CIS 458 Lab 8: Honeypots

This lab assignment should be done alone. While you may discuss with other students, your work should be your own.

The honeyd program is a popular low-interaction honeypot. In this part of the assignment, we will be exploring the use of honeyd. Because we need root access for ativities in this lab, please use the SEED virtual machine (explained at the start of lab). The virtual machine does not yet have honeyd installed on it, but it may be installed with apt-get install honeyd as root.

honeyd needs some addresses to listen to, and we need to set up our machines routing tables to be able to reach these addresses. This lab will assume that the addresses in 10.99.* are not in use and will use them. To set up your routing table to route any traffic for these addresses though loopback (back to the same physical machine), run the command route -n add -net gw After running the command, you can use route to check if this was successful (you should see an entry for this network in your routing table with a gateway of localhost).

Create a blank file called honeyd.conf, then run honeyd with the command honeyd -d -i lo -f honeyd.conf. This runs honeyd with output to the command line, on the loopback interface using your configuration file.

1. In a different terminal ping any host in the 10.99 network. What do you observe?

2. (2 points) Is this behavior that you would want from a honeypot? Why?

To change the default behavior, we can set a default template for honeyd handling of traffic. To create a default that denies all connections, add the following lines to your honeyd.conf:

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

3. Run honeyd with this configuration and try to ping a host on the network. What happens? Explain why.

Now, lets add a host to our honeypot network. Add the following entry:

create winxp
set winxp personality "Microsoft Windows XP Professional SP1"
bind winxp

Run honeyd with the new configration. As root, run the command nmap (while honeyd is still running)

4. Explain the output of nmap. What did nmap do? What does the output mean?

5. Based on your observations, what is honeyd's default behavior for a host?

We can modify the behavior of our honeypot host by changing the action taken for specific ports using lines like add winxp tcp port 135 open to open port 135. Set the default action for tcp on winxp to reset (similar to how you set it to block for the default template). Open some tcp ports typically open on a windows xp machine: 135, 139, and 445. When you add these, keep the bind line at the bottom.

6. Now what is your nmap output when run on this virtual host? Is it what you expect? Explain.

Create a virtual linux machine in your honeyd.conf. The personality line defines OS-specific characteristics. You can find a list of valid personailties in /etc/honeypot/nmap.prints. Open tcp ports 21, 23, and 79.

7. What does your config file look like so far?

8. (2 points) Based on running nmap against this linux machine, (and perhaps some google queries), why would this machine be attractive to an attacker?