Project 12 for CNIT 122 - honeyd (10 pts.)

What You Need

Purpose

Honeypots are useful to gather information about attackers, and to distract them. The Linux program honeyd is very easy to use and powerful.

Starting the Linux Machine

Start your machine as usual. Open a Terminal window.

In a Terminal window, enter this command, and then press Enter:

ping samsclass.info

Make sure you are getting replies, and then press Ctrl+C to stop the pings.

In a Terminal window, enter this command, and then press Enter:

ifconfig

Find the interface that goes to the Internet and make a note of it. In my case it is eth2, as shown below:

Installing honeyd

If you are using BackTrack 5 R1, honeyd is already installed. If not, you may need to install it with this command:

apt-get install honeyd

Creating the Config File

In a Terminal window, enter this command, and then press Enter:

nano honeyd-winxp.conf

Type in the configuration below. This tells honeyd to emulate a Windows XP machine.

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open

set windows ethernet "00:00:24:ab:8c:12"
dhcp windows on eth2
The "ethernet" line gives the honeypot its own MAC address, so it can request an IP address of its own from DHCP instead of sharing the Linux machine's address. In the last line, specify the interface that goes to your network--in my case it was eth2.

Save the file with Ctrl+X, Y, Enter.

Running honeyd

In a Terminal window, enter this command, and then press Enter:

honeyd -d -i eth2 -f honeyd-winxp.conf

The -d switch tells honeyd not to run as a daemon, so you can see what it's doing.

The -i specifies which interface to use; yours may not be eth2.

The -f switch tells honeyd what config file to use.

Honeyd should start, with the usual unimportant warning messages, and get an IP address from DHCP, as shown below:

Saving the Screen Image

Make sure you can see the "got DHCP offer" message, as shown above.

Save a screen capture with a filename of "Proj 12a from YOUR NAME".

Scanning the Honeypot

From your other machine, run a default nmap scan of the honeypot's IP address.

You should see ports 135, 139, and 445 open, as shown below:
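A small checker for the template file, added here as an example (it is not part of the project page or of honeyd itself). It parses the directive forms used above, reports lines honeyd would reject or that reference a template that was never created, and lists the TCP ports a default nmap scan should report as open, so you can confirm the expected 135/139/445 result before scanning. The embedded config is a constructed copy of honeyd-winxp.conf; the regexes cover only the directive forms shown on this page.

```python
import re

# Constructed sample: the lab's honeyd-winxp.conf as typed on the page.
SAMPLE_CONF = """\
create default
set default default tcp action block
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet "00:00:24:ab:8c:12"
dhcp windows on eth2
"""
# One regex per directive form used in the lab; anything else is reported, not guessed at.
RULES = [
    ("create",  re.compile(r"create (\S+)$")),
    ("info",    re.compile(r'set (\S+) (personality|ethernet) "(.+)"$')),
    ("default", re.compile(r"set (\S+) default (tcp|udp|icmp) action (\S+)$")),
    ("port",    re.compile(r"add (\S+) (tcp|udp) port (\d+) (.+)$")),
    ("dhcp",    re.compile(r"dhcp (\S+) on (\S+)$")),
]

def parse_honeyd_config(text):
    """Return (templates, problems): per-template default actions and port actions,
    plus every line that matches no known directive or names an uncreated template."""
    templates, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # '#' starts a comment in honeyd files
        if not line:
            continue
        hit = next(((k, rx.match(line)) for k, rx in RULES if rx.match(line)), None)
        if hit is None:
            problems.append(f"line {n}: unrecognised directive: {line}")
            continue
        kind, m = hit
        if kind == "create":
            templates[m.group(1)] = {"default": {}, "ports": {}}
        elif m.group(1) not in templates:
            problems.append(f"line {n}: template '{m.group(1)}' used before 'create'")
        elif kind == "default":
            templates[m.group(1)]["default"][m.group(2)] = m.group(3)
        elif kind == "port":
            templates[m.group(1)]["ports"][(m.group(2), int(m.group(3)))] = m.group(4)
        # 'info' and 'dhcp' lines only need the template to exist; nothing more to record here
    return templates, problems

def expected_open_tcp_ports(templates, name):
    """TCP ports nmap should show open: any action other than block/reset completes the handshake."""
    return sorted(p for (proto, p), act in templates[name]["ports"].items()
                  if proto == "tcp" and act not in ("block", "reset"))
```

Run it against your own file with parse_honeyd_config(open("honeyd-winxp.conf").read()) before starting honeyd; an empty problems list and [135, 139, 445] for the "windows" template is what the scan above should reproduce.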

Saving the Screen Image

In the Nmap window, scroll up as needed to make the three green "open" messages visible, as shown above.

Save a screen capture with a filename of "Proj 12b from YOUR NAME".

Turning In Your Project

Email the images to cnit.122sam@gmail.com with a subject of "Project 12 from YOUR NAME".


Source

http://travisaltman.com/honeypot-honeyd-tutorial-part-1-getting-started/




Last modified 10-7-11 3:01 pm