the script yet. In addition, the ipp_udp_wrap.py needs to parse for multiple OIDs within the request segment, and respond to all in kind. I'm not sure how the responding agent is supposed to handle multiple-oid requests...Does he respond to the OIDs all in one message, or does he respond to each request OID in a separate packet? I'll have to research more. I hope that it's the former. #50

Trying to find a way for the script to respond to a request with multiple packets per one request, if needed. creating an snmprequest.py script to send a single snmp get-request packet to a specified ip address to test whether multiple prints within a honeyd script will correlate to multiple packets. #50

snmprequest.py sends a single snmp get-request packet with an OID and to an IP and port of the users choosing, allowing simpler wiresharking and testing of the snmp responses. #50

The difference became a get-request and a get-next-request became important enough to have code that makes the output reflect the difference in the response. #50

All of the values from the parsed file are parsed correctly to generate the desired output values, with the exception of some integer values that will be cleaned up in another commit. Going to start messing around with 'find printer' and such to see if the honeypot will actually show up, and then see if I can't make honeyd respond a little faster than it is with the script data. #50

The integers within the restructured file were being encoded incorrectly if they were negative or larger than two 7-bit bytes could contain (the reason for that is within the BER long form encoding documentation). Thus, just prepended two zeros so that the integer will be parsed correctly. Shifted output of snmpscrape.py to a comma-separated file. Going to move from explicit file read/manipulation in ipp.py to using the csv module in the python std libs, eventually. #50

The halting of a vanilla snmpwalk run is at the next-request of 1.3.6.1.2.1.43.17.6.1.5.1.2, which will yield the value of the OID 1.3.6.1.4.1.1602.1.1.1.1.0, which is the first node of a separate subtree that snmpscrape.py didn't get previously. Now it has those OIDs, and thus can respond to that subtree as well. This update is the first of many that will be needed to respond to a 'find printer' call. #50

Made snmpscrape accept some command line args, as well as enabling addition of scanned machine into a selected scripts' key,value pairs. #50

Added comments for snmpscrape.py, made indent not indent the tag after the last tag. #50

import statement was changed, changed it back after it stopped working. It's good now. snmpscrape checks for the string 'End of MIB' to remove the last (possible) line of the snmpwalk outputs, but there was a newline after that was screwing things up. Fixed it. #50

When one attaches the SNMP script to a node, a generated file is formed from the option subtree within the scripts.xml file. Note that this won't happen if the snmpscrape script isn't run, as there's no mib file at that point; if one wishes to manually construct a file, it must be in the correct syntax and it must have commensurate values within scripts.xml. #50 Signed-off-by: Addison Waldow <[email protected]>

awaldow · 2013-01-22T18:45:36Z

The actual IPP part of this is going to be on a bit of a hiatus until we can figure out if Honeyd can speed up the packet response process; currently, we're finding that the generic 'Find Network Printer' program blasts many packets in quick succession, and expects response in a similarly quick fashion, whereas Honeyd takes on average 1 sec. to respond to a given request.

Sometimes the request-id integer from snmpwalk will be a value such that its hexlified translation omits the leading zero, thus leading to a2b_hex complaining about an odd length string. Fixed #50

The end result I'd like is some way to let an attacker see the honeypot make a DNS request out in the internet, assuming he's in place to do so; this will make it look like an authentic DNS server, minus any caching, though I'm sure that's an option that could be assumed toggled on or off in the real world. #50

ghost assigned awaldow Jan 2, 2013

altf4 pushed a commit that referenced this issue Jan 3, 2013

SCRIPTS: WIP for IPP script

dbd4fae

#50

altf4 pushed a commit that referenced this issue Jan 14, 2013

SCRIPTS: Testing of snmprequest.py

96bea5c

snmprequest.py sends a single snmp get-request packet with an OID and to an IP and port of the users choosing, allowing simpler wiresharking and testing of the snmp responses. #50

altf4 pushed a commit that referenced this issue Jan 21, 2013

SCRIPTS: Allow snmpscrape.py to take command line args and write info

8659f3b

Made snmpscrape accept some command line args, as well as enabling addition of scanned machine into a selected scripts' key,value pairs. #50

altf4 pushed a commit that referenced this issue Jan 22, 2013

SCRIPTS: Make some comments, fix indent in snmpscrape.py

9bd6a49

Added comments for snmpscrape.py, made indent not indent the tag after the last tag. #50

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

IPP script #50

IPP script #50

altf4 commented Jan 2, 2013

awaldow commented Jan 22, 2013

IPP script #50

IPP script #50

Comments

altf4 commented Jan 2, 2013

awaldow commented Jan 22, 2013