Unfortunately, open-source tools with a multitude of functionality and flexibility are rarely easy to install. Honeyd is no exception. First-time honeypot administrators expecting the point-and-click GUI installations of most Windows programs will be disappointed. This section provides step-by-step instructions to guide you through the process, even if Honeyd is your first honeypot.
Actually, installing Honeyd by itself as a stand-alone product isn’t that difficult. You download an executable, unzip it, configure a file or two, and it’s up and running. But to get the fullest use of it, you need to install many other supporting files and programs and manually create moderately complex configuration files. The following steps summarize a typical Honeyd installation procedure:
Harden the host.
Update the Nmap and Xprobe database files, if desired.
Download advanced scripts.
This section will discuss in detail all the steps needed to get the most out of Honeyd. The installation steps will assume that you have not already installed the software and that your primary system drive is C:. If drive C: is not your primary system drive, or if you want to install software to another drive, replace any reference to C: with the desired drive letter. If you have already installed a software component mentioned in the steps, it is up to you to decide whether to install it again or trust your current configuration.
Like a carpenter that measures twice and cuts once, a good honeypot administrator does a lot of planning before configuring a honeypot. As Chapter 2 discussed, you first need to decide what you want to accomplish with your honeypot and which OSs you want to emulate. Do you want to emulate one Windows system or many? Do you want to emulate one IP host address or several? Which computer will you use to host Honeyd? Where will you place the host? What type of logging will you enable? How will you direct hostile traffic to your honeypot?
No matter where you decide to run Honeyd, it must be configured to run on its own virtual IP subnet. This is an important step that is often overlooked, or misunderstood, by first-time administrators. Honeyd must have its own IP subnet address space so that packets headed to or from it are not manipulated by the underlying Windows host’s TCP/IP stack. If Honeyd were allowed to share the same IP address space as its host, the programming and packet-level driver tricks it performs would become more complex. And complexity is the antithesis of security and stability. You can use any IP address space that you like—public or private—as long as it is unique to Honeyd within your network.
Giving Honeyd its own virtual IP address space adds an additional wrinkle to the setup. Since the new virtual subnet exists only in the memory space of the host computer, all remote computers will be unable to find it without routing assistance. If you have a router or firewall in front of your host, you will need to create a static mapping that routes packets headed to the honeypot through the host computer’s adapter. You do not add this static route command on the Honeyd host computer; you add it on the router or firewall directing traffic to Honeyd. Static routing commands vary by router and firewall.
To add a static route to a multihomed (two or more network adapters) Windows computer, for example, use the following syntax:
route add -p <Honeyd network address> mask <subnet mask> <host adapter address>
For example, if Honeyd had a virtual IP address space of 192.168.169.0-192.168.169.255 with a subnet mask of 255.255.255.0, running on a host with IP address 192.168.168.200, you would need to make the following static route entry in a Windows multihomed computer acting as a router:
route add -p 192.168.169.0 mask 255.255.255.0 192.168.168.200
The -p parameter tells Windows to make the added route permanent (persistent across boots of the system).
Another common problem for new Honeyd administrators is that the host computer will redirect all network traffic from Honeyd to the gateway defined on the host computer’s interface. This means if you contact Honeyd (for example, to do a ping test) from a computer on the same local subnet as the host computer, Honeyd will send the response back to the originator. But the host adapter will see the packet as arriving from a different subnet than its own and will forward Honeyd’s response to the defined default gateway, which is usually a router or firewall. The originating host never gets a response back. This results in all connection attempts to Honeyd from computers on the same local subnet as the Honeyd host computer timing out. Hosts originating on the other side of the gateway or router will not experience this problem.
This can be a very frustrating issue when setting up Honeyd for the first time and trying to test it before making it available to the world. To fix this issue, you can do one of two things:
Place another router in front of the Honeyd host computer, so that all other computers, local or not, are on another subnet. Reconfigure the host computer’s gateway address to point to the new router. This will take all other computers off the local subnet. It is an optimal solution if you can get another router. The only downside is that adding yet another router in your network means you might need to make other static route adjustments on your other routing devices to account for the new router.
For local testing purposes, you can temporarily configure the Honeyd host computer’s gateway address to point to a local testing computer.
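The two pitfalls above (a Honeyd subnet that overlaps the host adapter's own subnet, and a same-subnet test client whose replies detour to the default gateway) can be checked before anything is configured. The following is an added Python example, not code from the book or from Honeyd; the function names and the "gateway"/"routed" labels are my own, and it builds the route add line from the addresses used in the text.

```python
"""Plan a Honeyd virtual subnet against the host adapter (added example, not
from the book).  Function names and the 'gateway'/'routed' labels are mine."""
import ipaddress


def subnet_is_separate(honeyd_net, honeyd_mask, host_ip, host_mask):
    """True when the Honeyd address space does not overlap the host's own
    subnet, which the text requires so the Windows stack never treats
    Honeyd's addresses as its own."""
    honeyd = ipaddress.ip_network(f"{honeyd_net}/{honeyd_mask}", strict=True)
    host_if = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    return not honeyd.overlaps(host_if.network)


def plan_honeyd_route(honeyd_net, honeyd_mask, host_ip, host_mask):
    """Return the persistent 'route add -p' line to enter on the router or
    multihomed Windows box in front of the host (never on the host itself)."""
    if not subnet_is_separate(honeyd_net, honeyd_mask, host_ip, host_mask):
        raise ValueError(f"Honeyd subnet {honeyd_net}/{honeyd_mask} overlaps "
                         f"the host adapter's subnet {host_ip}/{host_mask}")
    honeyd = ipaddress.ip_network(f"{honeyd_net}/{honeyd_mask}", strict=True)
    next_hop = ipaddress.ip_address(host_ip)
    return f"route add -p {honeyd.network_address} mask {honeyd.netmask} {next_hop}"


def reply_path(client_ip, host_ip, host_mask):
    """Where Honeyd's reply to a test client ends up.  Honeyd's source address
    is off the host's subnet, so the host adapter hands every reply to its
    default gateway: a client on the host's own local subnet never receives
    it ('gateway'), while a client beyond the gateway is reached normally
    ('routed')."""
    host_if = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    client = ipaddress.ip_address(client_ip)
    return "gateway" if client in host_if.network else "routed"


if __name__ == "__main__":
    # The addresses from the text: Honeyd owns 192.168.169.0/24 behind a host
    # whose adapter is 192.168.168.200.
    print(plan_honeyd_route("192.168.169.0", "255.255.255.0",
                            "192.168.168.200", "255.255.255.0"))
    print("same-subnet test client:",
          reply_path("192.168.168.50", "192.168.168.200", "255.255.255.0"))
    print("client beyond the gateway:",
          reply_path("10.1.2.3", "192.168.168.200", "255.255.255.0"))
```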
Most first-time honeypot administrators will run Honeyd on a host connected to a network segment on their firewall’s DMZ or inside their network on the LAN. The majority of new Honeyd administrators start emulating one or just a few IP addresses, with a range of OS emulations. Advanced administrators set up a virtual honeynet emulating dozens of hosts stretched out over many subnets.
As long as your honeypot is contactable over the Internet, it will be visited. For this reason, your computer hosting Honeyd must be hardened.
Chapter 4 covered hardening the host OS. Here is a review of the most important hardening steps:
The host should be in a location physically secure from unauthorized access.
All patches and service packs should be applied.
If installed, rename the administrator and guest accounts. Make sure the guest account is disabled.
Secure the user accounts and limit them to only the ones that are necessary, and use complex passwords to protect remaining accounts.
Use the NTFS file system to tighten file permissions.
Uninstall unnecessary applications and services.
Don’t install Internet browsers, e-mail, word processors, or other high-risk applications.
Maintain a clean copy of the system, in case it needs to be rebuilt.
Some honeypot administrators install a firewall in front of the host computer. This can be useful to block traffic to or from the host or Honeyd, depending on the needs of the administrator. Versions of Windows NT 4.0 and above have the ability to do IP filtering on the Windows IP stack, but this will have no effect on the traffic headed to Honeyd. When you enable the IP Filtering feature, Windows says you are enabling filtering for all adapters. But the packet-level capture driver, WinPcap (which you’ll install in the next step), intercepts traffic before the Windows IP stack can manipulate it. Thus, the Windows IP Filtering option will have no effect on Honeyd. You can use this characteristic to your favor when hardening your host.
To enable IP Filtering, open the Control Panel and select Network Connections. Then right-click the active network connection, and choose Properties. On the General tab of the Properties dialog box, select Internet Protocol (TCP/IP), then choose Properties, then Advanced, then Options.
If the hacker compromises your host computer, consider all captured data suspect. Figure out how your host was compromised and close the hole.
Honeyd, and many of its supporting programs, require the presence of WinPcap. WinPcap is a Win32 API for packet capturing at the driver level. It is needed to capture and inspect packets before Windows’ own IP stack takes control. It is a port of libpcap, the versatile Unix API. Many programs take advantage of the WinPcap API. It can be installed on Windows computers with Windows 95 and above.
WinPcap’s two main files are Packet.dll and Wpcap.dll.
To install WinPcap, go to http://winpcap.polito.it and download the latest version. (If you have an older version of WinPcap, uninstall it first.) It comes in a normal (auto-installer) package and a silent (transparent) package. Either install package works great.
To install WinPcap using the auto-installer package, follow these instructions:
Download the executable to your Honeyd host desktop and execute it. This will start the WinPcap Installation wizard.
In the WinPcap 3.0 Setup dialog box, click Next to continue.
In the WinPcap License Agreement dialog box, enable the check box to accept the terms of the WinPcap license. Click Next to continue. The installation will proceed rapidly and end quickly.
Click Next, and then click Finish to exit the WinPcap installation program.
Reboot your PC. Although this last step is not always necessary, it never hurts to do a reboot after a packet-level driver installation.
You should download and install WinPcap version 3.0 unless otherwise instructed by the product installation documentation. Newer versions of WinPcap are available, but they may cause problems.
You can confirm the successful installation of WinPcap under the Add/Remove Programs Control Panel applet, as shown in Figure 5-3. (Older versions of WinPcap installed a driver that could be seen in Network Neighborhood properties.)
Figure 5-3: Confirming WinPcap’s successful installation in Add/Remove Programs
There is another, more accurate, way to check for a correct installation. It’s a good idea to do this extra step so that you don’t need to worry about it later on if you’re troubleshooting other installed components. For this method, you use WinDump, a Windows version of the Unix tcpdump utility, which captures and displays network packets.
Download Windump.exe from http://windump.polito.it. Place it in a location you can easily access from the DOS command prompt. I like to download it to C:\ so I can find it easily. (It does not have an installation routine and is executed directly at the DOS command prompt.)
Exit to the DOS command prompt.
Type windump.exe -D (make sure to type -D, not -d) and press the Enter key. If WinDump returns a number and the name of your interface card, along with some other less interesting information, as shown in Figure 5-4, then WinPcap is correctly installed. You can continue with the next software installation step. If WinDump does not work, try rebooting your computer (if you didn’t after installing WinPcap) or troubleshooting the WinPcap installation using the documentation located on the web site (http://winpcap.polito.it).
Figure 5-4: Windump.exe -D output example verifying a correctly installed WinPcap driver
Although WinPcap is known to work with most Ethernet network cards, there are a few known conflicts. WinPcap has been reported to conflict with other drivers that work at the packet level, including PGPnet and some personal firewalls. It also has been reported to cause connection problems on PPP links. WinPcap supports other types of network interface cards, like ATM, FDDI, and Token Ring, but it has not been tested widely to ensure that it works on all non-Ethernet cards.
Cygwin is a Linux emulation environment for Windows. It consists of a large collection of Linux tools and utilities. Although Cygwin is an optional installation, it is essential for running Honeyd service scripts, since most scripts were created for Unix-like environments. Among other tools, it will install the shell scripting and Perl interpreters to run associated script files. The default installation contains over 2,000 files and over 500 subdirectories, and we need to add a few additional optional selections to get the Perl scripting engine and decompression utilities.
Follow these steps to install Cygwin:
The download size is roughly 26MB, so plan your download time accordingly. Go to http://www.cygwin.com. Click the small icon labeled Install Cygwin Now, located in the upper-right portion of the screen.
Save the Setup.exe file to your desktop and execute it.
In the Cygwin Setup dialog box, click Next to continue past the initial install screen.
A message may appear asking you to choose whether or not to disable your virus scanner. If so, disable your antivirus software and click Next.
In the Cygwin Setup – Choose Installation Type dialog box, choose the Install from Internet option, unless you have the Cygwin files installed elsewhere. Click Next.
In the Cygwin Setup – Choose Installation Directory dialog box, accept the default directory of C:\cygwin and the other defaults by clicking Next.
In the Cygwin Setup – Select Local Package Directory dialog box, click Next to accept the default location, or choose another location.
In the Cygwin Setup – Select Connection Type dialog box, click Next to accept the default, or choose the appropriate connection type.
In the Cygwin Setup – Choose Download Site(s) dialog box, choose a site to download from. Look through the available sites and choose one closest to you (or randomly pick one). Click Next to continue. You may need to do this step several times, choosing different download sites, to get the download started.
A Cygwin Setup – Select Packages dialog box will appear, asking you to select what Cygwin software packages to install, as shown in Figure 5-5. It has different install categories (Archive, Development, and so on). Select the Archive category and choose Install. This is to get Unix-style decompression programs, like zip file decompressors.
For each category in the Cygwin Setup – Select Packages dialog box, you can click the Install action and choose to accept the Default(s), Install (all), Skip, Reinstall, or Uninstall. Be careful not to click Install in the top category, or it will install everything available with Cygwin—hundreds of megabytes.
Figure 5-5: Cygwin Setup – Select Packages dialog box
In the Cygwin Setup – Select Packages dialog box, select and expand (by clicking the + symbol) the Interpreters category. Select Perl-libwin32 and Python (scripting languages). Downloading just the binaries is fine; there’s no need to download the source code.
In the Cygwin Setup – Select Packages dialog box, click Next. The files will download and install. You will see a percentage completion for each file download and for the whole installation. This step usually takes several minutes or longer.
The Cygwin download process can take over an hour if downloaded from a slow mirror site. If downloading is taking too long, cancel the process, and restart the downloading using a new mirror site.
In the Cygwin Setup – Create Icons dialog box, click Finish to finish. Click OK to acknowledge the end of the Cygwin setup program.
Go to the C:\cygwin\bin directory and verify that both the sh.exe and perl.exe files are located there. If not, repeat the previous steps.
The Cygwin setup instructions change slightly every version, so the exact installation instructions may vary over time.
After the installation is complete, you need to add the C:\cygwin\bin and C:\Honeyd directories to the system PATH statement so its binaries can be accessed when needed. To do this on a Windows 2000 or above machine, follow these steps:
Go to the Control Panel and choose the System applet.
Click the Advanced tab and select Environment Variables.
Click the Edit button for the path system.
Go to the end of the current PATH statement (do not erase the current contents) and add the following text:
;C:\cygwin\bin;C:\Honeyd
Click OK. Then click OK two more times to accept the changes and return to the main screen.
From the main screen, get to the DOS command prompt (choose Start, then Run, type cmd, and press Enter). Type SET PATH and press Enter. You should see C:\cygwin\bin and C:\Honeyd in the PATH statement.
Cygwin is an excellent learning environment for all things Unix and Linux. You can play with and install many utilities that have always been available only in the Unix world. Some honeypot users have become so excited by all the new tools and fun things to learn with Cygwin that they get distracted from their primary mission.
Alternatively, many Perl programmers prefer ActiveState’s (http://www.activestate.com) ActivePerl Perl engine over the one included with Cygwin. ActiveState was recently acquired by antivirus vendor Sophos. Both Cygwin’s and Sophos’s versions are free.
Now you finally get to install Honeyd. Follow these steps:
Go to SecurityProfiling’s web site (http://securityprofiling.com/honeyd/honeyd.shtml) and download the Honeyd binaries (honeyd-0.5-win32.zip) to your desktop.
Create a folder called C:\Honeyd.
Unzip the Honeyd binaries to the C:\Honeyd folder. Make sure to override the default subdirectory that the Honeyd binaries want to install to. Placing them in C:\Honeyd instead of C:\Honeyd-0.5 makes life a little easier.
You should have more than 70 files in C:\Honeyd and its six child folders. The Honeyd default directories are as follows:
Honeyd is a command-line utility that you will be running from the DOS command prompt until you get proficient enough to trust using a batch file executed in Windows.
To test your installation, follow these steps:
Get to the DOS command prompt (choose Start, then Run, type cmd, and press Enter) and change to the C:\Honeyd folder.
Type honeyd.exe -W (case-sensitive). You should see output similar to the display from Windump.exe -D (see Figure 5-4).
To verify that SH is working, type SH and press Enter. You should be at a $ prompt. Type EXIT and press Enter to exit.
To test Perl, change to C:\Cygwin\bin, type Perl, and press Enter. You should be at a blank line (this might appear locked up to you, because nothing is happening, but this is normal). Press Ctrl-C to exit.
If you saw anything other than what I’ve described here, you need to troubleshoot the previous installation steps.
Honeyd’s real power is its ability to emulate services using script files. Let’s download some scripts to analyze and play with in Chapter 7.
Go to http://www.honeyd.org/contrib.php and download the different script files to the \scripts folder under C:\Honeyd.
From the DOS command prompt, switch to the C:\Honeyd\scripts directory. You will see that many of the script files are archived and must be uncompressed. Files ending in the extensions .gz, .tgz, and .tar.gz (called tarballs) are compressed with GNU zip (Gzip). Cygwin comes with a command-line version of Gzip. (You can find Gzip documentation at http://www.gzip.org.)
You can use a Windows utility or Gzip to uncompress the files. Archiving utilities—like Win-GZ (http://www.crispen.org/src), 7-Zip (http://www.7-zip.org), Power Archiver (http://www.sfsu.edu/ftp/win/utils), WinZip (http://www.winzip.com), and WinRAR (http://www.rarlab.com)—can uncompress tarballs with a friendly GUI. To use Gzip, type gzip -d <filename>. Gzip will automatically delete the compressed parent file. The uncompressed file could have a .tar extension. You can rename each file’s .tar extension to .pl or .sh, depending on the scripting language it is written in.
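As an added example (not code from the book or from the Honeyd project), the following Python script automates the unpacking step just described for a whole \scripts folder: it expands .tgz and .tar.gz tarballs member by member, decompresses plain .gz files and deletes the archive as gzip -d does, and picks the .pl or .sh extension from each script's #! line instead of renaming by hand. The sample archives it builds are constructed for the demonstration and are not real Honeyd scripts.

```python
"""Unpack downloaded Honeyd service scripts (added example, not from the book
or the Honeyd project).  The sample archives are constructed here for the
demonstration and are not real Honeyd scripts."""
import gzip
import io
import os
import tarfile
import tempfile


def script_extension(first_line):
    """Choose .pl or .sh from a script's #! line; anything else keeps .txt."""
    line = first_line.decode("ascii", "replace").strip()
    if line.startswith("#!"):
        if "perl" in line:
            return ".pl"
        if "bash" in line or line.endswith("/sh") or line.endswith(" sh"):
            return ".sh"
    return ".txt"


def save_script(folder, stem, data):
    """Write one script into folder, named from its shebang rather than by hand."""
    name = stem + script_extension(data.split(b"\n", 1)[0])
    with open(os.path.join(folder, name), "wb") as fh:
        fh.write(data)
    return name


def unpack_scripts(folder):
    """Expand every .tgz/.tar.gz/.gz in folder, delete each archive as gzip -d
    would, and return the sorted names left in the folder."""
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if name.endswith((".tgz", ".tar.gz")):
            # A real tarball: copy out regular files only, by basename, so a
            # hostile member path cannot land outside the scripts folder.
            with tarfile.open(path, "r:gz") as tar:
                for member in tar.getmembers():
                    if member.isfile():
                        stem = os.path.splitext(os.path.basename(member.name))[0]
                        save_script(folder, stem, tar.extractfile(member).read())
        elif name.endswith(".gz"):
            # A single gzip'd script: drop .gz and any extension already present.
            with gzip.open(path, "rb") as fh:
                data = fh.read()
            save_script(folder, os.path.splitext(name[:-3])[0], data)
        else:
            continue
        os.remove(path)
    return sorted(os.listdir(folder))


def build_sample_folder():
    """Constructed sample downloads: one gzip'd Perl script and one tarball
    holding a shell script (fake banners, not Honeyd's own scripts)."""
    folder = tempfile.mkdtemp(prefix="honeyd-scripts-")
    perl_script = b'#!/usr/bin/perl\nprint "+OK constructed sample\\r\\n";\n'
    sh_script = b"#!/bin/sh\necho 'constructed sample login:'\n"
    with gzip.open(os.path.join(folder, "pop3.gz"), "wb") as fh:
        fh.write(perl_script)
    with tarfile.open(os.path.join(folder, "telnet.tar.gz"), "w:gz") as tar:
        info = tarfile.TarInfo("telnet/telnet")
        info.size = len(sh_script)
        tar.addfile(info, io.BytesIO(sh_script))
    return folder


if __name__ == "__main__":
    print(unpack_scripts(build_sample_folder()))  # ['pop3.pl', 'telnet.sh']
```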
Snort is another essential, but optional, sidekick program for Honeyd. It can act as a packet sniffer, but, more importantly, it can serve as a network intrusion detection device. You can use Snort to monitor your honeypot links and have it alert you when it detects activity. It can use its rules to identify exploits, making your job a lot easier. It can also be used to replay attacks, if the packets were captured using a tcpdump-compatible utility (like Snort, Ethereal, or WinDump). Chapter 9 will cover Snort’s configuration and use.
Follow these steps to install Snort:
Go to http://www.snort.org/dl/binaries/win32 and download the latest version to your desktop.
Execute the Snort install program.
In the Snort Setup License Agreement dialog box, click the I Agree button to accept the Snort licensing agreement (after reading it, of course).
In the Snort Setup Installation Options dialog box, select the “I do not plan to log to a database” option or the “I am planning to log to one of the databases listed above” option. Click the Next button.
In the Snort Setup Choose Components and the Snort Setup License Agreement dialog boxes, click Next to accept the default install components.
In the Snort Setup Install Location dialog box, make sure the destination folder is C:\Snort and click the Install button.
In the Snort Setup Installation Complete dialog box, click the Close button. Click the OK button when it warns you to install WinPcap (it will do so whether or not you have WinPcap installed).
Ethereal is an excellent open-source packet-capturing utility. It’s relatively easy to install and use. Ethereal can be your best friend when trying to diagnose a honeypot runtime problem or when capturing malicious hacking packets. We will cover using Ethereal in Chapter 9.
To install Ethereal, follow these steps:
Download the Ethereal install executable from http://www.ethereal.com/distribution/win32 and save it to your desktop.
Execute the Ethereal install program to start the installation wizard.
In the Ethereal Setup dialog box, click Next to continue.
In the Ethereal Setup License Agreement dialog box, click the I Agree button to accept the Ethereal licensing terms.
In the Ethereal Setup Choose Components dialog box, click the Next button to accept the default install components.
In the Ethereal Setup Install Location dialog box, click the Install button to accept the default install location, C:\Program Files\Ethereal.
Click the Close button when the installation completes.
Double-click the new Ethereal icon to test the installation. Choose Start in the Capture menu and click the OK button. Create some network packet activity (for example, start a web browser and surf to any Internet web site). Click the Stop button. Packet activity should populate your screen, similar to the example shown in Figure 5-6.
Figure 5-6: An Ethereal screen
Well, we are finished installing Honeyd and all its support software. The hard part is over.
During any of these installation steps, you can choose to install to a different drive letter and directories. Table 5-4 shows the directories I’ve recommended. If you deviated from these default drive letters or directories, replace your drive letter and directory any time the book references these subdirectory structures.
Table 5-4: Recommended installation directories
Honeyd honeypot software: C:\Honeyd
Cygwin emulation program and related executables: C:\cygwin
Snort Intrusion Detection System: C:\Snort
Ethereal network traffic analyzer: C:\Program Files\Ethereal