Computer Roles

Chapter 3 - Windows Honeypot Modeling
Honeypots for Windows
by Roger A. Grimes
Apress 2005

A computer role is the operational function the computer is being used to perform. A Windows 2000 Server machine isn’t just a server—it’s a server fulfilling a particular role: a web server, e-commerce database server, print server, mail server, domain controller, file server, or some other type. The following sections list the ports and services your honeypot should emulate to mimic a particular server role.

Generic Windows Server

If you want to emulate a generic Windows server with only the most popular services running, open just the ports listed in Table 3-2 on your honeypot.

Table 3-2: Generic Windows Server Ports

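| Port | UDP or TCP | Description |
|------|------------|-------------|
| 23 | TCP | Telnet |
| 25 | TCP | SMTP |
| 53 | UDP or TCP | DNS |
| 68 | UDP | DHCP |
| 135 | UDP and TCP | RPC |
| 137 | UDP | NetBIOS Name Service |
| 138 | UDP | NetBIOS Datagram Service |
| 139 | TCP | NetBIOS Session Services |
| 445 | UDP and TCP | CIFS |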

IIS Server

The ports listed in Table 3-3 are found on most IIS servers.

Table 3-3: Common IIS Server Ports

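| Port | UDP or TCP | Description |
|------|------------|-------------|
| 20, 21 | TCP | FTP |
| 25 | TCP | SMTP |
| 53 | UDP or TCP | DNS |
| 80 | TCP | HTTP |
| 135 | UDP and TCP | RPC |
| 137 | UDP | NetBIOS Name Service |
| 138 | UDP | NetBIOS Datagram Service |
| 139 | TCP | NetBIOS Session Service |
| 445 | UDP and TCP | CIFS |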

Windows 2000 Domain Controller

The ports listed in Table 3-4 are found on most Windows 2000 Server computers.

Table 3-4: Common Windows 2000 Domain Controller Ports

| Port | UDP or TCP | Description |
|------|------------|-------------|
| 53 | UDP and TCP | DNS |
| 68 | UDP | DHCP |
| 88 | TCP and UDP | Kerberos |
| 135 | UDP and TCP | RPC |
| 137 | UDP | NetBIOS Name Service |
| 138 | UDP | NetBIOS Datagram Service |
| 139 | TCP | NetBIOS Session Service |
| 379 | UDP | LDAP |
| 389 | UDP | LDAP |
| 445 | UDP and TCP | CIFS |
| 500 | UDP | IPSec |
| 1701 | UDP | L2TP |
| 3268 | TCP | Microsoft Global Catalog (default listener port) |
| 3269 | TCP | Microsoft Global Catalog (SSL listener port) |
| 3389 | TCP | Terminal Services |
| 4500 | UDP | IPSec |

Windows Workstation

The ports listed in Table 3-5 are found on most Windows workstations.

Table 3-5: Common Windows Workstation Ports

| Port | UDP or TCP | Description |
|------|------------|-------------|
| 135 | UDP and TCP | RPC |
| 137 | UDP | NetBIOS Name Service |
| 138 | UDP | NetBIOS Datagram Service |
| 139 | TCP | NetBIOS Session Service |
| 445 | UDP and TCP | CIFS (Windows 2000 and above) |
| 4500 | UDP | IPSec (Windows 2000 and above) |
| 5000 | TCP | Universal Plug and Play (Windows Me only) |

SQL Server

The ports listed in Table 3-6 are found on most SQL Server machines.

Table 3-6: Common SQL Server Ports

| Port | UDP or TCP | Description |
|------|------------|-------------|
| 135 | UDP and TCP | RPC |
| 137 | UDP | NetBIOS Name Service |
| 138 | UDP | NetBIOS Datagram Service |
| 139 | TCP | NetBIOS Session Service |
| 445 | UDP and TCP | CIFS |
| 1433 | TCP | SQL Server |
| 1434 | UDP | SQL Server |

Exchange Server

If you want one of your emulated honeypots to mimic a simple Exchange Server machine, you should open, at a minimum, the ports listed in Table 3-7.

Table 3-7: Common Ports on a Simple Exchange Server

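| Port | UDP or TCP | Description |
|------|------------|-------------|
| 25 | TCP | SMTP |
| 110 | TCP | POP3 |
| 135 | UDP and TCP | RPC |
| 137 | UDP | NetBIOS Name Service |
| 138 | UDP | NetBIOS Datagram Service |
| 139 | TCP | NetBIOS Session Service |
| 445 | UDP and TCP | CIFS |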

If you want to mimic an industrial-strength Exchange Server computer running with all possible services, open the ports listed in Table 3-8.

Table 3-8: Common Ports on a Complex Exchange Server

| Port | UDP or TCP | Description |
|------|------------|-------------|
| 25 | TCP | SMTP |
| 53 | UDP and TCP | DNS |
| 80 | TCP | HTTP, Outlook for Web Access (OWA) |
| 102 | TCP | X.400 |
| 110 | TCP | POP3 |
| 119 | TCP | NNTP |
| 135 | UDP and TCP | RPC |
| 137 | UDP | NetBIOS Name Service |
| 138 | UDP | NetBIOS Datagram Service |
| 139 | TCP | NetBIOS Session Service |
| 143 | TCP | IMAP4 |
| 379 or 389 or 390 | UDP or TCP | LDAP/Active Directory |
| 443 | TCP | HTTP/SSL |
| 445 | UDP and TCP | CIFS |
| 465 | TCP | SMTP/SSL |
| 522 | TCP | Universal Locator Service |
| 563 | TCP | NNTP/SSL (NEWS) |
| 593 | TCP | HTTP over RPC |
| 636 | TCP | LDAP/SSL |
| 691 | TCP | LDAP/Link state algorithm |
| 993 | TCP | IMAP4/SSL |
| 995 | TCP | POP3/SSL |
| 1503 | TCP | T.120 |
| 1720 | TCP | H.323 |
| 3268 | TCP | Active Directory Global Catalog |
| 6001 | TCP | Exchange Information Store |
| 6002 | TCP | Exchange System Administrator |
| 6004 | TCP | Exchange Global Catalog interface |
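
A role profile is only convincing if the honeypot's actual listeners match it. The following Python sketch is an added example, not code from the book: it parses Windows `netstat -an` output and compares it against the profiles in Tables 3-6 and 3-7, reporting listeners the role expects but that are missing and listeners the role should not expose. The role names, function names and sample output are constructed for illustration.

```python
import re

def _expand(spec):
    """Turn '135/tcp+udp 139/tcp' into {(135,'tcp'), (135,'udp'), (139,'tcp')}."""
    return {(int(port), p) for port, protos in (i.split("/") for i in spec.split())
            for p in protos.split("+")}

# Profiles transcribed from Tables 3-6 and 3-7; the role names are this example's own.
ROLES = {
    "sql-server": _expand("135/tcp+udp 137/udp 138/udp 139/tcp 445/tcp+udp 1433/tcp 1434/udp"),
    "exchange-simple": _expand("25/tcp 110/tcp 135/tcp+udp 137/udp 138/udp 139/tcp 445/tcp+udp"),
}

# One row of Windows `netstat -an`: protocol, local addr:port, foreign addr, optional state.
ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+(?:\s+(\S+))?\s*$")

def listeners(netstat_text):
    """Return {(port, proto)} for TCP sockets in LISTENING state and all bound UDP sockets."""
    found = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        # Established TCP sessions and header lines are ignored; UDP rows carry no state.
        if m and (m.group(1) == "UDP" or m.group(3) == "LISTENING"):
            found.add((int(m.group(2)), m.group(1).lower()))
    return found

def audit(role, netstat_text):
    """Return (missing, unexpected) listeners relative to the role profile."""
    expected, actual = ROLES[role], listeners(netstat_text)
    return sorted(expected - actual), sorted(actual - expected)

# Constructed sample output: a honeypot meant to look like a SQL Server host.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1433        198.51.100.7:50212     ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.10:137         *:*
  UDP    192.0.2.10:138         *:*
"""

if __name__ == "__main__":
    print(audit("sql-server", SAMPLE))
```

For the sample, the audit flags the absent SQL Server UDP listener on 1434 and the Terminal Services listener on 3389, which Table 3-6 does not include for this role.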

Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359
EAN: 2147483647
Year: 2006
Pages: 119
