Honeypots mailing list archives

RE: Setting up honeyd on winxp sp2


From: "Roger A. Grimes" <roger () banneretcs com>
Date: Wed, 27 Apr 2005 13:14:15 -0400

As others have suggested, running Honeyd on XP is problematic.  Consider
running it on a W2K or other box.

If you've setup the router directly in front of the PC, you should not
need the route add command on the PC...but you need to direct the
traffic (to the new IP network range) to the PC using a static route on
the router.

Honeyd for Windows also has a problem sending packets back out past the
router because of a MAC problem (I think that was what Michael Davis
said...), but it should be fixed when Win32-Honeyd is updated.

If you are stuck with XP, consider demoing Kfsensor (expensive) or
PatriotBox (inexpensive) as your first Windows-based honeypot.  That way
you can get up and running in a few hours, and then come back and
troubleshoot Honeyd on Windows afterward...and customize it with lessons
learned.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code:  Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************


-----Original Message-----
From: Edmund Dorsey [mailto:edorsey () gmail com] 
Sent: Monday, April 25, 2005 2:34 PM
To: honeypots () securityfocus com
Subject: Setting up honeyd on winxp sp2

Hi Everyone,
   As part of a school project I have been attempting to set up honeyd
on a windows box.  Because the project is for learning purposes only
I've been trying to keep things as simple as possible.

Right now my network topology looks like this:

Cable Modem -------> Hub --------> Router -------> Internal Network
                                 |
                                 |
                       honeyd Machine

I put the honeyd machine outside the router to try and make it easier
for traffic to get to honeyd (not sure if this was a good idea).

I'm using a simple honeyd.config file provided in the book Honeypots for
Windows.  The problem I am having is not so much in configuring honeyd
itself but is in getting traffic to my honeyd machine.  I know honeyd
requires its own virtual address space but I'm not sure how to set that
up in windows or if I even need to.

The config file I'm using sets up one virtual Exchange Server and uses
"bind 10.0.0.1 Exchange Server 2003".  I assume then that I need to
create the virtual address 10.0.0.1 on the honeyd machine but I'm not
sure how to go about that.

Once I have the virtual address set up I think I need to add a static
route using the "route" command on the honeyd machine so it directs any
relevant incoming traffic to the honeyd machine.  Is this correct?

Anyway, I realize these questions are more network related than honeypot
but I haven't been able to find any resources online that might explain
the process in more detail.  Thank you for any help you can provide.

Best Regards,

Ed Dorsey
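Added example, not part of either message above: a small script that ties together the two halves of the thread, the "bind <ip> <template>" lines in the honeyd configuration Ed describes and the static route on the router that Roger says must carry the emulated range to the honeyd host. It parses a constructed honeyd.conf (template name, personality string, ports and addresses are all assumptions, not the config from the book) and reports anything that would stop traffic from reaching a bound address: a bind outside the routed prefix, a bind to a template that was never created, a bind on the honeyd host's own real address, or a host address that sits inside the range being emulated. The routed prefix and the host's real address are likewise assumed values.

```python
"""Check that a honeyd.conf's bind lines line up with the static route that is
supposed to deliver traffic to the honeyd host.  Added example; not code from
the mailing-list thread or from the honeyd project."""
import ipaddress

# Constructed honeyd.conf in the style of the one the original post mentions.
# Template name, personality string, ports and addresses are assumptions.
SAMPLE_CONF = """\
# one emulated mail server, two addresses
create exchange
set exchange personality "Microsoft Windows Server 2003 Standard Edition"
set exchange default tcp action reset
set exchange default udp action reset
add exchange tcp port 25 open
add exchange tcp port 80 open
add exchange tcp port 443 open
bind 10.0.0.1 exchange
bind 10.0.0.2 exchange
"""

# Assumed: the router carries a static route for this prefix with the honeyd
# host's real address as next hop, and honeyd is started with the same prefix
# on its command line (e.g. "honeyd -d -f honeyd.conf 10.0.0.0/24").
ROUTED_PREFIX = ipaddress.ip_network("10.0.0.0/24")
HONEYD_HOST_IP = ipaddress.ip_address("192.168.1.50")


def parse_conf(text):
    """Return (templates, binds): the set of names given to 'create' and a
    list of (address, template) pairs from 'bind' lines.  Comments (#) and
    blank lines are skipped; a malformed bind address raises ValueError."""
    templates = set()
    binds = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "create" and len(parts) == 2:
            templates.add(parts[1])
        elif parts[0] == "bind" and len(parts) == 3:
            binds.append((ipaddress.ip_address(parts[1]), parts[2]))
    return templates, binds


def check_conf(text, routed_prefix, host_ip):
    """Return a list of problem descriptions.  An empty list means every
    bound address is inside the routed prefix, refers to a defined template,
    and does not collide with the honeyd host's own address."""
    templates, binds = parse_conf(text)
    problems = []
    seen = set()
    if not binds:
        problems.append("no bind lines: honeyd has nothing to answer for")
    for ip, tmpl in binds:
        if tmpl not in templates:
            problems.append(f"{ip}: bound to undefined template '{tmpl}'")
        if ip not in routed_prefix:
            problems.append(
                f"{ip}: outside routed prefix {routed_prefix}; "
                "the router's static route will not send it to the honeyd host")
        if ip == host_ip:
            problems.append(
                f"{ip}: is the honeyd host's own address; the host's TCP/IP "
                "stack, not honeyd, will answer for it")
        if ip in seen:
            problems.append(f"{ip}: bound more than once")
        seen.add(ip)
    if host_ip in routed_prefix:
        problems.append(
            f"host address {host_ip} lies inside {routed_prefix}; the static "
            "route's next hop must be the host's real, directly connected address")
    return problems


if __name__ == "__main__":
    for p in check_conf(SAMPLE_CONF, ROUTED_PREFIX, HONEYD_HOST_IP):
        print("PROBLEM:", p)
    print("bound addresses:", [str(ip) for ip, _ in parse_conf(SAMPLE_CONF)[1]])
```

The check mirrors the point in the reply above: the honeyd host itself needs no "route add"; it only has to be the next hop of the router's static route for the emulated prefix, and every address honeyd is told to answer for has to fall inside that prefix. Run it against the real honeyd.conf and the prefix actually configured on the router before looking for the fault inside honeyd.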

