Honeypots mailing list archives

Windows Honeypot Help


From: Ted <padmin () adelphia net>
Date: 16 Feb 2004 12:09:09 -0000



Hello,

  Bottom line up front, I'm looking for some kind of script/software combination that will allow me to emulate services 
and log interaction with those fake services on a Win2k honeypot. Now for some details.

  I've been wanting to create a honeypot for quite a while now in order to do some personal research on tools and 
methodologies used by hackers in the wild. Recently, I decided to go ahead and do it. In preparation, I read Lance 
Spitzner's book and did some research on the net to gain perspective on the various aspects of honeypot development and 
deployment.

  With that under my belt, I installed a commercial demo on my windows machine in order to get a reasonable 
understanding of commercial honeypot technology as well as a firsthand knowledge of the frequency of threats. The 
results of the exercise were impressive from both standpoints. However, due to limited flexibility and high cost of 
commercial honeypots, I decided to create my own honeypot using freeware available on the net. It is my belief that 
this approach will lead to a considerably better understanding of the subject and an enhanced ability to react/study 
various aspects.

  In light of that, I gathered up what appears to be the usual tools (i.e. Snort, Nmap, Netcat etc.) and configured 
things so that I can identify attacks, have basic logging capability and receive a call when they occur.

  The next phase for me is to incorporate some more interaction into my honeypot. Since I don't have any data controls 
in place, I want to stay with a low interaction solution, but I would like to have it emulate at least the banners for 
certain services and capture automated tool responses. 

  Initially, I thought this wouldn't be very difficult but after considerable searching I've decided that either I 
don't know how to search anymore (perish the thought) or the information isn't very available. My original premise - 
and current for that matter - was that the best solution would probably be a combination of nc and some sort of script. 
Maybe I'm barking up the wrong tree.

  So, for the immediate future, I'm going to study the nc documentation and maybe perl in hopes that I may figure it 
out. In the meantime though, if the list can comment and perhaps shorten the development time, I'd really appreciate 
it. If you're with me to this point here's what I'd like to hear about in no particular order:

  1) Is my current approach for banner emulation/interaction on track?
  2) If it is, does anyone know where there are examples of previous
     or current approaches that I can use to model a solution from?
  3) If I'm making this harder than it has to be, please advise.
  4) Any other comments you feel are appropriate.

  For my background, my last programming was done in Pascal many moons ago (but not so long that I couldn't pick up 
another language fairly quickly I believe). I have a passing acquaintance with Linux (which I suppose I'll try to use as 
a bridge when I put data control/remote logging etc. into the equation). Most of my familiarity has been with MS OSes 
(no comment required :)). I've done study on forensics and understand networking. 

  Sorry for the long post - it won't happen again - but I dislike it when someone asks a question and you don't know how 
to respond because they didn't identify the problem or their level of understanding very well. I'm trying not to cause 
the same thing.

  While I'm a fan of learning by doing, I'd still like to see some progress in the form of results along the way. I'm 
shooting for a Proof of Concept that I can tweak and learn from as events unfold.



  Thanks for your patience,
   Ted
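As an added example (not Ted's code and not something posted to the list), here is a minimal low-interaction listener in Python that does what the post asks for: it sends a fake banner on a service port, captures whatever the client sends next, and appends one JSON line per connection to a log file. The banners, hostnames and addresses are constructed placeholders, and the 64 KiB capture cap and 15-second timeout are assumptions chosen so that a scanner cannot fill the disk or tie up sockets.

```python
import socket
import threading
import json
from datetime import datetime, timezone

# Constructed example banners for a few services; not copied from any real host.
BANNERS = {
    21: b"220 honeypot-ftp FTP server (Version 4.0) ready.\r\n",
    25: b"220 honeypot-mail ESMTP ready\r\n",
    110: b"+OK POP3 server ready\r\n",
}
CAPTURE_LIMIT = 64 * 1024  # stop reading after 64 KiB so a flood cannot exhaust memory or disk

def make_entry(peer, port, data):
    """One JSON-serialisable record of what a client sent after the banner."""
    return {"time": datetime.now(timezone.utc).isoformat(), "src_ip": peer[0],
            "src_port": peer[1], "dst_port": port, "bytes": len(data),
            "data": data.decode("latin-1")}  # latin-1 never fails, so binary input is kept byte-for-byte

def handle_client(conn, peer, port, log_path=None):
    """Send the fake banner, capture what the client sends, close, and log it."""
    chunks, total = [], 0
    try:
        conn.sendall(BANNERS[port])
        conn.settimeout(15)  # automated tools answer quickly; do not hold sockets forever
        while total < CAPTURE_LIMIT:
            buf = conn.recv(4096)
            if not buf:
                break
            chunks.append(buf)
            total += len(buf)
    except (socket.timeout, OSError):
        pass  # a timeout or reset still yields a log entry for whatever was captured
    finally:
        conn.close()
    entry = make_entry(peer, port, b"".join(chunks))
    if log_path:
        with open(log_path, "a") as fh:
            fh.write(json.dumps(entry) + "\n")
    return entry

def simulate_session(port, client_bytes):
    """Exercise handle_client over an in-process socket pair (no network needed)."""
    server_side, client_side = socket.socketpair()
    client_side.sendall(client_bytes)
    client_side.shutdown(socket.SHUT_WR)  # client is done talking; server sees EOF
    entry = handle_client(server_side, ("192.0.2.10", 40000), port)  # constructed peer address
    banner = client_side.recv(4096)
    client_side.close()
    return banner, entry

def serve(port, log_path, bind="0.0.0.0"):
    """Listen on one emulated service port; each connection is logged as a JSON line."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(5)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle_client, args=(conn, peer, port, log_path), daemon=True).start()
```

Run one thread of `serve()` per port in BANNERS to cover several services at once; the JSON lines can then be fed to whatever alerting already wraps the Snort logs.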

   

