Chapter 7: Honeyd Service Scripts

Honeypots for Windows
by Roger A. Grimes
Apress 2005

Service scripts allow Honeyd to go beyond simple port listening and respond to intruders. If appropriately constructed, service scripts can induce hackers to reveal more tricks and capture malware.

This chapter discusses the default and downloadable Honeyd scripts, as well as creating custom Honeyd scripts. But before we look at the scripts themselves, we’ll go over some script basics. Several of the scripts shown in this chapter can be integrated with the configuration file we created in Chapter 6.

Honeyd Script Basics

Service scripts are the key to making a more interesting and realistic Honeyd honeypot. Service scripts can be used for the following tasks:

  • Making a higher-interaction honeypot

  • Capturing more detailed logs

  • Reacting to intruders

  • Catching worms and viruses

  • Executing an alert mechanism

Within the confines of text-based input and output, you can create nearly any behavior you desire. If you’re a programmer, you will feel comfortable with the idea of writing scripts. If you’re not a programmer, you will be happy to know that you can download and install existing scripts, and you can use them as templates for new scripts.

Note 

Before continuing, make sure you have correctly installed Cygwin and the Perl and shell scripting engines, as explained in Chapter 5.

You can write scripts in any programming language supported by your honeypot host platform. Administrators with even a basic understanding of the script language can adapt other people’s scripts to their environment. For example, it takes less time to start with someone else’s script written to emulate Unix’s WU-FTPD daemon and customize it to emulate IIS’s FTP service than to create the script from scratch.

Note 

WU-FTPD (Wuarchive-ftpd), developed at Washington University, was for many years the most widely deployed FTP server daemon on the Internet.

Whether you’re developing your own service scripts or customizing other people’s scripts, you’ll need to understand Honeyd script basics.

Common Script Languages

Most Honeyd scripts are coded in the shell or Perl scripting languages. This section will briefly discuss those languages and a few others that can be used to code and run scripts on Windows platforms.

Shell Command

Common Unix/Linux shells include the Bourne shell (sh), Korn (ksh), Bash, and Zsh. Although the command language varies somewhat from shell to shell (for example, between Korn and Bash), most commands and the basic syntax are shared. Under Cygwin, the shell interpreter sh.exe is the Unix cousin of the DOS batch file language; typing sh.exe and pressing Enter brings up the interactive $ prompt. The shell is not the most expressive scripting language, but it is available on virtually every Unix/Linux system, even where Perl or another high-level language is not. For simple text and file manipulation and for portability, shell scripting is a safe choice, which is why many Honeyd service scripts are written in it. Shell script file names usually end in .sh.

Visit the following sites for more information about the shell command language:

  • http://www.quong.com/shellin20/#LtohTOCentry-2

  • http://www.cs.princeton.edu/~jlk/kornshell/doc/man93.html

  • http://www.computerhope.com/unix/ush.htm

  • http://www.opengroup.org/onlinepubs/007908799/xcu/shellix.html

Perl

Perl is an open-source, cross-platform language released in 1987 by Larry Wall. Its rich feature set helped it to become known as the “duct tape of the Internet.” It supports HTML, XML, Unicode, and C language integration, and it enjoys wide third-party database support (including MySQL, Sybase, and Oracle). As a testament to its acceptance and versatility, many whitehat vulnerability testing and penetration tools are coded purely in Perl. Visit http://www.perl.org or http://www.activestate.com (ActiveState’s ActivePerl, the usual Windows distribution) for more details. Perl file names end in .pl.

Note 

Many hacker tools can be used both with or without malicious intent. Whitehat hackers often use vulnerability testing tools to audit and strengthen security.

Python

Python (http://www.python.org) is another free language. Guido van Rossum began developing it in late 1989 and named it after his favorite comedy group at the time, Monty Python’s Flying Circus. It has gained popularity because of its clear syntax, readability, and object-oriented programming style. Although it is not as widely used as Perl and shell for writing Honeyd service scripts, it shows up in some of the larger scripts. Python file names usually end in .py.

Windows Command-Line Shell Language

If you’ve ever seen a sophisticated DOS batch file, you already know the Windows command interpreter language is more than simple REM and ECHO commands. Running Cmd.exe (the 32-bit interpreter) or Command.com (the 16-bit one) opens the Windows command shell. In current versions of Windows, typing HELP lists the built-in command-line programs, and dozens of additional commands can be used to automate processes and jobs and to build complete programs. Constructs such as GOTO, CHOICE, CALL, IF, FOR ... DO, and SHIFT let a programmer do much more than run simple commands in sequence.

You can use the Windows command-line shell language to build Honeyd service scripts. Windows command-line file names end in .bat or .cmd.

For more information about the Windows command-line shell language, see the following:

  • http://labmice.techtarget.com/articles/batchcmds.htm

  • http://home.att.net/~gobruen/progs/dos_batch/dos_batch.html

  • http://www.computerhope.com/batch.htm

Visual Basic

Microsoft’s most popular programming language platform is Visual Basic (VB). It has grown from a GUI shell placed over the BASIC command-line interpreter into part of Microsoft’s most advanced programming platform, .NET. Microsoft’s Visual Studio languages and Visual Basic Scripting Edition (VBScript) are the most popular choices for writing Windows script files and management routines. Visual Studio encompasses VB .NET, Visual C++, Visual C# (pronounced “C sharp”), and Visual J# .NET (a Java competitor). VBScript is a subset of VB; its script engine (Vbscript.dll) can be hosted by the Internet Explorer browser or by the Windows Script Host executables (Wscript.exe or Cscript.exe). VBScript file names usually end in .vbs.

Microsoft’s VB languages are widely used because they are powerful, simple compared with the C languages, and designed for Windows system manipulation. Of course, this has made VB the favorite of hackers and malware writers. Because VB (and its relatives) run only on Windows platforms, and honeypots have developed in the Unix/Linux world, there are no widely available Honeyd scripts written in VB.

See the following for more information about VB and VBScript:

  • http://msdn.microsoft.com/vbasic

  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/ html/scriptinga.asp

  • http://tech.irt.org/articles/js117/#8

JavaScript

JavaScript (which has nothing to do with the Java programming language beyond the name, which was chosen for marketing reasons) was developed by Netscape in 1995. Originally called LiveScript, it was the first scripting language to add dynamic behavior to otherwise static HTML.

JavaScript is the most commonly deployed scripting language on the Web. Microsoft released its own implementation, JScript, which runs in the Internet Explorer engine (Jscript.dll) or under the Windows Script Host (Wscript.exe or Cscript.exe). Both JavaScript and JScript are implementations of the open, international standard ECMAScript, published by Ecma International as ECMA-262 (http://www.ecma-international.org/publications/standards/Ecma-262.htm). In keeping with the .NET naming convention, Microsoft’s version for the .NET platform is called JScript .NET.

Although JavaScript is popular, it hasn’t found wide acceptance for use in Honeyd service scripts. JavaScript file names end in .js.

For more information about JavaScript or JScript, see the following:

  • http://wp.netscape.com/eng/mozilla/3.0/handbook/javascript

  • http://www.javascript.com

  • http://javascript.internet.com

  • http://www.webreference.com/js

  • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/script56/html/js56jsoriJScript.asp

In the world of Honeyd and honeypots, the shell and Perl scripting languages are the most popular for service scripts. However, no matter which programming language you use to write your service scripts, you must understand the inherent limitations in using Honeyd, especially with regard to which input and output pathways are available.

Script Input/Output Routines

Dr. Niels Provos built service script support into Honeyd around the three standard streams that every C program (and every Unix process) inherits:

  • STDIN, the standard input stream, which for an ordinary program is normally what the user types at the keyboard.

  • STDOUT, the standard buffered output stream, which normally goes to the monitor.

  • STDERR, the standard unbuffered output stream for error messages, which also normally goes to the monitor.

When Honeyd starts a service script for a new connection, it connects the script’s STDIN to the data arriving from the intruder and sends whatever the script writes to STDOUT back over the connection; STDERR is not sent to the intruder. A script therefore sees the connection only as a stream of bytes it can read and a stream of bytes it can write. This works well for console-style protocols such as telnet, FTP, SMTP, or HTTP, but it means Honeyd offers no way to emulate a GUI, and the script itself must implement every detail of the protocol it pretends to speak. Honeyd provides nothing beyond these two streams; anything else a script does, such as writing a log file, must be done with the script language’s own facilities. Two practical consequences follow. Because STDOUT is buffered when it is attached to a pipe rather than a terminal, a script must flush its output after every response (in Perl, set $| = 1; in a shell script, each echo or printf is written immediately) or the intruder sees nothing until the buffer fills or the script exits. And because a fresh script process is started for each connection, the script should bound how long it waits for input and how much it reads, or an idle attacker can tie up a process indefinitely.

Honeyd Variables

Honeyd makes several pieces of connection information available to scripts:

  • IPSRC, the source IP address of the connection (the intruder’s address as seen by the honeypot).

  • IPDST, the destination IP address (the address of the virtual honeypot that was hit).

  • SPORT, the source transport-layer (TCP or UDP) port number.

  • DPORT, the destination transport-layer port number.

  • TYPE, the protocol type (TCP, UDP, or ICMP).

These values make scripts dynamic. In the configuration file, the first four are referenced as $ipsrc, $ipdst, $sport, and $dport inside the quoted command string, and Honeyd substitutes the actual values for the current connection before starting the script, so they arrive as command-line arguments (see the configuration examples later in this chapter). A script can use them to record the intruder’s IP address and port in a log file, to vary its responses by source, or to send back commands or data.

Note 

The source address a script sees is the one in the packets that reached the honeypot, which is not always the intruder’s own. Ordinary routers forward packets without changing the source address, but network address translation (NAT) rewrites it: if the intruder sits behind a NAT gateway, as is common, IPSRC holds the public address of that gateway, shared with everyone else behind it; and if the honeypot itself sits behind a NAT device or proxy, IPSRC may be the address of your own intermediate device, in which case the original source can be recovered only from that device’s logs. Treat IPSRC as an attribution hint, not as proof.
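As an added example (not from the book), the following complete Honeyd service script in POSIX shell ties together the two preceding sections: it talks to the intruder only through STDIN and STDOUT, and it receives the connection details Honeyd substitutes for $ipsrc, $sport, $ipdst, and $dport as its four command-line arguments. It emulates just enough of an FTP login dialogue to capture the user name and password an intruder tries, never grants access, logs each command together with the connection fields, sanitizes what it logs, and caps the number of commands it will read so an idle or chatty client cannot hold the process open forever. The script name ftp-banner.sh, the log file location (overridable through an assumed HONEYD_SCRIPT_LOG environment variable), the add line in the comment, and the 203.0.113.x/192.0.2.x sample addresses are assumptions for illustration; the HONEYD_IP_SRC, HONEYD_SRC_PORT, HONEYD_IP_DST, and HONEYD_DST_PORT fallbacks are the environment variables the Honeyd manual page documents for service scripts.

```shell
#!/bin/sh
# ftp-banner.sh (assumed name): a Honeyd service script that emulates an FTP
# login dialogue.  Honeyd attaches the intruder's connection to this script's
# STDIN and STDOUT; STDERR is not sent to the intruder.  Assumed matching line:
#   add win2k tcp port 21 "sh c:/honeyd/scripts/ftp-banner.sh $ipsrc $sport $ipdst $dport"
# Manual test with constructed input (documentation addresses, not real hosts):
#   printf 'USER test\r\nPASS x\r\nQUIT\r\n' | sh ftp-banner.sh 203.0.113.7 51234 192.0.2.10 21

MAX_CMDS=20   # stop after this many commands so a chatty client cannot hold the process open

# Send one reply line to the intruder.  FTP requires CRLF line endings; printf is
# used because echo's escape handling is not portable across shells.  Each printf
# is a separate write, so nothing sits in a buffer waiting to be flushed.
reply() {
    printf '%s\r\n' "$1"
}

# Append a timestamped audit record (log path is an assumption; override it with
# HONEYD_SCRIPT_LOG) and echo it to STDERR, which never reaches the intruder.
log_event() {
    rec="$(date -u '+%Y-%m-%dT%H:%M:%SZ') $IPSRC:$SPORT -> $IPDST:$DPORT $1"
    printf '%s\n' "$rec" >> "${HONEYD_SCRIPT_LOG:-/tmp/honeyd-ftp.log}"
    printf 'ftp-banner: %s\n' "$rec" >&2
}

# Remove the trailing CR an FTP client sends, drop non-printable bytes so the
# intruder cannot inject terminal escapes or fake lines into the log, and cap
# the length so one huge line cannot bloat the log.
sanitize() {
    printf '%s' "$1" | tr -d '\r' | tr -cd '[:print:]' | cut -c1-200
}

# handle_session IPSRC SPORT IPDST DPORT
# Reads FTP commands from STDIN, writes replies to STDOUT, returns 0 when done.
handle_session() {
    IPSRC=${1:-${HONEYD_IP_SRC:-0.0.0.0}}    # positional args come from the add line;
    SPORT=${2:-${HONEYD_SRC_PORT:-0}}        # the HONEYD_* variables are Honeyd's
    IPDST=${3:-${HONEYD_IP_DST:-0.0.0.0}}    # exported environment as a fallback
    DPORT=${4:-${HONEYD_DST_PORT:-0}}
    count=0
    user=""
    log_event "CONNECT"
    reply "220 Microsoft FTP Service"
    while [ "$count" -lt "$MAX_CMDS" ] && IFS= read -r line; do
        count=$((count + 1))
        line=$(sanitize "$line")
        cmd=$(printf '%s' "$line" | cut -d' ' -f1 | tr '[:lower:]' '[:upper:]')
        arg=$(printf '%s' "$line" | cut -s -d' ' -f2-)
        log_event "CMD $line"     # records USER/PASS attempts verbatim
        case "$cmd" in
            USER) user=$arg; reply "331 Password required for $user." ;;
            PASS) reply "530 User $user cannot log in." ;;   # never grant access
            SYST) reply "215 Windows_NT" ;;
            QUIT) reply "221 Goodbye."; log_event "QUIT after $count commands"; return 0 ;;
            "")   reply "500 Invalid command." ;;
            *)    reply "530 Please login with USER and PASS." ;;
        esac
    done
    log_event "CLOSE after $count commands"
    return 0
}

# Honeyd always passes the four connection fields; when they are present, serve
# the connection.  Without arguments the functions are merely defined.
if [ "$#" -eq 4 ]; then
    handle_session "$@"
fi
```

Because every reply is written with a separate printf, the script never trips over the pipe-buffering problem described above; a Perl version of the same dialogue would need $| = 1 before its first print. The cap of twenty commands and the 200-character limit per logged line are the two places where the script protects the honeypot host from the intruder rather than the other way round.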

Honeyd Configuration File Syntax

As you learned in Chapter 6, service scripts are added in Honeyd’s configuration file with the ADD command and the following syntax:

 ADD <template name> <protocol> PORT <number> "<script engine to call>  <script file> <optional parameters>" 

Here are some examples that demonstrate different ways to point to the scripting engine and the service script file:

 add win2k tcp port 21 "sh ftp.sh $ipsrc $sport $ipdst $dport"
 add xpprosp2 tcp port 80 "c:\cygwin\bin\sh.exe c:\honeyd\scripts\iis.sh"
 add w2k3 tcp port 25 "perl.exe exchange.pl"

Honeyd’s parser expects the keywords themselves in lowercase (add, tcp, port); ADD is capitalized in the syntax line above only to make it stand out. The quoted string is the command line Honeyd runs for each new connection, so the $ipsrc, $sport, $ipdst, and $dport variables in the first example are replaced with the connection’s actual values before the script starts. You can point explicitly to the interpreter executable and the script file, or rely on the PATH and the current directory to locate them. For accuracy (and so the honeypot does not silently run the wrong interpreter or script), I prefer to give the full path to both, as in the second example, which assumes a default Cygwin installation in c:\cygwin.



Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359