Setting Up Honeyd Configuration Files

skip navigation

honeypots for windows
Chapter 6 - Honeyd Configuration
Honeypots for Windows
by Roger A. Grimes
Apress 2005
progress indicator progress indicatorprogress indicator progress indicator

You can create one or more Honeyd configuration files to set up your virtual honeypots. The Honeyd configuration file is a simple text file created with any standard text editor. This file can be placed anywhere that can be referenced by the runtime Honeyd command-line options.

Within the configuration file, you set up each virtual honeypot, called a template. Although you could use just one template to mimic a single system, most instances of Honeyd are intended to emulate multiple machines. Therefore, the configuration file defines several templates.

Each virtual honeypot is made up of a collection of Honeyd commands bound to a template name defining its parameters. You also want to configure a default template to handle all traffic not defined by any other template. Although you can set up the configuration file definitions in almost any order, here is the recommended logical order of templates in the Honeyd.config file:

  1. Default template

  2. Template 1

  3. Template 2

  4. Template 3

Let’s look at the commands used to build a template, and then see how they all fit together in the Honeyd.config file. At the end of this section, I’ll present a sample configuration file with templates for several Windows OSs.

Configuring Honeyd Templates

Each template defines the necessary parameters in the following order:

  • OS personality (mimicked IP stack)

  • IP address or addresses to bind the virtual honeypot to

  • ICMP responses

  • TCP port responses

  • UDP port responses

  • System variables

Creating a Honeyd template to mimic a realistic Windows system is not easy. But it is this flexibility and customization that gives Honeyd its strength. Templates are easier to create if you use the following structure with each template:

 CREATE <template name>  ANNOTATE "<personality name>" [NO] FINSCAN FRAGMENT <action>  SET <template name> PERSONALITY “<personality name>”  BIND <IP address(es)> <template name>  SET DEFAULT <template name> TCP ACTION <action>  SET DEFAULT <template name> UDP ACTION <action>  SET DEFAULT <template name> ICMP ACTION <action>  ADD <template name> TCP PORT <number> <action>  SET <template name> UPTIME <seconds>  SET <template name> DROPRATE IN <%>  SET <template name> UID <number> [GID <number>] 

Note 

Don’t forget to set a default template to handle traffic to IP addresses not specifically defined.

We’ll go through each of these instructions, and then put it all together in a sample template.

Creating the Template

First, use the CREATE command word to create each template. One instance of Honeyd can contain one or more templates, as defined by the Honeyd configuration file. The syntax is as follows:

 CREATE <template name> 

Note 

Honeyd keyword commands are not case-sensitive. I’ve presented them in this book in all uppercase letters for readability.

Template names are case-sensitive and can be almost anything, subject to the following rules:

  • They cannot begin with a number.

  • They cannot begin with spaces or extended ASCII characters.

  • Names should not be identical to reserved keywords.

A special default template, which defines all otherwise undefined behavior, is created by using the following syntax:

 CREATE DEFAULT <template name> 

Many Honeyd administrators just type in CREATE DEFAULT default. This will create a default template called default (but the default template can be named nearly anything).

Adding Personality Instructions

As you learned in Chapter 5, a personality is an OS IP stack emulation associated with a Honeyd template. Personalities names are documented in the Nmap.prints file. There are 17 Windows personalities to choose from, although the list needs updating. For instance, Windows Server 2003 is called Windows .NET server. This is because Microsoft kept changing its name until just before Windows Server 2003’s release. I expect the Nmap.prints file to be updated with newer additions in the near future, and adding your own personalities is not all that difficult (see Nmap documentation at http://www.insecure.org/nmap/nmap_documentation.html).

