Honeypots mailing list archives
Re: Very frustrated with Honeyd......
From: "Nathan W. Labadie" <ab0781 () wayne edu>
Date: Fri, 28 Jan 2005 09:27:45 -0500
Answered inline...

On Thu, Jan 27, 2005 at 07:39:42PM -0000, Mr.Konfess0r wrote:
====================================================================
Warning: Impossible SI Range in Class Fingerprint "IBM OS/400 V4R2MO"
Warning: Impossible SI Range in Class Fingerprint "Microsof Windows NT 4.0 SP3"
Taken from the honeyd FAQ: http://honeyd.org/faq.php#warning "These warnings result from inconsistent entries in Nmap's fingerprint database. It is possible that the TCP Sequence number generator and the corresponding numerical ranges in the Fingerprint do not agree. It is safe to ignore these warnings."
Honeyd[2348]: Listening promiscuously on Eth0: arp or ip proto 47 or (udp and src port 62 and dest port 68) or (IP )) and not ether src (my mac address)
Honeyd: make_socket_ai:address already in use
Honeyd: pyextend_webserver_init: make_socket:address already in use
====================================================================
The "make_socket" error is happening because there is already a service listening on that port. Most likely there's already a webserver running. Use "--webserver-port=port" when starting it to specify another port.
1. What am I doing wrong here?
See above.
2. Does the IP address need to be the same or different as in the config file?
Taken from the FAQ: http://honeyd.org/faq.php#existing "Honeyd normally requires its own IP address space. If only one IP address is available on a dial-up modem or DSL line, it is still possible to use Honeyd for certain ports by enabling NAT. Use your NAT (iptables, ipf, pf, etc.) to forward traffic to a Honeyd machine running behind the NAT on a private IP address space. The traffic is forwarded by port redirection, i.e. a port for the one existing IP address is redirected to the virtual IP address of a Honeyd host and a corresponding port on that virtual machine."
3. Do I need to set up a route on this box to make this "virtually" seen?
If you have address space, use arpd to claim all the unused addresses. http://www.citi.umich.edu/u/provos/honeyd/arpd-0.2.tar.gz
My testing method I want to accomplish at this point is just hooking up 2 PCs to a basic switch. 1 of course being the honeyd box. Initially I just want to be able to nmap the box and get an OS fingerprint of Windows.
There's no reason to get an OS fingerprint of Windows. If you look through the nmap.prints file all of the fingerprints are already there.

Thanks,
Nate

--
Nathan W. Labadie
Sr. Security Specialist
Network Services
Wayne State University
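
Added example, not part of the original message or of Honeyd: a pre-flight check for the "address already in use" condition discussed in the reply, which probes candidate TCP ports and builds the "--webserver-port" option for the first free one. The function names and the candidate port numbers are assumptions made for illustration.

```python
import errno
import socket


def port_in_use(port, host="0.0.0.0"):
    """Return True if binding a TCP socket to (host, port) fails with
    EADDRINUSE, the same condition behind the make_socket error."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # SO_REUSEADDR is deliberately not set, so the bind fails when
        # another socket is already listening on this address and port.
        probe.bind((host, port))
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        raise  # e.g. EACCES for a port below 1024 without privileges
    finally:
        probe.close()
    return False


def first_free_port(candidates, host="0.0.0.0"):
    """Return the first candidate port that can be bound, or None."""
    for port in candidates:
        if not port_in_use(port, host):
            return port
    return None


def webserver_port_option(candidates, host="0.0.0.0"):
    """Build the --webserver-port option (the flag named in the reply)
    for the first free candidate port."""
    port = first_free_port(candidates, host)
    if port is None:
        raise RuntimeError("no free port among %r" % (list(candidates),))
    return "--webserver-port=%d" % port


if __name__ == "__main__":
    # Constructed candidate list; substitute the ports you are willing to use.
    print(webserver_port_option([8080, 8081, 8082], host="127.0.0.1"))
```

The probe only reports the state at the moment it runs; another process can still take the port before the daemon starts, so the daemon's own log remains the final check.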