Honeypot / honeyd tutorial part 2, multiple honeypots

Part one of this series was mainly about getting honeyd up and running. Hopefully you also took away from part one that the configuration file, honeyd.conf, is the key to making things work smoothly and properly. Now that you’ve got honeyd up and running, let’s tweak honeyd.conf so that we have multiple honeypots running on one installation of honeyd. One honeypot is great, but having three or four is even better. Part two is dedicated to showing you how to properly set up multiple honeypots in honeyd. In part one we only emulated a Windows device, via the lines below in honeyd.conf:

set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset

The personality tells honeyd which device to pretend to be. There are plenty of other personalities to choose from, so when setting up multiple honeypots you may want to emulate devices besides a standard Windows box. Maybe you’d like to emulate a Solaris box or a PBX system, or, if you are going to emulate a Windows device, make it real juicy to an attacker by making it a Windows 98 device. You’ve got plenty of options when choosing a personality for your honeypot. Honeyd takes advantage of nmap and the way it fingerprints devices. The list of personalities is located in the nmap.prints file; you should be able to find this file by using the following command:

locate nmap.prints

You can view this file using less; for me, I issued the following command.

less /usr/share/honeyd/nmap.prints

Nmap has a version of this file as well, named “nmap-os-db”. The nmap.prints and nmap-os-db files may or may not match up, depending on your versions of nmap and honeyd. My nmap-os-db is in the following location.

/usr/share/nmap/nmap-os-db

Within nmap.prints, anything that follows the word “Fingerprint” is available as a personality. In the example below, the string “Avaya G3 PBX version 8.3” can be used as a personality in honeyd.conf.

In my example I will emulate this Avaya PBX device and I will also emulate a Solaris device. A diagram of my setup looks like the following.

So now that I’ve decided to also emulate a Solaris and an Avaya device, I’ll need to add both of these to honeyd.conf. Basically all you’ll need to do is copy and paste the Windows device you’ve already set up in honeyd.conf and then make some minor modifications, such as the personality. My honeyd.conf for all three of these honeypots is below.

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open

create avaya
set avaya personality "Avaya G3 PBX version 8.3"
set avaya default tcp action reset
add avaya tcp port 4445 open
add avaya tcp port 5038 open

create solaris
# personality copied unchanged from the avaya template above; replace it with a Solaris "Fingerprint" string from nmap.prints
set solaris personality "Avaya G3 PBX version 8.3"
set solaris default tcp action reset
add solaris tcp port 22 open
add solaris tcp port 2049 open

set windows ethernet "00:00:24:ab:8c:12"
set avaya ethernet "00:00:24:ab:8c:13"
set solaris ethernet "00:00:24:ab:8c:14"
dhcp windows on eth1
dhcp avaya on eth1
dhcp solaris on eth1

After you’ve added this information to honeyd.conf, go ahead and run honeyd with the options discussed in part one; you should see the following.

root@bt:~# honeyd -d -f honeyd.conf
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[2697]: started with -d -f honeyd.conf
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[2697]: listening promiscuously on eth1: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:0c:29:88:e6:db
honeyd[2697]: [eth1] trying DHCP
honeyd[2697]: [eth1] trying DHCP
honeyd[2697]: [eth1] trying DHCP
honeyd[2697]: Demoting process privileges to uid 65534, gid 65534
honeyd[2697]: [eth1] got DHCP offer: 192.168.99.159
honeyd[2697]: Updating ARP binding: 00:00:24:c5:59:29 -> 192.168.99.159
honeyd[2697]: [eth1] got DHCP offer: 192.168.99.160
honeyd[2697]: Updating ARP binding: 00:00:24:02:ac:73 -> 192.168.99.160
honeyd[2697]: [eth1] got DHCP offer: 192.168.99.161
honeyd[2697]: Updating ARP binding: 00:00:24:68:0c:45 -> 192.168.99.161
honeyd[2697]: arp reply 192.168.99.159 is-at 00:00:24:c5:59:29
honeyd[2697]: arp reply 192.168.99.160 is-at 00:00:24:02:ac:73
honeyd[2697]: arp reply 192.168.99.161 is-at 00:00:24:68:0c:45
honeyd[2697]: Sending ICMP Echo Reply: 192.168.99.159 -> 192.168.99.254
honeyd[2697]: arp_send: who-has 192.168.99.254 tell 192.168.99.159
honeyd[2697]: Sending ICMP Echo Reply: 192.168.99.160 -> 192.168.99.254
honeyd[2697]: Sending ICMP Echo Reply: 192.168.99.161 -> 192.168.99.254
honeyd[2697]: arp_recv_cb: 192.168.99.254 at 00:50:56:ec:10:84

If everything has gone smoothly up to this point, you’ve gotten output similar to the above. So currently we’ve got three honeypots running on one installation of honeyd. Now the proof is in the pudding: port scan these devices to see if the ports are open and what OS nmap claims them to be. DHCP gave our Avaya device an IP address of 192.168.99.160; let’s port scan for the two open ports and a port we know to be closed and see what results we get.

travis@tht:~/documents$ nmap -p 4445,5038,5555 192.168.99.160

Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-15 01:25 EDT
Interesting ports on 192.168.99.160:
PORT     STATE  SERVICE
4445/tcp open   unknown
5038/tcp open   unknown
5555/tcp closed freeciv

Nmap done: 1 IP address (1 host up) scanned in 1.18 seconds

Looks like everything is on the up and up with our Avaya device. Port 5555 is closed because we did not define it in honeyd.conf. I’ll spare you the nmap scan of the Solaris device, but everything was operating as normal for it as well. So the ports are open, but how well is this personality thing working? Nmap can try to determine the OS of a device through a number of TCP exchanges. Honeyd uses the nmap fingerprint database to send the appropriate TCP responses to an nmap scan, so that the personality you’ve assigned to your template will respond as it should. This doesn’t always work properly. New versions of nmap are constantly coming out, which means the nmap fingerprint database is changing as well. So nmap may or may not identify the personality correctly; this will depend on the version of nmap you or an attacker is scanning with, and on the nmap.prints file that honeyd uses. You can perform OS detection in nmap by providing it the -O option; let’s try scanning our Solaris device and see what it returns.

Seeing how this might happen, you don’t want to rely entirely on the personality in honeyd. The best idea is to open the ports that are common to a particular device. For instance, most Linux and Solaris devices have port 22 open, while routers and switches will probably have port 161 (SNMP) open. The configuration is totally up to you, but making your honeypot as sweet as possible is the main goal.
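As an added example (not code from the article), here is a small Python lint for a multi-template honeyd.conf like the one above: it checks that every template used by set/add/dhcp/bind was created, that each personality string appears as a “Fingerprint” line in nmap.prints, that no two templates share a personality (the copy-and-paste slip the solaris template above shows) or a MAC address, and that every template is attached with dhcp or bind. The nmap.prints excerpt and honeyd.conf it runs on are constructed inline; to lint real files, read them and pass their text to lint().

```python
import re
from collections import defaultdict

# Constructed nmap.prints excerpt: only the "Fingerprint" lines name personalities.
NMAP_PRINTS = """\
Fingerprint Microsoft Windows XP Professional SP1
Class Microsoft | Windows | NT/2K/XP | general purpose
Fingerprint Avaya G3 PBX version 8.3
"""
# Constructed honeyd.conf in the article's style, seeded with mistakes to catch: solaris
# reuses the Avaya personality and avaya's MAC, 'printer' is never created, solaris never attached.
HONEYD_CONF = """\
create default
create windows
set windows personality "Microsoft Windows XP Professional SP1"
add windows tcp port 445 open
create avaya
set avaya personality "Avaya G3 PBX version 8.3"
create solaris
set solaris personality "Avaya G3 PBX version 8.3"
add printer tcp port 9100 open
set windows ethernet "00:00:24:ab:8c:12"
set avaya ethernet "00:00:24:ab:8c:13"
set solaris ethernet "00:00:24:AB:8C:13"
dhcp windows on eth1
dhcp avaya on eth1
"""
def personalities(prints_text):
    # Personality strings honeyd will accept: the text after each "Fingerprint".
    return {m.group(1).strip() for m in re.finditer(r"^Fingerprint (.+)$", prints_text, re.M)}

def lint(conf_text, prints_text):
    """Return a list of problems found in honeyd.conf text, checked against nmap.prints text."""
    known, created, attached, problems = personalities(prints_text), set(), set(), []
    shared = {"personality": defaultdict(list), "ethernet": defaultdict(list)}
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()               # drop comments, tokenize
        if not tok or tok[0] not in ("create", "set", "add", "dhcp", "bind"):
            continue                                      # route, annotate, ... not checked
        if tok[0] == "create":
            created.add(tok[1])
            continue
        tmpl = tok[2] if tok[0] == "bind" else tok[1]     # bind <ip> <template>
        if tmpl not in created:
            problems.append(f"line {n}: template '{tmpl}' used before 'create {tmpl}'")
        quoted = raw.split('"')[1] if raw.count('"') >= 2 else ""
        if tok[0] == "set" and tok[2:3] == ["personality"] and quoted:
            if quoted not in known:
                problems.append(f'line {n}: personality "{quoted}" not in nmap.prints')
            shared["personality"][quoted].append(tmpl)
        elif tok[0] == "set" and tok[2:3] == ["ethernet"] and quoted:
            shared["ethernet"][quoted.lower()].append(tmpl)   # MACs compare case-insensitively
        elif tok[0] in ("dhcp", "bind"):
            attached.add(tmpl)
    for label, groups in shared.items():
        for value, ts in groups.items():
            if len(ts) > 1:                               # copy-and-paste leftover, or two hosts on one MAC
                problems.append(f'{label} "{value}" shared by templates {", ".join(ts)}')
    for t in sorted(created - attached - {"default"}):    # 'default' never needs dhcp/bind
        problems.append(f"template '{t}' is never attached with dhcp or bind")
    return problems
```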

So adding multiple honeypots to your honeyd install is fairly straightforward, but there are some things to consider when setting it up. Other topics such as email alerts are coming, but for now make sure you can get multiple honeypots running via honeyd.

28 Responses to “Honeypot / honeyd tutorial part 2, multiple honeypots”

  1. Vince Says:

    Thanks! Great tutorial! Really looking forward to your next blog posts.

  2. Jacob Says:

    If you set the ‘default tcp action’ to ‘open’ – nmap will pick up the OS when you initiate a scan.

    Also here is a Windows 7 nmap template made in the same style that honeyd uses; nmap 5.5 detects it with 90% confidence. You can paste it into the bottom of the nmap.prints file and include it in honeyd.conf.

    FingerPrint Windows_7
    TSeq(Class=TR%IPID=I%TS=100HZ)
    T1(DF=Y%W=2000%ACK=S++%Flags=AS%Ops=MNWNNT)
    T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=Y%W=0%ACK=O%Flags=AR%Ops=)
    T4(DF=Y%W=0%ACK=O%Flags=R%Ops=)
    T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
    T6(DF=Y%W=0%ACK=O%Flags=R%Ops=)
    T7(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
    PU(DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

    FingerPrint Windows_XP_SP3
    TSeq(Class=TR%IPID=I%TS=0)
    T1(DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
    T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

    Good work Travis! It is nice to see someone working on honeyd still!

  3. Sammy D Says:

    Jacob, you know that there is already an nmap.prints tool called ‘Hoof Hearted’ that makes prints for use with honeyd and current versions of Nmap. Want a tinyurl?

  4. Jacob Says:

    Sure, thanks

  5. Sammy D Says:

    Yeah man, no problem: http://tinyurl.com/5tunshd. It is kind of outdated but it works pretty well. In the hidden wiki they have links to the DL.

  6. travis Says:

    Jacob and Sammy,

    Thanks for the info, I wasn’t aware of using ‘open’ instead of ‘block’ to show the OS nor was I aware of the ‘hoof hearted’ tool. Much appreciated and thanks for the feedback.

  7. Rukender Says:

    Thanks for the nice tutorial. Will you please tell me how to set a static IP without using DHCP?

    And is the interface you mentioned in your tutorial virtual, or must it be present for real?

    Clear my doubts.

  8. travis Says:

    Rukender,

    Sorry. I looked back and saw that I didn’t actually categorize my 3rd article on doing static IPs: http://travisaltman.com/honeypot-honeyd-tutorial-part-3-static-ips/ Hopefully that should get you started. As far as the interfaces that you see in the configuration files, such as eth0, eth1, etc., all those interfaces are real interfaces in the Linux OS. Hope this helps; if not, let me know.

  9. dv Says:

    Boss, there is no /usr/share/honeyd/nmap.prints in bt5.
    Kindly help.

  10. dv Says:

    I got it.

  11. Edwanny Soto Says:

    Hey Travis.
    I need some help. I was able to get things running up and smoothly with the one honeypot, and I was able to ping within BackTrack itself and from my host; that was yesterday, but today I can only ping from my host computer and not within the virtual machine. Also, I input more than one honeynet, but for some reason my ports are closed? Do you have any idea what this problem can be?

  12. travis Says:

    Edwanny,

    Good to hear things are working better. I cannot ping within BackTrack to the honeypot, so we’re consistent there. When it comes to ports not being open on your other honeypots, I would have to look into it; can you post your conf?

  13. max Says:

    nmap.prints is kind of outdated. Is there a new version of it?

  14. travis Says:

    I would assume that gets updated when you get the newest version of nmap.

  15. Mike Says:

    Hey,

    A more up-to-date version of nmap.prints really would be a great help. I tried to convert fingerprints from the nmap-os-db, but failed. What about the tool mentioned above? Couldn’t find it. Or is there a way to manually convert current nmap prints to the old format honeyd understands?

  16. Chainsaw in the Distance Says:

    Mike, the way you can get a working fingerprint of an up-to-date machine is to install nmap 4.0 or older from oldapps.com or somewhere and scan a machine running that OS with it. When nmap fails to recognize the machine, it should output an error message and a fingerprint of the host. Pop that into honeyd and it should convince nmap that it is whatever operating system you need it to look like.

    Oh, and ignore the stuff SammyD said, it doesn’t check out. Think they’re a troll.

    If you want to go the manual route, here’s a side-by-side conversion table from some of my old notes. I broke it into sections by which line the tests are in. Then each test has its own little section, with two columns, with the new version of the test values on the left and the old version on the right.

    I don’t have answers for all of them, but this might make a good starting point.

    =============================================
    <>

    =================================================
    Class (old version used by Honeyd)
    —————————————————————————
    copy a value from a similar operating system
    ==============================================
    ==============================================
    GCD (new version) | gcd (old version)
    ——————————————————————————
    copy the value from before the closing % like so:
    %GCD=1-6% | %gcd=<6%
    ==============================================
    ==============================================
    TI (new version) | IPID (old version)
    ——————————————————————————
    BI | BI
    I | I
    RD | RD
    RI | RPI
    some hex value | C
    Z | Z
    ==============================================
    ==============================================
    SI (old version used by Honeyd)
    —————————————————————————–
    the new version of nmap doesn't use this one. I'd copy a value from a similar os, and hope for the best.
    ==============================================

    <>

    ==============================================
    R (new version) | Resp (old version). only appears in T2 and T3
    —————————————————————————————
    Y | Y
    N | N
    ===============================================
    ===============================================
    DF (new version) | DF (old version)
    —————————————————————————————
    Y | Y
    N | N
    ===============================================
    ===============================================
    A (new version) | ACK (old version)
    ——————————————————————————-
    O | O
    S | S
    S+ | S++
    Z | O
    ===============================================
    ===============================================
    W (new version) | W (old version)
    ——————————————————————————-
    [a hex value] | [a hex value]
    0 | 0
    ===============================================
    ===============================================
    F (new version) | Flags (old version)
    ——————————————————————————-
    A | A
    E | ?
    F | F
    P | P
    R | R
    S | S
    U | U
    ===============================================
    ===============================================
    O (new version) | Ops (old version)
    ——————————————————————————-
    L | ? possibly E
    M | M
    N | N
    S | ?
    T | T
    W | W
    ===============================================

    <>
    ===============================================
    DF (new version) | DF (old version)
    ——————————————————————————-
    Y | Y
    N | N
    ===============================================
    ===============================================
    TOS (new version) | TOS (old version)
    ——————————————————————————-
    you can copy this one exactly.
    ===============================================
    ===============================================
    IPL (new version) | IPLEN (old version)
    ——————————————————————————-
    Octal Value | Hex Value
    ===============================================
    ===============================================
    RIPL (new version) | RIPTL (old version)
    ——————————————————————————–
    hex value | hex value
    G | 328 or 148
    ===============================================
    ===============================================
    RID (new version) | RID (old version)
    ——————————————————————————–
    hex value | F
    G | E
    ===============================================
    ===============================================
    RIPCK (new version) | RIPCK (old version)
    ——————————————————————————–
    I | F
    Z | F
    G | E
    ===============================================
    ===============================================
    RUCK (new version) | RUCK (old version)
    ——————————————————————————–
    G | E
    some number | F
    ===============================================
    ===============================================
    ULEN (old version)
    ——————————————————————————-
    Doesn’t seem to show up in new version, best guess, set it to 134.
    ===============================================
    ===============================================
    RUD (new version) | DAT (old version)
    ——————————————————————————–
    G | E
    I | F
    ===============================================

    Suggestions:

    The old format didn’t use anything in the OPS, WIN, and IE lines, so they can be cut, but don’t get rid of them entirely.

    Make multiple conversions from different signatures of the same OS.

    Scan the new fingerprint once it’s in honeyd, and tweak it until the confidence percentages are good.

    Some of the values, such as the O values from the OPS category, can be copied in for Ops in T1 and T3 if there is nothing there; it can help eliminate alternative operating system possibilities in the results.

    Good luck.

  17. travis Says:

    @chainsaw, thanks for the info

  18. Menpan Says:

    I have installed Honeyd on Ubuntu in VMware.

    When I use nmap version 6.01,
    the OS is not shown: “No exact OS matches for host”.

    Could you help me?

  19. travis Says:

    Menpan,

    What is the target of your nmap?

  20. Menpan Says:

    This is my honeyd configuration, and I want to get the OS using nmap:
    create default
    set default personality "Microsoft Windows XP Home Edition"
    set default default tcp action reset
    set default default udp action reset
    set default default icmp action open
    add default tcp port 80 "/usr/bin/perl /usr/share/honeyd/honeyd_kit-1.0c-a/scripts/win32/iis-0.95/iisemul8.pl"
    add default tcp port 139 open
    add default tcp port 137 open
    add default udp port 137 open
    add default udp port 135 open

    bind 192.168.43.200 default

    ### Cisco router
    create router
    set router personality "Cisco IOS 11.3 - 12.0(11)"
    set router default tcp action reset
    #set router default udp action reset
    add router tcp port 23 "/usr/bin/perl /usr/share/honeyd/honeyd_kit-1.0c-a/scripts/router/cisco/router-telnet.pl"
    set router uid 32767 gid 32767
    set router uptime 1327650

    bind 192.168.43.201 router

    ## Ftp
    create template
    set template personality "Linux kernel 2.4.19 (X86)"
    set template uptime 0428938
    add template tcp port 21 "sh /usr/share/honeyd/ftp.sh"
    #set template default tcp action block
    #set template default udp action reset
    set template default tcp action reset

    bind 192.168.43.202 template

  21. travis Says:

    Menpan,

    Try “default tcp action open” at the top of your config and see if that changes your results. Also did you view the contents of nmap.prints to make sure you made the correct personality?

  22. Menpan Says:

    Thanks sir,

    Now I want to ask how to run services (ftp, ssh, etc.) in honeyd and run web in honeyd.

  23. travis Says:

    Menpan,

    Do you want a real listening service like ssh, ftp, etc or do you just want to open up the ports?

  24. Menpan Says:

    Yes sir, I want a real listening service like ssh, ftp, etc., so I can try to log in to the services.

  25. travis Says:

    I’ve played with that feature only a little bit. I would refer to Honeyd documentation. I know it can be done just not sure of the details.

  26. Menpan Says:

    Do you have the documentation file?
    So I can make ssh, ftp, etc. like real services.

  27. travis Says:

    Menpan,

    I’m sure there may be more documentation out there but here (http://www.honeyd.org/contrib.php) are a limited number of scripts that you can run to simulate a real service.

  28. archana Says:

    Hi,
    when I use DHCP

    it says aborting dhclient after 12 tries.

    Please help; tell me where I might be going wrong.
