List of Figures
Honeypots for Windows
by Roger A. Grimes
Apress 2005

Chapter 1: An Introduction to Honeypots

Figure 1-1: A honeynet example
Figure 1-2: A sample honeypot deployment
Figure 1-3: VMware running Windows NT Server 4.0 and Windows 98 on a Windows 2000 Professional computer
Figure 1-4: GenII honeypot setup

Chapter 2: A Honeypot Deployment Plan

Figure 2-1: Example of a production honeynet
Figure 2-2: Honeynet created using a hub
Figure 2-3: Wiring schematic for receive-only Ethernet cable
Figure 2-4: Example of port mirroring
Figure 2-5: Example of NAT routing
Figure 2-6: Honeynet Project’s Honeywall Administration menu
Figure 2-7: Example of a simple router segment IP address scheme
Figure 2-8: Example of a complex honeynet IP address scheme
Figure 2-9: External placement of a honeypot
Figure 2-10: Internal honeypot placement
Figure 2-11: Honeypot DMZ placement

Chapter 4: Windows Honeypot Deployment

Figure 4-1: A Microsoft Longhorn screen
Figure 4-2: Microsoft patching pathway
Figure 4-3: Windows Firewall remote-monitoring port exceptions
Figure 4-4: Windows Computer Management Services console
Figure 4-5: Configuring a service logon
Figure 4-6: Example of Group Policy Object security settings

Chapter 5: Honeyd Installation

Figure 5-1: Honeyd with multiple templates
Figure 5-2: Honeyd screen activity summary example
Figure 5-3: Confirming WinPcap’s successful installation in Add/Remove Programs
Figure 5-4: Windump.exe -D output example verifying a correctly installed WinPcap driver
Figure 5-5: Cygwin Setup – Select Packages dialog box
Figure 5-6: An Ethereal screen

Chapter 7: Honeyd Service Scripts

Figure 7-1: Example of the Router-telnet Perl script in action
Figure 7-2: Ms-ftp.sh script emulating a Microsoft FTP server

Chapter 8: Other Windows-Based Honeypots

Figure 8-1: Back Officer Friendly interface
Figure 8-2: LaBrea’s screen console
Figure 8-3: SPECTER’s main Control screen
Figure 8-4: SPECTER’s on-screen log
Figure 8-5: SPECTER’s Log Analyzer tool
Figure 8-6: KFSensor’s Setup Wizard components (port listeners) selection
Figure 8-7: KFSensor monitor in Ports view
Figure 8-8: KFSensor’s Edit Sim Banner dialog box
Figure 8-9: KFSensor emulated IIS 6.0 Under Construction error page
Figure 8-10: FTP client screen when attaching to KFSensor’s emulated FTP server
Figure 8-11: KFSensor’s Event Details screen for an FTP session
Figure 8-12: Example of KFSensor’s SMTP sim standard server
Figure 8-13: Results of running Nbtscan.exe against KFSensor’s NetBIOS sim banner server
Figure 8-14: KFSensor SMTP alert configuration dialog box
Figure 8-15: KFSensor log example showing an FTP login session
Figure 8-16: Windows event log message generated by an FTP login session
Figure 8-17: KFSensor’s anti-DoS settings dialog box
Figure 8-18: PatriotBox’s interface and HTTP configuration dialog box
Figure 8-19: Jackpot’s console screen showing SMTP connection activity
Figure 8-20: Example of a connected SMTP Jackpot session from the spammer’s computer
Figure 8-21: Jackpot main administration screen

Chapter 9: Network Traffic Analysis

Figure 9-1: The OSI model
Figure 9-2: TCP/IP protocol flow example
Figure 9-3: IP packet structure
Figure 9-4: TCP packet structure
Figure 9-5: UDP packet structure
Figure 9-6: The main Ethereal screen with packet-capture data
Figure 9-7: Ethereal showing HTTP traffic on a port other than 80
Figure 9-8: Ethereal’s middle pane shows packet layer information.
Figure 9-9: Ethereal Capture Options dialog box
Figure 9-10: Ethereal’s TCP Conversation screen
Figure 9-11: Ethereal showing packets of a captured hacker session
Figure 9-12: Ethereal showing the TCP stream (using the Follow TCP Stream feature) for a packet
Figure 9-13: WinDump screen
Figure 9-14: Snort packet pathway
Figure 9-15: Executing Snort with the -v option captures header information only.
Figure 9-16: Snort in full packet capture mode
Figure 9-17: A Snort binary log file
Figure 9-18: A Snort alert file

Chapter 10: Honeypot Monitoring

Figure 10-1: Honeypot data-collection strategy
Figure 10-2: Winfingerprint in action
Figure 10-3: WinInterrogate scanning local files
Figure 10-4: Winalysis snapshot comparison screen
Figure 10-5: Sysinternal’s Regmon utility
Figure 10-6: Several SecurIT utilities monitoring system processes
Figure 10-7: Event Viewer snap-in console monitoring several computers
Figure 10-8: Kiwi Syslog collecting events from a honeypot system
Figure 10-9: Event Viewer filtering successful logins
Figure 10-10: Snort IDScenter SMTP alerting options
Figure 10-11: A NET SEND console alert message

Chapter 11: Honeypot Data Analysis

Figure 11-1: Example of dd --list command output
Figure 11-2: Example of event ID 528
Figure 11-3: Main KFSensor screen showing some of the 1,022 events
Figure 11-4: Ethereal generating a protocol distribution report
Figure 11-5: Portion of Ethereal protocol distribution report
Figure 11-6: KFSensor logs showing the first IIS attack
Figure 11-7: KFSensor log detail for one of the attacks
Figure 11-8: Ethereal capture showing Windows Media Services buffer overflow attack
Figure 11-9: KFSensor’s logs of the spam open relay
Figure 11-10: Hacker’s malicious folder structure
Figure 11-11: Bogus .system directory
Figure 11-12: R_bot.ini IRC configuration file

Chapter 12: Malware Code Analysis

Figure 12-1: Executable code pathway
Figure 12-2: Programming interface choices
Figure 12-3: Using the Debug register command
Figure 12-4: Strings.exe revealing text strings in a malicious file
Figure 12-5: MASM disassembly of the Thing Trojan showing called Windows APIs
Figure 12-6: Sampling of MASM disassembly of the Thing Trojan
Figure 12-7: IDA Pro disassembling Netlog1.exe instructions
Figure 12-8: An IDA Pro logic diagram
Figure 12-9: PE Explorer disassembling Netlog1.exe
Figure 12-10: Borg disassembling Netlog1.exe

ISBN: 1590593359
Year: 2006
Pages: 119