In the past two tutorials I’ve used DHCP to obtain IP’s for our honeypots running honeyd. Using dhcp is fine when testing honeyd and getting familiar with how honeyd works but a static IP may be more suitable for your environment. In my case I initially fooled around with honeyd via dhcp but when I wanted to implement in a more production environment I realized that static IP’s are more stable and less maintenance. In order to ping our honeypot the router / switch has to know what IP and MAC address our honeypot has so it can update it’s information, going through dhcp does this automatically. I’ll touch on how to add the static IP configuration later but first let’s go over our layout. I’ll be using the same simple layout as in the first tutorial as seen below.
There may need to be some clarification in that diagram. Backtrack is what is actually running honeyd, the address of 192.168.99.135 (labeled Honeyd) which is the honeypot honeyd created can be configured to emulate any operating system. Now for the honeyd config file.
set default default tcp action block
set default default udp action block
set default default icmp action block
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet "00:00:24:ab:8c:12"
bind 192.168.99.135 windows
So the only real difference between dhcp and a static IP is the last line of the config. If you go back to the first tutorial you’ll notice the last line is the only difference as well. As a side I’ve used some configs that do not have the MAC address defined in their config but when I did not include the “set windows ethernet” line honeyd would complain and not start. So after you’ve set your config simply start honeyd.
After running honeyd you should get similar output to below.
honeyd[27305]: started with -d -f honeyd.conf
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[27305]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:00:24:ca:6b:08
honeyd[27305]: Demoting process privileges to uid 65534, gid 65534
The difference in output between static and dynamic is that you’ll see the IP address your honeypot gets when using DHCP. With static IP configuration you’re not going to get that in your output because you already know the IP you’re using. So the output via DHCP will the lines below included.
honeyd[1870]: Demoting process privileges to uid 65534, gid 65534
honeyd[1870]: [eth0] got DHCP offer: 192.168.99.135
So now you’ve take care of properly setting up honeyd to use a static IP address but now you’ll have to configure the network to use your static IP. In my enterprise production environment I’ve configured this via the DHCP server. I went into the DHCP server and made a static reservation. I also had to configure the switch I plugged my computer into and tell what VLAN that port needed to be assigned to. If you’re trying to get this set up in your work production environment you may have to work with your network team that manages DHCP / DNS / routers & switches. Networks may be managed differently so check with your local team on how you would get a static IP. Now if you’re doing this on a home network for testing then you probably have a wireless router such as Linksys. Inside all of these home wireless routers you can configure static IP’s. Each wireless router will have different steps for configuring static IP’s so refer to your manufacturers documentation on how to do that.
Next in this tutorial is what to run your honeypot / honeyd on? Laptop, desktop, server? These questions will be tackled in future articles.
22 replies on “Honeypot / honeyd tutorial part 3, static IP’s”
Hello travis,
Thanks for replying me and supporting me……
Travis … i m new to honeypot and want to install honeyd…i will tell me my configuration and problem…
I m trying to install honeyd in Backtrack Linux Vmware machine …
when i use “apt-get install honeyd” its not working…after that i download tar file and installed it.
After installation is complete …. will you tell me where i have to create this honeyd.conf file.
About my network….my backtrack machine is having 192.168.5.100 IP address…and for honeyd do i need any more physical machine….?
Travis…i really appreciate your hard work ….and your tutorials are very help….
i need one more help from you….if possible please tell me how to install honeyd in details using tar file….
It will be great help for me….reply ASAP
Rukender,
As far as the honeyd.conf it doesn’t matter where that file is located. If it’s not in the current directory when you run the command then you’ll have to let honeyd know the full path. So if honeyd.conf is in /one/two then your honeyd commmand will have to be “honeyd -f /one/two/honeyd.conf”
You only need another machine for testing. So in my case I ran honeyd in backtrack inside a VM but I needed to port scan and ping from a different VM for everything to show up properly.
