Today, I will discuss a very interesting tool called Honeyd (pronounced “honey-dee” or “honey-daemon”). It is a powerful virtual honeypot tool written by Niels Provos and released as open source under the GNU General Public License v2.0, as part of the Honeynet Project. It runs on many Linux distributions and BSDs.

A honeypot is a public or private computer that exists only to be attacked: it has no production role, and it is often deliberately left insecure (unpatched, without anti-virus or firewall, and so on) to encourage malicious hackers to attack it, so that their behaviour can be analysed or their spam trapped. Because no legitimate user has any reason to touch it, anything that does connect to it is suspect, which makes it a very effective way to catch potential black-hat network intruders or spammers and monitor what they do. If you like, you can even build a massive open “playground”, giving any hacker (good or bad) a testbed to develop their skills and put their knowledge and techniques to the test without disrupting others.

If you have the cash, you can set up multiple honeypots in your home or workplace, which act as convincing decoy machines that draw attention (and attack traffic) away from your legitimate computers. Networks like these are called honeynets.

Virtual honeypots

A typical honeynet consists of multiple honeypots networked together and, if you so wish, connected to the Internet. This setup is robust, works effectively, and makes logging and forensics simple. Furthermore, should anything go wrong, you can simply pull the plug on the whole thing.

On the downside, while this option may be viable for corporations or large organizations, it can be very taxing for a hobbyist, who would have to buy a server rack or two, maintain it, and pay the electric bill. Remember that in most cases more decoys mean more of an attacker’s traffic captured. There is also some risk of malware leaking out of a compromised honeypot onto a legitimate computer and destroying it, if the honeypot is not completely isolated from your internal network.

The best way to solve this problem is with virtual honeypots: a daemon running on one or several computers generates virtual honeypot hosts and places them on the network. Instead of having to buy and set up many physical machines, you need only one computer, which can generate and host as many virtual honeypots as you please.

Honeyd is an open source application that meets that goal. Each honeypot is a template defined in a plain-text configuration file that you load and deploy, and every trait is user-customizable in a simple text editor: the operating system personality (the TCP/IP stack fingerprint the decoy presents to scanners), the behaviour of each port, and more. Honeyd emulates a service by running a script for the port it is attached to, so each honeypot can offer HTTP, FTP, telnet, rsh, SMTP, and plenty more.

When would virtual honeypots or honeynets be used in the real world?

Here is an example scenario: a small company has three servers full of important data that it must protect diligently, because it cannot risk a break-in by a malicious hacker. A fourth server on the same network runs Honeyd with two hundred deployed honeypots, and all four servers have an intrusion detection system installed. An attacker sweeping the subnet cannot tell the four legitimate machines from the two hundred decoys, so most probes land on decoys, and since nobody has a legitimate reason to connect to a decoy, each of those probes is a high-confidence alert rather than background noise.

When a honeypot is touched, Honeyd logs the connection attempt: a timestamp, the protocol, the attacker’s IP address and source port, the decoy address and port that was hit, and a passive guess at the attacker’s operating system; the service scripts can additionally record what the attacker sent. That lets the company spot an intruder while they are still mapping the network, before any real damage is done. It’s a very effective tripwire.

Feature list

  • Answers TCP/IP packets for the virtual addresses, creating the illusion that a host is on the network, with stack behaviour taken from nmap’s OS fingerprints.
  • At the time of this writing, Honeyd’s documentation puts the limit at 65,536 virtual hosts at once.
  • Convincingly emulates a plethora of services through per-port scripts.
  • Can impersonate over a thousand different operating system fingerprints.
  • Lets the user define unique virtual hosts using simple config files.
  • Lets you catch spammers and network intruders, as well as observe their behaviour.
  • No real operating system runs behind a virtual host, only the emulated network stack and the service scripts, so an attacker has nothing to take over as long as those scripts themselves are safe.

Getting Honeyd

Installing on Debian, Ubuntu, & friends from repositories

This is downright easy on Debian-like systems. Firstly, open up your terminal emulator and then update your package listings as shown below:

user@linuxbox~$ sudo apt-get update

Next, install Honeyd and its dependencies using apt-get.

user@linuxbox~$ sudo apt-get install honeyd honeyd-common

The honeyd package contains the actual Honeyd service, and honeyd-common contains various scripts and extra components that will emulate all the port services on the virtual honeypots, such as SSH, HTTP, rsh, etc.

Anything else

Gentoo and Arch Linux should already supply Honeyd in Portage and the AUR, respectively. For any other distribution, consult your wiki or search your package listings. Hopefully, honeyd and honeyd-common are available to you in a simple installation format; if not, compilation from source is always an option. Installing Honeyd from the BSD ports collection is easy too; see the honeyd port’s page.

Building a honeypot

To make a virtual honeypot in Honeyd, you describe it in a *.conf file using gedit, Kate, nano, vim, etc. and load it. Below is an example configuration file that defines a Windows 2000 template and binds it to an address on the LAN:

# Make a new Win2K SP2 host called "windows". The personality string must
# match an entry in Honeyd's nmap.prints fingerprint file.
create windows
set windows personality "Microsoft Windows 2000 SP2"
# Anything not listed below: TCP gets a RST (port looks closed), UDP and
# ICMP are silently dropped.
set windows default tcp action reset
set windows default udp action block
set windows default icmp action block

# Make this server run SMTP and POP3 by attaching the emulation scripts to
# the two ports. Each port is added exactly once; a second "add" for the
# same port (for example a bare "open" line) makes Honeyd reject the template.
add windows tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
add windows tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"

# Finally, give the template an IP address on the LAN.
bind 192.168.1.150 windows
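Building on the template above, here is an added example (mine, not code from the original post or from the Honeyd project) that writes a slightly richer configuration, with a catch-all default template so unbound addresses look like closed hosts rather than silence, a Windows template, a Linux template bound to two addresses, and both ways of serving a port (an emulation script and a proxy), and then lints it for the two mistakes Honeyd rejects at load time: a port added twice to the same template, and a bind to a template that was never created. The script paths and personality strings are assumptions; check them against your /usr/share/honeyd/scripts tree and Honeyd’s nmap.prints before loading.

```shell
#!/bin/sh
# Added example, not from the original post or the Honeyd project.
# Writes a Honeyd configuration with a catch-all template, a Windows host
# and two Linux hosts, then checks it for the two mistakes Honeyd rejects
# when loading: a port added twice to one template, and a bind that names
# a template that was never created.
#
# Assumptions (verify on your system): the script paths exist under
# /usr/share/honeyd/scripts (Debian honeyd-common) and the personality
# strings appear in Honeyd's nmap.prints file.

write_config() {
    cat > "$1" <<'EOF'
# Traffic to an address with no bound template falls through to "default":
# every TCP port answers with RST, UDP and ICMP are dropped.
create default
set default default tcp action reset
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows 2000 SP2"
set windows uptime 172800
set windows default tcp action reset
set windows default udp action block
set windows default icmp action open
add windows tcp port 25 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
add windows tcp port 110 "sh /usr/share/honeyd/scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"

create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
set linux default udp action reset
set linux default icmp action open
add linux tcp port 80 "sh /usr/share/honeyd/scripts/web.sh"
# proxy: hand the connection to the attacker's own telnet port, so they
# end up talking to themselves instead of to a service we have to emulate.
add linux tcp port 23 proxy $ipsrc:23

bind 192.168.1.150 windows
bind 192.168.1.151 linux
bind 192.168.1.152 linux
EOF
}

# Print "template proto port" for every port a template adds more than once.
dup_ports() {
    awk '$1 == "add" { key = $2 " " $3 " " $5; if (seen[key]++) print key }' "$1"
}

# Print every template name used by a bind that has no matching create.
unbound_templates() {
    awk '$1 == "create" { t[$2] = 1 }
         $1 == "bind" && !($3 in t) { print $3 }' "$1"
}

cfg=${1:-honeypots.conf}
write_config "$cfg"
problems="$(dup_ports "$cfg")$(unbound_templates "$cfg")"
if [ -n "$problems" ]; then
    echo "fix these before loading $cfg:" >&2
    dup_ports "$cfg"; unbound_templates "$cfg"
    exit 1
fi
echo "$cfg looks loadable; run as root, on the interface that carries the subnet:"
echo "  honeyd -d -f $cfg -i eth0 -l honeyd.log 192.168.1.0/24"
```

Honeyd needs root for its raw sockets, so the script only prints the final honeyd command; run it yourself on the interface that carries 192.168.1.0/24.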

To load the honeypot(s) into Honeyd and deploy them, run Honeyd as root (it opens raw sockets; forgetting this is what an “ip_open: Operation not permitted” error means) and point it at the configuration file:

user@linuxbox~$ sudo honeyd -d -f honeypots.conf

The -d parameter keeps Honeyd in the foreground instead of daemonizing and prints verbose debugging output to the terminal. To also record every connection attempt in a packet log, add the -l option; if the honeypot address lives on an interface other than the default one, name it with -i.

user@linuxbox~$ sudo honeyd -d -f honeypots.conf -l log.out

On a LAN, packets for 192.168.1.150 only reach Honeyd if something on the Honeyd host answers ARP requests for that address. If a scan from another machine shows nothing, run farpd (Debian package) or arpd for that address alongside Honeyd, as the two tutorials recommended at the end of this post do.

A simple nmap scan from another machine on the LAN shows that the honeypot indeed answers as configured…

Starting Nmap 5.00 ( http://nmap.org ) at 2011-08-26 21:48 IDT
Interesting ports on 192.168.1.150:
PORT     STATE  SERVICE
25/tcp   open   smtp
110/tcp  open   pop3

That’s about it! You now have a simple Windows 2000 honeypot on your LAN. All you need now is to connect the host machine to the Internet, ideally on a segment isolated from your real machines, and wait for attacks to start pouring in…
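Once the log starts filling up, the first question is who did what. The following shell script, added here as an example and not part of the original post or of Honeyd, summarises Honeyd’s -l packet log per source address and flags sources that swept several decoys or many ports. The log lines it embeds are constructed for illustration in that log’s format (timestamp, protocol, an S/E/- marker for connection start, connection end or single packet, source and destination addresses and ports, and a bracketed passive OS guess on connection starts); point it at a real log file as its first argument.

```shell
#!/bin/sh
# Added example, not from the original post or the Honeyd project.
# Summarises the packet log Honeyd writes with -l, one line per source
# address, and flags sources that swept several decoys or many ports.
# The sample lines below are constructed in the format of that log:
#   <timestamp> tcp(6) S <src> <sport> <dst> <dport> [<passive OS guess>]
#   <timestamp> tcp(6) E <src> <sport> <dst> <dport>: <bytes in> <bytes out>
#   <timestamp> udp(17) - <src> <sport> <dst> <dport>: <bytes>

sample_log() {
    cat > "$1" <<'EOF'
2011-08-26-22:01:07.1034 tcp(6) S 203.0.113.7 40211 192.168.1.150 25 [Linux 2.6]
2011-08-26-22:01:07.3120 tcp(6) E 203.0.113.7 40211 192.168.1.150 25: 0 221
2011-08-26-22:01:09.0551 tcp(6) S 203.0.113.7 40212 192.168.1.150 110 [Linux 2.6]
2011-08-26-22:01:09.2001 tcp(6) E 203.0.113.7 40212 192.168.1.150 110: 0 57
2011-08-26-22:01:12.4400 tcp(6) S 203.0.113.7 40213 192.168.1.151 23 [Linux 2.6]
2011-08-26-22:01:12.6100 tcp(6) E 203.0.113.7 40213 192.168.1.151 23: 0 0
2011-08-26-22:05:31.8812 udp(17) - 203.0.113.7 5060 192.168.1.150 5060: 412
2011-08-26-22:10:02.0000 tcp(6) S 192.168.1.23 51000 192.168.1.150 110 [Windows XP SP1]
2011-08-26-22:10:05.1200 tcp(6) E 192.168.1.23 51000 192.168.1.150 110: 35 120
EOF
}

# One summary line per source: TCP connection starts, distinct decoy
# addresses and ports touched, UDP datagrams, first/last time, the OS guess
# Honeyd recorded, and a verdict: SWEEP when two or more decoys or five or
# more ports were hit, "single" otherwise.
summarize() {
    awk '
    $2 ~ /^tcp/ && $3 == "S" {
        src = $4
        seen[src] = 1
        conns[src]++
        hosts[src, $6] = 1
        ports[src, $7] = 1
        if (!(src in first)) first[src] = $1
        last[src] = $1
        os = ""
        for (i = 8; i <= NF; i++) os = os (os == "" ? "" : " ") $i
        if (os != "") guess[src] = os
    }
    $2 ~ /^udp/ { seen[$4] = 1; udp[$4]++ }
    END {
        for (s in seen) {
            nh = 0; np = 0
            for (k in hosts) { split(k, p, SUBSEP); if (p[1] == s) nh++ }
            for (k in ports) { split(k, p, SUBSEP); if (p[1] == s) np++ }
            verdict = (nh >= 2 || np >= 5) ? "SWEEP" : "single"
            printf "%s conns=%d hosts=%d ports=%d udp=%d first=%s last=%s os=%s verdict=%s\n",
                s, conns[s] + 0, nh, np, udp[s] + 0, first[s], last[s], guess[s], verdict
        }
    }' "$1" | sort
}

if [ $# -ge 1 ]; then
    summarize "$1"
else
    tmp=$(mktemp)
    sample_log "$tmp"
    summarize "$tmp"
    rm -f "$tmp"
fi
```

The thresholds (two decoys, five ports) are a starting point; on a network with hundreds of decoys, a legitimate host touching even one of them is already worth a look, which is the whole point of the scenario above.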

More honeypot-related tools

The Honeynet Project

Honeyd was developed under the umbrella of the influential non-profit Honeynet Project. Founded in 1999 by Lance Spitzner, the Honeynet Project has been researching honeypot technology heavily and pushing the frontier of its use. Besides Honeyd, Honeynet members have also collaborated with other network security experts and even GSoC (Google Summer of Code) participants to produce high-quality, free and open source security software, including:

  • Tools
    • Cuckoo Sandbox (formerly known as CuckooBox) – A lightweight automated malware analysis system: it runs a suspicious file inside an isolated virtual machine and records what it does, so security experts can understand it. It began as a Honeynet Project GSoC effort and later received a grant from Rapid7’s Magnificent7 program (Rapid7 being the company behind the popular but unrelated Metasploit Project).
    • Glastopf – An Internet-capable honeypot geared to mimic common web vulnerabilities.
    • Honeystick – A Damn Small Linux/Honeywall installation on a bootable USB stick.
    • Honeywall CD – A bootable CD-ROM that provides many tools to help automate the process of setting up, connecting, and deploying honeypots (including Honeyd).
    • HoneyWeb – A graphical web interface frontend to remotely deploy and manage honeypots.
  • Online projects
    • HoneyMap – A real-time visual representation of all honeypot attacks around the world. Reminds me of the “big boards” from WarGames!
    • Malwr – A real-time malware analysis website powered by Cuckoo.

To see a full list of all the innovations developed by the Honeynet Project, visit their projects page. You can also visit them on GitHub and take a look at their source code.

Overall impressions

To tell you the truth, until I found Honeyd, I never knew about nor cared for honeypots. I came across the concept while surfing Wikipedia, looking up the Honeynet Project and reading a bit about them. After checking out what tools had emerged from their research, my perspective changed. I took a liking to Honeyd because it seems like an extremely promising tool that can be easily obtained on most GNU/Linux distributions. I love that it not only gives white-hats an edge against the black-hats, but that it also promotes research by providing an insecure playground of virtual hosts to let a beginning hacker train with nmap, ettercap, etc. and let their imagination run wild. Best of all, it integrates really well with all the other excellent software the Honeynet Project has to offer, which is a big plus for me!

Also, I would like to give a quick shout-out to two amazing blog posts that helped me get familiar with Honeyd that I highly recommend you read: Deploying Honeypots with HoneyD by Ulisses Costa, and honeyd tutorial part 1, getting started by Travis Altman. Read them. Now.

Honeyd Pros:

  1. Very little maintenance is needed to keep the honeypots up and running.
  2. Wide range of entirely distinct hosts to choose from.
  3. Virtual hosts have no real operating system behind them, so there is no machine for malware to infect; the only code that actually executes is Honeyd itself and the service scripts, so keep those scripts simple.

Honeyd Cons:

  1. Honeyd’s trickery can be fingerprinted: the emulated stack is not perfect and the service scripts reply with canned banners, so a careful attacker (or a tool written for the purpose) can separate the fake addresses from the real hosts.
  2. Legality in the U.S. State of Michigan is questionable, as seen on Honeyd’s old website and in the link on Michigan’s “Super DMCA” law.

I believe that Honeyd is simply a great all-round honeypot program. It can impersonate any operating system in nmap’s fingerprint database and any service you can script, it has plenty of good features, and it is easily obtainable from various repositories. It is a very powerful, customizable, and cost-effective alternative to physical, hardware-based honeypots, which makes it perfect for budding hackers, hobbyists, or really paranoid users. I will gladly rate Honeyd:

« 98% »

Awesome! Honeynet, give yourselves a pat on the back.


11 thoughts on “Honeyd: Your own virtual honeypot”

    1. Hmm, what other info does Honeyd give? I need to know what it is doing when the error occurs. There is very little information online about this error, but from what I understand, “ip_open: Operation not permitted” means that Honeyd tried to manipulate the IP you created in some improper manner (usually the sign of an improper config). In the meantime, here are a few things to try…

      1. Honeyd must be having issues creating and deploying the honeypot you specified. The IP address you selected seems to be okay, but there may be an issue with the port setup. You could play around with the tcp/udp/icmp action block/reset options, check your honeypots.conf configuration for errors, etc. You should consult your Honeyd manpages for the full listing of config options. If you like, you can check out these sample configs from the Honeyd website.
      2. Ensure there are no IP address conflicts on your network. If you are using an IP address that already exists or is too long/short for your network setup… change it!
      3. Are you trying to run this in a BSD jail? If so, there is a workaround by entering sysctl security.jail.allow.raw_sockets=1 into the console (see this manpage). There have been reports of problems while jailing a Honeyd instance; hopefully allowing unfiltered and unhindered sockets connectivity will fix the problem.
      4. If all else fails, you may need to reinstall/recompile Honeyd and check very closely for errors/warnings… 😦

      UPDATE: I just revised the default config in the article. Let me know if it works!

      1. I have received a similar message, “ip_open: result too large”, for honeyd -d -f honeypots.conf. Can you help me to correct this, please?

  1. Thanks a lot for this article,

    I had this simple question:
    how do I reinstall/recompile Honeyd and check very closely for errors/warnings?

    THANKS for your time,

    1. Installing honeyd is very easy if you are on a distribution like Ubuntu, Mint, or Debian and requires no compilation at all, as you can simply enter sudo apt-get install honeyd into an open terminal and let the magic do the rest. Arch Linux should also have it in the AUR, and several other major distributions may also provide it. It’s entirely foolproof and I prefer this approach, as it gets honeyd on your computer in seconds and just works. But if you are stuck with a distro that does not have honeyd in its repositories, only then should you attempt manual compilation. Decide whether the first or second approach fits you best.

      Anyway, onto compilation: provided you already have the latest GCC installed (which most distros should), go to and download the latest version, launch a terminal window, cd to your Downloads directory, and extract it. The first step is to install a few critical dependencies, namely libevent, libdnet, and libpcap (optionally, you may install Python 2.4 for extra features). Like with honeyd, if these packages are in your distribution’s repositories, get them from there; if not, download and compile them manually (instructions should be on their respective websites).

      To get honeyd on your machine, browse through honeyd’s folder and look at the README. Everything pertaining to compilation is laid out there. The process is pretty simple:

      $ ./configure
      $ make
      $ make install

      If you get Python-related errors, try:

      $ ./configure --without-python
      $ make
      $ make install

      Good luck; hope this helped!

  2. What I would love is an email honeypot application that accepts mail messages. If the mail message is for a “honeypot address” it should add the originating IP address to a DNSBL. If the message is for a non-honeypot address then it should simply be passed on unchanged to the real mail server. Can any of the software above do that?

    1. Honeyd should be able to power a spamtrapper just fine; I know that it has been used in such experiments before.

      Some useful details of such a setup can be found here (http://www.honeyd.org/spam.php), but this is by no means a comprehensive guide and I don’t personally know how to set up such a system myself. I wonder if you could write a shell script utilizing sendmail/postfix to accomplish this task… ?

  3. Hey, I’m trying to run your config file but I get an error saying it cannot add tcp port 25 to your windows template. Can you please let me know how I can proceed? Thank you in advance.
