Professional Documents
Culture Documents
Evaluation of Low-Interaction Honeypots On The University Network
Evaluation of Low-Interaction Honeypots On The University Network
Evaluation of Low-Interaction
Honeypots on the University
Network
i
Acknowledgements:
First, I would like to thank Ola Flygt for being my supervisor and advising me on my
thesis in both writing and content. Second, I would like to thank the IT department and
especially Marcus Westin for his aid in procuring the resources needed to complete this
project, and his insight on certain results. Finally, I’d like to thank Josef Rudberg for
reading through my project and correcting it for grammar mistakes, my girlfriend Josie
for her encouragement and support, and to my family back home who has helped me get
to this point and supported me over the past three years.
ii
Contents
List of Figures v
1 Introduction 1
1.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Previous Research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.3 Problem Formulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.4 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.5 Scope/Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.6 Target Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.7 Outline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Method 4
2.1 Scientific Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.2 Method Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.3 Reliability and Validity . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.4 Ethical considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
iii
4 Implementation 14
4.1 Selection of Honeypot Solutions . . . . . . . . . . . . . . . . . . . . . . 15
4.2 Honeyd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.2.1 Honeyd Download . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.2.2 Honeyd Configuration File . . . . . . . . . . . . . . . . . . . . . 16
4.2.3 Honeyd Log File . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.2.4 Honeyd Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
4.3 Kippo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.3.1 Kippo functionality . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.3.2 Kippo Download and Setup . . . . . . . . . . . . . . . . . . . . 19
4.4 Dinonaea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
4.4.1 Dionaea Functionality . . . . . . . . . . . . . . . . . . . . . . . 19
4.4.2 Dionaea Download and Setup . . . . . . . . . . . . . . . . . . . 20
6 Discussion 42
7 Conclusion 44
References 45
A Appendix A 47
B Appendix B 52
C Appendix C 54
iv
List of Figures
4.1 Network design for Honeypots . . . . . . . . . . . . . . . . . . . . . . . 14
4.2 A sample of linux machine fingerprints from the file nmap.prints . . . . . 15
4.3 Sample of the configuration for a Windows XP computer . . . . . . . . . 16
5.4 Pie chart displaying the connections made to the honeypots. All 194.
addresses are the honeypots (removed for security reasons) . . . . . . . . 21
5.5 Bar chart displaying the different types of connections made . . . . . . . 22
5.6 Pie chart displaying the different types of connections made . . . . . . . 22
5.7 Screenshot of AbuseIPDB’s analysis of IP address 116.31.116.26 . . . . . 23
5.8 Screenshot of AbuseIPDB’s analysis of IP address 59.45.175.30 . . . . . 23
5.9 Pie chart displaying the connections by the destination port . . . . . . . . 24
5.10 Bar graph displaying the number of UDP connections per unique IP . . . 24
5.11 Pie chart displaying the number of UDP connections per unique IP . . . . 25
5.12 Bar graph displaying the number of ICMP connections per unique IP . . . 26
5.13 Pie chart displaying the number of ICMP connections per unique IP . . . 26
5.14 Bar graph displaying the number of connections per unique IP . . . . . . 27
5.15 Pie chart displaying the number of connections per unique IP . . . . . . . 27
5.16 Bar graph displaying the number of successful and unsuccessful SSH lo-
gin attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
5.17 Bar graph displaying the top 10 SSH clients used . . . . . . . . . . . . . 28
5.18 Bar graph displaying the most probes received in the time span of one day 29
5.19 Bar graph displaying the most successful logins per day . . . . . . . . . . 29
5.20 Bar graph displaying the top 10 username and password combinations . . 30
5.21 Pie chart displaying the top 10 username and password combinations . . . 30
5.22 Bar graph displaying the top 10 usernames attempted . . . . . . . . . . . 31
5.23 Pie chart displaying the top 10 passwords attempted . . . . . . . . . . . . 31
5.24 Bar graph displaying the top 10 commands entered into the console . . . 32
5.25 Screenshot of a Kipoo TTY log replaying a live attack . . . . . . . . . . 32
5.26 Bar graph displaying the top 10 successful commands entered into the
console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.27 Bar graph displaying the top 10 unsuccessful commands entered into the
console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
5.28 Bar graph displaying the top 10 connections per unique IP . . . . . . . . 34
5.29 Pie chart displaying the top 10 connections per unique IP . . . . . . . . . 35
5.30 Bar graph displaying the most successful logins per unique IP . . . . . . 35
5.31 AbuseIPDB’s report on the IP address 91.197.235.11 . . . . . . . . . . . 36
5.32 Main Page of DionaeaFR . . . . . . . . . . . . . . . . . . . . . . . . . . 37
5.33 Attack map displaying connections made from around the world . . . . . 38
5.34 Pie chart displaying the the connections by the destination port . . . . . . 38
5.35 Pie chart displaying the the connections by the destination port . . . . . . 39
5.36 Pie chart displaying the the connections by the destination port . . . . . . 39
v
1 Introduction
Around the world, billions of attacks on small, medium, and large networks occur on
a daily basis [1]. State-of-the-art firewalls, Intrusion Detection Systems (IDS), and other
detection tools attempt to defend networks against these malicious attacks. Over the years,
these defense tools have been built on information from past attempts at breaking into
a system, successful attempts at breaking into a system, and from stolen data [1]. A
honeypot is designed to reduce and/or eliminate the need for a system breach in order
to learn about what the hackers are using to penetrate the network. A honeypot simply
replicates a real network with fake data that a hacker will attempt to steal from, thereby
showing how and what their intentions are. Their intentions lead to information that is
vital for constructing a better IDS, firewall, and further encrypting the data that needs to
be protected.
1.1 Background
Attackers and blackhat hackers are constantly refining and developing new ways to pen-
etrate and take control of systems around the world. With a honeypot, Threats can be
eliminated before they become serious by watching the behavior of an intrusion to deter-
mine what their mechanisms are, and with this data, further improve security. Honeypots
are described as a trap to attract attackers [1] and they (usually) take shape as a virtual
system on a network. Mimicking the functionality of a real network, a virtual honeypot
network is only a persona set to trap the hacker and gain insight into their methods and
intentions. The founder of The Honeynet Project, Lance Spitzer, described a successful
honeypot as “an information system resource, whose value lies in unauthorized or illicit
use of that resource" [2].
1
intrusions, a honeypot can be used to discover potential threats. This data can be used by
the university’s IT department to be made aware of incoming attacks to see not only what
kind of services are the most susceptible for attacks, but possibly from which Internet
Protocol (IP) address, port, and origin. The goal of this thesis is to raise the IT depart-
ment’s awareness of current threats without harming the infrastructure with the use of a
low-interaction honeypot.
1.4 Motivation
Linnaeus University is, like any other large network, conscious of keeping its information
safe and secure from outside perpetrators. With the mass of personal information and
data that is passed internally and externally, a honeypot could help the university network
detect threats before they become serious [6]. Every network has the potential to have a
vulnerability, and the university network is not an exception. With an awareness of the
potential perpetrator’s intentions, the university may better defend their resources.
Research Questions
RQ1 Which services are the most exploited at Linnaeus University?
RQ2 How are honeypots structured and what are the characteristics of a
honeypot that attract hackers directed towards Linnaeus University?
RQ3 Where do most attacks on the university network originate?
RQ4 Which honeypot solution is the best and what criteria is used in de-
termining that?
Hypothesis
It is hypothesized that this experiment will result in a large number of intruders originating
from botnets and potential blackhat attackers attempting to find a vulnerability in the
Linnaeus network. These vulnerabilities include trying to capture shared secrets between
devices, attempting to infect the network with worms/malware, and possible rootkits.
1.5 Scope/Limitation
The honeypots that were built are specific to the Linnaeus University network. Any con-
clusions made of the data on an outside network cannot similarly be made, since the
data gathered is directly related to attacks against the university network. Furthermore,
there could be many attacks that are not recorded by the honeypots due to the nature of
the attack, or the fact that the low-interactive nature of the honeypot could make it an
un-attractive target for hackers. Another limitation is that the use of only a few honey-
pot versions might not capture every probe against the university network. There could
be other solutions that are more geared towards different vulnerabilities that the chosen
honeypots for this experiment could miss and would otherwise change the outcome of
the data. Finally, even though the nine IP addresses received from the IT department
had no filters or ports blocked on their end, the Swedish University Computer Network
(SUNET) automatically places certain firewall restrictions on these IP addresses. The fact
that these IP addresses still have some port rules (see Appendix C) attached to them, cre-
ates a limitation in some potentially malicious data packets being blocked from arriving
to the honeypots.