Here are some common Windows choices:

  • Windows 98

  • Windows 2000 SP2

  • Windows 2000/XP/ME

  • Windows XP Pro

  • Microsoft Windows.NET Enterprise Server (build 3615 beta)

Annotating a Personality

Before a personality can be associated with a particular template, it must be annotated. Annotating a personality loads the personality and further refines its behavior. The annotation syntax is as follows:

 ANNOTATE "<personality name>" [NO] FINSCAN 

and

 ANNOTATE "<personality name>" FRAGMENT <action> 

The FINSCAN keyword tells Honeyd whether to allow FIN port scans against the template. Setting the NO FINSCAN instruction tells Honeyd not to respond to FIN port scans.

Early port scans used TCP SYN packets to see whether a particular port was open or closed. When an open TCP port receives a SYN packet, it will reply back with an ACK-SYN packet as the second step of the three-way handshake. If the TCP port does not exist, most TCP/IP stacks will send a RST packet. Sequential SYN scans are easy to detect and will set off firewall and IDS alerts. Malicious hackers started sending FIN packets instead. A packet with the FIN flag set is the way a TCP host ends a session. Because the hacker did not have a previously established connection that needed closing, an active TCP port would send one type of error, and a closed port would just drop the packet and not respond. Older firewalls and IDSs did not check for FIN scan packets, so they would let the hacker port-scan a machine, without setting off any alarms.

The FRAGMENT instruction tells Honeyd how to react to fragmented TCP/IP packets. The DROP keyword says to drop all fragmented packets. The OLD and the NEW keywords tell Honeyd how to treat overlapping fragments. Malicious hackers often malform TCP/IP packet fragments so that when they are rejoined at the destination host, one packet can partially override another’s data, thereby possibly allowing it to bypass a perimeter device (like a firewall) and execute a malicious payload on the host. Honeyd’s default behavior is to allow the older packet to override the newer packet if there is an overlapping conflict.

Caution 

Due to a bug in the Honeyd Win32 port, fragmented packets cause Honeyd to lock up, regardless of the FRAGMENT action.

Fortunately, the ANNOTATE keyword can be used without specifying how to handle fragmented packets and FIN port scans. Here is an example:

 ANNOTATE "Windows 2000 SP2" 

The personality listed inside the quotation marks is case-sensitive and must match exactly the personality name listed in Nmap.prints. All ANNOTATE commands should be listed at the top of the Honeyd configuration file (see Listing 6-4, later in this chapter), so it is easy to see all the OS personalities that this particular configuration file is defining.

Associating a Template with a Personality

Next, you associate an OS personality with the template. This is done using the SET command with the following syntax:

 SET <template name> PERSONALITY "<personality name>" 

Setting up a Windows 2000 personality might have the following syntax:

 SET Windows 2000 PERSONALITY "Windows 2000 SP2" 

Next, bind one or more IP addresses to the template, with the following syntax:

 BIND <IP address(es)> <template name> 

For example, you could bind the 10.0.0.1 IP address to the Windows 2000 template using the following syntax:

 BIND 10.0.0.1 Windows 2000 

If an IP address serviced by the honeypot is not bound to a template, it is answered by the default template.

Adding Port Instructions

Next, you need to create and add ports and services to your template. Referring back to the recommendations in Chapter 3, you want your honeypot to mimic the customary ports of a typical Windows system. Honeyd can define ICMP, TCP, and UDP ports as Open, Blocked, or Reset (Closed).

Defining the Default Port State

The first order of business is to define what the default state is for all ports not specifically defined in the template. The syntax is as follows:

 SET DEFAULT <template name> <protocol> ACTION <action> 

The default behavior for Windows computers for TCP and UDP probes to inactive ports is Reset. The default for the ICMP protocol is Open (reply with response packets). So, a typical Windows machine would have the following default port response:

 SET DEFAULT <template name> ICMP ACTION OPEN  SET DEFAULT <template name> TCP ACTION RESET  SET DEFAULT <template name> UDP ACTION RESET 

Note 

Windows XP Service Pack 2 comes with the Windows Firewall (previously known as the Internet Connection Firewall) enabled. This firewall blocks all inbound traffic not initiated by an outbound request.

