W= parameter
defined, 126
war drivers
using wireless honeypots to detect, 9
Web.sh script
source code for, 177–178
website addresses
for 4-clause BSD license, 122
for Active@ UNDELETE program, 315
for Active@ UNERASER program, 315
for Activeworx, Inc., 293
for Advanced Attachments Processor tool, 315
Afind program, 312
for Akonix L7 Enterprise tool, 317
for AllAPI, 343
for “An Evening with Berferd” paper by Bill Cheswick, 20
ArcSight, 294
Argus for Linux, Unix, and Solaris users, 309
AT&T Mexican honeynet, 8
for author of this book, 166
for Back Officer Friendly (BOF) honeypot, 189
for Back2Life program, 315
Bait and Switch Honeypot, 10
Blat utility, 299
for bootable CD-ROM for GenII honeywall, 25
Bugbear worm, 77
for Cache Reader tool, 316
for CacheInfo tool, 316
for CacheX utility, 316
Center for Internet Security, 40
CM utility, 276
Comcraft tap maker, 44
ComLog utilities, 23
for common NetBIOS enumeration tools, 77
for community support for Snort, 250
for comprehensive listing of TCP/IP ports, 65
Computer Associates, 294
Computer Forensics, Cybercrime and Steganography Resources, 335
for CookieView tool, 316
Crucial ADS, 313
for DataGrab, 317
for DBXpress tool, 315
DCF Software’s Hard Disk Copy, 308
Dd.exe command-line tool, 306
for a detailed discussion on IPSec, 106
for details about SRP, 107
for the Developer.com Windows API Tutorial, 343
DiamondCS forensic utilities, 283
DiamondCS Open Ports utility, 276
DiamondCS Port Explorer utility, 276
Digital Detective’s hashing tool, 312
for Directory Snoop, 314
for disabling Windows File Protection, 281
for disk editor programs, 314
for The Disk Investigator program, 314
for downloading ActivePerl Perl engine, 145
for downloading a Honeyd configuration file, 161
for downloading Cygwin, 142
for downloading GUI-based installers and management tools for Snort, 268
for downloading Honeyd emulation scripts, 132, 146
for downloading MASM, 350
for downloading ms-ftp.sh script, 183
for downloading Snort, 146
for downloading tcpdump utility, 249
for downloading the Windows version of gawk, 188
for downloading the Windows version of sed, 188
for downloading WinDump utility, 141, 249
Dr. Fred Cohen, 21
for ECMAScript scripting standard, 170
EditPlus text editor, 357
eEye Digital Security, 27
Electronic Evidence Information Center, 335
for E-Mail Detective, 315
EnCase software, 308
Engage Security, 296
for Ethereal install executable, 147
Ethereal network protocol analyzer, 43
EventCombMT application, 288
for Eventlog to Syslog Utility, 290
Exploiting Software: How to Break Code (Greg Hoglund and Gary McGraw), 359
for Faketelnet.pl script, 179
Febotti Command Line utility, 299
File Investigator, 314
FileCheckMD5, 312
for FINALeMail tool, 315
Foundstone utilities, 276, 280, 335
for Foundstone’s Attacker, 190
Foundstone’s BinText utility, 318
for Foundstone’s Fport and Vision utilities, 276
for Foundstone’s Galleta tool, 316
for Foundstone’s NTLast utility, 321
for Foundstone’s Pasco tool, 316
for Foundstone’s Rifiuti utility, 315
for ftp.sh script, 180
for GFI LANguard Security Event Log Monitor, 289
GhostRAdmin remote-access trojan, 333
for GlobalSCAPE’s Cute FTP, 178
for Guild’s FTP Server, 202
Hacking Disassembly Uncovered (Kris Kaspersky, et al.), 359
HD95Copy, 308
HFind tool, 313
for High Level Assembler (HLA), 352
for Hogle trojan virus, 207
Hogwash, 52
Honeycomb research tool, 7
Honeyd (honeypot daemon), 121
for the Honeyd Development web site, 33
for Honeydscan.tar script, 179
for Honeyd.tar script, 179
for the Honeynet Project, 33
Honeynet Project Scan of the Month, 248
for the Honeynet Project’s Scans of the Month, 324
for “Honeypots: Are They Illegal?” paper (Lance Spitzner), 33
for Honeypots: Tracking Hackers honeypot information, 33
for Honeypots.net, 219
for HoneyWeb-0.4 tgz, 179
IBM, 294
IDA Pro Disassembler and Debugger, 318
for iisemu18.pl script, 180
for IM Grabber, 317
Implementing CIFS, “Introduction”, 77
InCtrl5 (PC Magazine) utility, 283
for information about disabling LM hashing, 119
for information about EFS data recovery agent, 107
for information about event IDs, 323
for information about EVENTTRIGGERS command, 299
for information about GPOs, 119
for information about JavaScript or JScript, 170
for information about Perl, 168
for information about Ping of Death attacks, 237
for information about settings for hardening TCP/IP stacks, 104
for information about Smurf attacks, 237
for information about VBScript, 170
for information about Visual Basic languages, 170
for information about Windows command-line shell language, 169
