Honeypots for Windows
by Roger A. Grimes
Apress 2005


SafeBack software

website address, 308


website address, 318

Sbk_extract tool

for collecting Sebek packets for analysis, 278


Perl script for displaying attacker keystrokes on the screen, 278


Perl script that uploads Sebek packets for advanced analysis, 278

scanning scripts

use of in blended attacks, 31


for sim standard server listener ports, 201

script files

steps for downloading for Honeyd, 146

script languages

common, 168–170

scripts. See Honeyd service scripts; service scripts

\scripts folder

Honeyd Windows version default scripts in, 172

Search or Find Files and Folder Windows feature

using to find files modified since a certain date, 312


monitoring tool for Windows honeypots, 277

website address, 23, 277

Sebek server

tools that make up, 278

Secure Hash Signature Generator

website address, 312

SecurIT Informatique Inc. utilities

example of several monitoring system processes, 282

for honeypot or IDS data collection, 281–282

others available, 282

website address, 281

SecurIT Intrusion Detection Kit

components of, 282


automating, 119–120

using honeypots to improve, 10

Security Assertion Markup Language (SAML)

website address, 291

security audit files

events of interest in, 292–293

security event logging

of data captured from honeypot monitoring systems, 284–285

importance of for honeypots, 285–286

useful information extraction from, 294

Security Event Management. See SEM (Security Event Management)

security event manager

Activeworx Security Center (ASC) as, 293–294

Security Incident Management. See SIM (Security Incident Management)

security logs

noise on, 6

security monitoring tools

as protection for monitoring communications, 284

security patches. See Microsoft patches

security roll-ups, 101

security updates or hot fixes, 101

SecurityProfiling, Inc.

website address, 121


website address for downloading Windows version, 188

SEM (Security Event Management)

vendors, 294

Sendmail utility

function of, 283

setting up a spam tarpit with, 215

website address, 215

sequence number field

in TCP, 233

server ports

list of common complex Exchange Server, 71–72

list of common IIS, 69

list of common simple Exchange Server, 71

list of common SQL Server, 70

list of generic, 68–69

SERVER variable

using in Snort, 258

ServerSentry utility

website address, 299

service accounts

configuring to protect your honeypot, 115–117

service pack patches, 101

service scripts

See also Honeyd service scripts

adding to Honeyd templates, 159

in Honeyd, 167–188

session layer

in OSI model, 229

SET command

for associating a template with a personality, 157

SFind utility

for listing NTFS alternate data streams and their access times, 313

SHA-160 Hash utility

function of, 283


defined, 122

shell command language

using for Honeyd service scripts, 168

website address for information about, 168

Showacls.exe utility

for checking permissions, 314

ShoWin utility

function of, 281

SIM (Security Incident Management) vendors, 294

sim banner servers

in KFSensor honeypot, 199–200

list of banner parameters, 200

sim (simulated) servers

in KFSensor honeypot, 198–208

sim standard servers

emulated services included with, 201

in KFSensor honeypot, 200–201

simple ports

defined, 131–132

Simple TCP/IP services

provided in a TCP/IP add-on component, 78

slack space

storage of malicious code in by hackers, 345

Slammer worm

website address, 303

Small Is Beautiful (SIB) assembly language starter kit

by Steve Gibson, 353

SMB protocol

as workhorse of NetBIOS, 73

SMTP sim standard server

example of screen, 204

SMTP tarpit

Jackpot tarpit as, 215

smtp.sh script

website address, 180

Smurf amplification

use of ICMP by hackers for, 237

Smurf attacks

website address for information about, 237

snapshot software. See integrity checkers (snapshot software)

snapshot utilities

website addresses for free, 23


availability of, 224

benefits of using in a honeypot environment, 223–225

vs. IDSs, 223–224

sniffers and IDSs

how they complement each other, 226

where to place them, 226


benefits of using in a honeypot environment, 225–226

binary log file, 256

command for fastest performance, 255

configuring, 252–268

configuring the configuration file, 257–264

creating a Snort.bat file, 267

deciding what you want it to do, 253–256

default variables list, 257

defining variables in, 257

directories and their functions, 252

example of alert file, 262

example of rules from Snort’s web-iis.rules rule set, 262

exiting to finish with a packet statistics screen, 255

in full packet capture mode, 255

function of, 250–268

installing, 252

list of some preprocessors, 259

packet pathway, 251

sample configuration file, 265–267

steps for configuring the first time, 252

steps for installing, 146–147

syntax for configuring preprocessors, 260

understanding how it works, 250–251

website address for community support, 250

website address for downloading, 146

website address for downloading GUI-based installers and management tools for, 268

