This chapter explored six different application-layer Windows honeypots. Because they do not emulate the IP stack along with the OS, when you deploy one of these you should consider how the honeypot interacts with the host OS and how the combination appears to hackers (for example, the host's own TCP/IP fingerprint and any real services it runs remain visible alongside the emulated ones). Each of these honeypots excels at different objectives and might be useful to a security administrator.
Here is a summary of the honeypots described in this chapter:
Back Officer Friendly: This honeypot is just barely a step above simple port listeners. It has limited interaction for a handful of services. For people not ready to jump directly into running Honeyd or one of the other more sophisticated and time-intensive honeypots listed in this book, it can be a good place to build a little confidence.
LaBrea: This is an excellent, low-interaction honeypot for slowing down Internet worms and hacker scanning.
SPECTER: This is a user-friendly honeypot that is quick and easy to use. Some of its features—default content, heartbeat, markers, and aggressive modes—are interesting and unique. It has a few weaknesses, including that it can emulate only 14 TCP ports, allows minimal customization, and doesn’t support the latest Windows OSs. I hope the vendor continues development to improve what could be a top competitor.
KFSensor: This is an excellent commercial honeypot, which is easy to set up and extend. Its context-sensitive help file’s usefulness is above average, and my questions to technical support were always responded to in a timely manner. It is one of the few honeypot products to offer default emulation services mimicking Microsoft’s Exchange Server, NetBIOS, SQL Server, telnet, and IIS. Its FTP server isn’t bad, but it needs to be adjusted to mimic IIS’s FTP service, not Guild’s. The Terminal Server emulation service needs beefing up, but having Universal Plug and Play, POP3, PC Anywhere, VNC, and Citrix port emulation makes up for its shortcomings. KFSensor has multiple alert and logging options, and its use of color-coded alerts makes recognizing a current event easy. On the downside, it’s an application-level honeypot, can run only one honeypot scenario at a time, and cannot automatically respond to all open ports or IP addresses. Still, what it does offer is tops in the industry.
PatriotBox: The newest Windows-based honeypot entry is an affordable second choice for administrators not able to afford KFSensor and not wanting the complexity of Honeyd. Its immaturity shows, but upcoming versions should strengthen this already nice offering.
Jackpot: This is an easy-to-use SMTP tarpit. It automates many spammer-tracking processes and comes with many configurable settings. It contains its share of bugs, but most readers will find it a quick way to set up an SMTP tarpit.
Back Officer Friendly and LaBrea are simple honeypots and make no attempt to mimic a Windows OS or services. LaBrea and Jackpot are easy to deploy tarpits. SPECTER has a lot of potential and a handful of unique features. KFSensor is the most sophisticated commercial offering, but PatriotBox is a more affordable alternative for administrators on a tighter budget.
Honeypots are just entering their second generation of development. We can expect them to mature significantly over the next few years and for more offerings to be developed.
This completes our exploration of honeypot setup. The next part of the book is about operating your honeypot, beginning with network traffic analysis in Chapter 9.