Honey-pot with Honeyd on Ubuntu

1. What is honeyd?

honeyd: Small daemon that creates virtual hosts simulating their services and behavior

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation. It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file.

Instead of simulating a service, it is also possible to proxy it to another machine.

Features:

  • Simulates thousands of virtual hosts at the same time.
  • Configuration of arbitrary services via simple configuration file:
    • Includes proxy connects.
  • Simulates operating systems at TCP/IP stack level:
    • Fools nmap and xprobe,
    • Adjustable fragment reassembly policy,
    • Adjustable FIN-scan policy.
  • Simulation of arbitrary routing topologies:
    • Configurable latency and packet loss.

2. Scenario

  • Current network : 192.168.1.0/24
  • Ubuntu machines : 192.168.1.10
  • Gateway : 192.168.1
  • HoneyHost Linux : 192.168.1.101 – SSH/SMTP
  • HoneyHost Linux : 192.168.1.102 – SSH/FTP/HTTP/MYSQL
  • HoneyHost Windows : 192.168.1.105 – FTP/HTTP

3. Install

apt-get install honeyd honeyd-common nmap farpd

4. Attract IP Packets to the Honey Hosts

Before configuring and running Honeyd, we need to ensure that the Honeyd host answers the ARP requests for the IP addresses of the honeypots we are hosting; otherwise the packets sent to those addresses never reach it.

Farpd is what draws the traffic for my assigned subnet to this host. It uses ARP spoofing to reply to ARP requests for the IPs used in the honeynet, but only for addresses that no other host on the LAN claims, so the real machines in 192.168.1.0/24 keep answering for themselves. If you only want the honeypot addresses answered, give farpd a narrower network that contains just those addresses instead of the whole /24.

To start farpd I used the following command:

farpd -i eth0 192.168.1.0/24

5. Configure your Pot

Here is a sample configuration file you can use and adapt. It is saved as:

/etc/honeypot/honeyd.conf

Look at the service emulation scripts shipped on your machine (Ubuntu 10.04: /usr/share/honeyd/scripts/) and point each port at the one you want.


# Sample configuration

### Linux 2.4.x computer
create linux
set linux personality "Linux 2.4.16 - 2.4.18"
set linux default tcp action reset
set linux default udp action reset
add linux tcp port 21 "sh /usr/share/honeyd/scripts/unix/linux/ftp.sh"
add linux tcp port 25 "sh /usr/share/honeyd/scripts/unix/general/smtp.sh"
# note: this runs the telnet emulation script on the HTTP port
add linux tcp port 80 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/telnetd.sh"
#set linux uptime 3284460
# the two Linux honey hosts of the scenario
bind 192.168.1.101 linux
bind 192.168.1.102 linux

### Windows computers
# every set/add line must use the name given to create, here "windowsnt"
create windowsnt
set windowsnt personality "Windows NT 4.0 Server SP5-SP6"
set windowsnt default tcp action reset
set windowsnt default udp action reset
add windowsnt tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh"
add windowsnt tcp port 139 open
add windowsnt tcp port 137 open
add windowsnt udp port 137 open
add windowsnt udp port 135 open
set windowsnt uptime 3284460

### Windows XP and IIS
# "default" is honeyd's built-in template for unbound addresses,
# so these lines must name the created template "windowsxp"
create windowsxp
set windowsxp personality "Microsoft Windows XP Professional SP1"
add windowsxp tcp port 80 "sh /usr/share/honeyd/scripts/win32/web.sh"
set windowsxp default tcp action reset
set windowsxp default udp action reset

### Cisco router
create router
set router personality "Cisco IOS 11.3 - 12.0(11)"
set router default tcp action reset
set router default udp action reset
add router tcp port 23 "pl /usr/share/honeyd/scripts/router-telnet.pl"
set router uid 32767 gid 32767
set router uptime 1327650

# Select what to bind
#bind 192.168.1.15 router
bind 192.168.1.104 windowsnt
bind 192.168.1.105 windowsxp

# Other emulation scripts shipped with the package that you can use instead:
# /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh
# /usr/share/honeyd/scripts/unix/linux/suse7.0/wuftpd.sh
# /usr/share/honeyd/scripts/unix/linux/suse8.0/proftpd.sh
# /usr/share/honeyd/scripts/win32/win2k/msftp.sh

Check your configuration with this command:

honeyd --verify-config /etc/honeypot/honeyd.conf
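honeyd --verify-config only reports what the parser rejects. The mistakes that are easiest to make in this file, a set or add line that names a template you never created (so the settings silently land on a different template) or the same address bound twice, are worth catching before you start the daemon. The following linter is an added example, not part of this page or of honeyd; it tokenises the subset of the honeyd grammar used in the sample above (create, clone, set, add, delete, bind) and the embedded configuration is a constructed sample that reproduces those mistakes.

```python
"""Static checks for a honeyd.conf before honeyd loads it (added example)."""
import ipaddress
import shlex

# Constructed sample: a duplicate bind, and set/add lines that name
# "windows" although the template was created as "windowsnt".
SAMPLE_CONF = """\
create linux
set linux personality "Linux 2.4.16 - 2.4.18"
set linux default tcp action reset
add linux tcp port 25 "sh /usr/share/honeyd/scripts/unix/general/smtp.sh"
bind 192.168.1.101 linux
bind 192.168.1.101 linux

create windowsnt
set windows personality "Windows NT 4.0 Server SP5-SP6"
add windows tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh"
bind 192.168.1.104 windowsnt
"""

# "default" is honeyd's implicit template; it needs no create line.
IMPLICIT_TEMPLATES = {"default"}
# "tarpit open" / "tarpit reset" arrive as two tokens, so "tarpit" is enough here.
VALID_ACTIONS = {"open", "reset", "block", "tarpit"}


def lint(conf_text):
    """Return a list of (line_number, message); line 0 marks file-level findings."""
    created = set(IMPLICIT_TEMPLATES)
    bound = {}          # ip -> template it was bound to
    problems = []

    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)   # honours quotes and '#' comments
        except ValueError as exc:                    # e.g. an unbalanced quote
            problems.append((lineno, f"cannot tokenise line: {exc}"))
            continue
        if not tok:
            continue
        cmd, args = tok[0], tok[1:]

        if cmd == "create" and args:
            if args[0] in created:
                problems.append((lineno, f"template '{args[0]}' created twice"))
            created.add(args[0])
        elif cmd == "clone" and len(args) >= 2:
            new, old = args[0], args[1]
            if old not in created:
                problems.append((lineno, f"clone of unknown template '{old}'"))
            created.add(new)
        elif cmd in ("set", "add", "delete"):
            if not args:
                problems.append((lineno, f"'{cmd}' without a template name"))
                continue
            name = args[0]
            if name not in created:
                problems.append((lineno, f"{cmd} refers to unknown template '{name}'"))
            # add <template> <proto> port <n> <action | "script">
            if cmd == "add" and len(args) >= 4 and args[2] == "port":
                if not (args[3].isdigit() and 1 <= int(args[3]) <= 65535):
                    problems.append((lineno, f"bad port '{args[3]}'"))
                if args[1] not in ("tcp", "udp"):
                    problems.append((lineno, f"bad protocol '{args[1]}' for a port entry"))
            # set <template> default <proto> action <action>
            if cmd == "set" and len(args) >= 5 and args[1] == "default" and args[3] == "action":
                if args[4] not in VALID_ACTIONS:
                    problems.append((lineno, f"unknown default action '{args[4]}'"))
        elif cmd == "bind":
            if len(args) < 2:
                problems.append((lineno, "bind needs an address and a template"))
                continue
            ip, name = args[0], args[1]
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append((lineno, f"'{ip}' is not an IP address"))
            if name not in created:
                problems.append((lineno, f"bind to unknown template '{name}'"))
            if ip in bound:
                problems.append((lineno, f"{ip} already bound to '{bound[ip]}'"))
            bound[ip] = name

    # A template nobody binds is usually a typo in a bind line.
    for name in sorted(created - IMPLICIT_TEMPLATES - set(bound.values())):
        problems.append((0, f"template '{name}' is created but never bound"))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for lineno, msg in lint(text):
        print(f"line {lineno}: {msg}" if lineno else f"file: {msg}")
```

Run it as python honeyd_lint.py /etc/honeypot/honeyd.conf; without an argument it checks the built-in sample and reports the duplicate bind on line 6 and the unknown template "windows" on lines 9 and 10. It does not check that the script paths exist or that a personality name is present in nmap.prints; that is what honeyd --verify-config is for.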

6. Running Honeyd

After creating the configuration file, I opened a terminal and launched Honeyd with the following command. The address range lists the honeypot IPs Honeyd should answer for, and -l writes the packet log:

honeyd -f /etc/honeypot/honeyd.conf -l /tmp/honeypot.log 192.168.1.101-192.168.1.105
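The packet log written with -l is where the honeypot earns its keep: every address in the range is unused, so any connection to it is worth a look. The summariser below is an added example, not code from this page or from honeyd. The line layout it parses (timestamp, protocol, an S/E/- flag for connection start, connection end or a packet outside a connection, source address and port, destination address and port, optional counters and fingerprint) is an assumption about honeyd's packet log, and the embedded log lines are constructed, not captured from a real honeypot.

```python
"""Summarise a honeyd packet log written with -l (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines (not captured traffic). Assumed layout:
# <timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport>[: counters] [<fingerprint>]
SAMPLE_LOG = """\
2023-05-01-10:00:01.0001 tcp(6) S 192.168.1.50 40123 192.168.1.101 25 [Linux 2.4.x .]
2023-05-01-10:00:01.2001 tcp(6) E 192.168.1.50 40123 192.168.1.101 25: 120 64
2023-05-01-10:00:03.0010 tcp(6) S 192.168.1.50 40124 192.168.1.102 21
2023-05-01-10:00:07.0020 tcp(6) S 192.168.1.77 51000 192.168.1.105 80 [Windows XP SP1 .]
2023-05-01-10:00:09.0030 udp(17) - 192.168.1.77 5353 192.168.1.105 137: 60
this line is not in the expected layout
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp)\(\d+\) (?P<flag>[SE-]) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines):
    """Count new contacts per honeypot port and per source; note how many ports each source touched."""
    starts = Counter()              # (dst, proto, dport) -> new contacts
    sources = Counter()             # src -> new contacts
    ports_by_src = defaultdict(set)  # src -> {(proto, dport), ...}
    skipped = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():        # unparsable but non-empty: count, do not crash
                skipped += 1
            continue
        if rec["flag"] == "E":      # end of a connection already counted at 'S'
            continue
        starts[(rec["dst"], rec["proto"], rec["dport"])] += 1
        sources[rec["src"]] += 1
        ports_by_src[rec["src"]].add((rec["proto"], rec["dport"]))
    return {
        "starts": starts,
        "sources": sources,
        "ports_by_src": {src: len(ports) for src, ports in ports_by_src.items()},
        "skipped": skipped,
    }


def report(summary):
    """Render the summary as text: busiest honeypot ports first, then the sources."""
    out = ["contacts per honeypot port:"]
    for (dst, proto, dport), n in summary["starts"].most_common():
        out.append(f"  {dst} {proto}/{dport}: {n}")
    out.append("sources (contacts, distinct ports touched):")
    for src, n in summary["sources"].most_common():
        out.append(f"  {src}: {n}, {summary['ports_by_src'][src]} ports")
    if summary["skipped"]:
        out.append(f"{summary['skipped']} line(s) not in the expected layout were skipped")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(report(summarize(lines)))
```

Run it as python honeyd_log_summary.py /tmp/honeypot.log. A source that touches many distinct ports across several honey hosts in a short time is the scan pattern you are hoping to record; a single source hitting one service repeatedly is usually a brute-force attempt against that emulated service, which the -s service log shows in more detail.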

References:

  • Open Source Honeypots: Learning with Honeyd – http://www.securityfocus.com/infocus/1659
  • Honeyd – http://www.honeyd.org/