2
1.6 Target Group
The results from this thesis should directly impact the IT department at Linnaeus Uni-
versity, and indirectly impact university networks around the world. Since this imple-
mentation is catered towards a university network, any other large and/or related network
designs can benefit from these findings. The amount and types of attacks are always
beneficial for any network administrator to be aware of, and the results may reveal new
information about more refined attacks and threats on the web today.
1.7 Outline
Section 2 will go into detail of how each of the research questions will be answered.
Section 3 will answer RQ2 with the background of a honeypot, and the theory behind
it. In section 4 will be the description on how each honeypot solution was setup and the
configuration details. Section 5 will answer RQ1, RQ3, and RQ4, and display the results
from the honeypots and an analysis of what the data tells us. Finally in Sections 6 and 7
is a discussion on the analysis of the data, future research, and concluding remarks about
the project.
3
2 Method
This section will go into detail about how each research question will be answered. It
will also give the reasoning for why the experiment is valid and capable of solving the
research questions in the most precise way possible.
4
3 Background & Theory
In order to understand how and why honeypots are useful in testing purposes or in creat-
ing a safe environment, this section describes the history and current honeypot practices.
This section also describes the process it took to determine the honeypot solutions in the
experiment, and the function they would be serving.
5
The captured information can be directly relevant in the improvements to attack pre-
vention, detection, and/or reaction [8] (see sections 3.4.1 3.4.2 and 3.4.3). If an orga-
nization requires their honeypot to detect threats to improve the overall security of their
network, then instead of using a research honeypot, which has its main purpose in in-
formation gathering, they should use a production honeypot that provides direct security
features [8].
3.4.1 Prevention
Total and complete prevention is not probable with a honeypot, as a honeypot, in essence,
is not designed to keep attackers at bay. In fact, a poorly designed honeypot could allow
an experienced blackhat hacker to take control of the system through the services given
to them. Prevention is not the main security aspect that a honeypot will provide, but
the deterrence or distraction that a honeypot provides that prevents many attacks from
entering into real systems.
If attackers are spending time, energy, and resources focusing on breaking into the
honeypot and extracting data from it, then the less time is spent trying to break into the real
system. Again, this comes with the risk of them gaining control of the real system based
on the level of interaction associated with the honeypot, but essentially, the distraction
should provide a substantial level of prevention.
Most importantly, since most attacks are automated, coming from botnets and zombie
computers, a honeypot can be a scapegoat for these automated attacks instead of them
being pointed towards the real system. Then again, since these automated forms of attacks
are designed to affect everything with an IP stack [8], it might not be the best form of
prevention. Overall, honeypots are not the best form of prevention, and should only be
used more for detection purposes.
3.4.2 Detection
Honeypots are mostly designed for detection. Since it is difficult for many organizations
to detect attacks while distracted by the production environment, a honeypot can be used
as a detection agent that sits idle until a threat occurs [8]. For example, a system without
a honeypot could have a worm in their system with or without the IDS detecting it. How-
ever, with a strategic placement of a honeypot, it could notify the system administrator
that it has been infected and that the next course of action must be taken. Preferably, the
6
worms, viruses, and attacks should stay outside of the firewall, but in the case that some-
thing manages to slip through, it would be beneficial for a company to have a sandboxed
network that can log exactly what is happening to it, to better understand and take care of
the situation.
An IDS is seen as the main guard to a network, and is expected to maintain the security
of a network. However, with the increasing number of false positives, it becomes harder
to know whether a threat is real or not. If the IDS is constantly alarming the security
administrator of a threat that is not real, they could become callous and unsuspectingly
allow a threat that could have been otherwise prevented. If these types of misjudged
threats are not lowered, the real attacks become more powerful. A honeypot is only
successful when it has come into contact with a threat, therefore the number of false
positives with regards to a honeypot is extremely low.
Finally, the biggest risk that a honeypot can solve with regards to detection is when
a false negative occurs. If an IDS fails to detect the threat and it enters the system unin-
hibited, the last line of detection could be a honeypot. Since their primary objective is to
detect new anomalies, they will log and display the attack for the security administrator
to observe and deal with accordingly. It will be simple for the administrator, since the
honeypot does not take part in the production environment, but instead can treat every
connection as hostile [8]. Essentially, any new connections made by an internal honeypot
can be enough for an administrator to at least verify to see if there was in fact a potential
threat to the network. To summarize, honeypots should in no way replace an IDS, but
instead support it with information and its own alert system.
3.4.3 Reaction
If an organization’s data servers have been compromised in some way, and the response
team needs to identify and isolate the problem, a honeypot could provide a full forensic
search without compromising the other real production servers [8]. This, terms of reaction
and recovery, gives honeypots a unique part to offer in a security system. Especially if
the servers in question are allowing services that cannot be stopped immediately, having
access to a honeypot could be the only chance for discovering the real problem. Without
the honeypot, the recovery process would be trying to fix specific bugs without learning
what damage was done, how the attacker was able to gain access, if the attacker still has
access, or if cleanup was successful [8]. From a honeypot analysis, the response team
could determine the entry point of the attack and what the attack did. From this analysis,
a solution can be made to fix the other servers in the system, allowing the organization to
recover.
7
services that keep it functioning [2]. Every interaction made with the high-interaction
honeypot should be logged and monitored as it could be the result of a threat.
A high-interaction honeypot requires a large amount of maintenance and monitoring,
especially if the system becomes compromised. Making a full case study of the situation
could take days to understand what happened [2]. In addition, since high-interaction
honeypots can become fully compromised [2], and the fact that they interact with the real
system, the risk is greater that the hacker can gain real access. There is a trade-off: either
the attacker is fascinated with the honeypot, all of their interactions and keystrokes are
logged, and quality data of their intentions are received, or, the attacker uses the fact that
they can interact with the real system to gain access, and it compromises the production
network.
8
in which the attackers find themselves in is a sandbox, which as previously mentioned,
means that the attacker can abuse the honeypot as much as they want without exposing
critical systems and affecting other systems in the process [9].
3.7 Entrapment
Entrapment implies that the criminal was enticed by the honeypot to commit a crime he
would not have otherwise made if it were not for the very nature of the honeypot. This
defense will not hold if, for example, the defendant was predisposed to commit the crime,
or there was any evidence of planning behind the attack [11]. Entrapment is merely a
required case to determine whether or not the criminal had the correct state of mind to
perform their actions [11].
3. The law enforcement agent has reasonable grounds to believe that the contents of
the hacker’s communications will be relevant to that investigation.
4. Such interception does not acquire communications other than those transmitted
to or from the hacker (i.e. that of innocent parties). This exception is most rele-
vant when the honeypot has detected illicit activity and there is a wish to turn the
situation over to law enforcement to gather evidence for criminal prosecution.
9
3.8.3 Electronic Communications Privacy Act (ECPA)
This act entitles every subscriber or user of a computer network with privacy rights with
the assumption that the interception of their traffic is a violation of their privacy. It was
decided that any "provider of electronic communication" [11] fits under the ECPA, such
as a pager service, booking system, phone service etc. The logic follows that if a honeypot
operator is operating as an electronic communication service, and a hacker is subscribed
or is a user of this service, then the hacker could sue under the clause that their communi-
cations are being monitored and it is an invasion of their privacy.
10
3.10.1 Data Value
With millions of logs to filter through, security experts have had a difficult time interpret-
ing the messages, alerts, and logs that their machines are giving them on a daily basis. The
advantage of a honeypot lies in its collection of data. It only collects data that is important
and needs to be observed [12]. This reduces the strain in shifting through countless logs
to determine which ones are more important and should be taken seriously.
Honeypots provide the data that the administrator requires in a quick and easy-to-
understand format [12]. With this advantage, the administrator can be informed of any
potential threats and respond at a quicker rate. This data could also show attack patterns,
new viruses, trends, and other critical information used for statistical purposes or for
individual study [2].
