View Full Version : honeypots .. any experience?
cormega
05-29-2008, 12:39 PM
I've been thinking about setting up one or two old computers as a little honeypot and was wondering if anyone here had any experience or could point me in the right direction.
I know of several tools (honeywall, honeyd etc.) to use to get me started but I haven't managed to find any good information as to how to implement these and get started.
So far I have a spare Lenovo T42, an old desktop computer and an ISP that gives me 5 public IPs but no knowledge :P
So if anyone has any good links for me, articles, projects, wiki sites or whatever I would be grateful if you could post them :)
BOFH139
05-29-2008, 02:12 PM
Here is a pre-built VMWare Honeyd on Fedora 7 to get you started:
http://www.vmware.com/appliances/directory/1231
Also, I know it's not a honeypot, but have a look at B.A.S.E & OSSIM; there was a long thread on here about it ~3-4 months ago. They are IDS systems and you could place them in front of your honeypot system.
> I've been thinking about setting up one or two old computers as a little honeypot and was wondering if anyone here had any experience or could point me in the right direction.
> I know of several tools (honeywall, honeyd etc.) to use to get me started but I haven't managed to find any good information as to how to implement these and get started.
> So far I have a spare Lenovo T42, an old desktop computer and an ISP that gives me 5 public IPs but no knowledge :P
> So if anyone has any good links for me, articles, projects, wiki sites or whatever I would be grateful if you could post them :)
cormega
05-29-2008, 02:22 PM
Thank you sir! That looks like just the thing I need right now! :)
Gonna check out the other things you mentioned too and give some feedback in this thread.
the_rooster
05-29-2008, 03:59 PM
I've had some experience setting up honeynets and the way I would suggest is to use one of your boxes as a bridge, with one NIC going to the internet and the other going to a switch or directly to the other box you want to get hacked. This setup has several advantages:
1. The bridge will be transparent and will have no IP, but traffic still has to go through iptables. So you can still log all of the traffic with tcpdump, while at the same time hopefully remaining undetectable.
2. You can egress filter on the outbound traffic. I limit the outbound traffic to about 1000 packets per day so that way after the honeypot box does get owned, it won't be used to DoS a children's hospital or something.
swc666
> I've had some experience setting up honeynets and the way I would suggest is to use one of your boxes as a bridge, with one NIC going to the internet and the other going to a switch or directly to the other box you want to get hacked. This setup has several advantages:
> 1. The bridge will be transparent and will have no IP, but traffic still has to go through iptables. So you can still log all of the traffic with tcpdump, while at the same time hopefully remaining undetectable.
> 2. You can egress filter on the outbound traffic. I limit the outbound traffic to about 1000 packets per day so that way after the honeypot box does get owned, it won't be used to DoS a children's hospital or something.
Yes, even better when you add a tap (search for 'snifdet' on this forum, and read from about halfway through the post on).
cormega
05-30-2008, 05:22 AM
Thanks for a lot of helpful replies.. I'm looking forward to testing these things throughout the weekend..
One quick question though: what would be the best setup for the "bridge" computer?
Can I just as well install any distro here, or are there any recommendations or distros to avoid?
EDIT: swc666, a 'snifdet' search returns no results, both with and without the quotes and when searching threads and topics throughout the whole forum :confused:
What am I doing wrong? :o
swc666
> EDIT: swc666, a 'snifdet' search returns no results, both with and without the quotes and when searching threads and topics throughout the whole forum :confused:
> What am I doing wrong? :o
Oops... typo, should have been sniffdet:
http://forums.remote-exploit.org/showthread.php?t=8748&highlight=sniffdet
Scan through the post to find relevant info :cool:
cormega
05-30-2008, 05:30 AM
Thanks for the tip swc666, looks like a useful thread indeed :)
cormega
06-02-2008, 08:48 AM
By the way swc666, I read in that thread you tipped me about that you set up a honeypot of your own.. What kind of experiences did you get from that? Now I don't think I'll try that hardware hacking you did right there - but setting up a nice honeynet with solid logging and perhaps an IDS would be cool indeed!
The main reason why I want to set up a honeypot is because I am very interested and I love the idea of having a honeypot to check up on from time to time to see what is going on... Secondly, I'm guessing that having a running honeypot over time will be educational in so many ways..
swc666
> By the way swc666, I read in that thread you tipped me about that you set up a honeypot of your own.. What kind of experiences did you get from that? Now I don't think I'll try that hardware hacking you did right there - but setting up a nice honeynet with solid logging and perhaps an IDS would be cool indeed!
> The main reason why I want to set up a honeypot is because I am very interested and I love the idea of having a honeypot to check up on from time to time to see what is going on... Secondly, I'm guessing that having a running honeypot over time will be educational in so many ways..
I set up a naked Win2K box on a DMZ, passively tapped just to see the ugly traffic that popped in/out of it. I didn't do anything deep as far as forensics; basically saw a lot of pwnage of the box as an ad server zombie.
cormega
06-03-2008, 08:14 AM
I'm planning to put W2K on one of the boxes as well, I'm guessing this will attract a lot of stuff, I just hope it won't end up being torn apart by some script kiddies.
But so far I got BT3 on an old desktop computer which I am planning to use as my bridge, I will take an extra NIC with me home from work today and hopefully I'll get some work done.
First of all, though, I am a bit unsure as to how I am supposed to set up the NICs on this bridge. If I understand the rooster completely, the NICs won't have their own IP address and won't be easily detectable by anyone else, they just forward the traffic in the right direction - incoming or outgoing - right?
So how do I set up these NICs to just forward traffic like that?
the_rooster
06-03-2008, 01:20 PM
Cormega, first off, honeynets are an awesome way to learn about security, hacking, and networking in general. I would be happy to share experiences and setup info with you.
I was using 3 NICs with my setup, two for the bridge and one for remote ssh access, since the honeynet was at work. Using bridge-utils, you will make a virtual interface out of two NICs. I'll paste below the firewall script that I was using. I was also running snort_inline with this, which is why you'll see "QUEUE" targets where you would expect "ACCEPT" targets. I've only been working with linux for about a year, so if this script sucks in some way let me know... appreciate the feedback. You don't have to run snort_inline but it's fun to see how much actually gets by snort, and it's good to block low level boring script kiddie stuff.
I would run a script that had a ton of the SysInternals type tools (fport, procmon... etc) on the honeypot box before you put it out in the wild, so that way you can run the same script after you suspect the box gets jacked and compare what's changed in terms of opened ports and new processes... etc. I was also running sebek to capture command line input on the compromised boxes.
From there you could log traffic with tcpdump either on the outbound NIC or the virtual interface bridge. I wrote some java programs to parse the data and sum it up by unique communications (i.e. src ip and port -> dst ip and port) and email it to me every couple of hours.
Feel free to PM any questions, or keep this thread going.
Firewall script:
#!/bin/sh
# Transparent bridge plus iptables rules for the honeynet. Frames cross the bridge
# (eth0 <-> eth1) without the box owning an IP on either side; eth2 is the separate
# management interface for remote ssh. QUEUE targets hand packets to snort_inline.
IPTABLES="/sbin/iptables"
BRCTL="/usr/sbin/brctl"
$BRCTL addbr br0
$BRCTL addif br0 eth0
$BRCTL addif br0 eth1
ifconfig eth0 0.0.0.0 promisc up
ifconfig eth1 0.0.0.0 promisc up
ifconfig br0 up
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
# Default deny on every chain; everything permitted below is explicit.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
## Ethernet filtering: make bridged frames pass through iptables
for f in /proc/sys/net/bridge/bridge-nf-*; do echo "1" > $f; done
## Enable IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
## Enable dynamic IPs
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
## Helper modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_queue
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_state
## Kernel hardening for the bridge box itself
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/secure_redirects; do
    echo 1 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done
echo 200 > /proc/sys/net/ipv4/icmp_ratelimit
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 256 > /proc/sys/net/ipv4/tcp_max_syn_backlog
# Allow all on loopback
$IPTABLES -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Bridge rules: one block per honeypot box sitting behind the bridge
ACTIVEIP="192.168.1.129 192.168.1.130 192.168.1.131 192.168.1.132"
for i in $ACTIVEIP; do
    #$IPTABLES -A FORWARD -s 123.123.123.123 -m physdev --physdev-is-in -j DROP
    # Egress limit: at most 1000 packets per day may leave a honeypot, so an owned
    # box cannot be used to flood anyone; anything over the limit is dropped.
    $IPTABLES -A FORWARD -i br0 -s $i -m physdev --physdev-is-out -m limit \
        --limit 1000/day --limit-burst 1000 -j QUEUE
    $IPTABLES -A FORWARD -i br0 -s $i -m physdev --physdev-is-out -j DROP
    # Sebek: honeypots may only send UDP 1101 to the collector on the third interface
    $IPTABLES -A FORWARD -s $i -d 192.168.1.133 -p udp --dport 1101 -j QUEUE
    $IPTABLES -A FORWARD -s $i -d 192.168.1.133 -j DROP
    # Addresses the honeypots must never reach (placeholder values in the post)
    $IPTABLES -A FORWARD -s $i -d 123.123.123.213 -j DROP
    $IPTABLES -A FORWARD -s $i -d 123.123.213.213 -j DROP
    $IPTABLES -A FORWARD -s $i -d 222.222.222.222 -j DROP
done
# Everything arriving on a bridge port goes through snort_inline
$IPTABLES -A FORWARD -m physdev --physdev-is-in -j QUEUE
#bridge....keep this one...simple config
#$IPTABLES -A FORWARD -j QUEUE
# Management interface eth2: new ssh sessions only from the admin addresses (placeholders)
SAFEIP="123.123.123.123 123.123.123.124"
for i in $SAFEIP; do
    $IPTABLES -A INPUT -i eth2 -p tcp --dport 22 -s $i -m state --state NEW,ESTABLISHED,RELATED -j QUEUE
done
$IPTABLES -A INPUT -i eth2 -m state --state ESTABLISHED,RELATED -j QUEUE
$IPTABLES -A OUTPUT -o eth2 -m state --state ESTABLISHED,RELATED -j QUEUE
$IPTABLES -A OUTPUT -o eth2 -m state --state NEW -j QUEUE
$IPTABLES -A FORWARD -i eth2 -o eth2 -m state --state ESTABLISHED,RELATED -j QUEUE
Script to start and stop the firewall and snort:
#!/bin/bash
# processname: snort_inline
# config: /etc/snort_inline/snort_inline.conf
BRCTL="/usr/sbin/brctl"
. /lib/lsb/init-functions
[ -f /usr/local/bin/snort_inline ] || exit 0
start(){
    # Start daemons.
    echo "Starting ip_queue module:"
    lsmod | grep ip_queue >/dev/null || /sbin/modprobe ip_queue
    echo "Starting iptables rules:"
    # Put your iptables script with QUEUE targets here.
    /etc/firewall.sh
    echo "Starting snort_inline: "
    /usr/local/bin/snort_inline -c /etc/snort_inline/snort_inline.conf -Q -D -v
    RETVAL=$?
    echo $RETVAL
    [ $RETVAL = 0 ] && touch /var/lock/subsys/snort_inline
}
stop() {
    # Stop daemons.
    echo "Shutting down snort_inline: "
    killall snort_inline
    RETVAL=$?
    echo $RETVAL
    [ $RETVAL = 0 ] && rm -f /var/lock/subsys/snort_inline
    echo "Removing iptables rules:"
    # Tear down the bridge, then open the firewall back up.
    $BRCTL delif br0 eth0
    $BRCTL delif br0 eth1
    ifconfig br0 down
    $BRCTL delbr br0
    iptables -F
    iptables -X
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
}
restart(){
    stop
    start
}
# Arguments passed.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}"
        exit 1
        ;;
esac
Snort_Inline is a good way to go, however if you build a passive tap as discussed in the sniffdet thread, you can monitor/log traffic with 2 nics tapped into the line going into the pot.
the_rooster
06-03-2008, 01:40 PM
I had not heard of a passive tap before reading this thread. Is there an advantage to using them over creating a bridge with bridge-utils?
=Tron=
06-03-2008, 01:52 PM
> Is there an advantage to using them over creating a bridge with bridge-utils?
The advantage is that it will be as good as completely undetectable.
> I had not heard of a passive tap before reading this thread. Is there an advantage to using them over creating a bridge with bridge-utils?
Either way the nics have to be bridged. For the tap setup the cards are running @ Half Duplex. It allows you to plug into the line promiscuously and sniff.
cormega
06-03-2008, 02:27 PM
Thank you so much for your post rooster, that's just the sort of detailed info I need to get started.
I think I'll copy your setup as far as possible once I get started to avoid any newbie mistakes.
Just out of curiosity - how many boxes did you set up in your honeypot besides the bridge, and what did you run on them?
That SysInternals type script sounds like a great idea and I'll remember to do something like that before I go live.. Also, I have a computer forensics book on my shelf that's been dusting down for a couple of years now, so the plan is that once I decide to take the network down I'll run a forensics investigation on the systems as well..
That tap swc666 is talking about seems pretty cool as well, I want to try that out as well but I'll probably wait a little while before I try it..
Great to see that this thread is staying alive and people are posting experiences and tips because I really need it to get me started..
Unfortunately I probably won't get much done until next week (besides reading this thread) because I'm going away for a couple of days.. but once I'm back I'll start setting up the honeynet piece by piece and post my status here, I almost can't wait to get started :D
the_rooster
06-03-2008, 02:57 PM
Yeah, the tap is very cool. I had not appreciated the detectability of the bridge structure. I thought having no IP bought me more invisibility than it really does.
I changed jobs just a little while after setting up this honeynet, so I only got to run a few machines. I'd run 2-3 unpatched XP and 2K3 servers at a time as well as a plain Ubuntu install for comparison. You'll get a lot more traffic on the windows boxes when you enable/install IIS and related services and take down the windows firewall.
cormega
06-04-2008, 05:19 AM
So I was wondering about borrowing a Cisco Catalyst 2950 switch from work and adding it to the mix to make the net appear even more authentic to an intruder, what are your thoughts about that?
It might be a bit overkill with a 24 port switch on a honeynet with only three devices though, and the switch I'm talking about is REAL noisy so I haven't really decided yet, but I would like some input and see if anyone else would find this to be a helpful addition or not...
> So I was wondering about borrowing a Cisco Catalyst 2950 switch from work and adding it to the mix to make the net appear even more authentic to an intruder, what are your thoughts about that?
> It might be a bit overkill with a 24 port switch on a honeynet with only three devices though, and the switch I'm talking about is REAL noisy so I haven't really decided yet, but I would like some input and see if anyone else would find this to be a helpful addition or not...
I think something that would allow you to set up a DMZ is all you really need.
cormega
06-05-2008, 08:58 AM
OK, so if I just get a simple 5 port switch and set up the honeynet in a DMZ that's all I really need? Kinda nice to know, because with 3 computers running and an old switch that sounds like a rusty Ford it could get a "bit" annoying to have that stuff running in my 1 bedroom apartment over time ;)
the_rooster
06-05-2008, 11:19 AM
I forgot, if you can get your hands on a hub instead of a switch, you should do so, cause with a hub you will be able to pick up traffic between your honeypot boxes.
cormega
06-06-2008, 05:54 AM
I think I can get a hold of a hub actually, I'm almost positive I've seen one lying around at work somewhere. Thanks for the tip...
By the way, when setting up snort, where would the best place to put this be? I'm guessing the bridge box?
cormega
06-08-2008, 09:32 AM
OK, so I never got a hold of that hub but that's not my primary concern right now.
I am more or less ready to get started but I realize that there are a few technical questions I need to get answered before I go ahead.
1. I am fortunate enough to have an ISP that provides me with official IP addressing and not NAT addresses - but how important is it to put the honeynet behind an official IP, really?
2. The plan I have right now is to follow the rooster's advice and set up one box as a bridge between the internet and the switch containing the other boxes I want to set up in my honeynet. But since this bridge of mine won't need any IP addresses, and my ISP offers 5 official IP addresses, won't the rest of the boxes behind the bridge take one official IP each - giving the impression that they are not on the same network?
I mean, my ISP offers an address in the 81.191.xxx.xxx range and I get 5 of those, but what I really want is to put my entire honeynet behind ONE of these addresses, because that would be the most efficient setup, right?
So how do I solve that? Do I set up my W2K box right behind the bridge with a DHCP service and connect the W2K box to the switch so that every other box on the honeynet will get a private IP from this W2K box and at the same time use it as a gateway to the internet?
I figure that this way would provide the W2K box with an official IP so that it would be the first to be discovered in my network - at the same time, using the W2K box as the DHCP server for the rest of the honeynet would lead any hackers further into my network.
So what do you guys think of my solution so far? If I'm way off here or you have any suggestions to improve my setup please do not hesitate to post them here.
the_rooster
06-09-2008, 12:10 AM
For the most part, I think it's going to depend on what you want to accomplish. You could tailor your honeynet to test any number of services/configurations and the vulnerabilities that come with them. You could go the DHCP route or the one box per IP. It will be interesting to see what differences in traffic will result. But at the same time, you'll probably get a lot of automated garbage regardless.
To me, one of the biggest challenges is how to make sense of the data being logged. I would see a ton of automated bot zombie scans looking for sql, game hosting services, smb/netbios, ssh, etc. I think you really will need a way of filtering the garbage.
I saw a couple of perl scripts on honeynet.org (the scan of the month challenges are interesting) where people came up with some pretty neat ways of parsing and summarizing tcpdump capture files. I'm not very proficient in perl (that's some straight voodoo script to me) so I rewrote theirs in a language I know..... java. But it took about 150 lines of code for me to do what they were doing in 10 lines.
So it may be worthwhile just to get anything set up to get a feel for what and how much traffic you can expect just from having a single box connected straight to the internet... well, through the bridge of course... if only to get a baseline. Then increase the complexity of the network and increase the number of ports/services you want to expose.
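The summarizer the_rooster describes is not on the page, so here is an added example (not the_rooster's Java code) in Python that does the same job on the text output of `tcpdump -n`: it collapses packets into unique src ip:port -> dst ip:port communications, sets aside lone scan probes to the ports the post calls garbage, and singles out connections the honeypot itself opened to the outside, which is the post-compromise signal the egress limit in the firewall script exists to contain. The honeypot addresses and the Sebek collector come from that script; the capture lines are constructed.

```python
import re

# Honeypot addresses and the Sebek collector, taken from the ACTIVEIP list and the
# UDP 1101 rule in the firewall script posted earlier in the thread.
HONEYPOT_IPS = {"192.168.1.129", "192.168.1.130", "192.168.1.131", "192.168.1.132"}
SEBEK_COLLECTOR = ("192.168.1.133", 1101)
# Ports the thread names as constant automated bot scanning (sql, smb/netbios, ssh).
NOISE_PORTS = {22, 135, 139, 445, 1433, 1434}

# One `tcpdump -n` line: "HH:MM:SS.ffffff IP a.b.c.d.sport > e.f.g.h.dport: rest"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): (?P<rest>.*)$"
)
LEN_RE = re.compile(r"length (\d+)")

def parse_line(line):
    """Fields of one tcpdump line, or None for a line in some other format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    length = LEN_RE.search(rest)
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "proto": "UDP" if rest.startswith("UDP") else "TCP",
        "length": int(length.group(1)) if length else 0,
    }

def summarize(lines):
    """Collapse packets into unique (src, sport, dst, dport) flows with packet/byte totals."""
    flows = {}
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        f = flows.setdefault(key, {"proto": p["proto"], "packets": 0, "bytes": 0,
                                   "first": p["ts"], "last": p["ts"]})
        f["packets"] += 1
        f["bytes"] += p["length"]
        f["last"] = p["ts"]
    return flows

def classify(flows):
    """Bucket flows: lone scan probes (noise), inbound sessions, the honeypot's replies
    to them, Sebek telemetry, and connections the honeypot opened on its own."""
    report = {"outbound": [], "inbound": [], "replies": [], "sebek": [], "noise": []}
    for key, f in flows.items():
        src, sport, dst, dport = key
        reverse = flows.get((dst, dport, src, sport))
        if src in HONEYPOT_IPS:
            if (dst, dport) == SEBEK_COLLECTOR and f["proto"] == "UDP":
                report["sebek"].append(key)
            elif reverse is not None and reverse["first"] <= f["first"]:
                report["replies"].append(key)   # answering a connection from outside
            else:
                report["outbound"].append(key)  # honeypot reached out by itself
        elif dport in NOISE_PORTS and f["packets"] <= 2 and reverse is None:
            report["noise"].append(key)         # single probe, never answered
        else:
            report["inbound"].append(key)
    return report

def render(report, flows):
    """Plain-text summary in 'src ip:port -> dst ip:port' form, ready to be mailed."""
    out = []
    for bucket in ("outbound", "inbound", "replies", "sebek", "noise"):
        out.append(f"== {bucket} ({len(report[bucket])}) ==")
        for src, sport, dst, dport in report[bucket]:
            f = flows[(src, sport, dst, dport)]
            out.append(f"{f['proto']} {src}:{sport} -> {dst}:{dport}  "
                       f"{f['packets']} pkts  {f['bytes']} bytes  {f['first']}..{f['last']}")
    return "\n".join(out)

# Constructed sample capture (not real traffic); the last line is deliberately unparsable.
SAMPLE = """\
10:00:01.000100 IP 198.51.100.7.51234 > 192.168.1.129.445: Flags [S], seq 100, win 65535, length 0
10:00:01.000200 IP 198.51.100.7.51235 > 192.168.1.130.445: Flags [S], seq 101, win 65535, length 0
10:00:02.000300 IP 203.0.113.9.40001 > 192.168.1.129.1433: Flags [S], seq 7, win 8192, length 0
10:00:05.100000 IP 203.0.113.42.3344 > 192.168.1.129.80: Flags [S], seq 1, win 5840, length 0
10:00:05.100500 IP 192.168.1.129.80 > 203.0.113.42.3344: Flags [S.], seq 2, ack 2, win 16384, length 0
10:00:05.101000 IP 203.0.113.42.3344 > 192.168.1.129.80: Flags [P.], seq 2:300, ack 1, win 5840, length 298
10:00:09.000000 IP 192.168.1.129.1025 > 192.168.1.133.1101: UDP, length 64
10:00:12.000000 IP 192.168.1.129.1026 > 203.0.113.200.6667: Flags [S], seq 9, win 16384, length 0
10:00:12.500000 IP 192.168.1.129.1026 > 203.0.113.200.6667: Flags [P.], seq 1:40, ack 1, win 16384, length 39
this line is not tcpdump output and is skipped
"""

if __name__ == "__main__":
    flows = summarize(SAMPLE.splitlines())
    print(render(classify(flows), flows))
```

On a real bridge you would feed it `tcpdump -n -i br0 -l` output (or a saved capture replayed with `tcpdump -n -r file`) instead of SAMPLE; the honeypot-initiated "outbound" bucket is the one worth paging yourself about.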
cormega
06-09-2008, 03:11 AM
Great tip, thanks.
I'll follow your advice and start off with a bridge + a W2K box and see where that leads me.
BTW, you said you ran a script on the linux boxes in your honeynet before putting it out to see what might change once the box got compromised, right?
Do you have any tips on how to do something similar with the W2K box?
the_rooster
06-09-2008, 09:59 AM
There was a free product called Windows Forensics ToolChest that I was using to collect system info. I think they went commercial with it though. So I made my own script modeled after the way they did it. What you'll get with this is a ton of different little text files containing the output of the .exe listed. Most of them are SysInternals, but all are freely available. It's kind of crude and not very nice looking format wise, but you'll get the info you need to get a picture of what might be changing on the box. I think some of the registry lines might need to be changed depending on the version of windows you are using.
Run a script like this before you put the box in the open, and then after you suspect you have been compromised. Using this technique I've been able to discover new processes and open ports after a compromise.
@ECHO off
REM Snapshot of the box for before/after comparison. %1 is the directory the text
REM files are written to; toolpath holds the SysInternals and other collection tools.
SET toolpath=c:\WFT\tools\
REM Memory, file timestamps and basic system info
%toolpath%mem.exe /p > %1\currently_in_memory.txt
%toolpath%mem.exe /d > %1\memory_drivers_etc.txt
dir c:\ /S /OD /TA > %1\file_last_access_time.txt
%toolpath%psinfo.exe -d -s -h > %1\psinfo.txt
%toolpath%hostname.exe > %1\hostname.txt
%toolpath%uname.exe -a > %1\uname.txt
ver > %1\version.txt
set > %1\environment.txt
%toolpath%uptime.exe > %1\uptime.txt
%toolpath%uptime.exe /a > %1\uptime_historical.txt
%toolpath%whoami.exe > %1\whoami.txt
REM Accounts and groups
%toolpath%net.exe config rdr > %1\net_config_rdr.txt
%toolpath%net.exe user > %1\net_user.txt
%toolpath%net.exe localgroup > %1\net_localgroup.txt
%toolpath%net.exe accounts > %1\net_accounts.txt
%toolpath%net.exe accounts /domain > %1\net_accounts_domain.txt
REM Processes, handles and services
%toolpath%pslist.exe > %1\pslist.txt
%toolpath%pstat.exe > %1\pstat.txt
%toolpath%handle.exe > %1\handle.txt
%toolpath%handle.exe -a > %1\handle_a.txt
%toolpath%psservice.exe > %1\psservice.txt
REM Network state and open ports
arp -a > %1\arp.txt
route print > %1\route.txt
netstat -an > %1\netstat.txt
%toolpath%Fport.exe > %1\fport.txt
%toolpath%openports.exe -path -fport > %1\openports.txt
sc.exe queryex > %1\sc.txt
%toolpath%net.exe start > %1\net_start.txt
%toolpath%net.exe share > %1\net_share.txt
%toolpath%net.exe use > %1\net_use.txt
%toolpath%net.exe view > %1\net_view.txt
%toolpath%net.exe session > %1\net_session.txt
%toolpath%drivers.exe start > %1\drivers.txt
%toolpath%nbtstat.exe -n > %1\nbtstat_n.txt
%toolpath%nbtstat.exe -c > %1\nbtstat_c.txt
%toolpath%nbtstat.exe -s > %1\nbtstat_s.txt
%toolpath%promiscdetect.exe share > %1\promiscdetect.txt
REM Event logs
%toolpath%psloglist.exe > %1\psloglist.txt
%toolpath%psloglist.exe -s system > %1\psloglist_s_system.txt
%toolpath%psloglist.exe -s application > %1\psloglist_s_application.txt
%toolpath%psloglist.exe -s security > %1\psloglist_s_security.txt
REM Disk, hidden files, alternate data streams and EFS
%toolpath%diskmap.exe /d0 > %1\diskmap.txt
%toolpath%ntfsinfo.exe > %1\ntfsinfo.txt
%toolpath%psfile.exe > %1\psfile.txt
dir c:\ /S /AH > %1\hidden_files.txt
%toolpath%streams.exe -s c:\*.* > %1\streams.txt
%toolpath%efsinfo.exe /S:c:\ /U /R /C > %1\efsinfo.txt
REM Autostart locations (registry paths may differ between Windows versions)
dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup" > %1\startup.txt
%toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /S > %1\reg_run.txt
%toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /S > %1\reg_runOnce.txt
%toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /S > %1\reg_runOnceEx.txt
%toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices /S > %1\reg_runServices.txt
%toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /S > %1\reg_runServicesOnce.txt
%toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ /S > %1\reg_ShellServiceObjectDelayLoad.txt
%toolpath%reg.exe query HKLM\Software\Policies\Microsoft\Windows\System\Scripts /S > %1\reg_Scripts.txt
%toolpath%reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ /S > %1\reg_Explorer.txt
%toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /S > %1\reg_runHKCU.txt
%toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /S > %1\reg_runOnceHKCU.txt
%toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /S > %1\reg_runOnceExHKCU.txt
%toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices /S > %1\reg_runServicesHKCU.txt
%toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /S > %1\reg_runServicesOnceHKCU.txt
%toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell /S > %1\reg_shellHKCU.txt
%toolpath%reg.exe query HKCU\Software\Policies\Microsoft\Windows\System\Scripts /S > %1\reg_ScriptsHKCU.txt
%toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ /S > %1\reg_ExplorerHKCU.txt
REM User activity traces (IE bars, typed URLs, MRU lists) and installed software
%toolpath%reg.exe query "HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}" /S > %1\reg_ExplorerBars.txt
%toolpath%reg.exe query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs" /S > %1\reg_ExplorerTypedURLS.txt
%toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /S > %1\reg_ExplorerVersion.txt
%toolpath%reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU /S > %1\reg_OpenSaveMRU.txt
%toolpath%reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /S > %1\reg_Uninstall.txt
%toolpath%autorunsc.exe -a -d -e -s -w > %1\autorunsc.txt
%toolpath%psloggedon.exe > %1\psloggedon.txt
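The comparison step itself is not on the page, so here is an added example (not the_rooster's script and not part of Windows Forensic Toolchest) of it in Python: given the text files the batch script above writes before exposure and after a suspected compromise, it reports new processes from pslist.txt, new listening sockets from netstat.txt, and added or removed lines in the remaining files, skipping the ones that change on every run. The file names come from the script; the two snapshot directories are represented as dicts of constructed file contents, and the VOLATILE list is this example's own choice.

```python
import fnmatch
import re

# Output files from the snapshot script that change on every run and would only add
# noise to a before/after diff. pslist.txt and netstat.txt get their own parsers.
VOLATILE = ("uptime*.txt", "currently_in_memory.txt", "memory_drivers_etc.txt",
            "file_last_access_time.txt", "handle*.txt", "pstat.txt", "psloglist*.txt",
            "psfile.txt", "net_session.txt", "pslist.txt", "netstat.txt")

def parse_pslist(text):
    """Process names from `pslist` output: a data row starts with name, pid, pri, thd."""
    names = set()
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+\d+\s+\d+\s+\d+\s", line)
        if m:
            names.add(m.group(1).lower())
    return names

def parse_netstat(text):
    """Listening sockets from `netstat -an` output as {(proto, local address)}."""
    listening = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            listening.add(("TCP", parts[1]))
        elif len(parts) >= 3 and parts[0] == "UDP":
            listening.add(("UDP", parts[1]))
    return listening

def normalized_lines(text):
    """Whitespace-insensitive set of non-empty lines, for the generic file diff."""
    return {" ".join(line.split()) for line in text.splitlines() if line.strip()}

def compare_snapshots(before, after):
    """before/after: {filename: contents} for the two snapshot directories."""
    old_procs = parse_pslist(before.get("pslist.txt", ""))
    new_procs = parse_pslist(after.get("pslist.txt", ""))
    findings = {
        "new_processes": new_procs - old_procs,
        "gone_processes": old_procs - new_procs,
        "new_listeners": parse_netstat(after.get("netstat.txt", ""))
                         - parse_netstat(before.get("netstat.txt", "")),
        "changed_files": {},
    }
    for name in sorted(set(before) | set(after)):
        if any(fnmatch.fnmatch(name, pat) for pat in VOLATILE):
            continue
        b = normalized_lines(before.get(name, ""))
        a = normalized_lines(after.get(name, ""))
        if a != b:
            findings["changed_files"][name] = {"added": sorted(a - b),
                                               "removed": sorted(b - a)}
    return findings

# Constructed snapshots (not from a real box). The "after" set adds one process, one
# listening port, one Run key entry and one local account, and has a different uptime.
BEFORE = {
    "pslist.txt": r"""pslist v1.28 - Sysinternals PsList
Process information for HONEY1:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:00:00.000     0:00:00.000
inetinfo            812   8  20  320   3200     0:00:01.000     1:00:00.000
""",
    "netstat.txt": r"""
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
""",
    "reg_run.txt": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
""",
    "net_user.txt": r"""
User accounts for \\HONEY1
Administrator            Guest                    IUSR_HONEY1
The command completed successfully.
""",
    "uptime.txt": r"\\HONEY1 has been up for: 0 day(s), 1 hour(s), 5 minute(s)",
}

AFTER = dict(BEFORE)
AFTER["pslist.txt"] = BEFORE["pslist.txt"] + \
    "updater.exe        1044   8   4   60   1200     0:00:00.100     0:05:00.000\n"
AFTER["netstat.txt"] = BEFORE["netstat.txt"] + \
    "  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING\n"
AFTER["reg_run.txt"] = BEFORE["reg_run.txt"] + \
    r"    Updater    REG_SZ    C:\WINNT\system32\updater.exe" + "\n"
AFTER["net_user.txt"] = BEFORE["net_user.txt"].replace(
    "The command", "support_1\nThe command")
AFTER["uptime.txt"] = r"\\HONEY1 has been up for: 6 day(s), 3 hour(s), 12 minute(s)"

if __name__ == "__main__":
    for key, value in compare_snapshots(BEFORE, AFTER).items():
        print(key, value)
```

Against real snapshot directories, read each *.txt into the two dicts (the files are written by cmd.exe redirection, so decode them with the box's OEM code page, e.g. cp437 or cp850, rather than UTF-8).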
cormega
06-10-2008, 05:11 AM
Thanks for more assistance, rooster - I really appreciate the help you are giving me.
So I've decided to split the project into several parts instead of trying to implement a complete professional honeynet all at once.
Part one is just the bridge box and the W2K box; I will check processes, services, files etc. before and after to see what has changed during the attack on the box.
Since the W2K box will be rather out of date and unpatched I have estimated a 7 day period for the first part - this should be enough to generate some (un)wanted action on the box and give me some activity to analyze afterwards.
For part 2 I will implement snort, add another box to the honeynet (probably a linux box of some sort) and patch up the W2K box a bit to make it a bit harder to hack. I haven't decided on the uptime of this net yet but I'm guessing 20 days at least, probably more.
Now if that works like I hope, I will take on some forensics challenges and see what I can learn from the activities on both boxes while I take some time to think about whether or not to take the project to a third stage with more boxes in a more advanced environment..
Either way, part 1 will start in a day or two and I'm really looking forward to seeing what might happen
=Tron=
06-10-2008, 06:06 AM
> Either way, part 1 will start in a day or two and I'm really looking forward to seeing what might happen
A honeypot/-net is something that I have been interested in setting up for quite a while already, but have kept postponing due to the lack of extra hardware to set aside for the task.
Once you get your project started I for one would therefore be really interested in hearing a bit about your findings, either in this thread or a new one.
cormega
06-10-2008, 06:15 AM
Yeah, I've been playing with the idea myself for quite a while and now I'm fortunate enough to be able to borrow most of the equipment I need from my employer so I decided to get started.
I will share anything of interest in this forum, I am also considering creating a new thread to make it easier to keep track of my findings and the current status of my honeynet project..
If I create a new thread, the link for it will be posted here - if I don't create a new thread I will just post everything of interest in this thread..
=Tron=
06-10-2008, 06:46 AM
> I will share anything of interest in this forum, I am also considering creating a new thread to make it easier to keep track of my findings and the current status of my honeynet project..
> If I create a new thread, the link for it will be posted here - if I don't create a new thread I will just post everything of interest in this thread..
Great to hear, even though I fear that if you do find something interesting it will only fuel my interest in carrying out the same test myself :D I have also been thinking about adding an additional open, or probably WEP encrypted, wireless access point to my planned honeynet. Not to sniff passwords or anything like that, probably would just cut off wan access completely anyway and intercept what type of internet pages my “visitors” would try to access. But mainly to check how widespread the cracking and exploitation of WEP encrypted networks is over where I live. For this I would naturally need a quite powerful AP, but since I live in a rather densely populated area I do figure that even with a normal AP placed by the window with a parabolic reflector attached to the antenna I would reach quite a lot of people around me.
However, I do think a new thread would be the best way to go as your findings might spawn some additional discussions that would not fit well under the heading of the current thread.
cormega
06-10-2008, 07:35 AM
> However, I do think a new thread would be the best way to go as your findings might spawn some additional discussions that would not fit well under the heading of the current thread.
I think you're right, I'll probably create one thread to keep track of the status of the honeynet project while keeping this thread moving with the discussion of a proper honeynet setup and the support questions related to that matter.
I really hope I find something to make you decide to create a honeynet of your own because it would be nice to track the progress of other people's honeynets as well and be able to compare findings.
That WEP idea of yours sounds interesting, though. It could generate some really interesting results if your wifi is able to cover a large and densely populated area.. Have you given any thought to how you would monitor and log the wifi? I'm just wondering if you would use whatever feature is implemented in your AP or if you had anything else in mind..
=Tron=
06-10-2008, 07:49 AM
> That WEP idea of yours sounds interesting, though. It could generate some really interesting results if your wifi is able to cover a large and densely populated area.. Have you given any thought to how you would monitor and log the wifi? I'm just wondering if you would use whatever feature is implemented in your AP or if you had anything else in mind..
I really haven’t given it so much thought yet as it is still all in planning state until I get some spare cash. I would probably start with checking out what kind of modded firmwares there are out there and how extensive log features they provide. I believe that this would be the easiest way to implement it as the router could take care of all the work itself.
On the other hand I would still need a tap between the router and my honeynet, as I naturally would want my guests to be able to access the rest of my honeynet using the wlan connection, and be able to track their actions. The logs of this tap would also most likely be easier to read out some interesting information from as they would not be littered with botnet spam or other kind of automated attacks.
cormega
06-10-2008, 12:10 PM
Sounds like a great idea and you would not have to worry about all the annoying botnet scans and script kiddie attempts at all, but whether you would get any hits past your AP is another question.. Maybe if you made your AP appear to be part of an enterprise network by giving it an SSID designed to make any nearby hackers interested.
But, back to my W2K box - I've set it up with IIS now and I'm guessing this will be the primary entry point for any hackers that will give it a shot - now I understand that IIS can write pretty detailed activity logs and that I can select what to log and not to log.
I've read that IIS's default logging setup does not log commands that are run from cmd.exe if a hacker manages to gain shell access through this service - does anyone know how to enable such logging so I can read any commands entered if a hacker manages to spawn a command shell through IIS?
the_rooster
06-10-2008, 02:15 PM
I've only played around with it a little bit, but you can use Sebek for that. It's a client/server app designed to capture cmd.exe usage. The client gets installed on your W2K box and sends UDP packets to the third interface of your bridge box, where the server side of the app is listening. The client is supposed to be very difficult to detect and the server side has a variety of logging options.
You will see firewall rules related to it in the script I posted, allowing the honeypot boxes to send UDP on port 1101 to the third interface and nothing else. Which reminds me, you may want that big old noisy switch you mentioned earlier to segment off your third interface for remote access, and make the honeypot boxes have to go through the bridge to get to it so that you can drop everything else.
cormega
06-11-2008, 02:13 AM
Thanks for the tip, I will definitely look into it later on today.
I decided not to go for the Cisco switch, at least for part one of the honeynet.
The main reason is that I don't think it's too necessary for such a small honeynet. Maybe I will reconsider it for part 2 or 3 if I get that far, but for now I'll settle with a normal 5 port Linksys switch since there is only one machine on the honeynet side of the bridge so far.
But I'm getting real close now :) The first part of the honeynet will go live either after work today or tomorrow. I know it's been slow progress, but I've had a lot to do at work so I haven't had the motivation to sit in front of a computer in my spare time when I do it at work for 8-12 hours a day :)
Either way, the current status is that I'll have to gather some tools and create a forensic script much like the one the_rooster posted earlier to run before the W2K box goes online and after, and I'll have to configure tcpdump on my bridge to get the traffic logs going smoothly. On top of that I'll also look into Sebek later on today to see how it is set up, and if it doesn't look too complex I'll add that to the mix as well.
cormega
06-12-2008, 03:51 AM
So I made the mistake of having my W2K box online for about 5 mins yesterday and that was all that was needed for the Alexa toolbar to install itself and for the regfix.com spam message to appear (check: http://phorums.com.au/archive/index.php/t-149887.html).
That kind of messed up my project a bit since I haven't had the chance to run any forensic scripts yet to get the info I want from a clean W2K box.
But do you think I should reinstall W2K on this box to get it right? I'm not sure if these two spyware/spam incidents will have too much effect on the computer setup.
Either way I downloaded Spybot and removed it quickly.
I'm also considering immunizing the W2K box with Spybot to avoid as much spam of this sort as possible, considering that I really want a real live person taking control of the box and not just a ton of spyware. What do you think?
=Tron=
06-12-2008, 06:02 AM
I think that you will probably be fine after a sweep with a few anti-spyware programs. After all, as you say, you are not interested in the damage done by bots, so this incident should not spoil your project in any way. But on the other hand, if you want to make sure that you start off with an absolutely clean slate, reinstalling W2K won't really take too long.
I think that it is a good idea to set up the box with some sort of live anti-spyware program to filter out a bit of all the spam and bot traffic. Just make sure that it doesn’t implement any anti-intrusion features as you probably want to make it as easy as possible for any 1337 hacker to get in ;)
BOFH139
06-12-2008, 06:24 AM
After you clean your Win2K box, I'd run CloneZilla (http://gpartedclonz.tuxfamily.org/) or VMWare Converter (http://www.vmware.com/products/converter/) and create a base image you can revert to.
Also have a look at AutoPatcher 2000 (http://www.autopatcher.com/autopatcher2000/) so you can patch the box to whatever level you want without putting it on the network ;)
cormega
06-12-2008, 06:59 AM
I decided to re-install to have a completely spyware-free machine to put online. All that's left for me now is to check out Sebek like the_rooster suggested, get snort_inline up and running on the bridge and get a tcpdump going there as well. I'm hoping that I can finish all of this today and put the system online because I'm getting somewhat impatient here :)
But thanks for the replies. When I'm done reinstalling I will put Spybot on the W2K box to avoid most of the bot traffic, but that's all. Like Tron says, I don't wanna give the 1337s too much trouble :)
And I will definitely check out CloneZilla and VMWare Converter as well; those sound like some really useful tools for a project like this, considering I'll have to reinstall each time I move the project to the next stage.
EDIT:
Progress is a slow process indeed ;)
the_rooster is giving me great help via PM to understand his scripts better and make everything right. However, a power failure set me back yesterday and I did not get to do half of what I expected, so I'm still not quite ready to put the honeynet online. But I'm gonna focus all my time and energy this weekend on this project and hopefully I will have a nice little honey running by tomorrow or Sunday :)
UPDATE:
Just a quick status update here. I'm pretty far behind my planned schedule due to some unforeseen setbacks, but I'm not too far away from setting the project online either.
What I've done so far:
put snort_inline on my bridge box
adopted the firewall script the_rooster posted on page 2 and also the stop/start script he made for snort & iptables
put sebek on the w2k box
put sebek on the bridge (not completely configured yet)
I reinstalled W2K on the box and installed Spybot to avoid annoying spam bot traffic.
installed 3 NICs on my bridge; one is dedicated for SSH, the other two are for the bridge
What still needs completion:
sebek configuration on host & guest
fine tuning the_rooster's scripts, as they are not written for BT3 (the first script works fine (almost) but the second script gives an error in the line where it tries to run /lib/lsb/linitfunctions, as this is not the proper path for BT3 or it might not be on BT3 at all. I'm not sure what initfunctions is, so this part remains to be resolved)
write the forensic script that I'm supposed to run on the W2K box before it's put online; half of this job is done already and I don't expect any major challenges here
On top of this I'm having some issues with the firewall script the_rooster supplied me with: when I run it, it blocks any incoming/outgoing connections because of the iptables rules. I thought this would not be the case once snort_inline was in place, but it still is. Even the eth2 NIC I've dedicated for SSH sessions is blocked, so I can't control the bridge remotely either. Hope to work this out soon.
Anyway, that was an update for those of you that are following this thread. I know I said I would have the honeypot online by now, but, well, I'm not that skilled with Linux/BT3 yet, so I've had a lot of unnecessary setbacks that would not be an issue if I knew my way around Linux a bit better.
But I'm hoping that working on this project will help me along the way :)
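Two things in this thread come together in the bridge box's firewall script: the_rooster's rule that the honeypot may send only Sebek UDP/1101 to the third interface and nothing else, and the two problems in the update above, the missing /lib/lsb/init-functions file on BT3 and a rule set that locks the administrator out of the eth2 management NIC. The start/stop wrapper below is an added example written for this page, not the_rooster's script and not part of BackTrack or Honeywall. Interface names (eth2, br0), the management and honeypot addresses and the collector address are assumptions; by default it runs dry, printing the iptables commands it would issue, and only applies them when invoked with IPT=iptables.

```shell
#!/bin/sh
# Added example (not the_rooster's script): start/stop wrapper for the
# bridge box firewall. Two points it demonstrates:
#  1. Do not depend on /lib/lsb/init-functions being present. Debian-style
#     systems have it, Slackware-based BackTrack 3 does not, so fall back to
#     plain shell helpers when the file is missing.
#  2. Rule order matters. The management NIC's SSH rule and the Sebek
#     collector rule go in before the default policies flip to DROP, so the
#     bridge stays reachable and the honeypot can reach nothing else on it.
# Interface names and addresses below are assumptions for this example.

MGMT_IF=${MGMT_IF:-eth2}                  # dedicated SSH / Sebek collector NIC
MGMT_IP=${MGMT_IP:-10.0.0.1}              # address on MGMT_IF (assumed)
BRIDGE_IF=${BRIDGE_IF:-br0}               # bridge built from eth0 and eth1 (assumed)
HONEYPOT_IP=${HONEYPOT_IP:-203.0.113.10}  # W2K honeypot, documentation range
SEBEK_PORT=1101                           # UDP port named in the thread
IPT=${IPT:-"echo iptables"}               # dry run by default; IPT=iptables applies

# Point 1: use the LSB helpers when they exist, otherwise define minimal ones.
if [ -r /lib/lsb/init-functions ]; then
    . /lib/lsb/init-functions
fi
if ! command -v log_daemon_msg >/dev/null 2>&1; then
    log_daemon_msg() { printf '%s' "$*"; }
fi
if ! command -v log_end_msg >/dev/null 2>&1; then
    log_end_msg() {
        if [ "$1" -eq 0 ]; then echo " ... ok"; else echo " ... failed"; fi
        return "$1"
    }
fi

# Point 2: exceptions first, default policies last.
firewall_start() {
    log_daemon_msg "Loading bridge firewall rules"
    $IPT -F
    $IPT -X
    # Management path: loopback, SSH in on the management NIC, replies out.
    # With these in place the DROP policies below cannot lock the admin out.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$MGMT_IF" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i "$MGMT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -o "$MGMT_IF" -j ACCEPT
    # Sebek: the honeypot may deliver UDP/1101 to the collector address on the
    # management NIC. Anything else it sends to the bridge box itself falls
    # through to the DROP policy.
    $IPT -A INPUT -i "$BRIDGE_IF" -p udp -s "$HONEYPOT_IP" -d "$MGMT_IP" --dport "$SEBEK_PORT" -j ACCEPT
    # Traffic crossing the bridge is handed to snort_inline via QUEUE. It only
    # reaches iptables when net.bridge.bridge-nf-call-iptables is enabled.
    $IPT -A FORWARD -j QUEUE
    # Default policies go last, after the exceptions above are in place.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    log_end_msg 0
}

firewall_stop() {
    log_daemon_msg "Flushing bridge firewall rules"
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -F
    $IPT -X
    log_end_msg 0
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
    *)     echo "usage: $0 {start|stop}   (dry run; set IPT=iptables to apply)" ;;
esac
```

Run it once without IPT set and read the printed rules before applying them; the SSH ACCEPT on the management NIC must appear above the INPUT DROP policy, and the honeypot's only ACCEPT into the bridge box must be the UDP/1101 line.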
cormega
06-20-2008, 05:53 AM
DOH'!!
So this is my last day of work before going on a 14 day vacation.
I was REALLY hoping to get the honeynet up and running by now but I've been somewhat busy and I have also met some challenges along the way which kinda messed up my timeframe.
HOWEVER, I have completed a lot of the things that needed doing so when I get back from work, at least I won't have to do much to complete the first stage.
For those of you who are interested, I found a great tutorial site which contains tutorials for setting up a bridge box with snort_inline etc...
Check out www.openmaniak.com; they have a lot of different tutorials there which are quite simple to follow.
As for me, I have bought THIS (http://www.amazon.co.uk/Virtual-Honeypots-Tracking-Intrusion-Detection/dp/0321336321/ref=sr_1_1?ie=UTF8&s=books&qid=1213956009&sr=8-1) book and I hope to get through most of it during my vacation time.
So even though I may have had to delay this project for a while now, I won't give it up.
Stay tuned in about 2-3 weeks and I'll post more updates here and start a status thread for the honeypot once it's up and running.
cormega
07-30-2008, 09:27 AM
Am I behind schedule or what? :(
Well, just to keep you guys posted, I have NOT given up this project at all but I have had other things on my mind for the last couple of weeks.
I am currently reading up on honeynets in a book called "Virtual Honeypots - from botnet tracking to intrusion detection" to make sure that I won't forget everything I've learned so far while I wait for the time to get back to work on this project.
I will continue with status updates etc. once I'm back at it.
secure_it
07-30-2008, 05:27 PM
Here is a pre-built VMWare Honeyd on Fedora 7 to get you started:
http://www.vmware.com/appliances/directory/1231
Also, I know it's not a honeypot, but have a look at B.A.S.E & OSSIM; there was a long thread on here about it ~3-4 months ago. They are IDS systems and you could place them in front of your honeypot system.
By "in front" you mean it acts as an IPS, which is when it works in inline mode, but an IDS can be placed anywhere, because it will get a copy of each packet destined for the internal host, thus generating an alarm and taking action, such as requesting a block or reset, based on the configured action.
cormega
07-31-2008, 06:49 PM
OK, after reading a book called Virtual Honeypots, I've somehow decided to start with a virtual honeypot :P
I will launch this after 8 hours of sleep and a couple of hours more of work :) I will start off with a VM image of a Win 2000 machine and I will log all traffic and keystrokes on the machine. I will also limit outgoing traffic and block a lot of the common ports, both incoming and outgoing, to avoid worm traffic to and from the honeypot.
Once online I will create a thread in this sub forum and post the status, results etc., and keep this thread going when it comes to issues regarding the implementation and set-up of honeypots.
I have also created a blog for this project, The HoneyProject (http://honeyproject.blogspot.com), which will also be used to post info about this and other honeynet projects I will start in the future. At first I wanted to create a website, but I decided that it would be too much work to create and maintain, so I went the easy route and got myself a blogspot :)
cormega
08-05-2008, 06:09 AM
OK, so my HDD totally crashed at the worst possible time last week (if you read my blog you can see a more detailed description of the incident there) and I haven't had the time to work any more on the project until now.
On the other hand, though, Lance Spitzner from www.honeynet.org tipped me about their mailing list, which I joined instantly, and I have received a lot of useful tips from the users there already.
Now my plan is to implement a complete honeynet on one machine using VMWare ;)
Since I got the W2K VM host all ready and installed, I need to install Honeywall as a VM on the same host machine, get the config right and hopefully I can get this thing up and running soon :)
I have also made some minor changes on my blog (http://honeyproject.blogspot.com), with links both to this forum and to the remote exploit main site to raise awareness about this community and the BackTrack distro.
streaker69
08-05-2008, 08:16 AM
OK, so my HDD totally crashed at the worst possible time last week (if you read my blog you can see a more detailed description of the incident there) and I haven't had the time to work any more on the project until now.
On the other hand, though, Lance Spitzner from www.honeynet.org tipped me about their mailing list, which I joined instantly, and I have received a lot of useful tips from the users there already.
Now my plan is to implement a complete honeynet on one machine using VMWare ;)
Since I got the W2K VM host all ready and installed, I need to install Honeywall as a VM on the same host machine, get the config right and hopefully I can get this thing up and running soon :)
I have also made some minor changes on my blog (http://honeyproject.blogspot.com), with links both to this forum and to the remote exploit main site to raise awareness about this community and the BackTrack distro.
If you have a choice of OS to run as a VMware session for your honeypot, you should choose something like Win98 or WinME. :)
cormega
08-05-2008, 08:31 AM
LOL, sorry, I see I've mistyped the previous post a bit. My host OS is XP, but on that host I have set up a guest VM with an unpatched Windows 2000 Professional...
But Win ME and 98 would most definitely be a good addition if I really want to attract some bad traffic ;)
streaker69
08-05-2008, 09:13 AM
What you need to do is set it up so that if they get a remote shell they get this:
http://www.computerbrains.com/ccs64/
cormega
08-05-2008, 10:00 AM
What you need to do is set it up so that if they get a remote shell they get this:
http://www.computerbrains.com/ccs64/
Hahaha, that would be sweet. However, it wouldn't be the same without a live camera feed of the reaction of whoever maintains access and suddenly finds themselves at a C64 prompt :p
cormega
08-06-2008, 03:26 PM
Ahhh, I finally got a virtual honeypot working fine using a host machine with VMWare, one Windows 2000 Professional guest machine and one Honeywall guest machine.
I will continue this thread as a Q&A thread for honeypots, and I'm about to create a status thread in this same sub forum as well.
The project kind of ended up with me creating a blog about my honeypot attempts called "The Honeyproject" (http://honeyproject.blogspot.com), and I plan to keep it going and updated with relevant info and news. After a while I'll have a go at authoring some pretty thorough HOWTOs as well, after gaining some more knowledge and experience on this particular topic.
So to follow my status you can either check out the thread I'm about to start or drop by my site once in a while (I'd appreciate some traffic ;) )
=Tron=
08-06-2008, 03:34 PM
So to follow my status you can either check out the thread I'm about to start or drop by my site once in a while (I'd appreciate some traffic ;) )
I have silently been following the progress of your honeypot project since the very beginning and will make sure to keep myself updated through both your blog and the future thread. It seems to be developing into quite an interesting project and I hope you will find the time to keep posting both the problems you run into and, hopefully, the results you should soon start to get.
cormega
08-06-2008, 03:42 PM
Thank you for your reply and support Tron :) My plan is to finally author a couple of thorough guides to honeywall set-up and forensics.... once I reach a certain level of knowledge myself :)
I have been really excited about this for a long while, but I had some setbacks in the beginning which stalled it for a little while.
But now I'm really psyched about finally getting somewhere and you can expect regular status updates etc from now on :)
STATUS THREAD : http://forums.remote-exploit.org/showthread.php?t=16020
cormega
08-08-2008, 09:19 AM
Just a quick question about my set-up.
I have now gone and installed a W2K3 Enterprise Server as my primary honeypot. I have also patched it to raise the level of security (to avoid SQL worms, which pwnd my W2K box in 1 min).
But I feel that my box should be somewhat vulnerable as well so that it will look appealing to anyone who decides to check it out. How can I make this happen?
I have, for instance, opened it for telnet and HTTP access, but I haven't configured any services running on these ports yet.
My point is that I don't want my honeypot to be so secure that anyone checking it out won't bother trying, but I don't really want it to be too vulnerable either, because the last thing I want is to get infected by a worm or something boring like that.
One last thing: is there anything I can do to make my server more "visible"? Right now I'm just waiting for someone to discover it and try to access it somehow, but that won't happen overnight, to say the least, so I was wondering if there was something I could do to "promote" my honeypot box to make my "target audience" aware of its existence etc.?
Thorn
08-08-2008, 10:28 AM
But I feel that my box should be somewhat vulnerable as well so that it will look appealing to anyone who decides to check it out. How can I make this happen?
...
My point is that I don't want my honeypot to be so secure that anyone checking it out won't bother trying, but I don't really want it to be too vulnerable either, because the last thing I want is to get infected by a worm or something boring like that.
Leave something attractive for the attackers, and place it in directories where they can find it. A /public directory is a good choice, and for file types the two obvious choices are financial data and pr0n. Make or download some XLS spreadsheets and name them things like "Credit Card Accounts" or "Income Tax Summaries 2007". You might want to add in some boring generic word processing documents, too, just so it looks real. Changing things like the write dates will make it look more realistic, too.
I'll leave downloading pr0n to you ;) although I'd suggest that be in a subdirectory of a user's /home directory. Not too many users will store pr0n in a /public directory.
The point is to keep it realistic and interesting enough that the attacker actually spends some time working it, but not so over the top that it's an obvious fake. Files with financial data are good; files named like "Stolen Nuclear Missile Codes", not so much.
streaker69
08-08-2008, 10:35 AM
Leave something attractive for the attackers, and place it in directories where they can find it. A /public directory is a good choice, and for file types the two obvious choices are financial data and pr0n. Make or download some XLS spreadsheets and name them things like "Credit Card Accounts" or "Income Tax Summaries 2007". You might want to add in some boring generic word processing documents, too, just so it looks real. Changing things like the write dates will make it look more realistic, too.
I'll leave downloading pr0n to you ;) although I'd suggest that be in a subdirectory of a user's /home directory. Not too many users will store pr0n in a /public directory.
The point is to keep it realistic and interesting enough that the attacker actually spends some time working it, but not so over the top that it's an obvious fake. Files with financial data are good; files named like "Stolen Nuclear Missile Codes", not so much.
Just to build on that.
Budget Reports, Purchase Orders, Expense Reports, Financial Summaries, General Ledgers, Employee Personnel Files. You'll want a smattering of PDFs, GIFs, JPGs and such.
Just don't throw everything into one directory. A server would have things broken down: Financial, Human Resources, Engineering, Production, Customer Service and such...
You want to lure them in, force them to browse around looking for things. Another trick is to reduce the bandwidth to the device, so that it takes some time to browse around. The longer they're there, the more you can collect on them.
Thorn
08-08-2008, 10:58 AM
Just to build on that.
Budget Reports, Purchase Orders, Expense Reports, Financial Summaries, General Ledgers, Employee Personnel Files. You'll want a smattering of PDFs, GIFs, JPGs and such.
Just don't throw everything into one directory. A server would have things broken down: Financial, Human Resources, Engineering, Production, Customer Service and such...
You want to lure them in, force them to browse around looking for things. Another trick is to reduce the bandwidth to the device, so that it takes some time to browse around. The longer they're there, the more you can collect on them.
Agreed. Of course, it also depends somewhat on whether you're attempting to make the honeypot look like a home user or a business. Give a little forethought as to what form your fictional victim will take, and then create files that are consistent with that idea.
Home users tend to be careless ("I'm too small, no one would want my data") while companies tend to be a little more clued in about security problems. On the other hand, companies have larger, more complex systems, with the kind of directory structure streaker outlined, which may be more vulnerable due to a skipped setting or other misconfiguration.
cormega
08-08-2008, 11:01 AM
Thanks guys, great tips. I will definitely take note of these and get to it soon.
But should I just create a drive on the server to make it appear like a shared public network station used for storage, or should I take it one step further and implement users with profiles and add those types of files to each user's profile folder?
I must admit I'm more tempted by creating a public drive and breaking it down into several folders like streaker suggests, to make it simple. However, should the public folder be shared in some way so people will be able to browse them?
cormega
08-08-2008, 11:03 AM
Agreed. Of course, it also depends somewhat on whether you're attempting to make the honeypot look like a home user or a business. Give a little forethought as to what form your fictional victim will take, and then create files that are consistent with that idea.
Home users tend to be careless ("I'm too small, no one would want my data") while companies tend to be a little more clued in about security problems. On the other hand, companies have larger, more complex systems, with the kind of directory structure streaker outlined, which may be more vulnerable due to a skipped setting or other misconfiguration.
I have been planning to make it appear as a small business network, and not a home network. I figure that this will be more interesting to anyone who might take a look..
streaker69
08-08-2008, 11:05 AM
Thanks guys, great tips. I will definitely take note of these and get to it soon.
But should I just create a drive on the server to make it appear like a shared public network station used for storage, or should I take it one step further and implement users with profiles and add those types of files to each user's profile folder?
I must admit I'm more tempted by creating a public drive and breaking it down into several folders like streaker suggests, to make it simple. However, should the public folder be shared in some way so people will be able to browse them?
You could make a /profiles directory and share it with user names inside, but when you create the user directories inside the /profiles directory edit permissions and remove all rights to those directories. That would actually emulate how it's really done. When AD creates a profiles directory for a user, only that user normally has rights to it. Even the admin normally cannot get into it without granting himself rights or taking ownership of it.
The point of this is to make it look like a File Server with the directory structure there, but they won't be able to browse through anything. Then you leave your 'Trap' share just waiting to be exploited.
cormega
08-08-2008, 11:08 AM
You could make a /profiles directory and share it with user names inside, but when you create the user directories inside the /profiles directory edit permissions and remove all rights to those directories. That would actually emulate how it's really done. When AD creates a profiles directory for a user, only that user normally has rights to it. Even the admin normally cannot get into it without granting himself rights or taking ownership of it.
The point of this is to make it look like a File Server with the directory structure there, but they won't be able to browse through anything. Then you leave your 'Trap' share just waiting to be exploited.
Point taken :)
I'll go for your solution and emulate a file server with user profile storage etc. I might even throw in an open /public folder as well and create some intriguing sub-folders to which I will deny access.
Thorn
08-08-2008, 11:12 AM
Thanks guys, great tips. I will definitely take note of these and get to it soon.
But should I just create a drive on the server to make it appear like a shared public network station used for storage, or should I take it one step further and implement users with profiles and add those types of files to each user's profile folder?
I must admit I'm more tempted by creating a public drive and breaking it down into several folders like streaker suggests, to make it simple. However, should the public folder be shared in some way so people will be able to browse them?
Directories that are set up for "public use" are usually made to be browsed by the users, so that would be normal, as would setting up different privileges for the users on a Win2003 server.
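The decoy layout streaker69 and Thorn describe, as an added example written for this page (not from any poster in the thread): department folders under Public with plausible, backdated office files, and a Profiles folder whose per-user subfolders have every permission removed, so the file-server structure shows but nothing in it can be browsed. Department and file names are the ones suggested in the posts; the user names, file sizes and dates are constructed. It is POSIX sh, so chmod 000 stands in for removing the ACL entries on the Win2003 box, and the tree can be staged on the bridge box or used directly for a Linux honeypot.

```shell
#!/bin/sh
# Added example, not from the thread: build a decoy file-server tree of the
# kind streaker69 and Thorn describe. Public/ holds department folders with
# plausible, backdated office files; Profiles/ holds one folder per fictional
# user with all permissions removed, so the structure is visible but not
# browsable. Department and file names follow the thread; user names, sizes
# and dates are constructed for this example.
# POSIX sh: chmod 000 stands in for the NTFS "remove all ACL entries" step.

DEPARTMENTS="Financial:Human Resources:Engineering:Production:Customer Service"
USERS="jsmith mgarcia akhan"     # constructed fictional users

# write_decoy FILE KILOBYTES YYYYMMDDhhmm
# Fills FILE with random bytes (a directory listing shows only name, size and
# date, so real spreadsheet content is not needed) and backdates it.
write_decoy() {
    dd if=/dev/urandom of="$1" bs=1024 count="$2" 2>/dev/null
    touch -t "$3" "$1"
}

# build_decoy_tree ROOT: creates ROOT/Public/<dept>/... and ROOT/Profiles/<user>
build_decoy_tree() {
    root=$1
    old_ifs=$IFS
    IFS=:
    for dept in $DEPARTMENTS; do
        mkdir -p "$root/Public/$dept"
    done
    IFS=$old_ifs

    # The bait: names from the thread, mixed with boring filler so the share
    # does not look staged. Sizes in KiB, timestamps spread across 2007.
    write_decoy "$root/Public/Financial/Credit Card Accounts.xls"           148 200702130931
    write_decoy "$root/Public/Financial/Income Tax Summaries 2007.xls"      212 200712211105
    write_decoy "$root/Public/Financial/Budget Report Q3.xls"                96 200710021748
    write_decoy "$root/Public/Financial/General Ledger 2007.xls"            412 200712281612
    write_decoy "$root/Public/Human Resources/Employee Personnel Files.doc" 230 200706180852
    write_decoy "$root/Public/Human Resources/Expense Report Form.pdf"       61 200703051415
    write_decoy "$root/Public/Engineering/site-plan.gif"                     78 200711271622
    write_decoy "$root/Public/Production/Purchase Orders 2007.xls"          187 200709121004
    write_decoy "$root/Public/Customer Service/Meeting Notes.doc"            22 200708080930

    for u in $USERS; do
        mkdir -p "$root/Profiles/$u"
    done

    # Backdate the directories after the files are in place; creating files
    # bumped their mtime, and a tree where every folder is minutes old gives
    # the game away. Done before locking the profile folders so find can
    # still descend into them.
    find "$root" -type d -exec touch -t 200801071200 {} +

    # Per-user profile folders exist but grant nothing, as AD-created profile
    # directories normally do for anyone but the owner.
    for u in $USERS; do
        chmod 000 "$root/Profiles/$u"
    done
}

# locked_dir DIR: true when no permission bit is set on DIR
locked_dir() {
    [ "$(ls -ld "$1" | cut -c2-10)" = "---------" ]
}

case "${1:-}" in
    build) build_decoy_tree "${2:-./decoy}" && echo "decoy tree written to ${2:-./decoy}" ;;
    *)     echo "usage: $0 build [ROOT]" ;;
esac
```

Check the result with `ls -lR` before sharing it: the Public files should carry 2007 dates and varied sizes, and the Profiles subfolders should list but refuse entry.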
cormega
08-08-2008, 11:57 AM
OK, so I created both a Public and a Profiles folder which both are readable - but the subfolders are locked so I'm one step closer to making this box look legit.
How about the Windows firewall settings in Win2003 server? Should I do something specific here to make the box look appealing to anyone? I have allowed incoming ICMP requests - but denied all outgoing...
Anything else I should think of?
cormega
08-11-2008, 05:08 AM
BTW, by running my entire honeynet in VMWare I have used the following set-up for my honeywall:
ETH0 - bridged interface
ETH1 - Host only interface
ETH2 - NAT interface.
ETH0 and ETH1 are bridged and work like a switch, providing the other box I currently run in VMWare with connectivity to the internet.
ETH2 is set up as a NAT'ed interface on a local VMWare subnet (192.168.101.0) for me to be able to access the Honeywall's "Walleye" web GUI through the IP on that interface.
But I still don't have any internet connectivity on my honeywall :/ I would love to be able to download snort update rules etc.. but as of this moment, I can't work it out.
Any tips?
vBulletin® v3.7.3, Copyright ©2000-2008, Jelsoft Enterprises Ltd.