Honeypot / honeyd tutorial part 1, getting started

If you’ve somehow found my obscure site then you probably already know a little bit about honeypots and their functionality; if not, here is a good breakdown. There are many different types of honeypots, and these types are explained very well in the book Virtual Honeypots, which I highly recommend you read if you are serious about deploying a honeypot. This series of articles will focus on honeypots using an application called honeyd. There are a number of honeypot solutions out there, but I personally feel that honeyd is a great fit because it can be relatively simple, or you can start tweaking it to get a more full-featured product. You may think of honeypots as internet facing, and it’s true that they can be configured that way, but during this series of tutorials I will only be using honeyd on an internal network. Internet-facing honeypots are mainly used to research and find new malware; internal honeypots are mainly used as alerting systems that alert you when other devices or users connect to your honeypots. You can also use honeyd when investigating malware, which I’ll discuss in a later tutorial.

For this tutorial I will be using one Windows machine and one Linux machine, the Backtrack distribution to be exact. Backtrack will be the machine that is running honeyd. Honeyd is available for Windows but I highly recommend that you use honeyd on Linux. If you’re halfway interested in information security then I suggest that you get to know Linux, as a lot of information security tools such as honeyd run on Linux. Sorry for the Linux rant; below is a basic diagram of my setup.

The idea here is that we’ll install and configure honeyd on Backtrack, then simply test that we have connectivity with our Windows machine. To see if you have honeyd installed on Backtrack (or any Linux system) simply type “honey + TAB”; if “d” is shown right after honey then you know you have honeyd installed, as it is an available command. If you don’t have honeyd installed on Backtrack, run the following command.

sudo apt-get install honeyd

This will also work for any Debian-based Linux system. To install on other distributions such as Gentoo, Fedora, Slackware, etc. I would check their documentation on how to install packages. After honeyd is installed, the next thing we’ll need to do is create a configuration file. A honeyd configuration file is the heart of your honeypot. The configuration file tells honeyd what operating system to emulate, what ports to open, what services should be run, etc. This config file can be tweaked to emulate all sorts of setups, but for right now let’s look at a simple setup and get that up and running. Below is my config file.

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open

set windows ethernet "00:00:24:ab:8c:12"
dhcp windows on eth0

Within Backtrack you can use the Kate or nano text editors to create this file. In Backtrack Kate is under the Utilities menu. The “create default” section simply tells honeyd to drop traffic unless it is defined later in the configuration file. I find this section is needed when you let your honeypot acquire an IP address via dhcp. It’s also probably a good idea to implement this section so that you only answer network connections that you define later in the config file. Anytime you see “create” within the config file you are creating a template for a honeypot, so you can create as many honeypots as you’d like within the honeyd.conf config. In the windows template we are defining a number of things. First we are setting the personality, meaning that when another device on the network connects to this honeypot it will appear to be a Windows XP Pro SP1 device. This is emulated via network stack fingerprints. In the windows template I’m also opening up three ports (135, 139, and 445). These are common ports that are open on a Windows system. The “action reset” statement will drop traffic if it is not aimed at the open ports defined in this config. The “set windows ethernet” line sets a MAC address for our honeypot. This will be needed if you run your honeypot via dhcp. You can simply make up any MAC address you’d like; I usually keep it close to the physical MAC address that I’m running the honeypot off of. Finally the dhcp statement tells the windows template to acquire an IP address from dhcp. Now that we have our honeyd.conf file properly set up it’s time to launch honeyd; below is the command I use when initially getting honeyd up and running.

honeyd -d -f honeyd.conf

Here we use -d so that honeyd doesn’t run in the background (or doesn’t run as a daemon, in Linux terms). This allows for more verbose output so that we can troubleshoot as needed. Running in this mode will also show the IP that was given to our honeypot via dhcp. Below is the type of output you should see after running the honeyd command.

Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[1870]: started with -d -f honeyd.conf
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[1870]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src ...
honeyd[1870]: [eth0] trying DHCP
honeyd[1870]: Demoting process privileges to uid 65534, gid 65534
honeyd[1870]: [eth0] got DHCP offer: 192.168.99.135
honeyd[1870]: Updating ARP binding: 00:00:24:c8:e3:34 -> 192.168.99.135

In this verbose output we see that dhcp gave our honeypot the address 192.168.99.135. From our Windows machine let’s ping that IP address and make sure that we have connectivity. You should see output on the honeyd terminal similar to below.

honeyd[1870]: arp reply 192.168.99.135 is-at 00:00:24:c8:e3:34
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: arp_send: who-has 192.168.99.128 tell 192.168.99.135
honeyd[1870]: arp_recv_cb: 192.168.99.128 at 00:0c:29:7e:60:d0
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
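
Since an internal honeypot exists to tell you which devices talk to it, the debug lines above can be turned into a contact list. The following Python script is an added example, not part of the original post or of honeyd; it parses only the line types shown in this tutorial's output, and the "expected" allowlist (for your own test machine) is an assumption.

```python
import re

# Lines copied from the honeyd -d output shown in this tutorial.
SAMPLE = """\
honeyd[1870]: [eth0] got DHCP offer: 192.168.99.135
honeyd[1870]: Updating ARP binding: 00:00:24:c8:e3:34 -> 192.168.99.135
honeyd[1870]: arp reply 192.168.99.135 is-at 00:00:24:c8:e3:34
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: arp_send: who-has 192.168.99.128 tell 192.168.99.135
honeyd[1870]: arp_recv_cb: 192.168.99.128 at 00:0c:29:7e:60:d0
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"((?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
PREFIX = r"^honeyd\[\d+\]: "
RE_OFFER = re.compile(PREFIX + r"\[(\S+)\] got DHCP offer: " + IP)
RE_BINDING = re.compile(PREFIX + r"Updating ARP binding: " + MAC + r" -> " + IP)
RE_PEER_MAC = re.compile(PREFIX + r"arp_recv_cb: " + IP + r" at " + MAC)
RE_ECHO = re.compile(PREFIX + r"Sending ICMP Echo Reply: " + IP + r" -> " + IP)


def summarize(lines):
    """Return (honeypots, peers) dictionaries keyed by IP address."""
    honeypots, peers = {}, {}
    for raw in lines:
        line = raw.strip()
        if m := RE_OFFER.match(line):
            # Address the honeypot template received from DHCP.
            entry = honeypots.setdefault(m.group(2), {"iface": None, "mac": None})
            entry["iface"] = m.group(1)
        elif m := RE_BINDING.match(line):
            # MAC address honeyd answers ARP with for that honeypot.
            entry = honeypots.setdefault(m.group(2), {"iface": None, "mac": None})
            entry["mac"] = m.group(1).lower()
        elif m := RE_PEER_MAC.match(line):
            # MAC address of a device honeyd had to resolve in order to reply.
            entry = peers.setdefault(m.group(1), {"mac": None, "echo_replies": 0})
            entry["mac"] = m.group(2).lower()
        elif m := RE_ECHO.match(line):
            # "honeypot -> peer": the peer pinged the honeypot and got an answer.
            entry = peers.setdefault(m.group(2), {"mac": None, "echo_replies": 0})
            entry["echo_replies"] += 1
    return honeypots, peers


def alerts(peers, expected=frozenset()):
    """One alert string per device that contacted a honeypot and is not expected."""
    out = []
    for ip in sorted(peers):
        if ip in expected:
            continue
        info = peers[ip]
        out.append(
            f"ALERT {ip} (mac {info['mac'] or 'unknown'}) contacted the honeypot: "
            f"{info['echo_replies']} echo replies sent"
        )
    return out


if __name__ == "__main__":
    pots, seen = summarize(SAMPLE.splitlines())
    print("honeypots:", pots)
    for message in alerts(seen):
        print(message)
```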

So congrats, you’ve successfully deployed honeyd. We can now ping our honeypot, but we need to make sure the ports we’ve configured to be open are open. Let’s use the Cadillac of port scanners, nmap, to detect open ports on our honeypot. You can scan all 65,535 ports on our honeypot, but to keep the verbose output of honeyd low let’s just scan a handful of ports. Below is the nmap command I used.

nmap -p 135,139,445,1337 192.168.99.135

The output of this command should look similar to below.

Starting Nmap 5.00 ( http://nmap.org ) at 2011-05-06 13:13 EDT
Interesting ports on someone (172.20.73.77):
PORT     STATE  SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
1337/tcp closed waste
MAC Address: 00:00:24:26:C4:ED (Connect AS)

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

So honeyd appears to be working correctly. If you’ve reached this point then you are on your way to doing even more with honeypots and honeyd. The main purpose of this article was to get you up and running. In the next series of articles we’ll configure more honeypots, set static IPs, get alerts on devices port scanning our honeypots, investigate malware, etc. If you have any questions, catch errors, or have any feedback please comment below.
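
The configuration rules this tutorial relies on (a catch-all default template that blocks, a MAC address for any template that uses dhcp, an interface that exists on the host) can be checked before honeyd is launched. The following Python script is an added example, not part of the original post or of honeyd; it covers only the directives used in the config above, and BROKEN_CONF is a constructed sample.

```python
import re
import socket
import sys

# The tutorial's honeyd.conf, reproduced so the check runs offline.
TUTORIAL_CONF = """\
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open

set windows ethernet "00:00:24:ab:8c:12"
dhcp windows on eth0
"""

# Constructed broken variant: web-page quotes, bad port, no MAC, absent interface.
BROKEN_CONF = """\
create default
set default default tcp action open
set default default udp action block
set default default icmp action block
create windows
set windows personality \u201cMicrosoft Windows XP Professional SP1\u2033
add windows tcp port 70000 open
dhcp windows on eth2
"""

# Typographic quotes that blog software substitutes for plain double quotes.
QUOTE_FIX = str.maketrans({c: '"' for c in "\u201c\u201d\u2033"})
MAC_RE = re.compile(r'^"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"$')


def lint(conf, interfaces=None):
    """Return a list of problems found in the directives this tutorial uses."""
    problems, templates, dhcp_uses = [], {}, []
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fixed = line.translate(QUOTE_FIX)
        if fixed != line:
            problems.append(f"line {n}: typographic quotes, retype them as plain double quotes")
            line = fixed  # keep checking the rest of the line
        tok = line.split()
        if tok[0] == "create" and len(tok) == 2:
            templates[tok[1]] = {"ethernet": False, "defaults": {}}
            continue
        if tok[0] not in ("set", "add", "dhcp") or len(tok) < 3:
            continue  # directive outside the tutorial's subset: not judged here
        name = tok[1]
        if name not in templates:
            problems.append(f"line {n}: template '{name}' is used before 'create {name}'")
            continue
        if tok[0] == "set" and tok[2] == "ethernet":
            if len(tok) == 4 and MAC_RE.match(tok[3]):
                templates[name]["ethernet"] = True
            else:
                problems.append(f"line {n}: ethernet value is not a quoted MAC address")
        elif tok[0] == "set" and tok[2] == "personality":
            if line.count('"') != 2 or not line.endswith('"'):
                problems.append(f"line {n}: personality must be one double-quoted string")
        elif tok[0] == "set" and tok[2] == "default" and len(tok) == 6:
            templates[name]["defaults"][tok[3]] = tok[5]
        elif tok[0] == "add" and len(tok) >= 6 and tok[3] == "port":
            if not (tok[4].isdigit() and 1 <= int(tok[4]) <= 65535):
                problems.append(f"line {n}: port '{tok[4]}' is outside 1-65535")
        elif tok[0] == "dhcp" and len(tok) == 4 and tok[2] == "on":
            dhcp_uses.append((n, name, tok[3]))
    for n, name, iface in dhcp_uses:
        if not templates[name]["ethernet"]:
            problems.append(f"line {n}: '{name}' uses dhcp but has no 'set {name} ethernet' line")
        if interfaces is not None and iface not in interfaces:
            problems.append(f"line {n}: interface '{iface}' is not present on this host")
    catch_all = templates.get("default")
    if catch_all is None:
        problems.append("no 'create default' template: unmatched traffic is not explicitly blocked")
    else:
        for proto in ("tcp", "udp", "icmp"):
            action = catch_all["defaults"].get(proto)
            if action != "block":
                problems.append(f"default template: {proto} action is {action!r}, expected 'block'")
    return problems


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN_CONF
    present = {name for _, name in socket.if_nameindex()}
    for problem in lint(text, present):
        print(problem)
```

Run it with the path to your own honeyd.conf as the only argument; with no argument it reports on the constructed broken sample.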

88 Responses to “Honeypot / honeyd tutorial part 1, getting started”

  1. Sylar Says:

    Hi. An Excellent tutorial.

    I am having a bit of a problem though. I configured everything as mentioned in your post. Honeyd also got a response from the DHCP and got allocated an IP. ARP binding also got updated.

    It got the IP 192.168.1.6

    However, when I try to ping the address from the linux machine itself, it gets a destination host unreachable.

    The nmap says, the host is down.

    And no, my firewall is disabled. It is not stopping any flow of packets.

    Any idea, what might possibly be wrong?

    Any help is much appreciated!

    And thanks for a good tutorial :)

  2. travis Says:

    Try pinging the honeypot from a different device, say a windows machine. That shouldn’t matter but just curious if another device can see it. If it got a dhcp address then things should work properly.

  3. Sylar Says:

    Weirdly enough, that worked! I am able to ping from the windows machine, but not the linux machine that is actually hosting the honeypot! (Tried pinging again from the linux, didn’t work). Any idea, what might be causing this?

    And thanks again for a speedy reply! Much appreciated :)

  4. David Says:

    One question regarding the logs record, how they saved the records? Do we need to make a directory for this purpose? And could anyone teach me how to do step-by-step as I am new to Linux >.< Any guide will be appreciated :D

  5. travis Says:

    David,

    You could log output to a log file via the “-l” option which would log packets and connections. Also if you emulate a service such as a web server or ftp server you can log those specific connections via the “-s” option. Currently I do not use either one of these options but I may implement them later down the road. I’ll post another article talking about how I monitor the honeypot activity in the coming weeks. I could probably help you with step by step instructions but anyone new to Linux I always encourage you getting your hands dirty which means sometimes not knowing what you’re doing and getting frustrated. This may sound like a cop out answer but it’s the truth. Get started on the process and if you have any questions I’ll try to help as much as I can. Hope I’ve answered your logging question, if not let me know. Thanks.

  6. David Says:

    Thanks for the reply :D
    I’ve tried with this ‘-l’ and to the folder destination, however there is nothing recorded or changes to the log files, is the -l command follow with the destination will make a new log file itself or we need to create a .txt file myself instead?
    And on top of that, its been a very very long time for me to just configure the honeyd settings, as there is keep occurring errors, but I have finally managed to settle all these issues, and just the final steps will be regarding this logging issues. Hope you can understand :D

  7. David Says:

    Oww.. I managed to get it saved on the log directory now :D

  8. travis Says:

    David,

    Sorry been busy, glad you got things working. If I can help in any other way let me know.

  9. Sam Bowne Says:

    This is a great tutorial, and I used it to make a homework assignment for one of my security classes. Thanks!

    Strangely, when I did it on BackTrack 5 R1, the command line to start honeyd would not work until I explicitly specified the interface with the -i eth2 switch. See the “Running Honeyd” section here. Otherwise these instructions worked perfectly.

    http://samsclass.info/122/proj/p12-122-honeyd.html

  10. travis Says:

    Sam,

    Glad it could help. I’ve got another two parts I’m going to write about honeyd, hopefully within the next couple of months.

  11. Peter Says:

    Hi Travis,

    I followed the configuration as mentioned, but when I execute honeyd, I get the following output:
    “[eth0] trying DHCP
    Demoting process privileges to uid 65534, gid 65534
    update_connect_cb: connection failed: Operation now in progress”

    It does not proceed any further after the “connection failed” message.
    Please advise. Thanks.

  12. travis Says:

    Peter,

    Are you running honeyd as the root user? If not give that a shot and see if that fixes the issue.

  13. Peter Says:

    Hi Travis,

    Yes, I am running as root user. I also tried to use another account with the sudo command to execute honeyd, but yielding the same error message.
    Thanks.

  14. Adam Says:

    Peter,

    I ran into the same problem as you. If by chance you’re running VirtualBox and having this problem you have to change your VirtualBox Network Settings.

    Change the Promiscuous Mode to Allow All. After I made that change I was able to get a DHCP address. Hope that helps.

  15. travis Says:

    Peter,

    Did Adam’s suggestion help? He mentions a possible good solution. If honeyd can’t properly talk to the dhcp server then it won’t be able to properly get an address. If this doesn’t help let me know.

  16. Peter Says:

    Hi Adam and Travis,

    Thanks for the help, finally got it to work :)

  17. Amandeep Singh Says:

    Sir Nmap shows the MAC address of Honeyd host(Backtrack) and not of the honeypot (window machine) above.
    So what the use of giving?
    set windows ethernet "00:00:24:ab:8c:12"
    dhcp windows on eth0

  18. travis Says:

    Amandeep,

    I would have to look into this further why nmap doesn’t pull the mac address for the mac we set in the config file but if you don’t set the mac address in the config honeyd will fail to start. I assume this is needed for routing purposes so that the local network knows what IP is matched with a mac address. If I find out about why nmap doesn’t see the mac address I’ll let you know. Thanks for the feedback that was an excellent question.

  19. Reshma Patel Says:

    hi…
    i followed the steps and i hv successfully installed honeyd on my two virtual machines …I can ping my honeypots from Host Oses and from Windows also..
    but i can’t “nmap” my honeypots. nmap result shows that the machine is down.
    so, i need some way to nmap my honeypot..plz .reply soon…

    regards,
    Reshma Patel

  20. Reshma Patel Says:

    hey i hv solved problem using

    nmap -sT -P0 192.168.137.21

    i can scan my honeypot 192.168.137.21 and see the open ports..
    yeaapppy..

  21. travis Says:

    Reshma,

    Glad to hear you got it working

  22. Dave Says:

    Hi,
    Is this tutorial the same way to setup a honeyd for a web server?
    If not can anyone give me sources of guidelines of setting a honeyd web server possibly in Backtrack 5 R1

    Thanks

  23. Edwanny Soto Says:

    HEY ADAM, WHERE ON THE VIRTUAL BOX DO I SEE THAT OPTION. I go to the network setting but i do not see that

  24. Edwanny Soto Says:

    can i get some help please i was able to get the honeypot up and running but for some reason i cannot ping from another machine. i can ping within backtrack but not when i do it from my OS

  25. travis Says:

    Dave,

    Sorry for the late reply. The setup would be the same from a web server or laptop, if that doesn’t help let me know.

  26. travis Says:

    Edwanny,

    Hmmm. Do you have your backtrack VM in “host” only mode? I would start there first although you probably have it set to NAT or Bridged. I say that because I do stupid stuff all the time and forget to check my settings. If you’re in NAT or Bridged try pinging from a different device on the network, something not running on your local machine. If that doesn’t work hit me back. I’m currently running everything in VMWare workstation so I don’t have your exact setup.

  27. Edwanny Soto Says:

    Hey Travis,

  28. Edwanny Soto Says:

    Hey Travis,

    I tried to ping from another machine and nothing happens, all it says is request timed out. Do you have any idea what else it could be? I tried to switch the networking setting. From NAT to Bridge Adapter and the Host only nothing seems to work when i ping from another machine or within the backtrack 5r2 itself

  29. Edwanny Soto Says:

    Hey Travis,
    sorry for so many comments but i believe this is my problem, whenever i write this command nmap -p 135,139,445,1337 192.168.99.135 . This is the outcome i get
    Host seems down if it up, but blocking our ping probes try it -Pn.
    But when i do that it says Invalid target host specification.

  30. travis Says:

    Edwanny,

    I tried to reproduce your problems but could not. I actually have the opposite results where I can’t ping from backtrack but can ping from another device. It’s a bummer that I can’t pinpoint your problem and I wish I could magically solve your problem but unfortunately that’s not the case. If there is any other information I could provide to you please let me know.

  31. Edwanny Soto Says:

    Travis I believe the reason I cannot ping is because my ports say “Filtered”, I don’t know why. Is there any way on how I can open them?

  32. travis Says:

    Edwanny,

    If you ever get the term “filtered” in a nmap scan that means something is in between you and the target you’re trying to port scan, such as a firewall. Do you think there is a firewall between you and your target machine?

  33. Edwanny Soto Says:

    no my firewall is turned off on my VM machine backtrack and on my local machine. Also on the other computer as well.. this is so weird right

  34. travis Says:

    Edwanny,

    Yea that is weird. Maybe start over from scratch, sometimes when I can’t figure out the issue starting over can possibly solve the problem. Without me being right there looking over your shoulder it’s hard for me to troubleshoot the issue but if I can help in any way just let me know.

  35. Anonymous Says:

    Hey Travis, I’m sorry but i still get the same errors i am unable to ping the given IP address by DHCP. I started from 0 and I’m still not able to do so. My final grade relies heavily on this project and i have tried everything but nothing seems to work idk why

  36. Edwanny Soto Says:

    Hey Travis,

    I changed the connection type from NAT, to Bridge and i still cannot make it work.. any ideas?

  37. Edwanny Soto Says:

    Hey Travis, can you please show how to record logs step by step i know you have to use “-l” command, but i write and i see nothing happening

  38. travis Says:

    Edwanny,

    Try the following command

    honeyd -d -f honeyd.conf -l /tmp/logfile

    Ping the honeypot then view the logfile

    tail /tmp/logfile

    You should see the “icmp” messages and the time they were received. Let me know if that doesn’t work for you.

  39. shruti Says:

    Hello every1. i have installed honeyd on linux. everytime i start honeyd it does not show its IP address. it takes the public IP when i connect it with the LAN.

    How will i know IP for honeyd. How can i allot it? i know it is a basic question but im getting problem.
    It will be great if someone answers me step by step. :)

  40. travis Says:

    Shruti,

    Do you not see something like “[eth0] got DHCP offer: 192.168.99.135” in the output of honeyd? You can allot an IP using the static method which I’ve described below.

    http://travisaltman.com/honeypot-honeyd-tutorial-part-3-static-ips/

  41. Dave Says:

    Hi, how can I use this honeyd to set up as a web server in Windows or BackTrack 5?

  42. travis Says:

    Dave,

    You could just open up port 80 in your config but I assume you’re wanting to do more than that? There is a way to actually serve up web pages but I forget the actual instructions. I hate to punt you but the book “Virtual Honeypots” is an excellent resource on doing things like that.

  43. dev Says:

    hey travis
    i am implementing honeyd using ubuntu and ma interface to network is wlan0 n i am not able to get dhcp offer……………plz help

  44. dev Says:

    in the last it shows
    “aborting dhclient on interface wlan0 after 12 tries”

  45. Sarah Says:

    Hi Travis,

    A really useful tutorial, thank you. I just have an issue I am hoping you could help me out with. when I run the nmap scan for the open ports I get that the ports are “Filtered” do you have any idea what may cause this other than the firewall? I read through the comments and I noticed someone else having the same problem.

    can you please help me out.

  46. travis Says:

    dev,

    Sorry for the delay, are you still having this issue? Could you post your honeyd.conf? What’s your setup? I assume you’re running Ubuntu on a laptop. The honeypot is trying to get a dhcp address but for some reason it’s having a hard time getting one from the dhcp server. I assume the dhcp server is on your wireless router?

  47. travis Says:

    Sarah,

    Could you tell what your setup is? Are you performing this on two physical machines or are they virtual?

  48. saurabh Says:

    hey i m not getting d config file part…

    do i have to configure the setting in ..
    /usr/share/doc/iisemulator/examples/honeyd.conf…..in this file….
    plz help me….asap…

  49. saurabh Says:

    i got it done its working..:)…..ur tutorial is gr8….keep it up!!!!!

  50. travis Says:

    saurabh,

    glad things are working.

  51. Vivek Malik Says:

    Hi Travis,

    I got my honeyd up and running but can only nmap it from a different machine. I am using honeyd on a dual boot system with Windows 7 and Ubuntu (11.10). Well I wanted to ask if instead of using LAN cable for network how can we configure our .conf file for using the honeyd on the WLAN network. I am currently working on a project on Honeypots so need to know how to use it over wifi so that I can present it in the college.
    Plus one more thing does this configuration works with USB Internet data cards or only on through Ethernet cable?

    Please help.
    Regards

  52. travis Says:

    Vivek,

    If you wanted to use wireless then just specify your wireless interface in your configuration. For instance in Linux the wired interface is usually eth0 but the wireless interface will be something like wlan0 or ath0. Also when you say USB internet data card I assume you mean a USB to ethernet adapter and yes that will work just fine. Let me know if I didn’t answer your question.

  53. Seanny Says:

    Thanks for the tutorial Travis.

    I have Honeyd running inside a VirtualBox and have the bridged adapter set to allow all promiscuous listening.

    Unfortunately, my Honeyd machine can’t seem to get an IP. I assigned it a static IP and although it replies to ARP requests, it doesn’t reply to pings. When I do an nmap scan it says that the ports are filtered. Basically, I have the same problem as Edwanny and Sarah were having. When I log the data into the logfile as you suggested, I don’t see the pings. I don’t see them appear on Wireshark either, but I don’t know think I’m supposed to.

    Let me know if there’s another step I can try. Alternatively, I’m starting to think this might be a bug with VirtualBox…

    Regards,
    Seanny

  54. Seanny Says:

    I have confirmed that it is a bug with VirtualBox. An almost identical bare-metal installation of Ubuntu server worked perfectly while the VirtualBox version did not.

    Unfortunately, I cannot imagine what settings would cause this, since the machine in question seems to receive DHCP and pings just fine.

    Thank you for your time,
    Seanny

  55. kris kringle Says:

    I ran the exact config file that you suggest, with the exception of changing the last line to read wlan0 instead of eth0 as I am running bt5 on a wireless network. I start the program with honeyd -d -i wlan0 -f honeyd.conf and it starts to go, but after it prints “Demoting process privileges…” it just hangs. I’ve left it running for about twenty minutes and it came up with the aborting dhclient after 12 tries. To return to a prompt I have to kill with “ctrl+C” even after it aborts. I see this question has been asked once before but I can’t seem to locate the answer to this problem. Any help would be appreciated. Thank you and thank you for the tutorial.

  56. travis Says:

    kris,

    Sorry for the late reply. I tried searching for answers to your problem but could not find the solution. If you’ve managed to fix the issue I would love to hear your solution.

  57. Ankita Shah Says:

    I am working with honeypot for my dissertation work. I had implemented socket for connection. So i want to know that will honeyd be able to monitor that socket port? Also which port will be preferable for socket connection?

  58. Vivek Malik Says:

    I would like to thank you Travis for your blog and the immense help it gave me to complete my project.
    I have taken some details from your G+ profile (link you gave in about me section of your blog) to put in my acknowledgements and the link of your blog for references.

    Again Thank you very much
    Regards
    Vivek Malik

  59. travis Says:

    Vivek,

    Thank you for the kind words, just hope this helps others.

  60. laner Says:

    Thank you for the kind words

  61. panaj Says:

    how to deal with the “unknown personality” problem

  62. Uday Says:

    Hello,

    I am facing the same problem, that is, not able to get dhcp address.
    I found the solution from above discussion that, we need to change the Promiscuous Mode to Allow All. But how do I do that? Please help.

    Thanks.

  63. Rahul Says:

    Hi, Thanks for writing such a comprehensive article..
    I still don’t get it, where is the “conf” file ?. In my Ubuntu i see it under “/usr/share/doc/honeyd/examples#” where i have files like “config.localhost”, “honeyd.conf.bloat.gz”, “honeyd.conf.networks.gz” & “wireless.gz”

    No sign of Honeyd.conf..!!!
    pls help

  64. AJ Says:

    Hi Travis!

    Thanks heaps for this excellent and helpful tutorial! I am new to Honeyd and I was able to implement a basic Honeyd (with one honeypot) and later on to add more honeypots. I was able to scan from a Windows machine using ZENMAP version 6.01 and I found open ports on the Honeyd box installed on Linux Ubuntu, and to find open ports on the virtuals hosts (honeypots) as well as.

    However, when I run honeyd using “sudo honeyd -d -I eth0 -f honeyd-winxp.conf” everything works fine but stops at “arp reply” once I do a ping scan from the Windows machine with ZENMAP. BUT, THERE IS NO “SENDING ICMP ECHO REPLY”.

    I also tried to load Honeyd using “sudo honeyd -d -f honeyd-winxp.conf”. Again, everything is fine (listening promiscuously on eth0…, [eth0] trying DHCP, Demoting privileges to uid 65534, gid 65534, [eth0] got DHCP offer…Updating ARP binding …., arp reply…). BUT AGAIN IT DOES NOT REACH TO STAGE OF “SENDING ICMP ECHO REPLY”.

    Could you please help?

    Cheers,

    AJ

  65. travis Says:

    AJ

    Can you send me your config and let me try and run yours? My email is travisaltman@gmail.com

  66. travis Says:

    Rahul,

    As sudo or root run the command “updatedb” then run the command “locate”. This should for the most part always tell you where something is located on the file system in Linux. If that doesn’t work let me know.

  67. AJ Says:

    Hi Travis!

    Thanks heaps for your assistance!
    I just sent the configuration file as requested.
    Thank you for your assistance!
    Cheers,
    AJ

  68. Rahul Says:

    Thanks Travis,
    can you pls explain how to detect a spoofed IP using honeypot or by the logs of honeyd my project’s aim is to detect IP spoofing using Honeypot, so far Honeypot is installed up and running perfectly..
    thank you.

  69. Richard Says:

    Hey Travis I was just wondering where do I save the honeyd.conf file.

  70. Richard Says:

    Hi Travis I was just wondering where I save the honeyd.conf file.

  71. Chip Says:

    Dev,
    You may have already solved this, but figured i would post this anyways.
    I was getting the “aborting dhclient on interface wlan0 after 12 tries” also and after a few hours of troubleshooting i confirmed it was because my box was on a switch. Honeyd was requesting an IP and the router was offering one up but it was not finding its destination. After i hooked directly into my router, everything ran great.

    Does anyone know a workaround for this. Being directly hooked to my router is just a temp. solution.

    Thanks and great tutorial!!!

  72. travis Says:

    Richard,

    Doesn’t matter where you save the conf file but when you specify it on the command line you’ll need to make sure you are specific about its location.

  73. zad Says:

    Hi Chip & travis,

    I have this simple Q:
    how can I hook directly into my router? for ubuntu 12.4?
    I have your same problem with wlan0, I tried to connect the router directly to the modem but it did not work.

    Appreciate your help.
    Thanks ALOT,

  74. travis Says:

    zad,

    I can’t speak to Chip’s solution and I didn’t run my setup on wireless strictly wired. Also are you specifying the proper interface?

  75. zad Says:

    travis,

    Thanks for your response,

    I did specify the interface replacing eth0 with wlan0. and “-i wlan0” when running. I got the same message “aborting dhclient on interface wlan0 after 12 tries”.

    I tried to connect through wired connection, it does work -the internet connection-only for “DSL connection” through interface “modem ppp0 “, it seems honeyd didn’t recognize this interface since I got an error with that meaning.

    I am trying for now two solutions:
    1- to move the connection to from ppp0 to eth0, but couldn’t till now.
    2-to install dhcp server in my ubuntu 12.4.

    Do you think any of these can help? or do you have any other ideas??

    THANKS ALOT,
    Regards,

  76. Dakiem Says:

    Hi Travis,

    I really appreciate your help here. I’m having a couple of problems. first, I am having the same problem as others with the mac address showing up as wrong. the mac address changes every time I kill and restart the honeyd service, and it is followed by (Connect AS) after an nmap scan.

    second, and the weird part, is that all of my ports are showing up as open. I have the same setup as your file, and I just can’t figure out what is wrong. I have a fresh install of 12.04 on a KVM for this purpose and am running it with a static IP.

    Thanks for your help!

  77. travis Says:

    @zad, yea try eth0. Installing a DHCP server won’t do anything for you.

  78. travis Says:

    @Dakiem, can’t seem to reproduce your problem so not sure what your problem may be. Sorry I can’t be of more help.

  79. Kyle Says:

    Travis,

    I used your exact .conf file. I’m using Stratagem but got honeyd installed. This is running on VMware Workstation 9. The error is as follows…

    I run honeyd -d -f honeyd.conf
    and get Operation not permitted.

    So I try sudo honeyd -d -f honeyd.conf
    and get prompted for password, I enter my root password and I get

    Listening promiscuously on eth0: (arp or ip pronto 47 or (udp and src port 67 and dst port 68) or (ip) ) and not ether src 00:0c:29:35:b5:00
    honeyd: fopen(honeyd.conf) : No such file or directory

    Any idea what i’m messing up?

  80. travis Says:

    Kyle,

    It can’t find your honeyd.conf, is honeyd.conf in the same directory where you’re running the command?

  81. Diba Says:

    Hello everybody,

    I’m trying to setup my home honeypot but i’m having problems with my honeyd installation. No matter what configuration and settings i try,when trying to start honeyd i get the same error :” aborting dhclient on interface eth0 after 12 tries” .
    Has anybody encountered the same error?

    Any help appreciated.

    DB

  82. Rob Says:

    Diba,

    I had this problem running Honeyd in Virtual box. I had to change the Virtual box network settings for promiscuous mode to allow all and then had to reboot Honeyd. When I re-ran the command after reboot I was able to get an IP address.

    Rob

  83. Diba Says:

    Rob,

    can you tell me the needed settings of the virtual box in order to get honeyd up and running?

    Thank you in advance

  84. Dim Says:

    Has anybody deployed honeyd on a vps?
    I was wondering how to set it up as you cannot get a separate ip.

  85. Lizz Says:

    Hi all,

    I am getting a “No such device” error when attempting to deploy my honeypot. Here is my configuration:

    create default
    set default default tcp action block
    set default default udp action block
    set default default icmp action block

    create windows
    set windows personality "Microsoft Windows XP Professional SP1"
    add windows tcp port 23 open
    add windows tcp port 25 open
    add windows tcp port 80 open

    set windows ethernet "00:50:56:29:ce:d3"
    dhcp windows on eth2

    Here is the response I receive:
    root@bt:~# honeyd -d -f honeyd.conf
    Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
    honeyd[2094]: started with -d -f honeyd.conf
    Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
    Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
    honeyd: interface_new: intf_get: No such device

    Any help is appreciated.

  86. Rob Says:

    Diba,

    Other than changing the Virtual box network settings for promiscuous mode to allow all I used the default settings. No other changes were needed.

    Hope this helps
    Rob

  87. dwija Says:

    hi travis,

    can u help me?
    i have install honeyd in ubuntu lts 12.0.3 in my virtual box and i use windows 7 for primary machine.
    in windows i set my ip 192.168.0.10 / 255.255.255.0
    and in my ubuntu (virtualbox) 192.168.0.5 / 255.255.255.0
    and in honeyd configuration i set dhcp eth0
    but when i run the honeyd, why i get ip different network from my windows n ubuntu ?
    the ip in honeyd i get 192.168.56.104

    can u help me please?? :(

  88. Dionne Says:

    Hi Travis,

    I have installed backtrack 5 r3 on my laptop to run side by side with my windows.
    After that I have tried to use honeyd using my wifi but it does work it gives me an error, but the internet is working and if I use my wired network the honeypot works.
    Do you have any idea why the wifi does not work?
