CRC-Blogs

Honeyd 1.6d

Introduction

 

Honeyd is a low-interaction honeypot that creates multiple virtual hosts (honeypots) on a network, as shown below. Honeyd monitors unused IP space: when an attacker probes an unused IP, Honeyd detects the probe, takes over that IP via ARP spoofing and creates a virtual honeypot for the attacker to interact with (Honeyd can create a virtual honeypot on every unused address, fooling the attacker and protecting the real servers). The attacker is fooled into thinking that he is interacting with a hacked system. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses. It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. Instead of simulating a service, it is also possible to proxy it to another machine.

10.0.0.1                    Router (Internet)
                                    |
10.0.0.2                         Honeyd
                                    |
      +-------------------+---------+---------+-------------------+
      |                   |                   |                   |
 Linux 1.0.9       FreeBSD 3.2-4.0      Windows NT 4         NetBSD 1.6H
 10.0.0.101          10.0.0.102          10.0.0.103          10.0.0.104

Protocols

Honeyd provides services over the following protocols:

  • TCP
  • UDP
  • ICMP

Distraction to potential hackers

Honeyd is used primarily for two purposes. Using the software's ability to mimic many different network hosts at once (up to 65536 hosts at once), Honeyd can act as a distraction to potential hackers. If a network has only 3 real servers but one of them is running Honeyd, the network will appear to a hacker to be running hundreds of servers. The hacker then has to do more research (possibly through social engineering) to determine which servers are real, or may get caught in a honeypot. Either way, the hacker is slowed down or possibly caught.

Honeyd Dependencies

Honeyd depends on several libraries:

  • libevent for event notification
  • libdnet for packet creation
  • libpcap for packet sniffing
  • libpcre, the Perl-compatible regular expression library (optional; needed for subsystems)

Installation

To install the dependencies on Ubuntu, use the following command:

$ sudo apt-get install libevent-dev libdumbnet-dev libpcap-dev libpcre3-dev libedit-dev bison flex libtool automake

To build and install honeyd, run the following commands from the honeyd source directory:

$ ./autogen.sh
$ ./configure
$ make
$ sudo make install

Configuration

A default configuration file template ships with the honeyd package, but you must adapt it to your own requirements. Below is my configuration file.

#route entry 192.168.10.1
#route 10.0.0.1 link 10.2.0.0/24
#route 10.0.0.1 add net 10.3.0.0/16 10.3.0.1 latency 8ms bandwidth 10Mbps
#route 10.3.0.1 link 10.3.0.0/24
#route 10.3.0.1 add net 10.3.1.0/24 10.3.1.1 latency 7ms loss 0.5
#route 10.3.1.1 link 10.3.1.0/24

# Catch-all template for addresses without an explicit binding: drop everything
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
set default personality "Cisco 2514 router (IOS 12.1)"

# Example of a simple host template and its binding
create windows
set windows personality "OpenBSD 4.0 (x86)"
#set windows uptime 17286500000
#set windows maxfds 3500
# Each (protocol, port) pair is added once: a later add for the same port
# replaces the earlier binding, so the port 22 script would otherwise be lost
add windows tcp port 80 "/usr/share/honeyd/scripts/win32/iisemulator-0.95/iisemul8.pl"
add windows tcp port 22 "scripts/test.sh"
add windows tcp port 23 "scripts/router-telnet.pl"
add windows udp port 53 open
add windows udp port 68 open
add windows udp port 67 open
add windows tcp port 21 open
# ICMP has no ports in honeyd.conf; whether the host answers pings is
# controlled by the template's default ICMP action
set windows default icmp action open
add windows tcp port 145 open
add windows tcp port 149 open
add windows tcp port 445 open

set windows ethernet "00:0c:29:e0:1e:44"
#set windows default tcp action open

#create router
#set router personality "Cisco 2514 router (IOS 12.1)"
#set router default tcp action closed
#add router tcp port 22 "scripts/test.sh"
#add router tcp port 23 "scripts/router-telnet.pl"

#bind 10.3.0.1 router
#bind 10.3.1.1 router
#bind 10.3.1.12 template
#bind 10.3.1.11 template

dhcp windows on ens33

Create keyword

create is used to make a virtual host, for example create windows: here windows is the name of my new template and create is the reserved word that declares a new host machine. As discussed earlier, we can create multiple templates/machines with the create command to fool the attacker.

set windows personality "OpenBSD 4.0 (x86)"

The personality can be adapted so that the host appears to be running a certain version of an operating system; in my case it is OpenBSD 4.0 (x86).

time

A template can be restricted to a certain time interval, in which case it is only used between those times. This allows Honeyd to simulate machines being turned on and off.

add windows tcp port 80 "/usr/share/honeyd/scripts/win32/iisemulator-0.95/iisemul8.pl"

After setting the personality (OS version) we must define which ports are open and which tool or script serves each of them. In this case port 80 runs the script iisemul8.pl (a Perl script, going by its .pl extension). More scripts with different functionality are available from http://www.honeyd.org/contrib.php. For a script, the path and file name must be given in double quotes.

set windows ethernet "00:0c:29:e0:1e:44"

Here you assign a MAC address to your virtual host; choose one close to your own PC's MAC address.

dhcp windows on ens33

This command tells honeyd which network interface to use (ens33 here) and makes it obtain an IP address for the template via DHCP, so each virtual honeypot is addressed dynamically. In this way you can create multiple honeypots and log the attacker's activities.
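Two mistakes are easy to make in a honeyd.conf template like the one above: an add line for ICMP (ICMP has no ports; pings are governed by the template's default icmp action) and a second add for a port that was already bound to a script, which silently replaces the first binding. The following linter is an added example, not part of Honeyd; it catches both mistakes plus references to templates that were never created, assumes only the config grammar shown on this page, and checks a constructed sample configuration.

```python
"""Lint a honeyd.conf for mistakes that silently change what a virtual host
exposes. Added example, not part of the Honeyd project. Assumes the grammar
shown on this page: create/set/add/bind/dhcp lines; the sample is constructed."""
import re

ADD_RE = re.compile(r'^add\s+(\S+)\s+(tcp|udp|icmp)\s+port\s+(\d+)\s+(.+)$')

# Constructed from the page's template, with the two questionable lines kept
SAMPLE_CONF = """\
create windows
add windows tcp port 22 "scripts/test.sh"
add windows tcp port 80 "scripts/iisemul8.pl"
add windows icmp port 7 open
add windows tcp port 22 open
dhcp windows on ens33
bind 10.3.1.11 router
"""

def lint_honeyd_conf(text):
    """Return [(line_no, message)] for every problem found in the config."""
    findings, templates, bound = [], set(), {}  # bound: (tmpl, proto, port) -> line
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()  # '#' inside quotes is not handled
        if not line:
            continue
        words = line.split()
        if words[0] == 'create' and len(words) == 2:
            templates.add(words[1])
        m = ADD_RE.match(line)
        if m:
            tmpl, proto, port, _action = m.groups()
            if tmpl not in templates:
                findings.append((no, f'unknown template {tmpl!r}'))
            if proto == 'icmp':  # ports exist only for tcp/udp
                findings.append((no, 'ICMP has no ports; use '
                                     f'"set {tmpl} default icmp action ..."'))
                continue
            key = (tmpl, proto, int(port))
            if key in bound:  # a later add for the same port replaces the earlier one
                findings.append((no, f'{proto} port {port} on {tmpl} already '
                                     f'bound at line {bound[key]}; this line replaces it'))
            else:
                bound[key] = no
        if words[0] in ('set', 'bind', 'dhcp') and len(words) >= 3:
            tmpl = words[2] if words[0] == 'bind' else words[1]
            if tmpl not in templates:
                findings.append((no, f'unknown template {tmpl!r}'))
    return findings
```

Run it over your own file with lint_honeyd_conf(open('honeyd.config').read()) before starting honeyd.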

 

Command to run Honeyd

$ sudo honeyd -d -f honeyd.config -l var/share/honeyd/logs/honeyd.log

-d keeps honeyd in the foreground and makes it verbose (it does not daemonize), -f names the configuration file, and -l enables packet logging and gives the path of the log file.

Honeyd Logs

Honeyd has two different logging modes. The syslog facility is used to log connection establishment and termination as well as other relevant packet events. Most of these messages can be suppressed by configuring syslog.conf(5) to drop messages for the LOG_DAEMON facility whose level is below LOG_NOTICE.

The second way of logging network activity is the -l flag. This causes honeyd to log all received packets in a human-readable format. For UDP and TCP connections, honeyd logs the start and end of each flow, including the amount of data transferred. For logging anything else, it is suggested to run a separate intrusion detection system.
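A small summariser for the -l packet log, as an added example that is not Honeyd's own code: it rolls the flow-start and flow-end records described above up per source address and flags sources that touched more than one honeypot, which on a Honeyd-covered network means someone is sweeping unused address space. The exact record layout is an assumption reconstructed from that description, and the log lines are constructed.

```python
"""Summarise a Honeyd packet log (the file named by -l). Added example, not
Honeyd's own code. The record layout is an assumption reconstructed from the
page's description (flow start 'S', flow end 'E' with bytes transferred, a
one-line record for other packets); the log lines below are constructed."""
import re
from collections import defaultdict

# date proto(num) S|E src sport dst dport [: received sent] [ [os guess] ]
FLOW_RE = re.compile(
    r'^(?P<ts>\S+) (?P<proto>tcp|udp)\(\d+\) (?P<kind>[SE]) '
    r'(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)'
    r'(?:: (?P<rcvd>\d+) (?P<sent>\d+))?(?: \[(?P<os>[^\]]*)\])?$')

SAMPLE_LOG = """\
2024-05-01-10:02:11.0421 tcp(6) S 203.0.113.7 41022 10.0.0.103 445 [Windows XP SP1]
2024-05-01-10:02:14.9012 tcp(6) E 203.0.113.7 41022 10.0.0.103 445: 312 0
2024-05-01-10:02:15.1170 tcp(6) S 203.0.113.7 41023 10.0.0.101 22
2024-05-01-10:02:15.3001 tcp(6) E 203.0.113.7 41023 10.0.0.101 22: 64 120
2024-05-01-10:02:16.5551 icmp(1) - 203.0.113.7 10.0.0.102: 8(0): 84
2024-05-01-10:02:20.0003 udp(17) S 198.51.100.9 5555 10.0.0.104 53
2024-05-01-10:02:20.1003 udp(17) E 198.51.100.9 5555 10.0.0.104 53: 40 0
"""

def summarise(log_text):
    """Per source IP: honeypots touched, (proto, port) pairs, bytes the
    source sent us, and the OS guess Honeyd attached to its first flow."""
    per_src = defaultdict(lambda: {'honeypots': set(), 'ports': set(),
                                   'bytes_in': 0, 'os': None})
    for line in log_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:  # ICMP and other one-shot records use a different layout
            continue
        rec = per_src[m['src']]
        rec['honeypots'].add(m['dst'])
        rec['ports'].add((m['proto'], int(m['dport'])))
        if m['kind'] == 'E':  # the end record carries the byte counts
            rec['bytes_in'] += int(m['rcvd'])
        if m['os'] and rec['os'] is None:
            rec['os'] = m['os']
    return dict(per_src)

def sweeping_sources(summary, min_hosts=2):
    """Sources that touched at least min_hosts honeypots: because Honeyd owns
    the unused addresses, that is a scan across dark space worth alerting on."""
    return sorted(s for s, r in summary.items() if len(r['honeypots']) >= min_hosts)
```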