honeyd tutorial part 1, getting started
There are many different types of honeypots, and these different types are explained very well in the book Virtual Honeypots, which I highly recommend you read if you are serious about deploying a honeypot. This series of articles will focus on honeypots using an application called honeyd. There are a number of honeypot solutions out there, but I personally feel that honeyd is a great fit because it can be kept relatively simple, or you can start tweaking it to get a more full-featured product.
For this tutorial I will be using one Windows machine and one Linux machine, the Backtrack distribution to be exact. Backtrack will be the machine that is running honeyd. Honeyd is available for Windows, but I highly recommend that you use honeyd on Linux. Sorry for the Linux rant; below is a basic diagram of my setup. To install on other distributions such as Gentoo, Fedora, Slackware, etc., I would check their documentation on how to install packages. A honeyd configuration file is the heart of your honeypot.
The configuration file tells honeyd what operating system to emulate, what ports to open, what services should be run, etc. Below is my config file. In Backtrack, Kate is under the Utilities menu. I find this section is needed when you let your honeypot acquire an IP address via DHCP.
In the windows template we are defining a number of things. First we set the personality, meaning that when another device on the network connects to this honeypot it will appear to be a Windows XP Pro SP1 device; this is emulated via network stack fingerprints. These are common ports that are open on a Windows system. This will be needed if you run your honeypot via DHCP. Finally, the dhcp statement tells the windows template to acquire an IP address from DHCP. Now that we have our honeyd.
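A honeyd.conf of the kind described above, as an added example and not the tutorial author's own file: a default template that drops unmatched traffic, then a windows template with a personality, a few open ports, a MAC address and a dhcp statement. The interface name eth0, the MAC address and the exact personality string are assumptions; the personality string must match an entry in the nmap.prints file shipped with honeyd.

```text
# Default template: traffic that is not bound to any other template falls
# through to these actions. Blocking everything keeps stray packets from
# being answered while the windows template is still waiting for a lease.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Windows template: the personality name must match an entry in honeyd's
# nmap.prints file (name assumed here), so that the emulated TCP/IP stack
# answers fingerprinting probes the way that OS would.
create windows
set windows personality "Microsoft Windows XP Professional SP1"

# Ports not listed below: reset TCP, reset UDP, answer ICMP.
# A scanner therefore reports undefined ports as closed, not filtered.
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open

# Ports commonly open on a Windows host. With no script attached, the port
# only completes the handshake, which is enough for a scanner to show "open".
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open

# A MAC address is needed when the template gets its address from DHCP:
# honeyd answers ARP for the leased IP with this address (value assumed).
set windows ethernet "00:00:24:ab:8c:12"

# Request an address from the DHCP server on eth0 and bind it to this
# template (interface name assumed).
dhcp windows on eth0
```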
This allows for more verbose output so that we can troubleshoot as needed. Running in this mode will also show the IP that was given to our honeypot via DHCP. Below is the type of output you should see after running the honeyd command.
Honeyd V1. You should see output on the terminal similar to below. Below is the nmap command I used. Starting Nmap 5.
Port is closed because we did not define it in honeyd. So the ports are open, but how well is this personality thing working? New versions of nmap are constantly coming out, which means the nmap fingerprint database is changing as well. So nmap may identify the personality correctly or it may not; this will depend on the version of nmap you or an attacker are scanning with. It will also depend on the nmap. The best idea is to open up ports that are common to a particular device. For instance, most Linux and Solaris devices have port 22 open, while routers and switches will probably have the SNMP port open.
Honeyd Development
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.