Don’t forget to set the default actions for the default template. For example, if the default template is called default, the commands look like this:

 SET DEFAULT default ICMP ACTION OPEN  SET DEFAULT default TCP ACTION RESET  SET DEFAULT default UDP ACTION RESET 

Adding Ports

With default port actions set up, you now need to explicitly define the active ports or the ports that deviate from the default behavior. This is done using the following syntax:

 ADD <template name> <protocol> PORT <port number> <action> 

For example, if you want your Windows honeypot to mimic a Windows Server 2003 server, you might open and block the following ports:

 ADD <template name> UDP PORT 135 BLOCK  ADD <template name> UDP PORT 137 BLOCK  ADD <template name> UDP PORT 138 BLOCK  ADD <template name> UDP PORT 389 BLOCK  ADD <template name> UDP PORT 445 BLOCK  ADD <template name> UDP PORT 500 OPEN  ADD <template name> UDP PORT 4500 OPEN  ADD <template name> TCP PORT 25 OPEN  ADD <template name> TCP PORT 80 OPEN  ADD <template name> TCP PORT 88 OPEN  ADD <template name> TCP PORT 110 OPEN  ADD <template name> TCP PORT 119 OPEN  ADD <template name> TCP PORT 135 BLOCK  ADD <template name> TCP PORT 137 BLOCK  ADD <template name> TCP PORT 139 BLOCK  ADD <template name> TCP PORT 143 OPEN  ADD <template name> TCP PORT 443 OPEN  ADD <template name> TCP PORT 445 BLOCK  ADD <template name> TCP PORT 593 OPEN  ADD <template name> TCP PORT 3389 OPEN 

Tip 

Blocking certain ports, especially ports 135 and 137 through 139, is essential to making your honeypot look real. Blocking versus resetting the port mimics the behavior the hacker would expect when an Exchange Server is protected by a firewall. I still keep enough ports open to intrigue the hacker.

Defining open and closed ports is the bulk of any template. You must carefully consider which ports to define and which states to assign to those ports. For example, even though I recommend blocking ports 135, and 137 through 139, if your interest is in catching RPC malware, then by all means, make port 135 open. Also, consider opening a few random TCP and UDP ports between 1023 and 2000, as real Windows computers usually have a few listening RPC ports established in these ranges. The great thing about Honeyd is that you can define and customize your honeypot to meet your objectives. As you’ll learn when we look at other Windows-based honeypots in Chapter 8, not all honeypot software gives you the same flexibility.

Adding Service Scripts

To give your honeypot even more realism, you should add functionality to different ports, instead of simply marking them Open, Blocked, or Reset. In particular, an Exchange Server with IIS should readily accept telnet sessions to its publicly accessible mail TCP ports (ports 25, 110, 119, and 143) and also accept web browsing to TCP ports 80 and 443. In Chapter 7, you will see how to create service scripts to mimic the appropriate behavior. For now, just modify the configuration instructions in preparation for the scripts. The syntax for adding scripts is as follows:

 ADD <template name> <protocol> PORT <number> "<script engine to call> <script file>" 

For example, the following scripts could be added:

 ADD <template name> TCP PORT 25 "sh c:\Honeyd\scripts\smtp.sh"  ADD <template name> TCP PORT 80 "cscript.exe c:\Honeyd\scripts\iis6.cs"  ADD <template name> TCP PORT 110 "sh c:\Honeyd\scripts\pop.sh"  ADD <template name> TCP PORT 119 "perl.exe c:\Honeyd\scripts\nntp.pl"  ADD <template name> TCP PORT 143 "wscript.exe c:\Honeyd\scripts\imap.vbs"  ADD <template name> TCP PORT 443 "sh c:\Honeyd\scripts\ssl.sh" 

Adding Proxies

There are times when you might want to redirect the intruder’s probes away from the low-interaction world of Honeyd and to a higher-interaction real server. This process is called proxying. For instance, you might want the hacker to be given access to a real FTP or DNS server. Both of these services are particularly hard to create fake scripts for, and if you have a server that can deliver both of these services to the hacker safely, why not use it? The actual services will add realism to your honeypot. The proxy syntax is as follows:

