Honeyd is the most popular and versatile honeypot software in use today, but it isn’t the easiest to configure. In this chapter, we will explore six other Windows-based honeypots: Back Officer Friendly, LaBrea, SPECTER, KFSensor, PatriotBox, and Jackpot. All of these honeypots are application-level, meaning that they do not interact at the IP stack level.
Each of these honeypots excels at different objectives. The first two, Back Officer Friendly and LaBrea, are very simple honeypots and make no attempt to mimic a Windows host. Back Officer Friendly is a simple port listener, and LaBrea is a worm tarpit. SPECTER, KFSensor, and PatriotBox are more sophisticated commercial offerings, each emulating Windows services and applications. Jackpot is an SMTP tarpit.
We will start with the simplest honeypot available. Back Officer Friendly (BOF), from Network Flight Recorder Security (http://www.nfr.com/resource/backOfficer.php), came about as a way to detect Back Orifice remote-access trojan scans. BOF does port listening (and some very low-level interaction) for FTP, telnet, SMTP, HTTP, POP3, and IMAP2, as well as the Back Orifice remote-access trojan on port 31337. It’s very basic, and it’s free.
After a quick installation procedure, BOF presents you with a small configuration and viewing screen, as shown in Figure 8-1.
Figure 8-1: Back Officer Friendly interface
You select and deselect port listeners under the Options menu. Turning on each listener is as simple as clicking one of the service names. Some of the options, like telnet, will give a login and password prompt to the end user. The telnet listener puts the remote attacker in a login loop and displays the activity, along with the attempted login names and passwords. Other listener services, like FTP, simply disconnect the user. There is never an attempt to fool remote users into believing they are attaching to a real Windows host.
In its default mode, BOF does not respond, but you can enable the Fake Replies option for limited interaction. These replies openly identify the honeypot by name.
Another port listener is Foundstone’s Attacker (http://www.foundstone.com/resources/intrusion_detection.htm). It’s a simple Windows application that can listen to a large number of TCP and UDP ports. It does not capture traffic or emulate services. It just alerts the user when a connection attempt is made.
BOF is a great way to quickly gain experience with honeypots. Install it, and then probe one of its seven ports from a remote machine. It does not write log files or allow any customization beyond what is presented in the point-and-click GUI.
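To make the port-listener idea concrete (the telnet login loop that records attempted names and passwords, the banner-and-disconnect services, the fake reply that names the honeypot, and the probe from a second machine), here is an added Python example. It is not BOF's code and is not part of the original chapter; the service table, banner text, LoginLoop state machine and in-memory event list are assumptions made for illustration, and BOF's real replies and display format are not reproduced.

```python
import socket
import socketserver
import threading
from datetime import datetime, timezone

# Constructed service table (not BOF's configuration): service name -> banner.
# Like BOF's "Fake Replies", each banner names the honeypot outright: this is a
# tripwire that records connection attempts, not a decoy posing as a real host.
SERVICES = {
    "ftp": b"220 honeypot-listener FTP: connection logged, goodbye\r\n",
    "smtp": b"220 honeypot-listener SMTP: connection logged, goodbye\r\n",
    "http": b"HTTP/1.0 200 OK\r\nServer: honeypot-listener\r\nContent-Length: 0\r\n\r\n",
    "telnet": b"",  # interactive; handled by LoginLoop below
}

EVENTS = []  # in-memory audit trail; a real deployment would write a file or forward to a SIEM


def log_event(service, peer, message):
    """Record one timestamped event (service, peer address, message) and echo it."""
    entry = (datetime.now(timezone.utc).isoformat(timespec="seconds"),
             service, f"{peer[0]}:{peer[1]}", message)
    EVENTS.append(entry)
    print(" ".join(entry))
    return entry


class LoginLoop:
    """Telnet-style login prompt that never succeeds: prompt, record what was
    typed, prompt again, and hang up after max_attempts failures."""

    def __init__(self, max_attempts=3):
        self.max_attempts = max_attempts
        self.attempts = []          # (username, password) pairs typed by the client
        self._pending_user = None   # username awaiting its password

    def prompt(self):
        return b"login: "

    def feed(self, line):
        """Consume one client line; return (reply_bytes, keep_connection_open)."""
        text = line.rstrip("\r\n")
        if self._pending_user is None:
            self._pending_user = text
            return b"Password: ", True
        self.attempts.append((self._pending_user, text))
        self._pending_user = None
        if len(self.attempts) >= self.max_attempts:
            return b"\r\nLogin incorrect\r\nhoneypot-listener: too many failures, bye\r\n", False
        return b"\r\nLogin incorrect\r\nlogin: ", True


class HoneyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        service = self.server.service
        log_event(service, self.client_address, "connection opened")
        if service != "telnet":
            # Non-interactive listeners behave like BOF's FTP: reply, then disconnect.
            self.wfile.write(SERVICES[service])
            return
        loop = LoginLoop()
        self.wfile.write(loop.prompt())
        while True:
            line = self.rfile.readline()
            if not line:              # client closed its side
                break
            reply, keep_open = loop.feed(line.decode("latin-1"))
            self.wfile.write(reply)
            if not keep_open:
                break
        for user, pw in loop.attempts:
            log_event(service, self.client_address, f"login attempt user={user!r} password={pw!r}")


class HoneyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, service):
        self.service = service
        super().__init__(address, HoneyHandler)


def start_listener(service, port=0, host="127.0.0.1"):
    """Bind one listener (port 0 lets the OS choose) and serve it on a daemon thread."""
    server = HoneyServer((host, port), service)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, lines=()):
    """Play the 'remote machine': send each line, then read everything the honeypot returns."""
    with socket.create_connection((host, port), timeout=5) as s:
        for line in lines:
            s.sendall(line.encode() + b"\r\n")
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def self_test():
    """Start a telnet listener, probe it with two bogus logins, and return the
    transcript the client saw plus the login attempts the honeypot recorded."""
    server = start_listener("telnet")
    port = server.server_address[1]
    before = len(EVENTS)
    transcript = probe("127.0.0.1", port, ["admin", "admin", "root", "toor"])
    server.shutdown()
    server.server_close()
    recorded = [e for e in EVENTS[before:] if e[1] == "telnet" and "login attempt" in e[3]]
    return transcript, recorded


if __name__ == "__main__":
    transcript, recorded = self_test()
    print(repr(transcript))
    print(recorded)
```

Running the file starts a telnet-style listener on an ephemeral loopback port, probes it the way a remote machine would, and prints what the client saw and what the honeypot logged. Notice that every attempted username and password is captured even though the login can never succeed; that, and the connection record itself, is the whole value of a port-listener honeypot.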
Released in 1999, BOF is getting very long in the tooth. Even the Back Orifice trojan got a major upgrade in 2000, and it no longer uses port 31337 as a default port. Still, BOF is capable of recognizing several different Back Orifice tools, and will even send replies like “Naughty, naughty. Bad hacker! No donut!” so you have to appreciate the lightheartedness of this tool.