Honeypot / honeyd tutorial part 3, static IPs
In the past two tutorials I’ve used DHCP to obtain IPs for our honeypots running honeyd. Using DHCP is fine when testing honeyd and getting familiar with how it works, but a static IP may be more suitable for your environment. In my case I initially fooled around with honeyd via DHCP, but when I wanted to implement it in more of a production environment I realized that static IPs are more stable and need less maintenance. In order to ping our honeypot, the router / switch has to know what IP and MAC address our honeypot has so it can update its information; going through DHCP does this automatically. I’ll touch on how to add the static IP configuration later, but first let’s go over our layout. I’ll be using the same simple layout as in the first tutorial, as seen below.
The diagram may need some clarification. Backtrack is what is actually running honeyd. The address 192.168.99.135 (labeled Honeyd) is the honeypot that honeyd created, and it can be configured to emulate any operating system. Now for the honeyd config file.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet "00:00:24:ab:8c:12"
bind 192.168.99.135 windows
So the only real difference between DHCP and a static IP is the last line of the config. If you go back to the first tutorial you’ll notice the last line is the only difference as well. As an aside, I’ve used some configs that do not have the MAC address defined, but when I did not include the “set windows ethernet” line honeyd would complain and not start. So after you’ve set your config, simply start honeyd.
After running honeyd you should get output similar to that below.
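A pre-flight check for the config above, as an added example that is not part of the original tutorial or of honeyd: it flags a statically bound template with no "set ... ethernet" line (the case that kept honeyd from starting for the author), templates configured before they are created, and invalid or repeated bind addresses. The function name, the rules and the sample config are this example's own assumptions.

```python
import ipaddress

# Constructed sample: the tutorial's static-IP config with the
# "set windows ethernet" line left out and the address bound twice.
SAMPLE_CONFIG = '''\
create default
set default default tcp action block
create windows
set windows personality "Microsoft Windows XP Professional SP1"
add windows tcp port 445 open
bind 192.168.99.135 windows
bind 192.168.99.135 windows
'''

def lint_honeyd_config(text):
    """Return (line_no, message) findings; the rules are this example's own."""
    has_mac = {}      # template name -> True once "set <name> ethernet" is seen
    bound = {}        # IP address -> line number of its first bind
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not tok:
            continue
        if tok[0] == "create" and len(tok) == 2:
            has_mac[tok[1]] = False
        elif tok[0] in ("set", "add") and len(tok) >= 3:
            if tok[1] not in has_mac:
                findings.append((no, f"template '{tok[1]}' used before create"))
            elif tok[0] == "set" and tok[2] == "ethernet":
                has_mac[tok[1]] = True
        elif tok[0] == "bind" and len(tok) == 3:
            ip, name = tok[1], tok[2]
            try:
                ipaddress.IPv4Address(ip)
            except ValueError:
                findings.append((no, f"'{ip}' is not an IPv4 address"))
                continue
            if name not in has_mac:
                findings.append((no, f"bind to unknown template '{name}'"))
            elif not has_mac[name]:
                findings.append((no, f"{ip}: template '{name}' has no ethernet line"))
            if ip in bound:
                findings.append((no, f"{ip} already bound on line {bound[ip]}"))
            bound.setdefault(ip, no)
    return findings

if __name__ == "__main__":
    for line_no, message in lint_honeyd_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {message}")
```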
honeyd[27305]: started with -d -f honeyd.conf
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[27305]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:00:24:ca:6b:08
honeyd[27305]: Demoting process privileges to uid 65534, gid 65534
The difference in output between static and dynamic is that you’ll see the IP address your honeypot gets when using DHCP. With a static IP configuration you’re not going to get that in your output because you already know the IP you’re using. So the output via DHCP will include the lines below.
honeyd[1870]: Demoting process privileges to uid 65534, gid 65534
honeyd[1870]: [eth0] got DHCP offer: 192.168.99.135
So now you’ve taken care of properly setting up honeyd to use a static IP address, but you’ll also have to configure the network to use your static IP. In my enterprise production environment I’ve configured this via the DHCP server. I went into the DHCP server and made a static reservation. I also had to configure the switch I plugged my computer into and tell it what VLAN that port needed to be assigned to. If you’re trying to get this set up in your work production environment you may have to work with your network team that manages DHCP / DNS / routers & switches. Networks may be managed differently, so check with your local team on how you would get a static IP. Now if you’re doing this on a home network for testing then you probably have a wireless router such as Linksys. Inside all of these home wireless routers you can configure static IPs. Each wireless router will have different steps for configuring static IPs, so refer to your manufacturer’s documentation on how to do that.
The next question in this tutorial is what to run your honeypot / honeyd on. Laptop, desktop, server? These questions will be tackled in future articles.

January 26th, 2012 at 1:27 am
Hello Travis,
Thanks for replying to me and supporting me……
Travis … I’m new to honeypots and want to install honeyd… I will tell you my configuration and problem…
I’m trying to install honeyd in a Backtrack Linux VMware machine …
When I use “apt-get install honeyd” it’s not working… after that I downloaded the tar file and installed it.
After installation is complete …. will you tell me where I have to create this honeyd.conf file?
About my network…. my Backtrack machine has the IP address 192.168.5.100… and for honeyd do I need any more physical machines….?
January 26th, 2012 at 1:38 am
Travis… I really appreciate your hard work …. and your tutorials are very helpful….
I need one more bit of help from you…. if possible please tell me how to install honeyd in detail using the tar file….
It will be a great help for me…. reply ASAP
January 31st, 2012 at 8:13 am
Rukender,
As far as the honeyd.conf goes, it doesn’t matter where that file is located. If it’s not in the current directory when you run the command then you’ll have to let honeyd know the full path. So if honeyd.conf is in /one/two then your honeyd command will have to be “honeyd -f /one/two/honeyd.conf”
You only need another machine for testing. So in my case I ran honeyd in backtrack inside a VM but I needed to port scan and ping from a different VM for everything to show up properly.
As far as installing honeyd, apt-get would be the best solution but you can also install from a tar. I would just follow honeyd’s steps for installing the tar. I would have to see what error message you’re getting during the install process to properly help you.
February 21st, 2012 at 5:14 pm
Hey, can you please tell how to maintain logs of attackers who are hitting ports?
February 22nd, 2012 at 6:53 pm
dv,
You can maintain logs with the “-l” (dash L option) and save those logs wherever you like on the file system. My latest article discusses this and how you can get email alerts when attackers hit your honeypot. If that doesn’t answer your question let me know.