3.10.2 Resources
Another problem faced by security mechanisms is the depletion of resources or the limi-
tation of resources [12]. This refers to when a security mechanism can no longer function
due to the surplus of package intake. For example, if a firewall is set to block all con-
nections and eventually its connection table becomes full, it has run out of resources to
take in more connections and no longer monitors the incoming connections [12]. Even
an IDS could start dropping packets if the sensor buffers become too full without enough
resources to deal with the situation. This leads to the IDS potentially skipping and not
logging critical data packets that are attacks on the system.
Due to the fact that honeypots log and monitor less activity compared to an IDS or
firewall, they typically will not have problems of resource exhaustion [12]. Honeypots
will only capture data that is pointed directly at itself and will not capture production
information. Because of this, honeypots have fewer data to log and monitor, and therefore
fewer resources are required. In the place where an IDS sensor may stop, due to resource
exhaustion, a honeypot will continue to function [12].
Honeypots themselves require significantly less Random Access Memory (RAM),
chip speed, or large disk drives, depending on their level of interaction [12]. Leftover
computers found inside the organization or even the executive’s recently discarded laptop
can be used [12]. A honeypot is not only cost-efficient but also will not require a lot of
resources to provide a helpful tool to the organization.
3.10.3 Simplicity
Simplicity is the single biggest advantage of honeypots [12]. A honeypot does not require
many difficult algorithms, databases to maintain, or rule bases to misconfigure [12]. The
honeypot is simply placed in a strategic location onto the network and regularly checked
for anomalies or used as an alert system. Research honeypots can be more complex if
the operator wants a higher level of interaction and complicated services. However, all
honeypots share the same simple concept; to capture and record any connections made
with it. This simplicity makes honeypots more reliable and less like to be misconfigured,
break, or fail [12].
11
successfully against the organization. Therefore this will cause them to question the extent
of their investment. Since no major attacks or problems have been made, the organization
might not understand the extent of the investment in the firewall and think to cut back
financially. Security measures such as encryptions, strong authentication, and host-based
armoring are victims of their own success [12]. To summarize, if these mechanisms are
successful, the company might cut back on the expense of these products due to the lack
of intrusions that these mechanism provided in the first place.
For this reason, a honeypot’s value is obvious by their function. Every time they are
attacked, the organization may realize the threat is indeed present. This can justify not
only the use of a honeypot itself but also the investment into other security resources [12].
The honeypot can provide the proof that management needs to ensure that their security
mechanisms may stay.
3.11.2 Fingerprinting
Fingerprinting, in both active and passive terms, refer to the capture and identification of a
system [13]. Fingerprinting can be the bane of a honeypot if an attacker recognizes certain
services from previous honeypots. For example, an attacker may be able to recognize a
honeypot by an incorrectly made web server returning an incorrect HTML value, or an
incorrect SSH server error message. Anything that an attacker could discover that is
suspicious or not normal could alert the attacker of the presence of a honeypot and create
a fingerprint of the situation. If a honeypot becomes fingerprinted, its use is nullified.
Honeypot operators should ensure that there are no stray, incorrect, or unusual services
that could raise suspicious for an attacker, especially at higher levels of interaction [12].
One particularly dangerous instance of fingerprinting could occur if the attacker uses
the honeypot to their advantage. By identifying a honeypot on the network, an attacker
can spoof production systems and attack the honeypot [12]. The alerts from this fake
attack will have management confused and in the confusion, allow the attackers to focus
on real attacks.
Lastly, fingerprinting could be the main issue with bad information coming from a
honeypot. An attacker could recognize the existence of a research honeypot and pro-
ceed to feed bad information [12]. This information could lead to an incorrect security
configuration, which could lead to security issues in the future.
12
3.11.3 Risk
As mentioned in section 3.5, a honeypot has a certain level of risk attached to the level
of interaction it has. If a honeypot is compromised and controlled by an attacker, they
can use this honeypot and its resources to further their attack. Either by furthering the
attack into the organization the honeypot is attached to, or turn the honeypot into a piece
of a bigger botnet. The general rule is that the simpler the honeypot is, the less risk is
associated with it [12]. The trade off is, however, that the honeypot might not generate as
precise and unique data as one with a more complicated level of interaction.
Because of these disadvantages, honeypots should not replace security mechanisms
like firewalls and IDS [12]. Instead, a honeypot should add to the overall security in-
frastructure with clear goals and instructions without overstepping the bounds to create a
security risk.
13
4 Implementation
In this section, a detailed description of how the honeypots were implemented will be
presented, specifically with regards to the honeypot itself, setup, configuration, and their
capturing of data. After thorough research into many open source honeypot solutions,
three different honeypot solutions were chosen: Honeyd, Kippo, and Dionaea. In this
section, each solution selection will be explained and the configuration details of each will
be included. Due to security reasons, some of the configurations cannot be released. All
of the configurations displayed in this report are the same as used in the actual experiment
excluding the subnet of IP addresses given from the IT department. The below figure is
the design of the network, which will be explained in detail later in this section.
14
4.1 Selection of Honeypot Solutions
When searching for a suitable honeypot solution, several pieces of influential criteria were
involved in the decision. This criteria was a incorporation of cost, level of interaction,
amount of online sources, online reviews, available documentation, reconfigurability, and
finally, ease of setup. Setup difficulty was not determined until after the experiment was
concluded and could not be factored into the selection process. Yet, without the setup dif-
ficulty, the decision to choose these honeypots solutions were based on the other qualities
listed above. Another factor that was a part of the decision making process in terms of the
level of interaction was the fact that using a high-interaction honeypot is not only expen-
sive, but it could lead to legal issues. With low-interaction honeypots, it is a lot easier to
control the network environment and deters from any serious issues with the core network
and any illegality.
4.2 Honeyd
Honeyd is a small daemon that creates virtual hosts on a network. [14]. Any of these hosts
have the ability to run and personalize most network functions and operating systems. A
single Honeyd host can claim up to 65,536 IP addresses [14], and can emulate routing and
other functions such as web servers, FTP servers, dynamic port binding, etc [14]. In order
to appear realistic, Honeyd reveals itself as a real system when either Xprobe or Nmap
(the two most common fingerprinting tools) are used to determine the operating system
of the host. In Honeyd, the virtual personality is configured using an Nmap fingerprint
found in the nmap.prints database.
Figure 4.2: A sample of linux machine fingerprints from the file nmap.prints
When this personality is configured, the virtual honeypot will react to packets using
the network stack behavior that the particular fingerprint calls for [15]. Every outgoing
packet’s protocol headers are changed to reflect the personality that they are emulating.
Nmap’s fingerprint database is used to simulate Transmission Control Protocol (TCP) and
User Datagram Protocol (UDP) network behavior, and Xprobe is used to simulate Inter-
net Control Message Protocol (ICMP) behavior [15]. The above example is a fingerprint
15
found in the file nmap.prints which specifies the network stack behavior of a Linux ma-
chine.
As aforementioned, the syntax for creating such personalities are difficult due to the
lack of documentation. With the help of several blog posts from the creators of Honeyd
and Nova, Honeyd’s successor, it became easier to understand how the personalities were
configured. The basics are:
1. Both a general name and personality found in nmap.prints are assigned to the virtual
honeypot.
2. The uptime field gives the option to spoof the uptime of a host, referring to the
duration of time since the system was first booted [4].
16
3. Setting the default TCP action refers to how the virtual honeypot will handle incom-
ing TCP traffic. There are three different states that you assign to a certain action
or port on a virtual honeypot[17]:
4. Set as many ports open, closed, or filtered (closed by default) as needed on the
virtual honeypot.
5. Lastly, python and/or pearl based scripts can be assigned that emulated different
functions onto each port.
1. First, an empty file is created, which in this experiment was called /etc/log/honeyd.log.
2. Next, the file permission must be changed to 766 using sudo chmod 766 /etc/log/honeyd.log
so that the file can be read, written to, and executed by the owner, but only can be
read and written to by in group and others.
3. Finally, the Honeyd2mysql script needs to be pointed to the correct log file path,
which in this case is /etc/log/honeyd.log. This step is done in preparation for when
the log data from Honeyd will eventually be transferred into Honeyd-Viz.
