
2.2. VMware

VMware, Inc. offers a variety of virtualization software solutions and is currently one of the most advanced players in this field. Virtualization software means that the software emulates a complete x86-based computer system and offers the possibility to run one or more operating systems within this virtual machine. In the following, we will refer to the products offered by this company simply as VMware. In principle, all of the following content can also be applied to other kinds of virtualization software solutions like Microsoft Virtual PC or Parallels Workstation/Desktop. For the sake of simplicity, we focus on VMware and point out differences if they exist.

In the remainder of this chapter, we differentiate between the host system and guest system: The computer and operating system instance that executes the VMware process is referred to as the host machine. This is your physical machine on which you install VMware. An operating system running inside a virtual machine is referred to as a guest system or a guest virtual machine. The interaction between these two kinds of systems can be rather transparent. For example, it is possible to share folders and copy and paste text and files between the host and guest system with VMware. We will always point out whether you must execute the commands on the guest or the host system.

We used the term virtual system already, but what exactly does it mean? The host machine shares the CPU and memory resources with the guest virtual machines. Like an emulator, VMware provides a completely virtualized set of hardware resources to the guest operating system. For example, each of your guest systems will have the same graphics adapter and the same network interface, regardless of the actual physical graphics adapter or network interface of the host system. Besides these two devices, VMware also virtualizes hard disks, floppy drives, and DVD/CD-ROM drives for the guest system. Moreover, the sound adapter, a USB controller, and serial and parallel ports are enabled as a pass-through driver to the host system. Figure 2.1 provides a schematic overview of VMware's architecture. The system is (almost) fully equivalent to a physical host, and within this virtualized hardware you can install any operating system that can be installed on an x86-based machine — that is, on an ordinary Intel or AMD processor.

Figure 2.1. This figure shows a schematic overview of VMware's architecture. A virtual machine monitor mediates access from the guest operating system to the actual hardware.


VMware is capable of running many different versions of Windows, starting from Windows 95 up to Windows Vista. In addition, the guest system can be Linux, most of the BSD family, Solaris for Intel, Novell NetWare, and some other operating systems. Not all of them are officially supported, but it is nevertheless possible to run them. Please note that you cannot execute operating systems that require a non-x86-based processor, such as a Sun SPARC processor or a processor from the IBM PowerPC family. At the time of this writing, it is not possible to install Mac OS X within VMware.

However, there are a variety of virtualization options available for Mac OS X. VMware offers a product called VMware Fusion that allows you to create virtual machines on an Intel-based Mac. In addition, Parallels Desktop (http://www.parellels.com) is another tool that offers similar functions. This virtualization software is also available for Intel-powered Macs. Moreover, Virtual PC from Microsoft also supports a variety of different operating systems, so you are rather flexible regarding which OS should run on your honeypot.

Regarding performance and scalability, all products offer similar possibilities. The guest systems usually achieve a performance that is slightly lower when compared to a native system, but this is not crucial for a honeypot. After all, the honeypot has no real value within your environment and is used for detecting attacks. Even if the performance is only 50 percent of the native speed, that is enough to learn more about attacks. The scalability depends on the configuration of the host system. For each virtual machine, you should budget at least 256MB RAM or, even better, 512MB. This is the amount of memory the virtual machine will use, and most operating systems require at least that much. In addition, you also need memory for the host system. For example, if you plan to have three virtual machines running Linux and a host system running Windows XP, you should have at least 3 x 256MB + 1 x 512MB = 1280MB of RAM. The CPU is also important. Since the virtual machines and the host system share the CPU, you should plan to buy a faster CPU to achieve good performance.

A guest virtual machine will become our honeypot. Figure 2.2 illustrates this differentiation. The picture gives an overview of the virtual high-interaction honeypot that we will set up during this section. The host system is your physical machine on which we install VMware. The system in dark gray is the guest virtual machine that is running within a simulated environment. As you can see, we are going to configure this honeypot with an IP address from the private network range as defined in RFC 1918 (IP address 192.168.1.2 in dark gray for the guest system). This means that the honeypot in this configuration will not be reachable from the Internet. It serves just for testing purposes and to familiarize you with the concept of high-interaction honeypots. At the end of this section, we show how to change the configuration so that the honeypot is also reachable from other hosts on the Internet. Afterward, your honeypot is "live" and can also be attacked by adversaries from all over the world. At that point you start to collect real information about cyber attacks against your honeypot.

Figure 2.2. Setup of virtual high-interaction honeypot based on VMware.


2.2.1. Different VMware Versions

You should be aware that VMware is a commercial solution. However, VMware, Inc., also offers some versions of the software that you can download and use for free. We continue this section with some background information on the different versions of virtualization software by VMware and then continue with the installation process.

