Computer Roles | Honeypots for Windows (Books for Professionals by Professionals)

Chapter 3 - Windows Honeypot Modeling
Honeypots for Windows
by Roger A. Grimes
Apress 2005

A computer role is the operational function the computer is being used to perform. A Windows 2000 Server machine isn’t just a server—it’s a server fulfilling a particular role: a web server, e-commerce database server, print server, mail server, domain controller, file server, or some other type. The following sections list the ports and services your honeypot should emulate to mimic a particular server role.

Generic Windows Server

If you want to emulate a generic Windows server with only the most popular services running, open just the ports listed in Table 3-2 on your honeypot.

Table 3-2: Generic Windows Server Ports
Port	UDP or TCP	Description
23	TCP	Telnet
25	TCP	SMTP
53	UDP or TCP	DNS
68	UDP	DHCP
135	UDP and TCP	RPC
137	UDP	NetBIOS Name Service
138	UDP	NetBIOS Datagram Service
139	TCP	NetBIOS Session Services
445	UDP and TCP	CIFS

IIS Server

The ports listed in Table 3-3 are found on most IIS servers.

Table 3-3: Common IIS Server Ports
Port	UDP or TCP	Description
20, 21	TCP	FTP
25	TCP	SMTP
53	UDP or TCP	DNS
80	TCP	HTTP
135	UDP and TCP	RPC
137	UDP	NetBIOS Name Service
138	UDP	NetBIOS Datagram Service
139	TCP	NetBIOS Session Service
445	UDP and TCP	CIFS

Windows 2000 Domain Controller

The ports listed in Table 3-4 are found on most Windows 2000 Server computers.

Table 3-4: Common Windows 2000 Domain Controller Ports
Port	UDP or TCP	Description
53	UDP and TCP	DNS
68	UDP	DHCP
88	TCP and UDP	Kerberos
135	UDP and TCP	RPC
137	UDP	NetBIOS Name Service
138	UDP	NetBIOS Datagram Service
139	TCP	NetBIOS Session Service
379	UDP	LDAP
389	UDP	LDAP
445	UDP and TCP	CIFS
500	UDP	IPSec
1701	UDP	L2TP
3268	TCP	Microsoft Global Catalog (default listener port)
3269	TCP	Microsoft Global Catalog (SSL listener port)
3389	TCP	Terminal Services
4500	UDP	IPSec

Windows Workstation

The ports listed in Table 3-5 are found on most Windows workstations.

Table 3-5: Common Windows Workstation Ports
Port	UDP or TCP	Description
135	UDP and TCP	RPC
137	UDP	NetBIOS Name Service
138	UDP	NetBIOS Datagram Service
139	TCP	NetBIOS Session Service
445	UDP and TCP	CIFS (Windows 2000 and above)
4500	UDP	IPSec (Windows 2000 and above)
5000	TCP	Universal Plug and Play (Windows Me only)

SQL Server

The ports listed in Table 3-6 are found on most SQL Server servers.

Table 3-6: Common SQL Server Ports
Port	UDP or TCP	Description
135	UDP and TCP	RPC
137	UDP	NetBIOS Name Service
138	UDP	NetBIOS Datagram Service
139	TCP	NetBIOS Session Service
445	UDP and TCP	CIFS
1433	TCP	SQL Server
1434	UDP	SQL Server

Exchange Server

If you want to set up one of your emulated honeypots to mimic a simple Exchange Server server, you should add the ports listed in Table 3-7 at a minimum.

Table 3-7: Common Ports on a Simple Exchange Server
Port	UDP or TCP	Description
25	TCP	SMTP
110	TCP	POP3
135	UDP and TCP	RPC
137	UDP	NetBIOS Name Service
138	UDP	NetBIOS Datagram Service
139	TCP	NetBIOS Session Service
445	UDP and TCP	CIFS

If you want to mimic an industrial-strength Exchange Server computer running with all possible services, open the ports listed in Table 3-8.

Table 3-8: Common Ports on a Complex Exchange Server
Port	UDP or TCP	Description
25	TCP	SMTP
53	UDP and TCP	DNS
80	TCP	HTTP, Outlook for Web Access (OWA)
102	TCP	X.400
110	TCP	POP3
119	TCP	NNTP
135	UDP and TCP	RPC
137	UDP	NetBIOS Name Service
138	UDP	NetBIOS Datagram Service
139	TCP	NetBIOS Session Service
143	TCP	IMAP4
379 or 389 or 390	UDP or TCP	LDAP/Active Directory
443	TCP	HTTP/SSL
445	UDP and TCP	CIFS
465	TCP	SMTP/SSL
522	TCP	Universal Locator Service
563	TCP	NNTP/SSL (NEWS)
593	TCP	HTTP over RPC
636	TCP	LDAP/SSL
691	TCP	LDAP/Link state algorithm
993	TCP	IMAP4/SSL
995	TCP	POP3/SSL
1503	TCP	T.120
1720	TCP	H.323
3268	TCP	Active Directory Global Catalog
6001	TCP	Exchange Information Store
6002	TCP	Exchange System Administrator
6004	TCP	Exchange Global Catalog interface