
60-475 Security and Privacy on the Internet

Dr. A.K. Aggarwal


KFSensor Vs Honeyd
Honeypot System
Sunil Gurung
Thursday, November 25, 2004
Table of Contents
1. Introduction
2. Honeypot Technology
2.1 Attackers
2.2 Honeypot
3. KFSensor
4. Honeyd
4.1 Product detail
4.2 Installation
4.3 Some major differences between KFSensor
4.4 How does honeyd work
4.5 Running honeyd
4.6 Testing honeyd
5. Conclusion
6. References
APPENDIX A
1. Introduction
It is said that a good defense is a good offense. Over the past few years, computer security scholars and the community took this idea into consideration and developed the concept of the honeypot. Traditionally, the idea was more focused on the defensive side, and powerful technologies and tools like firewalls and Intrusion Detection Systems (IDS) were developed to defend the network from intruders. Today, they are more concerned with studying the types of attacks, the various tools used for attacking, and the new kinds of viruses and other security threats, so that they can defend their systems more securely. The idea behind the honeypot is to create a virtual or, in some scenarios, a real system and make the system visible to the attackers so that it can be compromised and probed. The system will keep track of the activities, and later the logged information is analyzed to make sure the production services and network are secured against new threats.
Lance Spitzner defines honeypot technology as:
A honeypot is security resource whose value lies in being probed, attacked, or
compromised.
1
Today, there are many commercial honeypot systems available, e.g. Specter, KFSensor and Honeynet, and there has also been a lot of development in the open source area. This paper will look in more detail at honeypot technology and the types of honeypot, and the second half of the paper will look at the commercial product KFSensor and the open source software honeyd. I will discuss the similarities and differences between these software packages and will detail the features of honeyd.
1 Spitzner, Lance "Honeypots: Tracking Hackers", (Addison Wesley 2002) p.23

2. Honeypot Technology
2.1 Attackers
The main objective of the honeypot is to lure the bad guys or attackers. So this section discusses the types of attackers and their motives. There are mainly two types of attackers:
Script Kiddies
They are more like amateurs; they don't care about the type of host or network they are compromising. They want to get into a system for fun, or to prove that they are successful in hacking into some system, or to try to expose the inadequacy of the security policy in place in an organization. For some, their main goal is to hack computers with less effort, using already existing scripts or scripts with minor changes. They are more interested in hacking a larger number of computers.
Blackhat
These are more knowledgeable and more experienced with the internal workings of various communication systems and the internet, and they focus on systems of high value. They are mostly financially driven and affect the corporate and national level. They are more dangerous because of their skill level and because they operate silently.
As personal home computer users, we have a misapprehension that we are not vulnerable to attacks, but we are wrong. "In the beginning of 2002, a home network was scanned on average by 31 systems a day." Today everyone is a target of attackers, as they are exploiting various means to get into personal computers to get information like personal data and credit card information and, at a higher level, the data and system resources of any business.
2.2 Honeypot
The main value of a honeypot lies in being attacked, so that the administrator can study the attackers and the kinds of attacks. Therefore we could say that the honeypot is a tool to study the current world of security, the various threats and means. The honeypot alone can't solve or improve the security of the network. It has to work along with the existing defensive mechanisms to make the fort stronger.
From the introduction, we know that the main objective of the honeypot is to collect information. The administrator might use a honeypot for two reasons: production or research purposes. The production honeypot will measure the existing network's vulnerability to outside threats. As research, they want to study the attackers so that they can be better equipped for future attacks. So why is there so much talk about the honeypot? The answer to this is: we have to know who our enemy is. It follows the saying again that the best defense for our security is to have the best offense. The more one is aware of the current issues that are going around, the more experienced one gets. The other aspect of the honeypot is that we don't have to go around hackers' computers to look for the information; it's very passive. It's like a bee hive: we set up a pot full of honey or sugar, then the bees will come looking for it. Similarly, we set up a system somewhere on a network, and wait for hackers to come and compromise our system.
2.3 Types of Honeypot
Depending upon the need of the organization and the amount of information they want to gather from the system, a company can implement a honeypot in two forms: Low Interaction and High Interaction Honeypot
1) Low Interaction Honeypot System
As the name indicates, we give the outsider as few activities as possible to perform on the system. They have a limited amount of access to and interaction with the virtual services and operating system. It is very simple to implement by installing an off-the-shelf product like Specter or KFSensor or by implementing the open source product honeyd. It is less risky, as hackers won't have access to the main OS and only play around with the emulated services.
For e.g.
We set up an emulated FTP service to run on port 21 and keep the system open on the network. The hackers will try to log into it. The system will record all the activities between the two parties. We could set up our honeypot to accept some commands to make the attack seem real.
The disadvantage of low interaction is that we are limited in the amount of information we can capture, mostly the logging information and a little more after that, and we can only keep track of activities that already exist. The existence of a low interaction honeypot is detected by experienced hackers.
2) High Interaction Honeypot System
The main objective of this system is to do a full study of the attackers, so instead of providing an emulated service, a real system is provided to probe. We give the hackers real interaction with the service and the operating system. We can collect more information and we can find new information on various tools and viruses.
"An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol (specifically IP protocol 11, Network Voice Protocol)." 2
Examples of high interaction honeypot systems are: Symantec Decoy Server and Honeynet.
2 Spitzner, Lance "Honeypots Definitions and Value of Honeypots", http://www.tracking-hackers.com/papers/honeypots.html
3. KFSensor
KFSensor serves both as a honeypot and an intrusion detection system. It is Windows based software with a graphical user interface monitoring system. KFSensor is a low interaction honeypot which emulates preconfigured services and also programmable services. The software keeps track of all the communication between the server and the outside party. The detailed features and installation procedure for this software are explained in my first paper, "KFSensor Honeypot and Intrusion Detection System". Please refer to that paper for a detailed explanation. In this paper I will present some features, functionalities and tests for comparison.
The main component of KFSensor is the KFSensor server, which listens to all the configured services on both the TCP and UDP ports. The main point of contact for the attacker is the server, and it runs as a UNIX daemon. The monitor has a GUI part that displays all the activities and all the
Configuring KFSensor is very easy, as it has a GUI and a simple wizard to help in the process. The most important part is configuring the scenarios. Scenarios consist of a list of currently running services on various ports, known as "Listens". Each listen in a scenario can be edited, and a new one can be added.
The basic setup is providing the port number, the protocol used, the binding IP address and the action to take if activity is detected on the listening port; rules can also be set.
The other important setup is the Sim Server, which stands for simulated server. With this, KFSensor can simulate popular web, FTP and SSH servers. We could choose from the preconfigured servers like Apache, IIS or some other FTP server, or we could make one using banners. The software can also be configured to take care of DOS attacks, all the logged data can be imported in different formats, and the logged files can be saved directly into a database.
Some of the other features are:
1) The GUI and easy wizard make it simple and it's really flexible. Can handle simple echo to other servers.
2) We can customize multiple scenarios based on our test.
3) Can listen to both TCP and UDP ports.
4) Use of banners for programmable servers.
5) HTTP and SMTP
6) The events, alerts and database compatibility.
4. Honeyd
Honeyd is a low interaction, freely available, open source, prepackaged virtual honeypot solution. The software was developed by Niels Provos of the University of Michigan. Since it is open source, the program is constantly developing and evolving with new features and functionalities from contributors from all around. The source code is available for download and can be customized to one's requirements, such as designing one's own emulated services. The low interaction classification of honeyd means it will only allow emulating the services and doesn't allow the attacker to interact with the operating system of the honeypot. Similar to KFSensor, the services can be run on any TCP port. The main objective of both software packages is to lure the attacker, deceive them and also capture their activity.
Honeyd is a daemon application which enables the setup of multiple virtual honeypots on a single machine. The most important difference from KFSensor is the personality feature. This feature or configuration allows configuring each production honeypot with the personality of an OS IP stack, and it binds a script to the emulated port to simulate the service. Honeyd also allows emulating complex network architectures and their characteristics.
4.1 Product Detail
Software: honeyd
Version: honeyd 0.8
License: open source
Download site: http://honeyd.org
OS: Windows, Linux, Unix - Solaris
4.2 Installation
There are other libraries and packages that need to be downloaded:
1) ARPD
Download arpd-0.1.tar.gz
http://www.citi.umich.edu/u/provos/honeyd/arpd-0.1.tar.gz
2) Library Dependencies
- libevent-0.8a.tar.gz
- libpcap-0.8.3.tar.gz
Basic Installation:
One has to log in as the root user. Create a folder called /honeyd_packages
Extract and install libevent and libpcap
Extract the libevent package:
# tar -zvxf libevent-0.8a.tar.gz
Compile libevent:
# cd libevent-0.8a (Note: pwd is /honeyd_packages/libevent-0.8a)
# ./configure
# make
# make install
Similarly we can extract the other files, and the system is ready for testing. Before that I will explain how honeyd works.
4.3 Some major differences between KFSensor
Honeyd was originally designed for Unix systems, but today honeyd is capable of running on most Linux distributions and recently it was ported to the Windows environment too. KFSensor is only designed for Windows. Honeyd is primarily designed as a production low level honeypot, so to give the attacker the illusion of a real system it has added more powerful features than KFSensor. The software is very flexible and robust.
- One of the main differences between honeyd and KFSensor is that KFSensor uses the computer's IP as the main KFSensor server. So when the host is probed, the IP the attacker gets is that of the real system running the server. On the other hand, honeyd uses one of the unused IPs in the network and basically creates a virtual host with the honeypot running. In the past few years, honeyd has been tested using almost 60,000 IPs at one time. Basically, honeyd monitors a large number of hosts and networks that don't even exist. 3
- Honeyd can only listen to TCP ports, as compared to KFSensor, which listens to both TCP and UDP ports.
- One of the main features of honeyd is that it emulates various operating systems. Currently honeyd is capable of emulating almost 437 different OSes, routers and switches. The detail of this design is described in the sections below. Honeyd makes use of Nmap fingerprinting for this process. In other words, it also emulates the IP stack, so that when utilities like nmap are used to scan the host, honeyd will respond as the configured OS. KFSensor is not capable of this emulation and is limited to only creating various services.
- Since the software is open source, most of the scholars in the community contribute to the development, making the software better with emulated services. As the software evolves in years to come, honeyd's ability to detect and capture attacks will grow exponentially.
- It's free of charge, while KFSensor costs some money.
3 Spitzner, Lance "Honeypots: Tracking Hackers", (Addison Wesley 2002) p.77
4.4 How does Honeyd work

As with most low interaction honeypots, when a connection is made on one of the TCP ports the interaction with the service is captured. Honeyd makes use of the unused IP addresses on the network. The main components of honeyd are:
I. Configuration file
The configuration file is where we define the personality of the OS or the router and define the various TCP ports where we define the virtual services. As said before, in one config file we can configure any number of OSes and routers with different services.
Below is an example of the configuration file.
# Example of a simple host template and its binding
annotate "AIX 4.0 - 4.2" fragment old
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
add template tcp port 22 open
add template tcp port 23 open
set template default tcp action reset
bind 192.168.1.80 template
At the top level we have to create a system, either an OS or a router. So we start with the create command followed by the name of the system. In the example above we have the system named template. It is followed by a set of "set" and "add" commands to add the various services. After the system is named we have to set what kind of personality the system has; here it is set to AIX 4.0 - 4.2. It is important that the system fingerprinting should map to that of the details in nmap.print. This is the main configuration that fools nmap when the honeypot is scanned using the nmap utility. A series of tcp port connections is added after the personality is created. Above we have opened ports 80, 22, 23. As with a regular tcp connection, we could open, close or reset the port.
Finally we bind the name of the system, that is template, to an IP address that is not used by a real system in the network.
II. The nmap fingerprinting files nmap.print and xprobe2
Honeyd uses nmap fingerprinting files to create the network stack behavior of a virtual honeypot. The fingerprints are similar to the one below:
Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
The file data above gives the detailed initial connection procedure of a particular system. The values are used for the initial three way handshake when making the connection. The details of the implementation of the fingerprinting can be found in the abstract by Niels Provos at http://niels.xtdnet.nl/papers/honeyd-eabstract.pdf.
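Because a personality only takes effect when its name matches a "Fingerprint" entry in the fingerprint file, a configuration can be checked before honeyd is started. The following is an added example, not part of the original paper or of honeyd; the sample inputs are constructed from the snippets above, and the second host (decoy2, scripts/ftp.sh, 192.168.1.81) is hypothetical and deliberately broken.

```python
import ipaddress
import shlex

# Constructed inputs modelled on this page's examples. The fingerprint file is
# reduced to its name lines; the "decoy2" host is hypothetical and faulty.
SAMPLE_PRINTS = """\
Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)

Fingerprint AIX 4.0 - 4.2
"""

SAMPLE_CONFIG = """\
# Example of a simple host template and its binding
create template
set template personality "AIX 4.0 - 4.2"
add template tcp port 80 open
add template tcp port 21 "sh scripts/ftp.sh"
set template default tcp action reset
bind 192.168.1.80 template

create decoy2
set decoy2 personality "IRIX 6.5.15 on SGI O2"
add decoy2 tcp port 70000 open
bind 192.168.1.81 decoy
"""


def load_personalities(prints_text):
    """Collect the names that follow the 'Fingerprint' token."""
    return {line[len("Fingerprint "):].strip()
            for line in prints_text.splitlines()
            if line.startswith("Fingerprint ")}


def lint_config(config_text, personalities):
    """Return (line_number, message) pairs for inconsistencies found."""
    templates, problems = set(), []
    for no, raw in enumerate(config_text.splitlines(), 1):
        try:
            tok = shlex.split(raw, comments=True)  # honours quotes and '#'
        except ValueError as exc:
            problems.append((no, f"unparsable line: {exc}"))
            continue
        if len(tok) < 2:
            continue
        cmd = tok[0]
        if cmd == "create":
            templates.add(tok[1])
        elif cmd in ("set", "add"):
            if tok[1] not in templates:
                problems.append((no, f"template '{tok[1]}' was never created"))
            elif tok[2:3] == ["personality"]:
                name = " ".join(tok[3:])
                if name not in personalities:
                    problems.append((no, f"personality '{name}' has no fingerprint"))
            elif tok[3:4] == ["port"]:
                port = tok[4] if len(tok) > 4 else ""
                if not (port.isdigit() and 0 < int(port) < 65536):
                    problems.append((no, f"bad port in: {raw.strip()}"))
        elif cmd == "bind":
            try:
                ipaddress.ip_address(tok[1])
            except ValueError:
                problems.append((no, f"bad IP address '{tok[1]}'"))
            if len(tok) < 3 or tok[2] not in templates:
                problems.append((no, f"bind to unknown template '{tok[-1]}'"))
    return problems


if __name__ == "__main__":
    for no, msg in lint_config(SAMPLE_CONFIG, load_personalities(SAMPLE_PRINTS)):
        print(f"line {no}: {msg}")
```

A misspelled personality is the case worth catching, because the name then matches no fingerprint and a scanner would not see the intended OS.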
III. Scripts for running the services.
To run a service, one has to program a perl script to simulate ftp or other services. The package comes with 5 - 6 different kinds of scripts, and others can be downloaded from the site for free, as it's open source.
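The emulated FTP service described in section 2.3 and the service scripts described here can be sketched as follows. This is an added example written in Python rather than perl, not one of the scripts shipped with honeyd; it assumes the honeypot attaches the client connection to the script's standard input and output, and the banner, reply texts and log format are constructed.

```python
import sys
import time

MAX_ARG = 128  # cap on what is logged per command (constructed limit)


def printable(text):
    """Escape control bytes so client input cannot forge or corrupt log lines."""
    return text[:MAX_ARG].encode("unicode_escape").decode("ascii")


class FtpDecoy:
    """Emulated FTP control channel: every login fails, every command is logged."""

    def __init__(self):
        self.user = None
        self.events = []  # (timestamp, verb, argument) for later analysis

    def handle(self, line):
        """Return (reply, keep_open) for one line received from the client."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        self.events.append((time.time(), printable(verb), printable(arg)))
        if verb == "USER":
            self.user = arg
            return "331 Password required.", True
        if verb == "PASS":
            if self.user is None:
                return "503 Login with USER first.", True
            self.user = None  # the attempted credentials are already recorded
            return "530 Login incorrect.", True
        if verb == "SYST":
            return "215 UNIX Type: L8", True
        if verb == "QUIT":
            return "221 Goodbye.", False
        # No file system is exposed: everything else needs a login that never succeeds.
        return "530 Please login with USER and PASS.", True


def serve(stdin=sys.stdin, stdout=sys.stdout, log=sys.stderr):
    """Run one session; returns the recorded events."""
    decoy = FtpDecoy()
    stdout.write("220 FTP server ready.\r\n")
    stdout.flush()
    for line in stdin:
        reply, keep_open = decoy.handle(line)
        stdout.write(reply + "\r\n")
        stdout.flush()
        ts, verb, arg = decoy.events[-1]
        log.write("%.0f ftp %s %s\n" % (ts, verb, arg))
        if not keep_open:
            break
    return decoy.events


if __name__ == "__main__":
    serve()
```

Escaping the logged arguments matters because everything the client sends ends up in files an analyst later reads or parses.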
4.5 Running Honeyd
Honeyd is assigned an IP address that is not used by any system on the network. Therefore attackers are probing a system that doesn't exist, and it is assumed that the traffic is usually hostile, most likely a scan or an attack. The main concern now is how we redirect the traffic to a system that doesn't even exist. We can't configure honeyd to do that, but we have to get the traffic to honeyd. There are various ways one can implement that.
For the test purposes I used ARP spoofing, but one can also configure the router to have a static route where the IP of the host running honeyd should point to the IP of a virtual honeypot.
Arpd is software developed by Dug Song. What it does is find the non-existing systems on the network and forward any connection to them to the honeypot; this principle is called ARP spoofing. Another way to forward the traffic is using ARP proxy.
4.6 Testing with honeyd
Tests for the FTP and HTTP servers were conducted and compared with KFSensor.
The honeypot was set up with a configuration that opened port 21 and ran the FTP script downloaded from the internet.
Honeyd was run on a Linux Fedora box, since we didn't have to use any router configuration for traffic forwarding. The arpd utility fulfilled that purpose. The router used was a DLINK - 4 ports for DSL/Cable. The IP subnet is 192.168.0.0/24
The IP address of the host is 192.168.1.122 and the IP address of the virtual honeypot is 192.168.0.121.
First the arpd utility was run to forward all traffic for the non-existing IP, that is 192.168.0.121, to the honeypot, using the following command:
Then the honeypot was run as a daemon
The options for the honeyd command can be found in Appendix A
1) Running FTP in honeyd result.
We can see that we initiated a connection to the honeypot system 192.168.0.121 and the server responded with some responses.
The same test performed in KFSensor:
FTP emulation
Aim: To interact with the FTP simulator and to see whether the KFSensor server responds with correct information.
Description: Using telnet, we will try to establish the connection through port 21 and perform some functions on the decoy ftp server, IP 137.207.238.113.
Test Condition:
The screenshot explains the test condition.
Results:
Conclusion: The event was generated as the connection was closed. The FTP listener keeps track of the visitor information, port number, and domain. It also keeps track of the username and password used to gain access and the various transactions made during the connection period.
3) HTTP connection:
The server responded with the index page, which had the text: This Site is under construction.
From this testing I found out that both had good results in providing the services with the right result. KFSensor was better because it had a user friendly GUI. The results were easy to read and translate. On the other hand, honeyd was very hard to configure and there are very limited services available at present.
The most significant feature of honeyd, which I was not able to test due to the lack of resources, was creating a virtual network. I have presented here the configuration file and the test conducted by the author of honeyd. The sample examples here are taken from his abstract.
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24
create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"
create netbsd
set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
set netbsd default tcp action reset
add netbsd tcp port 22 proxy $ipsrc:22
add netbsd tcp port 80 "sh scripts/web.sh"
bind 10.0.0.1 routerone
bind 10.1.0.2 netbsd
The configuration above presents the routing topology and defines two personalities, routerone and netbsd.
The result from the traceroute:
$ traceroute -n 10.3.0.10
traceroute to 10.3.0.10 (10.3.0.10), 64 hops max
 1 10.0.0.1 0.456 ms 0.193 ms 0.93 ms
 2 10.2.0.1 46.799 ms 45.541 ms 51.401 ms
 3 10.3.0.1 68.293 ms 69.848 ms 69.878 ms
 4 10.3.0.10 79.876 ms 79.798 ms 79.926 ms

This feature makes honeyd more powerful than KFSensor, as it can create a virtual network topography.
5. Conclusion
From all the observations and testing, honeyd is indeed a good honeypot solution, as it provides OS mimicry, which KFSensor doesn't, and also the virtual network topography. On the other hand, it's very hard to configure, while the KFSensor GUI makes it easier to understand and faster to implement.
6. References
1. Lance Spitzner, "Honeypots: Tracking Hackers", (Addison Wesley 2002)
2. http://www.keyfocus.net/kfsensor/
- User manual
- Website
3. The Norton antivirus software website - http://www.symantec.com/index.htm
4. http://www.honeyd.org/
5. Provos Niels, "Honeyd: A Virtual Honeypot Daemon", University of Michigan.
http://niels.xtdnet.nl/papers/honeyd-eabstract.pdf
APPENDIX - A
NAME
honeyd - Honeypot Daemon
SYNOPSIS
honeyd [-dPW] [-l logfile] [-p fingerprints] [-x xprobe] [-a assoc]
[-f file] [-i interface] [net ...]
DESCRIPTION
honeyd creates virtual hosts for IP addresses matching the
specified net. It can simulate any TCP and UDP service. It replies to
ICMP echo requests. Currently, all UDP ports are closed by default and
honeyd will reply with an ICMP unreachable port message if the
configured personality permits that.
This enables a single host to claim addresses on a LAN for network
simulation. The net argument may contain multiple addresses and network
ranges.
In order for honeyd to receive network traffic for IP addresses
that it should simulate, it is necessary to either explicitly route
traffic to it, use proxy arp or run arpd(8) for unassigned IP addresses
on a shared network.
honeyd exits on an interrupt or termination signal.
The options are as follows:
-d Do not daemonize, and enable verbose debugging messages.
-P On some operating systems, it is not possible to get event
notifications for pcap via select(3). In that case, honeyd
needs to run in polling mode. This flag enables polling.

-W Print a list of interfaces. ** WIN32 ONLY **
-l logfile
Log packets and connections to the logfile specified by
logfile.
-p fingerprints
Read nmap style fingerprints. The names defined after the
token are stored as personalities. The personalities can be
used in the configuration file to modify the behaviour of the
simulated TCP stack.
-x xprobe
Read xprobe style fingerprints. This file determines how honeyd
reacts to ICMP fingerprinting tools.
-a assoc
Read the file that associates nmap style fingerprints with
xprobe style fingerprints.
-f file
Read the configuration in file. It is possible to create
host templates with the configuration file that specify which servers
should run and which scripts should be started to simulate them.
-i interface
Listen on interface.
net The IP address or network (specified in CIDR notation) or IP
address ranges to claim (e.g. "10.0.0.3", "10.0.0.0/16"
or "10.0.0.5-10.0.0.15"). If unspecified, honeyd will attempt to
claim any IP address it sees traffic for.
