hackers
attracting to your honeypot, 37
defined, 7
hacking activity
redirecting to protect systems, 8
Hacking Disassembly Uncovered (Kris Kaspersky, et al.)
book on disassembling malicious code, 359
hacking prevention
effect of honeypots on, 8–10
hardware
Windows OS minimum and hardware requirements, 95–96
hardware solutions
for hiding honeynet monitoring devices, 44–45
HD95Copy
website address, 308
Helix bootable forensic distribution
website address, 324
Hex2dec converter
website address, 318
hexadecimal-to-decimal converter
using Sysinternals’ Hex2dec as, 318
HFind tool
for finding hidden files and alternate data streams, 313
hidden files and alternate data streams
looking for in file system, 313
utilities for finding, 313
High Level Assembler (HLA)
created as a learning tool for programmers, 352
high-interaction honeypots
determining need for, 90
function of, 14
Hogle trojan virus
website address, 207
Hogwash
website address, 52
HOME_NET variable
syntax for using in Snort, 258
Homename utility
website address, 311
Honeycomb research tool
website address, 7
Honeyd (honeypot daemon)
creating a default template in, 156
creating a runtime batch file in, 152–154
creator of, 10
default directories, 145
default scripts in Windows version of, 172
downloading script files, 146
emulation of ICMP behavior by, 128
example with multiple templates, 134
features of, 123–136
installation, 121–149
IP stack emulation settings in, 123–124
list of simple port behaviors, 131
logging, 134–136
memory variables useful in scripts, 171
mimicking IP information in, 124
mimicking TCP/IP stack in, 124–126
on-screen logging, 135
OS personalities, 129–130
output fields for on-screen logging, 134
proxy services, 132
reasons for using, 122–123
recommended directories, 148
runtime options, 152
steps for a typical installation, 136
steps for installing, 145
steps for testing your installation, 145–146
subsystems and plug-ins for Unix, 133
TCP/IP port emulation, 131–134
website address, 121, 123
Honeyd configuration, 151–166
using command-line options, 151–152
Honeyd configuration files
adding port instructions to, 158–160
assembling templates in, 161–165
sample code list for, 162–165
setting up, 154–165
setting up virtual honeypots (templates) in, 154
syntax for, 171–172
testing, 165–166
Honeyd emulation service scripts, 132
Honeyd installation
deciding logistics, 137–139
default directories, 145
installing Cygwin, 142–145
installing WinPcap, 140–142
resolving local subnet problems, 138–139
resolving routing problems, 138
steps for, 145
steps for hardening the host, 139
steps for testing, 145–146
Honeyd log files
fields included in default, 135
using the -l parameter to enable, 134–135
Honeyd logging
choices, 134–136
Honeyd OS personalities, 129–130
Honeyd runtime command
example of, 152
Honeyd script files
steps for downloading, 146
Honeyd service scripts, 167–188
available from Honeyd.org, 179–180
basic tasks they can be used for, 167–172
to catch the MBlaster worm, 181
common languages for, 168–170
custom, 180–188
default in Windows version, 172
downloadable from Honeyd web site, 178–180
input/output routines, 170–171
memory variable useful in, 171
for an offensive response to the MBlaster worm, 181–182
using JavaScript for, 170
using Python for writing, 169
using shell command language for, 168
using Visual Basic languages for, 169–170
a worm catcher script, 180–181
Honeyd simple port behaviors
list of, 131
Honeyd templates
adding personality instructions to, 156–157
adding port instructions to, 158–160
adding proxies to, 160
adding service scripts to, 159
blocking certain ports in, 159
code example for creating, 155
configuring, 154–165
contents of, 133–134
creating, 155–156
defining the default port state in, 158
for an Exchange Server 2003 honeypot, 161
naming rules, 155
order for defining necessary parameters, 154–155
personality defined, 156
setting system variables for, 160
Honeyd.bat configuration file
example of with multiple runtime configurations, 153
Honeyd.config file
recommended logical order of templates in, 154
Honeyd.org
service scripts available at, 179–180
Honeydscan.tar script
website address, 179
Honeyd.tar script
website address, 179
honeynet monitoring devices
hardware solutions for hiding, 44–45
software solutions for hiding, 42–43
Honeynet Project
formed by Lance Spitzner, 21
function of, 3
future generations of honeypot technology, 26
Honeynet Project Scan of the Month
website address, 248
honeynet security console
Activeworx Security Center (ASC) as, 294
honeynets
defined, 5
example of, 6
example of complex IP address scheme, 54
system network devices for, 41–54
honeypot daemon. See Honeyd (honeypot daemon)
honeypot data analysis. See also data analysis
