Honeypots mailing list archives

RE: honeyd win32 not responding to ping


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 17 Nov 2004 12:03:54 -0500

Common problem on the Windows version.  First, use Ethereal or some
other type of sniffer to verify that the traffic is getting to the host
machine, and to see if Honeyd is responding.

The problem is twofold:
1.  There is a known MAC address problem where Honeyd-Win32 cannot
respond back through a router.  Its porter, Michael Davis, is aware of
this and will fix the bug when he gets a few moments to spare from his
real job.

2.  Make sure you have the routing table set up on the host to be able to
route messages back out off the host.  Oftentimes, this takes setting
the default route to something other than the host machine's normal
default gateway.  I've had one or two previous responses to this same
issue last year with the exact ROUTE ADD examples.  Search on the mail
list for this same subject.  If you can't find it, email me back and I
will search on my side, find, and send.

My Honeypots for Windows book should be out within the next month.  It
has three chapters on Honeyd, including all the little bugs and how to
fix them.  But I'll gladly assist you as best I can for free.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of upcoming Honeypots for Windows (Apress)
***************************************************************************



-----Original Message-----
From: Jeff [mailto:jeffduh99 () hotmail com] 
Sent: Friday, June 25, 2004 11:59 PM
To: honeypots () securityfocus com
Subject: honeyd win32 not responding to ping



Hi all,

I am attempting to run Honeyd win32 on Windows XP and am having a bit of
trouble.  It appears that everything is running properly.  However, I am
unable to ping the honeypot.  Here is the setup.

create win2k
set win2k personality "Windows 2000 server SP2"
add win2k tcp port 80 "scripts/web.sh"
set win2k default tcp action reset
set win2k default udp action reset

bind 192.168.0.2 win2k
set 192.168.0.2 uptime 1327650

When I start honeyd with this command "honeyd.exe -d -f
c:\tools\honeyd\honeyd.conf -l c:\tools\honeyd\log\log.txt" I get this
response "listening on
\Device\NPF_{C3FF3A45-AC8E-48D5-8FD7-F4186D95A5A0}: ip  and not ether
src 00:e0:b8:6d:21:2d"

When I try to ping 192.168.0.2, it does not respond.  Any ideas about
where I'm going wrong?  Any help is appreciated.  Thanks,

Jeff
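
Added example, not part of the original e-mails: a Python triage of the sniffer check Roger describes, run over a text capture taken on the Honeyd host. The tcpdump/WinDump-style line format, the pinging address 192.168.0.10 and the function name triage are assumptions made for this example; only 192.168.0.2 comes from the thread.

```python
import re

# Matches tcpdump/WinDump-style ICMP echo lines (assumed capture format).
ICMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

def triage(lines, honeypot_ip):
    """Classify a capture taken on the Honeyd host for one honeypot IP.

    no-traffic    : no echo request for the honeypot reached the host
    no-reply      : requests arrived, Honeyd put no reply on the wire
    partial-reply : only some requests were answered
    replied       : every request was answered on the wire; if the pinging
                    machine still times out, the loss is on the return path
                    (the routing and router points in the reply above)
    """
    requests, replies = set(), set()
    for line in lines:
        m = ICMP_RE.search(line)
        if not m:
            continue  # ARP, TCP and anything else is ignored here
        key = (m["id"], m["seq"])
        if m["kind"] == "request" and m["dst"] == honeypot_ip:
            requests.add((m["src"], key))
        elif m["kind"] == "reply" and m["src"] == honeypot_ip:
            replies.add((m["dst"], key))
    if not requests:
        return "no-traffic"
    unanswered = requests - replies
    if unanswered == requests:
        return "no-reply"
    return "partial-reply" if unanswered else "replied"

# Constructed sample captures (not real traffic).
CAPTURE_NO_REPLY = [
    "12:03:54.000001 ARP, Request who-has 192.168.0.2 tell 192.168.0.10, length 46",
    "12:03:54.000210 IP 192.168.0.10 > 192.168.0.2: ICMP echo request, id 512, seq 1, length 40",
    "12:03:55.000305 IP 192.168.0.10 > 192.168.0.2: ICMP echo request, id 512, seq 2, length 40",
]
CAPTURE_REPLIED = [
    "12:03:54.000210 IP 192.168.0.10 > 192.168.0.2: ICMP echo request, id 512, seq 1, length 40",
    "12:03:54.000480 IP 192.168.0.2 > 192.168.0.10: ICMP echo reply, id 512, seq 1, length 40",
]

if __name__ == "__main__":
    for name, cap in (("no-reply", CAPTURE_NO_REPLY), ("replied", CAPTURE_REPLIED)):
        print(name, "->", triage(cap, "192.168.0.2"))
```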