17
The command used to disable IP forwarding is: echo 0 > /proc/sys/net/ipv4/ip_forward.
Next, the Honeyd host needs to be configured so that Address Resolution Protocol (ARP)
requests from the router about the IP addresses of the virtual honeypots are answered. In
order for this request to suffice, a tool called farpd, otherwise known as "Proxy-ARP", is
used to spoof the ARP requests. Farpd, created by Niels Povos (creator of Honeyd), lis-
tens on the host interface and responds with its own Media Access Control (MAC) address
in response to a request from the router for information from the IP of a virtual honeypot.
This allows the Honeyd host to take the responsibility in getting the information from the
internet to the virtual honeypots and back. Without this, either the router needs to have
the specific routes to the virtual honeypots in its routing table or the virtual honeypots will
be unable to interact on the internet. The command used to activate this is:
farpd (host network interface IP) -i (physical network interface)
Once IP forwarding is turned off, and farpd is turned on, Honeyd is ready to be activated.
The command used to start Honeyd is:
s u d o honeyd −d
−f / e t c / h o n e y p o t / honeyd . c o n f
− l / v a r / l o g / h o n e y p o t / honeyd . l o g
−p / e t c / h o n e y p o t / nmap . p r i n t s
−a / e t c / h o n e y p o t / nmap . a s s o c
−0 / e t c / h o n e y p o t / p f . o s
−x / e t c / h o n e y p o t / x p r o b e 2 . c o n f
−u 1000 −g 1000 − i e t h 0 1 9 2 . 1 6 8 . 1 . 1 1 − 1 9
• -d flag denotes that Honeyd will run in the foreground and not in deamon mode so
that the debug messages will be shown on the terminal.
• -f flag tells Honeyd the path to the configuration file that holds the personalities
Honeyd should launch.
• -l flag gives Honeyd where the connections should be written to in a log file.
• -p flag gives Honeyd the path to the Nmap signature database that Honeyd uses to
emulate different operating systems at the network stack [4].
• -a flag reads the file that associates Nmap style fingerprints with Xprobe style fin-
gerprints [18].
• -0 flag reads the database for passive fingerprinting. Allows for dynamic templates
[18].
• -x flag reads Xprobe style fingerprints. The content of this file will denote how
Honeyd reacts to ICMP fingerprinting tools [18].
• -u and -g flag sets the user and group ID of the process. 1000 just happens to be the
point where human user ID’s start in Ubuntu [19].
• -i flag specifies the network interface and IP address of the Honeyd host.
If the configuration file’s syntax is correct, then Honeyd will start in debug mode and
be listening promiscuously on the network interface.
18
4.3 Kippo
Kippo is a medium-interaction honeypot that emulates an SSH service. SSH is used to
connect a user securely into a device to control and change files within the system [20].
4.4 Dinonaea
Dionaea, otherwise known as "the Nepenthes successor", is a malware capturing honeypot
developed in 2009 as a part of The Honeynet Project [21].
• Server Message Block (SMB) – Used as a popular target for worms, SMB is one of
the main protocols offered by Dionaea [21].
19
• HyperText Transfer Protocol (HTTP) – As well as supporting traffic on port 80,
Dionaea generates a self-signed SSL certificate upon startup to include HTTPS [21].
• File Transfer Protocol (FTP) – Dionaea is susceptible all activities involving FTP
including the downloading and uploading of files plus the creation of directories
[21].
• Trivial File Transfer Protocol (TFTP) – Dionaea can serve files over port 60 on a
provided TFTP server [21].
• Microsoft SQL Server (MSSQL) – Using the Tabular Data Stream protocol, Dion-
aea Listens on port 1433 and allows logins to clients and decodes the queries made
on the database [21].
• Voice over IP (VoIP) – Dionaea is able to register and log all SIP (Session Initial
Protocol) messages, and react accordingly [21].
20
5 Results From Honeypot Data
In this chapter, the results of each honeypot will be shown. Please note that some of the
data must be hidden due to security reasons, but conclusions can be drawn nevertheless.
This chapter will also answer the research questions posed at the beginning of this paper
and many references will be made back to these questions in the analysis of the honeypot
data:
• What are the characteristics of a honeypot that attract hackers directed towards Lin-
naeus University ?
The following is a graph of how many connections each honeypot received. The IP
addresses are removed for security reasons.
Figure 5.4: Pie chart displaying the connections made to the honeypots. All 194.
addresses are the honeypots (removed for security reasons)
Each virtual honeypot almost equally received the same amount of connections, which
confirms that they are individually working and are interacting with traffic across the web.
21
Figure 5.5: Bar chart displaying the different types of connections made
Displayed in the graph is an influx of TCP connections. Since more TCP ports were
left open in the Honeyd virtual honeypot configurations, it make sense that the most com-
mon probed ports are over TCP. There are a few ICMP connections as well as a few GRE
tunneled connections. However, since ICMP and GRE do not have much to do with the
connections themselves, more focus will be put on the TCP and UDP connections.
Figure 5.6: Pie chart displaying the different types of connections made
From the following data, IP addresses 59.45.175.30 and 116.31.116.26 were the most
active with the honeypots using TCP as a connection. An investigation into these IP ad-
dresses brings the following results from a project called AbuseIPDB which is sponsored
22
by DigitalOcean. Their goal is to help make the web safer by providing a central repos-
itory for webmasters, system administrators, and other interested parties to report and
identify IP addresses that have been associated with malicious activity online [22].
Both IP address correspond with malicious activity and both were reported with multi-
ple accounts of brute-force attempts on different connection protocols, DDoS, Port Scans,
and SSH abuse. With over 570 reports from webmasters and system administrators com-
bined, and holding the most connections on the honeypots, these two IP addresses are
therefore most likely the contributors to most of the malicious TCP activity.
23
To understand which resources are the most probed from these IP addresses and the
other million connections, the following graph is used to cross reference the amount of
TCP connections with the number of connections per port. This helps determine what
sort of services where the most targeted on the university network.
Figure 5.9: Pie chart displaying the connections by the destination port
The conclusion made from the TCP connections made to the honeypots on the univer-
sity network shows that ports 22, 23, and even 2323 are the most perceptible to brute force
connection attempts and malicious SSH abuse. These connection attempts, as shown in
the data from AbuseIPDB originated from China.
Figure 5.10: Bar graph displaying the number of UDP connections per unique IP
24
Figure 5.11: Pie chart displaying the number of UDP connections per unique IP
The top two addresses used by the honeypots are from the Domain Name Server
(DNS) addresses for Google. Unusual as it is, the conclusion made from this data might
be insignificant, but shows that these connections are Multicast Domain Name System
(MDNS) queries sent from DNS servers to detect a single host’s IP addresses because
of an absence of a central DNS [4]. This data may not show perpetrators on the vir-
tual honeypots, but it does prove that Google’s DNS treats the virtual honeypots like real
hosts, receiving those queries for host identification. The other IP addresses that con-
nected through UDP that are not DNS servers are therefore subject to more investigation.
Unfortunately, since the top ten connections were using TCP, we cannot know for sure
what sort of activity was happening over UDP (see Figure 5.9). Also, since such a small
amount of UDP traffic was captured compared to TCP traffic, no conclusion can be drawn
as to whether or not any malicious activity is happening using UDP.
25
Figure 5.12: Bar graph displaying the number of ICMP connections per unique IP
Figure 5.13: Pie chart displaying the number of ICMP connections per unique IP
Again, the top two origin IP addresses were found in AbuseIPDB’s database involv-
ing malicious activity with the top IP (221.183.16.231) being reported for hacking by 50+
webmasters and/or system administrators. Although nothing can be achieved through
2000 pings over several days, it still goes to show that the honeypots can aid in the detec-
tion of malicious networks through the use of ICMP.
26
Figure 5.14: Bar graph displaying the number of connections per unique IP
Figure 5.15: Pie chart displaying the number of connections per unique IP
Out of the 1.7 million connections, about half (807,591) of them are from The People’s
Republic of China. Furthermore, from only the top ten most connections, half of them are
blacklisted in several databases that contain IP addresses of malicious servers. The results
from this data can be found in Appendix B and the conclusion can be can be drawn that
the most connections and attacks against the university network originate from China.
