A honeypot is a device on the network designed to attract and capture malicious traffic. It disguises itself as a real production system but holds only dummy information. It is usually placed behind the firewall, inside the network, and is used to learn about intruders' methods and to detect vulnerabilities. Because no legitimate user has a reason to talk to it, every connection to it is suspect, and a connection arriving on a port the firewall should be blocking points to a vulnerability or a misconfiguration of the firewall. A honeypot can also pose as a router or a firewall. Honeypots are becoming leading security tools, especially for detecting the latest tricks and exploits.
HoneyBOT – brief
“Development began as a small project to capture attacks of the Code Red and Nimda worms which were propagating widely on the internet in 2001.” The first public release came in September 2005, and the tool is maintained by Atomic Software Solutions.
HoneyBOT opens a large number of listening sockets on the computer where it is installed. The sockets appear open, so any attempt to connect to them, or even to scan a port, is logged, as shown in Figure A1. It requires a Windows operating system and has its own graphical user interface, which makes it quite user friendly.
Honeyd – brief
Honeyd is a small daemon that allows you to create virtual hosts on the network. It was created and developed by Niels Provos, a Principal Engineer at Google Inc., and is released under the GNU General Public License (version 1.5c was released in 2007); thanks to that licence it developed rapidly, with many contributors fixing bugs and extending the code.
The virtual hosts can disguise themselves as any operating system or device, such as a router or a switch. Honeyd offers a wide range of functionality; for instance, a single virtual host can claim multiple IP addresses. It is supported on Unix-based operating systems, with some attempts towards a Windows port, which is even more complex to set up.
HoneyBOT's options are simple and straightforward. Even though by default it opens a large number of services (1339), it also allows the set of ports to be opened to be selected.
It has a built-in e-mail alert function that sends a daily e-mail with all the log files; it also checks for updates and allows the log to be exported at any time.
Honeyd is far more complex in terms of functionality. It emulates different operating systems at the TCP/IP stack level using the same fingerprint database that nmap uses (nmap.prints), so a scan of a virtual host returns the personality chosen for it. It can also disguise itself as a router; here is an example configuration:
# the template has to be created before it can be configured
create router
set router personality "Cisco 4500-M running IOS 11.3(6) IP Plus"
# port 23 is served by a script that fakes the router's telnet login
add router tcp port 23 "/usr/bin/perl scripts/router-telnet.pl"
# every other TCP port answers with a RST, like a closed port on a real host
set router default tcp action reset
set router uid 2500 gid 2500
set router uptime 1736485
bind 192.168.1.150 router
Another important function is the ability to attach scripts to ports (Honeyd also supports subsystems in the narrower sense of real applications run inside the virtual host). In the router example above, the script on port 23 creates some interaction between the system and the attacker. With a large number of these scripts and subsystems it is possible to create a very realistic environment and log the attacker's moves.
An example of the output of telnetting into the router above is shown below:
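What such a port script looks like, as an added example written for this page and not Honeyd's own router-telnet.pl: a fake Cisco telnet login that refuses every attempt and records the credentials tried. It would be attached with add router tcp port 23 "python3 scripts/router-telnet.py" in place of the Perl script above. It assumes, from the honeyd(1) man page, that Honeyd runs one copy per connection with the TCP stream on stdin/stdout and the peer address in the HONEYD_IP_SRC, HONEYD_SRC_PORT, HONEYD_IP_DST and HONEYD_DST_PORT environment variables; the banner text, the ROUTER_TELNET_LOG path and the log line format are constructed here.

```python
#!/usr/bin/env python3
"""Honeyd-style service script: fake Cisco telnet login that records credentials.

Added example, not part of Honeyd. The HONEYD_* variables are assumed from the
honeyd(1) man page; check them against your installed version.
"""
import os
import sys
from datetime import datetime, timezone

BANNER = "\r\nUser Access Verification\r\n\r\n"  # constructed, IOS-like greeting
MAX_ATTEMPTS = 3                                  # IOS drops the session after 3 failures
LOG_PATH = os.environ.get("ROUTER_TELNET_LOG", "/tmp/router-telnet-creds.log")  # hypothetical
IAC, SB, SE = 0xFF, 0xFA, 0xF0


def strip_iac(raw: bytes) -> bytes:
    """Drop telnet option negotiation (RFC 854) so only the typed text remains.

    Handles IAC WILL/WONT/DO/DONT <opt> (3 bytes), IAC SB ... IAC SE
    subnegotiation, other 2-byte IAC commands, and IAC IAC as a literal 0xFF.
    """
    out = bytearray()
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:          # truncated escape at end of buffer: ignore it
            break
        cmd = raw[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd == SB:
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif 0xFB <= cmd <= 0xFE:
            i += 3
        else:
            i += 2
    return bytes(out)


class RouterTelnet:
    """State machine for one login dialogue; every attempt is refused and kept."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.attempts = []      # (username, password) pairs the peer tried
        self._user = None
        self.done = False

    def start(self) -> str:
        return BANNER + "Username: "

    def feed(self, line: str) -> str:
        """Consume one line typed by the peer; return the text to send back."""
        if self.done:
            return ""
        line = line.rstrip("\r\n")
        if self._user is None:
            self._user = line
            return "Password: "
        self.attempts.append((self._user, line))
        self._user = None
        if len(self.attempts) >= self.max_attempts:
            self.done = True
            return "\r\n% Bad passwords\r\n"
        return "\r\n% Login invalid\r\n\r\nUsername: "


def format_records(src, sport, dst, dport, attempts, ts=None):
    """One log line per credential pair (constructed format)."""
    ts = ts or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return [f"{ts} telnet {src}:{sport} -> {dst}:{dport} user={u} pass={p}"
            for u, p in attempts]


def main():
    env = os.environ
    src, sport = env.get("HONEYD_IP_SRC", "?"), env.get("HONEYD_SRC_PORT", "?")
    dst, dport = env.get("HONEYD_IP_DST", "?"), env.get("HONEYD_DST_PORT", "?")
    inp, out = sys.stdin.buffer, sys.stdout.buffer
    sess = RouterTelnet()
    out.write(sess.start().encode())
    out.flush()
    while not sess.done:
        raw = inp.readline()
        if not raw:             # peer hung up
            break
        out.write(sess.feed(strip_iac(raw).decode("latin-1")).encode())
        out.flush()
    with open(LOG_PATH, "a") as fh:   # Honeyd closes the connection when the script exits
        for rec in format_records(src, sport, dst, dport, sess.attempts):
            fh.write(rec + "\n")


if __name__ == "__main__":
    main()
```

The dialogue is kept in a small state machine rather than written inline in the read loop so it can be exercised without a socket; the only I/O-specific work is stripping the telnet option negotiation that clients send before the first typed line, which would otherwise end up recorded as part of the username.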
I believe that the two tools I have compared have many strengths and weaknesses. Starting with HoneyBOT, it is very easy to install and use thanks to its graphical user interface and very user-friendly controls, and there are plenty of web-based guides, support and updates provided by Atomic Software Solutions. Its weakness is the default configuration, which opens more than a thousand ports and makes it look too obvious rather than like a real production server. Another disadvantage is the way the log files are presented: without some programming skills to apply filtering, it can be really time-consuming to go through them in order to identify the attacker. Lastly, the fact that it is a really small application yet requires a full operating system to run is a huge weakness because of power consumption, cost and management.
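The filtering the paragraph above says is missing takes only a few lines. As an added example that is not part of HoneyBOT or Honeyd, this script reads connection records in the style of Honeyd's packet log (timestamp, protocol, S/E/- marker, source, source port, destination, destination port), groups them by source address, and reports which sources touched enough distinct ports to look like a scanner and which ports lie outside the honeypot's configured services. The default expected_ports of {23} matches the router template above, which serves only telnet and resets everything else; the sample log lines are constructed, and HoneyBOT's own log layout differs and would need its own pattern in parse_line().

```python
#!/usr/bin/env python3
"""Triage honeypot connection logs: who scanned, which ports, what was unexpected.

Added example, not part of HoneyBOT or Honeyd. Record layout assumed:
    <timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport>[: ...]
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\(\d+\)\s+(?P<kind>[SE-])\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)"
)

# Constructed sample: one sweep from 10.0.0.5, one telnet session from 10.0.0.9,
# one stray SNMP packet from 10.0.0.7, and one line of garbage.
SAMPLE_LOG = """\
2011-03-02-10:15:01.0210 tcp(6) S 10.0.0.5 51001 192.168.1.150 21 [Linux 2.6]
2011-03-02-10:15:01.0314 tcp(6) S 10.0.0.5 51002 192.168.1.150 22 [Linux 2.6]
2011-03-02-10:15:01.0402 tcp(6) S 10.0.0.5 51003 192.168.1.150 23 [Linux 2.6]
2011-03-02-10:15:01.0518 tcp(6) S 10.0.0.5 51004 192.168.1.150 25 [Linux 2.6]
2011-03-02-10:15:01.0605 tcp(6) S 10.0.0.5 51005 192.168.1.150 80 [Linux 2.6]
2011-03-02-10:15:01.0711 tcp(6) S 10.0.0.5 51006 192.168.1.150 443 [Linux 2.6]
2011-03-02-10:15:07.2201 tcp(6) E 10.0.0.5 51003 192.168.1.150 23: 44 96
2011-03-02-10:20:33.5001 tcp(6) S 10.0.0.9 40122 192.168.1.150 23 [Windows XP SP1]
2011-03-02-10:21:40.1170 tcp(6) E 10.0.0.9 40122 192.168.1.150 23: 310 512
2011-03-02-10:25:02.8800 udp(17) - 10.0.0.7 53 192.168.1.150 161: 48
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return a dict for one record, or None if the line is not a record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def summarize(text, expected_ports=frozenset({23}), scan_threshold=5):
    """Group records by source address.

    Returns (findings, skipped). Each finding lists the distinct destination
    ports touched, how many distinct flows (proto, sport, dst, dport) were
    seen, which ports are outside the honeypot's configured services, and
    whether the source looks like a port scanner (>= scan_threshold ports).
    Start and end records of the same connection count as one flow.
    """
    ports = defaultdict(set)
    flows = defaultdict(set)
    skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        ports[rec["src"]].add(rec["dport"])
        flows[rec["src"]].add((rec["proto"], rec["sport"], rec["dst"], rec["dport"]))
    findings = []
    for src in ports:
        p = sorted(ports[src])
        findings.append({
            "src": src,
            "ports": p,
            "flows": len(flows[src]),
            "unexpected": [x for x in p if x not in expected_ports],
            "scanner": len(p) >= scan_threshold,
        })
    findings.sort(key=lambda f: (-len(f["ports"]), f["src"]))   # noisiest first
    return findings, skipped


def report(findings):
    """Render findings as one line per source, scanners tagged."""
    lines = []
    for f in findings:
        tag = "SCAN" if f["scanner"] else "    "
        lines.append(f"{tag} {f['src']:<15} flows={f['flows']:<3} "
                     f"ports={f['ports']} unexpected={f['unexpected']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    found, bad = summarize(text)
    print(report(found))
    print(f"({bad} unparsable line(s) skipped)")
```

Run it with a log file as the argument, or without one to see the constructed sample. The "unexpected" column is the practical payoff of a narrow port list: with only telnet configured, a hit on any other port is a scan rather than a mistyped address, which is exactly the signal that a default of 1339 open services buries.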
Honeyd is quite advanced in terms of functionality: it allows multiple honeypots to be created at the same time and multiple IP addresses to be linked to one honeypot. It can disguise itself as a real production system thanks to the script and subsystem functionality, which runs Perl (or any other executable) scripts when an intruder connects. Additionally, it can emulate routers and actually route traffic, so 'disguised' network topologies can be created. The daemon is really small and does not need a dedicated server to run, and all of the above is managed from a single configuration file, which is a big advantage. Its most important weakness is the complexity of the advanced functions and the lack of support.
To conclude, even though Honeyd scored slightly fewer points than HoneyBOT, I believe it is the better piece of software. The scope for further development is extraordinary: the implementation of whole spoofed networks with subsystems and routing is a great environment for detecting the latest exploits. It has some weaknesses, but in my opinion support will come as soon as people realise the potential. The developer is currently working on a new release.