The book has twelve chapters organized into three main parts.
By the time you get through reading this book, you should have an excellent understanding of honeypots in a Windows environment.
Many of the tools covered in this book are Windows ports of open-source Unix tools, like Honeyd, WinPcap, and Snort. All of these tools have been tested on Windows 98 and later Microsoft platforms, but most have been optimized for Windows 2000 and above. Menu options and screenshots were done on Windows 2000 and XP Professional computers, but most commands and screens are identical, no matter which Microsoft operating system you use. Every effort has been made to verify that all commands and utilities work across all current versions of Windows. Exceptions are noted when known.
Part One: Honeypots in General
Part One covers honeypot theory and topics common to all honeypots, along with the particular configuration requirements of a Windows-based environment.
Chapter 1 explains general honeypot theory and reasons to use honeypots. It discusses the main honeypot types, along with advantages and disadvantages of each choice. The chapter also covers hacking basics, such as attack model types and fingerprinting. Understanding the different hacking threats is essential to setting up and using a honeypot.
Chapter 2 describes the general setup and deployment of a honeypot, as well as how to attract hackers to it. Topics include how to decide where to place a honeypot and why. It covers the physical deployment issues involved in placing a honeypot, including hardening the host and configuring your network to route hacking traffic to your honeypot. It includes details on the problems introduced on switched networks and how to correctly configure your routing tables.
Part Two: Windows Honeypots
Part Two provides a detailed lesson in configuring and using Windows-based honeypots. Using an emulated honeypot in a Windows environment takes special consideration to make it appear as a Windows-based host. This means it should have the normal Windows ports open, run the normal Windows services, and respond the way a real Windows TCP/IP stack would. Chapter 3 defines normal behaviors, ports, and services on a Windows host, and tells you how to emulate them on a honeypot.
Chapter 4 describes using a real Windows operating system as a honeypot. It reveals which Windows version is best at attracting malicious hackers and presents hardening tips you can use to minimize the damage when the honeypot is compromised.
Chapters 5 through 7 focus on Honeyd, the most popular honeypot software in use today. Chapter 5 covers how to download and install Honeyd. Honeyd is a fantastic free tool, but like many other open-source programs, not particularly easy to configure. Chapter 6 begins deciphering the Honeyd configuration and provides several sample configuration files that you can adapt for your own needs. Chapter 7 explains how to use service scripts, which allow Honeyd to mimic basic applications, such as FTP, telnet, and IIS. Service scripts are very important in making a honeypot look like a real system.
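As an added illustration of the point made in Part Two about making an emulated honeypot look like a Windows host, and of the kind of Honeyd configuration file Chapter 6 works through, here is a Honeyd template that exposes the ports a stock Windows 2000/XP install listens on and resets everything else, which is how a real Windows stack answers closed ports. This is an example written for this overview, not a configuration file taken from the book or shipped with Honeyd. Three things in it are assumptions: the personality string must match an entry in the nmap.prints file your Honeyd install uses, the IIS emulation script is assumed to sit under Honeyd's scripts directory with Perl available, and the IP address is a constructed one for an unused address on your honeynet.

```conf
# Added example template (not from the book). Looks like a stock
# Windows 2000/XP host: RPC, NetBIOS and SMB listening, everything else
# closed with a RST, which is how a real Windows stack replies.
create windows

# Assumption: this string must appear verbatim in Honeyd's nmap.prints;
# grep for it first, otherwise OS fingerprinting of the honeypot will
# not match and the template gives itself away.
set windows personality "Microsoft Windows XP Professional SP1"

# Closed TCP ports answer with RST, closed UDP ports with ICMP port
# unreachable, and the host answers ping, as a default Windows box does.
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open

# Ports a default Windows 2000/XP install exposes.
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
add windows udp port 137 open
add windows udp port 138 open

# A service script gives an open port something to say (Chapter 7).
# Assumption: path is relative to Honeyd's working directory and the
# contributed IIS emulator is installed there with Perl on the PATH.
add windows tcp port 80 "perl scripts/iisemul8.pl"

# Constructed address: bind the template to one unused IP on the honeynet.
bind 192.168.1.10 windows
```

Check the result from a second machine with a port scanner before putting the honeypot in front of real attackers: ports 135, 139, 445 and 80 should show open, everything else closed (not filtered), and the OS guess should come back as Windows. A template whose closed ports time out instead of resetting, or whose personality string silently fails to match, is the most common reason an emulated Windows honeypot is recognized as a decoy.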
Honeyd is the most popular and versatile honeypot software in use today, but it isn’t the easiest to use. In Chapter 8, we explore six other Windows-based honeypots with front-end graphical user interfaces that make for a more pleasant user experience. Each of these honeypots excels at different goals. The honeypots are Back Officer Friendly, LaBrea, SPECTER, KFSensor, PatriotBox, and Jackpot.
Part Three: Honeypot Operations
Part Three discusses a range of topics related to getting the most out of your honeypot.
Using a network traffic analyzer and understanding how to recognize and decode malicious network traffic is essential to honeypot operations. Chapter 9 discusses how to install and use various tools for analyzing network traffic. It begins with network protocol basics, reviewing the OSI model and TCP/IP suite, and then focuses on using Snort and Ethereal.
Chapter 10 covers the very important issues of monitoring, logging, alerting, and reporting. It discusses how to set up an alert system, how and what to log, and what reports you need to generate.
Honeypots can quickly gather copious amounts of information—sometimes an overwhelming amount. The ultimate success of your honeypot is determined by how well you interpret the attack evidence. Chapter 11 discusses techniques to use in the forensics analysis of your honeypot data.
Chapter 12 discusses analyzing malicious code by disassembling it. For new programmers, this involves learning assembly language, learning how to disassemble executables, and learning about malicious coding in general. Becoming proficient at disassembly is not for the faint of heart, but with a moderate amount of effort and practice, it can reveal malware functions that cannot be found any other way.
The sample files presented in this book, as well as other related files, are available from the Downloads area of the Apress web site (http://www.apress.com). You can direct any technical questions or concerns to me at firstname.lastname@example.org.