Deploying Honeypots with Honeyd

8 12 2008

Another work of Cryptography, this time on Security in systems information area. Me and Pedro Pereira choose the Honeypot project. The idea is to understand and if possible experiment tools to implement Honeypots.

The Honeynet Project


The Honeynet project began in 1999 by the initiative of Lance Spitzner. It is an international nonprofit project. The idea of this project is to increase security on the Internet without any cost to the public. This is a project with strong bases on OpenSource believes. This project has several years of experience in defense information systems. In his website you can have access to a lot of documentation and software to create Honeynets and Honeypots.

In fact we have started to watch this presentation from HITBSecConf2007 in Dubai by Lance Spitzner. If you feel interested and have 40 minutes I recommend to watch.

Reading about Honeypots

The are 2 kinds of honeypots, client and server. The client surf the web interacting with other computers, and the server wait until someone request a service. And more 2 kind, low and high interaction, that means, if the honeypot is virtual or real (a real machine).

Our work is focused on the study of some solutions to create Honeypots. We start to read some good papers about the subject. After reading Malicious Web Servers, from Know Youy Enemy series, and later the Behind the Scenes of Malicious Web Servers, we start to get involved by the idea of deploying our own Honeypot. So we decide to use Honeyd tool to create them.

In this post I will talk about the process of install and configure a Honepot with the help of Honeyd.

Honeyd

Honeyd is a low interaction honeypot client that create virtual hosts (Honeypots) in a network. These Honeypots can be configured to act like a real operative system, in fact there are approximately 1000 personalities of OS’s that we can chose. At the same time we can configure those operative systems to activate certains services like FTP, HTTP, Telnet, etc.

Honeyd enables a single host to claim multiple addresses – I have tested up to 65536 – on a LAN for network simulation.

The quote is from Niels Provos, the creator of Honeyd.

Installing Honeyd

If you are in debian (like me), the only thing you have to do (and I think you are accustomed to it :P) is:

hydra:~# apt-get install honeyd honeyd-common

The package honeyd-common came with a lot of scripts to emulate the services that we will run in our Honeypot.

If you are running another one download the version I will use, and install it.

Preparing the field for Honeyd

All the system configurations we found was with the intention of running Honeyd in a local network.
And we have a router between us and the Internet. The router do NAT to the internal network, so we only have one IP. So we decide to only implement one honeypot to start testing.

In the router we determined that the computer that has the Honeyd installed (192.168.1.72) can be accessed from outside by ssh throw the port 2222, and HTTP by 8080 (to see the statistics). We also add that our honeypot (192.168.1.50) would be visible from the Internet with a quantity of open ports. This ports we show further on.

In fact we still have a problem, the router don’t know our honeypot (192.168.1.50). To solve this we run in Honeyd computer:

hydra:~# farpd 192.168.1.50 -i eth0

farpd is a program made by Niels Povos. With that program the computer with Honeyd (192.168.1.72) will send is MAC address when a ARP request is made to the network. This ARP request happens because the router don’t know who is 192.168.1.50. After 192.168.1.72 sending his MAC address the router will send the package to Honeyd computer (192.168.1.72), and Honeyd program will take care of them, sending it to the virtual host.

Now we have to configure how Honeyd will run, the file can be found in /etc/defaults/honeyd
Agora temos que configurar como o hd~vai correr, para isso utilizamos o seguinte textit{script}:

# File: /etc/defaults/honeyd
# Defaults for honeyd initscript

# run as a daemon
RUN="yes"
# Network interface where honeyd will listen
INTERFACE="eth0"
# Network under control od honeyd (in my case: just one host)
NETWORK=192.168.1.50
# Options
# -c hostname:port:username:password
OPTIONS="-c localhost:12345:username:password"

The -c flag will collect to us some statistics, that we will put in a pie chart further. This flag receives the hostname, the port, username and password to can access to the statistics.

You may want to configure also the /etc/init.d/honeyd file, here are the first lines of the file:

. . .
PATH=/bin:/usr/bin:/sbin:/usr/sbin
# Daemon locations
DAEMON=/usr/bin/honeyd
# Daemon names
NAME=honeyd
# Pidfiles
PIDFILE=/var/run/honeyd.pid
# Labels
LABEL="Honeyd daemon"
DEFAULT=/etc/default/honeyd
LOGDIR="/var/log/honeypot"
DAEMONLOG="$LOGDIR/daemon.log"
. . .

