Difference between revisions of "Honeyd"

From ArchWiki

Revision as of 13:45, 10 July 2012

Introduction

Honeyd is an open source computer program that allows a user to set up and run multiple virtual hosts on a computer network. These virtual hosts can be configured to mimic several different types of servers, allowing the user to simulate an infinite number of computer network configurations. Honeyd is primarily used in the field of computer security by professionals and hobbyists alike.

This page walks through a simple setup. In the examples below, the server's own IP address is 192.168.1.10 and the virtual host that honeyd presents listens at 10.0.0.1.

Installation

Install the honeyd package from the AUR.

Configuration

Create these files:

/root/default.conf
create host
set host default tcp action reset
add host tcp port 23 "/tmp/hello.sh"

bind 10.0.0.1 host

/tmp/hello.sh
#!/bin/sh
echo "Led Zeppelin, great band or greatest band?"
while read data
do
        echo "$data"
done

On your firewall, add the following route so that traffic for the honeypot network is forwarded to the server running honeyd:

Destination IP    Netmask        Gateway
10.0.0.0          255.0.0.0      192.168.1.10

Open two shells on your server. In the first shell, start honeyd. In the second shell, use nc to connect to the virtual host. The output should look like this:

$ honeyd -d -p /usr/share/honeyd/nmap.prints -f default.conf 10.0.0.0/8
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[3985]: started with -d -p /usr/share/honeyd/nmap.prints -f default.conf 10.0.0.0/8
Warning: Impossible SI range in Class fingerprint "IBM OS/400 V4R2M0"
Warning: Impossible SI range in Class fingerprint "Microsoft Windows NT 4.0 SP3"
honeyd[3985]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (net 10.0.0.0/8))) and not ether src MAC_ADDY_HERE
honeyd[3985]: Demoting process privileges to uid 99, gid 99
honeyd[3985]: Connection request: tcp (192.168.1.10:60109 - 10.0.0.1:23)
honeyd[3985]: Connection established: tcp (192.168.1.10:60109 - 10.0.0.1:23) <-> /tmp/hello.sh
honeyd[3985]: Connection dropped by reset: tcp (192.168.1.10:60109 - 10.0.0.1:23)
^Choneyd[3985]: exiting on signal 2

$ nc 10.0.0.1 23
Led Zeppelin, great band or greatest band?
greatest
greatest

^C

That is a basic honeyd setup. To stop honeyd, issue the command

killall honeyd
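The hello.sh service script above only echoes input back, so nothing about the connection is kept. The script below is an added example (not from the ArchWiki page or the honeyd project) that keeps the same echo behaviour but also writes one log record per received line and stops after a fixed number of lines, so a client cannot keep the script open indefinitely. It assumes honeyd exports HONEYD_IP_SRC, HONEYD_SRC_PORT, HONEYD_IP_DST and HONEYD_DST_PORT to service scripts (falling back to "unknown" when they are absent); the log path /tmp/honeypot-telnet.log and the "run" argument are my own choices.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or the honeyd project: a honeyd
# service script for the decoy telnet port that keeps hello.sh's echo
# behaviour but also logs what the client sent. honeyd runs the script once
# per connection with the client's bytes on stdin and returns stdout to it.
#
# Assumption: honeyd exports HONEYD_IP_SRC, HONEYD_SRC_PORT, HONEYD_IP_DST
# and HONEYD_DST_PORT to service scripts; if unset (e.g. run by hand) the
# log fields fall back to "unknown".

LOGFILE="${HONEYPOT_LOG:-/tmp/honeypot-telnet.log}"   # hypothetical path
MAX_LINES=20   # cap per session so a client cannot keep the script busy forever

# One log record: UTC timestamp, client addr -> decoy addr, message.
log_line() {
    src="${HONEYD_IP_SRC:-unknown}:${HONEYD_SRC_PORT:-0}"
    dst="${HONEYD_IP_DST:-unknown}:${HONEYD_DST_PORT:-0}"
    printf '%s %s -> %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" "$1"
}

# Greet the client, then echo and log each line until EOF or MAX_LINES.
# Non-printable bytes are replaced with '?' so each record stays on one line.
handle_session() {
    count=0
    log_line "CONNECT" >>"$LOGFILE"
    echo "Led Zeppelin, great band or greatest band?"
    while [ "$count" -lt "$MAX_LINES" ] && IFS= read -r data; do
        count=$((count + 1))
        clean=$(printf '%s' "$data" | LC_ALL=C tr -c '[:print:]' '?')
        printf '%s\n' "$data"
        log_line "DATA $clean" >>"$LOGFILE"
    done
    log_line "CLOSE lines=$count" >>"$LOGFILE"
}

# Number of DATA records in a log file (handy for checking the logger).
count_data_records() {
    grep -c ' DATA ' "$1"
}

# honeyd invokes the script as "/tmp/log-telnet.sh run"; without the
# argument the file only defines the functions (so it can be sourced).
if [ "${1:-}" = "run" ]; then
    handle_session
fi
```

To use it, replace the port 23 line in default.conf with add host tcp port 23 "/tmp/log-telnet.sh run" (honeyd's own sample configs pass arguments in the command string the same way) and restart honeyd.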

You can read "Virtual Honeypots: From Botnet Tracking to Intrusion Detection" by Niels Provos for more information.

More Resources

http://www.honeyd.org/faq.php

Honeyd on Wikipedia: http://en.wikipedia.org/wiki/Honeyd

http://ulissesaraujo.wordpress.com/2008/12/08/deploying-honeypots-with-honeyd/