 ADD <template name> <protocol> PORT <port number> PROXY <real server  IP address port number> 

Here are two examples of adding proxies:

 ADD <template name> TCP PORT 21 PROXY 66.45.57.103:21  ADD <template name> TCP PORT 53 PROXY 10.0.0.2:53 

Setting System Variables

Honeyd allows you to set a few more system variables that add even more realism to your template:

  • UPTIME: The number of seconds the system has been up between reboots:

     SET <template name> UPTIME <seconds> 

  • DROPRATE: If used, DROPRATE IN will drop the specified percentage of packets sent from Honeyd to simulate a busy network:

     SET <template name> DROPRATE IN <%> 

  • UID and GID: Unique identifier and global identifier for the virtual computer:

     SET <template name> UID <number> [GID <number>] 

Here are examples of system variable settings:

 SET <template name> UPTIME 2248020  SET <template name> DROPRATE IN 0.005  SET <template name> UID 20208 GID 13876 

A Sample Template

Listing 6-3 shows a sample template for a virtual Exchange Server. This Honeyd template example would create a realistic-looking, low-interaction, Exchange Server 2003 honeypot.

Note 

The pound sign (#) is used to remark out lines so they aren’t executed or read by Honeyd.

Listing 6.3: Sample Honeyd Exchange Server Template

image from book
 ###Example Honeyd Template-Exchange Server 2003###  #Create and bind template  CREATE Exchange Server 2003  ANNOTATE "Microsoft Windows.NET Enterprise Server (build 3615 beta)"  SET Exchange Server 2003 PERSONALITY "Microsoft Windows.NET  Enterprise Server (build 3615 beta)"  BIND 10.0.0.1 Exchange Server 2003  #Set port behavior  SET DEFAULT Exchange Server 2003 TCP ACTION RESET  SET DEFAULT Exchange Server 2003 UDP ACTION RESET  ADD Exchange Server 2003 UDP PORT 135 BLOCK  ADD Exchange Server 2003 UDP PORT 137 BLOCK  ADD Exchange Server 2003 UDP PORT 138 BLOCK  ADD Exchange Server 2003 UDP PORT 389 BLOCK  ADD Exchange Server 2003 UDP PORT 445 BLOCK  ADD Exchange Server 2003 UDP PORT 500 OPEN  ADD Exchange Server 2003 UDP PORT 4500 OPEN  ADD Exchange Server 2003 TCP PORT 25 "sh c:\Honeyd\scripts\smtp.sh"  ADD Exchange Server 2003 TCP PORT 80 "cscript.exe c:\Honeyd\scripts\iis6.cs"  ADD Exchange Server 2003 TCP PORT 88 OPEN  ADD Exchange Server 2003 TCP PORT 110 "sh c:\Honeyd\scripts\pop.sh"  ADD Exchange Server 2003 TCP PORT 119 "perl.exe c:\Honeyd\scripts\nntp.pl"  ADD Exchange Server 2003 TCP PORT 143 "wscript.exe c:\Honeyd\scripts\imap.vbs"  ADD Exchange Server 2003 TCP PORT 135 BLOCK  ADD Exchange Server 2003 TCP PORT 137 BLOCK  ADD Exchange Server 2003 TCP PORT 139 BLOCK  ADD Exchange Server 2003 TCP PORT 443 "sh c:\Honeyd\scripts\ssl.sh"  ADD Exchange Server 2003 TCP PORT 445 BLOCK  ADD Exchange Server 2003 TCP PORT 593 OPEN  ADD Exchange Server 2003 TCP PORT 1063 OPEN  ADD Exchange Server 2003 TCP PORT 1071 OPEN  ADD Exchange Server 2003 TCP PORT 1073 OPEN  ADD Exchange Server 2003 TCP PORT 3389 OPEN  #Set template system variables  SET Exchange Server 2003 UPTIME 2248020  SET Exchange Server 2003 DROPRATE IN 0.005  SET Exchange Server 2003 UID 20208 GID 13876  ###End of Exchange Server 2003 Example template### 
image from book

