Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Set up honeyd (ubuntu 12.04)
# installation
sudo apt-get install honeyd
sudo apt-get install nmap #(supported software for port scanning)
# check my eth0 address
ifconfig
### eth0 Link encap:Ethernet HWaddr 00:26:2d:f9:db:be <-----------------use this one
### inet addr:192.168.0.103 Bcast:192.168.0.255 Mask:255.255.255.0
### inet6 addr: fe80::226:2dff:fef9:dbbe/64 Scope:Link
# set up the configuration file
cat >honeyd.conf <<EOL
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
add windows tcp port 475 open
create linux
set linux personality "Linux 2.2.14"
set linux default tcp action block
set linux default udp action block
set linux default icmp action block
add linux tcp port 25 "/usr/share/honeyd/scripts/smtp.pl -n <ozooxo@gmail.com>"
add linux tcp port 8000 "/usr/share/honeyd/scripts/proxy.pl /usr/share/honeyd/scripts/smtp.pl -n <ozooxo@gmail.com>"
set windows ethernet "00:26:2d:f9:db:be"
dhcp windows on eth0
set linux ethernet "00:26:2d:f9:db:be"
dhcp linux on eth0
EOL
# log in my router at http://192.168.0.1
# I get a list, in which 192.168.0.103 is me (eth0), and 192.168.0.105 is honeyd
### IP Address Name(If any) MAC
### 192.168.0.104 00:26:2d:f9:db:be
### 192.168.0.100 Landmass f0:dc:e2:a8:2b:f8
### 192.168.0.103 landmark 00:26:2d:f9:db:be
### 192.168.0.101 Landscape c8:bc:c8:5f:72:1f
### 192.168.0.102 landlubber 90:2b:34:d5:34:66
### 192.168.0.104 landmark 00:24:d7:0e:94:24
### 192.168.0.105 someone 00:26:2d:9a:83:c9
### 192.168.0.106 someone xxxxxxxxxxxxxxxxx
# run honeyd
sudo honeyd -d -f honeypots.conf
### Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
### honeyd[4050]: started with -d -f honeypots.conf
### honeyd[4050]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:26:2d:f9:db:be
### honeyd[4050]: [eth0] trying DHCP
### honeyd[5226]: [eth0] trying DHCP
### honeyd[4050]: Demoting process privileges to uid 65534, gid 65534
### honeyd[4050]: [eth0] got DHCP offer: 192.168.0.105
### honeyd[4050]: Updating ARP binding: 00:26:2d:9a:83:c9 -> 192.168.0.105
### honeyd[4050]: [eth0] got DHCP offer: 192.168.0.106
### honeyd[4050]: Updating ARP binding: 00:26:2d:34:28:80 -> 192.168.0.106
### honeyd[4050]: arp reply 192.168.0.105 is-at 00:26:2d:9a:83:c9
### honeyd[4050]: arp reply 192.168.0.105 is-at 00:26:2d:9a:83:c9
### honeyd[4050]: Killing attempted connection: tcp (192.168.0.101:54464 - 192.168.0.105:80)
### honeyd[4050]: arp_send: who-has 192.168.0.101 tell 192.168.0.105 <-------- when I use "landscape" to connect honeyd
### honeyd[4050]: arp_recv_cb: 192.168.0.101 at c8:bc:c8:5f:72:1f
### ... ...
### honeyd[4050]: Connection request: tcp (192.168.0.100:54105 - 192.168.0.106:8000)
### honeyd[4050]: Connection established: tcp (192.168.0.100:54105 - 192.168.0.106:8000) <-> /usr/share/honeyd/scripts/proxy.pl /usr/share/honeyd/scripts/smtp.pl -n <ozooxo@gmail.com>
### honeyd[4050]: Expiring TCP (192.168.0.100:54107 - 192.168.0.106:8000) (0x964b870) in state 7
### ... ...
### honeyd[4050]: Killing attempted connection: tcp (192.168.0.100:54109 - 192.168.0.105:8000)
### <----notice that the reaction is different when connecting port 8000 of the two IPs (windows 105 and linux 106)
# check the list of ports
nmap -PN -p 25,135,139,445,475,1337,8000 192.168.0.105
### Starting Nmap 5.21 ( http://nmap.org ) at 2014-04-13 15:11 CDT
### Nmap scan report for 192.168.0.105
### Host is up (0.99s latency).
### PORT STATE SERVICE
### 25/tcp filtered smtp
### 135/tcp filtered msrpc
### 139/tcp filtered netbios-ssn
### 445/tcp filtered microsoft-ds
### 475/tcp filtered tcpnethaspsrv
### 1337/tcp filtered waste
### 8000/tcp filtered http-alt
# what about my own computer?
nmap -PN -p 25,135,139,445,475,1337,8000 192.168.0.103
### Starting Nmap 5.21 ( http://nmap.org ) at 2014-04-13 17:04 CDT
### Nmap scan report for 192.168.0.103
### Host is up (0.00012s latency).
### PORT STATE SERVICE
### 25/tcp closed smtp
### 135/tcp closed msrpc
### 139/tcp open netbios-ssn
### 445/tcp open microsoft-ds
### 475/tcp closed tcpnethaspsrv
### 1337/tcp closed waste
### 8000/tcp closed http-alt
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.