Last active
November 7, 2016 21:06
-
-
Save ozooxo/10600945 to your computer and use it in GitHub Desktop.
Set up honeyd (ubuntu 12.04)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # installation | |
| sudo apt-get install honeyd | |
| sudo apt-get install nmap #(supported software for port scanning) | |
| # check my eth0 address | |
| ifconfig | |
| ### eth0 Link encap:Ethernet HWaddr 00:26:2d:f9:db:be <-----------------use this one | |
| ### inet addr:192.168.0.103 Bcast:192.168.0.255 Mask:255.255.255.0 | |
| ### inet6 addr: fe80::226:2dff:fef9:dbbe/64 Scope:Link | |
| # set up the configuration file | |
| cat >honeyd.conf <<EOL | |
| create default | |
| set default default tcp action block | |
| set default default udp action block | |
| set default default icmp action block | |
| create windows | |
| set windows personality "Microsoft Windows XP Professional SP1" | |
| set windows default tcp action reset | |
| add windows tcp port 135 open | |
| add windows tcp port 139 open | |
| add windows tcp port 445 open | |
| add windows tcp port 475 open | |
| create linux | |
| set linux personality "Linux 2.2.14" | |
| set linux default tcp action block | |
| set linux default udp action block | |
| set linux default icmp action block | |
| add linux tcp port 25 "/usr/share/honeyd/scripts/smtp.pl -n <ozooxo@gmail.com>" | |
| add linux tcp port 8000 "/usr/share/honeyd/scripts/proxy.pl /usr/share/honeyd/scripts/smtp.pl -n <ozooxo@gmail.com>" | |
| set windows ethernet "00:26:2d:f9:db:be" | |
| dhcp windows on eth0 | |
| set linux ethernet "00:26:2d:f9:db:be" | |
| dhcp linux on eth0 | |
| EOL | |
| # log in my router at http://192.168.0.1 | |
| # I get a list, in which 192.168.0.103 is me (eth0), and 192.168.0.105 is honeyd | |
| ### IP Address Name(If any) MAC | |
| ### 192.168.0.104 00:26:2d:f9:db:be | |
| ### 192.168.0.100 Landmass f0:dc:e2:a8:2b:f8 | |
| ### 192.168.0.103 landmark 00:26:2d:f9:db:be | |
| ### 192.168.0.101 Landscape c8:bc:c8:5f:72:1f | |
| ### 192.168.0.102 landlubber 90:2b:34:d5:34:66 | |
| ### 192.168.0.104 landmark 00:24:d7:0e:94:24 | |
| ### 192.168.0.105 someone 00:26:2d:9a:83:c9 | |
| ### 192.168.0.106 someone xxxxxxxxxxxxxxxxx | |
| # run honeyd | |
| sudo honeyd -d -f honeypots.conf | |
| ### Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos | |
| ### honeyd[4050]: started with -d -f honeypots.conf | |
| ### honeyd[4050]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:26:2d:f9:db:be | |
| ### honeyd[4050]: [eth0] trying DHCP | |
| ### honeyd[5226]: [eth0] trying DHCP | |
| ### honeyd[4050]: Demoting process privileges to uid 65534, gid 65534 | |
| ### honeyd[4050]: [eth0] got DHCP offer: 192.168.0.105 | |
| ### honeyd[4050]: Updating ARP binding: 00:26:2d:9a:83:c9 -> 192.168.0.105 | |
| ### honeyd[4050]: [eth0] got DHCP offer: 192.168.0.106 | |
| ### honeyd[4050]: Updating ARP binding: 00:26:2d:34:28:80 -> 192.168.0.106 | |
| ### honeyd[4050]: arp reply 192.168.0.105 is-at 00:26:2d:9a:83:c9 | |
| ### honeyd[4050]: arp reply 192.168.0.105 is-at 00:26:2d:9a:83:c9 | |
| ### honeyd[4050]: Killing attempted connection: tcp (192.168.0.101:54464 - 192.168.0.105:80) | |
| ### honeyd[4050]: arp_send: who-has 192.168.0.101 tell 192.168.0.105 <-------- when I use "landscape" to connect honeyd | |
| ### honeyd[4050]: arp_recv_cb: 192.168.0.101 at c8:bc:c8:5f:72:1f | |
| ### ... ... | |
| ### honeyd[4050]: Connection request: tcp (192.168.0.100:54105 - 192.168.0.106:8000) | |
| ### honeyd[4050]: Connection established: tcp (192.168.0.100:54105 - 192.168.0.106:8000) <-> /usr/share/honeyd/scripts/proxy.pl /usr/share/honeyd/scripts/smtp.pl -n <ozooxo@gmail.com> | |
| ### honeyd[4050]: Expiring TCP (192.168.0.100:54107 - 192.168.0.106:8000) (0x964b870) in state 7 | |
| ### ... ... | |
| ### honeyd[4050]: Killing attempted connection: tcp (192.168.0.100:54109 - 192.168.0.105:8000) | |
| ### <----notice that the reaction is different when connecting port 8000 of the two IPs (windows 105 and linux 106) | |
| # check the list of ports | |
| nmap -PN -p 25,135,139,445,475,1337,8000 192.168.0.105 | |
| ### Starting Nmap 5.21 ( http://nmap.org ) at 2014-04-13 15:11 CDT | |
| ### Nmap scan report for 192.168.0.105 | |
| ### Host is up (0.99s latency). | |
| ### PORT STATE SERVICE | |
| ### 25/tcp filtered smtp | |
| ### 135/tcp filtered msrpc | |
| ### 139/tcp filtered netbios-ssn | |
| ### 445/tcp filtered microsoft-ds | |
| ### 475/tcp filtered tcpnethaspsrv | |
| ### 1337/tcp filtered waste | |
| ### 8000/tcp filtered http-alt | |
| # what about my own computer? | |
| nmap -PN -p 25,135,139,445,475,1337,8000 192.168.0.103 | |
| ### Starting Nmap 5.21 ( http://nmap.org ) at 2014-04-13 17:04 CDT | |
| ### Nmap scan report for 192.168.0.103 | |
| ### Host is up (0.00012s latency). | |
| ### PORT STATE SERVICE | |
| ### 25/tcp closed smtp | |
| ### 135/tcp closed msrpc | |
| ### 139/tcp open netbios-ssn | |
| ### 445/tcp open microsoft-ds | |
| ### 475/tcp closed tcpnethaspsrv | |
| ### 1337/tcp closed waste | |
| ### 8000/tcp closed http-alt |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment