Christian,

Good news - I've got Capture running under the latest VMware Server release (at last!).

Although the VMware Server installer runs vmware-uninstall.pl before installing a newer version, something must have gone wrong with a prior version install/uninstall, as when I ran vmware-uninstall.pl from 1.0.6 I found a couple of vmware-vix shared libraries still left on the file system. Removing these, installing VMware Server 1.0.6 again and recompiling Capture fixed the problem.

The honeypot VM was built under 1.0.6, so no tool upgrade was necessary.

Thanks for the suggestions everyone. The steps below should be fine for the latest versions of Capture and VMware Server on Ubuntu as long as you manually perform the uninstall and check the filesystem first:

http://www.ukhoneynet.org/2008/07/28/compiling-capture-hpc-on-vmware-server-106/

Thanks,

David

Christian Seifert wrote:
> David, just a couple of things. Few questions:
> 1. Did you update your vmware tools to 1.0.6?
> 2. Did you completely remove 1.0.5 prior to installing 1.0.6 (so no old vix APIs might be used)?
>
> Christian
>
> On Wed, Jul 30, 2008 at 4:44 AM, David Watson <[EMAIL PROTECTED]> wrote:
>
>> Hi all,
>>
>> I've been having some problems getting the current version of Capture (capture-server-2.1.0-300) up and running on a machine running the current version of Kubuntu and the latest VMware Server (VMware-server-1.0.6-91891.tar.gz).
>>
>> I've documented the server build process here:
>>
>> http://www.ukhoneynet.org/2008/07/28/compiling-capture-hpc-on-vmware-server-106/
>>
>> My honeypot is WinXP SP2 with the default Capture install (capture-client-2.1.0-300), as per the Readme file.
>>
>> I've temporarily disabled iptables on the server and I've checked client/server connectivity by telnetting to the relevant ports. The usernames and passwords also work when tested locally and permissions seem correct.
>>
>> Server IP = 192.168.0.144
>> Honeypot VM IP = 192.168.0.21
>>
>> Attempting to process the sample URLs results in this behaviour:
>>
>> [EMAIL PROTECTED]:~/client_honeypots/capture-server-2.1.0-300$ /usr/lib/jvm/java-6-sun/bin/java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s 192.168.0.144:7070 -f input_urls_example.txt
>>
>> Option added: server-listen-port => 7070
>> Option added: server-listen-address => 192.168.0.144
>> Option added: input_urls => input_urls_example.txt
>> CaptureServer: Listening for connections
>> Validating config.xml ...
>> config.xml successfully validated
>> Option added: capture-network-packets-benign => false
>> Option added: capture-network-packets-malicious => false
>> Option added: client-default-visit-time => 10
>> Option added: collect-modified-files => false
>> Option added: p_m => 1
>> Option added: send-exclusion-lists => false
>> ExclusionList: file - FileMonitor.exl: File not found
>> ExclusionList: process - ProcessMonitor.exl: File not found
>> ExclusionList: registry - RegistryMonitor.exl: File not found
>> [192.168.0.144:902] VM added
>> [Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState: WAITING_TO_BE_REVERTED
>> [Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState: REVERTING
>> Hostname: 192.168.0.144
>> Username: david
>> Password: dummypassword
>> VMPath: /var/lib/vmware/Virtual Machines/Capture1/Capture1.vmx
>> Guest Username: Administrator
>> Guest Password: client1
>> Guest Cmd: cmd.exe
>> Guest Options: /K C:\Progra~1\Capture\CaptureClient.bat -s 192.168.0.144 -p 7070 -a 27687351 -b 3374351
>> VIX Error on connect in connect: One of the parameters was invalid
>> E Disconnected
>> [Jul 30, 2008 12:31:29 PM 192.168.0.144:902-3374351] VMware error 255
>> [Jul 30, 2008 12:31:29 PM-192.168.0.144:902-3374351] VMSetState: ERROR
>>
>> However, if I manually initiate Capture on the client honeypot VM by running:
>>
>> C:\Progra~1\Capture\CaptureClient.bat -s 192.168.0.144 -p 7070 -a 27687351 -b 3374351
>>
>> I then get the following in the running Capture server output:
>>
>> <connect vm-server-id="27687351" vm-id="3374351"/>
>> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState: CONNECTED
>> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] VMSetState: RUNNING
>> <visit-event identifier="-2096107695" program="iexplore" time="30/7/2008 12:33:3.45" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.com" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:3.45" visited="0"></item></visit-event>
>> [Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] Visiting group -2096107695
>> UrlSetState: VISITING
>> [Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
>> <pong/>
>> [Jul 30, 2008 12:32:27 PM-192.168.0.144:902-3374351] Got pong
>> <visit-event identifier="-2096107695" program="iexplore" time="30/7/2008 12:33:21.342" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.com" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:21.342" visited="1"></item></visit-event>
>> [Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] Visited group -2096107695 BENIGN
>> UrlSetState: VISITED
>> [Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>> <visit-event identifier="-126122049" program="iexplore" time="30/7/2008 12:33:21.702" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.de" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:21.702" visited="0"></item></visit-event>
>> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] Visiting group -126122049
>> UrlSetState: VISITING
>> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
>> <pong/>
>> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] Got pong
>> <visit-event identifier="-126122049" program="iexplore" time="30/7/2008 12:33:36.139" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.de" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:36.139" visited="1"></item></visit-event>
>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Visited group -126122049 BENIGN
>> UrlSetState: VISITED
>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>> <visit-event identifier="961326393" program="iexplore" time="30/7/2008 12:33:36.295" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.fr" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:36.295" visited="0"></item></visit-event>
>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Visiting group 961326393
>> UrlSetState: VISITING
>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
>> <pong/>
>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Got pong
>> <visit-event identifier="961326393" program="iexplore" time="30/7/2008 12:33:54.467" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.fr" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:54.467" visited="1"></item></visit-event>
>> [Jul 30, 2008 12:32:53 PM-192.168.0.144:902-3374351] Visited group 961326393 BENIGN
>> UrlSetState: VISITED
>> [Jul 30, 2008 12:32:53 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>> <visit-event identifier="-1716674727" program="iexplore" time="30/7/2008 12:33:54.514" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.it" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:54.514" visited="0"></item></visit-event>
>> [Jul 30, 2008 12:32:54 PM-192.168.0.144:902-3374351] Visiting group -1716674727
>> UrlSetState: VISITING
>> [Jul 30, 2008 12:32:54 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
>> <pong/>
>> [Jul 30, 2008 12:32:58 PM-192.168.0.144:902-3374351] Got pong
>> <visit-event identifier="-1716674727" program="iexplore" time="30/7/2008 12:34:11.30" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.it" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:11.30" visited="1"></item></visit-event>
>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] Visited group -1716674727 BENIGN
>> UrlSetState: VISITED
>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>> <visit-event identifier="1053184499" program="iexplore" time="30/7/2008 12:34:11.92" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.co.nz" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:11.92" visited="0"></item></visit-event>
>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] Visiting group 1053184499
>> UrlSetState: VISITING
>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
>> <pong/>
>> [Jul 30, 2008 12:33:07 PM-192.168.0.144:902-3374351] Got pong
>> <visit-event identifier="1053184499" program="iexplore" time="30/7/2008 12:34:25.811" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.co.nz" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:25.811" visited="1"></item></visit-event>
>> [Jul 30, 2008 12:33:11 PM-192.168.0.144:902-3374351] Visited group 1053184499 BENIGN
>> UrlSetState: VISITED
>> [Jul 30, 2008 12:33:11 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>> <pong/>
>> [Jul 30, 2008 12:33:17 PM-192.168.0.144:902-3374351] Got pong
>> <pong/>
>> [Jul 30, 2008 12:33:27 PM-192.168.0.144:902-3374351] Got pong
>> <pong/>
>> [Jul 30, 2008 12:33:37 PM-192.168.0.144:902-3374351] Got pong
>> <pong/>
>> [Jul 30, 2008 12:33:47 PM-192.168.0.144:902-3374351] Got pong
>> <pong/>
>> [Jul 30, 2008 12:33:57 PM-192.168.0.144:902-3374351] Got pong
>> <pong/>
>> [Jul 30, 2008 12:34:07 PM-192.168.0.144:902-3374351] Got pong
>>
>> With everything working as expected.
>>
>> Any ideas as to why I can't automatically revert the VM and launch the Capture client, or what causes the "VIX Error on connect in connect: One of the parameters was invalid" error?
>>
>> Thanks,
>>
>> David
>>
>> --
>> David Watson
>> UK Honeynet Project
>> www.ukhoneynet.org
>> [EMAIL PROTECTED]
>>
>> _______________________________________________
>> Capture-HPC mailing list
>> [email protected]
>> https://public.honeynet.org/mailman/listinfo/capture-hpc
>>

--
David Watson
UK Honeynet Project
www.ukhoneynet.org
[EMAIL PROTECTED]
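The fix David describes above comes down to one check: after vmware-uninstall.pl has run, make sure no VIX shared libraries are still on disk (or in the dynamic linker cache) before the new VMware Server goes on and Capture is recompiled against it. The script below is an added example and is not part of the thread, of Capture-HPC or of VMware's installer. It assumes that the stale files match the names libvix* or libvmware-vix* and that they live in the library directories listed in DEFAULT_LIB_DIRS; both are assumptions, since the message only says "a couple of vmware-vix shared libraries", so adjust the patterns and paths to what your own uninstall leaves behind.

```shell
#!/bin/sh
# Added example (not from the original thread): look for VMware VIX shared
# libraries left behind after vmware-uninstall.pl, before installing a new
# VMware Server release and rebuilding Capture-HPC against it.
#
# Assumptions not stated in the thread: stale files match "libvix*" or
# "libvmware-vix*" and sit in the directories below (hypothetical defaults).

DEFAULT_LIB_DIRS="/usr/lib /usr/lib32 /usr/lib64 /usr/local/lib /usr/lib/vmware-vix"

# find_stale_vix_libs DIR...
# Prints every VIX-looking shared object under the given directories, one
# per line. Returns 1 if anything was found (so a caller can refuse to
# continue the install) and 0 if the directories are clean. Directories that
# do not exist are skipped. Symlinks are reported too: a dangling
# libvix.so -> libvix.so.1 link confuses the linker just as a real file does.
find_stale_vix_libs() {
    total=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -maxdepth 2 covers the directory itself plus one level, e.g. a
        # leftover /usr/lib/vmware-vix/lib from the old package.
        matches=$(find "$dir" -maxdepth 2 \( -type f -o -type l \) \
                      \( -name 'libvix*' -o -name 'libvmware-vix*' \) 2>/dev/null | sort)
        [ -n "$matches" ] || continue
        printf '%s\n' "$matches"
        total=$((total + $(printf '%s\n' "$matches" | grep -c .)))
    done
    [ "$total" -eq 0 ]
}

# vix_in_linker_cache
# Prints any dynamic-linker cache entries that still refer to VIX libraries
# and returns 1 if there are any; 0 if the cache is clean or ldconfig is not
# available. Run "ldconfig" as root after deleting stale files so the cache
# matches the filesystem again.
vix_in_linker_cache() {
    command -v ldconfig >/dev/null 2>&1 || return 0
    hits=$(ldconfig -p 2>/dev/null | grep -i -e 'libvix' -e 'libvmware-vix')
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# vix_preinstall_check [DIR...]
# Gate to run after vmware-uninstall.pl and before the new installer:
# succeeds only when neither the filesystem nor the linker cache still
# knows about VIX. Without arguments it scans DEFAULT_LIB_DIRS.
vix_preinstall_check() {
    [ $# -gt 0 ] || set -- $DEFAULT_LIB_DIRS
    clean=0
    find_stale_vix_libs "$@" || clean=1
    vix_in_linker_cache || clean=1
    return $clean
}

# Set VIX_CHECK=1 when running this file directly to perform the check, e.g.
#   VIX_CHECK=1 sh check_vix_leftovers.sh
if [ "${VIX_CHECK-}" = "1" ]; then
    if vix_preinstall_check "$@"; then
        echo "No stale VIX libraries found; safe to install."
    else
        echo "Remove the files listed above (and run ldconfig) before installing." >&2
        exit 1
    fi
fi
```

Run it once immediately after the uninstall; anything it lists is what the new installer would otherwise leave in place, and what Capture's build would then pick up instead of the freshly installed VIX library.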
