Downloadable Scripts

skip navigation

honeypots for windows
Chapter 7 - Honeyd Service Scripts
Honeypots for Windows
by Roger A. Grimes
Apress 2005
progress indicator progress indicatorprogress indicator progress indicator

The Honeyd web site (http://www.honeyd.org/contrib.php) has more than a dozen downloadable service scripts. Most must be unarchived from their Gzip or tarballed, as previously stated in Chapter 6. The scripts listed in Table 7-2 are available from http://www.honeyd.org or from the listed links.

Tip 

GlobalSCAPE’s (http://www.globalscape.com) Cute FTP, WinZip (http://www.winzip.com), and WinRAR (http://www.rarlab.com) programs are all excellent tarball unzippers for the Windows platform.

Table 7-2: Service Scripts Available at Honeyd.org

Script Name

Language

Download Location

Description

Kuang2.pl

Perl

http://www.honeynet.org.br/tools/#kuang2

Emulates the backdoor installed by the Kuang2 (http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.kuang.b.html) password-stealing trojan. The script saves uploaded files, and also logs attempts to use Kuang2 backdoor commands, like file download, execution, deletion, etc.

Mydoom.pl

Perl

http://www.honeynet.org.br/tools/#mydoom

Mimics the backdoor installed by the Mydoom virus (http://securityresponse.symantec.com/avcenter/venc/data/w32.mydoom.a@mm.html). It saves uploaded files and also logs attempts to use the Mydoom backdoor proxy capability.

Faketelnet.pl

Perl

http://www.honeyd.org/contrib.php

(click the telnet-emul link)

Emulates a telnet server from one of the following: Red Hat Linux 6.2, Solaris, or GoodTech Telnet Server forWindows NT version 2.2.

Honeydscan.tar

Various

http://www.honeyd.org/contrib.php

(click the Honeyd Regression Testing link)

Contains several Perl and shell scripts that attempt to test a Honeyd installation over a wide range of personalities. One script creates a Honeyd configuration file that creates 858 different Honeyd templates and binds them to 10.2.0.0/16 addresses. Another script performs an Nmap test against the Honeyd installation (from another computer), and then compares and summarizes the results.

Honeyd.tar

Various

http://www.honeyd.org/contrib.php

(click the Honeyd Scripts link)

Contains dozens of scripts, including Cisco router telnet, Apache web server running on SUSE Linux, IIS 5 (complex web server script), Exchange Server (POP/SMTP/IMAP/ NNTP), Sendmail, LDAP, VNC, Microsoft FTP, Squid Proxy, Back Orifice, SSH, Finger, and Ident. This is a great package to borrow from for your own customized service scripts.

HoneyWeb-0.4.tgz

Python

http://www.honeyd.org/contrib.php

(click the HoneydWeb-0.4 link)

Medium-interaction web server script. Depending on the attack request, it can return HTML pages mimicking Apache, IIS, and Netscape web servers. It writes all requests to a log file and supports the GET, HEAD, POST, and OPTION HTTP commands.

Pop.emulator.tar.gz

Shell

http://www.honeyd.org/contrib.php

(click the POP.emulator link)

Mimics a generic POP3 server. It emulates successful and failed authentication attempts and mimics some common POP errors.

Iisemul8.pl

Perl

http://sourceforge.net/projects/iisemul8

Emulates, at a high-degree of functionality, a default installation of an IIS 5.0 server. It contains content, graphics, full error messages, and even emulates ISAPI filters (including .ASP and .NET). Written by the legendary hacker, Rain Forest Puppy, this is the “mac daddy” of Honeyd scripts.

ftp.sh

Shell

http://www.honeyd.org/contrib.php

(click the ftp.sh link)

Moderate emulation of a WU-FTP 2.6.0 server. It contains basic FTP commands and a help listing, and allows the anonymous user to log in. Of course, it saves interactions to a log file.

Smtp.sh

Shell

http://www.honeyd.org/contrib.php

(click the smtp.sh link)

Emulates a Sendmail 8.12.2 server with a small subset of login commands available, including the help file.

Pop3.sh

Shell

http://www.honeyd.org/contrib.php

(click the pop3.sh link)

Low emulation of a QPOP 2.53 e-mail server, with just a few login commands.

Service script emulations run the gamut, from low-emulation to a full-fledge web server. Ambitious honeypot administrators will want to consider taking the Iisemul8.pl script and creating a customized web server. Web servers receive a lot of hacker attention on the Internet. A honeypot emulating a web server is a good choice for administrators wishing to learn hacker tricks at a rapid pace. Any of the default scripts can be used as templates for custom service scripts.

progress indicator progress indicatorprogress indicator progress indicator


Honeypots for Windows
Honeypots for Windows (Books for Professionals by Professionals)
ISBN: 1590593359
EAN: 2147483647
Year: 2006
Pages: 119

Similar book on Amazon
Honeypots: Tracking Hackers
Honeypots: Tracking Hackers
Know Your Enemy: Learning about Security Threats (2nd Edition)
Know Your Enemy: Learning about Security Threats (2nd Edition)
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net