for information about Windows STOP errors, 306
for InfoWorld summary article about SIM/SEM, 294
Intrusion Inc. tap maker, 44
Jackpot SMTP tarpit, 9
for JpegDump tool, 315
for KaZaA .dat Viewer, 317
KeyFocus Ltd. KFSensor honeypot, 196
for KeyFocus’s HTTP engine that runs as a web server, 202
KFSensor honeypot, 196
Kiwi Syslog, 290
for Kuang2.pl password-stealing trojan script, 179
LaBrea tarpit, 9, 190
for the latest Honeyd version, 123
for learning which file extensions are associated with which programs, 314
LibnetNT, 191
list of BIOS interrupt routines, 341
for a list of disassemblers, 357
for Log Parser in Microsoft IIS 6 Resource Kit, 289
for MACS security event log collection information, 289
Malware: Fighting Malicious Code (Ed Skoudis and Lenny Zeltser), 359
for the MBlaster worm, 181
for MBlaster worm article by Laurent Oudot, 181
for MBlaster worm document by Dr. Niels Provos, 181
MessageLabs antispam resource, 304
for Michael Davis, 121
for Microsoft network model information, 227
Microsoft Security Baseline Analyzer tool, 101
Microsoft Security web site, 41
for Microsoft’s Automated Deployment Services, 306
Microsoft’s ExMerge utility, 315
for more hashing program alternatives, 312
for Mydoom.pl script, 179
National Security Agency, 40
nbtscan enumeration tool, 77
Net Send Command Line utility, 299
NetBIOS Auditing Tool, 77
NetBIOS enumeration tools, 77
“NetBIOS: Friend or Foe?”, 77
for NetBIOS information, 77
for NetBIOS name suffix information, 74
Netcat utility, 14, 81
netForensics, 294
for Netsky worm, 265
for Network General’s Sniffer, 43
for Network Sniffer’s Netasyst Network Analyzer, 246
NISER Computer Forensics Laboratory, 335
Nmap active fingerprinting tool, 27
for Nmap documentation, 156
nmapNT active fingerprinting tool, 27
NMapWin, 27
for Norton System Utilities, 315
NT Objectives’ NTOinsight tool, 316
Open Ports utility, 276
Open Watcom assembler, 352
for open-source Windows forensics tools, 335
for OSI model, 227
for OutlookRecovery tool, 315
for packers, 358
for PatriotBox honeypot, 212
for PE Explorer disassembler, 355
for Perkeo program, 317
for Photo Retriever tool, 315
for Pictuate program, 317
for p0f passive fingerprinting tool, 43
p0f utility, 311
for pop3.sh script, 180
for Pop.emulator.tar.gz script, 180
for presentation about ICMP fingerprinting, 29
ProDiscover software, 308
Provos, Dr. Niels, 121
PuTTY SSH program, 284
Remote Administrator, 333
Rugrat virus, 93
SafeBack software, 308
Sebek, 23
Secure Hash Signature Generator, 312
SecurIT Informatique Inc. utilities, 281
Security Assertion Markup Language (SAML), 291
for SecurityFocus honeypot mailing list, 166
SecurityProfiling, Inc., 121
Sendmail, 215
ServerSentry utility, 299
SFind utility, 313
for shell command language information, 168
The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 359
Slammer worm, 303
for Small Is Beautiful (SIB) assembly language starter kit, 353
for smtp.sh script, 180
Snort-inline, 52
for SpinRite, 339
for SpyAgent software, 317
for Ssed program, 318
Strings.exe program, 350
SuperDIR, 312
for Symantec’s Norton Ghost, 306
Symantec’s Norton System Utilities, 314
Sysdiff, 272
for Sysinternals’ Hostname utility, 311
Sysinternals’ PendMove utility, 319
Sysinternals’ Streams program, 313
for Sysinternals’ Strings.exe program, 311
for Sysinternals’ Strings utility, 318
Sysinternals’ TCPView utility, 276
TamoSoft SmartWhois query tool, 311
TCPView utility, 276
TextPad text editor, 357
Thing Trojan, 350
for Tracking Hacker’s web site, 219
for Tribble, 306
TUCOFS-The Ultimate Collection of Forensic Software, 335
for tutorials on PE files and their structure, 349
for Unix version of Tripwire program, 23
for updated Nmap.prints file, 151
UPX packer, 358
for “Using Microsoft Windows IPSec to Help Secure an Internal Corporate Server”, 106
for utilities for checking permissions, 314
for virtual machine honeypots in forensic analysis whitepaper, 309
VMware, 16
for Webster’s Art of Assembly Language tutorial, 346
for Webster’s web site for assembler information, 353
Welchia worm, 182
WhatFormat program, 314
for WildPackets’ EtherPeek NX, 246
for the Win32 API FAQ, 343
Winalysis, 274
Windiff, 272
Windows Forensic Toolchest (WFT), 274
for Windows GUI for nmapNT, 27
Windows implementation guides, 284
“Windows Internet Naming Service (WINS): Architecture and Capacity Planning”, 77
Windows IT Pro magazine, 41
Windows Update Services (WUS), 102
for Windows version of Tripwire program, 272
WinDump utility, 309
Winfingerprint, 272
Winfo enumeration tool, 77
for Wingate proxy server, 206
Winhex software, 308
