Hack 94 Simulate a Network of Vulnerable Hosts


Use honeyd to fool would-be attackers into chasing ghosts.

As the saying goes, you will attract more flies with honey than with vinegar. (I've never understood that saying; who wants to attract flies, anyway?) A honeypot is used to attract the "flies" of the Internet: script kiddies and hacker wannabes that have nothing better to do with their time than scan for vulnerable hosts and try to attack them. A honeypot does this by pretending to be a server running vulnerable services, but is in fact collecting information about the attackers who think themselves so clever.

Whether you want to simulate one or one thousand vulnerable network hosts, honeyd (http://www.honeyd.org) makes the job as simple as editing a configuration file and running a daemon. The honeyd daemon can simulate thousands of hosts simultaneously and lets you configure which operating system each host will appear to be when scanned with operating system detection tools like Nmap [Hack #42]. Each system that honeyd simulates appears to be a fully functioning node on the network. Besides simply creating hosts that respond to pings and traceroutes, honeyd also lets you configure what services each host appears to be running. You can either use simple scripts to emulate a given service or have honeyd act as a proxy and forward requests to another host for servicing.

honeyd has several prerequisites that you'll need to install before building the daemon itself. These are libevent (http://www.monkey.org/~provos/libevent/), libdnet (http://libdnet.sourceforge.net), and libpcap (http://www.tcpdump.org). These can be easily installed by downloading and unpacking them and then using the standard ./configure && make install procedure. After the libraries are installed, you can install honeyd the same way. Then copy the service emulation scripts from the source distribution to somewhere more permanent (e.g., /usr/local/share/honeyd/scripts). Only a few scripts come with honeyd itself, but additional service emulation scripts are available on honeyd's contributions page (http://www.citi.umich.edu/u/provos/honeyd/contrib.html).

Once honeyd has been installed, you'll need to create a configuration file that defines the types of operating systems and services honeyd will emulate, and the IP addresses honeyd will respond to. First, create some operating system templates:

### Windows computers
create windows-web
set windows-web personality "MS Windows2000 Professional RC1/W2K Advance Server Beta3"
set windows-web default tcp action reset
set windows-web default udp action reset
add windows-web tcp port 80 "perl scripts/win2k/iisemulator-0.95/iisemul8.pl"
add windows-web tcp port 139 open
add windows-web tcp port 137 open
add windows-web tcp port 5900 "sh scripts/win2k/vnc.sh"
add windows-web udp port 137 open
add windows-web udp port 135 open

create windows-xchng
set windows-xchng personality "MS Windows2000 Professional RC1/W2K Advance Server Beta3"
set windows-xchng default tcp action reset
set windows-xchng default udp action reset
add windows-xchng tcp port 25 "sh scripts/win2k/exchange-smtp.sh"
add windows-xchng tcp port 110 "sh scripts/win2k/exchange-pop3.sh"
add windows-xchng tcp port 119 "sh scripts/win2k/exchange-nntp.sh"
add windows-xchng tcp port 143 "sh scripts/win2k/exchange-imap.sh"
add windows-xchng tcp port 5900 "sh scripts/win2k/vnc.sh"
add windows-xchng tcp port 139 open
add windows-xchng tcp port 137 open
add windows-xchng udp port 137 open
add windows-xchng udp port 135 open

### Linux 2.4.x computer
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action reset
set linux default udp action reset
add linux tcp port 110 "sh scripts/pop3.sh"
add linux tcp port 25 "sh scripts/smtp.sh"
add linux tcp port 21 "sh scripts/ftp.sh"

And then bind them to the IP addresses that you want to use:

bind 192.168.0.10 windows-web
bind 192.168.0.11 windows-xchng
bind 192.168.0.12 linux

Save this configuration file in a good place (e.g., /usr/local/share/honeyd/honeyd.conf). Then start honeyd and arpd like this:

# arpd 192.168.0.10-192.168.0.12
# cd /usr/local/share/honeyd
# honeyd -p nmap.prints -x xprobe2.conf -a nmap.assoc \
 -0 pf.os -f honeyd.conf
honeyd[5861]: started with -p nmap.prints -x xprobe2.conf -a nmap.assoc -0 pf.os -f honeyd.conf
honeyd[5861]: listening on eth0: (arp or ip proto 47 or (ip )) and not ether src 00:0c:29:e2:2b:c1
Honeyd starting as background process

Now try running Nmap on the IP addresses that honeyd is handling:

# nmap -sS -sU -O 192.168.0.10-12

Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on  (192.168.0.10):
(The 3063 ports scanned but not shown below are in state: closed)
Port       State       Service
80/tcp     open        http
135/udp    open        loc-srv
137/tcp    open        netbios-ns
137/udp    open        netbios-ns
139/tcp    open        netbios-ssn
5900/tcp   open        vnc
Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance Server Beta3
Uptime 2.698 days (since Sun Jan 11 03:52:35 2004)

Interesting ports on  (192.168.0.11):
(The 3060 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp
110/tcp    open        pop-3
119/tcp    open        nntp
135/udp    open        loc-srv
137/tcp    open        netbios-ns
137/udp    open        netbios-ns
139/tcp    open        netbios-ssn
143/tcp    open        imap2
5900/tcp   open        vnc
Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance Server Beta3
Uptime 2.172 days (since Sun Jan 11 16:29:38 2004)

Interesting ports on  (192.168.0.12):
(The 1598 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
110/tcp    open        pop-3
Remote operating system guess: Linux 2.4.7 (X86)

You can certainly see that honeyd fools Nmap. But what happens when you try to access one of the services that are purportedly running? Try connecting to port 25 of the fake Windows mail server:

$ telnet 192.168.0.11 25
Trying 192.168.0.11...
Connected to 192.168.0.11.
Escape character is '^]'.
220 bps-pc9.local.mynet Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at  Mon Jan 12 12:55:04 MST 2004
EHLO kryten
250-bps-pc9.local.mynet Hello [kryten]
250-TURN
250-ATRN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50}
250 OK

Pretty effective at first glance, isn't it? If you'd like to offer some real services for attackers to play with, you can use the proxy keyword to forward any port to a host on another machine. For example, this will forward SSH requests from our imaginary Linux host to the machine at 192.168.1.100:

add linux tcp port 22 proxy 192.168.0.100:22

In addition to running the service emulation scripts, honeyd can limit inbound or outbound bandwidth, or even slow down access to a particular service. This can be used to tie up spammers' resources by holding open connections to what appears to be an open mail relay. The possibilities provided by honeyd are limited only by your imagination and the time you're willing to spend building your virtual fly-catching network.