David, just a couple of things. Few questions:

1. Did you update your vmware tools to 1.0.6?
2. Did you completely remove 1.0.5 prior to installing 1.0.6 (so no old vix apis might be used)
Christian

On Wed, Jul 30, 2008 at 4:44 AM, David Watson <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I've been having some problems getting the current version of Capture
> (capture-server-2.1.0-300) up and running on a machine running the
> current version of Kubuntu and the latest VMWare Server
> (VMware-server-1.0.6-91891.tar.gz).
>
> I've documented the server build process here:
>
> http://www.ukhoneynet.org/2008/07/28/compiling-capture-hpc-on-vmware-server-106/
>
> My honeypot is WinXP SP2 with the default Capture install
> (capture-client-2.1.0-300), as per the Readme file.
>
> I've temporarily disabled iptables on the server and I've checked
> client/server connectivity by telnetting to the relevant ports. The
> usernames and passwords also work when tested locally and permissions
> seem correct.
>
> Server IP = 192.168.0.144
> Honeypot VM IP = 192.168.0.21
>
> Attempting to process the sample URLs results in this behaviour:
>
> [EMAIL PROTECTED]:~/client_honeypots/capture-server-2.1.0-300$
> /usr/lib/jvm/java-6-sun/bin/java -Djava.net.preferIPv4Stack=true -jar
> CaptureServer.jar -s 192.168.0.144:7070 -f input_urls_example.txt
>
> Option added: server-listen-port => 7070
> Option added: server-listen-address => 192.168.0.144
> Option added: input_urls => input_urls_example.txt
> CaptureServer: Listening for connections
> Validating config.xml ...
> config.xml successfully validated
> Option added: capture-network-packets-benign => false
> Option added: capture-network-packets-malicious => false
> Option added: client-default-visit-time => 10
> Option added: collect-modified-files => false
> Option added: p_m => 1
> Option added: send-exclusion-lists => false
> ExclusionList: file - FileMonitor.exl: File not found
> ExclusionList: process - ProcessMonitor.exl: File not found
> ExclusionList: registry - RegistryMonitor.exl: File not found
> [192.168.0.144:902] VM added
> [Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState:
> WAITING_TO_BE_REVERTED
> [Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState: REVERTING
> Hostname: 192.168.0.144
> Username: david
> Password: dummypassword
> VMPath: /var/lib/vmware/Virtual Machines/Capture1/Capture1.vmx
> Guest Username: Administrator
> Guest Password: client1
> Guest Cmd: cmd.exe
> Guest Options: /K C:\Progra~1\Capture\CaptureClient.bat -s 192.168.0.144
> -p 7070 -a 27687351 -b 3374351
> VIX Error on connect in connect: One of the parameters was invalid
> E Disconnected
> [Jul 30, 2008 12:31:29 PM 192.168.0.144:902-3374351] VMware error 255
> [Jul 30, 2008 12:31:29 PM-192.168.0.144:902-3374351] VMSetState: ERROR
>
> However, if I manually initiate Capture on the client honeypot VM by
> running:
>
> C:\Progra~1\Capture\CaptureClient.bat -s 192.168.0.144 -p 7070 -a
> 27687351 -b 3374351
>
> I then get the following in the running Capture server output:
>
> <connect vm-server-id="27687351" vm-id="3374351"/>
> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState:
> CONNECTED
> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState:
> WAITING
> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] VMSetState: RUNNING
> <visit-event identifier="-2096107695" program="iexplore" time="30/7/2008
> 12:33:3.45" type="start" malicious="0"><item
> url="http%3a%2f%2fwww.google.com" program="iexplore"
> major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:3.45"
> visited="0"></item></visit-event>
> [Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] Visiting group
> -2096107695
> UrlSetState: VISITING
> [Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] ClientSetState:
> VISITING
> <pong/>
> [Jul 30, 2008 12:32:27 PM-192.168.0.144:902-3374351] Got pong
> <visit-event identifier="-2096107695" program="iexplore" time="30/7/2008
> 12:33:21.342" type="finish" malicious="0"><item
> url="http%3a%2f%2fwww.google.com" program="iexplore"
> major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:21.342"
> visited="1"></item></visit-event>
> [Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] Visited group
> -2096107695 BENIGN
> UrlSetState: VISITED
> [Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] ClientSetState:
> WAITING
> <visit-event identifier="-126122049" program="iexplore" time="30/7/2008
> 12:33:21.702" type="start" malicious="0"><item
> url="http%3a%2f%2fwww.google.de" program="iexplore" major-error-code="0"
> minor-error-code="0" time="30/7/2008 12:33:21.702"
> visited="0"></item></visit-event>
> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] Visiting group
> -126122049
> UrlSetState: VISITING
> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] ClientSetState:
> VISITING
> <pong/>
> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] Got pong
> <visit-event identifier="-126122049" program="iexplore" time="30/7/2008
> 12:33:36.139" type="finish" malicious="0"><item
> url="http%3a%2f%2fwww.google.de" program="iexplore" major-error-code="0"
> minor-error-code="0" time="30/7/2008 12:33:36.139"
> visited="1"></item></visit-event>
> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Visited group
> -126122049 BENIGN
> UrlSetState: VISITED
> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] ClientSetState:
> WAITING
> <visit-event identifier="961326393" program="iexplore" time="30/7/2008
> 12:33:36.295" type="start" malicious="0"><item
> url="http%3a%2f%2fwww.google.fr" program="iexplore" major-error-code="0"
> minor-error-code="0" time="30/7/2008 12:33:36.295"
> visited="0"></item></visit-event>
> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Visiting group
> 961326393
> UrlSetState: VISITING
> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] ClientSetState:
> VISITING
> <pong/>
> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Got pong
> <visit-event identifier="961326393" program="iexplore" time="30/7/2008
> 12:33:54.467" type="finish" malicious="0"><item
> url="http%3a%2f%2fwww.google.fr" program="iexplore" major-error-code="0"
> minor-error-code="0" time="30/7/2008 12:33:54.467"
> visited="1"></item></visit-event>
> [Jul 30, 2008 12:32:53 PM-192.168.0.144:902-3374351] Visited group
> 961326393 BENIGN
> UrlSetState: VISITED
> [Jul 30, 2008 12:32:53 PM-192.168.0.144:902-3374351] ClientSetState:
> WAITING
> <visit-event identifier="-1716674727" program="iexplore" time="30/7/2008
> 12:33:54.514" type="start" malicious="0"><item
> url="http%3a%2f%2fwww.google.it" program="iexplore" major-error-code="0"
> minor-error-code="0" time="30/7/2008 12:33:54.514"
> visited="0"></item></visit-event>
> [Jul 30, 2008 12:32:54 PM-192.168.0.144:902-3374351] Visiting group
> -1716674727
> UrlSetState: VISITING
> [Jul 30, 2008 12:32:54 PM-192.168.0.144:902-3374351] ClientSetState:
> VISITING
> <pong/>
> [Jul 30, 2008 12:32:58 PM-192.168.0.144:902-3374351] Got pong
> <visit-event identifier="-1716674727" program="iexplore" time="30/7/2008
> 12:34:11.30" type="finish" malicious="0"><item
> url="http%3a%2f%2fwww.google.it" program="iexplore" major-error-code="0"
> minor-error-code="0" time="30/7/2008 12:34:11.30"
> visited="1"></item></visit-event>
> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] Visited group
> -1716674727 BENIGN
> UrlSetState: VISITED
> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] ClientSetState:
> WAITING
> <visit-event identifier="1053184499" program="iexplore" time="30/7/2008
> 12:34:11.92" type="start" malicious="0"><item
> url="http%3a%2f%2fwww.google.co.nz" program="iexplore"
> major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:11.92"
> visited="0"></item></visit-event>
> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] Visiting group
> 1053184499
> UrlSetState: VISITING
> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] ClientSetState:
> VISITING
> <pong/>
> [Jul 30, 2008 12:33:07 PM-192.168.0.144:902-3374351] Got pong
> <visit-event identifier="1053184499" program="iexplore" time="30/7/2008
> 12:34:25.811" type="finish" malicious="0"><item
> url="http%3a%2f%2fwww.google.co.nz" program="iexplore"
> major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:25.811"
> visited="1"></item></visit-event>
> [Jul 30, 2008 12:33:11 PM-192.168.0.144:902-3374351] Visited group
> 1053184499 BENIGN
> UrlSetState: VISITED
> [Jul 30, 2008 12:33:11 PM-192.168.0.144:902-3374351] ClientSetState:
> WAITING
> <pong/>
> [Jul 30, 2008 12:33:17 PM-192.168.0.144:902-3374351] Got pong
> <pong/>
> [Jul 30, 2008 12:33:27 PM-192.168.0.144:902-3374351] Got pong
> <pong/>
> [Jul 30, 2008 12:33:37 PM-192.168.0.144:902-3374351] Got pong
> <pong/>
> [Jul 30, 2008 12:33:47 PM-192.168.0.144:902-3374351] Got pong
> <pong/>
> [Jul 30, 2008 12:33:57 PM-192.168.0.144:902-3374351] Got pong
> <pong/>
> [Jul 30, 2008 12:34:07 PM-192.168.0.144:902-3374351] Got pong
>
> With everything working as expected.
>
> Any ideas as to why I can't automatically revert the VM and launch the
> Capture client, or what causes the "VIX Error on connect in connect: One
> of the parameters was invalid" error?
>
> Thanks,
>
> David
>
> --
> David Watson
> UK Honeynet Project
> www.ukhoneynet.org
> [EMAIL PROTECTED]
>
> _______________________________________________
> Capture-HPC mailing list
> [email protected]
> https://public.honeynet.org/mailman/listinfo/capture-hpc
>

--
----
Web: http://www.mcs.vuw.ac.nz/~cseifert
PGP key http://www.mcs.vuw.ac.nz/~cseifert/pgpkey.txt
Primary key fingerprint: E979 0D9A 9187 D821 F86F B712 C8DB 0583 B046 BAEF
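The server output quoted in the thread is worth reading by machine rather than by eye: a VM that drops into `VMSetState: ERROR` is only useful if the VIX/VMware diagnostics printed just before it are kept with it, and the per-URL verdicts (`Visited group <id> BENIGN`) need to be joined to the percent-encoded URLs inside the `<visit-event>` XML. The following is an added example, not part of the thread and not Capture-HPC's own code, that parses those three kinds of line. The sample log is constructed after the quoted output with the e-mail line wrapping undone; the `MALICIOUS` verdict line and the `example.invalid` URL are my assumptions added to exercise the flagged-visit path, since the thread itself only shows benign visits.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample, modelled on the Capture-HPC 2.1 server output quoted in
# the thread, one event per line. The MALICIOUS verdict and the example.invalid
# URL are assumptions added to exercise the flagged-visit path.
SAMPLE_LOG = """\
[192.168.0.144:902] VM added
[Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState: WAITING_TO_BE_REVERTED
[Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState: REVERTING
VIX Error on connect in connect: One of the parameters was invalid
E Disconnected
[Jul 30, 2008 12:31:29 PM 192.168.0.144:902-3374351] VMware error 255
[Jul 30, 2008 12:31:29 PM-192.168.0.144:902-3374351] VMSetState: ERROR
<connect vm-server-id="27687351" vm-id="3374351"/>
[Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState: CONNECTED
[Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] VMSetState: RUNNING
<visit-event identifier="-2096107695" program="iexplore" time="30/7/2008 12:33:3.45" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.com" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:3.45" visited="0"></item></visit-event>
[Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] Visiting group -2096107695
UrlSetState: VISITING
<pong/>
[Jul 30, 2008 12:32:27 PM-192.168.0.144:902-3374351] Got pong
<visit-event identifier="-2096107695" program="iexplore" time="30/7/2008 12:33:21.342" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.com" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:21.342" visited="1"></item></visit-event>
[Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] Visited group -2096107695 BENIGN
UrlSetState: VISITED
<visit-event identifier="555" program="iexplore" time="30/7/2008 12:34:00.1" type="finish" malicious="1"><item url="http%3a%2f%2fexample.invalid%2fdrop" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:00.1" visited="1"></item></visit-event>
[Jul 30, 2008 12:34:01 PM-192.168.0.144:902-3374351] Visited group 555 MALICIOUS
UrlSetState: VISITED
"""

# "[<timestamp>-<vm host:port>-<vm id>] <message>"; the quoted log uses both
# "PM-" and "PM " before the host, so the separator accepts either.
PREFIX_RE = re.compile(
    r"^\[(?P<ts>.+?)[- ](?P<vm>\d{1,3}(?:\.\d{1,3}){3}:\d+)-(?P<vmid>\d+)\] (?P<msg>.*)$"
)
STATE_RE = re.compile(r"^(?P<kind>VMSetState|ClientSetState|UrlSetState): (?P<state>\S+)$")
VERDICT_RE = re.compile(r"^Visited group (?P<gid>-?\d+) (?P<verdict>\S+)$")
# Diagnostic lines that explain a following VMSetState: ERROR.
ERROR_HINTS = ("VIX Error", "VMware error", "E Disconnected")


def parse_visit_event(line):
    """Return (identifier, type, malicious_flag, [decoded urls]) for a <visit-event> line."""
    root = ET.fromstring(line)
    urls = [unquote(item.get("url", "")) for item in root.findall("item")]
    return root.get("identifier"), root.get("type"), root.get("malicious") == "1", urls


def _visit(report, ident):
    return report["visits"].setdefault(
        ident, {"urls": [], "verdict": None, "malicious": False, "finished": False}
    )


def parse_log(text):
    """Collect state transitions, VM errors with their diagnostic context, and per-group visits."""
    report = {"transitions": [], "errors": [], "visits": {}}
    pending = []  # diagnostic lines seen since the last state change
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<visit-event"):
            ident, etype, malicious, urls = parse_visit_event(line)
            v = _visit(report, ident)
            v["urls"] = urls or v["urls"]
            v["malicious"] = v["malicious"] or malicious
            v["finished"] = v["finished"] or etype == "finish"
            continue
        m = PREFIX_RE.match(line)
        msg = m.group("msg") if m else line
        vmid = m.group("vmid") if m else None
        if msg.startswith(ERROR_HINTS):
            pending.append(msg)
            continue
        s = STATE_RE.match(msg)
        if s:
            report["transitions"].append((vmid, s.group("kind"), s.group("state")))
            if s.group("kind") == "VMSetState" and s.group("state") == "ERROR":
                # Keep the VIX/VMware lines that led to the ERROR with the error itself.
                report["errors"].append({"vm": vmid, "context": list(pending)})
            pending = []
            continue
        vd = VERDICT_RE.match(msg)
        if vd:
            _visit(report, vd.group("gid"))["verdict"] = vd.group("verdict")
    return report


def flagged_urls(report):
    """URLs marked malicious either by the server verdict or by the client's flag."""
    hits = set()
    for v in report["visits"].values():
        if v["malicious"] or v["verdict"] == "MALICIOUS":
            hits.update(v["urls"])
    return sorted(hits)


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    for err in rep["errors"]:
        print(f"VM {err['vm']} entered ERROR after: {' | '.join(err['context'])}")
    for gid, v in rep["visits"].items():
        print(f"group {gid}: {v['urls']} verdict={v['verdict']} finished={v['finished']}")
    print("flagged:", flagged_urls(rep))
```

Run against the constructed log this pairs the single `VMSetState: ERROR` with the three diagnostic lines before it (the VIX parameter error, the disconnect and `VMware error 255`), which is exactly the grouping a reader of the raw output has to do by hand. Two independent malicious signals are honoured: the `malicious="1"` attribute on the client's event and the server's own `Visited group ... MALICIOUS` verdict, so a disagreement between client and server still surfaces the URL.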
