Last month we discussed a honeypot called LaBrea (Prevent DoS Attacks, page 94), which is effective at reducing DoS attacks generated by network worms and is also very easy to install. This time we are going to use another honeypot called Honeyd. While LaBrea can generate only Linux virtual machines, this small daemon is capable of creating a number of virtual hosts with different OS fingerprints. The best part of the software is that it is very modular and configurable: you can manually create a virtual machine and define its attributes, such as which OS it should imitate (Win XP Prof, a Cisco IOS router or even an IBM OS/400) and which ports should be advertised as open. You can also configure scripts, which will run on these ports and appear as actual services. Let's see how to configure such a honeypot.
Getting ready
First, download four components from Honeyd's website (www.citi.umich.edu/u/provos/honeyd/) to your home directory: Honeyd, libdnet, libevent and arpd. Then install each of them by issuing the following commands.
#tar -zxvf filename
#cd libevent-0.7c
#./configure
#make
#make install
where you replace filename with the tarball of each of the four components you've downloaded, and the directory name with the one each tarball extracts to (libevent-0.7c is shown here). This will install Honeyd on your Linux machine.
Using Honeyd
Configuring and using Honeyd is not child's play; it needs a good knowledge of networking. It is highly recommended that you don't use Honeyd in a production environment without properly assessing the consequences and understanding how Honeyd works. Here, we are going to demonstrate some of the key features of Honeyd in a test setup. You can always learn more about it from its website, http://honeyd.org.
To start with, you have to create some fake IP addresses with the help of the arpd daemon, which you then bind to different templates in Honeyd's configuration file. The templates are nothing but script modules for the different OSs that you'd like Honeyd to fake. For instance, if you'd like to create ten fake instances of a Win XP installation, you'll first assign ten fake IP addresses and then bind them to the template. This assigning and binding is done as follows:
#arpd 192.168.3.111
This command makes arpd answer ARP requests for the 192.168.3.111 IP address with the MAC address of your machine's network card, so traffic for that IP reaches your machine. You can even bind a whole subnet to the MAC address of your machine as follows:
#arpd 10.10.10.0/24
This command will make all IPs in the 10.10.10.x network resolve to your machine's MAC address. Isn't it great?
Write the configuration file
Open a new file in /etc, name it honeyd.conf and create templates for the different virtual machines. For example, if you want a template for a virtual machine (VM) that advertises itself as a Win XP Prof machine running HTTP, telnet, SSH and a UDP DNS proxy, enter the following lines (every add line names a protocol, tcp or udp, and a proxy target is written as host:port):
create WinXP_VM
set WinXP_VM personality "Microsoft Windows XP Professional"
set WinXP_VM uptime 1728650
add WinXP_VM tcp port 80 "scripts/web.sh"
add WinXP_VM tcp port 22 "sh scripts/test.sh $ipsrc $dport"
add WinXP_VM tcp port 23 proxy $ipsrc:23
#add WinXP_VM udp port 53 proxy 192.168.3.1:53
set WinXP_VM default tcp action reset
Similarly, if you want to create a virtual Cisco router, then enter the following:
create router
set router personality "Cisco 7206 running IOS 11.1(24)"
set router default tcp action reset
add router tcp port 22 "scripts/test.sh"
add router tcp port 23 "scripts/router-telnet.pl"
You can create as many VMs as you want, each depicting a different OS fingerprint. Once you're done, bind these VMs to the virtual IP addresses you created using arpd. Let's suppose we have two virtual IP addresses, 192.168.3.111 and 192.168.3.112. To bind these IPs to the VMs, add two lines at the end of the configuration file like this:
bind 192.168.3.111 router
bind 192.168.3.112 WinXP_VM
Lastly, run the Honeyd daemon with the following command (the binary is lowercase honeyd; nmap.prints is the fingerprint file that ships with it):
# honeyd -d -p nmap.prints -f /etc/honeyd.conf
Your single Linux machine will now advertise itself as both a Win XP machine and a Cisco router. Whew!
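A mistake in honeyd.conf (an add line without a protocol, a bind to a template that was never created, or curly quotes pasted from a document) stops the daemon or silently leaves a port unserved, so it pays to check the file before starting honeyd. The following Python script is an added example, not part of the article or of the Honeyd project; it applies only the syntax rules used above (create, set, add <template> tcp|udp port <n> <action>, proxy host:port, bind <ip> <template>) and ignores other Honeyd keywords. The embedded configuration is constructed for the demonstration and deliberately contains three mistakes.

```python
import ipaddress
import re

# Constructed sample honeyd.conf (not from the article). It contains three
# deliberate mistakes so the checks below have something to report:
# line 6 has no protocol, line 11 uses curly quotes, line 17 binds an
# undefined template.
SAMPLE_CONF = """\
# honeypot templates (constructed example)
create WinXP_VM
set WinXP_VM personality "Microsoft Windows XP Professional"
set WinXP_VM uptime 1728650
add WinXP_VM tcp port 80 "scripts/web.sh"
add WinXP_VM port 22 "sh scripts/test.sh $ipsrc $dport"
add WinXP_VM tcp port 23 proxy $ipsrc:23
set WinXP_VM default tcp action reset

create router
set router personality \u201cCisco 7206 running IOS 11.1(24)\u201d
set router default tcp action reset
add router tcp port 23 "scripts/router-telnet.pl"

bind 192.168.3.111 router
bind 192.168.3.112 WinXP_VM
bind 192.168.3.113 printer
"""

SMART_QUOTES = "\u201c\u201d\u2018\u2019"
ADD_RE = re.compile(r"^add\s+(\S+)\s+(tcp|udp)\s+port\s+(\d+)\s+(.+)$")
BIND_RE = re.compile(r"^bind\s+(\S+)\s+(\S+)$")


def lint_honeyd(text):
    """Return a list of (line_number, message) for problems in a honeyd.conf."""
    problems = []
    templates = {"default"}   # honeyd always has an implicit "default" template
    bound = {}                # ip -> template, to catch an IP bound twice
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if any(ch in line for ch in SMART_QUOTES):
            problems.append((lineno, "curly quotes: honeyd expects straight double quotes"))
        words = line.split()
        keyword = words[0]
        if keyword == "create":
            if len(words) != 2:
                problems.append((lineno, "create takes exactly one template name"))
            else:
                templates.add(words[1])
        elif keyword == "set":
            name = words[1] if len(words) > 1 else "?"
            if name not in templates:
                problems.append((lineno, f"set refers to undefined template {name}"))
        elif keyword == "add":
            m = ADD_RE.match(line)
            if not m:
                problems.append((lineno, "add must read: add <template> tcp|udp port <n> <action>"))
                continue
            name, proto, port, action = m.groups()
            if name not in templates:
                problems.append((lineno, f"add refers to undefined template {name}"))
            if not 1 <= int(port) <= 65535:
                problems.append((lineno, f"port {port} is out of range"))
            if action.startswith("proxy") and ":" not in action:
                problems.append((lineno, "proxy target must be written as host:port"))
        elif keyword == "bind":
            m = BIND_RE.match(line)
            if not m:
                problems.append((lineno, "bind must read: bind <ip> <template>"))
                continue
            ip, name = m.groups()
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append((lineno, f"{ip} is not a valid IP address"))
            if name not in templates:
                problems.append((lineno, f"bind refers to undefined template {name}"))
            if ip in bound:
                problems.append((lineno, f"{ip} is already bound to {bound[ip]}"))
            bound[ip] = name
        # Other honeyd keywords (annotate, clone, ...) are not checked here.
    return problems


if __name__ == "__main__":
    for lineno, message in lint_honeyd(SAMPLE_CONF):
        print(f"line {lineno}: {message}")
```

Run it against your own file by reading /etc/honeyd.conf into lint_honeyd instead of SAMPLE_CONF; on the sample it reports lines 6, 11 and 17. The check is deliberately strict about proxy targets: the page's commented-out udp line would be flagged until the target is written as host:port, which is the form honeyd needs.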
Testing your setup
To check whether Honeyd is working and doing its job, we used the Nmap and Nessus network scanners to scan the VMs we just created. We found that Honeyd fooled both scanners, as their results showed a machine with a vulnerable IIS5 server and a router with telnet and SSH ports open.
Anindya Roy