LaBrea

		Chapter 8 - Other Windows-Based Honeypots Honeypots for Windows by Roger A. Grimes Apress 2005

LaBrea (http://labrea.sourceforge.net) was the first tarpit honeypot. Developed by Michael Robinton, LaBrea was originally nothing more than an open-source Perl script to run on Unix hosts. Today, it is a stand-alone, cross-platform executable with two dozen startup parameters. Its author eventually removed the program and its source code from his web site (http://www.hackbusters.com) because of legal concerns. LaBrea was ported as a Windows 32-bit application shortly after its initial release.

LaBrea was written in response to the Code Red worm, and its main purpose is to slow down Internet-scanning programs and worms. Like Arpd, it listens to ARP requests for unknown IP addresses and responds as a virtual machine with a bogus MAC address. It will automatically respond for any port number or ARP request to an undefined IP address. After allowing time for a legitimate host to answer, LaBrea answers connection attempts in a way designed to waste as much of the worm’s time as possible—maximizing TCP/IP retransmits and wait periods. It will slow down worms and identify the origination IP address.

Although LaBrea’s functionality is intentionally limited, it is a huge success at what it does do. There have been many real-life worms and corroborative lab tests documenting its ability to slow down Internet worms, just as its author hoped.

Installing and Running LaBrea

Here are the steps to install LaBrea:

1. Download the single zip file and extract to a folder called LaBrea. It will extract a single file called Labrea.exe.

2. You must have WinPcap (http://winpcap.polito.it) and LibnetNT (http://www.eeye.com/html/Research/Tools/libnetnt.html) installed first to execute LaBrea. Unzip and install WinPcap and reboot the computer (even if you’re not prompted to do so). Unzip and copy Libnetnt.dll to the same directory as Labrea.exe.

3. Run Labrea.exe -D to list your interfaces. (Note that LaBrea parameters are case-sensitive.) Record the interface number, IP address, and MAC address of the interface on which you want to run LaBrea.

4. To run LaBrea, type in Labrea.exe -v -z and press Enter. The -v tells LaBrea to be verbose; otherwise, the screen output will be minimized. The -z bypasses the initial startup message and allows execution.

You can type in Labrea.exe -? to get a listing of all possible command-line options.

Using LaBrea

After LaBrea starts, it will begin ARP sweeping the network (sending requests) to determine which hosts are active on the network. It will send 85 ARP packets every two minutes. Even after LaBrea starts responding for a particular IP address, if it later detects another computer responding to an address it holds, it will stop responding for the IP address and let the legitimate host maintain sole ownership.

When LaBrea is running, the screen console it presents changes only if it reports some connection activity. It will display the date, time, origination IP address, origination port number, destination IP address, and destination port number. Worms or scanning devices that connect to it will be effectively hung up for quite awhile.

Figure 8-2 shows an example of LaBrea running on a honeynet after the compromise of another honeypot. For the first six hours, LaBrea reports no activity. Then it records connection attempts to ports 80, 21, and 1433 (probably the Slammer worm). LaBrea begins by responding to the ping requests to the nonexistent IP address, 192.168.1.83, and tarpits the later port-connection attempts. If you were to connect a telnet or browser session to a LaBrea host, the session would just hang. That’s a tarpit’s job in the first place.

Figure 8-2: LaBrea’s screen console