CHANGES

Version 0.2.2
=============

This release has been overdue for a long time.
It should compile using g++ 4.2 (and automake 1.10).

Nepenthes
FIXES and ADDITIONS
-----
  * DownloadManager
    * 0.0.0.0 is local
    * if replace_local_ips is not set, local downloads will be dropped
  * SocketManager
    * adding sockets during send or recv increases the .size() of m_Sockets,
      therefore the pollfd set is read beyond its borders; prevent this
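
The SocketManager defect just described, as an added illustration that is not Nepenthes' own code: a stand-in manager whose buggy dispatch loop re-reads m_Sockets.size() while handlers append sockets, beside the fixed loop bounded by the pollfd count captured when the set was built (FakeSocket, dispatchBuggy and dispatchFixed are assumed names).

```cpp
// Added illustration, not Nepenthes code. A handler invoked while the manager
// walks its socket list may append to m_Sockets; a loop bounded by the growing
// m_Sockets.size() then indexes the pollfd array (built with the old size) past
// its end. Bounding the loop by the pollfd count removes the out-of-bounds read.
#include <cstddef>
#include <vector>
#include <poll.h>

struct FakeSocket {          // assumed stand-in for Nepenthes' Socket class
    int fd;
    bool spawnsChild;        // on dispatch this socket registers a new one
};

class SocketManager {        // assumed minimal shape, not the real class
public:
    std::vector<FakeSocket> m_Sockets;
    std::size_t m_OutOfBounds = 0;   // pollfd indexes that would be read past the end

    // Buggy variant: the loop bound follows m_Sockets as it grows.
    void dispatchBuggy() {
        std::vector<pollfd> pfds = buildPollSet();
        for (std::size_t i = 0; i < m_Sockets.size(); ++i) {
            if (i >= pfds.size()) {  // without this guard pfds[i] reads past the end
                ++m_OutOfBounds;
                continue;
            }
            handle(i, pfds[i]);
        }
    }
    // Fixed variant: iterate only over the entries that were actually polled.
    void dispatchFixed() {
        std::vector<pollfd> pfds = buildPollSet();
        const std::size_t polled = pfds.size();
        for (std::size_t i = 0; i < polled; ++i)
            handle(i, pfds[i]);      // sockets added here wait for the next pass
    }
private:
    std::vector<pollfd> buildPollSet() const {
        std::vector<pollfd> pfds;
        for (const FakeSocket &s : m_Sockets) {
            pollfd p{};
            p.fd = s.fd;
            p.events = POLLIN;
            pfds.push_back(p);
        }
        return pfds;
    }
    void handle(std::size_t i, const pollfd &) {
        if (m_Sockets[i].spawnsChild) {
            m_Sockets[i].spawnsChild = false;   // clear before push_back moves the vector
            m_Sockets.push_back(FakeSocket{1000 + static_cast<int>(i), false});
        }
    }
};

// Two sockets that each register a child while being handled. Returns the
// number of pollfd indexes the buggy loop would have read out of bounds.
std::size_t buggyOverruns() {
    SocketManager m;
    m.m_Sockets = {{3, true}, {4, true}};
    m.dispatchBuggy();
    return m.m_OutOfBounds;      // 2: indexes 2 and 3 have no pollfd entry
}
// Same input through the fixed loop: no overruns, four sockets afterwards.
std::size_t fixedOverruns() {
    SocketManager m;
    m.m_Sockets = {{3, true}, {4, true}};
    m.dispatchFixed();
    return m.m_OutOfBounds;      // 0
}
```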

Modules
FIXES and ADDITIONS
-----
  * submit-norman
    * submit to cwsandbox too, add a new config var urls,
      which is a list of urls to post to
  * download-ftp
    * big endian fixes (rui)
  * shellcode-signatures
    * sparc64 fixes (rui)
  * log-prelude
    * various fixes (yoann)
  * sqlhandler-postgres
    * support options
  * submit-norman
    * use captchaless url
  * log-surfnet
    * prevent attack insert failures from messing up following attacks using the same socket ptr
    * update attack severity for delayed attacks
    * erase closed sockets from the socket tracker if there is no outstanding query to process
  * download-curl
    * new curl api

NEW
---
  * vuln-sav
    * added
  * log-hexdump
    * added, external module now
    * compile with --enable-debug-logging and load loghexdump.so
  * submit-mwserv
    * added (oxff)
  * submit-http
    * added (Niklas Schiffler)
  * module-honeytrap
    * added

Version 0.2.0
=============

Independent from the codebase, we cleaned up the compile process;
now every module is linked only against the libraries it relies on.

Nepenthes
FIXES and ADDITIONS
-----
  * Nepenthes
    * check for nepenthes in signal handler before logging
    * don't handle SIGUSR1/2
    * create LogManager in constructor, so we can use it right from the beginning to the bitter end
    * added mips & arm to MY_ARCHES
    * handle SIGCHLD & SIGPIPE
    * add -D daemonize flag for start as daemon
    * use proper types for uid/gid
    * don't change user/group if not necessary
    * clean up startup code
  * GeoLocationManager
    * removed
  * UploadManager
    * removed
  * LogManager
    * clear() loggers on destruction
    * check for registered loggers before logging; if no handlers are registered, log using printf
  * Socket
    * allow hw address lookup using /proc/net/arp in Socket::getRemoteHWA(string *address)
  * UDPSocket
    * fix source based routing for udp, bind local address for connect' connections
    * memset() our sockaddr_in before we use them
  * TCPSocket
    * add event on binding a port
    * memset() our sockaddr_in before we use them
  * SQLManager
    * added
  * ModuleManager
    * unload modules in reverse order
  * LogHandler
    * added setOwnership()
  * LogManager
    * added bool LogManager::delLogger(LogHandler *lh), returns true on success, false otherwise

Modules
FIXES and ADDITIONS
-----
  * shellcode-signatures
    * changed the build process to use the yacc & flex files
    * fix bug in sch_namespace_base64, credits go to Nelson William for pointing this out
  * log-prelude
    * fixes & classification changes by Harald Lampesberger
    * should produce valid idmef now
  * vuln-bagle
    * fixed endless loop on closed connection
  * vuln-mydoom
    * fixed endless loop on closed connection
  * log-irc
    * can set filters now
    * use LogManager::delLogger(LogHandler *lh) on ::Exit
  * shellemu-winnt
    * improve ftp.exe commandline parsing
      problem was, when the host/anonymous flag was specified on the command line,
      after the script
  * log-surfnet
    * log remote mac address to table if it's available
    * use sqlhandler-postgres, to offer autoreconnect etc etc etc
  * download-ftp
    * workaround problems with the PORT command where the virus would parse the wrong port
  * download-creceive
    * fix a bug where the download's source is equal to the download's destination
  * vuln-mydoom
    * fix destination ip
    * proper url
  * submit-norman
    * submit to cwsandbox too, add a new config var urls,
      which is a list of urls to post to

NEW
---
  * vuln-realvnc
    * handles alphanumeric keystrokes
    * clipboard actions
  * module-honeytrap
    * idea is taken from honeytrap.sf.net by Werner Tillmann
    * detect incoming connections using pcap/ipq/ipfw
    * bind unbound ports
    * create a mirror connection to the attacker to "emulate" the vuln using the attacker's own weakness
    * able to log incoming connections as pcap files
  * module-bridge
    * basic exploit & command detection in the accept() Dialogue
    * handle recognized attacks, download what has to be downloaded
  * sqlhandler-postgres
    * can use domains
    * nonblocking, even in conjunction with domains
    * autoreconnect
  * x-9
    * example on the sqlmanager/handler
  * submit-postgres
    * submit samples & context information to a postgres database
    * requires the sqlhandler-postgres
    * compatible with libpq 7.4 and 8.x
    * spooling with bencoded files
  * module-peiros
    * 'construction site'

GONE WITH THE WIND
------------------
  * geolocation-*
  * x-8 (geolocation example)
  * upload-http
  * submit-xmlrpc

Version 0.1.7
=============

Nepenthes
FIXES and ADDITIONS
-----
  * Nepenthes
    * default install won't spam the console; use --enable-debug-logging if you want the console spam party
    * --version dumps information about operating system
    * --help is better
    * log exit reason to file
    * prevent crash on startup when running in changeroot
      without changing process user and/or group id -> changeroot _after_ we
      chowned the logfiles
    * support for linux capabilities
  * SocketManager
    * support for if:ethN for default bind address by interface
    * removed RAWSocket
  * GeoLocationManager
    * add return value in Exit()
  * UploadHandler
    * g++ 4.1 fixes
  * DownloadHandler
    * g++ 4.1 fixes
  * ModuleManager
    * use dlopen() with RTLD_LOCAL; osx has RTLD_GLOBAL as default and
      therefore segfaults when unloading modules

Modules
FIXES and ADDITIONS
-----
  * vuln-ftpd
    * can handle NAT for active ftp
  * vuln-kuang
    * log remote ip, not local ip
  * x-6
    * free the mallocs
  * module-portwatch
    * removed port 21 from portwatch list
    * added 25 to portwatch list
  * shellcode-generic
    * detect wget in xmlrpc exploit attempts
  * log-irc
    * send irc server pass
    * infinite retries to resolve server/tor domain
  * x-7
    * dropped
  * dnsresolve-adns
    * g++ 4.1 fixes
  * submit-norman
    * g++ 4.1 fixes
  * download-curl
    * g++ 4.1 fixes
  * vuln-netdde
    * removed shellcodehandler, moved to shellcode-signatures
  * vuln-msmq
    * removed shellcodehandler, moved to shellcode-signatures
  * vuln-dcom
    * removed shellcodehandler, moved to shellcode-signatures
  * vuln-asn1
    * removed shellcodehandler, moved to shellcode-signatures
  * vuln-sasserftpd
    * removed shellcodehandler, moved to shellcode-signatures
  * vuln-wins
    * removed shellcodehandler, moved to shellcode-signatures
  * vuln-iis
    * removed shellcodehandler, moved to shellcode-signatures
  * vuln-lsass
    * removed shellcodehandler, moved to shellcode-signatures
  * vuln-mydoom
    * use CL_ASSIGN_AND_DONE when done (for log-surfnet)
  * vuln-bagle
    * use CL_ASSIGN_AND_DONE when done (for log-surfnet)

NEW
---
  * submit-gotek
    * submit files to the mwcollect alliance via the gotek 1 protocol
  * log-prelude
    * fixed by Harald Lampesberger
  * vuln-ftpd
    * emulation for various bugs in windows ftp daemons
    * contributed by Harald Lampesberger
  * shellcode-signatures
    * ported almost _all_ shellcodes from shellcode-generic

Version 0.1.6
=============

We made sure the source compiles on
  * cygwin
  * linux (tested debian on x86, fedora core 3 on amd64, suse 9 enterprise server on powerpc)
  * openbsd (tested on openbsd 3.8 on x86)
  * netbsd (tested on netbsd 2.0.2 on x86)

For cygwin we had to cast many int32_t to int, and many int32_t * to int too (104 times)... and include sys/socket.h (26 times).
OpenBSD enforced including sys/types.h nearly everywhere (37 times).
64bit fedora made us use intptr_t instead of int to point to memory (19 times).

The other focus was adding some new shellcode handlers,
and we added a new download handler for the broken-by-design rcp protocol.

Nepenthes
FIXES and ADDITIONS
-----
  * DownloadManager
    * as long as BIG_ENDIAN is not covered by autoconf, don't rely on it here.
  * UploadManager
    * fixed includes
  * DNSManager
    * errno fix
  * DownloadUrl
    * fixed includes
  * Buffer
    * casting int for amd64
  * Nepenthes
    * getopt int casting
    * no logfiles chown on cygwin
    * no filetype on cygwin, don't rely on it
    * cygwin needs int main()
    * no signals for cygwin (yet)
  * SocketManager
    * interface to request tcp connect sockets with provided local port (for download-rcp)
  * TCPSocket
    * new constructor for connect sockets which allows setting a local port

Modules
FIXES and ADDITIONS
-----
  * many modules
    * fixed wrong module names/descriptions
  * shellcode-generic (picchio contributed the analysis for them, we are really glad about his work)
    * added sch_generic_winexec
    * pinnebergConnect added
    * sch_generic_xor schoenberg xor added
    * schoenenberg bind added
    * ravensburg bind added
    * rosengarten xor added
    * schauenburg bind added
    * schauenburg xor added
    * leimbach xor family added
    * lichtenfels xor & connectback
  * submit-xmlrpc
    * using geolocation, submit-xmlrpc resolved the local's geolocation;
      now we resolve the remote's
  * log-irc
    * channel pass fix
    * upon request - reply nepenthes version to !version
  * shellemu-winnt
    * added VFSCommandRCP for rcp.exe

NEW
---
  * download-rcp
    * created, downloads files via the undocumented rcp protocol

Version 0.1.5
=============

Bugfix release/minor features.

Nepenthes
FIXES and ADDITIONS
-----
  * none

Modules
FIXES and ADDITIONS
-----
  * shellcode-generic
    * sch_generic_cmd added \r\n as line terminator
    * shellcode-generic.conf.dist langenfeldConnect pcre added
    * sch_generic_xor
      * deggendorf & langenfeld xor added
      * removed possible off-by-n (n <= 3) byte in the 4 byte xor
  * vuln-dcom
    * made it less aggressive; if it does not look like dcom, don't handle it
  * shellemu-winnt
    * VFSCommandSTART added
    * VFSCommandTFTP proper var checks added
    * added handling of the escape var ^ for the shell
    * VFSCommandFTP can download >1 file per batch now
    * VFSCommandFTP can handle "cd" now
  * download-http
    * handle downloads with 0 byte bodysize as broken
  * download-ftp
    * can send CWD now
    * fixed missing \r on sending RETR
  * geolocation-hostip
    * the address used to look addresses up changed, so we adjusted it
  * geolocation-ip2location
    * tarball lacked config file

NEW
---
  * vuln-msdtc
    * emulation for the ms05-051 exploit by swan

Version 0.1.4
=============

Bugfix release/minor features.

Nepenthes
FIXES and ADDITIONS
-----
  * FileLogger logged to somewhere after the config file was deleted, as it lacked a valid path

Modules
FIXES and ADDITIONS
-----
  * download-nepenthes
    * NULL pointer bug fixed
  * shellcode-generic
    * rewrapped xor code
    * added some bindshell codes
      * parthenstein
      * wackerow
      * kaltenborn
  * geolocation-ip2location
    * now makes use of the real ip2location c api you can download on their homepage,
      setting the lib up sucks, but it works
  * log-surfnet
    * moduledescription changed, as we log to postgres, not to mysql
  * dnsresolve-adns
    * added modulename and description

Version 0.1.3
=============

Bugfix release/minor features.

FIXME
  * fixed some g++ 3.2 include issues
  * Autoconf
    * improved configure.ac
    * added --enable-* to configure
    * geolocation is optional
    * dump ./configure configuration to stdout
  * Nepenthes core
    * DownloadManager & Download & DownloadCallback
      * changed structure so we can specify a DownloadCallback for internal downloads
      * interested in a download's result: ask the DownloadManager to download it and provide a DownloadCallback;
        the DownloadManager will pass the information, encapsulated in a Download, to its DownloadHandler;
        the DownloadHandler will try to download it and pass the Download as result to the DownloadCallback
    * DNSManager DNSQuery DNSHandler DNSResult DNSCallback
      * made the DNSResolver service modular; the only module available so far is dnsresolve-adns
      * modules providing resolver capabilities are now called 'DNSHandler';
        anything which is interested in a dns resolution result is a DNSCallback now
        (before there was no DNSCallback, no modularity, and we called classes interested in DNS DNSHandler)
      * interested in resolving some domain: ask the DNSManager and provide a DNSCallback;
        the DNSManager will form a DNSQuery from the request and pass it to its DNSHandler;
        the DNSHandler will try to resolve the domain and pass the result as a DNSResult to the
        DNSCallback
    * Event
      * use uint8_t as Eventid instead of event_type
      * added ShellcodeEvent & DialogueEvent
    * EventManager
      * allow internal Event registration
    * GeoLocationManager GeoLocationQuery GeoLocationHandler GeoLocationResult GeoLocationCallback
      * created
      * GeoLocationHandlers register with the GeoLocationManager
      * interested in GeoLocation lookups: ask the GeoLocationManager and provide a GeoLocationCallback;
        the GeoLocationManager will form a GeoLocationQuery from the request and pass it to its GeoLocationHandler;
        the GeoLocationHandler will try to resolve it and pass the GeoLocationResult to the GeoLocationCallback
      * added caching of results
    * LogManager
      * filelogger is the default logger again, so logrotate can do its job
      * force ringbuffer logger usage with -R
    * log-ringbuffer
      * added
        stop wasting diskspace with logs
      * sets correct permissions on destination files
      * uses path to log to from nepenthes.logmanager.ring_logger_file
    * log-file
      * uses path to log to from nepenthes.logmanager.file_logger_file
    * Nepenthes
      * improved the init, better errorhandling
      * -f can do dirs
    * ShellcodeManager
      * hooks a ShellcodeEvent on success
    * SocketManager TCPSocket UDPSocket RAWSocketListener
      * decreased poll timeout
      * moved ports to uint16_t
      * use nepenthes.socketmanager.bind_address instead of binding INADDR_ANY for bind & connect
        (suggested by Michael H. Warfield)
    * TCPSocket
      * hooks a DialogueEvent on success
    * UploadManager UploadQuery UploadHandler UploadResult UploadCallback
      * created
      * interested in uploading something somewhere: ask the UploadManager and provide an UploadCallback;
        the UploadManager will form an UploadQuery from the request and pass it to its UploadHandler;
        the UploadHandler will try to upload the data and pass the reply as an UploadResult to the
        UploadCallback
    * Utilities
      * added escapeXMLString(char *)
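
The Manager / Query / Handler / Result / Callback chain that the DownloadManager, DNSManager, GeoLocationManager and UploadManager entries above all describe, shown once with the DNS names from this release as an added example that is not Nepenthes' own code: only the class names come from the page; every class body, method name and the table-backed stand-in handler are assumptions.

```cpp
// Added example, not Nepenthes code: the Manager/Query/Handler/Result/Callback
// chain from the 0.1.3 notes with the DNS names from the page. Class bodies,
// method names and the table-backed handler are assumptions.
#include <map>
#include <string>
#include <vector>

struct DNSResult {
    std::string domain;
    std::vector<std::string> addresses;   // empty when resolution failed
};
// Anything interested in a resolution result is a DNSCallback.
class DNSCallback {
public:
    virtual ~DNSCallback() = default;
    virtual void dnsResolved(const DNSResult &r) = 0;
    virtual void dnsFailure(const DNSResult &r) = 0;
};
struct DNSQuery {                  // formed by the DNSManager from a request
    std::string domain;
    DNSCallback *callback;         // who receives the result
};
// A resolver module (dnsresolve-adns in this release) implements this.
class DNSHandler {
public:
    virtual ~DNSHandler() = default;
    virtual void resolve(const DNSQuery &q) = 0;
};
class DNSManager {
public:
    void registerHandler(DNSHandler *h) { m_Handler = h; }
    // Forms a DNSQuery from the request and hands it to the registered handler.
    bool resolve(const std::string &domain, DNSCallback *cb) {
        if (m_Handler == nullptr || cb == nullptr) return false;
        m_Handler->resolve(DNSQuery{domain, cb});
        return true;
    }
private:
    DNSHandler *m_Handler = nullptr;
};
// Constructed stand-in for a resolver module: answers from a fixed table.
class TableDNSHandler : public DNSHandler {
public:
    std::map<std::string, std::vector<std::string>> table;
    void resolve(const DNSQuery &q) override {
        DNSResult r{q.domain, {}};
        auto it = table.find(q.domain);
        if (it == table.end()) { q.callback->dnsFailure(r); return; }
        r.addresses = it->second;
        q.callback->dnsResolved(r);
    }
};
// Callback that records the outcome it was handed.
class RecordingCallback : public DNSCallback {
public:
    std::vector<std::string> addresses;
    bool failed = false;
    void dnsResolved(const DNSResult &r) override { addresses = r.addresses; }
    void dnsFailure(const DNSResult &) override { failed = true; }
};
// Wires the chain together: number of addresses resolved for domain, or -1
// when the handler reported failure to the callback.
int lookupCount(const std::string &domain) {
    TableDNSHandler handler;
    handler.table["example.test"] = {"192.0.2.10", "192.0.2.11"};  // constructed data
    DNSManager manager;
    manager.registerHandler(&handler);
    RecordingCallback cb;
    if (!manager.resolve(domain, &cb) || cb.failed) return -1;
    return static_cast<int>(cb.addresses.size());
}
```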

Modules
FIXES and ADDITIONS
-----
  * shellemu-winnt
    * fixed sending shell header on accept shells
    * VFSCommandFTP handle -A flag for anonymous logins
    * fixed crash with -f flag for checking dumps
    * batch file handling
  * vuln-mssql
    * fixed tcp socket instead of udp
  * download-ftp
    * fixed quitting loop
  * dnsmanager, dnsquery, dnsresult
    * TXT record added
  * x-2
    * fix memleak
  * x-5
    * now registers its own event to show how this works
  * x-6
    * 'txt <domain>' will resolve the txt record now
  * submit-xmlrpc
    * can use geolocation services now
    * fixes some xml parsing
  * download-ftp
    * send LOGIN after 220 Welcome
  * download-curl
    * add internal download capabilities
  * shellcode-generic
    * sch_generic_link_xor
      * improve bad length handling
    * added adenau xor
    * added adenau connectback
    * added unicode decoder
    * sch_generic_url
      * added - to allowed chars

NEW
---
  * dnsresolve-adns
    * made it a module
    * fixes some memory leaks we saw before
  * download-http
    * written as download-curl replacement
  * geolocation-hostip
    * resolve geolocations via hostip.info
  * geolocation-geoip
    * resolve geolocations via maxminds geoip library
  * geolocation-ip2location
    * resolve geolocations via maxminds geoip library
  * log-surfnet
    * log to surfnet ids database
      http://ids.surfnet.nl
  * vuln-ssh
    * created
    * works for ssh logins, fails for ssh worms :\
  * x-8
    * added example how to use geolocation services
  * Other
    * phpxmlrpc_server
      * added
    * doxygen docu
      * added

Version 0.1.2
=============

Bugfix release/minor features.

  * Utilities
    * hexdump uses nepenthes.utilites.hexdump_path as pathinfo now
  * shellemu-winnt
    * VFSCommandFTP uses new DownloadFlags
  * Download
    * added DownloadFlags so we can handle broken ftpds better
    * added ::addFlag(uint8_t) & ::getFlags()
  * DownloadManager
    * download() now takes uint8_t downloadflags as argument
  * download-ftp
    * bind to port 0 to avoid collision
    * rewrote nearly everything to handle broken ftp daemons better, including the new DownloadFlags
  * Socket
    * changed SS_NULL to SS_CONNECTED
    * added SS_CONNECTING
  * TCPSocket
    * set localip on accept() Sockets, so we can use this info further
    * bind ConnectSockets before connecting, so we use the same ip for reverseconnect shells
    * uses SS_CONNECTING for connect sockets
    * overloads setState(), so if they are in state SS_CONNECTING and go to SS_CONNECTED they
      can call Dialogue::connectionEstablished() for their dialogues
    * some changes in the TCPSocket's internal Dialogue handling prevent nepenthes recognizing
      the same shellcode in more than one dialogue, resulting in more than one download per exploit
  * vuln-dameware
    * created
  * Dialogue
    * added ::dump()
    * added ::connectionEstablished()
  * many vuln-* modules
    * added CL_ASSIGN_AND_DONE handling
  * many shellcodehandlers using downloadhandler
    * added valid downloadflag usage

Version 0.1.1
=============

Bugfix release/minor features.
This is the first release featuring auto(conf|make|broken|whatever) support.
Maximillian Dornseif had enough time to burn to write configure.whatever
and such stuff for everything so far.

  * Compile fixes for
    * Mac OSX
    * FreeBSD
  * Nepenthes
    * Added functionality for -d and -l command line options (log filtering).
    * Handle SIGINT on -f (command line) usage.
    * -V is now version.
    * -v is now verbose, useful for -f when debugging new shellcodehandlers.
    * DownloadBuffer now features cutFront(unsigned int len)
    * Veritas Backup Exec Exploit for port 10000 added.
  * shellcode-generic
    * Konstanz XOR added as sch_generic_konstanz_xor.
    * Konstanz connectback shell pattern added to shellcode-generic.conf.dist.
    * Removed VERITASDialogue for port 10000 hexdump, added shellcodehandling.
  * shellcode-generic
    * Fixed sch_generic_connect.
    * Added sch_generic_connect_trans and Halle PCRE.
    * Added sch_generic_xor Halle.
  * vuln-dcom
    * Fixed oc192 PCRE.
    * Removed SOL2k shellcode handler, as they were never seen during the last two months.
  * download-csend
    * the atoi(url->path) is cut from the download buffer to be able to use csend with halle
  * vuln-iis
    * Handle NULL if binding the socket fails in a useful manner
  * vuln-pnp
    * added
    * handles the MS05-039 exploit by houseofdabus
  * vuln-lsass
    * fixed some lines to work properly with vuln-pnp
  * Utilities
    * sha512 added
  * shellemu-winnt
    * VFSCommandCMD
      the first command after the /c has to be re-added to the StdIn queue, like we did before,
      but we have to add a delimiter '&' so we don't break our own parsing.
  * Download
    * added SHA512 get & set methods
  * SubmitManager
    * set SHA512 for downloads
  * tools/rpcxmlxfer
    * there is an early implementation of a central collection and
      logging protocol called rpcxmlxfer in this release. The prototype is
      implemented as an external script. Just add something like
        */5 * * * * nobody /opt/nepenthes/bin/rpcxmlxfer-client -q
      to your /etc/crontab to try it.
  * download-ftp
    * bind to port 0 to avoid collision
  * Socket
    * changed SS_NULL to SS_CONNECTED
    * added SS_CONNECTING
  * TCPSocket
    * set localip on accept() Sockets, so we can use this info further
    * bind ConnectSockets before connecting, so we use the same ip for reverseconnect shells
    * uses SS_CONNECTING for connect sockets
    * overloads setState(), so if they are in state SS_CONNECTING and go to SS_CONNECTED they
      can call Dialogue::connectionEstablished() for their dialogues
  * submit-xmlrpc
    * created
    * depends on vuln-lsass
  * vuln-dameware
    * created
  * Dialogue
    * added dump()
    * added connectionEstablished()

Version 0.1.0
=============

Initial release.