Honeyd: Track the hackers

July 7, 2010, by | Start Discussion


Honeyd is a low interaction Honeypot client that creates virtual hosts (Honeypots) in a network. These Honeypots can be configured to act like a real operating system, in fact there are approximately 1000 personalities of OS’s that we can choose. At the same time we can configure those operating systems to activate certain services like FTP, HTTP, Telnet, etc.

Honeyd enables a single host to claim multiple addresses.

Ever wanted to be like those secret agents in Hollywood movies who work with cool looking computers, flashy programs, with sexy assistants and catches the bad guys? Here is your once in a life time chance to be like one. Ok enough jokes, lets come back to reality Honeypots or honey nets are the tools/ systems used by security researchers around the globe to track malicious activity.

In computer terminology, a Honeypot is a trap set to detect, deflect, or in some Manner counteracts attempts to unauthorized use of information systems. Honeyd is a non-interactive, easy to deploy Honeypot. It is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses.

Installation

Honeyd can be downloaded from http://www.honeyd.org and is available for both Windows (Cygwin) and Linux. I will be explaining about installation and configuration in Linux (to be specific in Ubuntu); windows installation follows a similar path. Download the latest release from the website

Before installing the Honeyd, you need to install following libraries

libevent, libdnet, libpcap, libpcre make sure that you are installing the development packages of the above also.
Once all the dependencies are met, the installation is trivial.

Unzip the tar file and then.

./configure

Make

sudo make install

Once installation is over Honeyd is ready to play with. Let’s run our first Honeypot.
Download the example configuration file config.localhost from http://www.honeyd.org/config/config.localhost and run the command

$honeyd -d -p nmap.prints -f config.localhost -i lo

[For the time being use the nmap.prints which came along with the Honeyd package, later you can update it to the latest version.]

In the command you just run, “-d” will ask it not to run as a daemon, so that we can see the log information directly printed to the console and will be able to interact with it. “-p” will specify the nmap style finger print used for simulating OS characteristics “-i” will specify the interface used and the IP range to listen, which in our case is the local loop, and “-f” will specify the configuration file which has the structure of our Honeypot.

Configuration Files

Each of the virtual Honeypot you create inside the configuration file is called as a template. A single configuration can have multiple templates (i.e. multiple systems).

An example template configuration taken from config.localhost

------------------------------------------------------
create routerone  #create the template(virtual system) with name routerone
Set routerone personality "Cisco 7206 running IOS 11.1(24)"
 #assigns the personality (OS nature) as CISCO IOS
Set routerone default tcp action reset
 #set the default TCP action of the system routerone as RESET
add routerone tcp port 23 "scripts/router-telnet.pl"
#add TCP port 23 to the system routerone and give that port the characteristic defined by 
the given script file, here it will emulate a telnet session
bind 10.0.0.1 routerone
 #bind the system routerone to the particular ip address
----------------------------------------------------

Honeyd is a really versatile tool that can be used to simulate complex network topologies; if you are interested you can read more on the site.

Experiment

Now that you have a basic understanding about the configuration, let’s continue with the experiment.

Once you have started the Honeyd, it will listen on the “lo” interface looking for packets matching the configured hosts. It’s our job to make sure that packets are reaching the particular interface.

So now add a route to 10.0.0.0/8 in the “lo”

$sudo route -n add -net 10.0.0.0 netmask 255.0.0.0 gw

Now try pinging a host we have specified in the config file (eg.10.0.0.1), voila!! You will get ICMP response from that IP. Also if you look into the terminal where Honeyd is running, you can see the activities happening. If you do an nmap scan against the host 10.0.0.1, you can see that telnet service is running at 23. Try to connecting with telnet and see the logs.

Pinging the virtual host 10.0.0.1 and the correspondingly generated honeyd logs

Nmap scan against 10.0.0.1, see port 23 is shows as open

But if you are planning to run it to  reach  the hackers, you need to run it in the daemon mode and store the traces. For that run the command without “-d”, “-l” option will let you log the packet level details and “-s” will let you log at the service level.
For e.g.

$sudo honeyd -l log_pkt.log -s log_srvc.log -p nmap.prints
-f config.localhost

Now you’re ready for actual Honeypot deployment. It’s advisable to deploy honeyd on a separate system, if you are planning to put it in the wild web. A typical deployment is shown in the figure. Configure the router to forward ports you are planning to monitor to your honeyd PC. Now wait like a spider waiting for the prey [;)], soon enough an attacker will come your way. Happy honey potting

Rakesh has completed his B Tech from NIT Calicut in ECE, now he is working in the field of wireless testing with a leading telecom MNC. Rakesh has fairly good amount of experience in PT, and RCE and is an active member of Indian Honeynet project. His programming expertise includes PHP, MySQL, Perl, C, Verilog, HTML/CSS and AJAX.

Leave a Reply