Note that log files from Honeyd will be written in LOGDIR directory.

honeydstats

With all the statistics being collected by honeyd (with the flag -c activated) the only thing we need is a program to read them, and show them in a human way.
To do that job honeyd came with program honeydstats. To run that command, and start collecting statistics from you honeyd do:

hydra:~# honeydstats --os_report /etc/honeypot/os.honeydstats
      --port_report /etc/honeypot/port.honeydstats
      --spammer_report /etc/honeypot/spam.honeydstats
      --country_report /etc/honeypot/country.honeydstats
      -f /etc/honeypot/honeydstats.conf -l localhost -p 12345

I have choose to write all files in the /etc/honeypot/ directory for convenience. The command above start collecting statistics in port 12345 and host localhost, the –*_report flags indicate the statistics honeydstats collect. The file /etc/honeypot/honeydstats.conf contains the username and the password in the form:

# File: /etc/honeypot/honeydstats.conf
username:password

honeypot Configuration

This is the configuration file for my honeypot (192.168.1.50). I use a default one, with a little changes, you can find a lot of this files in the Internet.

create win2k
set win2k personality "Microsoft Windows 2000 SP2"
set win2k default tcp action reset
set win2k default udp action reset
set win2k default icmp action block
set win2k uptime 3567
set win2k droprate in 13
add win2k tcp port 23 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/telnetd.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 21 "sh /usr/share/honeyd/scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 80 "sh /usr/share/honeyd/scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 143 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 389 "sh /usr/share/honeyd/scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 5901 "sh /usr/share/honeyd/scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"
add win2k udp port 161 "perl /usr/share/honeyd/scripts/unix/general/snmp/fake-snmp.pl public private --config=/usr/share/honeyd/scripts/unix/general/snmp"

# This will redirect incomming windows-filesharing back to the source

add win2k udp port 137 proxy $ipsrc:137
add win2k udp port 138 proxy $ipsrc:138
add win2k udp port 445 proxy $ipsrc:445
add win2k tcp port 137 proxy $ipsrc:137
add win2k tcp port 138 proxy $ipsrc:138
add win2k tcp port 139 proxy $ipsrc:139
add win2k tcp port 445 proxy $ipsrc:445

bind 192.168.1.50 win2k

Here I create a win2k operative system (Microsoft Windows 2000 with SP2) with a lot of open ports {23,21,25,80,110,143,389,5901,137,138,139}TCP and {161,137,138,445}UDP. These port’s must be open in your router, and pointing to the honeypot – 192.168.1.50.

And now we are ready to run honeyd:

hydra:~# /etc/init.d/honeyd start

Generating graphical statistics

Here is the problem of Honeyd, don’t have a graphical interface or a webpage to visualize all the information that are being saved to the .log, just honeydstats…
Well, I’ve found these perl script and these perl system file.

you:/etc/honeypot$ wget http://www.alunos.di.uminho.pt/~a43175/code/perl/customPie.pm -O /etc/honeypot/customPie.pm
you:/etc/honeypot$ wget http://www.alunos.di.uminho.pt/~a43175/code/perl/buildPie.pl -O /etc/honeypot/buildPie.pl

The file buildPie.pl receives files in the form:

#13#           Linux 2.6 .1-7#
#1#          Solaris 10 beta#
#1#            Windows 2000 #
#1#              Windows 98 #
#15#           Windows XP SP1#
#27#                  unknown#

and we have files in the form:

           Linux 2.6 .1-7:       0       1      13
          Solaris 10 beta:       0       0       1
            Windows 2000 :       0       0       1
              Windows 98 :       0       0       1
           Windows XP SP1:       0       0      15
                  unknown:       0       2      26

Now I’m gonna to use the these files generated by honeydstats {os,port,spam,country} to put the files in #n#id# form. Here we need to use the program txt2html, so, better you install it. Now we just have to get out the rust of sed command and we are ready!

# File: /etc/honeypot/generate-stats.sh
#!/bin/sh
#
# Country
cat /etc/honeypot/country | sort -rn | head | awk '{print $4" "$1}'  | sed 's/^/#/g' | sed 's/$/#/g' | sed 's/ /#/g' | sed 's/://g'  | perl /etc/honeypot/buildPie.pl /var/www/img/country
cat /etc/honeypot/country | txt2html > /var/www/img/country.html

# Operative System
cat /etc/honeypot/os | sed 's/(.*):([^0-9]*)([^ ]*)([^0-9]*)([^ ]*)([^0-9]*)([^ ]*).*/#7#1#/g' | perl /etc/honeypot/buildPie.pl /var/www/img/os
cat /etc/honeypot/os | txt2html > /var/www/img/os.html

