Honeypots mailing list archives

honeyd


From: andy spencer <andy.t.spencer () googlemail com>
Date: Sun, 23 Oct 2005 17:04:40 +0000

Found your book very helpful, but I have a problem setting honeyd up on a
Windows machine.

1. on Win98/Me I receive "ip_open: result too large"

2. on Win2k I either receive no information using the following command
honeyd -d -p NMAP.PRINTS  -x XPROBE2.CONF -a NMAP.ASSOC -f
honeyd.config -i 1 10.0.0.0/24

where honeyd.config contains
###example honeyd template-windows_98###
#create and bind template
#create and bind template
create windows_98
set windows_98 personality "Windows 98"
annotate "Windows 98" finscan
bind 10.0.0.3 windows_98
#set port behavior
set windows_98 default tcp action reset
set windows_98 default udp action reset
add windows_98 udp port 135 block
add windows_98 udp port 137 block
add windows_98 udp port 138 block
add windows_98 udp port 389 block
#add windows_98 tcp port 137 "sh c:\honeyd\scripts\netbios.sh"
add windows_98 tcp port 135 open
add windows_98 tcp port 137 open
add windows_98 tcp port 139 open
add windows_98 tcp port 5132 open
#set template system variables
set windows_98 uptime 343412
set windows_98 uid 27218 gid 33876
###end of windows_98 example template###
the result is

C:\honeyd>honeyd -d -p NMAP.PRINTS  -x XPROBE2.CONF -a NMAP.ASSOC -f
honeyd.config -i 1 10.0.0.0/24
listening on \Device\NPF_{AF2D94D6-40C2-4AB7-B377-F36019F95CEA}: ip
and (dst net 10.0.0.0/24) and not ether src 00:0a:e4:32:29:a7
exiting on signal 2
Terminate batch job (Y/N)? Terminate batch job (Y/N)?


or, when I try to use a default config file as referenced in the book (as follows),

ANNOTATE "Windows Millennium Edition v4.90.300"
ANNOTATE "Microsoft Windows.NET Enterprise Server (build 3615 beta)"
ANNOTATE "Windows 98"
ANNOTATE "Windows 2000 SP2"
ANNOTATE "Windows NT 4.0 SP 6a + hotfixes"
ANNOTATE "Windows XP Pro"

###Set up Default Template###
CREATE DEFAULT Default
SET DEFAULT PERSONALITY "Windows Millennium Edition v4.90.300"
SET DEFAULT Default TCP ACTION RESET
SET DEFAULT Default UDP ACTION RESET
ADD Default UDP PORT 135 BLOCK
ADD Default UDP PORT 137 BLOCK
ADD Default UDP PORT 138 BLOCK
ADD Default TCP PORT 135 BLOCK
ADD Default TCP PORT 137 BLOCK
ADD Default TCP PORT 139 BLOCK
SET Default UPTIME 111010
SET Default UID 50603 GID 38706

I receive
d.cfg:1: parse error
parsing configuration file failed

I am trying to send a ping to 10.0.0.3 from a machine connected directly via an RJ45 cable
(the source machine has address 192.168.68.13, the destination machine
192.168.68.3, and the source machine has an extra route: 10.0.0.0 mask
255.0.0.0 via 192.168.68.3).

I can see the blocks leaving and arriving using windump, but honeyd shows nothing.

Can you help?

Andy Spencer