27
5.2 Kippo Results
Kippo gathered over 40,000 connections in about two weeks. Each time an attacker at-
tempted to login into the honeypot using SSH, Kippo recorded all the interactions from
this connection and directly uploaded this data to Kippo-Graph, where the data was vi-
sualized. The following graphs represent each connection’s attempt to gain access to the
honeypot through SSH and also which SSH client was used the most:
Figure 5.16: Bar graph displaying the number of successful and unsuccessful SSH
login attempts
Figure 5.17: Bar graph displaying the top 10 SSH clients used
Only a few number of connections were successful, regardless of the relatively simple
login credentials. It is also not surprising to see Putty listed as the top client, due to
its popularity and ease of use. These probes continuously attacked the system from 500
connections in one day to over 8000 connection attempts in one day, as shown in the
following graph:
28
Figure 5.18: Bar graph displaying the most probes received in the time span of one
day
With each connection attempt, taking into account the success rate was quite low, not
every connection was granted access. The following graph details how many successful
connections were made each day:
Figure 5.19: Bar graph displaying the most successful logins per day
As expressed in the data, the login attempts were very few, yet still present every day
on the Kippo honeypot. For every login attempt, a probe tries to establish an SSH connec-
tion by trying to login as a certain user and their password combination respectively. The
following graphs explain the different results concerning the most common combinations:
29
Figure 5.20: Bar graph displaying the top 10 username and password combinations
Figure 5.21: Pie chart displaying the top 10 username and password combinations
The attackers used similar user name and password combinations to attempts to enter
the system. Both "root" and "admin" are keywords used to try and gain a higher privilege
inside the system. The guessed passwords are most likely using a dictionary attack based
on default passwords, common phrases, and eventually random characters until the system
is broken into. Fortunately, for the attackers, the user name and password combination
was easy enough to guess. Unfortunately, for the attackers, the system was a honeypot
that was recording their every move. The following graphs can be used to show which
user name and passwords are the most used in brute forcing SSH:
30
Figure 5.22: Bar graph displaying the top 10 usernames attempted
This data can be used to show which user names and passwords should absolutely
not be used when setting up a machine with SSH. This data can also show that one of
the criteria that a honeypot has that directs attackers towards the university network is an
open and easily crackable SSH connection. This leads to the next section explaining what
these attackers attempted to do once inside the Kippo honeypot and what commands were
executed inside it.
31
Figure 5.24: Bar graph displaying the top 10 commands entered into the console
Since these input values are the most used by attackers, it is important to understand
what each do, and by this we can draw a conclusion as to what most attackers are after.
The following screen shot is taken from a Kippo TTY log, where it shows the actual
commands typed into the terminal. While watching the video play, it is clear to see that
this is completely automated. The commands are almost instantly typed in and executed.
This particular log was from an attack from Warsaw, Poland:
With some help from the IT department, and some sources online, this is the best
guess of what was attempted within the system:
Although /gweerwe323f was the most executed command, it failed to execute any
file by the name of gweerwe323f as shown in figure 5.27. Not only did the file fail to
32
execute, it is a part of a seemingly new and unknown attack. The closest we have come to
seeing /gweerwe323f is in recent blog posts and several SSH honeypot paste bins from the
past month asking about the source, with no answers about what it is [25]. Speculations
from both online articles and the IT department say that it might be a fork of a popular
SSH bot Mirai in which the author of the malware recently released its source code on
Github earlier this year [26]. If the suspicion is correct, this means that the following code
snippets show the worm checking for different files within the system for write access and
attempting to find a part of the system open for a root exploit. In both:
show the user trying to deposit a hidden file in file names that start with "." and in "tmp"
respectively. This is a common thing for applications to do, yet it is suspicious that there
is no chmod command to enable the user to run the original file that has been modified.
After the attacker has probed the file, the final "rm command" is used to clean up all
evidence that the attacker did anything to that file and to the system.
Figure 5.26: Bar graph displaying the top 10 successful commands entered into the
console
Using the top ten successful commands, it is clear to see which commands can directly
impact the system. If the system has been set up similarly to the production network in
any way, then this data can reveal better what an attacker can do to the production network
to be able to better defend against it. However, it is still interesting to note unsuccessful
commands to discover what they might be looking for that was not available on the Kippo
honeypot:
33
Figure 5.27: Bar graph displaying the top 10 unsuccessful commands entered into
the console
It seems that the most entered command is also the most unsuccessful. The only guess
here is that this particular attack is searching for a very specific system like an IP camera,
security mechanism, or specific operating systems that holds this file to be executed by the
worm. Due to very little information about this recent SSH input, it is currently unknown
what exactly the file is and why these attackers want it to be executed.
Figure 5.28: Bar graph displaying the top 10 connections per unique IP
34
Figure 5.29: Pie chart displaying the top 10 connections per unique IP
As shown in the graphs, the largest number of attacks came from China. As shown in
section 5.1.4, Honeyd received the same results as Kippo when it comes to the origin of
the most attacks. Yet, interestingly enough, the most probing IP address (116.31.116.26)
only established five logins with the Kippo honeypot. This is revealed in the following
graph on successful connections per IP:
Figure 5.30: Bar graph displaying the most successful logins per unique IP
From this data, a conclusion can be made, that most of the input data seen in section
5.2.1 is coming from the IP address 91.197.235.11. The following shows the results from
this IP address in AbuseIPDB’s Database [22].
35
Figure 5.31: AbuseIPDB’s report on the IP address 91.197.235.11
Regardless of the 10,000 connections coming from China, it is in fact the attacks that
came from this Russian IP address that should be the most scrutinized as these attacks
had the most success. The rest of the attacks were scattered around the globe and did not
have as many successful logins.
36
5.3 Dionaea Results
Dionaea, the malware capturing honeypot, proved to be almost useless of the three honey-
pot solutions. In over 40,000 connections and over 12,000 different IP addresses, Dionaea
failed to capture a single piece of malware. These results were less than satisfactory, but
from a conversation with the IT department, they speculated that "worms and malware
generally don’t ’wander around’ on the Internet, but are distributed inside one’s corpo-
rate network after one machine has been infected". This, in addition to SUNET’s port
blockage on the incoming line or even in the Dionaea configuration, could have lead to
the results received. Regardless of the lack of malware, Dionaea still managed to record
the connections made from all around the globe. These results also backup the results re-
ceived in Honeyd and Kippo in terms of connection origin and port. The following screen
shot displays the main page of DionaeaFR, a visualization program that takes the Dionaea
logs, and converts them into an easily readable format:
37
• tcp/1433 → MSSQL
Once a connection is made asking for any of these services, Dionaea records the con-
tact and writes the information in the log file. The following figure shows an attack map
revealing the origin of all the connections asking for one of these services:
Figure 5.33: Attack map displaying connections made from around the world
Looking at the data, it is apparent that the Dionaea honeypot’s services were properly
marketed across the globe with connections from different IP addresses in different coun-
tries. The following graphs detail the majority of connections by IP address and ports to
show which service was the most targeted and from where.
Figure 5.34: Pie chart displaying the the connections by the destination port
38
Figure 5.35: Pie chart displaying the the connections by the destination port
Looking at figure 5.34, several of the IP addresses, including the top connection
202.73.98.66 from Indonesia are listed in AbuseIPDB’s database [22]. The analysis from
the list of ports in figure 5.35 show that connections on port 23 are the most used. The
second most probed port are connections on port 5060, which uses the Session Initiation
Protocol (SIP), a signaling protocol widely used in Voice over IP (VoIP). VoIP can be
targeted and exploited to steal data, misuse calls, or even use the microphone or webcams
without approval [28]. Each individual connection is able to be analyzed on Dionaea, and
further investigated if need be. An excerpt from the analysis of the connections is shown
below which includes important information about where the connection came from, how,
and when it was received. The sensor’s IP address was edited for security reasons.
Figure 5.36: Pie chart displaying the the connections by the destination port
Overall, Dionaea was unable to capture any malware, which could be seen as either
positive for the university network in terms of knowing they have little to worry about
regarding malware, there was something wrong with the Dionaea honeypot, or the blocked
ports from SUNET prevented any malware from transmitting on the incoming line. From
the connections, it proves that there was plenty of activity regarding the outside world’s
39
ability to connect to the honeypot. The conclusion here would be that the university
network is not vulnerable to malware attacks directly from the internet, and if malware
were to enter the network, it would have to be brought on a device directly into the system.
