Josh,

Thanks. I had thought it might be the space in the default directory name, so I had already tried moving the honeypot image to /home/david/vmware/Capture but this also fails with the same error.

Testing on another system today...

Thanks for the suggestion anyway.

Cheers,

David

[EMAIL PROTECTED] wrote:
> I think I may have had this problem when I started out. I'm running
> mine on the latest Ubuntu Server image. For some reason mine gave me
> an error like that while it was in the /var/lib/vmware/Virtual
> Machines/* directory. Try moving your virtual machine directory to
> your home directory and load up Capture-HPC. I know it seems like a
> permission issue, but I tried everything I could think of with
> permissions but it only worked once I moved the virtual machine
> directory.
>
> -Josh
>
> On 8/1/08, Christian Seifert <[EMAIL PROTECTED]> wrote:
>> Let me get back to you early next week...right now I am baffled as
>> well and need to try out myself...
>>
>> Christian
>>
>> ---
>> Web: http://www.mcs.vuw.ac.nz/~cseifert
>>
>>
>> On Aug 1, 2008, at 7:51 AM, David Watson <[EMAIL PROTECTED]> wrote:
>>
>>> Christian,
>>>
>>> Using revert from the command line I get the same error:
>>>
>>> [EMAIL PROTECTED]:~/client_honeypots/capture-server-2.1.0-300-src$ ./revert 192.168.0.144 david dummy123 /var/lib/vmware/Virtual\ Machines/Capture1/Capture1.vmx Administrator client1 cmd.exe "/K dir"
>>> Hostname: 192.168.0.144
>>> Username: david
>>> Password: dummy123
>>> VMPath: /var/lib/vmware/Virtual Machines/Capture1/Capture1.vmx
>>> Guest Username: Administrator
>>> Guest Password: client1
>>> Guest Cmd: cmd.exe
>>> Guest Options: /K dir
>>> VIX Error on connect in connect: One of the parameters was invalid
>>> E Disconnected
>>>
>>> (using localhost also fails, as does double quotes around the .vmx
>>> location, and including the full command options normally passed by
>>> Capture)
>>>
>>> I can definitely connect to this machine on port 902 with the above
>>> credentials (and telnet into it to see the "VMware Authentication
>>> Daemon" banner), plus the honeypot credentials are correct (as is the
>>> .vmx path, which is owned by the user david). I've also tried creating
>>> a new user within the VM and adding it to the Administrators group
>>> then passing these credentials, but it also fails.
>>>
>>> Nothing is logged in the system or vmware logs.
>>>
>>> Any ideas on how I might get some further diagnostic information,
>>> particularly on the VMware Server side? Currently I'm stumped and will
>>> have to try it on another machine.
>>>
>>> Thanks,
>>>
>>> David
>>>
>>> Christian Seifert wrote:
>>>> David, I am unsure on why this is happening. Since it compiled, I
>>>> suppose the API didn't change.
>>>>
>>>> You could take a look at revert.c and try to run it by itself from
>>>> the command line. See whether this works.
>>>>
>>>> I will also do some testing on my end with 1.0.6 next week. I'd
>>>> like to wrap up the next version of Capture next week....hopefully
>>>> by Wednesday I can send a beta to the group...
>>>>
>>>> Christian
>>>>
>>>> On Wed, Jul 30, 2008 at 4:44 AM, David Watson
>>>> <[EMAIL PROTECTED]> wrote:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I've been having some problems getting the current version of
>>>>> Capture (capture-server-2.1.0-300) up and running on a machine
>>>>> running the current version of Kubuntu and the latest VMware Server
>>>>> (VMware-server-1.0.6-91891.tar.gz).
>>>>>
>>>>> I've documented the server build process here:
>>>>>
>>>>> http://www.ukhoneynet.org/2008/07/28/compiling-capture-hpc-on-vmware-server-106/
>>>>>
>>>>> My honeypot is WinXP SP2 with the default Capture install
>>>>> (capture-client-2.1.0-300), as per the Readme file.
>>>>>
>>>>> I've temporarily disabled iptables on the server and I've checked
>>>>> client/server connectivity by telnetting to the relevant ports. The
>>>>> usernames and passwords also work when tested locally and
>>>>> permissions seem correct.
>>>>>
>>>>> Server IP = 192.168.0.144
>>>>> Honeypot VM IP = 192.168.0.21
>>>>>
