Published: 17 Feb 2003
Honeypots are a useful tool for learning about attackers' techniques and motives. The latest cool tool in the honeypot1 toolbox is an incredibly flexible traffic manipulation engine called "honeyd," authored by Niels Provos of the University of Michigan . Honeyd allows you to construct networks of computers that don't exist. It can fool Nmap and ICMP scanners and build incredibly powerful honeypot systems--all running on a single low-end computer.
How does it work? Honeyd functions best in cooperation with Dug Song's arpd--a tool for spoofing ARP traffic. ARP spoofing is used for "capturing" the IP address of a machine that doesn't exist, and directing traffic aimed at that machine somewhere else. Arpd automates this process for honeyd, allowing honeyd to reliably "see" traffic for entire networks at a time.
Honeyd listens for traffic aimed at an address arpd has captured, interacting with it as if it were a real host. ICMP, TCP and UDP traffic is handled within the honeyd application, so there's no stress on the underlying system's real IP stack.
Honeyd "understands" ICMP messages and will reply to them appropriately, which makes for lots of fun. But the icing on the cake is honeyd's ability to spoof Nmap and other stack-fingerprinting scan tools.
Stack-fingerprinting works by sending special combinations of test packets against a target and identifying the target's OS by differences in how various OSes reply to the tests. Honeyd "inverts" an Nmap fingerprint database and, when the test packets are received, sends back answers that perfectly spoof the unique properties of whatever IP stack you tell it to spoof. Do you want an entire subnet of computers (that don't exist) to appear to be Cray supercomputers? How about a network of supercomputers with a flaky network connection? No Problem!
Here's an example of a simple honeyd configuration file that shows some of the fun tricks you can play with it:
set aixbox personality "AIX 4.0 - 4.2"
add aixbox tcp port 80 "sh scripts/web.sh"
add aixbox tcp port 23 proxy 10.23.1.2:23
set aixbox default tcp action reset
bind 10.21.19.102 aixbox
The "create aixbox" directive tells honeyd we want to define a new artificial personality template for an emulation called "aixbox." Then we set the personality to be "AIX 4.0 - 4.2"--which matches exactly the name of the Nmap fingerprint we want to spoof. Honeyd will use the personality name to look in Nmap's fingerprint database to decide how it should react to the tests as they are received.
Then, we define a few services. On TCP port 80, we tell honeyd to invoke "sh scripts/web.sh," which is a shell script that outputs a banner resembling a popular Web server running on an AIX box. On port 23, honeyd is configured to automatically proxy traffic to another machine's Telnet port. The proxy capability is very useful if you want to emulate a Web server farm with a couple of ghost Web servers that just proxy the HTTP connections to your real Web server. "default tcp action reset" tells honeyd to send a RST packet when it gets a connection on an unserved port, just like a normal system. Lastly, we associate the personality template to the IP address of the machine we want it to simulate: 10.21.19.102.
Now, you can ping and Nmap 10.21.19.102 to your heart's content:
root# nmap -O 10.21.19.102
Starting nmap V 2.54BETA ( a href="www.insecure.org/nmap/ ">www.insecure.org/nmap/ )
Interesting ports on (10.21.19.102):
Port State Service
23/tcp open telnet
80/tcp open http
Remote operating system guess: AIX 4.0 - 4.2
Of course, honeyd is logging all this activity--interesting fodder for further research.
I've only scratched the surface of the fun tricks you can play with this delightful new tool. It's available in source code form that builds on BSD, Linux and Solaris. I'd rate it as an advanced-level tool; it requires a fair bit of experience to build and deploy.
Spoofing, diversion and obfuscation are all part of honeyd's arsenal.
About the author:
Marcus J. Ranum is an independent security consultant and author. He is the founder of NFR Security and built the first commercial firewall product, DEC SEAL. 1For more information on honeypots, see the Honeynet Project or Lance Spitzner's Tracking Hackers Web site.