Currently, VMware, Inc., offers several solutions of virtualization software. As just noted, some of them are commercial, and some of them can be used for free. The following four solutions are something to consider when you use VMware to build a virtual honeynet:

We will focus on VMware Player and VMware Server, since these two versions are available for free. For the guest virtual machine, we prefer Windows 2000 for two reasons. First, a Windows honeypot has a high chance of being compromised in a short amount of time. This will give you instant feedback when you set up a high-interaction honeypot. You will quickly learn whether this is the right tool for your work. Second, a Windows honeypot can also be used for some other purposes, such as to analyze a given malware binary. For now, this is not very important, but we will introduce several applications of high-interaction honeypots in later chapters for which Windows-based honeypots are useful. If you want, you can also use other operating systems for your virtual honeypots. In general, the steps outlined in this chapter can be applied to other operating systems, and we mention differences where necessary. Once you are familiar with the concept of high-interaction honeypots, you will most likely want to run different kinds of honeypots.

2.2.2. Virtual Network with VMware

Before starting the installation process, it is important to examine the different possibilities of a virtual network. Our honeypots need to have network access, since we want to learn more about cyber attacks. Up to three virtual network cards can be configured in each virtual machine. Each of them appears to the guest system as a generic Ethernet card with the model AMD PCNet II. You can configure these virtual interfaces like a real network interface; the virtual network is transparent for the guest virtual machines. VMware offers four different ways to configure a virtual network between the host system and the guest virtual machines. Of course, it is also possible to configure no network at all, but this is useless for a honeypot setup because you want your honeypot to be accessible from other machines.

These are the four different methods:

When VMware is installed on your computer, the host system will have a few additional network interfaces. By default, each of the first three networking options creates network interfaces that correspond to the different network modes. On Linux, the names of these interfaces begin with vmnet: vmnet0 is dedicated to bridged mode, vmnet1 is dedicated to host-only mode, and vmnet8 is for NAT mode. Six additional interfaces (vmnet2 to vmnet7) are available if you choose the custom networking mode. On Windows, these additional interfaces are also available under the same names.

There are two things you should be aware of. First, in bridged mode, the virtual machines use vmnet0, which by default maps to the first available network interface (eth0 on Linux). If you have more than one physical network card in your host system, you should manually map the virtual and physical network interfaces.

Second, in NAT mode, you can establish a connection between the host virtual network interface and a physical network adapter on the host system. This allows you, for example, to connect the virtual machine to a non-Ethernet network. To use this feature, you have to configure the host system accordingly: For Windows as host system, use the Internet connection sharing (ICS; available under Control Panel, Network Connections) option. For Linux, you must enable the IP forwarding option with the help of the command

$ sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Note that the redirection into /proc is performed by your own (unprivileged) shell, not by sudo, so the whole command has to be wrapped in sh -c; a plain "sudo echo 1 > ..." fails with a permission error. Equivalently, you can run sudo sysctl -w net.ipv4.ip_forward=1.

For further references and extensive documentation, we recommend that you take a look at the official documentation available at http://www.vmware.com/support/pubs/.

2.2.3. Setting Up a Virtual High-Interaction Honeypot

Now that we have seen the basics of VMware, we will take a look at the actual installation and setup process. As just noted, we will guide you through the process of setting up a virtual honeypot based on VMware Player/Server and Windows 2000 Professional. This virtual machine can then be used as the basis for your experiment with honeypots.

Some prerequisites have to be met by your host system. It should have at least 512MB of RAM to run virtual machines without too much swapping. We recommend at least 1GB of RAM or even more for better performance. Remember that the host system and the virtual machines share the resources of the physical system, so more RAM is even better. A modern processor offers enough performance to execute even several virtual machines in parallel. We recommend that your processor has at least 1GHz to have decent performance. Moreover, you should have at least 4GB of hard disk space for each virtual machine. Your host operating system must be either Windows or Linux. If you want to install the Linux version, please make sure that you have installed a developer environment — that is, a compiler (usually gcc), a linker (usually ld), and additional tools should be installed. Furthermore, you need the kernel header files according to your running Linux version. Please consult the documentation of your Linux distribution if you are unsure.

2.2.3.1. Installation and Setup for VMware Player

VMware Player, the software capable of running preconfigured virtual machines, is the entry solution, and we cover the installation process first. Setting up VMware Player requires only a few steps:

1. You find the download link at http://www.vmware.com/download/player/. You should fill out a short survey to provide some feedback to VMware Inc. Next, read and, if applicable, agree to the end user license agreement (EULA) before starting the download process. The EULA states that you can use this software "solely for your own internal information processing services and computing needs." In addition, you must have written permission from VMware, Inc., if you want to distribute the software. Please read the EULA yourself to learn more about further details.

2. Choose an appropriate version of VMware Player. If your host system runs Windows, please choose the .exe version. For running it under Linux, you can either choose an RPM package (suitable for Red Hat, Fedora Core, and other RPM-based distributions) or download the tool with its source code as a tar.gz archive.

