In the previous chapters, you’ve learned about honeypots in general, and specifically which emulated services and ports you need to create an authentic-looking Windows honeypot. Starting in this chapter, you’ll put those lessons to use by implementing Honeyd.
This chapter will introduce Honeyd and the functionality it offers. Then it will guide you through installing Honeyd and its related programs, with step-by-step instructions.
Honeyd stands for honeypot daemon. Honeyd (http://www.honeyd.org) is an open-source, low-interaction honeypot released by Dr. Niels Provos in April 2002 so that he could study the methods and tactics used by malicious hackers. Dr. Provos is an experimental computer scientist who conducts research in steganography and network security. He is currently working for Google. A German native, he earned his Ph.D. at the University of Michigan, and he is an active member of The Honeynet Project and other open-source projects.
Dr. Provos is particularly interested in analyzing hacker payloads. Most company networks are protected by firewalls. Whether or not the firewalls are successful in blocking an exploit attempt, they usually don’t capture the actual exploit. Dr. Provos wanted to give malicious hackers a decoy place to attack, where he could observe the tricks and tools of their trade. Although Honeyd is a relatively small program, it filled a huge vacuum as a much-needed tool in the computer security community and quickly became the de facto honeypot.
Originally programmed for Unix and Linux systems, Honeyd was ported to the Windows environment by Michael Davis of SecurityProfiling, Inc. (http://www.securityprofiling.com). Mr. Davis currently serves as the lead developer at SecurityProfiling, where he works on IDSs, with contributions to the Snort IDS project. He is also a member of The Honeynet Project, where he develops data and network control mechanisms for Windows-based honeynets. Mr. Davis has ported Ngrep, Dsniff, Snort, Honeyd, libnids, and Sebek, and he is finishing an ARPd port as this book goes to publication. If something is going to be ported from Unix to Windows in the intrusion detection or honeypot fields, there’s a good chance Mr. Davis is doing the hard work. As is common among members of the open-source community, both Dr. Niels Provos and Michael Davis are extremely friendly and eager to help others.
If you’re not familiar with open-source software, it may be hard to believe that software can be free. Early in the development of computers, most software was free to use. Today, paid proprietary software makes up the largest class of software. Proprietary software isn’t necessarily evil, as the profit motive ensures more software for us all to enjoy. Many open-source developers also offer commercial versions of their products, with added enterprise features and phone support.
Open source is a step back to the days of freely available software. Open-source software may be released under a variety of licensing terms, such as Open Source Initiative-approved licenses, the BSD license, the GNU/Free Software Foundation licenses (also known as copyleft), shareware, freeware, or public domain. Here are the basic terms of some of these licensing agreements:
Freeware is free to use or distribute. License terms vary for each product.
Public domain software is free to use or distribute. It usually has no copyright and can even be reused in commercial programs and distributed for payment.
Shareware is free to try, but you must buy it if you continue to use it after a set time period (usually 30 days). The creator retains the copyright. The software can be freely distributed (or there is a small distribution fee), but the program should not be modified in any way.
Open Source can be freely copied, distributed, used, and reused in other programs. If any part of an open-source program is used in another program, the new program must follow the same Open Source rules. The code is copyrighted, and it should be referenced if used in another program.
Honeyd is released under an open-source agreement called the 4-clause BSD license (http://www.wikipedia.org/wiki/BSD_License).