Alkasis Corporation’s PatriotBox (http://www.alkasis.com/?fuseaction=products.info&id=20) is the newest entry into the Windows honeypot market. At $39.99, it’s a very affordable GUI honeypot. It’s easy to install, with a mostly fluid graphical interface. The accompanying local help file is above average for honeypots.
Alkasis’s first attempt isn’t bad, but it needs improvement. The second version of PatriotBox will support SQL Server database back-ends for logging events and Honeyd scripts. Although PatriotBox is not nearly as capable as KFSensor, for the money, it can’t be beat.
Emulated services range from low- to medium-interaction. Administrators can choose from eight emulations:
Windows NT 4
Beyond the custom TCP and UDP services you can define yourself, each default emulation creates a few legitimate services plus one or more trojan ports. For instance, the Windows Server 2003 emulation creates listeners on ports 21, 25, 53, 80, 110, 143, and five trojan ports (for SubSeven, NetBus, and Back Orifice). Unfortunately, these are the same ports as in the Windows NT 4.0 and Windows XP emulations. Although a Windows XP machine might have ports 21, 25, and 80 open because of IIS 5.1, it is unlikely to have Exchange Server ports 110 or 143, or to be running a DNS server on port 53.
PatriotBox uses KeyFocus’ SubSeven trojan emulation for its SubSeven emulation service. It lets remote SubSeven clients browse (allowed) files on the honeypot, upload, and download files, chat, and obtain fake system passwords.
Service emulation is a mixed bag, especially in the default modes. No service gets its banner text, command options, and behaviors all correct relative to its real counterpart. For instance, the SMTP port reports a version number of 5.0.2195.1600 regardless of which Windows emulation is selected. While that version number might be true of a Windows NT 4.0 Exchange Server, it is unlikely to appear on the newer platforms (as discussed in Chapter 3). If you type HELO at the SMTP prompt, the emulation returns the list of command options that a real server would return only in response to HELP, and even that list is wrong and formatted incorrectly.
The same types of minor issues exist with most of the other services as well. In some cases, such as the SMTP and FTP services, you can change the returned banner text. For other services, such as POP and IMAP, you cannot make any changes. The IMAP emulation was further hampered by hanging whenever a session was initiated. PatriotBox does emulate an open SMTP relay, but it will not actually relay any e-mail. Most spammers and their spam bots verify an open relay by relaying e-mail to a known third-party mailbox and monitoring the results, so in those cases the emulated open relay would not fool them.
Alkasis gave special attention to PatriotBox’s HTTP service. It will accept six HTTP commands: GET, POST, HEAD, PUT, RENAME, and REMOVE. You can choose the honeypot’s alert response level per command, as shown in Figure 8-18. For instance, you can choose to merely log a GET command (by assigning the Normal action to that method) but alert on a PUT command. This welcome configuration setting is a feature I haven’t seen in other honeypots. A PUT command would reveal a hacker actively trying to modify the web server.
Figure 8-18: PatriotBox’s interface and HTTP configuration dialog box
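As an added illustration of the per-method policy that the dialog in Figure 8-18 configures (this is example code, not PatriotBox’s own), the routine below parses captured request lines and applies a Normal-versus-Alert action to each; how it treats malformed requests and methods outside PatriotBox’s six accepted ones is an assumption, and the sample traffic is constructed.

```python
import re

# Added example, not Alkasis code. The six methods PatriotBox accepts:
ACCEPTED_METHODS = ("GET", "POST", "HEAD", "PUT", "RENAME", "REMOVE")

# Per-method actions as an administrator might set them in the dialog:
# read-only methods are only logged, methods that could change the
# server raise an alert.
DEFAULT_POLICY = {"GET": "Normal", "HEAD": "Normal", "POST": "Alert",
                  "PUT": "Alert", "RENAME": "Alert", "REMOVE": "Alert"}

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r?\n")

def classify_request(raw, src, policy=DEFAULT_POLICY):
    """Parse one captured request and decide how the honeypot reacts.
    Returns a log record; 'alert' is True when the action is 'Alert'."""
    m = REQUEST_LINE.match(raw)
    if not m:
        # Assumption: non-HTTP data on the HTTP port is alert-worthy itself.
        return {"src": src, "method": None, "path": None, "action": "Alert",
                "alert": True, "reason": "malformed request line"}
    method, path = m.group(1).decode(), m.group(2).decode()
    if method not in ACCEPTED_METHODS:
        # Assumption: methods the emulation does not accept are alerted on.
        action, reason = "Alert", "unsupported method"
    else:
        action, reason = policy.get(method, "Alert"), "policy"
    return {"src": src, "method": method, "path": path, "action": action,
            "alert": action == "Alert", "reason": reason}

def summarize(events, policy=DEFAULT_POLICY):
    """Split (source, raw request) pairs into plain log entries and alerts."""
    records = [classify_request(raw, src, policy) for src, raw in events]
    return ([r for r in records if not r["alert"]],
            [r for r in records if r["alert"]])

# Constructed sample traffic, not captured from a real honeypot.
SAMPLE_EVENTS = [
    ("203.0.113.5:40211", b"GET /index.html HTTP/1.0\r\nHost: x\r\n\r\n"),
    ("203.0.113.5:40212", b"PUT /upload.txt HTTP/1.1\r\nContent-Length: 5\r\n\r\nhello"),
    ("198.51.100.9:5151", b"TRACE / HTTP/1.1\r\n\r\n"),
    ("198.51.100.9:5152", b"\x16\x03\x01\x00\xa5\x01\x00"),  # TLS hello on port 80
]

if __name__ == "__main__":
    logged, alerts = summarize(SAMPLE_EVENTS)
    for r in alerts:
        print(f"ALERT {r['src']} {r['method']} {r['path']} ({r['reason']})")
```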
PatriotBox also has a medium-interaction FTP service (with a changeable banner), but again, it is not representative of a true Microsoft FTP server. You can log in to the emulated FTP service as the anonymous user, and the password supplied will be recorded. But the command set of a Microsoft FTP server is not fully supported, and the directory listing is in Unix style rather than the default MS-DOS style. Although the Unix style is an available option when defining an FTP site in IIS, it’s rarely selected. The commands offered by the emulation also differ from a real Microsoft FTP server’s; for example, the emulated FTP service does not support the LS command, while the real server does.
PatriotBox’s lack of default services for RPC (port 135) and NetBIOS (137 to 139) is a problem. Any Windows machine would seem strange without these services readily available. Maybe some hackers wouldn’t know the difference, but any experienced Windows hackers would be suspicious.
You can create your own custom, limited TCP or UDP port listeners. Nothing is ever returned to a connecting client, but you can record whatever probe data it sent to a capture file.
For each custom service, you can choose the following:
The protocol type (TCP or UDP)
The port (although, because of a bug, you can select an impossible port number such as 65,537)
The connection limits (for DoS handling or bandwidth throttling)
The mode, with four choices:
WaitClose, which waits after a successful connection, and then closes it
OpenandClose, which closes the connection immediately after it is accepted
ReadandClose, which reads connection information, and then closes the socket
Capture, which captures information and saves it to a predefined file
Each connection event writes a message to the log. The log fields include source and destination IP addresses and ports, and the data sent during the connection attempt. The log can be exported into CSV or HTML format. You can filter the display log using PatriotBox’s Log Analyzer feature.
You can configure PatriotBox so that connection attempts to each service or custom port trigger e-mail alerts to the administrator. E-mail alerting can be throttled so that a single event does not generate too many messages within a given time period. Summary reports can be preconfigured to be sent once per day.