Re: IIS honeypot

["Ryan C. Barnett" <rcbarnett () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Joe,
You can run IISEmulator by RFP and HD Moore - http://sourceforge.net/projects/iisemul8/

> From the website -
"The goal of this project is to create a functioning web server which
is indistinguishable from Microsoft's IIS product at a topical level.
This server can be run standalone, through inetd, or as a module of the
"honeyd" project."

I was actaally using it while testing web server fingerprinting tools
(HTTPrint, Hmap, etc...) and it fooled all of them.  Here is an example
session of running out of inetd on a Solaris box -

##############################
bash-2.03# telnet localhost 81
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 4 Aug 2004 17:01:13 GMT
Content-Length: 0
Accept-Ranges: bytes
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL,

 PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL,

 PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private

Connection closed by foreign host.
######################

Hope this helps.

- -Ryan

> Can anyone point me to some articles discussing IIS honeypots.  Either

> low or high interaction is fine.  I googled it and not much returned.
>
> thanks
> J
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkERUAUACgkQ0C5r6NXO9mJSdgCgoxTvN7n9iYPdpH9C+1aC0j5NgDQA
oLOiFhPVzCQmx/zHozoyo1IBWIrX
=6HpL
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427