
I have a spare computer lying around at my house, so I decided to turn it into a honeypot. So far, I have installed Windows XP (no service pack) on it and have set up rules on my router to forward (some) ports to the honeypot. Since my router doesn't support DMZ, I have to manually create rules. Currently, I forward TCP ports 80, 100-140 and 1000-1500 (I chose those values pretty much randomly). On the honeypot, I use Wireshark to monitor the network traffic.

However, the honeypot doesn't seem to get infected. I only receive very little traffic from the outside.

What am I doing wrong? Do I have to forward other ports? Do I have to somehow advertise my presence on the internet?

Thanks for any input!

P.S.: I do know about the dangers of running a honeypot inside of a home network.

ryyst

  • You might want to consider running the honeypot as a virtual machine on top of a system set up for good security. It will save you a lot of pain later. And you might want to consider generating some traffic in the box. – symcbean Dec 28 '11 at 11:13
  • @symcbean: What do you suggest to generate traffic? – ryyst Dec 28 '11 at 11:46
  • @ryyst Put a link to the IP somewhere (http://yourip). They will pick up on it, believe me. I never ever advertised FTP on my server and I get nowhere near the Alexa top 100,000 sites, but attacks are almost daily on port 21. A domain with MX records helps too. – Luc Oct 11 '12 at 21:51

3 Answers


If you just want to get your honeypot machine compromised and part of a botnet, you will need to be running vulnerable services on the machine. The vulnerable services you choose will have to match the ports that you have forwarded to the honeypot machine and will also have to match the services that worms are actively trying to exploit.

For a Windows XP machine, forwarding ports 137, 138, 139 and 445 should get you plenty of attack traffic. These ports are for NetBIOS and Samba and they all receive a constant stream of traffic from the internet.

Forwarding port 80 will only be useful if you are running a web server on the honeypot machine. You can go in two directions with a web server; either run an old version of the HTTP daemon itself that has known vulnerabilities or run a current version and then run a vulnerable web application such as an older version of Wordpress or phpMyAdmin on it.

You can just try running services and hoping that they are vulnerable and that worms are trying to exploit them but it might be more effective to look up the services that specific worms target and run those.

The other direction to solve this problem from is to enable logging on your ingress point and see what traffic is hitting you. I suspect you will see a lot of traffic on the ports I mentioned above but you will probably see traffic on other ports as well. Find out what the ports are used for and run that service on your machine.

There are a few things I would add to this regarding honeypots:

The purpose of a honeypot is to study what the attacker or worm does once it compromises a host. You will want to set up extensive monitoring and logging on the box itself so that you actually gain some useful information out of the exercise. It's also important that you know when you have been compromised. Most honeypots are run inside virtual machines in order to give you an easy way to compare the current state of the machine to a known good copy. It is not adequate to do this from within the honeypot because rootkits can modify the very tools you are using to do the comparison.

You will want to be monitoring all traffic to and from the honeypot machine. By this, I mean full packet captures. The normal way to do this is with a spanning port on your switch but it can probably be done in the hypervisor of the VM if your switch doesn't have that capability. You would normally not do it within the honeypot.

You said that you are aware of the dangers of running your honeypot inside your home network. I presume that means you're also aware of the precautions you will have to take before putting it online. Specifically, configuring your network and firewall so that the honeypot machine can't contact any of the rest of your local network. It's also good practice to be careful about which outbound connections you allow it to initiate to the internet. The first thing it will often try to do is to download a rootkit and the worker programs which you are probably interested in, however the next thing is often to start attacking more targets, and this is not something you would normally want to allow.

There also exist specific tools for creating honeypots. These tools include entire hypervisor and VM stacks that enable all the things I have mentioned above. On the same site you can find tools for logging, monitoring and analysing and also a load of information on how to run a honeypot and who you're likely to see attacking it.

Ladadadada

  • Using Wireshark, I pretty much only see `SSDP` and `IGMP` traffic. I have checked that the ports are forwarded correctly by trying to access the honeypot through a proxy (I only have one network available), which worked. Is Wireshark just not seeing everything or am I doing something wrong? – ryyst Dec 28 '11 at 11:52
  • Did Wireshark see the traffic when you were testing that the ports were forwarded correctly? – Ladadadada Dec 28 '11 at 12:03
  • Yes, it detected the TCP connection and displayed the IP of the proxy. – ryyst Dec 28 '11 at 12:15
  • @ryyst: Some ISPs may filter traffic so that ports 137-139 (and others) can't even reach you. I'd suggest running a "noisy" port scan on the ports you want to reach from a host on another network. Watch your logs when you run the scan -- if you don't see your scan, then the packets are probably getting filtered by your ISP. (Don't run a "stealth" scan -- these packets won't show up in your logs by design.) – bstpierre Dec 28 '11 at 12:47
  • @bstpierre: I ran the port scan. The traffic reaches the honeypot through all forwarded ports. I also downloaded multiple virus-infected programs, but they either don't generate traffic, or the traffic doesn't show up in Wireshark. – ryyst Dec 28 '11 at 17:27
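Added example, not code from this thread or from any tool mentioned in it: it applies the answer's advice to log at the ingress point and see which ports are hit (and bstpierre's check that your own scan packets actually appear in those logs), together with the point that the honeypot must never reach the rest of the LAN. It parses constructed iptables-style LOG lines, tallies internet probes that the question's forwarding rules (TCP 80, 100-140, 1000-1500) would drop, and separates connections the honeypot itself initiates into LAN targets (isolation failure) and internet targets (to review); the honeypot and LAN addresses are assumptions.

```python
# Added example, not code from the thread: summarise firewall LOG lines for a honeypot
# (probed-but-unforwarded ports, and connections the honeypot itself starts). Lines are
# constructed in Linux iptables LOG format; the honeypot and LAN addresses are assumed.
import ipaddress
import re
from collections import Counter

HONEYPOT = ipaddress.ip_address("192.168.1.50")   # assumed honeypot LAN address
LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed home LAN
FORWARDED = [(80, 80), (100, 140), (1000, 1500)]  # TCP ranges the question forwards

# Constructed sample: three inbound probes, then two connections the honeypot starts.
SAMPLE_LOG = """\
kernel: FW IN=ppp0 OUT= SRC=203.0.113.5 DST=192.168.1.50 PROTO=TCP SPT=51234 DPT=445 SYN
kernel: FW IN=ppp0 OUT= SRC=198.51.100.9 DST=192.168.1.50 PROTO=TCP SPT=40002 DPT=80 SYN
kernel: FW IN=ppp0 OUT= SRC=198.51.100.9 DST=192.168.1.50 PROTO=UDP SPT=137 DPT=137
kernel: FW IN=eth1 OUT= SRC=192.168.1.50 DST=192.168.1.20 PROTO=TCP SPT=1044 DPT=445 SYN
kernel: FW IN=eth1 OUT=ppp0 SRC=192.168.1.50 DST=203.0.113.200 PROTO=TCP SPT=1045 DPT=445 SYN
"""
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(TCP|UDP) SPT=\d+ DPT=(\d+)")

def parse(log_text):
    """Yield (src, dst, proto, dport) for every line that matches the LOG format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, dst, proto, dpt = m.groups()
            yield ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dpt)

def is_forwarded(proto, port, ranges=FORWARDED):
    """The question only forwards TCP, so any UDP probe never reaches the honeypot."""
    return proto == "TCP" and any(lo <= port <= hi for lo, hi in ranges)

def unforwarded_probes(log_text):
    """Inbound probes from the internet that the router would drop, most frequent first."""
    missed = Counter()
    for src, dst, proto, port in parse(log_text):
        if dst == HONEYPOT and src not in LAN and not is_forwarded(proto, port):
            missed[(proto, port)] += 1
    return missed.most_common()

def honeypot_egress(log_text):
    """Connections the honeypot started: LAN targets mean isolation failed; internet targets need review."""
    lan_hits, internet_hits = [], []
    for src, dst, proto, port in parse(log_text):
        if src == HONEYPOT:
            (lan_hits if dst in LAN else internet_hits).append((str(dst), proto, port))
    return lan_hits, internet_hits

if __name__ == "__main__":
    print(unforwarded_probes(SAMPLE_LOG), honeypot_egress(SAMPLE_LOG))
```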

What you created is a high-interaction honeypot, i.e. a live system waiting to be compromised and later analysed by a forensics investigator (that being you, of course). I would start with a Linux-based, low-interaction honeypot. It creates a virtual filesystem and fake services that can make attackers (or their automated tools) believe this is a "real" system, while you'll just run a honeypot service. A very easy tool to set up and catch probes with is Kippo, an SSH honeypot. I have been developing a visualization tool for it as well that might be of interest to you (and of course you'll get a nice presentation of your data). Another well-known low-interaction honeypot is honeyd, but it's a bit more difficult to set up, depending on what you intend to do, of course (honeyd can simulate an entire network architecture with routers, servers, workstations, etc.).

Ion

While most of those answers are correct, I feel like they are missing some bits of info.

First I'd like to clarify that it depends on the type of honeypot you are installing; that decides whether you want to install extensive monitoring or not. With a low-interaction honeypot, you don't want to do any extensive configuration in general, but you do if you are using a high-interaction or physical honeypot with its own IP, which is mostly used in the research category.

This means that whatever you designate as a honeypot, it is your expectation and goal to have the system probed, attacked, and potentially exploited. Honeybot works by opening over 1000 UDP and TCP listening sockets on your computer, and these sockets are designed to mimic vulnerable services. Also, it's a detection and response tool rather than a prevention tool, for which it has little value.

Depending on the software you are using, most of them come with email and notification alerts, like honeyd, mantrap and honeynets, which are all better deployed over firewalls.

One more thing to keep in mind: honeypots are worthless if they are not attacked. If you, as mentioned, will or want to capture full packets, this means you are also giving a skilled attacker the opportunity to hijack your honeypot. And if an attacker manages to compromise one of your honeypots, he could try to attack other systems that are not under your control. These systems can be located anywhere on the Internet, and the attacker could use your honeypot as a stepping stone to attack sensitive systems.

amrx