There are many tools that have been developed to probe and exploit Windows networking. Tools like these may well be used against your KFSensor honeypot system, by hackers.
Note: Many scanners make use of Window's operating system routines to perform a scan. These will not work from the honeypot machine. Always test KFSensor from another machine on your network.
Windows includes a very powerful set of commands, which are available from a command console.
These "net" commands provide a simple and powerful way of testing KFSensor without the need to use third party scanners.
To run these tests simply open a DOSBOX on another machine and use the IP address of the KFSensor machine in the examples below.
C:\>net time \\192.168.2.9|
Current time at \\192.168.2.9 is 10/21/2015 12:01 PM
The net time command displays the time on the remote computer. This is a simple way of seeing if you have a working connection with a remote computer and a hacker's favorite.
C:\>net use * \\192.168.2.9\DOCS|
Drive Z: is now connected to \\192.168.2.9\DOCS.
The net use command maps a remote file share to a virtual drive.
C:\>net use \\192.168.2.9\ipc$ "" /user:""|
The command completed successfully.
This command opens a null connection on the remote computer.
This indicates a hack is possible.
C:\>net view \\192.168.2.9|
System error 58 has occurred.
The specified server cannot perform the requested operation.
The net view is used to interrogate a remote domain server. This is not been added to the emulation.
In order to start an NBT Session on port 139 an attacker needs to know the target system's NetBIOS name to establish a session.
So the first stage of an attack is to send a wild card name query to the NBT Name Service.
Note: Attacks launched against SMB direct on port 445 do not need to go through this stage.
These requests usually have the following format:
NBT NS Packet: id:256 Op: Name Query|
Question: *<00 Workstation Service>, Node Status, Internet class
KFSensor does not attempt to register itself with other Windows machines on the LAN, so it will not appear on My Network Places in Windows explorer.
It will respond to requests sent directly to its IP address.
There are many NetBIOS scanners available.
A reliable and simple command line scanner is nbtscan available from http://www.inetcat.org/software/nbtscan.html.
Doing NBT name scan for adresses from 192.168.2.9|
NetBIOS Name Table for Host 192.168.2.9:
Incomplete packet, 227 bytes long.
Name Service Type
GIMLI <00> UNIQUE
MORIA <00> GROUP
GIMLI <03> UNIQUE
GIMLI <20> UNIQUE
MORIA <1e> GROUP
GIMLID <03> UNIQUE
??__MSBROWSE__? <01> GROUP
Adapter address: e8-92-96-33-52-3d
One of the most common worms on the Internet is Opaserv.
The worm scans the Internet for Windows 98 machines that do not password protect the administration share.
On establishing a connection with port 139 the worm first writes a copy of its executable to the C:\Windows directory.
It then reads the system file WIN.INI, adds the following line to this file in order to run the worm and then over writes the original.
The following is the KFSensor received event for an W32/Opaserv.worm.d attack.
This will generate the following two files in the upload directory.
200_141_93_72_21145_scrsvr_exe.bin - Worm executable
200_141_93_72_21145_win_ini.bin - Modified system file
NBT:1 Session Request|
Called Name : GIMLI<20 File Server Service>
Calling Name: LOCALHOST<20 File Server Service>
NBT:2 SMB: [tree con X]
NBT:3 SMB: [create file]
NBT:4 SMB: [write]
Write 512 bytes at offset 0
NBT:60 SMB: [write]
Write 259 bytes at offset 28672
NBT:61 SMB: [close file]
NBT:62 SMB: [open file]
NBT:63 SMB: [read]
Read 512 bytes at offset 0
NBT:65 SMB: [read]
Read 512 bytes at offset 1024
NBT:66 SMB: [close file]
NBT:67 SMB: [create file]
NBT:68 SMB: [write]
Write 512 bytes at offset 0
NBT:70 SMB: [write]
Write 103 bytes at offset 1024
NBT:71 SMB: [close file]