WinInterrogate, 272
WinMessenger utility, 299
WinPcap, 191
WinPcap packet capture driver, 43
for WinRAR tarball unzipper, 178
for WinZip tarball unzipper, 178
Xprobe2 active fingerprinting tool, 27
for Xprobe2 and fingerprinting article, 28
Webster’s Art of Assembly Language
tutorial for learning assembly language, 346
Webster’s HLA support page
website address, 352
Welchia worm
website address, 182
WhatFormat program
for determining a file’s real content, 314
website address, 314
WhiteDoe real honeypot
bogus .system directory in, 334
finding exploit code on, 332–335
hacker’s malicious folder structure, 333
lessons learned from the attacks on, 335
R_bot.ini IRC configuration file, 334
whitehat vulnerability testing tools
coding of in Perl, 168–169
whois query tools
TamoSoft SmartWhois, 311
WildPackets’ EtherPeek NX
website address, 246
Win32 API FAQ
website address, 343
Win32 API files
main for Windows core functionality, 342
Winalysis
snapshot comparison screen, 273
website address, 23, 274
Windiff
website address, 272
Window Size field
in TCP, 234
Windows
NET SEND command for sending short console messages in, 296
website address for implementation guides, 284
Windows 2000 domain controller ports
list of common, 69–70
Windows 32-bit executables
known as Portable Executables (PE files), 348–349
Windows API
housekeeping tasks handled by, 341
resources for learning how to use, 343
using, 341–343
Windows API files
searching for a larger list of, 342
Windows applications
common and their port numbers, 86–87
Windows command-line shell language
using for Honeyd service scripts, 169
Windows Computer Management Services window
configuring services in, 108–109
Windows event logging, 285–286
main auditing categories, 286–287
Windows event triggers
using, 298–299
Windows File Protection
disabling to use ComLog, 281
website address for disabling, 281
Windows Firewall
filtering network traffic on your honeypot with, 105–106
Windows Forensic Toolchest (WFT)
website address, 274
Windows honeypot deployment, 89–120
decisions to make for, 89
Windows honeypot emulation
common ports and services, 65–68
Windows honeypot modeling.
See also honeypot modeling
port-related protocols and services review, 63–65
Windows implementation guides
website address, 284
“Windows Internet Naming Service (WINS): Architecture and Capacity Planning”
website address, 77
Windows IT Pro magazine
website address, 41
Windows Performance Monitoring console
using to collect network traffic baseline data, 275
Windows personalities
annotation syntax, 156–157
common choices of, 156
Windows platform
tarball unzippers for, 178
Windows ports and services
list of common, 66–68
Windows protocols, 237–239
Windows security audit files
events of interest in, 292–293
Windows security log analyzer
NTLast as, 280
Windows Server 2003
editions available in, 91
Windows server ports
list of generic, 68–69
Windows services
for honeypot modeling, 72–83
steps for hardening, 116–117
Windows Services Startup type settings
recommended on a Windows Server 2003 computer, 109–115
Windows STOP errors
creating intentionally, 305–306
website address for information about, 306
Windows TCP/IP stack
Microsoft’s use of a four-layer network model to describe, 227
Windows Terminal Server
RDP protocol used by, 78
Windows Update Services (WUS), 17
checking for system patches with, 102–103
website address, 102
Windows workstation ports
list of common, 70
Windows XP
Remote Desktop in, 78
Windows-based honeypots
Honey-Potter as, 219
other than Honeyd, 189–220
WinDump utility
confirming successful installation of WinPcap with, 141–142
determining the number of collected network packets with, 309
using with Ethereal protocol analyzer utility, 249
website address, 309
website address for downloading, 141, 249
Winfingerprint
website address, 272
Winfo enumeration tool
website address, 77
Wingate proxy server
website address, 206
Winhex software
website address, 308
WinInterrogate
scanning local files, 274
website address, 272
WinMessenger utility
website address, 299
WinPcap
confirming successful installation of, 140–141
conflicts with some Ethernet cards, 142
needed to run LaBrea tarpit, 191
steps for installing using the auto-installer package, 140
website address, 43, 140, 191
WinRAR tarball unzipper
website address, 178
WinZip tarball unzipper
website address, 178
wireless access points (WAPs)
exploitation of weakly protected, 9
workstation ports
list of common Windows, 70
worm catcher script, 180–181
worm cleaners
problem with, 182
WU-FTPD daemon
developed at Washington University, 168