Assembling Templates in a Honeyd Configuration File

You can place your Honeyd.config file anywhere that can be referenced by the runtime Honeyd command-line options. Listing 6-4 shows an example of a configuration file for a Honeyd honeynet consisting of a mix of Windows machines. This configuration file creates five Windows honeypots, plus the default template, mimicking various capabilities. You can download it from the Downloads section of the Apress web site (http://www.apress.com).

Listing 6.4: Sample Honeyd Configuration File

image from book
 #####Example Honeyd Configuration File#####  #Place annotations at the top of the file for readability  ANNOTATE "Windows Millennium Edition v4.90.300"  ANNOTATE "Microsoft Windows.NET Enterprise Server (build 3615 beta)"  ANNOTATE "Windows 98"  ANNOTATE "Windows 2000 SP2"  ANNOTATE "Windows NT 4.0 SP 6a + hotfixes"  ANNOTATE "Windows XP Pro"  ###Set up Default Template###  CREATE DEFAULT Default  SET DEFAULT PERSONALITY "Windows Millennium Edition v4.90.300"  SET DEFAULT Default TCP ACTION RESET  SET DEFAULT Default UDP ACTION RESET  ADD Default UDP PORT 135 BLOCK  ADD Default UDP PORT 137 BLOCK  ADD Default UDP PORT 138 BLOCK  ADD Default TCP PORT 135 BLOCK  ADD Default TCP PORT 137 BLOCK  ADD Default TCP PORT 139 BLOCK  SET Default UPTIME 111010  SET Default UID 50603 GID 38706  ###End of Default Template Setup  ###Example Honeyd Template-Exchange Server 2003###  #Create and bind template Exchange Server 2003 Template  CREATE Exchange Server 2003  SET Exchange Server 2003 PERSONALITY "Microsoft Windows.NET  Enterprise Server (build 3615 beta)"  BIND 10.0.0.1 Exchange Server 2003  #Set port behavior  SET DEFAULT Exchange Server 2003 TCP ACTION RESET  SET DEFAULT Exchange Server 2003 UDP ACTION RESET  ADD Exchange Server 2003 UDP PORT 135 BLOCK  ADD Exchange Server 2003 UDP PORT 137 BLOCK  ADD Exchange Server 2003 UDP PORT 138 BLOCK  ADD Exchange Server 2003 UDP PORT 389 BLOCK  ADD Exchange Server 2003 UDP PORT 445 BLOCK  ADD Exchange Server 2003 UDP PORT 500 OPEN  ADD Exchange Server 2003 UDP PORT 4500 OPEN  ADD Exchange Server 2003 TCP PORT 25 "sh c:\Honeyd\scripts\smtp.sh"  ADD Exchange Server 2003 TCP PORT 80 "cscript.exe c:\Honeyd\scripts\iis6.cs"  ADD Exchange Server 2003 TCP PORT 88 OPEN  ADD Exchange Server 2003 TCP PORT 110 "sh c:\Honeyd\scripts\pop.sh"  ADD Exchange Server 2003 TCP PORT 119 "perl.exe c:\Honeyd\scripts\nntp.pl"  ADD Exchange Server 2003 TCP PORT 143 "wscript.exe c:\Honeyd\scripts\imap.vbs"  ADD Exchange Server 2003 TCP PORT 135 BLOCK  ADD Exchange Server 2003 TCP PORT 137 BLOCK  ADD Exchange Server 2003 TCP PORT 139 BLOCK  ADD Exchange Server 2003 TCP PORT 443 "sh c:\Honeyd\scripts\ssl.sh"  ADD Exchange Server 2003 TCP PORT 593 OPEN  ADD Exchange Server 2003 TCP PORT 1063 OPEN  ADD Exchange Server 2003 TCP PORT 1071 OPEN  ADD Exchange Server 2003 TCP PORT 1073 OPEN  ADD Exchange Server 2003 TCP PORT 593 OPEN  ADD Exchange Server 2003 TCP PORT 3389 OPEN  #Set template system variables  SET Exchange Server 2003 UPTIME 2248020  SET Exchange Server 2003 DROPRATE IN 0.005  SET Exchange Server 2003 UID 20208 GID 13876  ###End of Exchange Server 2003 Example template###  ###Example Honeyd Template-Windows 98###  #Create and bind template  CREATE Windows 98  SET Windows 98 PERSONALITY "Windows 98"  BIND 10.0.0.2 Windows 98  #Set port behavior  SET DEFAULT Windows 98 TCP ACTION RESET  SET DEFAULT Windows 98 UDP ACTION RESET  ADD Windows 98 UDP PORT 135 BLOCK  ADD Windows 98 