Honeypots mailing list archives
RE: Very frustrated with Honeyd......
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 27 Jan 2005 15:11:06 -0500
I'm not a Unix-guy, but here are some suggestions to start with:

1. Your honeyd emulation MUST use a different IP subnet address than the host.
2. Your personality name referencing the nmap.prints file must have exact syntax.
3. Impossible SI range error messages are "normal" and don't mean it isn't functioning. They can be fixed by manually fixing the associated nmap.prints file and modifying the SI= parameter.
4. I don't see the other personalities/templates in your config file.

Roger

************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
************************************************************************

-----Original Message-----
From: Mr.Konfess0r [mailto:konfess0r () yahoo com]
Sent: Thursday, January 27, 2005 2:40 PM
To: honeypots () securityfocus com
Subject: Very frustrated with Honeyd......

Ok... I guess I don't know where to start exactly. This is my first time setting up a honey pot and using Honeyd. I read through the documentation and, in my interpretation of it all, I have attempted to set it up "as advertised" on a Redhat 9 platform. All of the required RPMs are installed...
Here is my "Personality":

=====================================================================
### Win2k Personality
create win2k
set win2k personality "Windows 2000 server SP2"
set win2k default tcp action reset
set win2k default udp action reset
set win2k default icmp action block
set win2k uptime 3567
set win2k droprate in 13
add win2k tcp port 21 "sh scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
# This will redirect incoming windows-filesharing back to the source
add win2k udp port 137 proxy $ipsrc:137
add win2k udp port 138 proxy $ipsrc:138
add win2k udp port 445 proxy $ipsrc:445
add win2k tcp port 137 proxy $ipsrc:137
add win2k tcp port 138 proxy $ipsrc:138
add win2k tcp port 139 proxy $ipsrc:139
add win2k tcp port 445 proxy $ipsrc:445
bind 192.168.1.130 win2k
=====================================================================

My IP address in this case I set to 192.168.1.131. So then I do the following command:

"honeyd -f win2k -a nmap.prints -i eth0"

and I receive the following messages:

====================================================================
Warning: Impossible SI Range in Class Fingerprint "IBM OS/400 V4R2MO"
Warning: Impossible SI Range in Class Fingerprint "Microsof Windows NT 4.0 SP3"
Honeyd[2348]: Listening promiscuously on Eth0: arp or ip proto 47 or (udp and src port 62 and dest port 68) or (IP )) and not ether src (my mac address)
Honeyd: make_socket_ai:address already in use
Honeyd: pyextend_webserver_init: make_socket:address already in use
====================================================================

Of course I've tried various combinations of commands at this point and it feels like I'm just throwing commands at it to get it to work properly. A few questions I have.... Okay, I am just trying to get this initially to work.

1. What am I doing wrong here?
2. Does the IP address need to be the same or different as in the config file?
3. Do I need to set up a route on this box to make this "virtually" seen?
The testing method I want to accomplish at this point is just hooking up 2 PCs to a basic switch, 1 of course being the honeyd box. Initially I just want to be able to nmap the box and get an OS fingerprint of Windows. Once I get this far, I think I should be able to get beyond my initial brick wall.

Hey ladies and gentlemen, any help that I receive I will greatly appreciate. I'm sorry I have to ask such "dumb" questions, but I'm hoping that at least someone else out there has the same ones. In any case, God bless you all. Thank you.
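A small lint for the checklist in the reply above (every template created before it is used, each personality string matching a `Fingerprint` line in the fingerprint file exactly, and no `bind` to the host's own address), added here as an example and not code from the thread or from the honeyd project; the config and fingerprint text are constructed samples modelled on the quoted ones.

```python
import ipaddress
import re

# Constructed sample template modelled on the one quoted in the thread; 'linux'
# is never created and nt4's personality string has no matching fingerprint.
SAMPLE_CONFIG = """\
### Win2k Personality
create win2k
set win2k personality "Windows 2000 server SP2"
set win2k default tcp action reset
add win2k tcp port 21 "sh scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
add win2k udp port 137 proxy $ipsrc:137
bind 192.168.1.130 win2k
bind 192.168.1.140 linux
create nt4
set nt4 personality "Windows NT 4.0 SP3"
"""

# Constructed stand-in for nmap.prints; only 'Fingerprint <name>' lines are consulted.
SAMPLE_PRINTS = """\
Fingerprint Windows 2000 server SP2
TSeq(Class=RI%gcd=<6%SI=<1E9A0%IPID=I%TS=0)
Fingerprint Microsoft Windows NT 4.0 SP3
"""

def known_personalities(prints_text):
    """Names from 'Fingerprint <name>' lines; honeyd needs the exact string."""
    return {line[len("Fingerprint "):].strip()
            for line in prints_text.splitlines() if line.startswith("Fingerprint ")}

def lint_config(config_text, prints_text, host_ip):
    """Return problems found, one string per offending config line."""
    problems, templates = [], set()
    known = known_personalities(prints_text)
    host = ipaddress.ip_address(host_ip)
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "create":
            templates.add(words[1])
        if words[0] in ("set", "add", "bind"):
            tmpl = words[2] if words[0] == "bind" else words[1]
            if tmpl not in templates:
                problems.append(f"line {lineno}: template '{tmpl}' not created")
        m = re.match(r'set\s+\S+\s+personality\s+"([^"]*)"', raw.strip())
        if m and m.group(1) not in known:
            problems.append(f"line {lineno}: personality '{m.group(1)}' not in fingerprint file")
        if words[0] == "bind" and ipaddress.ip_address(words[1]) == host:
            problems.append(f"line {lineno}: {words[1]} is the host's own address")
    return problems
```

Run it against a real template and fingerprint file before starting honeyd; a personality that is not reported as missing here can still trip the "Impossible SI Range" warning, which comes from the fingerprint's own SI= values rather than from the config.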
Current thread:
- Very frustrated with Honeyd...... Mr . Konfess0r (Jan 27)
- Re: Very frustrated with Honeyd...... Hauguet, Francis (Jan 28)
- Re: Very frustrated with Honeyd...... Javier Fernandez-Sanguino (Jan 28)
- Re: Very frustrated with Honeyd...... Niels Provos (Jan 28)
- Re: Very frustrated with Honeyd...... Nathan W. Labadie (Jan 28)
- <Possible follow-ups>
- RE: Very frustrated with Honeyd...... Roger A. Grimes (Jan 27)
- Re: Very frustrated with Honeyd...... Mr . Konfess0r (Jan 28)