Honeypot Comparison
Category Honeyd Dionaea Kippo
Cost Open Source Open Source Open Source
Level of interaction Low Low Medium
Amount of Online Sources Medium Medium High
Online Reviews High High High
Available Documentation Very Low Low Medium
Reconfigurability Very High Low Low
Setup Difficulty Very High Low Very Low
40
dependencies has finished. The simplicity factor, along with the vast amount of online
resources, places this honeypot solution in second place.
41
6 Discussion
The purpose of this study was to evaluate several low-interaction honeypots and their
detection of potential threats in the university network. In order for this to happen, three
honeypots were deployed to capture and analyze different connections on different ports.
The selection of Kippo, Honeyd, and Dionaea as tools, as explained in section 4.1, helped
the process of capturing probes around the world to show which services are the most
threatened.
Analyzing the interaction between the honeypots, the attackers, and the overall con-
nection data in such a short span of time gives an incredible insight into how significant
honeypots can be as a security mechanism. With the simple distributions like Kippo and
Dionaea, they can add an extra layer of security to the network infrastructure without as
much configuration time. However, with Honeyd, it might be more of a complication than
an addition, but if the administrator would like to test for specific machines and network
patterns, then Honeyd provides these functions. One of the major advantages of these
low-interactive honeypots is that they can be deployed and left alone to gather data with-
out any maintenance. The only requirement is to check the logs regularly or when there
has been a breach to see exactly what kind of malicious data is currently on the internet.
Hypothesized at the beginning of this experiment was that the results would reflect a
number of botnets and blackhat hackers attempting to inflict malicious bugs and rootkits
into the university network. Although the experiment did wield a large number of probes
from what seems to be botnets around the world, the botnets did not attempt to inflict as
malicious damage as hypothesized. From the results, it shows that it was uncommon for
malware to be lingering on the internet waiting to be downloaded, and definitely not the
intruders first line of attack. Instead the results showed a majority of its intruders abusing
the services that runs on ports 22 and 23.
The results of this thesis compared similarly to the results of two master theses from
Chalmers and Halmstad University [4] [3]. In these theses, they also found botnet attacks
made on ports 22 and 23 and found a significant amount of malicious TCP traffic origi-
nating from China. However, one of the major differences found between this project and
theirs, was that port 445 was a profoundly attacked resource. As mentioned in section
1.2, port 445 uses SMB which is a vulnerable application-layer network protocol asso-
ciated with communications between Microsoft services [5]. The difference however, is
that activity over port 445 was one of the ports blocked from SUNET’s end which made
it impossible to receive connections over this port. It is suspected that these blocked ports
from SUNET disallowed Dionaea from downloading any malware that should have been
captured during the experiment.
To be able to draw conclusions from the results of the honeypot logs, specific visual-
ization tools gave the data an extremely easily readable format. The three visualization
tools were Honeyd-Viz for Honeyd, DionaeaFR for Dionaea, and Kippo-Graph for Kippo.
Dionaea, Kippo, and all the virtual honeypots from Honeyd were each given a public IP
address from the IT department with some restrictions from SUNET as previously men-
tioned. Besides this, there was nothing between the honeypots and the internet. From the
limited capture time, (two weeks for Dionaea and Kippo, three days for Honeyd) the data
gathered lead to the following conclusions:
1. The most attacked service was using SSH and Telnet on ports 22 and 23. These ports
held more than 50% of the traffic and the input from these interactions came from
many blacklisted servers. From the logs, it looks like many automated connections
are made on these ports most likely from botnets or other zombie computers.
42
2. The characteristic of a honeypot that will attract hackers towards Linnaeus Univer-
sity are open ports. Any open ports are vulnerable for exploitation. In this particular
experiment, every port that was opened had been scanned and, in the case of ports
22 and 23, section 5.2 shows exactly what an attackers does to take advantage of
that.
3. The most attacks on the university network originate from the People’s Republic of
China. Honeyd and Kippo showed China as their most common perpetrator and
Dionaea had china in the top 10. This data is in coherence with online sources that
also acknowledge China as one of the leaders of cyber-attacks [29][30][20].
4. The best honeypot solution of the three is Honeyd due to its reconfigurability, scal-
ability, and ability to advertise services. Honeyd is able to replicate an unprece-
dented amount of services, including machines and specific scripts attached to each
port. The ability to manipulate the configuration file and decide exactly how the
honeynet, or collection of honeypots, should function gives the user the power to
decide what they want to test. For these reasons, Honeyd was the best of the three
low-interaction honeypots.
Although much of the data received in this experiment was reflected in other theses,
future research in the field of analyzing malicious traffic on a university network can
explored in three different areas:
The first area for future research would be to explore the incoming traffic without the
blocked ports from SUNET. Since this experiment’s results might be more realistic in
terms of the Internet Service Provider (ISP) blocking these ports, these rules disallowed
the entry of potentially many different malicious packets that could be analyzed to show
different results.
The second area for future research involves the implementation of several different
levels of new and upcoming honeypot solutions. Since this experiment only handled low-
interaction honeypots, it could be beneficial to analyze the data captured using the latest
honeypot technology of different levels. Using a high-interaction honeypot could give a
whole new plethora of data that could impact the university more than a low or medium-
interaction solution could.
The last area of potential future research is to go a step further and help create a
security plan regarding the data received from the honeypots. Since a honeypot’s purpose
is to research malicious data on one’s network, then this data could be used to alter the
security plan to ensure the prevention of an attack surrounding the data gathered. The
process included in discovering an abused resource, and creating a plan to counteract
these attacks, could be explored in future research.
43
7 Conclusion
The university network is under the scrutiny of the internet at all times. Aiding in the
detection and elimination of cyber attacks, a honeypot can be a valuable asset to any net-
works security plan. Although the honeypot selection process and setup can be difficult,
the eventual repercussions of a honeypot will produce valuable data to stay ahead of the
current cyber threats. This particular experiment dealt with machines that had virtually
no protection, but, it shows what could happen if the university were to leave services
open and unsecured. In doing this, it revealed exactly what attackers around the world are
capable of, only after a matter of days, which further proves how imperative it is to build
a secure infrastructure.
44
References
[1] S. Russell and P. Norvig, Virtual honeypots: from botnet tracking to intrusion detec-
tion, 3rd ed. Addison-Wesley Professional, 2007.
[5] “What is an SMB Port? What is Port 445 and Port 139
used for?” 2016. [Online]. Available: http://www.thewindowsclub.com/
smb-port-what-is-port-445-port-139-used-for
[6] T. Holtz, “How to use honeypots to improve your network security,” eWeek, 2008.
[8] Lance Spitzner, “The Value of Honeypots, Part One: Definitions and Values
of Honeypots,” 2001. [Online]. Available: https://www.symantec.com/connect/
articles/value-honeypots-part-one-definitions-and-values-honeypots
[10] J. Bradshaw, “Does Your Honeypot Interaction Match Your Security Operations Ser-
vice Level Agreement? – TRAPX Security.” [Online]. Available: https://trapx.com/
does-your-honeypot-interaction-match-your-security-operations-service-level-agreement/
[13] D. Gibson, CompTIA Security+ get certified get ahead SYO-401 study guide.
YCDA, LLC, 2014.
45
[16] ——, “Honeyd,” 2007. [Online]. Available: https://github.com/DataSoft/Honeyd
[17] “Ports not actually blocked on HoneyD,” 2013. [Online]. Available: https:
//ubuntuforums.org/showthread.php?t=2113540
[22] “AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a
time,” 2017. [Online]. Available: https://www.abuseipdb.com/
[23] Rouse Margaret, “What is ICMP (Internet Control Message Protocol)? - Definition
from WhatIs.com,” 2015. [Online]. Available: http://searchnetworking.techtarget.
com/definition/ICMP
[25] Joanbtl, “December 30, 2016 – HoneyPot World,” 2016. [Online]. Available:
https://honeypotworldblog.wordpress.com/2016/12/30/december-30-2016/
[28] Yonatan Reuben, “5 Signs That Your VoIP System is Hacked | GetVoIP,” 2015.
