Honeypots mailing list archives

Re: Very frustrated with Honeyd......


From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Fri, 28 Jan 2005 09:27:45 -0500

Answered inline...

On Thu, Jan 27, 2005 at 07:39:42PM -0000, Mr.Konfess0r wrote:
====================================================================
Warning: Impossible SI Range in Class Fingerprint "IBM OS/400 V4R2MO"
Warning: Impossible SI Range in Class Fingerprint "Microsof Windows NT 4.0 SP3"

Taken from the honeyd FAQ:
http://honeyd.org/faq.php#warning

"These warnings result from inconsistent entries in Nmap's fingerprint 
database. It is possible that the TCP Sequence number generator and the 
corresponding numerical ranges in the Fingerprint do not agree. It is 
safe to ignore these warnings."

Honeyd[2348]: Listening promiscuously on Eth0: arp or ip proto 47 or (udp and src port 62 and dest port 68) or (IP )) 
and not ether src (my mac address)
Honeyd: make_socket_ai:address already in use
Honeyd: pyextend_webserver_init: make_socket:address already in use
====================================================================

The "make_socket" error is happening because there is already a service 
listening on that port. Most likely there's already a webserver running. 
Use "--webserver-port=port" when starting it to specify another port.
 
1. What am I doing wrong here?

See above.

2. Does the IP address need to be the same or different as in the config file? 

Taken from the FAQ:
http://honeyd.org/faq.php#existing

"Honeyd normally requires its own IP address space. If only one IP 
address is available on a dial-up modem or DSL line, it is still 
possible to use Honeyd for certain ports by enabling NAT.

Use your NAT (iptables, ipf, pf, etc.) to forward traffic to a Honeyd 
machine running behind the NAT on a private IP address space. The 
traffic is forwarded by port redirection, i.e. a port for the one 
existing IP address is redirected to the virtual IP address of a Honeyd 
host and a corresponding port on that virtual machine."

3. Do I need to set up a route on this box to make this "virtually" seen?

If you have address space, use arpd to claim all the unused addresses.
http://www.citi.umich.edu/u/provos/honeyd/arpd-0.2.tar.gz

My testing method I want to accomplish at this point is just hooking up 2 PC's to a basic switch. 1 of course being 
the honeyd box. Initially I just want to be able to nmap the box and get an OS fingerprint of Windows.

There's no reason to get an OS fingerprint of Windows. If you look 
through the nmap.prints file all of the fingerprints are already there.

Thanks,
Nate

-- 
Nathan W. Labadie
Sr. Security Specialist
Network Services
Wayne State University
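
A pre-flight check for the "address already in use" error discussed in the reply above, as an added example that is not part of the original post or of Honeyd itself. It attempts the same kind of TCP bind the built-in webserver needs and picks the first port that is free; the function names and the candidate port list are assumptions made for illustration, and only the `--webserver-port` flag comes from the reply.

```python
import errno
import socket


def bind_error(port, host="0.0.0.0"):
    """Try a TCP bind on host:port; return None if it works, else the errno name."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
    except OSError as exc:
        # EADDRINUSE is the "address already in use" case from the log above;
        # EACCES typically means a port below 1024 without root.
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()
    return None


def pick_webserver_port(candidates, host="0.0.0.0"):
    """Return the first candidate port that can be bound right now."""
    for port in candidates:
        if bind_error(port, host) is None:
            return port
    raise RuntimeError("no candidate port is free: %r" % (candidates,))


def webserver_flag(candidates, host="0.0.0.0"):
    """Build the --webserver-port option (flag name taken from the reply above)."""
    return "--webserver-port=%d" % pick_webserver_port(candidates, host)


if __name__ == "__main__":
    # Candidate ports are constructed for illustration.
    candidates = [80, 8080, 8800]
    for port in candidates:
        print(port, bind_error(port) or "free")
    print(webserver_flag(candidates))
```

The check is a snapshot: another process can still take the port between this test and the daemon's own bind, so a repeated error means re-running the check rather than assuming the result still holds.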