investigations, 302–304
honeypot deployment
in Windows, 89–120
honeypot emulation software
function of, 18–20
honeypot farm
defined, 9
honeypot interaction levels, 14–15
honeypot layers
function of, 13–14
honeypot modeling
what you need to know, 63–65
in Windows, 63–88
honeypot monitoring, 269–299
honeypot network system devices
bridges as, 46
Ethernet switches as, 46–47
firewalls as, 51
hubs as, 41–45
summary, 52–54
honeypot placement
location comparison table, 59
honeypot platform
deciding what OS to use as, 89
honeypot system deployment
steps for, 35–36
honeypot system placement
main locations for, 54–59
honeypot systems
defined, 35
modifying and redeploying, 324–325
honeypot traffic
as malicious traffic, 3–4
honeypots
attracting hackers to, 37, 95
automated vs. manual attacks, 302–303
automating security for, 119–120
availability of OS software support tools for, 93
basic components of, 11–12
blocking certain ports in, 159
choosing real or virtual, 39–40
common reasons for using, 5–11
configuring service accounts to protect, 115–117
creating and storing user accounts on, 94
The Cuckoo’s Egg by Clifford Stoll about, 20
data capture, 22–23, 36
data control, 21–22, 36
deciding on research or production, 37–39
deciding to patch or not patch OS on, 93
deciding to run as client or server, 93
deciding which applications to install on, 94
deciding which OS to choose for, 90–93
defined, 3–5
defining goals for, 37–41
deployment in Windows, 89–120
deployment plan, 35–59
deployment steps, 35–36
design tenets, 36
determining need for high interaction, 90
determining the number of collected network packets, 309
disabling unneeded services on, 108–117
documenting configuration settings for, 98
emulated, 18–20
external placement of, 55–56
filtering network traffic on, 105–106
firewall DMZ placement, 57–58
as forensic tools, 10
function of high interaction, 14
function of low interaction, 14
general installation guidelines, 99
guidelines for reducing your legal risk, 33
history of, 20–26
hub network devices, 41–45
identifying the IP addresses and top talkers, 309–310
importance of using complex passwords, 118
improving computer security with, 10
information resources, 33
initial compromise of, 303
installation guidance, 96–100
installation steps to deploy and operate, 97
installation tips, 99–100
installing necessary patches to, 101
internal placement, 56–57
introduction to, 3–34
modifying and redeploying after analysis, 324–325
monitoring, 269–299
monitoring programs for, 277–283
need for licenses for all virtual machines, 18
need for update plan for, 90
new threat detection by, 7
physically securing, 100–101
placement summary, 58–59
potentially dangerous executable files list, 107
preferred by hackers, 94–95
production, 8
of real operating systems, 15–16
recommended hardware requirements for, 96
rejecting default folder locations for software, 103
removing or securing network shares before making live, 104–105
renaming administrator and guest accounts for, 117
research, 8
restricting unauthorized software execution on, 106–117
risks of using, 32–33
a sample deployment of, 11
scenarios for high levels of exploitation, 94–95
summary of other available Windows-based, 220
summary of types, 20
system network devices, 41–54
taking baseline measurements for, 98–99
telltale signs of a manual attack on, 303
telltale signs of an automated attack on, 302–303
testing, 97–98
things they can mimic, 13
tools for recovering e-mail messages, 315
tracking the hackers, 311
types of, 13–20
using IPSec as a firewall on, 105–106
using real OS or virtual machine, 90
using Software Restriction Policies with, 107
using Symantec’s Norton Ghost to restore, 16
virtual, 16–20
VM installation guidelines, 99–100
web site addresses for hardening information, 40–41
what happens after initial compromise, 303–304
Windows-based, 61–220
Windows OS minimum and hardware requirements, 95–96
Windows-based other than Honeyd, 189–220
“Honeypots: Are They Illegal?” paper (Lance Spitzner)
website address, 33
Honeypots book
by Lance Spitzner, 21
Honeypots.net
website address for list of honeypots, 219
Honey-Potter
website address, 219
honeytoken
ensuring early detection of threats with, 7
honeywall. See honeywall gateways
Honeywall Administration menu
for Honeynet Project, 52
honeywall gateways
benefits of, 51–52
for redirecting malicious activity, 9–10
use of in GenII model, 24–26
HoneyWeb-0.4 tgz script
website address, 179
host baseline programs
for documenting current computer settings, 272–275
host documentation tools, 272–275
host enumeration
defined, 77–78
hot fixes, 101
HTTP header
using Netcat to read, 81–82
Http_decode preprocessor
in Snort, 259
hub network device
for honeypots, 41–45
using to create a honeynet, 42