As far as installing honeyd apt-get would be the best solution but you can also install from a tar. I would just follow honeyd’s steps for installing the tar. I would have to see what error message you’re getting to know during the install process to properly help you.
hey can u plz tell how to maintain logs of attackers who r hittin ports????
dv,
You can maintain logs with the “-l” (dash L option) and save those logs wherever you like on the file system. My latest article discusses this and how you can get email alerts when attackers hit your honeypot. If that doesn’t answer your question let me know.
It is the “not ether src …” condition that causes the honeyd to ignore incoming pings from the same machine.
Take care about the “or (ip ))” condition. It can be seen in the output. I had the same. I did a mess in a real network because I was receiving and handling traffic that I was not recipient of. It caused duplicating packets, cycles and other problems. To supply other parameters (like IP address) as well is sufficient. I run it as follows:
honeyd -f /etc/honeypot/honeyd.conf -d -p /etc/honeypot/nmap.prints -a /etc/honeypot/nmap.assoc -0 /etc/honeypot/pf.os -x /etc/honeypot/xprobe2.conf -u 119 -g 132 –disable-webserver -i eth0 10.3.0.1
-u, -g is UID, GID of the user honeyd.
10.3.0.1 is the listening address (entry router).
Martin,
Interesting setup, thanks for your feedback.
err.. sir travis, i’m new in research about honeyd for my final year project. so i want your feedback as soon as possible. can i learn with u step by step configuration honeyd by email. for your information i need your guide more than this because i had try set template using your tutorial but i got error and i have use ubuntu 11.04 for my virtual honeyd. i stuck in template because i don know suitable mac address..
hi
im configuring a router inside honeyd ,with static ip address
is it possible for you to give me a sample please
because i cant run any os without mac address and when run the other codes for honeyd i receive eror,thank so much in advance
my host os ip address is 10.0.3.124
pegah,
I’m happy to help where I can but the config I used is in the first black box above. What are the error messages you’re getting?
Dear travis
your config works good , but what i need is to bring the router inside my network topology in honeyd.conf
i have tried so many times with different ip addresses for the entry route, but can’t to get it to work, is there a command that i am missing or…. i am confused , i copy my ifconfig for you:
eth0 Link encap:Ethernet HWaddr 00:16:3e:d3:f2:1e
inet addr:172.16.8.176 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fed3:f21e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:67674 errors:0 dropped:0 overruns:0 frame:0
TX packets:69653 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6985250 (6.9 MB) TX bytes:12954920 (12.9 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:107969 errors:0 dropped:0 overruns:0 frame:0
TX packets:107969 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13224755 (13.2 MB) TX bytes:13224755 (13.2 MB)
here is my simple config file that is not working:
route entry 172.16.26.65
route 172.16.26.65 link 172.16.26.70/32
route 172.16.26.65 link 172.16.26.71/32
create windows
set windows personality “Microsoft Windows XP Professional SP1”
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet “00:00:24:ab:8c:12”
create routerone
set routerone personality “Cisco 7206 running IOS 11.1(24)”
set routerone default tcp action reset
add routerone tcp port 23 “scripts/router-telnet.pl”
set routerone ethernet “00:00:24:ab:8c:13”
bind 172.16.26.70 routerone
bind 172.16.26.71 windows
And this is the output from the honeyd
honeyd[17478]: started with -d -f /etc/honeypot/honeyd.conf
honeyd[17478]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:16:3e:d3:f2:1e
honeyd[17478]: Demoting process privileges to uid 65534, gid 65534
honeyd[17478]: update_check: failed to resolve host.
honeyd[17478]: TTL exceeded for dst 224.0.0.1 at gw 172.16.26.65
honeyd[17478]: No reverse routing map for 172.16.26.65
honeyd[17478]: TTL exceeded for dst 224.0.0.1 at gw 172.16.26.65
honeyd[17478]: No reverse routing map for 172.16.26.65
i can not ping the entery or any of the ip adresses……
if you have anything in yourmined to fix this routing please let me know ( the config file is example , you can write or edit it how you want )
Thank you in advance
Hello travis,
I have my honeyd already setup and I am looking forward to filter some of the broadcast traffic comming to my honed system.
