Honeypots mailing list archives

RE: Very frustrated with Honeyd......


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 27 Jan 2005 15:11:06 -0500

I'm not a Unix-guy, but here are some suggestions to start with:

1. Your honeyd emulation MUST use a different IP subnet address than the host.
2. Your personality name referencing the nmap.prints file must have exact syntax.
3. Impossible SI range error messages are "normal" and don't mean it isn't functioning. They can be fixed by manually fixing the associated nmap.prints file and modifying the SI= parameter.
4. I don't see the other personalities/templates in your config file.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************

-----Original Message-----
From: Mr.Konfess0r [mailto:konfess0r () yahoo com] 
Sent: Thursday, January 27, 2005 2:40 PM
To: honeypots () securityfocus com
Subject: Very frustrated with Honeyd......



Ok... I guess I don't know where to start exactly. This is my first time setting up a honeypot and using Honeyd. I read through the documentation and, in my interpretation of it all, I have attempted to set it up "as advertised" on a Redhat 9 platform.

All of the required RPMs are installed...

Here is my "Personality" 

=====================================================================
### Win2k Personality
create win2k
set win2k personality "Windows 2000 server SP2"
set win2k default tcp action reset
set win2k default udp action reset
set win2k default icmp action block
set win2k uptime 3567
set win2k droprate in 13
add win2k tcp port 21 "sh scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
# This will redirect incoming windows-filesharing back to the source
add win2k udp port 137 proxy $ipsrc:137
add win2k udp port 138 proxy $ipsrc:138
add win2k udp port 445 proxy $ipsrc:445
add win2k tcp port 137 proxy $ipsrc:137
add win2k tcp port 138 proxy $ipsrc:138
add win2k tcp port 139 proxy $ipsrc:139
add win2k tcp port 445 proxy $ipsrc:445
bind 192.168.1.130 win2k
=====================================================================

My IP address in this case I set to 192.168.1.131.

So then I do the following command:

"honeyd -f win2k -a nmap.prints -i eth0"

and I receive the following messages:

====================================================================
Warning: Impossible SI Range in Class Fingerprint "IBM OS/400 V4R2MO"
Warning: Impossible SI Range in Class Fingerprint "Microsof Windows NT
4.0 SP3"

Honeyd[2348]: Listening promiscuously on Eth0: arp or ip proto 47 or
(udp and src port 62 and dest port 68) or (IP )) and not ether src (my
mac address)
Honeyd: make_socket_ai:address already in use
Honeyd: pyextend_webserver_init: make_socket:address already in use
====================================================================

Of course I've tried various combinations of commands at this point and
it feels like I'm just throwing commands at it to get it to work
properly.


A few questions I have.... Okay, I am just trying to get this initially to work.

1. What am I doing wrong here?
2. Does the IP address need to be the same as or different from the one in the config file?
3. Do I need to set up a route on this box to make this "virtually" seen?

My testing method I want to accomplish at this point is just hooking up 2 PCs to a basic switch, one of course being the honeyd box. Initially I just want to be able to nmap the box and get an OS fingerprint of Windows.

Once I get this far, I think I should be able to get beyond my initial
brick wall. 


Hey ladies and gentlemen, any help that I receive I will greatly
appreciate it. I'm sorry I have to ask such "dumb" questions, but I'm
hoping that at least someone else out there has the same one. In any
case, God bless you all. Thank you.
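An added example, not from this thread or from the honeyd project: a small Python checker for the config problems discussed above, namely honeyd statements run together on one line, a template referenced before it is created, and a bind address that collides with the honeyd host's own IP (it checks for a different address, not the reply's stricter different-subnet rule). The sample config and the host address 192.168.1.131 are constructed from the poster's message; the checker only understands create/set/add/bind and skips other keywords.

```python
import ipaddress
import re

# Constructed sample (the poster's win2k template, one statement per line,
# trimmed to the lines the checker cares about).
SAMPLE_CONFIG = """\
### Win2k Personality
create win2k
set win2k personality "Windows 2000 server SP2"
set win2k default tcp action reset
set win2k default udp action reset
set win2k default icmp action block
set win2k uptime 3567
add win2k tcp port 21 "sh scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
add win2k udp port 137 proxy $ipsrc:137
bind 192.168.1.130 win2k
"""

KEYWORDS = re.compile(r"\b(create|set|add|bind)\b")

def check_honeyd_config(text, host_ip):
    """Lint a honeyd config; return [(line_no, message), ...], empty when clean."""
    findings, templates = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Blank out quoted strings so keywords inside a script command are ignored.
        bare = re.sub(r'"[^"]*"', '""', line)
        if len(KEYWORDS.findall(bare)) > 1:
            findings.append((no, "more than one statement on this line"))
            continue
        words = bare.split()
        if len(words) < 3 and words[0] != "create":
            findings.append((no, "incomplete statement"))
            continue
        kw = words[0]
        if kw == "create":
            templates.add(words[1])
        elif kw in ("set", "add"):
            if words[1] not in templates:
                findings.append((no, f"template {words[1]!r} used before create"))
            if kw == "set" and words[2] == "personality" and '"' not in line:
                findings.append((no, "personality name must be a quoted string"))
        elif kw == "bind":
            if words[2] not in templates:
                findings.append((no, f"template {words[2]!r} used before create"))
            if ipaddress.ip_address(words[1]) == ipaddress.ip_address(host_ip):
                findings.append((no, "bind address is the honeyd host's own IP"))
        # Other keywords (route, annotate, ...) are not checked here.
    return findings

if __name__ == "__main__":
    print(check_honeyd_config(SAMPLE_CONFIG, "192.168.1.131"))  # [] for the clean sample
```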

