Honeypot / honeyd tutorial part 1, getting started

If you’ve somehow found my obscure site then you probably already know a little bit about honeypots and their functionality; if not, here is a good breakdown. There are many different types of honeypots, and they are explained very well in the book Virtual Honeypots, which I highly recommend you read if you are serious about deploying a honeypot. This series of articles will focus on honeypots built with an application called honeyd. There are a number of honeypot solutions out there, but I personally feel honeyd is a great fit because it can be kept relatively simple, or you can start tweaking it to get a more full-featured product. You may think of honeypots as internet facing, and it’s true that they can be configured that way, but during this series of tutorials I will only be using honeyd on an internal network. Internet-facing honeypots are mainly used to research and find new malware; internal honeypots are mainly used as alerting systems that notify you when other devices or users connect to them. You can also use honeyd when investigating malware, which I’ll discuss in a later tutorial.

For this tutorial I will be using one Windows machine and one Linux machine, the Backtrack distribution to be exact. Backtrack will be the machine running honeyd. Honeyd is available for Windows, but I highly recommend that you use honeyd on Linux. If you’re even halfway interested in information security then I suggest you get to know Linux, as a lot of information security tools, honeyd included, run on Linux. Sorry for the Linux rant; below is a basic diagram of my setup.

The idea here is that we’ll install and configure honeyd on Backtrack, then simply test that we have connectivity from our Windows machine. To see if you have honeyd installed on Backtrack (or any Linux system), type “honey” and press TAB; if the shell completes it to “honeyd” then you know honeyd is installed, because it is an available command. If you don’t have honeyd installed on Backtrack, run the following command:

sudo apt-get install honeyd

This will also work for any Debian-based Linux system. To install on other distributions such as Gentoo, Fedora, Slackware, etc., check their documentation on how to install packages. After honeyd is installed, the next thing we’ll need to do is create a configuration file. The honeyd configuration file is the heart of your honeypot: it tells honeyd what operating system to emulate, what ports to open, what services should be run, and so on. This config file can be tweaked to emulate all sorts of setups, but for right now let’s look at a simple setup and get that up and running. Below is my config file.

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open

set windows ethernet "00:00:24:ab:8c:12"
dhcp windows on eth0

Within Backtrack you can use the Kate or nano text editors to create this file; in Backtrack Kate is under the Utilities menu. The “create default” section simply tells honeyd to drop traffic unless it is defined later in the configuration file. I find this section is needed when you let your honeypot acquire an IP address via DHCP, and it’s probably a good idea to include it anyway so that you only answer network connections that you define later in the config file. Any time you see “create” within the config file you are creating a template for a honeypot, so you can create as many honeypots as you’d like within honeyd.conf.

In the windows template we are defining a number of things. First we set the personality, meaning that when another device on the network connects to this honeypot it will appear to be a Windows XP Pro SP1 machine; this is emulated via network stack fingerprints. I’m also opening up three TCP ports (135, 139 and 445), which are commonly open on a Windows system. The “default tcp action reset” statement tells honeyd to reject traffic aimed at any port other than the ones opened in this config. The “set windows ethernet” line sets a MAC address for our honeypot, which is needed if you run your honeypot via DHCP. You can make up any MAC address you’d like; I usually keep it close to the physical MAC address of the machine I’m running the honeypot on. Finally, the dhcp statement tells the windows template to acquire an IP address from DHCP on eth0. Now that we have our honeyd.conf file properly set up it’s time to launch honeyd; below is the command I use when initially getting honeyd up and running.

honeyd -d -f honeyd.conf

Here we use -d so that honeyd doesn’t run in the background (doesn’t run as a daemon, in Linux terms). This allows for more verbose output so that we can troubleshoot as needed. Running in this mode will also show the IP address that was given to our honeypot via DHCP. Below is the type of output you should see after running the honeyd command.

Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[1870]: started with -d -f honeyd.conf
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[1870]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src ...
honeyd[1870]: [eth0] trying DHCP
honeyd[1870]: Demoting process privileges to uid 65534, gid 65534
honeyd[1870]: [eth0] got DHCP offer: 192.168.99.135
honeyd[1870]: Updating ARP binding: 00:00:24:c8:e3:34 -> 192.168.99.135

In this verbose output we see that DHCP gave our honeypot the address 192.168.99.135. From our Windows machine let’s ping that IP address and make sure that we have connectivity. You should see output on the honeyd terminal similar to the following.

honeyd[1870]: arp reply 192.168.99.135 is-at 00:00:24:c8:e3:34
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: arp_send: who-has 192.168.99.128 tell 192.168.99.135
honeyd[1870]: arp_recv_cb: 192.168.99.128 at 00:0c:29:7e:60:d0
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
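The verbose output above is also the raw material for the alerting use mentioned at the start of this article: on an internal network nothing legitimate should be talking to the honeypot, so every peer that shows up in these lines is worth a look. The following is an added example, not part of the original tutorial and not honeyd’s own code, that reads honeyd -d output line by line and builds a per-peer summary. The log lines embedded in it are constructed; the DHCP, ARP and ICMP line formats copy what is shown above, while the “Connection request” line format is an assumption about honeyd’s verbose logging of TCP connections and should be checked against your own output before relying on it.

```python
"""Added example: summarise honeyd -d output per peer and raise simple alerts.
Not from the tutorial or from honeyd; sample lines are constructed."""
import re

# Constructed sample of honeyd -d output. The first six lines follow the
# format shown in the tutorial; the "Connection request" format is assumed.
SAMPLE_LOG = """\
honeyd[1870]: [eth0] got DHCP offer: 192.168.99.135
honeyd[1870]: Updating ARP binding: 00:00:24:c8:e3:34 -> 192.168.99.135
honeyd[1870]: arp reply 192.168.99.135 is-at 00:00:24:c8:e3:34
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: arp_recv_cb: 192.168.99.128 at 00:0c:29:7e:60:d0
honeyd[1870]: Sending ICMP Echo Reply: 192.168.99.135 -> 192.168.99.128
honeyd[1870]: Connection request: tcp (192.168.99.128:49152 - 192.168.99.135:445)
honeyd[1870]: Connection request: tcp (192.168.99.128:49153 - 192.168.99.135:1337)
honeyd[1870]: Connection request: tcp (192.168.99.140:40001 - 192.168.99.135:139)
"""

DHCP_RE = re.compile(r'\[(?P<iface>\w+)\] got DHCP offer: (?P<ip>[\d.]+)')
ARP_RE = re.compile(r'arp_recv_cb: (?P<ip>[\d.]+) at (?P<mac>[0-9a-f:]{17})')
ICMP_RE = re.compile(r'Sending ICMP Echo Reply: (?P<honeypot>[\d.]+) -> (?P<peer>[\d.]+)')
# Assumed format of honeyd's TCP/UDP connection log line (src:port - dst:port).
CONN_RE = re.compile(r'Connection request: (?P<proto>tcp|udp) '
                     r'\((?P<src>[\d.]+):\d+ - (?P<dst>[\d.]+):(?P<dport>\d+)\)')


def peer_record():
    return {'mac': None, 'pings': 0, 'ports': set()}


def summarize(log_text):
    """Return {'honeypots': {ip: iface}, 'peers': {ip: record}}.
    A peer is any address that pinged, ARP-resolved or connected to a honeypot."""
    honeypots, peers = {}, {}
    for line in log_text.splitlines():
        if m := DHCP_RE.search(line):
            honeypots[m['ip']] = m['iface']          # address DHCP handed out
        elif m := ARP_RE.search(line):
            peers.setdefault(m['ip'], peer_record())['mac'] = m['mac']
        elif m := ICMP_RE.search(line):
            peers.setdefault(m['peer'], peer_record())['pings'] += 1
        elif m := CONN_RE.search(line):
            rec = peers.setdefault(m['src'], peer_record())
            rec['ports'].add((m['proto'], int(m['dport'])))
    return {'honeypots': honeypots, 'peers': peers}


def alerts(summary, open_ports):
    """One alert line per peer. Contact with ports the config never opened
    (a TCP SYN to a 'reset' port) is the signature of a port scan."""
    out = []
    for ip, rec in sorted(summary['peers'].items()):
        closed = sorted(p for p in rec['ports'] if p not in open_ports)
        if closed:
            out.append(f'{ip}: probed unopened ports {closed} (possible port scan)')
        elif rec['ports']:
            out.append(f'{ip}: connected to {sorted(rec["ports"])}')
        elif rec['pings']:
            out.append(f'{ip}: pinged the honeypot {rec["pings"]} times')
    return out


if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print('honeypots:', s['honeypots'])
    for line in alerts(s, {('tcp', 135), ('tcp', 139), ('tcp', 445)}):
        print('ALERT', line)
```

In practice you would save the terminal output of honeyd -d to a file and hand its contents to summarize(); the set passed to alerts() is the list of ports your own honeyd.conf opens, so that a probe of anything else stands out.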

So congrats, you’ve successfully deployed honeyd. We can now ping our honeypot, but we also need to make sure the ports we’ve configured to be open really are open. Let’s use the Cadillac of port scanners, nmap, to detect open ports on our honeypot. You could scan all 65,535 ports on the honeypot, but to keep honeyd’s verbose output low let’s just scan a handful of ports. Below is the nmap command I used.

nmap -p 135,139,445,1337 192.168.99.135

The output of this command should look similar to below.

Starting Nmap 5.00 ( http://nmap.org ) at 2011-05-06 13:13 EDT
Interesting ports on someone (172.20.73.77):
PORT     STATE  SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
1337/tcp closed waste
MAC Address: 00:00:24:26:C4:ED (Connect AS)

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
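To tie the config section and this nmap check together, here is an added example, not from the tutorial and not part of honeyd, that parses a honeyd.conf written in the form used above, flags a few mistakes that come up often (a template used before it is created, a malformed MAC address, a dhcp template with no ethernet address), and compares the ports the config opens against the port table in nmap’s output. The config text and nmap output embedded in it are constructed copies in the same shape as the ones above; only the statement forms used on this page (create, set, add, dhcp and bind) are understood.

```python
"""Added example: parse honeyd.conf, sanity-check it, and diff its open ports
against an nmap scan. Not from the tutorial or honeyd; inputs are constructed."""
import re

# Constructed copy of the tutorial's honeyd.conf.
HONEYD_CONF = """\
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open

set windows ethernet "00:00:24:ab:8c:12"
dhcp windows on eth0
"""

# Constructed nmap output in the same shape as the tutorial's scan.
NMAP_OUTPUT = """\
PORT     STATE  SERVICE
135/tcp  open   msrpc
139/tcp  open   netbios-ssn
445/tcp  open   microsoft-ds
1337/tcp closed waste
"""

MAC_RE = re.compile(r'^([0-9a-f]{2}:){5}[0-9a-f]{2}$', re.I)
QUOTED_RE = re.compile(r'"([^"]*)"')


def new_template():
    return {'personality': None, 'ethernet': None, 'interface': None,
            'bind': [], 'defaults': {}, 'ports': {}}


def parse_honeyd_conf(text):
    """Return (templates, problems) for the statement forms used in the tutorial."""
    templates, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        w = line.split()
        cmd = w[0]
        if cmd == 'create':                       # create NAME
            templates[w[1]] = new_template()
            continue
        name = w[2] if cmd == 'bind' else w[1]    # bind IP NAME / set|add|dhcp NAME ...
        tpl = templates.get(name)
        if tpl is None:
            problems.append(f'line {lineno}: template "{name}" used before create')
            continue
        if cmd == 'set' and w[2] == 'personality':
            m = QUOTED_RE.search(line)
            tpl['personality'] = m.group(1) if m else None
        elif cmd == 'set' and w[2] == 'ethernet':
            m = QUOTED_RE.search(line)
            mac = m.group(1) if m else ''
            if not MAC_RE.match(mac):
                problems.append(f'line {lineno}: bad MAC address {mac!r}')
            tpl['ethernet'] = mac
        elif cmd == 'set' and w[2] == 'default':  # set NAME default tcp action reset
            tpl['defaults'][w[3]] = w[5]
        elif cmd == 'add' and w[3] == 'port':     # add NAME tcp port 135 open
            tpl['ports'][(w[2], int(w[4]))] = w[5]
        elif cmd == 'dhcp':                       # dhcp NAME on eth0
            tpl['interface'] = w[3]
        elif cmd == 'bind':                       # bind 192.168.5.201 NAME
            tpl['bind'].append(w[1])
        else:
            problems.append(f'line {lineno}: unrecognised statement: {line}')
    # The tutorial notes a MAC address is needed when a template runs over DHCP.
    for name, tpl in templates.items():
        if tpl['interface'] and not tpl['ethernet']:
            problems.append(f'template "{name}" uses dhcp but has no ethernet address')
    return templates, problems


def parse_nmap_ports(text):
    """Map (proto, port) -> state from the port table in nmap's normal output."""
    return {(m.group(2), int(m.group(1))): m.group(3)
            for m in re.finditer(r'^(\d+)/(tcp|udp)\s+(\S+)', text, re.M)}


def compare_ports(template, scanned):
    """Ports the config opens that nmap did not see open, and vice versa."""
    expected = {k for k, s in template['ports'].items() if s == 'open'}
    observed = {k for k, s in scanned.items() if s == 'open'}
    return {'missing': sorted(expected - observed),
            'unexpected': sorted(observed - expected)}


if __name__ == '__main__':
    templates, problems = parse_honeyd_conf(HONEYD_CONF)
    for p in problems:
        print('config problem:', p)
    print(compare_ports(templates['windows'], parse_nmap_ports(NMAP_OUTPUT)))
```

An empty "missing" and "unexpected" list is the result you want after the scan above; an "unexpected" entry would mean the honeypot answers on a port the config never opened, which is worth investigating before trusting the template.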

So honeyd appears to be working correctly. If you’ve reached this point then you are on your way to doing even more with honeypots and honeyd. The main purpose of this article was to get you up and running. In the next articles in this series we’ll configure more honeypots, set static IPs, get alerts on devices port scanning our honeypots, investigate malware, etc. If you have any questions, catch errors, or have any feedback please comment below.

118 Responses to “Honeypot / honeyd tutorial part 1, getting started”

  1. Vivek Malik Says:

    Hi Travis,

    I got my honeyd up and running but can only nmap it from a different machine. I am using honeyd on a dual-boot system with Windows 7 and Ubuntu (11.10). Well, I wanted to ask: instead of using a LAN cable for the network, how can we configure our .conf file to use honeyd on the WLAN network? I am currently working on a project on honeypots so I need to know how to use it over wifi so that I can present it in college.
    Plus one more thing: does this configuration work with USB internet data cards or only through an Ethernet cable?

    Please help.
    Regards

  2. travis Says:

    Vivek,

    If you want to use wireless, just specify your wireless interface in your configuration. For instance, in Linux the wired interface is usually eth0 but the wireless interface will be something like wlan0 or ath0. Also, when you say USB internet data card I assume you mean a USB to Ethernet adapter, and yes, that will work just fine. Let me know if I didn’t answer your question.

  3. Seanny Says:

    Thanks for the tutorial Travis.

    I have Honeyd running inside a VirtualBox and have the bridged adapter set to allow all promiscuous listening.

    Unfortunately, my Honeyd machine can’t seem to get an IP. I assigned it a static IP and although it replies to ARP requests, it doesn’t reply to pings. When I do an nmap scan it says that the ports are filtered. Basically, I have the same problem as Edwanny and Sarah were having. When I log the data into the logfile as you suggested, I don’t see the pings. I don’t see them appear in Wireshark either, but I don’t think I’m supposed to.

    Let me know if there’s another step I can try. Alternatively, I’m starting to think this might be a bug with VirtualBox…

    Regards,
    Seanny

  4. Seanny Says:

    I have confirmed that it is a bug with VirtualBox. An almost identical bare-metal installation of Ubuntu server worked perfectly while the VirtualBox version did not.

    Unfortunately, I cannot imagine what settings would cause this, since the machine in question seems to receive DHCP and pings just fine.

    Thank you for your time,
    Seanny

  5. kris kringle Says:

    I ran the exact config file that you suggest, with the exception of changing the last line to read wlan0 instead of eth0 as I am running bt5 on a wireless network. I start the program with honeyd -d -i wlan0 -f honeyd.conf and it starts to go, but after it prints “Demoting process privileges…” it just hangs. I’ve left it running for about twenty minutes and it came up with the aborting dhclient after 12 tries. To return to a prompt I have to kill with “ctrl+C” even after it aborts. I see this question has been asked once before but I can’t seem to locate the answer to this problem. Any help would be appreciated. Thank you and thank you for the tutorial.

  6. travis Says:

    kris,

    Sorry for the late reply. I tried searching for answers to your problem but could not find the solution. If you’ve managed to fix the issue I would love to hear your solution.

  7. Ankita Shah Says:

    I am working with honeypots for my dissertation work. I had implemented a socket for the connection. So I want to know whether honeyd will be able to monitor that socket port. Also, which port would be preferable for the socket connection?

  8. Vivek Malik Says:

    I would like to thank you, Travis, for your blog and the immense help it gave me in completing my project.
    I have taken some details from your G+ profile (the link you gave in the About Me section of your blog) to put in my acknowledgements, and the link to your blog for references.

    Again Thank you very much
    Regards
    Vivek Malik

  9. travis Says:

    Vivek,

    Thank you for the kind words, just hope this helps others.

  10. laner Says:

    Thank you for the kind words

  11. panaj Says:

    How to deal with the “unknown personality” problem?

  12. Uday Says:

    Hello,

    I am facing the same problem, that is, not being able to get a DHCP address.
    I found the solution in the above discussion: we need to change Promiscuous Mode to Allow All. But how do I do that? Please help.

    Thanks.

  13. Rahul Says:

    Hi, thanks for writing such a comprehensive article.
    I still don’t get it: where is the “conf” file? In my Ubuntu I see it under “/usr/share/doc/honeyd/examples#” where I have files like “config.localhost”, “honeyd.conf.bloat.gz”, “honeyd.conf.networks.gz” & “wireless.gz”

    No sign of honeyd.conf!!!
    Pls help

  14. AJ Says:

    Hi Travis!

    Thanks heaps for this excellent and helpful tutorial! I am new to Honeyd and I was able to implement a basic Honeyd (with one honeypot) and later on to add more honeypots. I was able to scan from a Windows machine using ZENMAP version 6.01 and found open ports on the Honeyd box installed on Linux Ubuntu, and open ports on the virtual hosts (honeypots) as well.

    However, when I run honeyd using “sudo honeyd -d -I eth0 -f honeyd-winxp.conf” everything works fine but stops at “arp reply” once I do a ping scan from the Windows machine with ZENMAP. BUT, THERE IS NO “SENDING ICMP ECHO REPLY”.

    I also tried to load Honeyd using “sudo honeyd -d -f honeyd-winxp.conf”. Again, everything is fine (listening promiscuously on eth0…, [eth0] trying DHCP, Demoting privileges to uid 65534, gid 65534, [eth0] got DHCP offer…, Updating ARP binding …, arp reply…). BUT AGAIN IT DOES NOT REACH THE STAGE OF “SENDING ICMP ECHO REPLY”.

    Could you please help?

    Cheers,

    AJ

  15. travis Says:

    AJ

    Can you send me your config and let me try and run yours? My email is travisaltman@gmail.com

  16. travis Says:

    Rahul,

    As sudo or root run the command “updatedb”, then run the command “locate”. This should, for the most part, always tell you where something is located on the file system in Linux. If that doesn’t work let me know.

  17. AJ Says:

    Hi Travis!

    Thanks heaps for your assistance!
    I just sent the configuration file as requested.
    Thank you for your assistance!
    Cheers,
    AJ

  18. Rahul Says:

    Thanks Travis,
    Can you pls explain how to detect a spoofed IP using a honeypot or from the logs of honeyd? My project’s aim is to detect IP spoofing using a honeypot; so far the honeypot is installed, up and running perfectly.
    thank you.

  19. Richard Says:

    Hey Travis I was just wondering where do I save the honeyd.conf file.

  20. Richard Says:

    Hi Travis I was just wondering where I save the honeyd.conf file.

  21. Chip Says:

    Dev,
    You may have already solved this, but I figured I would post this anyway.
    I was getting the “aborting dhclient on interface wlan0 after 12 tries” also, and after a few hours of troubleshooting I confirmed it was because my box was on a switch. Honeyd was requesting an IP and the router was offering one up, but it was not finding its destination. After I hooked directly into my router, everything ran great.

    Does anyone know a workaround for this? Being directly hooked to my router is just a temporary solution.

    Thanks and great tutorial!!!

  22. travis Says:

    Richard,

    It doesn’t matter where you save the conf file, but when you specify it on the command line you’ll need to be specific about its location.

  23. zad Says:

    Hi Chip & travis,

    I have this simple question:
    how can I hook directly into my router, for Ubuntu 12.4?
    I have the same problem as you with wlan0; I tried to connect the router directly to the modem but it did not work.

    Appreciate your help.
    Thanks a lot,

  24. travis Says:

    zad,

    I can’t speak to Chip’s solution, and I didn’t run my setup on wireless, strictly wired. Also, are you specifying the proper interface?

  25. zad Says:

    travis,

    Thanks for your response,

    I did specify the interface, replacing eth0 with wlan0, and “-i wlan0” when running. I got the same message “aborting dhclient on interface wlan0 after 12 tries”.

    I tried to connect through a wired connection; it does work (the internet connection) only for a “DSL connection” through the interface “modem ppp0”. It seems honeyd didn’t recognize this interface since I got an error to that effect.

    I am trying two solutions for now:
    1- move the connection from ppp0 to eth0, but I couldn’t so far.
    2- install a DHCP server on my Ubuntu 12.4.

    Do you think either of these can help? Or do you have any other ideas??

    THANKS A LOT,
    Regards,

  26. Dakiem Says:

    Hi Travis,

    I really appreciate your help here. I’m having a couple of problems. First, I am having the same problem as others with the MAC address showing up as wrong: the MAC address changes every time I kill and restart the honeyd service, and it is followed by (Connect AS) after an nmap scan.

    Second, and the weird part, is that all of my ports are showing up as open. I have the same setup as your file, and I just can’t figure out what is wrong. I have a fresh install of 12.04 on a KVM for this purpose and am running it with a static IP.

    Thanks for your help!

  27. travis Says:

    @zad, yea try eth0. Installing a DHCP server won’t do anything for you.

  28. travis Says:

    @Dakiem, I can’t seem to reproduce your problem so I’m not sure what your problem may be. Sorry I can’t be of more help.

  29. Kyle Says:

    Travis,

    I used your exact .conf file. I’m using Stratagem but got honeyd installed. This is running on VMware Workstation 9. The error is as follows…

    I run honeyd -d -f honeyd.conf
    and get “Operation not permitted”.

    So I try sudo honeyd -d -f honeyd.conf
    and get prompted for a password; I enter my root password and I get

    Listening promiscuously on eth0: (arp or ip pronto 47 or (udp and src port 67 and dst port 68) or (ip) ) and not ether src 00:0c:29:35:b5:00
    honeyd: fopen(honeyd.conf) : No such file or directory

    Any idea what I’m messing up?

  30. travis Says:

    Kyle,

    It can’t find your honeyd.conf, is honeyd.conf in the same directory where you’re running the command?

  31. Diba Says:

    Hello everybody,

    I’m trying to set up my home honeypot but I’m having problems with my honeyd installation. No matter what configuration and settings I try, when trying to start honeyd I get the same error: “aborting dhclient on interface eth0 after 12 tries”.
    Has anybody encountered the same error?

    Any help appreciated.

    DB

  32. Rob Says:

    Diba,

    I had this problem running Honeyd in VirtualBox. I had to change the VirtualBox network settings for promiscuous mode to Allow All and then had to reboot Honeyd. When I re-ran the command after the reboot I was able to get an IP address.

    Rob

  33. Diba Says:

    Rob,

    Can you tell me the needed VirtualBox settings in order to get honeyd up and running?

    Thank you in advance

  34. Dim Says:

    Has anybody deployed honeyd on a vps?
    I was wondering how to set it up as you cannot get a separate ip.

  35. Lizz Says:

    Hi all,

    I am getting a “No such device” error when attempting to deploy my honeypot. Here is my configuration:

    create default
    set default default tcp action block
    set default default udp action block
    set default default icmp action block

    create windows
    set windows personality "Microsoft Windows XP Professional SP1"
    add windows tcp port 23 open
    add windows tcp port 25 open
    add windows tcp port 80 open

    set windows ethernet "00:50:56:29:ce:d3"
    dhcp windows on eth2

    Here is the response I receive:
    root@bt:~# honeyd -d -f honeyd.conf
    Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
    honeyd[2094]: started with -d -f honeyd.conf
    Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
    Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
    honeyd: interface_new: intf_get: No such device

    Any help is appreciated.

  36. Rob Says:

    Diba,

    Other than changing the VirtualBox network settings for promiscuous mode to Allow All I used the default settings. No other changes were needed.

    Hope this helps
    Rob

  37. dwija Says:

    hi travis,

    Can you help me?
    I have installed honeyd on Ubuntu LTS 12.0.3 in my VirtualBox and I use Windows 7 as the primary machine.
    In Windows I set my IP to 192.168.0.10 / 255.255.255.0
    and in my Ubuntu (VirtualBox) 192.168.0.5 / 255.255.255.0,
    and in the honeyd configuration I set dhcp on eth0.
    But when I run honeyd, why do I get an IP on a different network from my Windows and Ubuntu?
    The IP I get in honeyd is 192.168.56.104.

    Can you help me please?? 🙁

  38. Dionne Says:

    Hi Travis,

    I have installed Backtrack 5 R3 on my laptop to run side by side with my Windows.
    After that I tried to use honeyd using my wifi, but it doesn’t work, it gives me an error; the internet is working, and if I use my wired network the honeypot works.
    Do you have any idea why the wifi does not work?

  39. emna Says:

    Hi, please can you help me.
    I should install honeyd to get 2 honeypots; I should use Snort also to get more logs from honeyd.
    Can you give me some advice or ideas about how I should start and what kind of OS I should use?
    Thanks

  40. travis Says:

    Dionne,

    You may have to specify the interface with the “-i” option; if you don’t it may default to wired, which in Linux is typically eth0. First run ifconfig to determine the wireless interface name, normally it’s wlan0. Let me know if that doesn’t work.

  41. travis Says:

    emna,

    It really depends on what you want to accomplish. I wanted a simple solution and did not need to get alerted on a lot of activity. If you require multiple kinds of alerts then something like Snort may be a better solution. OS: I will always use Linux as I feel it has better flexibility and is overall easier than security applications in Windows. Yes, there are plenty of times where Windows will be easier, but Linux is my recommendation. Hope that helps.

  42. vikram Says:

    Did you get any fix, Lizz??

  43. vikram Khopade Says:

    [root@localhost tecomp]# honeyd -d -f honeyd.conf
    Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
    honeyd[3004]: started with -d -f honeyd.conf
    Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
    Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
    honeyd: interface_new: intf_get: No such device

    Hey, I’m getting the above output when running on man lab LAN.
    My .conf file is as follows:

    create default
    set default default tcp action block
    set default default udp action block
    set default default icmp action block

    create windows
    set windows personality "Microsoft Windows XP Professional SP1"
    set windows default tcp action reset
    add windows tcp port 135 open
    add windows tcp port 139 open
    add windows tcp port 445 open

    set windows ethernet "00:00:24:ab:8c:12"

    bind 192.168.5.201 windows

  44. travis Says:

    @Vikram,

    Maybe specify the interface with the -i option.

  45. aarcee Says:

    Hi Travis. Great tutorial.
    I have installed Ubuntu 12.04 and am trying to run honeyd. The message I get is
    Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
    honeyd[6587]: started with
    honeyd: ip_open: Operation not permitted
    Can you please help

  46. Couch Says:

    Hi there.
    I have the same problem which Peter had. But it is still not solved.
    “update_connect_cb: connection failed: Operation now in progress”
    I use VMware 9.0. Can anyone tell me how to configure the network?

  47. travis Says:

    Couch,

    Hmmm, not sure, wish I had a better answer.

  48. travis Says:

    Aarcee,

    Are you running this as root?

  49. patrick Says:

    You need to be root in order to run the operations.

  50. behnam Says:

    Hi dear,
    I need honeyd for Windows, please help me and send a download link.
    Thx
