This lab assignment should be done alone. While you may discuss with other students, your work should be your own.
The honeyd program is a popular low-interaction honeypot. In this part of the assignment, we will be exploring the use of honeyd. Because we need root access for activities in this lab, please use the SEED virtual machine (explained at the start of lab). The virtual machine does not yet have honeyd installed on it, but it may be installed with apt-get install honeyd as root.
honeyd needs some addresses to listen to, and we need to set up our machine's routing table to be able to reach these addresses. This lab will assume that the addresses in 10.99.* are not in use and will use them. To set up your routing table to route any traffic for these addresses through loopback (back to the same physical machine), run the command route -n add -net 10.99.0.0/16 gw 127.0.0.1. After running the command, you can run route to check if this was successful (you should see an entry for this network in your routing table with a gateway of
Create a blank file called honeyd.conf, then run honeyd with the command
honeyd -d -i lo -f honeyd.conf. This runs honeyd with output to the command line, on the loopback interface using your configuration file.
1. In a different terminal ping any host in the 10.99 network. What do you observe?
2. (2 points) Is this behavior that you would want from a honeypot? Why?
To change the default behavior, we can set a default template for honeyd's handling of traffic. To create a default that denies all connections, add the following lines to your honeyd.conf:
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
3. Run honeyd with this configuration and try to ping a host on the network. What happens? Explain why.
Now, let's add a host to our honeypot network. Add the following entry:
create winxp
set winxp personality "Microsoft Windows XP Professional SP1"
bind 10.99.0.5 winxp
Run honeyd with the new configuration. As root, run the command nmap 10.99.0.5 (while honeyd is still running).
4. Explain the output of nmap. What did nmap do? What does the output mean?
5. Based on your observations, what is honeyd's default behavior for a host?
We can modify the behavior of our honeypot host by changing the action taken for specific ports using lines like add winxp tcp port 135 open, which opens port 135. Set the default action for tcp on winxp to reset (similar to how you set it to block for the default template). Open some tcp ports typically open on a Windows XP machine: 135, 139, and 445. When you add these, keep the bind line at the bottom.
6. Now what is your nmap output when run on this virtual host? Is it what you expect? Explain.
Create a virtual Linux machine in your honeyd.conf. The personality line defines OS-specific characteristics. You can find a list of valid personalities in /etc/honeypot/nmap.prints. Open tcp ports 21, 23, and 79.
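As an added example that is not part of the lab handout, here is a small Python checker for the honeyd.conf directives used above. It flags set/add lines on a template that was never created, bind lines outside the 10.99.0.0/16 range routed earlier, and, as the handout warns, settings placed after a template's bind line. The sample configuration is constructed from the lab's own default and winxp entries, with the winxp bind line deliberately misplaced.

```python
import shlex

# Constructed sample built from the lab's own default and winxp entries;
# the winxp bind line is deliberately placed before its port rules.
SAMPLE_CONF = """\
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create winxp
set winxp personality "Microsoft Windows XP Professional SP1"
set winxp default tcp action reset
bind 10.99.0.5 winxp
add winxp tcp port 135 open
add winxp tcp port 139 open
add winxp tcp port 445 open
"""

def parse_conf(text):
    # Yield (line_no, tokens) for every non-empty, non-comment line.
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            entries.append((no, shlex.split(line)))
    return entries

def check_conf(text):
    """Return a list of problems found; an empty list means none were found."""
    problems = []
    created = set()   # template names seen in 'create' lines
    bound = {}        # template name -> line number of its first 'bind'
    for no, tok in parse_conf(text):
        kw = tok[0]
        if kw == "create":
            created.add(tok[1])
        elif kw in ("set", "add"):
            tmpl = tok[1]
            if tmpl not in created:
                problems.append(f"line {no}: '{kw}' on unknown template {tmpl}")
            if tmpl in bound:
                problems.append(f"line {no}: '{kw}' for {tmpl} comes after its bind"
                                f" on line {bound[tmpl]}; keep bind last")
        elif kw == "bind":
            ip, tmpl = tok[1], tok[2]
            if tmpl not in created:
                problems.append(f"line {no}: bind of unknown template {tmpl}")
            if not ip.startswith("10.99."):
                problems.append(f"line {no}: {ip} is outside the routed 10.99.0.0/16")
            bound.setdefault(tmpl, no)
    return problems
```

Running check_conf on SAMPLE_CONF reports the three add lines that follow the bind; moving the bind line to the end clears the report.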
7. What does your config file look like so far?
8. (2 points) Based on running nmap against this Linux machine (and perhaps some Google queries), why would this machine be attractive to an attacker?