[Online]. Available: https://getvoip.com/blog/2015/03/25/signs-voip-hack/
[29] Fingas Jon, “Sit back and watch hacks around the world in real time,” 2014.
[Online]. Available: https://www.engadget.com/2014/06/24/live-hacking-map/
46
A Appendix A
The following IP-addresses will be hidden for security reasons, which will be marked with
an asterisk (*).
create default
set default default tcp action open
set default default udp action open
set default default icmp action open
create switch
set switch personality "Cisco Catalyst 4006 Switch running NmpSW 7.4(2)"
set switch uptime 9401532
set switch default tcp action open
add switch tcp port 22 open
add switch tcp port 23 open
set switch ethernet "64:00:6a:85:45:39"
#dhcp switch on eth0
bind 194. switch*
create router
set router personality "Cisco 1601R router running IOS 12.1(5)"
set router default tcp action open
add router tcp port 22 "/usr/share/honeyd/scripts/test.sh"
add router tcp port 23 "/usr/share/honeyd/scripts/router-telnet.pl"
set router ethernet "64:00:6a:85:45:40"
bind 194. router*
#dhcp router on eth0
create windowsNT
set windowsNT personality "Microsoft Windows NT 4.0 SP3"
set windowsNT uptime 5981234
set windowsNT default tcp action open
add windowsNT tcp port 21 open
add windowsNT tcp port 22 open
add windowsNT tcp port 23 open
add windowsNT tcp port 25 open
add windowsNT tcp port 53 open
add windowsNT tcp port 443 open
add windowsNT tcp port 110 open
add windowsNT tcp port 119"/usr/share/Honeyd/scripts/win32/win2k/exchange-nntp.sh"
add windowsNT tcp port 135 open
add windowsNT udp port 136 open
add windowsNT udp port 137 open
add windowsNT udp port 138 open
add windowsNT tcp port 139 open
add windowsNT tcp port 143 "/usr/share/Honeyd/scripts/win32/win2k/exchange-imap.sh"
add windowsNT tcp port 1433 open
add windowsNT tcp port 80 "/usr/share/Honeyd/scripts/web.sh"
add windowsNT udp port 53 open
add windowsNT tcp port 389 "/usr/share/Honeyd/scripts/win32/win2k/ldap.sh"
47
add windowsNT udp port 1434 open
add windowsNT tcp port 901 open
add windowsNT udp port 1026 open
add windowsNT tcp port 1026 open
add windowsNT tcp port 1900 open
add windowsNT tcp port 5000 open
add windowsNT udp port 3389 open
add windowsNT udp port 4899 open
add windowsNT tcp port 1080 "/usr/share/Honeyd/scripts/mydoom1.pl-l/usr/share/Honeyd/scripts/mydoom
add windowsNT tcp port 10080 "/usr/share/Honeyd/scripts/mydoom1.pl-l/usr/share/Honeyd/scripts/mydoom
add windowsNT tcp port 8080 open
add windowsNT tcp port 3128 open
add windowsNT tcp port 3410 open
add windowsNT tcp port 8866 open
add windowsNT tcp port 17300 open
add windowsNT tcp port 5554 "/usr/share/Honeyd/scripts/cmdexexp.pl-p winxp-l/usr/share/Honeyd/scripts/
add windowsNT tcp port 9898 "/usr/share/Honeyd/scripts/cmdexexp.pl-p winxp-l/usr/share/Honeyd/scripts/
add windowsNT tcp port 9996"/usr/share/Honeyd/scripts/cmdexexp.pl-pwinxp-l/usr/share/Honeyd/scripts/c
add windowsNT tcp port 1234 "/usr/share/Honeyd/scripts/win32/win2k/msftp.sh"
add windowsNT tcp port 5900 "/usr/share/Honeyd/scripts/win32/win2k/vnc.sh"
set windowsNT ethernet "64:00:6a:85:45:41"
bind 194. windowsNT*
#dhcp windowsNT on eth0
create WindowServer
set WindowServer personality "Microsoft Windows Server 2003 Standard Edition"
set WindowServer uptime 290438
set WindowServer default tcp action open
set WindowServer default udp action open
add WindowServer tcp port 21 open
add WindowServer tcp port 22 open
add WindowServer tcp port 23 open
add WindowServer tcp port 25 open
add WindowServer tcp port 53 open
add WindowServer tcp port 443 open
add WindowServer tcp port 110 "/usr/share/Honeyd/scripts/win32/win2k/exchange-pop3.sh"
add WindowServer tcp port 119 "/usr/share/Honeyd/scripts/win32/win2k/exchange-nntp.sh"
add WindowServer tcp port 135 open
add WindowServer udp port 136 open
add WindowServer udp port 137 open
add WindowServer udp port 138 open
add WindowServer tcp port 139 open
add WindowServer tcp port 143 "/usr/share/Honeyd/scripts/win32/win2k/exchange-imap.sh"
add WindowServer tcp port 1433 open
add WindowServer tcp port 80 "/usr/share/Honeyd/scripts/win32/win2k/iis.sh"
add WindowServer udp port 53 open
add WindowServer udp port 1434 open
add WindowServer tcp port 389 "/usr/share/Honeyd/scripts/win32/win2k/ldap.sh"
add WindowServer tcp port 901 open
48
add WindowServer udp port 1026 open
add WindowServer tcp port 1026 open
add WindowServer tcp port 1900 open
add WindowServer tcp port 5000 open
add WindowServer udp port 3389 open
add WindowServer udp port 4899 open
add WindowServer tcp port 1080 open
add WindowServer tcp port 3127 "/usr/share/Honeyd/scripts/mydoom1.pl-l/usr/share/Honeyd/scripts/mydoo
add WindowServer tcp port 3128 "/usr/share/Honeyd/scripts/mydoom1.pl-l/usr/share/Honeyd/scripts/mydoo
add WindowServer tcp port 8080 open
add WindowServer tcp port 3410 open
add WindowServer tcp port 8866 open
add WindowServer tcp port 17300 open
add WindowServer tcp port 4444 "/usr/share/Honeyd/scripts/cmdexe2003.pl-p win2003-
l/usr/share/Honeyd/scripts/cmdexe2003"
add WindowServer tcp port 8967 "/usr/share/Honeyd/scripts/cmdexe2003.pl-p win2003-
l/usr/share/Honeyd/scripts/cmdexe2003"
add WindowServer tcp port 9898 "/usr/share/Honeyd/scripts/cmdexe2003.pl-p win2003-
l/usr/share/Honeyd/scripts/cmdexe2003"
add WindowServer tcp port 20168 "/usr/share/Honeyd/scripts/cmdexe2003.pl-p win2003-
l/usr/share/Honeyd/scripts/cmdexe2003"
add WindowServer tcp port 1234 "/usr/share/Honeyd/scripts/win32/win2k/msftp.sh"
add WindowServer tcp port 5900 "/usr/share/Honeyd/scripts/win32/win2k/vnc.sh"
set WindowServer ethernet "64:00:6a:85:45:42"
#dhcp WindowServer on eth0
bind 194. WindowServer*
create WinXPComputer
set WinXPComputer personality "Microsoft Windows XP Professional SP1"
set WinXPComputer uptime 5981234
set WinXPComputer default tcp action open
add WinXPComputer tcp port 21 open
add WinXPComputer tcp port 22 open
add WinXPComputer tcp port 23 open
add WinXPComputer tcp port 25 open
add WinXPComputer tcp port 53 open
add WinXPComputer tcp port 443 open
add WinXPComputer tcp port 110 open
add WinXPComputer tcp port 119"/usr/share/Honeyd/scripts/win32/win2k/exchange-nntp.sh"
add WinXPComputer tcp port 135 open
add WinXPComputer udp port 136 open
add WinXPComputer udp port 137 open
add WinXPComputer udp port 138 open
add WinXPComputer tcp port 139 open
add WinXPComputer tcp port 143 "/usr/share/Honeyd/scripts/win32/win2k/exchange-imap.sh"
add WinXPComputer tcp port 1433 open
add WinXPComputer tcp port 80 "/usr/share/Honeyd/scripts/web.sh"
add WinXPComputer udp port 53 open
add WinXPComputer tcp port 389 "/usr/share/Honeyd/scripts/win32/win2k/ldap.sh"
49
add WinXPComputer udp port 1434 open
add WinXPComputer tcp port 901 open
add WinXPComputer udp port 1026 open
add WinXPComputer tcp port 1026 open
add WinXPComputer tcp port 1900 open
add WinXPComputer tcp port 5000 open
add WinXPComputer udp port 3389 open
add WinXPComputer udp port 4899 open
add WinXPComputer tcp port 1080 "/usr/share/Honeyd/scripts/mydoom1.pl-l/usr/share/Honeyd/scripts/myd
