Featured image: “DEFCON In Action #2” by Ambrosia Software
Today, I will discuss a very interesting tool called Honeyd (pronounced “honey-dee” or “honey-daemon“). It is a powerful virtual honeypot tool written by Niels Provos and released as open source under the GNU General Public License v2.0, as part of the Honeynet Project. It runs on many Linux distributions and BSDs.
A honeypot is a public or private computer that has no legitimate users or production purpose and is deliberately made to look like an attractive target, for instance by leaving it unpatched, without anti-virus or a firewall. Because nobody has a reason to talk to it, any traffic that reaches it is suspect, which makes it a perfect tool for catching potential black-hat network intruders or spammers and monitoring their behavior for analysis or spamtrapping. If you like, you can even build a massive open “playground”, giving any hacker (good or bad) a testbed to develop their skills and put their knowledge and techniques to the test without disrupting others.
If you have the cash, you can set up multiple honeypots in your home or workplace, which act as convincing “decoy machines” that can help protect your legitimate computers from crackers. Networks like these are called honeynets.
A typical honeynet consists of multiple honeypots interlinked together and finally to the Internet, if you so wish. This setup is robust, works effectively, and makes logging and forensics simple. Furthermore, should anything go wrong, you can simply pull the plug on the whole thing.
On the downside, while this option may be viable for corporations or large organizations, it can be very taxing to set up for a hobbyist, as it requires them to buy a server rack or two, maintain them, and run up the home electric bill. Remember that in most cases, more honeypots = better results. There is also some risk of malware leaking out of a compromised honeypot onto a legitimate computer and destroying it (if the honeypot isn’t completely isolated from your internal network, that is).
The best way to solve this problem is with virtual honeypots: a daemon running on one or several computers generates virtual honeypot hosts and places them on the network. Instead of having to buy and set up many physical computers, you now only need one computer, which can generate and host as many virtual honeypots as you please.
Honeyd is an open source application that tries to meet that goal. Each honeypot is described in a configuration file that you load and deploy. These honeypots are completely user-customizable through a simple text editor, where you may define such traits as the base operating system it should appear to run, how each port behaves, and more. Honeyd can simulate a whole slew of port services for each individual honeypot, such as HTTP, FTP, telnet, rsh, SMTP, and plenty more.
When would virtual honeypots or honeynets be used in the real world?
Here is an example scenario: a small company has three servers full of important data that it needs to diligently protect, and it cannot risk a break-in. A fourth server on the same network runs Honeyd with two hundred deployed honeypots. All servers have an intrusion detection system installed. An attacker probing addresses at random has a slim chance of hitting one of the four legitimate computers out of two hundred four total, and an attacker who sweeps the whole range cannot avoid touching the decoys on the way.
When a honeypot is attacked, all network traffic and time-frames are logged along with the attacker’s IP address and the ports they touched, allowing the company to identify the presence of an intruder before any real damage is done. Since no legitimate host has any business talking to a decoy, a single connection to one is a high-confidence alert rather than a needle in a haystack. It’s the perfect trap.
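The detection step described above is mostly a matter of reading the packet log Honeyd writes (its -l option) and asking who touched the decoys and how widely. The following is an added example for this article, not code from Honeyd or the Honeynet Project: the sample log lines are constructed, modelled on the layout of Honeyd’s packet log (timestamp, protocol, an S/E/- event marker, source address and port, destination address and port, then either a bracketed OS guess or the bytes exchanged). Treat that field layout as an assumption and compare it against a real log before relying on it; the thresholds for calling a source a scanner are likewise illustrative.

```python
"""Summarise a honeyd packet log: who touched the decoys, and how widely.

Added example, not part of honeyd. SAMPLE_LOG is constructed and only
modelled on honeyd's -l output format (assumption: timestamp, proto(num),
event S/E/-, src, sport, dst, dport, then "[fingerprint]" for S lines or
": bytes_in bytes_out" for E lines). Verify against your own log.
"""
import re
from collections import defaultdict

# Constructed sample: one host sweeping six ports on three decoys, one host
# making a single SMTP conversation, plus an ICMP echo with no port fields.
SAMPLE_LOG = """\
2011-08-26-21:48:01.1034 tcp(6) S 192.168.1.77 40001 192.168.1.150 25 [Linux 2.6]
2011-08-26-21:48:01.1052 tcp(6) S 192.168.1.77 40002 192.168.1.150 110
2011-08-26-21:48:01.1077 tcp(6) S 192.168.1.77 40003 192.168.1.151 80
2011-08-26-21:48:01.1090 tcp(6) S 192.168.1.77 40004 192.168.1.151 445
2011-08-26-21:48:01.1131 tcp(6) S 192.168.1.77 40005 192.168.1.152 22
2011-08-26-21:48:01.1150 tcp(6) S 192.168.1.77 40006 192.168.1.152 3389
2011-08-26-21:48:02.2000 tcp(6) E 192.168.1.77 40001 192.168.1.150 25: 0 0
2011-08-26-21:50:13.0001 tcp(6) S 192.168.1.23 51234 192.168.1.150 25 [Windows XP SP1]
2011-08-26-21:50:19.4412 tcp(6) E 192.168.1.23 51234 192.168.1.150 25: 318 402
2011-08-26-21:51:00.0000 icmp(1) - 192.168.1.23 192.168.1.150: 8(0): 84
"""

# Source port and destination port are optional so ICMP lines still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\(\d+\)\s+(?P<event>[SE-])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?:(?P<sport>\d+)\s+)?"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\s+(?P<dport>\d+))?(?P<rest>.*)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "ts": d["ts"], "proto": d["proto"], "event": d["event"],
        "src": d["src"], "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
        "bytes_in": 0, "bytes_out": 0,
    }
    if d["event"] == "E":
        # Connection end: ": <bytes received> <bytes sent>" follows the port.
        nums = re.findall(r"\d+", d["rest"])
        if len(nums) >= 2:
            rec["bytes_in"], rec["bytes_out"] = int(nums[0]), int(nums[1])
    return rec


def summarize(log_text, port_threshold=5, host_threshold=3):
    """Aggregate per source address and classify each one.

    scanner     : touched many distinct ports or many distinct decoys
    interactive : actually sent data to an emulated service
    probe       : knocked without sending anything
    """
    per_src = defaultdict(lambda: {
        "targets": set(), "ports": set(), "connections": 0,
        "bytes_in": 0, "bytes_out": 0, "first": None, "last": None,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip rather than crash the report
        s = per_src[rec["src"]]
        s["targets"].add(rec["dst"])
        s["first"] = min(s["first"] or rec["ts"], rec["ts"])
        s["last"] = max(s["last"] or rec["ts"], rec["ts"])
        if rec["event"] == "S" and rec["dport"] is not None:
            s["connections"] += 1
            s["ports"].add(rec["dport"])
        elif rec["event"] == "E":
            s["bytes_in"] += rec["bytes_in"]
            s["bytes_out"] += rec["bytes_out"]

    report = {}
    for src, s in per_src.items():
        if len(s["ports"]) >= port_threshold or len(s["targets"]) >= host_threshold:
            verdict = "scanner"
        elif s["bytes_in"] > 0:
            verdict = "interactive"
        else:
            verdict = "probe"
        report[src] = {
            "verdict": verdict, "targets": len(s["targets"]),
            "distinct_ports": len(s["ports"]), "connections": s["connections"],
            "bytes_in": s["bytes_in"], "bytes_out": s["bytes_out"],
            "first": s["first"], "last": s["last"],
        }
    return report


if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {info['verdict']:12} hosts={info['targets']} "
              f"ports={info['distinct_ports']} bytes_in={info['bytes_in']} "
              f"{info['first']} .. {info['last']}")
```

Run it on a real log with `summarize(open("log.out").read())`; the interesting output is the “interactive” sources, since those are the ones that got past port knocking and spoke to an emulated service, and their decoy-side payloads are what you will want to pull from the service logs next.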
Features
- Manipulates TCP/IP packets to create the illusion that there is a host on the network.
- At the time of this writing, Honeyd supports up to 65,536 hosts at once.
- Convincingly emulates a plethora of port services.
- Can impersonate up to a thousand different operating systems, using personalities taken from nmap’s OS fingerprint database.
- User can define unique virtual hosts using simple config files.
- Lets you catch spammers and network intruders, as well as observe their behaviors.
- The virtual hosts are emulated rather than real machines, so there is no guest operating system for an attacker to take over; keep in mind that the Honeyd process itself and its service scripts do run on the true host.
Installing on Debian, Ubuntu, & friends from repositories
This is downright easy on Debian-like systems. Firstly, open up your terminal emulator and then update your package listings as shown below:
user@linuxbox~$ sudo apt-get update
Next, install Honeyd and its dependencies using apt-get.
user@linuxbox~$ sudo apt-get install honeyd honeyd-common
The honeyd package contains the actual Honeyd service, and honeyd-common contains various scripts and extra components that will emulate all the port services on the virtual honeypots, such as SSH, HTTP, rsh, etc. On a LAN you will usually also want an ARP responder such as farpd (package farpd on Debian-like systems), because Honeyd only handles IP traffic: something has to answer ARP requests for the decoy addresses so that packets for them reach the Honeyd host at all.
Gentoo and Arch Linux should already supply Honeyd in their portage and AUR repositories, respectively. For any other distribution, you should consult your respective wikis or search your package listings. Hopefully, honeyd and honeyd-common are available to you in a simple installation format. If not, compilation from source code is always an option. Honeyd installation from BSD ports is easy, just see this link.
Building a honeypot
To make a virtual honeypot in Honeyd, you create a *.conf file using gedit, Kate, nano, vim etc. and load it. Below is an example configuration file that generates a Windows 2000 host and places it on the LAN:
# Make a new Win2K SP2 host template called "windows".
create windows
set windows personality "Microsoft Windows 2000 SP2"
set windows default tcp action reset
set windows default udp action block
set windows default icmp action block
add windows tcp port 25 open
add windows tcp port 110 open
# Make this server run SMTP and POP3 email services by attaching scripts to ports 25 and 110.
add windows tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
add windows tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
# Finally, bind the template to an IP address on the LAN; this is what creates the virtual host.
bind 192.168.1.150 windows
To load the honeypot(s) into Honeyd and deploy them, simply enter the appropriate commands. Honeyd needs to capture and inject raw packets, so it must be started with root privileges (prefix the commands with sudo if you are not root); make sure the address you bind is not already in use by a real host or handed out by your DHCP server.
user@linuxbox~$ honeyd -d -f honeypots.conf
The -d parameter forces Honeyd not to run in the background as a daemon and dumps any and all output information into the terminal, while -f names the configuration file to load. If you wish to log the packet data into a file, simply use the -l option.
user@linuxbox~$ honeyd -d -f honeypots.conf -l log.out
A simple nmap scan here shows that the honeypot indeed works (an OS-detection scan with nmap -O against the decoy should also report the configured personality)…
Starting Nmap 5.00 ( http://nmap.org ) at 2011-08-26 21:48 IDT
Interesting ports on 192.168.1.150:
PORT    STATE SERVICE
25/tcp  open  smtp
110/tcp open  pop3
That’s about it! You now have a simple Windows 2000 honeypot on your LAN! All you need now is to hook your host machine to the Internet and wait for attacks to start pouring in…
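Writing one bind line per decoy is fine for a single host, but the “two hundred honeypots” scenario from earlier means generating the file. The script below is an added example for this article, not a tool shipped with Honeyd: it emits only the directives the sample configuration above uses (create, set, add, bind), round-robins a handful of templates across every address in a subnet that is not reserved for a real machine, and refuses to bind more decoys than there are free addresses. The template names, the second template’s personality string and its open ports are illustrative assumptions; the script paths are the ones from the sample configuration above and should be checked against what your honeyd-common package actually installs.

```python
"""Generate a honeyd configuration that binds many decoys at once.

Added example, not part of honeyd. Only the directives used on this page
(create / set / add / bind) are emitted. Template names, the "linux_web"
personality and its port list are assumptions; the exchange-*.sh script
paths are copied from the article's sample config and must exist on the
host running honeyd.
"""
import ipaddress

# Illustrative templates (assumption: personality strings must appear in the
# nmap fingerprint file honeyd is configured to read).
TEMPLATES = {
    "win2k_mail": {
        "personality": "Microsoft Windows 2000 SP2",
        "tcp_ports": {
            25: "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport",
            110: "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport",
        },
    },
    "linux_web": {
        "personality": "Linux 2.4.20",
        "tcp_ports": {22: "open", 80: "open"},
    },
}


def render_template(name, spec):
    """Emit the create/set/add lines for one template, like the page's sample."""
    lines = [
        f"# Template {name}",
        f"create {name}",
        f'set {name} personality "{spec["personality"]}"',
        f"set {name} default tcp action reset",
        f"set {name} default udp action block",
        f"set {name} default icmp action block",
    ]
    for port, action in sorted(spec["tcp_ports"].items()):
        if not 0 < port < 65536:
            raise ValueError(f"{name}: invalid TCP port {port}")
        if action == "open":
            lines.append(f"add {name} tcp port {port} open")
        else:
            # Anything else is a service script invocation, quoted as honeyd expects.
            lines.append(f'add {name} tcp port {port} "{action}"')
    return lines


def render_config(network, real_hosts, templates, n_decoys):
    """Return honeyd config text binding n_decoys addresses from `network`.

    real_hosts lists every address that must never become a decoy: the
    gateway, the production servers, the honeyd host itself, and anything
    your DHCP server may hand out. All of them must lie inside `network`.
    """
    net = ipaddress.ip_network(network, strict=True)
    reserved = {ipaddress.ip_address(h) for h in real_hosts}
    outside = [str(h) for h in reserved if h not in net]
    if outside:
        raise ValueError(f"reserved hosts not in {network}: {outside}")
    free = [ip for ip in net.hosts() if ip not in reserved]
    if n_decoys > len(free):
        raise ValueError(f"asked for {n_decoys} decoys but only {len(free)} "
                         f"addresses are free in {network}")

    lines = [f"# Generated honeyd config: {n_decoys} decoys in {network}, "
             f"{len(reserved)} addresses reserved for real hosts", ""]
    for name, spec in templates.items():
        lines += render_template(name, spec) + [""]
    names = list(templates)
    lines.append("# Bind templates round-robin to the free addresses.")
    for i, ip in enumerate(free[:n_decoys]):
        lines.append(f"bind {ip} {names[i % len(names)]}")
    return "\n".join(lines) + "\n"


def bound_addresses(config_text):
    """Addresses claimed by bind lines, in order (handy for checking overlaps)."""
    return [line.split()[1] for line in config_text.splitlines()
            if line.startswith("bind ")]


if __name__ == "__main__":
    # Assumed LAN: .1 is the gateway, .10 is the honeyd host, .11-.13 are the
    # three real servers from the scenario earlier in the article.
    cfg = render_config("192.168.1.0/24",
                        ["192.168.1.1", "192.168.1.10", "192.168.1.11",
                         "192.168.1.12", "192.168.1.13"],
                        TEMPLATES, 200)
    print(cfg, end="")
```

Save the output as honeypots.conf and start Honeyd against it as shown above; `bound_addresses()` gives you the list of decoy IPs to cross-check against your DHCP leases and to hand to your ARP responder before going live.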
More honeypot-related tools
Honeyd was developed under the initiative of the influential and non-profit Honeynet Project. Founded in 1999 under the directive of Lance Spitzner, the Honeynet Project has been researching honeypot technology heavily and pushing the frontier of its usage. Besides Honeyd, Honeynet research members have also collaborated with other network security experts and even GSoC (Google Summer of Code) participants to produce high quality, free and open source security software, including:
- Cuckoo (formerly known as CuckooBox) – A beautifully lightweight sandbox that runs suspicious files in an instrumented guest and records their behavior so security experts can understand them. Its development has been sponsored by Rapid7, the company behind the popular but unrelated Metasploit Project.
- Glastopf – An Internet-capable honeypot geared to mimic common web vulnerabilities.
- Honeystick – A Damn Small Linux/Honeywall installation on a bootable USB stick.
- Honeywall CD – A bootable CD-ROM that provides many tools to help automate the process of setting up, connecting, and deploying honeypots (including Honeyd).
- HoneyWeb – A graphical web interface frontend to remotely deploy and manage honeypots.
To tell you the truth, up till I found Honeyd, I never knew about nor cared for honeypots before. I came across the concept by surfing Wikipedia, looking up the Honeynet Project and reading a bit about them. After checking out what tools had emerged from their research, my perspectives changed. I took a liking to Honeyd because it seems like an extremely promising tool that can be easily obtained on most GNU/Linux distributions. I love that it not only gives white-hats an edge against the black-hats, but that it also promotes research by providing an insecure playground of virtual hosts to let a beginning hacker train with nmap, ettercap, etc. and let their imagination run wild. Best of all, it integrates really well with all the other excellent software the Honeynet Project has to offer, which is a big plus in my book!
Also, I would like to give a quick shout-out to two amazing blog posts that helped me get familiar with Honeyd that I highly recommend you read: Deploying Honeypots with HoneyD by Ulisses Costa, and honeyd tutorial part 1, getting started by Travis Altman. Read them. Now.
Pros
- Very little maintenance needed to keep the honeypots up and running.
- Wide range of entirely unique hosts to choose from.
- The virtual hosts are emulated, not real machines, so there is no guest system for malware to infect and escape from; the remaining attack surface is the Honeyd process and its service scripts on the real host, which Honeyd can run as an unprivileged user after start-up.
Cons
- The emulation is not perfect: a careful attacker can fingerprint the virtual hosts (for example through quirks in the emulated TCP/IP behavior or the canned service responses), tell the decoy IP addresses apart from the real ones, and so defeat Honeyd’s trickery.
- Legality in the U.S. State of Michigan is questionable, as seen in Honeyd’s old website and in the link on Michigan’s “Super DMCA” law.
I believe that Honeyd is simply a great all-around honeypot program. It can impersonate any operating system or port service you throw at it, it has plenty of good features, and is easily obtainable from various repository sources. It is a very powerful, customizable, and cost-effective alternative to physical, hardware-based honeypots, which makes it perfect for budding hackers, hobbyists, or really paranoid users. I will gladly rate Honeyd:
« 98% »
Awesome! Honeynet, give yourselves a pat on the back.