honeyd使用

honeyd可以同时模仿上千个不同的计算机

官网

honeyd-1.5c.tar.gz：http://www.honeyd.org

依赖包

libevent-1.3a.tar.gz：http://libevent.org/

libdnet-1.11.tar.gz：http://libdnet.sourceforge.net/

libpcap：http://www.tcpdump.org/release/

arpd-0.2.tar.gz：http://www.citi.umich.edu/u/provos/honeyd/arpd-0.2.tar.gz

安装

出现如下错误：

# cd arpd
# make
gcc -DHAVE_CONFIG_H -I. -I. -I. -I/usr/local/include -I/usr/local/include -I/usr/local/include
-I/usr/local/include -c arpd.c
arpd.c: In function ‘arpd_send’:
arpd.c:268: error: expected ‘)’ before string constant
arpd.c: In function ‘arpd_lookup’:
arpd.c:285: error: expected ‘)’ before string constant
arpd.c:294: error: expected ‘)’ before string constant
arpd.c:297: error: expected ‘)’ before string constant
arpd.c: In function ‘arpd_recv_cb’:
arpd.c:426: error: expected ‘)’ before string constant
make: *** [arpd.o] Error 1

解决办法：

//在arpd.c文件中添加
#define __FUNCTION__ ""

出现如下错误：

# cd honeyd-1.5c
# ./configure
configure: error: need either libedit or libreadline; install one of them

解决办法：

# apt-get install libedit-dev

帮助

# honeyd -h
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
Usage: honeyd [OPTIONS] [net ...]

where options include:
  -d                     Do not daemonize, be verbose.
  -P                     Enable polling mode.
  -l logfile             Log packets and connections to logfile.
  -s logfile             Logs service status output to logfile.
  -i interface           Listen on interface.
  -p file                Read nmap-style fingerprints from file.
  -x file                Read xprobe-style fingerprints from file.
  -a assocfile           Read nmap-xprobe associations from file.
  -0 osfingerprints      Read pf-style OS fingerprints from file.
  -u uid                  Set the uid Honeyd should run as.
  -g gid                  Set the gid Honeyd should run as.
  -f configfile          Read configuration from file.
  -c host:port:name:pass Reports starts to collector.
  --webserver-address=address Address on which webserver listens.
  --webserver-port=port  Port on which webserver listens.
  --webserver-root=path  Root of document tree.
  --fix-webserver-permissions Change ownership and permissions.
  --rrdtool-path=path    Path to rrdtool.
  --disable-webserver    Disables internal webserver
  --disable-update       Disables checking for security fixes.
  --verify-config        Verify configuration file then exit.
  -V, --version          Print program version and exit.
  -h, --help             Print this message and exit.

For plugin development:
  --include-dir          Prints out header files directory and exits.
  --data-dir             Prints out data/plug-in directory and exits.

默认配置文件

# cat /etc/honeypot/honeyd.conf 

route entry 10.0.0.1
route 10.0.0.1 link 10.2.0.0/24
route 10.0.0.1 add net 10.3.0.0/16 10.3.0.1 latency 8ms bandwidth 10Mbps
route 10.3.0.1 link 10.3.0.0/24
route 10.3.0.1 add net 10.3.1.0/24 10.3.1.1 latency 7ms loss 0.5
route 10.3.1.1 link 10.3.1.0/24

# Example of a simple host template and its binding
create template
set template personality "Microsoft Windows XP Professional SP1"
set template uptime 1728650
set template maxfds 35
# For a complex IIS server
add template tcp port 80 "sh /usr/share/honeyd/scripts/win32/web.sh"
add template tcp port 22 "/usr/share/honeyd/scripts/test.sh $ipsrc $dport"
add template tcp port 23 proxy $ipsrc:23
add template udp port 53 proxy 141.211.92.141:53
set template default tcp action reset
# Use this if you are not running honeyd as 'honeyd' user:
# Debian-specific (use nobody = 65534 instead of 32767)
# set template uid 65534 gid 65534

create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create router
set router personality "Cisco 1601R router running IOS 12.1(5)"
set router default tcp action reset
add router tcp port 22 "/usr/share/honeyd/scripts/test.sh"
add router tcp port 23 "/usr/share/honeyd/scripts/router-telnet.pl"

bind 10.3.0.1 router
bind 10.3.1.1 router
bind 10.3.1.12 template
bind 10.3.1.11 template
bind 10.3.1.10 template
set 10.3.1.11 personality "Microsoft Windows NT 4.0 SP3"
set 10.3.1.10 personality "IBM AIX 4.2"

举例

编写一个telnet连接时，使用脚本应答

# vi test.sh
echo SSH-1.5-2.40
while read name
do
    echo "$name"
done

编写一个honeyd启动时，加载的配置

#vi config.sample

create linux    //创建模板名称
set linux personality "Linux 2.4.20"    //设置指纹名称
set linux default tcp action reset 

add linux tcp port 21 open      //打开21端口
add linux tcp port 23 "/home/scripts/test.sh"

bind 192.168.254.131 linux      //为虚拟主机绑定ip

启动arpd

虚拟出ip地址

# arpd 192.168.254.131
arpd[417]: listening on eth4: arp and (dst 192.168.254.131) and not ether src 00:0c:29:b9:5d:31

启动honeyd

# honeyd -d -f /usr/local/share/honeyd/config.sample 192.168.254.131
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[373]: started with -d -f /usr/local/share/honeyd/config.sample 192.168.254.131
honeyd[373]: listening promiscuously on eth4: (arp or ip proto 47 or (udp and src port 67 and
dst port 68) or (ip and (host 192.168.254.131))) and not ether src 00:0c:29:b9:5d:31
honeyd[373]: Demoting process privileges to uid 65534, gid 65534

启动telnet测试

# telnet 192.168.254.131
Trying 192.168.254.131...
Connected to 192.168.254.131.
Escape character is '^]'.
SSH-1.5-2.40
dir
dir

测试成功

honeyd[373]: listening promiscuously on eth4: (arp or ip proto 47 or (udp and src port 67 and
dst port 68) or (ip and (host 192.168.254.131))) and not ether src 00:0c:29:b9:5d:31
honeyd[373]: Demoting process privileges to uid 65534, gid 65534
honeyd[373]: Connection request: tcp (192.168.254.1:50408 - 192.168.254.131:23)
honeyd[373]: Connection established: tcp (192.168.254.1:50408 - 192.168.254.131:23) <->
/home/scripts/test.sh

其他命令

为蜜罐动态分配ip

set xxx ethernet "dell"
dhcp xxx on eth1

创建动态模版

dynamic xxx