add WinXPComputer tcp port 10080 "/usr/share/Honeyd/scripts/mydoom1.pl-l/usr/share/Honeyd/scripts/my
add WinXPComputer tcp port 8080 open
add WinXPComputer tcp port 3128 open
add WinXPComputer tcp port 3410 open
add WinXPComputer tcp port 8866 open
add WinXPComputer tcp port 17300 open
add WinXPComputer tcp port 5554 "/usr/share/Honeyd/scripts/cmdexexp.pl-p winxp-l/usr/share/Honeyd/sc
add WinXPComputer tcp port 9898 "/usr/share/Honeyd/scripts/cmdexexp.pl-p winxp-l/usr/share/Honeyd/sc
add WinXPComputer tcp port 9996"/usr/share/Honeyd/scripts/cmdexexp.pl-pwinxp-l/usr/share/Honeyd/scr
add WinXPComputer tcp port 1234 "/usr/share/Honeyd/scripts/win32/win2k/msftp.sh"
add WinXPComputer tcp port 5900 "/usr/share/Honeyd/scripts/win32/win2k/vnc.sh"
set WinXPComputer ethernet "64:00:6a:85:45:43"
#dhcp WinXPComputer on eth0
bind 194. WinXPComputer*
create LinuxComputer
set LinuxComputer personality "Linux 2.0.34-38"
set LinuxComputer uptime 2903245
set LinuxComputer default tcp action open
set LinuxComputer default udp action open
add LinuxComputer tcp port 21 "/usr/share/Honeyd/scripts/unix/linux/ftp.sh"
add LinuxComputer tcp port 22 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/SSH.sh"
add LinuxComputer tcp port 23 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/telnetd.sh"
add LinuxComputer tcp port 25 open
add LinuxComputer tcp port 53 open
add LinuxComputer tcp port 110 "/usr/share/Honeyd/scripts/unix/general/pop/pop3.sh" ’
add LinuxComputer tcp port 135 open
add LinuxComputer udp port 136 open
add LinuxComputer udp port 137 open
add LinuxComputer udp port 138 open
add LinuxComputer tcp port 139 open
add LinuxComputer tcp port 143 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/cyrus-imapd.sh"
add LinuxComputer tcp port 443 open
add LinuxComputer tcp port 389 open
add LinuxComputer tcp port 465 open
add LinuxComputer tcp port 515 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/lpd.sh"
add LinuxComputer tcp port 990 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/proftpd.sh"
add LinuxComputer tcp port 993 open
add LinuxComputer tcp port 2086 open
add LinuxComputer tcp port 9080 open
50
add LinuxComputer tcp port 587 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/sendmail.sh"
add LinuxComputer tcp port 1433 open
add LinuxComputer tcp port 80 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/apache.sh"
add LinuxComputer udp port 53 open
add LinuxComputer tcp port 113 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/ident.sh"
add LinuxComputer udp port 1434 open
add LinuxComputer tcp port 901 open
add LinuxComputer udp port 1026 open
add LinuxComputer tcp port 1026 open
add LinuxComputer tcp port 1900 open
add LinuxComputer tcp port 5000 open
add LinuxComputer udp port 3389 open
add LinuxComputer udp port 4899 open
add LinuxComputer tcp port 1080 open
add LinuxComputer tcp port 8080 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/apache.sh"
add LinuxComputer tcp port 3128 open
add LinuxComputer tcp port 3410 open
add LinuxComputer tcp port 8866 open
add LinuxComputer tcp port 17300 open
set LinuxComputer ethernet "64:00:6a:85:45:44"
#dhcp LinuxComputer on eth0
bind 194. LinuxComputer*
create BSDComputer
set BSDComputer personality "OpenBSD 2.6-2.8"
set BSDComputer default tcp action open
set BSDComputer default udp action open
add BSDComputer tcp port 21 "/usr/share/Honeyd/scripts/unix/linux/ftp.sh"
add BSDComputer tcp port 22 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/SSH.sh"
add BSDComputer tcp port 23 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/telnetd.sh"
add BSDComputer tcp port 25 open
add BSDComputer tcp port 53 open
add BSDComputer tcp port 110 "/usr/share/Honeyd/scripts/unix/general/pop/pop3.sh"
add BSDComputer tcp port 135 open
add BSDComputer udp port 136 open
add BSDComputer udp port 137 open
add BSDComputer udp port 138 open
add BSDComputer tcp port 139 open
add BSDComputer tcp port 143 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/cyrus-imapd.sh"
add BSDComputer tcp port 443 open
add BSDComputer tcp port 389 open
add BSDComputer tcp port 465 open
add BSDComputer tcp port 515 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/lpd.sh"
add BSDComputer tcp port 990 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/proftpd.sh"
add BSDComputer tcp port 993 open
add BSDComputer tcp port 2086 open
add BSDComputer tcp port 9080 open
add BSDComputer tcp port 587 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/sendmail.sh"
add BSDComputer tcp port 1433 open
51
add BSDComputer tcp port 80 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/apache.sh"
add BSDComputer udp port 53 open
add BSDComputer tcp port 113 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/ident.sh"
add BSDComputer udp port 1434 open
add BSDComputer tcp port 901 open
add BSDComputer udp port 1026 open
add BSDComputer tcp port 1026 open
add BSDComputer tcp port 1900 open
add BSDComputer tcp port 5000 open
add BSDComputer udp port 3389 open
add BSDComputer udp port 4899 open
add BSDComputer tcp port 1080 open
add BSDComputer tcp port 8080 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/apache.sh"
add BSDComputer tcp port 3128 open
add BSDComputer tcp port 3410 open
add BSDComputer tcp port 8866 open
add BSDComputer tcp port 17300 open
set BSDComputer ethernet "64:00:6a:85:45:45"
#dhcp BSDComputer on eth0
bind 194. BSDComputer*
B Appendix B
1. IP address: 59.45.175.30
2. IP address: 116.31.116.26
3. IP address: 194.71.11.173
52
• AbuseIPDB reports: 0
• Connections: 10440
4. IP address: 54.243.196.213
5. IP address: 202.73.98.66
6. IP address: 91.189.88.161
• ISP: Canonical
• Hostname: keeton.canonical.com
• Organization: Canonical
• Connection Type: Unknown
• Location: United Kingdom
• AbuseIPDB reports: 27
• Connections: 8997
7. IP address: 54.243.175.138
8. IP address: 50.19.225.125
53
• ISP: Amazon Technologies
• Hostname: ec2-50-19-225-125.compute-1.amazonaws.com
• Organization: Amazon.com
• Connection Type: Corporate
• Location: Ashburn, Virginia USA
• AbuseIPDB reports: 0
• Connections: 7273
9. IP address: 188.92.75.10
C Appendix C
510 deny tcp any any eq 445
520 deny tcp any any eq 42
530 deny udp any any eq bootps
540 deny udp any any eq bootpc
550 deny udp any any range 135 netbios-ss
560 deny tcp any any range 135 139
570 deny udp any any eq tftp
580 deny udp any any eq sunrpc
590 deny tcp any any eq sunrpc
600 deny tcp any any eq 161
610 deny udp any any eq snmp
620 deny tcp any any eq 162
630 deny udp any any eq snmptrap
640 deny tcp any any eq 593
645 deny tcp any any eq 4786
647 deny udp any any eq 4786
740 deny udp any any eq ntp
750 deny tcp any any eq 1433
760 deny udp any any eq 1434
770 deny tcp any any eq 1434
780 deny udp any any eq 1900
790 deny tcp any any eq 1900
800 deny tcp any any eq 2967
810 deny udp any any eq 2967
830 deny tcp any any eq 4865
840 deny tcp any any eq 17
850 deny udp any any eq 17
54
860 deny tcp any any eq chargen
870 deny udp any any eq 19
55