Setting MAC address of honeyd template fails

0

I am trying to set the MAC address of one of my honeyd templates, but keep getting an error message that complains that there is no interface that can reach the IP address I want to bind to. This is what I have in my honeyd.conf file:

route entry 30.0.0.1
route 30.0.0.1 link 30.0.0.0/24

create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
set routerone default icmp action open
add routerone tcp port 23 "/etc/honeypot/scripts/telnet/faketelnet.pl"

create winxp
set winxp personality "Linux Kernel 2.4.20"
#set winxp personality "Microsoft Windows XP Professional SP1"
set winxp default tcp action reset
set winxp default udp action block
set winxp default icmp action open
add winxp tcp port 22 proxy 10.0.0.200:22
add winxp tcp port 23 "/etc/honeypot/scripts/telnet/faketelnet.pl"
add winxp tcp port 24 "sh /etc/honeypot/scripts/hello.sh"
set winxp ethernet "00:11:22:33:44:55"

bind 30.0.0.100 winxp
bind 30.0.0.1 routerone

When trying to run the honeyd daemon, I get the following error message:

$ honeyd -d -i ens160:1 -f honeyd.conf 30.0.0.0/24
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[4093]: started with -d -i ens160:1 -f honeyd.conf 30.0.0.0/24
honeyd[4093]: listening promiscuously on ens160:1: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (net 30.0.0.0/24))) and not ether src 00:0c:29:40:e7:6a
honeyd[4093]: Demoting process privileges to uid 65534, gid 65534

It works fine when I'm not setting the ethernet address and I can ping it. So, obviously there is an interface that can reach 30.0.0.100. I saw some configurations that are setting a fixed ethernet address in combination with dhcp, but I need to bind to a static IP address.

Any ideas?

arne.z

Posted 2017-01-25T15:38:27.420

Reputation: 113

I don't know that product but what isn't actually working? Just by reading that configuration it looks like you are assigning the winxp entity the IP 30.0.0.100? – Seth – 2017-01-26T09:29:44.797

Answers

0

Okay, so I finally made it work and it turned out I misunderstood the function of the MAC address. I thought it was meant to spoof an arbitrary MAC address but it seems that it is actually used to specify which interface honeyd sends its output to. I had the problem that honeyd sent its response through a different interface than the one the request came from. So I configured honeyd to send the response of the winxp template to the interface I want.

Here is the configuration that worked for me:

I'm running honeyd on the br192 interface.

$ ifconfig br192
br192     Link encap:Ethernet  HWaddr 00:0c:29:16:3c:80  
          inet addr:0.1.2.3  Bcast:255.255.255.255  Mask:0.0.0.0
          inet6 addr: fe80::20c:29ff:fe16:3c80/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:103730 errors:0 dropped:0 overruns:0 frame:0
          TX packets:771 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:21835405 (21.8 MB)  TX bytes:72694 (72.6 KB)

My honeyd.conf file:

create winxp
set winxp personality "Microsoft Windows XP Professional SP1"
set winxp default tcp action reset
set winxp default udp action reset
set winxp default icmp action open
set winxp ethernet "00:0c:29:16:3c:80"

bind 10.0.0.200 winxp

Starting honeyd:

$ sudo honeyd -d -i br192 -f /etc/honeypot/honeyd.conf 10.0.0.200/31
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[5524]: started with -d -i br192 -f /etc/honeypot/honeyd.conf 10.0.0.200/31
honeyd[5524]: listening promiscuously on br192: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (net 10.0.0.200/31))) and not ether src 00:0c:29:16:3c:80
honeyd[5524]: Demoting process privileges to uid 65534, gid 65534

arne.z

Posted 2017-01-25T15:38:27.420

Reputation: 113
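The comparison the answer arrives at, checking each template's `set ... ethernet` value against the hardware address of the interface honeyd listens on and each bound address against the network given on the command line, as an added example that is not part of the original post. The function names and the sample config (assembled from lines quoted above, with the MAC upper-cased to exercise normalisation) are constructed for illustration.

```python
import ipaddress
import re
import shlex

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample, assembled from config lines quoted in the question and answer.
SAMPLE_CONF = """
create routerone
create winxp
#set winxp ethernet "00:11:22:33:44:55"
set winxp ethernet "00:0C:29:16:3C:80"
bind 10.0.0.200 winxp
bind 30.0.0.1 routerone
"""

def parse_honeyd_conf(text):
    """Return {template: {"ethernet": value or None, "binds": [ip, ...]}}."""
    templates = {}
    def tpl(name):
        return templates.setdefault(name, {"ethernet": None, "binds": []})
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # drops '#' comments, unquotes strings
        if len(tok) == 2 and tok[0] == "create":
            tpl(tok[1])
        elif len(tok) == 4 and tok[0] == "set" and tok[2] == "ethernet":
            tpl(tok[1])["ethernet"] = tok[3].lower()
        elif len(tok) == 3 and tok[0] == "bind":
            tpl(tok[2])["binds"].append(tok[1])
    return templates

def check(conf_text, iface_mac, network):
    """List templates whose MAC differs from iface_mac or whose IP is outside network."""
    net = ipaddress.ip_network(network, strict=False)
    iface_mac = iface_mac.lower()
    findings = []
    for name, t in parse_honeyd_conf(conf_text).items():
        mac = t["ethernet"]
        # Only literal MAC addresses are compared; any other value is skipped.
        if mac and MAC_RE.match(mac) and mac != iface_mac:
            findings.append(f"{name}: ethernet {mac} != interface {iface_mac}")
        for ip in t["binds"]:
            if ipaddress.ip_address(ip) not in net:
                findings.append(f"{name}: {ip} is outside {net}")
    return findings

if __name__ == "__main__":
    # Interface MAC and network taken from the answer's ifconfig output and command line.
    for finding in check(SAMPLE_CONF, "00:0c:29:16:3c:80", "10.0.0.200/31"):
        print(finding)
```
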