UDP PORT 137 BLOCK  ADD Windows 98 UDP PORT 138 BLOCK  ADD Windows 98 UDP PORT 389 BLOCK  ADD Windows 98 TCP PORT 137 "sh c:\Honeyd\scripts\netbios.sh"  ADD Windows 98 TCP PORT 135 OPEN  ADD Windows 98 TCP PORT 137 OPEN  ADD Windows 98 TCP PORT 139 OPEN  ADD Windows 98 TCP PORT 5132 OPEN  #Set template system variables  SET Windows 98 UPTIME 343412  SET Windows 98 UID 27218 GID 33876  ###End of Windows 98 Example template###  ###Example Honeyd Template- Windows 2000###  #Create and bind template  CREATE Windows 2000  SET Windows 2000 PERSONALITY "Windows 2000 SP2"  BIND 10.0.0.3 Windows 2000  #Set port behavior  SET DEFAULT Windows 2000 TCP ACTION RESET  SET DEFAULT Windows 2000 UDP ACTION RESET  ADD Windows 2000 UDP PORT 135 OPEN  ADD Windows 2000 UDP PORT 137 OPEN  ADD Windows 2000 UDP PORT 138 OPEN  ADD Windows 2000 UDP PORT 389 OPEN  ADD Windows 2000 UDP PORT 445 OPEN  ADD Windows 2000 UDP PORT 500 OPEN  ADD Windows 2000 UDP PORT 4500 OPEN  ADD Windows 2000 TCP PORT 80 "cscript.exe c:\Honeyd\scripts\iis5.cs"  ADD Windows 2000 TCP PORT 88 OPEN  ADD Windows 2000 TCP PORT 135 OPEN  ADD Windows 2000 TCP PORT 137 OPEN  ADD Windows 2000 TCP PORT 139 OPEN  ADD Windows 2000 TCP PORT 3389 "sh c:\Honeyd\scripts\termserv.sh"  #Set template system variables  SET Windows 2000 UPTIME 311020  SET Windows 2000 DROPRATE IN 0.0005  SET Windows 2000 UID 21233 GID 71523  ###End of Windows 2000 Example template###  ###Example Honeyd Template-NTSQL Server###  #Create and bind template  CREATE NT SQL Server  SET NT SQL Server PERSONALITY "Windows NT 4.0 SP 6a + hotfixes"  BIND 10.0.0.4 NT SQL Server  #Set port behavior  SET DEFAULT NT SQL Server TCP ACTION RESET  SET DEFAULT NT SQL Server UDP ACTION RESET  ADD NT SQL Server UDP PORT 135 OPEN  ADD NT SQL Server UDP PORT 137 OPEN  ADD NT SQL Server UDP PORT 138 RESET  ADD NT SQL Server UDP PORT 1433 OPEN  ADD NT SQL Server UDP PORT 1434 OPEN  ADD NT SQL Server TCP PORT 80 "cscript.exe c:\Honeyd\scripts\iis4.cs"  ADD NT SQL Server TCP PORT 42 "wscript.exe c:\Honeyd\scripts\wins.vbs"  ADD NT SQL Server TCP PORT 70 OPEN  ADD NT SQL Server TCP PORT 135 OPEN  ADD NT SQL Server TCP PORT 137 OPEN  ADD NT SQL Server TCP PORT 139 OPEN  ADD NT SQL Server TCP PORT 1433 OPEN  #Set template system variables  SET NT SQL Server UPTIME 1248013  SET NT SQL Server DROPRATE IN 0.05  SET NT SQL Server UID 11208 GID 7786  ###End of NT SQL Server Example template###  ###Example Honeyd Template-Windows XP Pro###  #Create and bind template  CREATE XP  SET XP PERSONALITY "Windows XP Pro"  BIND 10.0.0.155 XP  #Set port behavior  SET DEFAULT XP TCP ACTION RESET  SET DEFAULT XP UDP ACTION RESET  ADD XP UDP PORT 88 OPEN  ADD XP UDP PORT 123 OPEN  ADD XP UDP PORT 135 OPEN  ADD XP UDP PORT 137 OPEN  ADD XP UDP PORT 138 OPEN  ADD XP UDP PORT 389 OPEN  ADD XP UDP PORT 445 OPEN  ADD XP UDP PORT 500 OPEN  ADD XP UDP PORT 4500 OPEN  ADD XP TCP PORT 21 PROXY 192.168.1.1:21  ADD XP TCP PORT 80 "wscript.exe c:\Honeyd\scripts\iis51.ws"  ADD XP TCP PORT 88 OPEN  ADD XP TCP PORT 135 OPEN  ADD XP TCP PORT 137 OPEN  ADD XP TCP PORT 139 OPEN  ADD XP TCP PORT 443 "sh c:\Honeyd\scripts\ssl.sh"  ADD XP TCP PORT 515 OPEN  ADD XP TCP PORT 560 OPEN  ADD XP TCP PORT 563 OPEN  ADD XP TCP PORT 1863 OPEN  ADD XP TCP PORT 3389 OPEN  ADD XP TCP PORT 5000 OPEN  ADD XP TCP PORT 5190 OPEN  #Set template system variables  SET XP UPTIME 111010  SET XP UID 50603 GID 38706  ###End of XP Example template###  #####End of Honeyd Configuration File Example##### 
image from book