# Spam
cat /etc/honeypot/spam | sort -rn | head | awk '{print $4" "$1}'  | sed 's/^/#/g' | sed 's/$/#/g' | sed 's/ /#/g' | sed 's/://g' | perl /etc/honeypot/buildPie.pl /var/www/img/spam
cat /etc/honeypot/spam | txt2html > /var/www/img/spam.html

# Ports
cat /etc/honeypot/port | sort -rn | head | awk '{print $4" "$1}'  | sed 's/^/#/g' | sed 's/$/#/g' | sed 's/ /#/g' | sed 's/://g' | perl /etc/honeypot/buildPie.pl /var/www/img/port
cat /etc/honeypot/port | txt2html /var/www/img/port.html

Now get the index.html to put in the /var/www/img directory:

you:/etc/honeypot$ mkdir /var/www/img/
you:/etc/honeypot$ wget http://www.alunos.di.uminho.pt/~a43175/code/html/index.html.txt -O /var/www/img/index.html

Add a cronjob:

you:/etc/honeypot# vi /etc/crontab

And add these line to the end of file:

6  *    * * *   root    /etc/honeypot/generate-stats.sh

And we are done! For now on, you should have these nice graphics in your index.html file:

Future work

Well, the honeypot still running, and more and more statistics are being collected, in fact we already have make a very good discovers, but in a future post I will talk about that.

We are also thinking in use another kind of honeypot, a low interaction client honeypot, maybe HoneyC to identify malicious servers on the web, and maybe experiment by our selfs what we have read about client honeypots.

About these ads

Actions

Information

14 responses

9 12 2008
web servers | Digg hot tags

[...] Vote Deploying Honeypots with Honeyd [...]

11 01 2009
SSH Login Attempts « Ulisses Costa Blog

[...] Login Attempts 11 01 2009 Back with honeypot news! We have launched our honeypot for 5 weeks, and now we have results to show you. In this post I will show you the attempts that [...]

11 01 2009
SMTP Attacks « Ulisses Costa Blog

[...] 11 01 2009 This post is part of the results discovered when the honeypot was running. This port concerns to SMTP connections to the [...]

16 01 2009
One Person’s Experience with Honeypots « UNIX Administratosphere

[...] January 2009 Ulisses Costa describes how he and Pedro Pereira created a honeypot and now has reported some of his statistics about attempted SMTP attacks and attempted [...]

18 01 2009
In a nutshell: 2009-01-18 | adminlife.net

[...] Deploying Honeypots with Honeyd Anleitung zur Installation und Konfiguration von honeyd unter Debian. Zusätzlich wurden Ergebnisse zu SMTP Attacken und SSH Login Versuchen veröffentlicht. [...]

12 10 2009
Honeyd Nedir? Sözlük Anlamı, Tanımı ve Honeyd Hakkında Bilgi DownloadSEN

[...] Honeyd ile balküpleri geliştirmek Yazar: admin | Tarih: Ekim 12, 2009 – 0 Kez Okundu | Kategori: Genel [...]

12 10 2010
vasant

“farpd 192.168.1.50 -i eth0″ giving error as:
“farpd: bad interface configuration: not IP or Ethernet”.

i’m using ubuntu 9.04 desktop edition on my lenovo netbook..which is connected to home router using wireless link. couldn’t figure out what is the problem.

11 01 2011
Timmy

Can you show your configfile or a sample config file of:
/usr/share/honeyd/scripts/unix/general/snmp

11 01 2011
Timmy

Nevermind

11 01 2011
Timmy

fake-snmp.pl returns the following error:
Undefined subroutine &main::decode_by_template called
Any ideas or do you have an updated script?

12 01 2011
Ulisses Araújo Costa

Timmy, is been a while since I did this. I don’t have any file related to this project. But I remember seeing a lot of scripts out there, I’m not sure about SNMP specifically.

7 05 2011
arihant kothari

I couldnt get the web interface..there is no process listening on port 12345. i have kept the default settings as given by you.
Please help.

26 08 2011
HoneyD – Your own virtual honeypot « nullpwd

[...] to two amazing blog posts that helped me get familiar with honeyd that I recommend you read: Deploying Honeypots with HoneyD by Ulisses Costa, and honeyd tutorial part 1, getting started by Travis Altman. Read them. [...]

8 07 2013

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




Follow

Get every new post delivered to your Inbox.

Join 185 other followers

%d bloggers like this: