Run a Low-Interaction Honeypot with HoneyBot

A honeypot is a computer system designed to catch hackers. It is positioned in a network where it makes a good target for them. Honeypots can be used to detect malicious activity on a network, or to prevent hackers from hacking a network by acting as a decoy. Honeypots are also frequently used in research to detect and analyze new worms and attacks. There are two basic categories of honeypots: high-interaction and low-interaction. A high-interaction honeypot is a system that is designed to be completely compromised. A low-interaction honeypot is a system that simulates different parts of a network system. In this article we are going to build a low-interaction honeypot with the Windows program HoneyBot.

HoneyBot, which can be downloaded here, is a Windows program that opens over 1200 TCP and UDP ports and simulates common services on them. It captures all packet traffic to these ports and logs the packets and the source IP address. It simulates some basic services by replying on certain ports. It can also capture worms and trojans by saving them to a folder. It is an easy-to-use program and a good choice for getting your feet wet with honeypots.

First you will have to configure the host machine. You can put HoneyBot on any Windows-based host. For best results I would recommend that you run it on a dedicated box. By this I mean, don’t have anything else running on the same machine. I run it on Windows XP in a virtual machine. You can use Virtual PC, or you could use its free brother, Virtual Server. Just download it from Microsoft and install your version of Windows on it. I like using Virtual Server because it has much more advanced network options than Virtual PC. You can run your honeypot on your internal network to alert you to affected machines on your network. However, you will probably get much more interesting results if you expose it to the internet. The best way to do that is to place the honeypot in a DMZ. This is the best method if you are running the honeypot from a home internet connection. You also want to run Windows Firewall on your machine, and make an exception for HoneyBot.

If you are running your honeypot from a designated host, you will want to disable as many network services as possible. Running the command netstat -an will show you all the listening ports on your system. The program fport will also show you the open ports and the process ID that is using each one. There are a few ports you may need to stop HoneyBot from listening on. You will probably want to disable port 162 (snmptrap), especially if you have a home router. Other ports you may need to disable are 67 and 68, which are DNS and DHCP.

After you have closed as many network ports as you can, you can start up HoneyBot. Just press the blue start button to start listening. Once it is running you can click on Debug (View, Debug) to see which ports HoneyBot was unable to listen on because of the OS. This view also shows Winsock errors. You can add or remove ports in the configure box while HoneyBot is not running. Once it is started you should start seeing probes in a very short time.
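The netstat -an check above can be scripted to predict which ports will appear in the Debug view as unavailable. This is an added example, not part of HoneyBot or the original article; the sample netstat output is constructed and the `HONEYPOT_PORTS` set is an assumption built from ports this article mentions.

```python
# Added example: find host sockets that would collide with honeypot listeners.
# SAMPLE_NETSTAT is constructed output in the Windows `netstat -an` layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:162            *:*
  UDP    192.168.1.10:68        *:*
  UDP    0.0.0.0:1434           *:*
"""

# Assumption: ports the honeypot should own, chosen from ports this article
# mentions; the real list lives in HoneyBot's own configuration.
HONEYPOT_PORTS = {("UDP", 67), ("UDP", 68), ("UDP", 162),
                  ("TCP", 1433), ("UDP", 1434)}


def bound_sockets(netstat_text):
    """Return {(proto, port)} for TCP LISTENING rows and all bound UDP rows."""
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or unrelated text
        proto, local = fields[0], fields[1]
        # TCP rows carry a state column; only LISTENING blocks a new bind.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        port = local.rsplit(":", 1)[-1]  # rsplit copes with IPv6 like [::]:135
        if port.isdigit():
            found.add((proto, int(port)))
    return found


def conflicts(netstat_text, wanted):
    """Ports the honeypot wants that the host OS already holds, sorted."""
    return sorted(bound_sockets(netstat_text) & set(wanted))


if __name__ == "__main__":
    for proto, port in conflicts(SAMPLE_NETSTAT, HONEYPOT_PORTS):
        print(f"{proto}/{port} already bound: stop the service or remove the port")
```

To run it against a real host, pass the saved output of netstat -an to `conflicts()` in place of the sample text.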

I was very surprised by the very high amount of traffic that was captured by HoneyBot. After a day I had several thousand probes. The most popular probes were definitely Windows Messenger spam coming to ports 1024 – 1030. I also saw a lot of SQL Server probes at 1433 and 1434. HoneyBot also captured several worms. I have run HoneyBot on both my home cable connection and with a static IP address on a T1 line. I received more scans and worms on the static IP address than with my cable.

You can also run a packet sniffer like Wireshark or Snort to get more detailed packet information with your honeypot.

Some example screenshots:

The Main screen.

An IIS Buffer overflow exploit attempt.

An attempt to run a Dabber worm.

A NetDevil trojan upload. It captured the binary file and I have figured out how to run it.

5 Responses to “Run a Low-Interaction Honeypot with HoneyBot”


  1. Optikal

    This is a nice tool, by no means excellent, but nice – none-the-less.

  2. frank

    Sure, it’s not Honeyd but it’s an easy to use program for those new to honeypots.

  3. Nandhini

    I’m working on HoneyBot. Can you please tell me how you simulated the attack programs?

  4. frank

    These attacks shown were not simulated. They are actually attacks from the internet that Honeybot captured.

  5. Fod.ikiib

    Does anyone know if Honeyd can grab the executable files…? I’m not sure, but I think not actually…
