Building a Honeypot...

Discussion in 'Computer Security' started by obtix, Jan 12, 2005.

  1. obtix

    obtix Guest

    I am building a Honeypot for my college to use in the near future. The
    system is already built and is about an avg. desktop PC; the system is
    and must be running Linux (I have already configured a very dependable
    Debian 3.1 box running kernel 2.6.10). Now what I need:
    I need the Honeypot to be able to emulate various Windows systems as
    well as Linux, Unix, and Mac OS X systems. Logging is key but, more
    importantly, it needs to be stable and be able to handle attacks on the
    emulated OSes without crashing the Debian system.
    I have been looking into two solutions so far, one I threw out instantly
    and the other (which I was leaning towards) is having many install
    problems (honeyd - honeyd.org). Any help, suggestions, ideas?
     
    obtix, Jan 12, 2005
    #1

  2. donnie

    donnie Guest

    On 11 Jan 2005 16:35:30 -0800, "obtix" <> wrote:

    >I am building a Honeypot for my college to use in the near future. The
    >system is already built and is about an avg. desktop PC; the system is
    >and must be running Linux (I have already configured a very dependable
    >Debian 3.1 box running kernel 2.6.10). Now what I need:
    >I need the Honeypot to be able to emulate various Windows systems as
    >well as Linux, Unix, and Mac OS X systems. Logging is key but, more
    >importantly, it needs to be stable and be able to handle attacks on the
    >emulated OSes without crashing the Debian system.
    >I have been looking into two solutions so far, one I threw out instantly
    >and the other (which I was leaning towards) is having many install
    >problems (honeyd - honeyd.org). Any help, suggestions, ideas?

    ##############################
    I just went to www.honeypot.com
    and here's what I found:

    This site is defaced!!!
    --------------------------------------------------------------------------------
    NeverEverNoSanity WebWorm generation 21.

    You might find some honeypot info at:
    http://www.honeynet.org/

    http://www.maconlinux.org/
    There is something about Mac on Linux

    http://www.winehq.com/
    Windows emulation.

    I don't know about the Unix emulator. You didn't mention what the
    install problems are.
    donnie.
     
    donnie, Jan 12, 2005
    #2

  3. obtix

    obtix Guest

    Well, that's kinda funny at honeypot.com... When I say emulation I
    don't mean those actual OSes are running - honeyd is supposed to
    emulate them in scripts. A script will, for example, in a Linux system
    cause it to appear as a Windows system from the other end of the network.
     
    obtix, Jan 12, 2005
    #3
  4. donnie

    donnie Guest

    On 11 Jan 2005 17:54:01 -0800, "obtix" <> wrote:

    >Well, that's kinda funny at honeypot.com... When I say emulation I
    >don't mean those actual OSes are running - honeyd is supposed to
    >emulate them in scripts. A script will, for example, in a Linux system
    >cause it to appear as a Windows system from the other end of the network.

    ##########################
    In other words, you're trying to fool anyone who is trying to
    fingerprint the server. If your honeypot is acting as a web server
    and I use www.netcraft.com to see what your server is running, it's
    only going to give me one current answer. I don't know if you can
    fool it. Of course, there are other ways to fingerprint the server.
    One is by ICMP responses, as shown at:
    http://www.sys-security.com/html/projects/X.html
    Others are by a query to the TCP/IP stack:
    http://www.insecure.org/nmap/nmap-fingerprinting-article.html

    Do a Google search for OS fingerprinting.
    donnie

    I suggest that you read some docs on
     
    donnie, Jan 12, 2005
    #4
  5. obtix

    obtix Guest

    That is how honeyd does it... using fingerprint responses (actually, if I
    am not mistaken, they are the same responses from nmap). I really want
    to use honeyd because of the features but it won't install correctly.
    It is nice because I can make a whole virtual network inside of one
    machine and that machine can have a different IP and MAC for each OS it
    emulates. There is also the Honeynet CDROM from the Honeynet Project...
    This works awesome as it is but is a bootable CD. I need a more secure
    solution since this is going to be used on a college network.
     
    obtix, Jan 12, 2005
    #5
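The setup obtix describes above (one Debian box presenting several emulated systems, each with its own IP and MAC, fingerprint responses taken from nmap's database, connections logged) is what a honeyd configuration file expresses. The file below is an added example written for this thread, not something any poster supplied; the personality strings must match entries in the nmap.prints file honeyd is started with, and the addresses, MACs, interface name and script paths are assumptions for a lab network.

```conf
# Added example honeyd.conf (not from the thread). Personality names must
# exist in nmap.prints; IPs, MACs, interface and script paths are assumed.
# Start with connection logging to a file, claiming the whole lab range:
#   honeyd -d -i eth0 -f honeyd.conf -l /var/log/honeyd.log 192.168.1.0/24

# Catch-all template: addresses not bound below stay silent.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Windows personality. honeyd answers probes with the TCP/IP stack quirks
# recorded for this fingerprint, so an OS scan of 192.168.1.201 sees
# Windows rather than the Debian host that actually replies.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows uptime 3284460
set windows ethernet "00:00:24:ab:8c:12"
add windows tcp port 80 "sh /usr/share/honeyd/scripts/win32/web.sh"
add windows tcp port 139 open
add windows tcp port 445 open
bind 192.168.1.201 windows

# Linux personality on a second address with a different MAC, so the
# two virtual hosts look like separate machines at layer 2 as well.
create linux
set linux personality "Linux 2.4.16 - 2.4.18"
set linux default tcp action reset
set linux default udp action reset
set linux ethernet "00:00:24:cd:9e:34"
add linux tcp port 22 open
add linux tcp port 80 "sh /usr/share/honeyd/scripts/web.sh"
bind 192.168.1.202 linux
```

Service scripts only run as the honeyd user and only emulate the protocol, so an attack on an emulated port never touches the Debian host's real daemons, which is the stability property obtix asked for.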
  6. donnie

    donnie Guest

    On 12 Jan 2005 09:57:06 -0800, "obtix" <> wrote:

    >That is how honeyd does it... using fingerprint responses (actually, if I
    >am not mistaken, they are the same responses from nmap). I really want
    >to use honeyd because of the features but it won't install correctly.
    >It is nice because I can make a whole virtual network inside of one
    >machine and that machine can have a different IP and MAC for each OS it
    >emulates. There is also the Honeynet CDROM from the Honeynet Project...
    >This works awesome as it is but is a bootable CD. I need a more secure
    >solution since this is going to be used on a college network.

    ########################
    I just looked at my FreeBSD box and honeyd is in the ports collection.
    I didn't install it since I don't need a honeypot. In any event, we
    might be able to get you through the install problems. Are they
    dependency problems? What error messages are you getting? Search the
    error messages on google. That has helped me a lot.
    donnie.
     
    donnie, Jan 13, 2005
    #6
  7. obtix

    obtix Guest

    Actually I got it installed... I've even gotten it working (since my
    first message; I was one of the first to use the new version, and there was
    a SMALL problem in a Perl dep.). The main problem is that this is my
    last semester now... I need something that will be easy for me to pass
    down the line when I'm gone. Once the script is set up I feel it won't
    be too bad but I was looking for other options - maybe a menu system.
    Also, I have since heard about something called S.P.A.N.K. I think that
    this might provide a Java-based X interface for the person running the
    honeypot.
     
    obtix, Jan 13, 2005
    #7
  8. sh4d03

    sh4d03 Guest

    obtix wrote:
    > Actually I got it installed... I've even gotten it working (since my
    > first message; I was one of the first to use the new version, and there was
    > a SMALL problem in a Perl dep.). The main problem is that this is my
    > last semester now... I need something that will be easy for me to pass
    > down the line when I'm gone. Once the script is set up I feel it won't
    > be too bad but I was looking for other options - maybe a menu system.
    > Also, I have since heard about something called S.P.A.N.K. I think that
    > this might provide a Java-based X interface for the person running the
    > honeypot.
    >


    Obtix, would you mind if I E-mailed you? I'm VERY interested in setting
    up a honeynet - I am actually thinking of starting it tonight. I just want
    to contact you and get you to share your thoughts on what my options are
    and what would best serve what I want to do.

    If you would prefer me to contact you on another E-mail address which you
    don't wish to publish here, just follow the instructions below to contact me.

    Thanks in advance,

    Sh4d03

    --
    If you require more assistance or if my suggestion works please E-mail me at
    sh4d03 [at] TPG [dot] com [dot] au. Additionally, if you are able to provide
    assistance to me and wish to E-mail me directly please also feel free to
    contact me in this manner. Please ensure you include "Newsgroup_sh4d03"
    in the subject line. Please pay attention to the capitalisation. E-mails sent
    to the above address which do NOT contain "Newsgroup_sh4d03" in the
    subject line will fail to reach me.
    Thanks,
    Sh4d03
     
    sh4d03, Jan 13, 2005
    #8
  9. donnie

    donnie Guest

    On 12 Jan 2005 23:09:16 -0800, "obtix" <> wrote:

    >Actually I got it installed... I've even gotten it working (since my
    >first message; I was one of the first to use the new version, and there was
    >a SMALL problem in a Perl dep.). The main problem is that this is my
    >last semester now... I need something that will be easy for me to pass
    >down the line when I'm gone. Once the script is set up I feel it won't
    >be too bad but I was looking for other options - maybe a menu system.
    >Also, I have since heard about something called S.P.A.N.K. I think that
    >this might provide a Java-based X interface for the person running the
    >honeypot.

    #########################
    I'm glad it's installed. I just don't know what you mean by pass down
    the line. You mentioned that it's your last semester. Apparently,
    it's a school project. Does your grade depend on what you leave for
    the next class? I don't know what scripts are needed. You shouldn't
    have to provide an X-based interface for the next crew. That should be
    their problem.
    donnie
     
    donnie, Jan 13, 2005
    #9
  10. obtix

    obtix Guest

    Yeah, it would be great to have some more input as well as assist you
    with anything. Email me at . I am on a small vacation
    for the weekend but will be using the web-based stuff to check it on a
    daily basis.
     
    obtix, Jan 14, 2005
    #10
  11. obtix

    obtix Guest

    Ok... since being at my college I have helped put together three
    classes dealing with other kids on the same major/minor track as me
    (Info Tech and Cyberlaw). The classes were Computer Forensics,
    Hacking (for lack of a better term, mainly dealing with various
    technology), and the class the honeypot is for, Cyber Security. I am not
    actually in the class; however, the college does give me "FREE" credit
    to get them in the right direction (thanks to my chair and adviser
    being friends to me). Anyways... I have already built a few computers
    for my dept. Digital Playground (fileserver, webserver, etc...). Last
    semester was the first time my Cyber Security class ran; kids in the
    class used the tools offered to them to cause damage in some switches
    that were overlooked (by the dumbass admin). Honeyd will allow me to
    emulate (on the same machine) routers and other operating systems for
    the kids to crack. I have also added a virtual terminal giving the kids
    access to nmap, nessus, and various DoS/DDoS and packet generators
    that can only be used against certain IP addresses. Though when I leave
    this school there will be no one to admin the honeypot; at this point my
    adviser will be handling it when I am gone but to make it easier I need
    some ideas.
     
    obtix, Jan 14, 2005
    #11
  12. sh4d03

    sh4d03 Guest

    obtix wrote:
    > Yeah, it would be great to have some more input as well as assist you
    > with anything. Email me at . I am on a small vacation
    > for the weekend but will be using the web-based stuff to check it on a
    > daily basis.
    >


    Obtix I can't get E-mails to you. I keep getting a reply back from the
    Mail Delivery Subsystem claiming:

    ----- The following addresses had permanent fatal errors -----
    <>
    (reason: 550 5.7.1 Access denied)

    I've tried using both standard and SSL connections.

    Any ideas?

    Sh4d03

     
    sh4d03, Jan 14, 2005
    #12
  13. obtix

    obtix Guest

    Yeah, that is what happened when I tried to email you. I'm not sure
    where the problem is (on my end or your end) but I will take a look at
    my mail server after my vacation since everything else seems to be
    working otherwise. Until then see if you can send an email to
    .
     
    obtix, Jan 14, 2005
    #13
  14. donnie

    donnie Guest

    On 13 Jan 2005 20:33:12 -0800, "obtix" <> wrote:

    >Though when I leave
    >this school there will be no one to admin the honeypot; at this point my
    >adviser will be handling it when I am gone but to make it easier I need
    >some ideas.

    #######################
    It all sounds good. I don't know how much easier you can make it for
    them. It's not an easy task in the first place. I think you've done
    enough from what you've said.
     
    donnie, Jan 14, 2005
    #14
