nexusnode
February 7th, 2013, 10:07 PM
Hey everyone!
First of all, thank you to everyone who reads or answers!
I am playing with honeyd for a little "weekend project" and I have it up and running, but I am getting some off behaviour that I wanted to check by someone. I have looked round the net but I can't find anything relevant; I don't know whether I am unique to my problem or, possibly more likely, that I just can't define the search terms well enough to get the right results.
I run Ubuntu 12.10 on my laptop, on which I have VMware Player (5.0.1 build-894247) installed. In VMware Player I have an Ubuntu 12.04.1 Server installed.
In the VM I have HoneyD compiled from source and installed from https://github.com/DataSoft/Honeyd as of a few days ago.
My configuration is pretty simple - at this stage I am only testing really:
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create windows
set windows default tcp action block
set windows default udp action block
set windows default icmp action allow
set windows personality "Microsoft Windows XP Professional SP3"
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet "00:0c:38:8d:8c:17"
dhcp windows on eth0
and my honeyd init command is:
sudo honeyd -d -f honeyd.conf 192.168.1.10-192.168.1.190
Just to be clear, I know that the DHCP in this network will give me an IP at roughly the .100 mark.
The only other thing to note is that for VMware Player to allow the VM to use promiscuous mode I have also run this command:
sudo chmod a+rw /dev/vmnet0
So that lot should be pretty standard. Maybe a little boring, but it would (and for the most part does) work:
Honeyd V1.6a Copyright (c) 2002-2007 Niels Provos
honeyd[1053]: started with -d -f honeyd.conf 192.168.1.10-192.168.1.190
honeyd[1053]: listening promisciously on eth0: (arp or ip proto 47 or [and so on]
honeyd[1053]: [eth0] trying DHCP
honeyd[1053]: Demoting process privileges to uid 65534, gid 65534
honeyd[1053]: [eth0] got DHCP offer: 192.168.1.113
honeyd: Error opening the DHCP IP address dump file: Bad address
honeyd[1053]: Updating ARP binging: 00:0c:38:18:4f:a5 -> 192.168.1.113
And here is the weird bit. On a third machine, i.e. completely separated from the virtual host and virtual machine, I run an nmap against the IP address that the honeypot has got (192.168.1.113) and it tells me that every single port is open...
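One way to compare a scan result with what the configuration in the post should expose, as an added example that is not part of the original post and is not honeyd's own code. The mapping from honeyd actions to scanner states and the `OBSERVED` sample are assumptions constructed for illustration.

```python
# The poster's honeyd.conf, copied from the post above.
HONEYD_CONF = """\
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create windows
set windows default tcp action block
set windows default udp action block
set windows default icmp action allow
set windows personality "Microsoft Windows XP Professional SP3"
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet "00:0c:38:8d:8c:17"
dhcp windows on eth0
"""

# Assumption: the state a port scanner typically reports for each honeyd action.
ACTION_TO_SCAN_STATE = {"open": "open", "reset": "closed", "block": "filtered"}

# Constructed sample of the "every port is open" symptom: {tcp port: reported state}.
OBSERVED = {22: "open", 80: "open", 135: "open", 139: "open", 445: "open", 3389: "open"}

def parse_templates(conf):
    """Return {template: {"default": {proto: action}, "ports": {(proto, port): action}}}."""
    templates = {}
    for line in conf.splitlines():
        w = line.split()
        if len(w) == 2 and w[0] == "create":
            templates[w[1]] = {"default": {}, "ports": {}}
        elif len(w) == 6 and w[0] == "set" and w[2] == "default" and w[4] == "action":
            templates[w[1]]["default"][w[3]] = w[5]
        elif len(w) >= 6 and w[0] == "add" and w[3] == "port":
            templates[w[1]]["ports"][(w[2], int(w[4]))] = w[5]
    return templates

def expected_state(templates, name, proto, port):
    """State a scan should report: a per-port rule wins over the protocol default."""
    t = templates[name]
    action = t["ports"].get((proto, port)) or t["default"].get(proto)
    if action is None:
        return "unspecified"
    return ACTION_TO_SCAN_STATE.get(action, "open")  # any other action is treated as open

def mismatches(templates, name, observed, proto="tcp"):
    """Return [(port, expected, seen)] for every scanned port that disagrees with the config."""
    rows = [(p, expected_state(templates, name, proto, p), s) for p, s in sorted(observed.items())]
    return [r for r in rows if r[1] != r[2]]
```

Ports 135, 139 and 445 agree with the `windows` template, so only the ports that should fall under the `block` default are returned; replies on those ports are not what that template describes.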