>>>>> Attempting to process the sample URLs results in this behaviour:
>>>>>
>>>>> [EMAIL PROTECTED]:~/client_honeypots/capture-server-2.1.0-300$ /usr/lib/jvm/java-6-sun/bin/java -Djava.net.preferIPv4Stack=true -jar CaptureServer.jar -s 192.168.0.144:7070 -f input_urls_example.txt
>>>>>
>>>>> Option added: server-listen-port => 7070
>>>>> Option added: server-listen-address => 192.168.0.144
>>>>> Option added: input_urls => input_urls_example.txt
>>>>> CaptureServer: Listening for connections
>>>>> Validating config.xml ...
>>>>> config.xml successfully validated
>>>>> Option added: capture-network-packets-benign => false
>>>>> Option added: capture-network-packets-malicious => false
>>>>> Option added: client-default-visit-time => 10
>>>>> Option added: collect-modified-files => false
>>>>> Option added: p_m => 1
>>>>> Option added: send-exclusion-lists => false
>>>>> ExclusionList: file - FileMonitor.exl: File not found
>>>>> ExclusionList: process - ProcessMonitor.exl: File not found
>>>>> ExclusionList: registry - RegistryMonitor.exl: File not found
>>>>> [192.168.0.144:902] VM added
>>>>> [Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState: WAITING_TO_BE_REVERTED
>>>>> [Jul 30, 2008 12:31:27 PM-192.168.0.144:902-3374351] VMSetState: REVERTING
>>>>> Hostname: 192.168.0.144
>>>>> Username: david
>>>>> Password: dummypassword
>>>>> VMPath: /var/lib/vmware/Virtual Machines/Capture1/Capture1.vmx
>>>>> Guest Username: Administrator
>>>>> Guest Password: client1
>>>>> Guest Cmd: cmd.exe
>>>>> Guest Options: /K C:\Progra~1\Capture\CaptureClient.bat -s 192.168.0.144 -p 7070 -a 27687351 -b 3374351
>>>>> VIX Error on connect in connect: One of the parameters was invalid
>>>>> E Disconnected
>>>>> [Jul 30, 2008 12:31:29 PM 192.168.0.144:902-3374351] VMware error 255
>>>>> [Jul 30, 2008 12:31:29 PM-192.168.0.144:902-3374351] VMSetState: ERROR
>>>>>
>>>>> However, if I manually initiate Capture on the client honeypot VM by
>>>>> running:
>>>>>
>>>>> C:\Progra~1\Capture\CaptureClient.bat -s 192.168.0.144 -p 7070 -a 27687351 -b 3374351
>>>>>
>>>>> I then get the following in the running Capture server output:
>>>>>
>>>>> <connect vm-server-id="27687351" vm-id="3374351"/>
>>>>> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState: CONNECTED
>>>>> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>>>>> [Jul 30, 2008 12:32:24 PM-192.168.0.144:902-3374351] VMSetState: RUNNING
>>>>> <visit-event identifier="-2096107695" program="iexplore" time="30/7/2008 12:33:3.45" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.com" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:3.45" visited="0"></item></visit-event>
>>>>> [Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] Visiting group -2096107695
>>>>> UrlSetState: VISITING
>>>>> [Jul 30, 2008 12:32:25 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:32:27 PM-192.168.0.144:902-3374351] Got pong
>>>>> <visit-event identifier="-2096107695" program="iexplore" time="30/7/2008 12:33:21.342" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.com" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:21.342" visited="1"></item></visit-event>
>>>>> [Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] Visited group -2096107695 BENIGN
>>>>> UrlSetState: VISITED
>>>>> [Jul 30, 2008 12:32:36 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>>>>> <visit-event identifier="-126122049" program="iexplore" time="30/7/2008 12:33:21.702" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.de" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:21.702" visited="0"></item></visit-event>
>>>>> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] Visiting group -126122049
>>>>> UrlSetState: VISITING
>>>>> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:32:37 PM-192.168.0.144:902-3374351] Got pong
>>>>> <visit-event identifier="-126122049" program="iexplore" time="30/7/2008 12:33:36.139" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.de" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:36.139" visited="1"></item></visit-event>
>>>>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Visited group -126122049 BENIGN
>>>>> UrlSetState: VISITED
>>>>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>>>>> <visit-event identifier="961326393" program="iexplore" time="30/7/2008 12:33:36.295" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.fr" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:36.295" visited="0"></item></visit-event>
>>>>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Visiting group 961326393
>>>>> UrlSetState: VISITING
>>>>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:32:47 PM-192.168.0.144:902-3374351] Got pong
>>>>> <visit-event identifier="961326393" program="iexplore" time="30/7/2008 12:33:54.467" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.fr" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:54.467" visited="1"></item></visit-event>
>>>>> [Jul 30, 2008 12:32:53 PM-192.168.0.144:902-3374351] Visited group 961326393 BENIGN
>>>>> UrlSetState: VISITED
>>>>> [Jul 30, 2008 12:32:53 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>>>>> <visit-event identifier="-1716674727" program="iexplore" time="30/7/2008 12:33:54.514" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.it" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:33:54.514" visited="0"></item></visit-event>
>>>>> [Jul 30, 2008 12:32:54 PM-192.168.0.144:902-3374351] Visiting group -1716674727
>>>>> UrlSetState: VISITING
>>>>> [Jul 30, 2008 12:32:54 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:32:58 PM-192.168.0.144:902-3374351] Got pong
>>>>> <visit-event identifier="-1716674727" program="iexplore" time="30/7/2008 12:34:11.30" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.it" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:11.30" visited="1"></item></visit-event>
>>>>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] Visited group -1716674727 BENIGN
>>>>> UrlSetState: VISITED
>>>>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>>>>> <visit-event identifier="1053184499" program="iexplore" time="30/7/2008 12:34:11.92" type="start" malicious="0"><item url="http%3a%2f%2fwww.google.co.nz" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:11.92" visited="0"></item></visit-event>
>>>>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] Visiting group 1053184499
>>>>> UrlSetState: VISITING
>>>>> [Jul 30, 2008 12:33:00 PM-192.168.0.144:902-3374351] ClientSetState: VISITING
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:33:07 PM-192.168.0.144:902-3374351] Got pong
>>>>> <visit-event identifier="1053184499" program="iexplore" time="30/7/2008 12:34:25.811" type="finish" malicious="0"><item url="http%3a%2f%2fwww.google.co.nz" program="iexplore" major-error-code="0" minor-error-code="0" time="30/7/2008 12:34:25.811" visited="1"></item></visit-event>
>>>>> [Jul 30, 2008 12:33:11 PM-192.168.0.144:902-3374351] Visited group 1053184499 BENIGN
>>>>> UrlSetState: VISITED
>>>>> [Jul 30, 2008 12:33:11 PM-192.168.0.144:902-3374351] ClientSetState: WAITING
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:33:17 PM-192.168.0.144:902-3374351] Got pong
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:33:27 PM-192.168.0.144:902-3374351] Got pong
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:33:37 PM-192.168.0.144:902-3374351] Got pong
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:33:47 PM-192.168.0.144:902-3374351] Got pong
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:33:57 PM-192.168.0.144:902-3374351] Got pong
>>>>> <pong/>
>>>>> [Jul 30, 2008 12:34:07 PM-192.168.0.144:902-3374351] Got pong
>>>>>
>>>>> With everything working as expected.
>>>>>
>>>>> Any ideas as to why I can't automatically revert the VM and launch
>>>>> the Capture client, or what causes the "VIX Error on connect in
>>>>> connect: One of the parameters was invalid" error?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> David
>>>>>
>>>>> --
>>>>> David Watson
>>>>> UK Honeynet Project
>>>>> www.ukhoneynet.org
>>>>> [EMAIL PROTECTED]
>>>>>
>>>>> _______________________________________________
>>>>> Capture-HPC mailing list
>>>>> Capture-HPC@public.honeynet.org
>>>>> https://public.honeynet.org/mailman/listinfo/capture-hpc