[Capture-HPC] Problems running Capture on Ubuntu/Latest VMWare Server

David Watson david at honeynet.org.uk
Tue Aug 5 08:52:52 EDT 2008


Christian,

Good news - I've got Capture running under the latest VMWare Server
release (at last!). Although the VMWare Server installer runs
vmware-uninstall.pl before installing a newer version, something must
have gone wrong with a prior version install/uninstall, as when I ran
vmware-uninstall.pl from 1.0.6 I found a couple of vmware-vix shared
libraries still left on the file system. Removing these, installing
VMware Server 1.0.6 again and recompiling Capture fixed the problem.

The honeypot VM was built under 1.0.6, so no tool upgrade was necessary.

Thanks for the suggestions everyone. The steps below should be fine for
the latest versions of Capture and VMWare Server on Ubuntu as long as you
manually perform the uninstall and check the filesystem first:

http://www.ukhoneynet.org/2008/07/28/compiling-capture-hpc-on-vmware-server-106/

Thanks,

David

Christian Seifert wrote:
> David, just a couple of things. Few questions:
> 1. Did you update your vmware tools to 1.0.6?
> 2. Did you completely remove 1.0.5 prior to installing 1.0.6 (so no old vix
> apis might be used)
> 
> Christian
> 
> On Wed, Jul 30, 2008 at 4:44 AM, David Watson <david at honeynet.org.uk> wrote:
> 
>> Hi all,
>>
>> I've been having some problems getting the current version of Capture
>> (capture-server-2.1.0-300) up and running on a machine running the
>> current version of Kubuntu and the latest VMWare Server
>> (VMware-server-1.0.6-91891.tar.gz).
>>
>> I've documented the server build process here:
>>
>>
>> http://www.ukhoneynet.org/2008/07/28/compiling-capture-hpc-on-vmware-server-106/
>>
>> My honeypot is WinXP SP2 with the default Capture install
>> (capture-client-2.1.0-300), as per the Readme file.
>>
>> I've temporarily disabled iptables on the server and I've checked
>> client/server connectivity by telnetting to the relevant ports. The
>> usernames and passwords also work when tested locally and permissions
>> seem correct.
>>
>> Server IP = 192.168.0.144
>> Honeypot VM IP = 192.168.0.21
>>
>> Attempting to process the sample URLs results in this behaviour:
>>
>> david at monolith:~/client_honeypots/capture-server-2.1.0-300$
>> /usr/lib/jvm/java-6-sun/bin/java -Djava.net.preferIPv4Stack=true -jar
>> CaptureServer.jar -s 192.168.0.144:7070 -f input_urls_example.txt
>>
>> Option added: server-listen-port => 7070
>> Option added: server-listen-address => 192.168.0.144
>> Option added: input_urls => input_urls_example.txt
>> CaptureServer: Listening for connections
>> Validating config.xml ...
>> config.xml successfully validated
>> Option added: capture-network-packets-benign => false
>> Option added: capture-network-packets-malicious => false
>> Option added: client-default-visit-time => 10
>> Option added: collect-modified-files => false
>> Option added: p_m => 1
>> Option added: send-exclusion-lists => false
>> ExclusionList: file - FileMonitor.exl: File not found
>> ExclusionList: process - ProcessMonitor.exl: File not found
>> ExclusionList: registry - RegistryMonitor.exl: File not found
>> [192.168.0.144:902] VM added
>> [Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState:
>> WAITING_TO_BE_REVERTED
>> [Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState: REVERTING
>> Hostname: 192.168.0.144
>> Username: david
>> Password: dummypassword
>> VMPath: /var/lib/vmware/Virtual Machines/Capture1/Capture1.vmx
>> Guest Username: Administrator
>> Guest Password: client1
>> Guest Cmd: cmd.exe
>> Guest Options: /K C:\Progra~1\Capture\CaptureClient.bat -s 192.168.0.144
>> -p 7070 -a 27687351 -b 3374351
>> VIX Error on connect in connect: One of the parameters was invalid
>> E Disconnected
>> [Jul 30, 2008 12:31:29 PM 192.168.0.144:902-3374351] VMware error 255
>> [Jul 30, 2008 12:31:29 PM-192.168.0.144:902-3374351] VMSetState: ERROR
>>
>> However, if I manually initiate Capture on the client honeypot VM by
>> running:
>>
>> C:\Progra~1\Capture\CaptureClient.bat -s 192.168.0.144 -p 7070 -a
>> 27687351 -b 3374351
>>
>> I then get the following in the running Capture server output:
>>
>> <connect vm-server-id="27687351" vm-id="3374351"/>
>> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState:
>> CONNECTED
>> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState:
>> WAITING
>> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] VMSetState: RUNNING
>> <visit-event identifier="-2096107695" program="iexplore" time="30/7/2008
>> 12:33:3.45" type="start" malicious="0"><item
>> url="http%3a%2f%2fwww.google.com" program="iexplore"
>> major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:3.45"
>> visited="0"></item></visit-event>
>> [Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] Visiting group
>> -2096107695
>>        UrlSetState: VISITING
>> [Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] ClientSetState:
>> VISITING
>> <pong/>
>> [Jul 30, 2008 12:32:27 PM-192.168.0.144:902-3374351] Got pong
>> <visit-event identifier="-2096107695" program="iexplore" time="30/7/2008
>> 12:33:21.342" type="finish" malicious="0"><item
>> url="http%3a%2f%2fwww.google.com" program="iexplore"
>> major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:21.342"
>> visited="1"></item></visit-event>
>> [Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] Visited group
>> -2096107695 BENIGN
>>        UrlSetState: VISITED
>> [Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] ClientSetState:
>> WAITING
>> <visit-event identifier="-126122049" program="iexplore" time="30/7/2008
>> 12:33:21.702" type="start" malicious="0"><item
>> url="http%3a%2f%2fwww.google.de" program="iexplore" major-error-code="0"
>> minor-error-code="0" time="30/7/2008 12:33:21.702"
>> visited="0"></item></visit-event>
>> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] Visiting group
>> -126122049
>>        UrlSetState: VISITING
>> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] ClientSetState:
>> VISITING
>> <pong/>
>> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] Got pong
>> <visit-event identifier="-126122049" program="iexplore" time="30/7/2008
>> 12:33:36.139" type="finish" malicious="0"><item
>> url="http%3a%2f%2fwww.google.de" program="iexplore" major-error-code="0"
>> minor-error-code="0" time="30/7/2008 12:33:36.139"
>> visited="1"></item></visit-event>
>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Visited group
>> -126122049 BENIGN
>>        UrlSetState: VISITED
>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] ClientSetState:
>> WAITING
>> <visit-event identifier="961326393" program="iexplore" time="30/7/2008
>> 12:33:36.295" type="start" malicious="0"><item
>> url="http%3a%2f%2fwww.google.fr" program="iexplore" major-error-code="0"
>> minor-error-code="0" time="30/7/2008 12:33:36.295"
>> visited="0"></item></visit-event>
>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Visiting group
>> 961326393
>>        UrlSetState: VISITING
>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] ClientSetState:
>> VISITING
>> <pong/>
>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Got pong
>> <visit-event identifier="961326393" program="iexplore" time="30/7/2008
>> 12:33:54.467" type="finish" malicious="0"><item
>> url="http%3a%2f%2fwww.google.fr" program="iexplore" major-error-code="0"
>> minor-error-code="0" time="30/7/2008 12:33:54.467"
>> visited="1"></item></visit-event>
>> [Jul 30, 2008 12:32:53 PM-192.168.0.144:902-3374351] Visited group
>> 961326393 BENIGN
>>        UrlSetState: VISITED
>> [Jul 30, 2008 12:32:53 PM-192.168.0.144:902-3374351] ClientSetState:
>> WAITING
>> <visit-event identifier="-1716674727" program="iexplore" time="30/7/2008
>> 12:33:54.514" type="start" malicious="0"><item
>> url="http%3a%2f%2fwww.google.it" program="iexplore" major-error-code="0"
>> minor-error-code="0" time="30/7/2008 12:33:54.514"
>> visited="0"></item></visit-event>
>> [Jul 30, 2008 12:32:54 PM-192.168.0.144:902-3374351] Visiting group
>> -1716674727
>>        UrlSetState: VISITING
>> [Jul 30, 2008 12:32:54 PM-192.168.0.144:902-3374351] ClientSetState:
>> VISITING
>> <pong/>
>> [Jul 30, 2008 12:32:58 PM-192.168.0.144:902-3374351] Got pong
>> <visit-event identifier="-1716674727" program="iexplore" time="30/7/2008
>> 12:34:11.30" type="finish" malicious="0"><item
>> url="http%3a%2f%2fwww.google.it" program="iexplore" major-error-code="0"
>> minor-error-code="0" time="30/7/2008 12:34:11.30"
>> visited="1"></item></visit-event>
>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] Visited group
>> -1716674727 BENIGN
>>        UrlSetState: VISITED
>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] ClientSetState:
>> WAITING
>> <visit-event identifier="1053184499" program="iexplore" time="30/7/2008
>> 12:34:11.92" type="start" malicious="0"><item
>> url="http%3a%2f%2fwww.google.co.nz" program="iexplore"
>> major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:11.92"
>> visited="0"></item></visit-event>
>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] Visiting group
>> 1053184499
>>        UrlSetState: VISITING
>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] ClientSetState:
>> VISITING
>> <pong/>
>> [Jul 30, 2008 12:33:07 PM-192.168.0.144:902-3374351] Got pong
>> <visit-event identifier="1053184499" program="iexplore" time="30/7/2008
>> 12:34:25.811" type="finish" malicious="0"><item
>> url="http%3a%2f%2fwww.google.co.nz" program="iexplore"
>> major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:25.811"
>> visited="1"></item></visit-event>
>> [Jul 30, 2008 12:33:11 PM-192.168.0.144:902-3374351] Visited group
>> 1053184499 BENIGN
>>        UrlSetState: VISITED
>> [Jul 30, 2008 12:33:11 PM-192.168.0.144:902-3374351] ClientSetState:
>> WAITING
>> <pong/>
>> [Jul 30, 2008 12:33:17 PM-192.168.0.144:902-3374351] Got pong
>> <pong/>
>> [Jul 30, 2008 12:33:27 PM-192.168.0.144:902-3374351] Got pong
>> <pong/>
>> [Jul 30, 2008 12:33:37 PM-192.168.0.144:902-3374351] Got pong
>> <pong/>
>> [Jul 30, 2008 12:33:47 PM-192.168.0.144:902-3374351] Got pong
>> <pong/>
>> [Jul 30, 2008 12:33:57 PM-192.168.0.144:902-3374351] Got pong
>> <pong/>
>> [Jul 30, 2008 12:34:07 PM-192.168.0.144:902-3374351] Got pong
>>
>> With everything working as expected.
>>
>> Any ideas as to why I can't automatically revert the VM and launch the
>> Capture client, or what causes the "VIX Error on connect in connect: One
>> of the parameters was invalid" error?
>>
>> Thanks,
>>
>> David
>>
>> --
>> David Watson
>> UK Honeynet Project
>> www.ukhoneynet.org
>> david at honeynet.org.uk
>>
>> _______________________________________________
>> Capture-HPC mailing list
>> Capture-HPC at public.honeynet.org
>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>


-- 
David Watson
UK Honeynet Project
www.ukhoneynet.org
david at honeynet.org.uk
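The fix above came down to stale vmware-vix shared libraries that vmware-uninstall.pl had left behind. The script below is an added example, not part of this thread or of the Capture-HPC project, for the "check the filesystem first" step: it lists shared-library files whose name still mentions "vix" under a set of library directories and reports whether the system is clean. The directory list, the file-name pattern and the use of the ldconfig cache are assumptions; adjust them for your distribution.

```shell
#!/bin/sh
# Added example: find vmware-vix shared libraries that survived an uninstall.
# Assumptions: VIX libraries carry "vix" in their file name and live in one
# of the directories passed in; ldconfig is only consulted if present.

# Print every regular file under the given directories whose name contains
# "vix" and ends in .so or .so.<version>.  Missing directories are skipped.
# Usage: find_vix_leftovers /usr/lib /usr/local/lib
find_vix_leftovers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name '*vix*.so' -o -name '*vix*.so.*' \) 2>/dev/null
    done | sort
}

# Exit status 0 means no leftovers were found, 1 means stale libraries remain.
check_vix_clean() {
    count=$(find_vix_leftovers "$@" | wc -l | tr -d ' ')
    [ "$count" -eq 0 ]
}

# The dynamic linker cache is what a freshly compiled Capture server would
# actually resolve against, so list its "vix" entries too (if ldconfig exists).
ldcache_vix_entries() {
    command -v ldconfig >/dev/null 2>&1 || return 0
    ldconfig -p 2>/dev/null | grep -i vix || true
}

# Invoked as "sh vixcheck.sh --run": report and set the exit status.
# /usr/lib/vmware is an assumed install location, not taken from the thread.
if [ "${1:-}" = "--run" ]; then
    dirs="/usr/lib /usr/lib64 /usr/local/lib /usr/lib/vmware"
    echo "Shared-library files still mentioning vix:"
    find_vix_leftovers $dirs
    echo "Dynamic linker cache entries mentioning vix:"
    ldcache_vix_entries
    check_vix_clean $dirs
fi
```

Run it after vmware-uninstall.pl and before reinstalling VMware Server; a non-zero exit status means there are files to remove before recompiling Capture.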