I have tried using iptables [Default Linux Firewall] to stop the traffic from a particulat Source IP but it didn’t work for honeyd since it works as completely a separate kernel.
Can you suggest me some alternative that how could I Filter traffic based on IP Address on my honeyd?!
Thanks
VI,
Maybe understanding your end goal would better help me out. But for my implementation I would parse the honeyd logs looking for things to alert on and I built some logic in the script that parsed the logs to ignore certain IP’s that I knew would touch the honeyd system. In part 5 (http://travisaltman.com/honeypot-honeyd-tutorial-part-5-email-alerts/) I go into the details of how I accomplished this. Let me know if that helps solve your problem.
Hi,
First of all, thanks for your complete tutorail. It was really interesting and helped me alot.
I want to run to fake host that one of them has static ip and the other obtain ip from dhcp.
the range of IPs in lan is 192.168.1.x. So the windows machine gets a related ip from dhcp. but I have problem with linux machine. There is an error “Template “linux” is configured with ethernet address but there is no interface that can reach 10.10.10.2″.
I have used “ifconfig eth1 10.10.10.1 netmask 255.255.255.0” to solve this problem. but now how should I set the linux machine to use eth1 instead of eth0?
set windows ethernet “00:00:24:22:8c:12”
set linux ethernet “00:00:24:22:8c:14”
dhcp windows on eth0
bind 10.10.10.2 linux
guest,
Yea I would try eth1 and see if that solves your problem.
Hi Travis,
Thank you very much for this guideline you have created.
I have HoneyD and Farpd running. The problem is while HoneyD is running, I keep getting a bunch of irrelevant traffic and its building up my log file quick. The traffic I am getting is show as: “TTL Exceeded for dst 225.0.0.1 at gw 10.1.10.12” How do I filter this stuff out?
Thanks for your help.
Jay-
Hi Travis,
Is it too late to jump on this? I’m trying to emulate/simulate 1000/5000 nodes for a network management software. The farthest I’ve gotten is 96 nodes, where 88 nodes where discovered and the rest were dropped. The problem is, I’m only working on a 10.10.21.xxx network, and that basically means I can only have up to 255 nodes up for use. Which also includes the other computers in the office. If I emulate a network within my VM, I can produce 65536 virtual nodes which I can ping from outside the VM(10.10.21.94) but can not be pinged from the outside of my computer (10.10.21.50). I can only ping the nodes I created on 10.10.21.xxx if I have “dhcp template on eth0”.
My question is, is there a way to get another network up for my 1000 node discovery? I know that my 10.10.21.xxx network is currently only on 1 office router. I can request additional routers for my work, but I need advice on how to connect them.
Thanks for any help,
Alvin
Alvin,
That’s a bit outside my experience, I didnt try and emulate that many devices. If I come across the solution to this configuration I’ll let you know.
Hi Travis,
Thank you very much for this guideline you have created.
I have HoneyD and Farpd running. The problem occurring is while HoneyD is running, I keep getting a bunch of irrelevant traffic and its building up my log file quick. The traffic I am getting show as: “TTL Exceeded for dst 225.0.0.1 at gw 10.1.10.12? How do I filter this stuff out?
Thanks for your help.
Jay-
hello everyone,
this is what iam getting in the last line of final output.. Please help me with this.
update_check: failed to resolve host.
Thankyou
hello, i have problem in config honeyd..
warning : interface_new: bad interface configuration: eth0 is not ip.
i create configuration :
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create windows
set windows personality “Microsoft Windows XP Professional SP1”
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet “00:00:24:ab:8c:12”
bind 192.168.99.135 windows,
but problem interface_new: bad interface configuration: eth0 is not ip
hello everyone,
this is what iam getting in the last line of final output.. Please help me with this.
update_check: failed to resolve host.
Thankyou