A honeypot is a computer system that is expressly set up to attract and trap an attacker who is attempting to compromise the information systems of an organization. Honeypots also allow analysis of the ways in which attackers try to compromise an information system, providing valuable insight into potential system loopholes.
A honeypot works by fooling attackers into believing it is a legitimate system; they attack it without knowing that they are being observed covertly. When an attacker attempts to compromise a honeypot, attack-related information, such as the attacker's IP address, is collected. The attacker's activity provides valuable information on attacking techniques, allowing system administrators to trace back to the source of the attack if required.
A common setup is to deploy a honeypot within a production network. The figure below shows such a honeypot; it is not registered in any name servers or other production systems, such as a domain controller, so nobody knows it exists. This matters because only in a properly configured network can one assume that every packet sent to the honeypot is a suspected attack. If traffic from misconfigured systems arrives, the number of false alerts rises and the value of the honeypot drops.
Categories of Honeypots
There are two categories of honeypots: production honeypots and research honeypots. A production honeypot is used to mitigate risk to an organization, while a research honeypot is meant to gather as much information as possible. Research honeypots do not add any direct security value to an organization, but they help to understand the blackhat community and its attacks and to build better defenses against security threats.
To make honeypots look more like production systems, people have begun to set up complex systems consisting of multiple honeypots, IDS and firewalling components. Multiple honeypots on a network form a honeynet.
Below is the network diagram of a honeynet setup with four honeypots. The Honeywall acts in bridge mode, performing the same function as a switch. This connects the honeynet logically to the production network and allows the honeynet to use the same address range.
HoneyDrive is the premier honeypot Linux distro: a virtual appliance (OVA) with the Xubuntu Desktop 12.04.4 LTS edition installed, with all the major honeypot-related software pre-installed and pre-configured to work out of the box. It contains the Kippo SSH honeypot, the Dionaea malware honeypot, the Honeyd low-interaction honeypot, the Glastopf web honeypot along with Wordpot, the Thug honeyclient, and more. Additionally it includes pre-configured scripts and utilities to analyze, visualize and process the data these honeypots capture, such as Kippo-Graph and Honeyd-Viz. Lastly, many well-known malware analysis, forensics and network monitoring tools are also present in the distribution.
HoneyDrive is very simple to install and works mostly without any extra configuration. To install, download the .ova from http://sourceforge.net/projects/honeydrive/. If you are using VirtualBox, double-click the downloaded .ova to launch the virtual machine importer. The VM should import without issue.
Once the import is finished, you will have a new, ready to run HoneyDrive virtual machine available in your inventory.
Then just configure its settings, and start it up.
Honeyd is a flexible low interaction honeypot used for capturing attacker activity.
With Honeyd you can create templates of machine behavior and then deploy numerous instances of these templates on a single machine, effectively emulating a full network. Honeyd can be configured to act like a real operating system; in fact there are approximately 1000 OS personalities to choose from. The primary purpose of Honeyd is detection, specifically detecting unauthorized activity within an organization.
Honeyd is able to fool network fingerprinting tools into thinking they are dealing with a real operating system.
Honeyd can detect any activity on a UDP or TCP port, as well as some ICMP activity. With Honeyd, we are not only detecting attacks, but also creating emulated services that interact with the attacker. These emulated services allow us to determine what the attacker is attempting to do and what they are looking for. This is done with scripts that listen on specific ports and interact with attackers in a predetermined manner.
The greatest value of Honeyd is not the ports it listens on or the level of emulation, but its ability to monitor millions of IP addresses at the same time.
Honeyd is completely user-customizable through a simple text editor, where you define traits such as its base operating system, port behavior, and more. Honeyd can simulate a whole slew of port services for each individual honeypot, such as HTTP, FTP, telnet, rsh, SMTP, and plenty more.
Honeyd also has several advanced features, the first of which is proxying. Proxying allows Honeyd to accept a connection from an attacker and then redirect that connection to another system.
Some interesting features that honeyd provides include:
Manipulates TCP/IP packets to create the illusion that there is a host on the network.
Convincingly emulates a plethora of port services.
Can impersonate up to a thousand different operating systems.
User can define unique virtual hosts using simple config files.
Lets you catch spammers and network intruders, as well as observe their behaviors.
Safe and isolated from the true host computers.
Setting up honeyd is very easy. A configuration file, the heart of your honeypot, tells honeyd what operating system to emulate, how it responds to closed ports, what ports to open and what service listens on which port. We can simply create a custom config file under the /etc/honeypot/ directory and tweak it to emulate all sorts of setups. Below is the custom configuration file.
Inside the honeyd config file we create a Windows template. The “create default” section tells honeyd to drop traffic unless it is handled by a template defined later in the configuration file. “create” defines a template for a honeypot, so you can create as many honeypots as you like within honeyd.conf. The “set” and “add” commands configure the template and add the various services. In the Windows template we first set the personality, so that when another device on the network connects to this honeypot it appears to be a Windows XP Pro SP1. We also open ports 135, 139, and 445, which are commonly open on a Windows system. “set Windows ethernet” assigns a MAC address to the honeypot; it is needed if you run the honeypot via DHCP, and any MAC address of the form aa:bb:cc:dd:ee:ff will do. Finally we bind an IP address to the honeypot. The dhcp statement tells the Windows template to acquire an IP address from DHCP. To bind a static IP address instead we write “bind <static IP> <template name>”, for example “bind 192.168.2.10 Windows”.
We have plenty of options when choosing a personality for a honeypot. Honeyd takes advantage of Nmap and the way it fingerprints devices. The list of personalities is located in the nmap.prints file; you should be able to find this file with the following command.
Within nmap.prints, anything that follows the word “Fingerprint” is available as a personality. In the example below, the strings Apple Mac OS 8.5 and Sun Solaris 2.5 – 2.5.1 can each be used as a personality in honeyd.conf. The fingerprint data below each name describes the detailed initial connection behavior of that system; these values are used to emulate the initial three-way handshake that sets up the connection.
We can add multiple personalities in our custom honeyd.conf. The honeyd.conf for all three (Windows, Apple and Solaris) of these honeypots is below.
After setting up the honeyd.conf file properly, we have to run the following command to set the proper permissions for the honeyd logs.
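As an added example (not the article's own configuration file and not part of honeyd), the following Python script emits a honeyd.conf for the three templates described above, and before writing it checks each personality against the “Fingerprint” lines of nmap.prints, since honeyd only accepts a personality string that matches such a line exactly. The nmap.prints excerpt, the template names, open ports, MAC address and IP addresses are constructed or assumed values.

```python
"""Emit a honeyd.conf, checking personalities against nmap.prints first (added example)."""
import re

# Constructed stand-in for nmap.prints; honeyd only needs the "Fingerprint" names.
NMAP_PRINTS = """\
Fingerprint Microsoft Windows XP Pro SP1
Fingerprint Apple Mac OS 8.5
Fingerprint Sun Solaris 2.5 - 2.5.1
"""

# One entry per honeypot (assumed values): template name, personality, open TCP
# ports, and an address via "dhcp" (interface) or "bind" (static IP).
TEMPLATES = [
    {"name": "Windows", "personality": "Microsoft Windows XP Pro SP1",
     "tcp": [135, 139, 445], "ethernet": "aa:bb:cc:dd:ee:ff", "dhcp": "eth0"},
    {"name": "Mac", "personality": "Apple Mac OS 8.5",
     "tcp": [80, 548], "bind": "192.168.2.11"},
    {"name": "Solaris", "personality": "Sun Solaris 2.5 - 2.5.1",
     "tcp": [21, 23, 25], "bind": "192.168.2.12"},
]

def personalities(prints_text):
    """Names usable after 'set <template> personality' in honeyd.conf."""
    return {m.group(1).strip()
            for m in re.finditer(r"^Fingerprint (.+)$", prints_text, re.M)}

def build_conf(templates, prints_text):
    """Return honeyd.conf text; raise ValueError on an unknown personality."""
    known = personalities(prints_text)
    # "default" template: drop traffic to any address not claimed below.
    lines = ["create default",
             "set default default tcp action block",
             "set default default udp action block",
             "set default default icmp action block", ""]
    for t in templates:
        if t["personality"] not in known:
            raise ValueError("not a Fingerprint in nmap.prints: %r" % t["personality"])
        n = t["name"]
        lines += ["create %s" % n,
                  'set %s personality "%s"' % (n, t["personality"]),
                  "set %s default tcp action reset" % n,
                  "set %s default udp action reset" % n]
        lines += ["add %s tcp port %d open" % (n, p) for p in t["tcp"]]
        if "ethernet" in t:  # a MAC is required when the address comes from DHCP
            lines.append('set %s ethernet "%s"' % (n, t["ethernet"]))
        lines.append("dhcp %s on %s" % (n, t["dhcp"]) if "dhcp" in t
                     else "bind %s %s" % (t["bind"], n))
        lines.append("")
    return "\n".join(lines)
```

Run build_conf(TEMPLATES, NMAP_PRINTS) against the real nmap.prints on the HoneyDrive box to catch a mistyped personality before honeyd is started with the file.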
Now we can simply launch honeyd by the following command.
Here the -l option saves results to a log file and the -f option reads the configuration from a file. The -d option keeps honeyd from running in the background, which gives more verbose output so that we can troubleshoot as needed.
After successfully deploying honeyd, we use Nmap from the BackTrack machine to fingerprint it. Below are the Nmap command and output. The “-sV” option reports the versions of the services running on the remote hosts.
We have to run honeyd2mysql to load the log file into a MySQL database. It is a script that populates a MySQL database with data extracted from the honeyd honeypot's log. To run it, change to the /honeydrive/honeyd2mysql/ directory and run the command below.
To see graphical statistics from honeyd we can use Honeyd-Viz, a full-featured script to visualize statistics from a honeyd honeypot. Honeyd-Viz currently shows 20 charts. Geolocation data is also extracted and displayed with Google visualization technology using a Google Map, an Intensity Map, etc. We can view the honeyd stats in a web browser by visiting http://localhost/honeyd-viz/.
Above you see the initial start screen for Honeyd-Viz. The results aren't delivered in real time, so you have to click “GENERATE_THE_HONEYD_GRAPHS();”. What follows is very detailed information.
Connections by protocol (bar chart & pie chart)
This vertical bar chart and pie chart displays the distribution of incoming connections by protocol.
Connections by destination IP (bar chart & pie chart)
This vertical bar chart and pie chart displays the distribution of incoming connections by destination IP.
Connections per day/week
This horizontal bar chart displays the days with the most connections (Top 20) against the honeypot system.
This line chart displays the daily/weekly activity on the honeypot system. Curves indicate connection attempts over a daily/weekly period.
Connections per IP (bar chart & pie chart)
This vertical bar chart and pie chart displays the top 10 unique IPs ordered by the number of overall connections to the system.
UDP/TCP/ICMP connections per IP (bar chart & pie chart)
This vertical bar chart and pie chart displays the top 10 unique IPs ordered by the number of UDP/TCP/ICMP connections to the system.
Connections by destination port (bar chart & pie chart)
This vertical bar chart and pie chart displays the most accessed resources (ports) of the honeypot system.
Geolocation information gathered from the top 10 IP addresses probing the system
The above table displays the top 10 IP addresses connected to the system (ordered by volume of connections).
Number of connections per unique IP (bar chart & pie chart)
The above bar chart and pie chart visualize the top 10 IPs ordered by the number of connections to the system.
Graph – Gallery
In this tab you can see all the images on a single page with the help of Fancybox.
Risk in Honeyd
Honeyd introduces limited risk to an organization. The honeypot is not designed to provide attackers with a complete operating system; instead, attackers are limited to the functionality emulated by the scripts.
The other risk is that a misconfigured Honeyd honeypot can have a drastic effect on the network. If you mistakenly configure Honeyd to receive the traffic of valid production systems, you can cause a great deal of damage to production activity.
Honeypots have their advantages and disadvantages. They are clearly a useful tool for luring and trapping attackers, capturing information and generating alerts when someone interacts with them. A honeypot is a valuable resource, especially for collecting information about the activities of attackers and the tools they deploy. No other mechanism matches the efficiency of a honeypot when gathering information is the primary goal, especially if the tools an attacker uses are of interest. Honeypots are considered an effective method to track attacker behavior and heighten the effectiveness of computer security tools.
Honeyd is a flexible low interaction honeypot used for capturing attacker activity. The possibility to generate different virtual honeypots on one machine, even with different simulated operating systems, enhances the usability of this honeypot even further. It's great for simulating victims and collecting a lot of interesting information. Honeyd is flexible and extensible, and can be applied in many areas of information security.