As you’ve learned, the key to setting up any honeynet is ensuring that the different OS flavors mimic the appropriate ports and services. The configuration file in Listing 6-4 reflects the choices I made in this regard. For example, Windows XP Professional uses IIS 5.1, Windows NT uses IIS 3 or 4, Windows 2000 uses IIS 5, and Windows Server 2003 uses IIS 6. The Universal Plug and Play port, 5000, exists in Windows Me and XP, but not the other versions. I added a port 70 (Gopher) to Windows NT. Gopher was a common service back in IIS 3 and 4, but it was removed in later versions of IIS because it became unused and contained vulnerabilities. I also randomly added ports, such as 1863, Windows Messenger, and 5190, AOL Instant Messenger, to give the XP honeypot realism. One of the templates got a common PC Anywhere port, 5132. TCP ports 1063, 1071, and 1073 were added to the Exchange Server 2003 template to simulate randomly open RPC ports, but they could have been almost any port number and added to any of the templates.

Use what you learned in this chapter, along with the information in Chapter 3, to construct the most realistic honeynet you can make. The more interesting your honeynet is, the longer the hacker will lurk, and the more you will learn about your adversary.

progress indicator progress indicatorprogress indicator progress indicator


Honeypots for Windows
Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359
EAN: 2147483647
Year: 2006
Pages: 119

Similar book on Amazon
Honeypots: Tracking Hackers
Honeypots: Tracking Hackers
Know Your Enemy: Learning about Security Threats (2nd Edition)
Know Your Enemy: Learning about Security Threats (2nd Edition)
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net