Security Reconnaissance with Honeyd and HoneyWeb

Honeypots help detect and analyze network attacks.

ITPro Today

February 18, 2003

Do you have layered security in place? If so, do your layers include features that help you determine which kinds of attacks are targeting your networks? Many of you probably have probing and attack-detection tools in place, such as an Intrusion Detection System (IDS), but you can take that sort of attack-detection technology further by adding a honeypot to your network.

I've written about various honeypot technologies in the past, including information about various network, system, and service emulators. For example, some honeypot technologies can mimic a particular system architecture, and others can emulate services such as SMTP mail servers to help catch and thwart spammers. You can find several articles about honeypots through a search [http://search.winnetmag.com/query.html?qt=honeypot&site=security] of our Web site.

On Lance Spitzner's Tracking Hackers Web site, [http://www.tracking-hackers.com] he defines a honeypot as "a security resource [whose] value lies in being probed, attacked, or compromised." If you're interested in honeypot technology, know that a new version of Honeyd [ http://www.citi.umich.edu/u/provos/honeyd] was released over the weekend, along with a new challenge for people to contribute to the project.

Niels Provos, who developed Honeyd, explains that "Honeyd is a virtual honeypot running as a small daemon to create virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems." Honeyd takes over the unused IP addresses on a network (the companion arpd tool answers ARP requests for them) to build a virtual network of honeypots that helps detect probing and intrusion.

Honeyd listens for TCP, UDP, and some types of Internet Control Message Protocol (ICMP) traffic directed at your network's unused IP addresses, to which no one should be sending traffic in the first place. If you want to establish bogus services that interact with potential intruders, you can use Honeyd to do that as well. One of Honeyd's slick features is its ability to imitate the TCP/IP stack behavior of a given system type, so that OS-fingerprinting tools such as Xprobe and Nmap, which infer the exact OS (Windows, say, or a Cisco Systems router OS) from how a host answers crafted packets, report the personality you configured rather than the honeypot's real OS.
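A Honeyd configuration file that sets up the kind of virtual network just described, added here as an illustration rather than taken from the Honeyd distribution: two templates with different Nmap personalities, a Windows host that hands port 80 to an external service program and a router with a Telnet emulator, bound to otherwise unused addresses, plus a default template that ignores everything else. The IP addresses and script paths are assumptions; each personality string must match an entry in the nmap.prints fingerprint file shipped with Honeyd, and the version you run may accept different directives, so check its README.

```conf
# Template for every address Honeyd answers for that is not bound explicitly:
# drop everything, so the rest of the honeypot space stays quiet.
create default
set default default tcp action block
set default default udp action block

# A fake Windows NT server. The personality name selects the TCP/IP stack
# fingerprint Honeyd imitates (it must match an entry in nmap.prints).
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
set windows default tcp action reset
# Port 80 is handed to an external program; Honeyd connects the TCP stream
# to the program's stdin and stdout. (The script path is a placeholder.)
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows udp port 137 open

# A fake Cisco router with a Telnet emulator on port 23.
create router
set router personality "Cisco IOS 11.3 - 12.0(11)"
set router default tcp action reset
add router tcp port 23 "perl scripts/router-telnet.pl"

# Bind the templates to unused addresses on the monitored network
# (these addresses are assumptions for the example).
bind 192.168.1.200 windows
bind 192.168.1.201 router
```

Anything that connects to 192.168.1.200 or 192.168.1.201 is, by construction, traffic nobody should be sending, so every line Honeyd logs for those addresses is worth looking at.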

Along with the release of Honeyd 0.5, Provos has issued an invitation to contribute to the Honeyd project by developing useful feature additions and improvements. Potential contributors can work on developments such as additional service emulators, forensics tools for analyzing and visualizing Honeyd log files, and a GUI. You can read more about the challenge [http://www.citi.umich.edu/u/provos/honeyd/challenge.html] at the Honeyd Web site, hosted at the University of Michigan.

Other useful honeypot tools work in conjunction with Honeyd, or you can run them standalone. One such tool is HoneyWeb, [http://www.var-log.com/files] written by Kevin Timm. HoneyWeb is a new tool that emulates various Web server platforms, including Apache, Netscape, and Microsoft IIS. It deceives intruders by returning the HTTP headers and Web pages those platforms would produce.

For example, HoneyWeb looks at each incoming URL request, determines which platform the request is written for, and returns headers and Web pages that emulate that platform. As I interpret the somewhat sparse documentation, the tool can also track URL requests persistently. So if the same client makes a UNIX-style request and then, within a configurable time frame, a Microsoft-style request, HoneyWeb returns a 404 error rather than switching platforms, keeping the emulated Web server consistent. HoneyWeb can spoof other kinds of content as well: it can return a bogus directory listing for a given root path URL or a bogus rendition of an .htaccess file.
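To make that behavior concrete, here is an added example of a HoneyWeb-style emulator, written for this article and not taken from HoneyWeb's source: it classifies each request path by the platform a client appears to be probing for, pins the client to the first platform it was shown for a configurable window, and answers a probe aimed at a different platform with the pinned platform's own 404 page. The Server banners, probe-path patterns, window length, and listening port are assumptions made for the example.

```python
# Added example of a HoneyWeb-style emulator (not HoneyWeb's own code).
# Banners, probe-path patterns, window length and listening port are assumptions.
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

# Server banner and extra headers per emulated platform (illustrative values).
PLATFORMS = {
    "iis": ("Microsoft-IIS/5.0", {"X-Powered-By": "ASP.NET"}),
    "apache": ("Apache/1.3.27 (Unix)", {}),
    "netscape": ("Netscape-Enterprise/4.1", {}),
}

# Path patterns that reveal which platform a client thinks it is talking to.
HINTS = [
    (re.compile(r"^/(scripts|msadc|_vti_bin|iisadmin)/|\.(asp|ida|idq)(\?|$)", re.I), "iis"),
    (re.compile(r"^/(cgi-bin|manual|icons)/|^/~\w+|\.(cgi|php|pl)(\?|$)", re.I), "apache"),
    (re.compile(r"^/(ns-icons|publisher)/|\.(jsp|nsf)(\?|$)", re.I), "netscape"),
]

# Platform-flavored 404 bodies (approximations of the real servers' wording).
NOT_FOUND = {
    "iis": "<html><head><title>The page cannot be found</title></head><body>"
           "<h1>The page cannot be found</h1>HTTP 404 - File not found<br>"
           "Internet Information Services</body></html>",
    "apache": "<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>"
              "The requested URL {path} was not found on this server.<P><HR>"
              "<ADDRESS>Apache/1.3.27 Server at www Port 80</ADDRESS></BODY></HTML>",
    "netscape": "<TITLE>Not Found</TITLE><H1>Not Found</H1>"
                "The requested object does not exist on this server.",
}


def classify(path):
    """Platform a request path is aimed at, or None for a generic request."""
    for pattern, platform in HINTS:
        if pattern.search(path):
            return platform
    return None


class ClientTracker:
    """Pin each client to the platform it first probed for, for `window` seconds."""

    def __init__(self, window=600, default="apache"):
        self.window = window
        self.default = default
        self.seen = {}  # client address -> (platform shown, time of last request)

    def decide(self, client, path, now=None):
        """Return (platform, status) for one request without breaking character."""
        now = time.time() if now is None else now
        wanted = classify(path)
        pinned = self.seen.get(client)
        if pinned and now - pinned[1] <= self.window:
            platform = pinned[0]           # inside the window: stay what we were
        else:
            platform = wanted or self.default
        # A probe for another platform gets a 404; generic paths always succeed.
        status = 200 if wanted in (None, platform) else 404
        self.seen[client] = (platform, now)
        return platform, status


def render(platform, status, path):
    """Build (extra headers, body bytes) for the platform being played."""
    if status == 404:
        body = NOT_FOUND[platform].format(path=path)
    elif path == "/" and platform == "apache":
        body = ("<HTML><HEAD><TITLE>Index of /</TITLE></HEAD><BODY><H1>Index of /</H1>"
                "<PRE><A HREF=\"cgi-bin/\">cgi-bin/</A>\n<A HREF=\".htaccess\">.htaccess</A>"
                "\n</PRE></BODY></HTML>")   # bogus directory listing, as HoneyWeb does
    else:
        body = "<html><body><h1>Welcome</h1></body></html>"
    headers = {"Content-Type": "text/html", "Connection": "close", **PLATFORMS[platform][1]}
    return headers, body.encode()


class HoneyWebHandler(BaseHTTPRequestHandler):
    tracker = ClientTracker()   # shared by all connections, keyed by client IP

    def version_string(self):
        # BaseHTTPRequestHandler sends this as the Server: header.
        return getattr(self, "banner", PLATFORMS["apache"][0])

    def do_GET(self):
        platform, status = self.tracker.decide(self.client_address[0], self.path)
        self.banner = PLATFORMS[platform][0]
        headers, body = render(platform, status, self.path)
        self.log_message("%s -> %s %d", self.path, platform, status)  # probe log
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), HoneyWebHandler).serve_forever()  # port is assumed
```

Run it and fetch /cgi-bin/phf followed by /scripts/cmd.exe from the same host: the first request pins the client to Apache, so the second gets an Apache-flavored 404 and an Apache Server header even though the path is an IIS probe. After the window expires the client is re-evaluated from scratch. This listens on plain HTTP; as the article notes, SSL is added by putting Stunnel in front.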

Timm developed HoneyWeb in the Python programming language. To learn more about HoneyWeb, [http://www.var-log.com/files/HoneyWeb.txt] visit the Web site and also read the readme text in the program archive file. If you want to try HoneyWeb, you need to obtain a copy of Python [http://www.python.org] for your platform. HoneyWeb also supports Secure Sockets Layer (SSL) by using Stunnel as an add-on that wraps the plain HTTP listener in an SSL tunnel. You can obtain Stunnel at the Stunnel Web site. [http://www.stunnel.org]

If you don't use a honeypot on your network, why not consider installing one? Because no legitimate traffic should ever reach it, nearly everything it logs deserves a look, so it might pick up subtle forms of probing and identify attacks that your IDS might not be able to detect. Using a honeypot can increase your awareness of the types of attacks your network faces and help you keep your network more secure.