Snort configuration file

configuring, 257–264

sample of, 265–267

testing, 267

Snort GUI IDScenter configuration console

from Engage Security, 296

Snort network IDS mode

putting Snort into, 256

Snort output plug-ins

function of, 264

Snort packet dump mode

command-line switches, 253–254

fields captured on TCP packets, 254

Snort point-and-click

using, 268

Snort rules

function of, 260

syntax fields list, 262

syntax for typical, 260

Snort rule sets

list of default, 263

Snort.bat file

creating, 267


website address, 52


restricting unauthorized execution of on honeypots, 106–117

software interrupts. See BIOS interrupt routines

Software Restriction Policies (SRP)

for preventing unauthorized software execution, 107

software solutions

for hiding honeynet monitoring devices, 42–43

Software Update Services (SUS). See Microsoft Software Update Services (SUS)

SONET backbone

function of, 224–225

spam malware

effect on open relays, 207

spam tarpits

setting up, 215


how they work and the damage they do, 206–207

using Jackpot tarpit to slow down and frustrate, 9

SPECTER honeypot

characters available for each emulated OS, 193

function of, 192–195

installing and setting up, 193–194

Log Analyzer tool, 195

logging and alerting with, 194–195

main Control screen, 194

on-screen log, 195

traps and services, 192

website address, 192


for recovering damaged hard drive data, 339

Spitzner, Lance

Honeypots book by, 21

Know Your Enemy honeypot book by, 8


memory variable useful in scripts, 171

SpyAgent software

for checking for IM services hacker activity, 317

spying programs

website addresses for, 317

SQL Server ports

list of common, 70

SQL Slammer worm

defenses against, 10

detection of, 7

function of, 30

SRP. See Software Restriction Policies (SRP)

Ssed program

for extracting text, 318

using, 188

SSH programs

for protecting monitoring communications, 284

SSH test script, 172–173


popping and pushing of information to, 348

Startup type settings. See Windows Services Startup type settings

static linking

defined, 342

STDERR (standard unbuffered output stream for writing errors)

in Honeyd, 171

STDIN (standard input stream)

in Honeyd, 170

STDOUT (standard buffered output stream)

in Honeyd, 170

stealth mechanisms

used by malware to hide infection, 358

sticky honeypots

preventing malicious activity with, 9

Stoll, Clifford

The Cuckoo’s Egg by, 20

STOP error

creating intentionally, 305–306

stream4 preprocessor

in Snort, 259

string analysis

performing on packets, 311

Strings.exe program

example revealing text strings in a malicious file, 350

searching for ASCII text with, 350

website address, 311, 350

SubSeven emulation service

used by PatriotBox honeypot, 212


website address, 312

switches. See Ethernet switches

Symantec’s Norton Ghost

for making copies of a hard drive, 306

using to restore honeypots, 16

Symantec’s Norton System Utilities

disk editor program, 314

SYN (Synchronization) flag

in TCP, 234

SYN flood DoS attack

use of by hackers, 235


website address, 23, 272

Sysinternals PsTools utilities

list and functions of, 280

Sysinternals utilities, 278–280

website address, 278

Sysinternals’ AccessEnum utility

for listing who has permissions to files, Registry keys, and folders, 314

Sysinternals’ Hex2dec

using as hexadecimal-to-decimal converter, 318

Sysinternals’ Hostname utility

for resolving an IP address to a domain name, 311

Sysinternals’ PendMove utility

checking for OS pending file changes with, 319

Sysinternals’ Stream program

for listing any hidden NTFS streams by file or directory, 313

Sysinternals’ Strings.exe program

for performing string analysis on network packets, 311

Sysinternals’ Strings utility

for searching for ASCII and Unicode strings, 318

Sysinternals’ TCPView utility

website address, 276

Syslog (system log daemon)

for collecting log files, 289–290

system network devices

for honeypots, 41–54

system variables

setting for Honeyd templates, 160

ISBN: 1590593359