April 2004

Honeypots for Windows

Distract intruders away from your legitimate resources

Honeyd-WIN32
Honeyd-WIN32 is the Windows-ported version of Honeyd, the open-source darling of the UNIX honeypot world. Written by Niels Provos in 2002 as a low-interaction UNIX/Linux honeypot, Honeyd enjoys widespread support, a fairly extensive feature set, demonstrated scalability, and a moderately active development community. (For more information about the original Honeyd for UNIX/Linux, go to http://www.honeyd.org.) In 2003, Michael Davis created the open-source Windows version of Honeyd. Honeyd is currently in version 0.8, whereas Honeyd-WIN32 hasn't been updated since version 0.5. Although Honeyd-WIN32 lacks a user-friendly GUI, its price (free) and features make it a popular choice among honeypot administrators.

Unlike the other honeypots in this review, Honeyd-WIN32 can partially emulate hundreds of OSs at the IP stack level. In Honeyd-WIN32 lingo, the OS IP stack being emulated is called a personality. Honeyd-WIN32's IP stack emulation lets it mimic Address Resolution Protocol (ARP), Internet Control Message Protocol (ICMP), TCP, and UDP packets at a level that its competitors can't. The ability to simulate TCP flags, Time to Live (TTL) settings, timestamps, network latency, and routing paths lets Honeyd-WIN32 simulate more realistic scenarios at the network level. Honeyd-WIN32 achieves this simulation by mapping its lower-layer responses to the OS fingerprinting databases of Xprobe2 (a fingerprinting utility by Fyodor Yarochkin and Ofir Arkin) and Insecure.org's Network Mapper tool (Nmap), instead of letting the underlying host OS respond. This feature is important because, for example, if the host computer is running Win2K Server and the honeypot is emulating Windows NT Server 4.0, the intruder might notice the minor IP stack discrepancies that exist. To accomplish the IP stack emulation, Honeyd-WIN32 requires an IP network address that's different from that of the host computer. This requirement significantly complicates new installations for most users and involves setting up static routes on the host.

Honeyd-WIN32 is extremely flexible. One instance of it can emulate one or more OS personalities, thousands of IP addresses, and thousands of ports. The OSs that Honeyd-WIN32 can emulate include every flavor of Windows, UNIX, Linux, Sun Microsystems' Sun Solaris, FreeBSD, and Cisco Systems' IOS Software. Honeyd-WIN32 can support any number of UDP and TCP ports, each of which you can configure to be open, closed, or blocked (as if a firewall is involved). You can even have the honeypot respond with an emulated service. Using any scripting language that the host supports, you can employ scripts or compiled programs to create services beyond simple port listeners. The scripted services ensure that intruders won't be compromising additional real hosts from within the honeypot.

Installing Honeyd-WIN32 can be a bear. Before you can run Honeyd-WIN32, you must install WinPcap (free packet-capture architecture for Windows at http://winpcap.polito.it) so that Honeyd-WIN32 can interact with arriving packets before the underlying host IP stack does. After installing Honeyd-WIN32, you must create a text configuration file that tells Honeyd-WIN32 the personalities to load, the ports and services to offer, and the states of those ports and services. You can download and install already created service scripts, most of which are written in Perl or the UNIX/Linux shell-scripting languages. You have to install the scripting environments and engines needed to support the language used in the selected service script.
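The configuration file described above, as an added example that is not from the article or the Honeyd project. It assumes the personality string matches an entry in the nmap.prints file shipped with Honeyd exactly, that Perl is installed on the host, and that the script path and the 192.168.1.200 address are placeholders chosen for this example.

```text
# Constructed honeyd.conf for Honeyd-WIN32 (assumed file name).
# Assumed start-up on the host: honeyd -f honeyd.conf -p nmap.prints 192.168.1.200

# Template whose IP stack answers as an NT 4.0 server (string must match nmap.prints)
create ntserver
set ntserver personality "Microsoft Windows NT 4.0 Server SP5-SP6"

# Unlisted ports: reset = closed (RST back), block = as if a firewall dropped the probe
set ntserver default tcp action reset
set ntserver default udp action block

# Simple listeners: the handshake completes but no application data is served
add ntserver tcp port 135 open
add ntserver tcp port 139 open
add ntserver udp port 137 open

# Emulated service: port 80 is handed to a Perl script run by the host's interpreter;
# the script sees the connection on stdin/stdout, so it is contained within the honeypot
add ntserver tcp port 80 "perl scripts/web.pl"

# A port that looks firewalled rather than closed
add ntserver tcp port 21 block

# Bind the template to an address that differs from the host's own address
bind 192.168.1.200 ntserver
```

Ports you leave out inherit the template defaults, so an Nmap scan of 192.168.1.200 sees a small NT 4.0-like service set rather than the host's real Win2K stack.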

You should also install an IDS (to detect and provide alerts for security events) and a packet sniffer (to capture network packets). Most Honeyd-WIN32 administrators use the open-source Snort system (http://www.snort.org) for the IDS and the free Ethereal software (http://www.ethereal.com) for the packet sniffer. As with any open-source solution, installation errors are easy to make and troubleshooting them can make reading Windows event log messages seem fun. To complicate matters, because Honeyd-WIN32 is a ported product, you don't always know whether the problem is with Honeyd in general or only the ported version.

Besides the complex installation, the biggest downside of Honeyd-WIN32 is that it's a low-interaction honeypot with no complex Windows services emulations. Although Honeyd-WIN32 excels on the network layer, it falls short on the application layer. If you want to mimic a Windows computer, you must determine which ports to offer and develop (or find) appropriate scripts. Although Honeyd-WIN32 is useful for capturing an intruder's initial investigations, it won't keep an intruder busy for very long if you don't include fully simulated applications and emulated data sets.

Honeyd-WIN32's real-time logging activities are limited to summarized packet and connection information displayed in the command console, as Figure 1 shows. Honeyd-WIN32 stores this same information, sometimes with more detail, in a text-based log file. Each scripted service can also have a separate, specialized log to capture even more related information.

Honeyd-WIN32 is the most popular Windows honeypot in use today. Other honeypot vendors support its scripts and have attempted to copy its feature set. Unfortunately, like most powerful open-source tools, Honeyd-WIN32 takes a fair amount of text-based configuration and patience to install and use. Even then, its lack of complex scripted services and lack of Windows-specific configuration options dampen its overall use as a full-featured honeypot.


Honeyd-WIN32 0.5
http://www.securityprofiling.com/honeyd/honeyd.shtml
PRICE: Free
DECISION SUMMARY
PROS: Free; excels at the network layer; highly customizable
CONS: Difficult to configure; not up-to-date; no complex Windows services emulations yet available




Reader Comments
Friendly Print Version would be NICE!

Hell March 31, 2004


The honeypots that cost money should be cheaper/free for home users that want to research/learn about such things

browolf April 30, 2004


 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing