Network Security Hacks [Electronic resources] (text version)


Andrew Lockhart

Hack 94 Simulate a Network of Vulnerable Hosts



Use honeyd to fool would-be attackers into
chasing ghosts.


As the saying goes, you will attract more flies with honey than with
vinegar. (I've never understood that saying; who wants to attract
flies, anyway?) A honeypot is used to attract the "flies" of the
Internet: script kiddies and hacker wannabes who have nothing better
to do with their time than scan for vulnerable hosts and try to attack
them. A honeypot does this by pretending to be a server running
vulnerable services, while in fact collecting information about the
attackers who think themselves so clever.


Whether you want to simulate one or one thousand vulnerable network
hosts, honeyd (http://www.honeyd.org) makes the job as
simple as editing a configuration file and running a daemon. The
honeyd daemon can simulate thousands of hosts
simultaneously and will let you configure what
operating system each host will appear as
when scanned with operating system detection tools like Nmap [Hack #42]. Each system that
honeyd simulates will appear to be a fully
functioning node on the network. Besides simply creating hosts that
respond to pings and traceroutes, honeyd also
lets you configure what services each host appears to be running. You
can either use simple scripts to emulate a given service or have
honeyd act as a proxy and forward requests to
another host for servicing.


honeyd has several prerequisites that you'll need to install before
building the daemon itself: libevent
(http://www.monkey.org/~provos/libevent/), libdnet
(http://libdnet.sourceforge.net), and libpcap (http://www.tcpdump.org).
Each can be installed by downloading and unpacking it and then running
the standard ./configure && make install procedure. After the
libraries are installed, you can install honeyd the same way. Then
copy the service emulation scripts from the source distribution to
somewhere more permanent (e.g., /usr/local/share/honeyd/scripts).
Only a few scripts come with honeyd itself, but additional service
emulation scripts are available on honeyd's contributions page
(http://www.citi.umich.edu/u/provos/honeyd/contribl).


Once honeyd has been installed, you'll need to create a configuration
file that defines the types of operating systems and services honeyd
will emulate, and the IP addresses honeyd will respond to. First,
create some operating system templates:


### Windows computers
create windows-web
set windows-web personality "MS Windows2000 Professional RC1/W2K Advance Server Beta3"
set windows-web default tcp action reset
set windows-web default udp action reset
add windows-web tcp port 80 "perl scripts/win2k/iisemulator-0.95/iisemul8.pl"
add windows-web tcp port 139 open
add windows-web tcp port 137 open
add windows-web tcp port 5900 "sh scripts/win2k/vnc.sh"
add windows-web udp port 137 open
add windows-web udp port 135 open
create windows-xchng
set windows-xchng personality "MS Windows2000 Professional RC1/W2K Advance Server Beta3"
set windows-xchng default tcp action reset
set windows-xchng default udp action reset
add windows-xchng tcp port 25 "sh scripts/win2k/exchange-smtp.sh"
add windows-xchng tcp port 110 "sh scripts/win2k/exchange-pop3.sh"
add windows-xchng tcp port 119 "sh scripts/win2k/exchange-nntp.sh"
add windows-xchng tcp port 143 "sh scripts/win2k/exchange-imap.sh"
add windows-xchng tcp port 5900 "sh scripts/win2k/vnc.sh"
add windows-xchng tcp port 139 open
add windows-xchng tcp port 137 open
add windows-xchng udp port 137 open
add windows-xchng udp port 135 open
### Linux 2.4.x computer
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action reset
set linux default udp action reset
add linux tcp port 110 "sh scripts/pop3.sh"
add linux tcp port 25 "sh scripts/smtp.sh"
add linux tcp port 21 "sh scripts/ftp.sh"


And then bind them to the IP addresses that you want to use:


bind 192.168.0.10 windows-web
bind 192.168.0.11 windows-xchng
bind 192.168.0.12 linux


Save this configuration file in a good place (e.g.,
/usr/local/share/honeyd/honeyd.conf). Then start honeyd and arpd like
this:


# arpd 192.168.0.10-192.168.0.12
# cd /usr/local/share/honeyd
# honeyd -p nmap.prints -x xprobe2.conf -a nmap.assoc \
-0 pf.os -f honeyd.conf
honeyd[5861]: started with -p nmap.prints -x xprobe2.conf -a nmap.assoc -0 pf.os -f honeyd.conf
honeyd[5861]: listening on eth0: (arp or ip proto 47 or (ip )) and not ether src 00:0c:29:e2:2b:c1
Honeyd starting as background process


Now try running
Nmap on the IP addresses
that honeyd is handling:


# nmap -sS -sU -O 192.168.0.10-12
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.0.10):
(The 3063 ports scanned but not shown below are in state: closed)
Port State Service
80/tcp open http
135/udp open loc-srv
137/tcp open netbios-ns
137/udp open netbios-ns
139/tcp open netbios-ssn
5900/tcp open vnc
Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance Server Beta3
Uptime 2.698 days (since Sun Jan 11 03:52:35 2004)
Interesting ports on (192.168.0.11):
(The 3060 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp open smtp
110/tcp open pop-3
119/tcp open nntp
135/udp open loc-srv
137/tcp open netbios-ns
137/udp open netbios-ns
139/tcp open netbios-ssn
143/tcp open imap2
5900/tcp open vnc
Remote operating system guess: MS Windows2000 Professional RC1/W2K Advance Server Beta3
Uptime 2.172 days (since Sun Jan 11 16:29:38 2004)
Interesting ports on (192.168.0.12):
(The 1598 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
110/tcp open pop-3
Remote operating system guess: Linux 2.4.7 (X86)
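
An added check, not code from the book or from the honeyd project: the Python below compares the ports a honeyd configuration should expose with what an Nmap scan reports, so a template that was edited but not reloaded (or a script that fails to start) shows up as drift. The function names and both sample inputs are constructed for illustration, and it assumes the configuration syntax and the Nmap 3.00 output layout shown above.

```python
import re
import shlex
from collections import defaultdict

# Constructed samples: config trimmed from above plus the SSH proxy line; the scan predates it.
HONEYD_CONF = '''
create windows-web
set windows-web default tcp action reset
add windows-web tcp port 80 "perl scripts/win2k/iisemulator-0.95/iisemul8.pl"
create linux
add linux tcp port 25 "sh scripts/smtp.sh"
add linux tcp port 22 proxy 192.168.0.100:22
bind 192.168.0.10 windows-web
bind 192.168.0.12 linux
'''
NMAP_OUT = '''
Interesting ports on  (192.168.0.10):
80/tcp     open        http
Interesting ports on  (192.168.0.12):
25/tcp     open        smtp
'''

def configured_ports(conf):
    """Map each bound IP to the ports its template answers on."""
    toks = shlex.split(conf, comments=True)  # a quoted command stays one token
    ports, binds = defaultdict(set), {}
    for i, kw in enumerate(toks):
        if kw == "add" and toks[i + 3:i + 4] == ["port"] and len(toks) > i + 5:
            if toks[i + 5] not in ("reset", "block"):  # neither answers as open
                ports[toks[i + 1]].add(f"{toks[i + 4]}/{toks[i + 2]}")
        elif kw == "bind" and len(toks) > i + 2:
            binds[toks[i + 1]] = toks[i + 2]
    return {ip: set(ports[name]) for ip, name in binds.items()}

def scanned_ports(nmap_text):
    """Map each scanned IP to the ports Nmap reported as open."""
    seen, ip = defaultdict(set), None
    pat = r"Interesting ports on .*\((\d+(?:\.\d+){3})\)|^(\d+/(?:tcp|udp))\s+open\s"
    for host, port in re.findall(pat, nmap_text, re.M):
        ip = host or ip  # a host header switches the current IP
        if port and ip:
            seen[ip].add(port)
    return seen

def drift(conf, nmap_text):
    """Return {ip: (missing, unexpected)} where scan and config disagree."""
    want, seen = configured_ports(conf), scanned_ports(nmap_text)
    return {ip: (sorted(p - seen[ip]), sorted(seen[ip] - p))
            for ip, p in want.items() if p != seen[ip]}
```

With the constructed samples, `drift(HONEYD_CONF, NMAP_OUT)` reports 22/tcp as missing on 192.168.0.12, because the scan was taken before the proxy line was added.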


You can certainly see that honeyd fools Nmap. But what happens when
you try to access one of the services that are purportedly running?
Try connecting to port 25 of the fake Windows mail server:


$ telnet 192.168.0.11 25
Trying 192.168.0.11...
Connected to 192.168.0.11.
Escape character is '^]'.
220 bps-pc9.local.mynet Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Mon Jan 12 12:55:04 MST 2004
EHLO kryten
250-bps-pc9.local.mynet Hello [kryten]
250-TURN
250-ATRN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50}
250 OK


Pretty effective at first glance, isn't it? If you'd like to provide
some real services for attackers to play with, you can use the proxy
keyword to forward any port to another machine. For example, this will
forward SSH requests from our imaginary Linux host to the machine at
192.168.1.100:


add linux tcp port 22 proxy 192.168.0.100:22


In addition to running the service emulation scripts, honeyd can limit
inbound or outbound bandwidth, or even slow down access to a
particular service. This can be used to tie up spammers' resources by
holding open an apparently open mail relay. The possibilities provided
by honeyd are limited only by your imagination and the time you're
willing to spend building your virtual fly-catching network.


