Service scripts allow Honeyd to go beyond simple port listening and actually converse with intruders. If appropriately constructed, service scripts can induce attackers to reveal more of their techniques and can capture the malware they upload.
This chapter discusses the default and downloadable Honeyd scripts, as well as creating custom Honeyd scripts. But before we look at the scripts themselves, we’ll go over some script basics. Several of the scripts shown in this chapter can be integrated with the configuration file we created in Chapter 6.
Service scripts are the key to making a more interesting and realistic Honeyd honeypot. Service scripts can be used for the following tasks:
Making a higher-interaction honeypot
Capturing more detailed logs
Reacting to intruders
Catching worms and viruses
Executing an alert mechanism
Within the confines of text-based input and output, you can create nearly any behavior you desire. If you’re a programmer, you will feel comfortable with the idea of writing scripts. If you’re not a programmer, you will be happy to know that you can download and install existing scripts, and you can use them as templates for new scripts.
Before continuing, make sure you have correctly installed Cygwin and the Perl and shell scripting engines, as explained in Chapter 5.
You can make scripts in any programming language supported by your honeypot host platform. Administrators with a minimum understanding of the underlying script language can modify other people’s scripts for their environment. For example, it takes less time to start with someone else’s script written to emulate Unix’s WU-FTPD daemon and customize it to emulate IIS’s FTP service than it does to create the script from scratch.
WU-FTPD (Wuarchive-ftpd), developed at Washington University, was for many years the most widely deployed FTP server daemon on the Internet.
Whether you’re developing your own service scripts or customizing other people’s scripts, you’ll need to understand Honeyd script basics.
Most Honeyd scripts are coded in the shell or Perl scripting languages. This section will briefly discuss those languages and a few others that can be used to code and run scripts on Windows platforms.
Common Unix/Linux shells include Korn, Bash, Bourne, and Zsh. Although the shell command language can vary from shell to shell (for example, between Korn and Bash), many of the commands are the same and share the same basic syntax. Cygwin’s shell interpreter, sh.exe, is the Unix cousin of the DOS batch file language; typing sh.exe at a Windows command prompt and pressing Enter will result in the interactive $ prompt. Although the shell command language isn’t the best scripting language, it is available on virtually any Unix/Linux system, even when Perl or some other high-level language isn’t. For simple file manipulation and portability, shell scripting is a safe choice, and for that reason many Honeyd service scripts are written in it. Shell script file names usually end in .sh.
Visit the following sites for more information about the shell command language:
Perl is an open-source, cross-platform language released in 1987 by Larry Wall. Its rich feature set helped it to become known as the “duct tape of the Internet.” It supports HTML, XML, Unicode, and integration with C code. Perl also enjoys wide third-party database support (including MySQL, Sybase, and Oracle). As a testament to its acceptance and versatility, many whitehat vulnerability testing and penetration tools are coded purely in Perl. Visit http://www.perl.org or http://www.activestate.com (for ActivePerl, the Windows distribution) for more details. Perl file names end in .pl.
Many hacker tools can be used both with or without malicious intent. Whitehat hackers often use vulnerability testing tools to audit and strengthen security.
Python (http://www.python.org) is another free language. It was developed in 1990 by Guido van Rossum, whose favorite comedy group at the time was Monty Python’s Flying Circus. It has gained popularity because of its clear syntax, readability, and object-oriented programming style. Although it is not as widely used as Perl and shell for writing Honeyd service scripts, it shows up in some of the larger scripts. Python file names usually end in .py.
If you’ve ever seen a sophisticated DOS batch file, then you already know the Windows command interpreter language is more than simple REM and ECHO commands. When you execute Cmd.exe (the 32-bit version) or Command.com (the 16-bit version), you open the Windows command shell. In newer versions of Windows, you can type the help command to get a list of built-in command-line programs, and dozens of additional commands can be used to automate processes and jobs and to build complete runtime programs. Programming constructs such as GOTO, CHOICE, CALL, IF, FOR ... DO, and SHIFT allow a programmer to do much more than execute simple commands.
You can use the Windows command-line shell language to build Honeyd service scripts. Windows command-line file names end in .bat or .cmd.
For more information about the Windows command-line shell language, see the following:
Microsoft’s most popular programming language platform is called Visual Basic (VB). It has morphed from a GUI shell placed over the BASIC command-line interpreter into a first-class member of Microsoft’s most advanced programming platform, .NET. Microsoft’s Visual Studio platform and the Visual Basic Scripting Edition (VBScript) language are the most popular Microsoft tools for writing script files and management routines. Visual Studio encompasses Microsoft’s VB .NET, Visual C++, Visual C# (pronounced “C sharp”), and Visual J# .NET (a Java competitor). VBScript is a subset of VB, and it can run in the Internet Explorer browser rendering engine (Vbscript.dll) or under the Windows Script Host executables (Wscript.exe or Cscript.exe). VBScript file names usually end in .vbs.
Microsoft’s VB languages are widely used because they are powerful, simple compared with the C languages, and designed for Windows system manipulation. Of course, this has also made VB a favorite of hackers and malware writers. Because VB (and its relatives) run only on Windows platforms, and honeypots developed in the Unix/Linux world, there are no widely available Honeyd scripts written in VB.
See the following for more information about VB and VBScript:
In the world of Honeyd and honeypots, the shell and Perl scripting languages are the most popular for service scripts. However, no matter which programming language you use to write your service scripts, you must understand the inherent limitations in using Honeyd, especially with regard to which input and output pathways are available.
Dr. Niels Provos built service script support in Honeyd on the three standard input/output streams that every C program (and every Unix process) inherits:
STDIN, the standard input stream. On a console it is normally what the user types; for a Honeyd service script it carries the bytes the intruder sends over the connection.
STDOUT, the standard buffered output stream. On a console it goes to the monitor; for a Honeyd service script everything written to it is sent back to the intruder over the connection.
STDERR, the standard unbuffered output stream for writing errors. For a Honeyd service script it is not part of the conversation with the intruder (Honeyd keeps it for its own logging), so it is the place for diagnostics you do not want an attacker to see.
This reliance on the standard streams means that, without significant modification of Honeyd, a service script’s only channel to the intruder is a byte stream: it reads what the intruder sends and writes what the intruder receives. This works well for line-oriented, console-type protocols such as telnet, SMTP, and FTP, but sophisticated GUI emulation is not practical, and protocols that open secondary connections (such as FTP data channels) or speak binary formats need careful, protocol-specific handling. Within that limit the script itself can do whatever its language allows (write a log file, look up a canned response), but in practice most Honeyd scripts do little beyond answering with predefined text. Remember also that everything arriving on STDIN is attacker-controlled: treat it as data, quote it, and never pass it to eval or a command line.
Honeyd exposes several connection variables that can be passed to a script as arguments on its add line (they are written in lowercase with a leading $, as in $ipsrc, and Honeyd substitutes the real values when it launches the script):
IPSRC is the source IP address of the connection.
IPDST is the destination IP address (the emulated host’s address).
SPORT is the source transport-layer (TCP or UDP) port number.
DPORT is the destination transport-layer port number (the emulated service’s port).
TYPE is the protocol type (UDP, TCP, or ICMP).
These variables make scripts more dynamic. For example, an incoming connection’s source IP address is automatically assigned to IPSRC; a script can record it in a log file alongside each command the intruder types, or use it to vary the responses it sends back.
Do not treat IPSRC as the intruder’s identity. Ordinary routers forward packets without altering the source address, so IPSRC is normally the address the packets actually came from, but if the intruder is behind a NAT device (very common) it holds that device’s public address rather than the attacking host’s private address, and if your honeypot sits behind a NAT or proxy that rewrites source addresses, every connection may appear to come from that device. Attackers also routinely pivot through compromised hosts and open proxies. IPSRC is the last hop you can see, nothing more.
As you learned in Chapter 6, service scripts are added in Honeyd’s configuration file with the ADD command and the following syntax:
ADD <template name> <protocol> PORT <number> "<script engine to call> <script file> <optional parameters>"
Here are some examples that demonstrate different ways to point to the scripting engine and the service script file:
ADD win2k tcp port 21 "sh ftp.sh $ipsrc $sport $ipdst $dport"

ADD xpprosp2 tcp port 80 "c:\cygwin\sh c:\honeyd\scripts\iis.sh"

ADD w2k3 tcp port 25 "perl.exe exchange.pl"
You can explicitly point to the executable and the script file, or you can rely on the default path directories to locate the engine and the script. For accuracy, I prefer to explicitly give the full path of both. If you do, make sure the path is where the engine really lives: a default Cygwin installation puts sh.exe in c:\cygwin\bin, and a wrong engine path simply produces a port that accepts connections and then says nothing, which is exactly the kind of anomaly a careful intruder notices.
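The following shell script ties together the three pieces described above (the STDIN/STDOUT conversation, the connection variables passed in from the add line, and the add syntax itself). It is an added example written for this chapter, not a script from the Honeyd distribution or from any downloadable script collection. It emulates the opening of an IIS-style FTP session: the banner, USER, PASS, SYST, and QUIT. The add line shown in the header comment, the log file path, and the command limit are assumptions made for the example.

```shell
#!/bin/sh
# Added example of a Honeyd service script (not from Honeyd itself).
# Honeyd hands the script the intruder's bytes on STDIN and sends whatever it
# writes to STDOUT back over the connection. Connection details arrive as
# arguments from an add line such as this assumed one:
#   add win2k tcp port 21 "sh /honeyd/scripts/ftp-example.sh $ipsrc $sport $ipdst $dport"

# Append one timestamped record of what the intruder did to the log file.
# Network-supplied text only ever goes through printf '%s' (never echo or
# eval), so nothing the attacker types can be interpreted by the shell.
log_line() {
    ipsrc=$1; sport=$2; ipdst=$3; dport=$4; text=$5
    logfile=${HONEYD_EXAMPLE_LOG:-/tmp/honeyd-ftp-example.log}   # assumed path
    printf '%s %s:%s -> %s:%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$ipsrc" "$sport" "$ipdst" "$dport" "$text" >> "$logfile"
}

# Map one FTP command (plus optional argument) to the reply a real IIS FTP
# server would give. Replies end in CRLF because the FTP protocol requires it.
ftp_reply() {
    cmd=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    arg=$2
    case "$cmd" in
        USER) printf '331 Password required for %s.\r\n' "$arg" ;;
        PASS) printf '530 User cannot log in.\r\n' ;;      # never "succeed": keeps the intruder guessing
        SYST) printf '215 Windows_NT\r\n' ;;
        QUIT) printf '221 Goodbye.\r\n' ;;
        *)    printf '500 %s not understood.\r\n' "$cmd" ;;
    esac
}

# Run one whole session: send the banner, answer commands read from STDIN
# until QUIT or end of input, log each one with the connection details, and
# stop after a bounded number of commands so a hostile client cannot keep the
# script process alive forever.
honeyd_session() {
    ipsrc=$1; sport=$2; ipdst=$3; dport=$4
    max_commands=${5:-50}
    count=0
    printf '220 Microsoft FTP Service (Version 5.0).\r\n'
    log_line "$ipsrc" "$sport" "$ipdst" "$dport" "CONNECT"
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')       # strip the CR of CRLF
        cmd=${line%% *}
        arg=${line#* }
        if [ "$arg" = "$line" ]; then arg=""; fi      # no argument present
        log_line "$ipsrc" "$sport" "$ipdst" "$dport" "CMD $line"
        ftp_reply "$cmd" "$arg"
        count=$((count + 1))
        upper=$(printf '%s' "$cmd" | tr '[:lower:]' '[:upper:]')
        if [ "$upper" = "QUIT" ]; then break; fi
        if [ "$count" -ge "$max_commands" ]; then
            printf '421 Too many commands; closing control connection.\r\n'
            break
        fi
    done
    log_line "$ipsrc" "$sport" "$ipdst" "$dport" "CLOSE after $count commands"
    return 0
}

# Honeyd runs this file with the four connection arguments from the add line.
# Without them (for example, when the file is sourced to test its functions)
# nothing happens.
if [ $# -ge 4 ]; then
    honeyd_session "$1" "$2" "$3" "$4"
fi
```

To try it without Honeyd, pipe a few commands into it: printf 'USER anonymous\r\nQUIT\r\n' | sh ftp-example.sh 203.0.113.7 4444 192.0.2.10 21. The four arguments stand in for the values Honeyd substitutes for $ipsrc $sport $ipdst $dport, and the log file then records who connected and every line they typed. The two design choices worth copying into your own scripts are the refusal to ever authenticate (a never-ending login prompt is what keeps brute-forcers and worms talking) and the command cap, which closes a session that an attacker or a scanner is using just to tie up the process.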