Honeyd honeypot Configuration and Web listener scripts

Source: Internet
Author: User

Installation and configuration of Honeyd

Honeyd depends on three libraries and on the arpd tool:

(1) libevent: an asynchronous event-notification library. With libevent a program registers callbacks that run when an event occurs (a readable socket, an expired timer) instead of polling in a loop as older programs did.

(2) libdnet: a portable low-level networking library. Among other things it provides ARP-cache and routing-table lookups and the raw transmission of IP packets and Ethernet frames.

(3) libpcap: the packet-capture (packet-sniffing) library on which most network tools are built.

(4) arpd: runs on the same host as Honeyd and is the most important of the tools used alongside it. arpd listens to ARP traffic on the LAN and, from the honeyd host's ARP table and its own ARP requests, infers which addresses belong to real systems.

When something tries to reach an address on the LAN, arpd first checks whether that address is really in use: it looks the address up in the ARP table and, if it is not there, sends an ARP request for it. If a reply comes back, a real system owns the address; arpd records the IP/MAC pair in the honeyd host's ARP table and leaves the connection alone, since it may be legitimate traffic. If nobody answers, arpd concludes that the address is unused, treats the attempt as a probable attack, and answers the ARP request on behalf of the victim address with the MAC address of the honeyd host. From then on, traffic to any unused address in the configured range is delivered to the honeyd host. On a LAN this is particularly effective at attracting scanning worms: their traffic is diverted to the honeypot, which lays the groundwork for detecting and capturing them.

Caveat: arpd claims every unused address in the range it is given, so restrict the range to the honeypot addresses (or a small block) on a network where DHCP also hands out addresses; otherwise addresses a DHCP server later assigns can collide with ones the honeyd host is already answering for.

Both arpd and honeyd must be running for the honeypot addresses to be reachable; the original notes that you may have to start honeyd before arpd.

arpd can be started in two ways:

A. arpd IP

B. /path/to/arpd IP, with the full path, because the system may already ship an unrelated arpd binary (Ubuntu's iproute2 package provides one), so you sometimes have to point explicitly at the arpd you installed; with the default prefix it is /usr/local/sbin/arpd.

Before compiling and installing the libraries, make sure GCC is installed: gcc -v prints its version if it is. If it is missing, install it with:

sudo apt-get install build-essential

Note: build-essential is a meta-package that pulls in gcc, g++, make and the C library headers (libc6-dev), all of which the configure scripts need; installing only gcc and g++ is not enough.

The following was done on Ubuntu; all library and tool packages downloaded from the net were placed in a folder named honeyd under the home directory.

Installing libevent:

Unpack with tar -zxvf libevent-1.4.14b-stable.tar.gz

Enter the folder with cd libevent-1.4.14b-stable

Run ./configure to detect the target platform

Compile with make

Install with sudo make install

Note: the last step must run with administrator privileges, i.e. prefix the command with sudo, otherwise it fails with a permission error when writing to /usr/local.

The remaining libraries follow the same pattern; the minor problems that came up are noted inline:

Installing libdnet:

tar -zxvf libdnet-1.11.tgz

cd libdnet-1.11/

./configure

make

sudo make install

Installing libpcap:

tar -zxvf libpcap-1.3.0.tar.gz

cd libpcap-1.3.0

./configure

* Error: flex is missing

sudo apt-get install flex (installs flex)

./configure

make

* Error: failed to find yacc

sudo apt-get install bison (bison provides yacc)

make

sudo make install

Installing Honeyd:

tar -zxvf honeyd-1.5c.tar.gz

cd honeyd-1.5c

./configure

* Error: libedit or libreadline is needed

sudo apt-get install libedit-dev (installs libedit)

./configure

* Error: the zlib library is needed

cd

unzip zlib-1.2.8.zip (installs zlib)

cd zlib-1.2.8

./configure

make

sudo make install

(sudo apt-get install zlib1g-dev is the simpler alternative to building zlib from source.)

cd honeyd-1.5c (back into the honeyd source directory)

./configure

* Error: unable to find libc

sudo cp /lib/i386-linux-gnu/libc.so.6 /usr/lib/ (makes libc visible to configure)

This is the workaround the original used on a 32-bit Ubuntu with multiarch library paths. Copying the C library around is fragile; check config.log for the exact test that failed before resorting to it.

./configure

* Error: pcap_parse not defined

cd ../libpcap-1.3.0 (rebuild libpcap-1.3.0)

make clean (required)

./configure

make

sudo make install

cd - (back to honeyd-1.5c)

make

sudo make install

Installing the arpd tool:

tar -zxvf arpd-0.2.tar.gz

cd arpd-0.2/

./configure

make fails with a compile error. The fix found online is:

Add #define __FUNCTION__ "" at the top of arpd.c (in the arpd-0.2 directory)

arpd.c concatenates __FUNCTION__ with string literals in its syslog calls, which current GCC rejects because __FUNCTION__ is no longer a string literal; the define makes the concatenation legal again, at the cost of empty function names in arpd's log messages.

make

sudo make install

Emulating two hosts

Pick unused IP addresses on the LAN and start arpd for them. Here 192.168.1.2 and 192.168.1.3 were chosen, to be used later for the virtual Windows host and the virtual Linux host respectively; both are answered for with the MAC address of the 192.168.1.150 host (the Ubuntu machine running honeyd). Confirm the addresses are really free first, for example with arping: arpd will not answer for an address that a live host defends, so a honeypot on a used address would simply never receive traffic.


If starting honeyd fails with "libdnet.1: can't open shared object file", the fix found online is as follows:

If a shared library is installed under /usr/local/lib or another directory that is not /lib or /usr/lib, the new library directory has to be added to the dynamic loader's configuration /etc/ld.so.conf (or a file under /etc/ld.so.conf.d/) and ldconfig must then be run, for example:

# cat /etc/ld.so.conf

include /etc/ld.so.conf.d/*.conf

# echo "/usr/local/lib" >> /etc/ld.so.conf

# ldconfig

After making the change above, we also applied the following change found online:

Export the environment variable LD_LIBRARY_PATH so that the loader also searches that directory when the program is executed. (LD_LIBRARY_PATH tells the loader which extra directories to search for shared libraries; several directories can be given, separated by colons, not commas.)

export LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH

Note that an exported variable only affects the current shell and the programs it starts, and sudo's environment reset strips LD_LIBRARY_PATH, so sudo honeyd never sees it; the ld.so.conf entry plus ldconfig is the persistent fix.
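The build procedure above and the shared-library fix, collected into one helper script. This is an added example, not a script from the original post or from the Honeyd project: it checks that the build tools exist before starting, unpacks and builds each tarball in the order used above (applying the __FUNCTION__ define to arpd.c), and then registers /usr/local/lib with the dynamic loader so honeyd does not fail with the libdnet.1 error. It assumes the tarballs named above sit in the current directory, that the distribution packages flex, bison, libedit-dev and zlib1g-dev were installed beforehand (which avoids the zlib and libedit workarounds), and that the default prefix /usr/local is used; the file name build-honeyd.sh is an arbitrary choice.

```sh
#!/bin/sh
# Added example (not from the original post or the Honeyd project): applies
# the build steps in order, after checking the build tools, and registers
# /usr/local/lib with ld.so so honeyd finds libdnet.so.1 at run time.
# Assumes the tarballs are in the current directory and flex, bison,
# libedit-dev and zlib1g-dev are already installed from the distribution.
set -eu

# Print the names of the given tools that are not on PATH, space separated
# (empty output means everything is present).
missing_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    printf '%s' "${missing# }"
}

# Prepend DIR to the colon-separated search path VALUE unless it is already
# listed; used to extend LD_LIBRARY_PATH without duplicate entries.
prepend_path() {
    dir=$1
    cur=${2:-}
    case ":$cur:" in
        *":$dir:"*) printf '%s' "$cur" ;;
        *) if [ -n "$cur" ]; then printf '%s:%s' "$dir" "$cur"; else printf '%s' "$dir"; fi ;;
    esac
}

# Unpack one tar.gz archive and print its top-level directory name, so the
# caller can patch files (arpd.c) before building.
unpack() {
    dir=$(tar -tzf "$1" | head -n 1 | cut -d/ -f1)
    tar -xzf "$1"
    printf '%s' "$dir"
}

# configure, build and install one source directory; "make clean" first so
# a rebuild (as libpcap needed above) starts from a clean tree.
build_dir() {
    ( cd "$1" && { [ -f Makefile ] && make clean || true; } \
        && ./configure && make && sudo make install )
}

# Only build when invoked as "sh build-honeyd.sh build".
if [ "${1:-}" = "build" ]; then
    absent=$(missing_tools gcc make flex bison)
    [ -z "$absent" ] || { echo "install first: $absent" >&2; exit 1; }
    for archive in libevent-1.4.14b-stable.tar.gz libdnet-1.11.tgz \
                   libpcap-1.3.0.tar.gz honeyd-1.5c.tar.gz; do
        build_dir "$(unpack "$archive")"
    done
    # arpd 0.2 only compiles with modern GCC once __FUNCTION__ is a literal
    # (GNU sed "1i" inserts the define as the first line of arpd.c).
    arpd_dir=$(unpack arpd-0.2.tar.gz)
    grep -q '^#define __FUNCTION__' "$arpd_dir/arpd.c" \
        || sed -i '1i #define __FUNCTION__ ""' "$arpd_dir/arpd.c"
    build_dir "$arpd_dir"
    # Persistent fix for "libdnet.1: can't open shared object file".
    echo /usr/local/lib | sudo tee /etc/ld.so.conf.d/local-lib.conf >/dev/null
    sudo ldconfig
    # Also cover the current shell, for a honeyd started without sudo.
    LD_LIBRARY_PATH=$(prepend_path /usr/local/lib "${LD_LIBRARY_PATH:-}")
    export LD_LIBRARY_PATH
fi
```

The tool check runs before anything is unpacked, so a missing flex or bison is reported once up front instead of half-way through libpcap's build; the ld.so.conf.d file is written instead of appending to /etc/ld.so.conf because Ubuntu's ld.so.conf already includes that directory.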

Network topology: three hosts and one gateway. A Windows host with IP 192.168.1.115 is used to access the virtual services; a second Windows host with IP 192.168.1.104 provides a real FTP service; an Ubuntu host with IP 192.168.1.150 is configured as the honeypot; the gateway is 192.168.1.1.

After Honeyd is installed it is used to emulate a Windows host running a web server. The configuration file is named honeyd.conf and contains the following:

create windows

set windows personality "Microsoft Windows NT 4.0 SP3"

set windows default tcp action reset

set windows default udp action reset

add windows tcp port 80 "sh honeyd/honeyd-1.5c/scripts/web.sh"

bind 192.168.1.2 windows

This configuration creates a template named windows and binds the honeypot IP 192.168.1.2 to it.

The personality line tells Honeyd to imitate the TCP/IP stack of a Microsoft Windows NT 4.0 SP3 system when a client fingerprints the honeypot (the name must match an entry in Honeyd's nmap.prints file). The two default actions make every other TCP and UDP port answer with a reset, i.e. appear closed. The add line attaches the web.sh script to TCP port 80, which is how Honeyd emulates a web service: for each connection it runs the script, feeds the client's data to the script's stdin and returns whatever the script writes to stdout. The script path is resolved relative to the directory honeyd is started from, so an absolute path is safer.

At first we ran this on a virtual machine, and at this step the hosts on the same network segment could not access the virtual web service. We looked for solutions online and checked the configuration file honeyd.conf and the virtual server script web.sh; nothing unusual was found, and several hours went into this. Suspecting that running on a virtual machine was the cause, we redid the previous steps on a native Ubuntu system and then entered the following command in the Ubuntu terminal, so that when a host accesses 192.168.1.2, 192.168.1.2 responds:

honeyd -d -f honeyd.conf 192.168.1.2

In this command -d keeps honeyd in the foreground and prints what the honeypot sees to the terminal (without it honeyd daemonizes), -f honeyd.conf selects the configuration file, and the trailing 192.168.1.2 is the address (or network) honeyd should answer for.

When the 192.168.1.115 host visits 192.168.1.2, the page displayed is as follows:


As can be seen, the Honeyd web script ran successfully. It is a simple web page used to test that the honeypot is working.

The Ubuntu host's terminal output in response to the visit looks like this:


The 192.168.1.115 host successfully established a connection with honeypot 192.168.1.2, and the web script ran.

Testing the 192.168.1.3 honeypot works the same way.

The complete configuration file used for the experiment is shown in the following screenshot:


The configuration file emulates two hosts. One is a Windows host with IP 192.168.1.2 and ports 80, 20, 21 and 22 open: ports 80 and 22 run emulated-service scripts; because an FTP service is hard to emulate convincingly, port 21 is configured as a proxy to the real FTP server on 192.168.1.104; port 20 is simply left open (the web script below uses it). The other is a Linux host with IP 192.168.1.3 whose open ports and emulated services are the same as the Windows host's.
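The two-host configuration just described, written out in Honeyd's configuration syntax together with the arpd and honeyd start-up commands. This is an added example, not the post's own honeyd.conf or code from the Honeyd project. It assumes the service scripts live in $HOME/honeyd/honeyd-1.5c/scripts, that the LAN interface is eth0, that the port-22 script is called ssh.sh (a hypothetical name; the post does not say which script it used), and that the Linux personality string exists in honeyd's nmap.prints (check with grep '^Fingerprint' /usr/local/share/honeyd/nmap.prints). The addr_is_free check uses iputils arping in duplicate-address-detection mode, which exits 0 only when nobody answers for the address.

```sh
#!/bin/sh
# Added example (not the post's own honeyd.conf or Honeyd project code):
# writes the two-host configuration described above and starts arpd and
# honeyd for it. Assumptions: scripts under $HOME/honeyd/honeyd-1.5c/scripts,
# LAN interface eth0, a hypothetical ssh.sh for port 22, and the Linux
# personality string present in nmap.prints.
set -eu

WIN_IP=192.168.1.2        # virtual Windows host
LNX_IP=192.168.1.3        # virtual Linux host
FTP_REAL=192.168.1.104    # real FTP server that port 21 is proxied to
IFACE=eth0
SCRIPTS=${HOME:-$PWD}/honeyd/honeyd-1.5c/scripts

# Write the configuration to OUTFILE, using SCRIPTDIR for the service scripts.
write_honeyd_conf() {
    outfile=$1
    scriptdir=$2
    cat > "$outfile" <<EOF
# Windows template: 80 and 22 run scripts, 21 is proxied to the real FTP
# server, 20 is left open; every other port answers with a reset.
create windows
set windows personality "Microsoft Windows NT 4.0 SP3"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 80 "sh $scriptdir/web.sh"
add windows tcp port 22 "sh $scriptdir/ssh.sh"
add windows tcp port 21 proxy $FTP_REAL:21
add windows tcp port 20 open
bind $WIN_IP windows

# Linux template: same ports and services, different TCP/IP fingerprint.
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action reset
set linux default udp action reset
add linux tcp port 80 "sh $scriptdir/web.sh"
add linux tcp port 22 "sh $scriptdir/ssh.sh"
add linux tcp port 21 proxy $FTP_REAL:21
add linux tcp port 20 open
bind $LNX_IP linux
EOF
}

# Succeed only if nobody on IFACE answers ARP for the address (iputils
# arping -D returns 0 when no reply arrives), so a live host is never claimed.
addr_is_free() {
    arping -D -c 2 -I "$IFACE" "$1" >/dev/null 2>&1
}

# Only start the honeypot when invoked as "sh start-honeypot.sh start".
if [ "${1:-}" = "start" ]; then
    for ip in $WIN_IP $LNX_IP; do
        addr_is_free "$ip" || { echo "$ip is in use, pick another address" >&2; exit 1; }
    done
    write_honeyd_conf honeyd.conf "$SCRIPTS"
    # arpd answers ARP for the honeypot addresses with this host's MAC; the
    # full path avoids the unrelated arpd that iproute2 installs. The
    # addresses can also be given as one block, e.g. 192.168.1.2/31.
    sudo /usr/local/sbin/arpd -i "$IFACE" "$WIN_IP" "$LNX_IP"
    # -d keeps honeyd in the foreground and logs each connection to the terminal.
    sudo honeyd -d -f honeyd.conf -i "$IFACE" "$WIN_IP" "$LNX_IP"
fi
```

Keeping the reset defaults is what makes the two hosts look like ordinary machines with four open ports rather than a honeypot answering on everything; the proxy line hands port 21 to the real FTP server, so any credential the attacker tries there reaches a real service and should be treated accordingly when you pick that server.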

Recording the credentials a client types into the virtual service

The web service and the credential capture are implemented in the web.sh file, which was written in advance; the script is analysed below.

Using 192.168.1.115 to access the virtual web service, a username and password are entered as shown below:


The output on the 192.168.1.150 control host is as follows:


The result shows that the 192.168.1.115 host connected to the honeypot and the web.sh script ran successfully.

When Login is clicked, the control host (which launches the capture through Python's os.system) runs tshark -f "ip dst 192.168.1.2" -w catchlog in a terminal (-f is tshark's capture-filter option; add -i <interface> to choose the interface), saving the captured packets to the file catchlog. Among them are the packets carrying the username and password:

The virtual web service script is as follows:


It is a shell script. It mainly writes out the HTML shown in purple in the screenshot, which has two parts: the <body> to </body> section builds the web page with two form fields, username and password, and the JavaScript above it, when the Login button's click event fires, submits the contents of the two fields to the otherwise unused open port 20 of 192.168.1.2. Because port 20 is merely "open", Honeyd completes the TCP handshake and accepts the POST without ever answering, which is enough for the credentials to appear in cleartext in the capture taken on the honeypot host.
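A minimal emulated web service of the kind described above, to show how a Honeyd port script is structured. This is an added example, not the post's own web.sh and not the web.sh that ships with Honeyd: Honeyd runs the script once per connection with the client's bytes on stdin and sends the script's stdout back to the client, so the script reads the request headers, logs them, and answers with a login page whose form posts to the honeypot's open collection port. It assumes the honeypot address and collection port are hard-wired (192.168.1.2 and 20, as in the post), that Honeyd exports the client's address in the HONEYD_IP_SRC environment variable (falling back to "unknown" if it is unset), and that requests are logged to /tmp/web.log; the IIS Server header is a cosmetic choice.

```sh
#!/bin/sh
# Added example (not the post's web.sh and not Honeyd's bundled web.sh):
# an emulated web service for an "add ... tcp port 80" line. Honeyd runs it
# per connection with the client on stdin/stdout. Assumes the honeypot
# address and collection port below, HONEYD_IP_SRC for the peer address
# (fallback "unknown") and /tmp/web.log as the request log.
set -eu

HONEYPOT_IP=192.168.1.2
CAPTURE_PORT=20
LOGFILE=/tmp/web.log

# Return "METHOD PATH" from an HTTP request line, tolerating a trailing CR
# and a malformed line (missing fields come back empty, never an error).
parse_request_line() {
    line=$(printf '%s' "$1" | tr -d '\r')
    set -- $line
    printf '%s %s' "${1:-}" "${2:-}"
}

# Emit the login page: the Login button submits the two fields to the
# honeypot's open collection port, where Honeyd accepts the data but never
# replies, so the cleartext credentials show up in a capture on the host.
login_page() {   # login_page HONEYPOT_IP CAPTURE_PORT
    cat <<EOF
<html><head><title>Login</title>
<script>
function doLogin() { document.getElementById('login').submit(); }
</script></head>
<body>
<h2>Please sign in</h2>
<form id="login" method="post" action="http://$1:$2/">
Username: <input type="text" name="username"><br>
Password: <input type="password" name="password"><br>
<input type="button" value="Login" onclick="doLogin()">
</form>
</body></html>
EOF
}

# Read the request headers from stdin (up to the blank line or EOF), append
# them to LOGFILE tagged with the peer address, and answer with the page.
handle_request() {   # handle_request LOGFILE HONEYPOT_IP CAPTURE_PORT
    log=$1
    peer=${HONEYD_IP_SRC:-unknown}
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        [ -n "$line" ] || break          # blank line ends the headers
        printf '%s %s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$peer" "$line" >> "$log"
    done
    body=$(login_page "$2" "$3")
    printf 'HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/4.0\r\nContent-Type: text/html\r\nContent-Length: %s\r\nConnection: close\r\n\r\n' \
        "$(printf '%s' "$body" | wc -c | tr -d ' ')"
    printf '%s' "$body"
}

# Honeyd invokes this file as "sh .../web.sh"; only then serve a request.
case "$0" in
    *web.sh) handle_request "$LOGFILE" "$HONEYPOT_IP" "$CAPTURE_PORT" ;;
esac
```

Two details matter in practice: the loop stops at EOF as well as at the blank line, so a scanner that sends a banner probe and closes does not hang the script, and the browser is left waiting on the POST to port 20 because Honeyd never answers there. To pull the submitted fields out of the capture, decode that port as HTTP when reading it back, for example tshark -r catchlog -d tcp.port==20,http -Y http.request.method==POST -T fields -e urlencoded-form.key -e urlencoded-form.value (tshark 1.10 or later for -Y).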