3. Depending on the version of VMware Player you are going to use, do one of the following:

a. If you have chosen the Windows version, double click on the downloaded file and follow the on-screen instructions. You can simply accept the default values.

b. If you have chosen the RPM package, install the software with

$ sudo rpm -i VMware-player-VERSION.i386.rpm

VERSION must be substituted with the actual version of VMware Player you downloaded earlier. Afterward, you must start the configuration of the software with the help of the command

$ sudo vmware-config.pl

Again, please follow the on-screen instructions. If you are unsure, just follow the suggestions of the configuration program or consult the online documentation of VMware Player.

c. If you have chosen the tar.gz archive, extract the software with the command

$ tar xzvf VMware-player-VERSION.i386.tar.gz

VERSION must be substituted with the actual version of VMware Player you downloaded earlier. Afterward, start the installation process via

$ cd vmware-player-distrib/
vmware-player-distrib/ $ sudo ./vmware-install.pl

and follow the on-screen instructions. You can safely accept the defaults given by the installer.

No further configuration is necessary, since all the steps have already been covered during the installation process. If you want to change the configuration under Linux, execute the command

$ sudo /usr/bin/vmware-config.pl

and follow the on-screen instructions.

To start the VMware Player under Windows, double click on the icon, and then the software will start up. For Linux, execute the command

$ /usr/bin/vmplayer

In the following dialog, you can choose a .vmx file (virtual machine format from VMware). This file describes which kind of virtual machine you want to start and contains the necessary configuration — for example, the location of your virtual disk, memory size, and some basic hardware setup information. According to your selection, a guest virtual machine is started, and you can interact with it like with a "normal" computer system. Presumably you will not notice any difference between this virtual machine and a real machine; the virtualization is transparent. Furthermore, you can easily share such a virtual machine with others.

In addition, VMware's Technology Network (VMTN) provides technical and community resources for you. You can download prebuilt virtual appliances at http://www.vmware.com/vmtn/appliances/ and use them with the VMware Player. For example, you can download a preconfigured virtual machine that is configured for web browsing. By using this virtual machine for surfing the World Wide Web, you are safer from attacks by malicious websites. Such a website can only compromise the virtual machine, and all your private data that reside on the host machine are safe. Many other specialized virtual machines are available at the VMTN; just visit the website and explore the different appliances.

Please note that you cannot create your own virtual machines with the software provided by VMware, but you can execute a given guest virtual machine. However, we will show in Section 2.2.4 how you can build your own virtual machines with the help of third-party software.

2.2.3.2. Installation and Setup for VMware Server

With the VMware Server software, you can also create your own guest virtual machines that you can then use as virtual honeypots. The installation process is similar to the one for the VMware Player and requires three steps:

1. You find the download link at http://www.vmware.com/download/server/. You should fill out a short survey before proceeding to the next step.

2. Before you can download the software, you must log in. If you already have an account, sign in. If not, create an account and register at the VMware website. Afterward, you should read the agreement for using the software and, if you accept it, agree to the terms. Then you can start the download process by choosing the appropriate version for your host system. For Windows systems, you should download the VMware Server for Windows Operating Systems version and for Linux systems the VMware Server for Linux version in either RPM or tar.gz format. In addition, you should also download the client package for your operating system so that you have an additional option to interact with your VMware Server.

3. Depending on the version of VMware Server you are going to use, do one of the following:

a. If you have chosen the Windows version, double click on the downloaded file and follow the on-screen instructions. You can simply accept the default values.

b. If you have chosen the RPM package, install the software with

$ sudo rpm -i VMware-server-VERSION.i386.rpm

VERSION must be substituted with the actual version of VMware Server you downloaded earlier. Afterward, start the configuration of the software with the help of the command

$ sudo vmware-config.pl

Again, please follow the on-screen instructions. If unsure, just follow the suggestions of the configuration program or consult the online documentation.

c. If you have chosen the tar.gz archive, extract the software with the command

$ tar xzvf VMware-server-VERSION.i386.tar.gz

VERSION must be substituted with the actual version of VMware Server you downloaded earlier. Afterward, start the installation process via

$ cd vmware-server-distrib/
vmware-server-distrib/ $ sudo ./vmware-install.pl

and follow the on-screen instructions. You can safely accept the defaults given by the installer.

To start the VMware Server under Windows, double click on the icon and then the software will start up. For Linux, execute the command

$ sudo /etc/init.d/vmware start

The main interface of VMware will start, and you should make yourself familiar with the different possibilities. In the following, we show you how to create a virtual high-interaction honeypot with VMware. Please note that VMware offers many more possibilities. For more options, please consult the VMware documentation, since this is out of the scope of this book.

2.2.4. Creating a Virtual Honeypot

At this point, you should have a running VMware Player or VMware Server. We are now going to set up a virtual honeypot within our guest virtual machine. In the first step, we install a basic operating system. This process is very similar to installing an operating system on a normal, physical machine. In the second step, we install some additional software on the host and guest system to enable a flexible way of collecting information about the data entering and leaving the honeypot. And in the last step we show how you can set up multiple honeypots to create a virtual honeynet.

2.2.4.1. Using VMware Server or VMware Workstation

If you use VMware Server or (an evaluation version of) VMware Workstation, you can create a guest virtual machine on your own. Choose File, New, Virtual Machine, or press CTRL + N to start the configuration process. Follow the on-screen instructions from the configuration wizard to configure the basics of your new virtual machine. You can accept the recommendations of the configuration program to obtain a flexible system. The only exception is the Network Type. Choose "Use network address translation (NAT)," since we will set up a virtual honeypot using NAT first. Later on, we will change the network type to bridge mode to enable full network access for the virtual honeypots.

Once this is done, you have a skeleton of a virtual machine. Now you can install an operating system within this system. You have two options for the installation process: Either you use a bootable Windows 2000 CD-ROM or a CD-ROM with your OS of choice. After having inserted the CD-ROM, boot up the virtual machine, and the installation process starts. The second option is to use an ISO image of an OS. You can configure your virtual CD-ROM drive to treat a given ISO image as a normal CD-ROM. To configure this, choose Commands, Edit virtual machine settings at the main status window. Then select the CD-ROM drive, and change the connection to use an ISO image. Afterward, this ISO image is treated as if it would be a real CD-ROM drive.

If you now start this virtual machine, the installation process begins. Install the operating system within the guest virtual system like you would install it on an ordinary computer. After all, the virtualization software provides you with virtual hardware that is (almost) indistinguishable from a real computer system. To continue our example, please install Windows 2000 within the guest virtual system.

2.2.4.2. Using VMware Player and QEMU

With the VMware Player software alone, you are only able to execute a given guest virtual machine with a .vmx file (virtual machine format from VMware). In this section, we show you how to create your own virtual machines with the help of the open source software QEMU, a free emulator available at http://fabrice.bellard.free.fr/qemu/. With this software, you can achieve similar results as with VMware. However, VMware is easier to use and offers more flexibility, whereas QEMU emulates a real computer system. These instructions to use QEMU in order to build a virtual machine were first published in a slightly different form at http://www.hackaday.com/.

QEMU itself is also virtualization software and capable of most of the features VMware Workstation offers (snapshots, multiple guest virtual machines, and more). It is released under the terms of the GNU General Public License (GPL), and thus you can freely distribute it. We advise you to also use the QEMU Accelerator since it increases the performance of QEMU significantly. You can find more information about this accelerator at http://fabrice.bellard.free.fr/qemu/kqemu-doc.html. Binary packages of QEMU for Windows (http://www.h7.dion.ne.jp/~qemu-win/) and Mac OS X (http://www.kju-app.org/kju/) are also available. Moreover, you can find many ready-to-run images of QEMU virtual machines with a free operating system at the Free OS Zoo (http://www.oszoo.org/).

We now describe the process of using QEMU to configure a virtual machine file for VMware. First, you have to install QEMU itself. If you are using Windows, you can download the latest version from http://free.oszoo.org/ftp/qemu/win32/release/. After the download has finished, double click the installer and follow the on-screen instructions. If you are using Linux, you have two options. First, if your distribution offers QEMU, you can use the package manager and install it. For example, if you are using Debian, you can install QEMU via

$ sudo aptitude install qemu

Second, you can install QEMU from its source. Download the latest version from http://fabrice.bellard.free.fr/qemu/download.html and install with the usual command sequence:

$ tar xzvf qemu-VERSION.tar.gz
$ cd qemu-VERSION
$ ./configure
$ make
$ sudo make install


To create your own virtual machine files, you need the qemu-img.exe program (Windows) or the qemu-img program (Linux), respectively. The following command will create a VMware disk file for you:

C:\Program Files\Qemu>qemu-img.exe create -f vmdk Win2000Pro.vmdk 4G
Formating 'Win2000Pro.vmdk', fmt=vmdk, size=4194304 kB

Please note that this command sequence is for the Windows version of QEMU. The Linux version is similar — just ignore the .exe extension.

A file "Win2000Pro.vmdk" with a maximum disk size of 4G has been created. Since this is a dynamically growing disk image, the actual file is less than 1MB in size for now. You should move this file to the directory where you store your virtual machine files.

In the next step, we create the .vmx file that stores information about the guest virtual machines and is used to configure various parameters. Open your favorite editor and create a file with the name "Win2000Pro.vmx." Insert the following content to create a new virtual machine:

config.version = "8"
virtualHW.version = "3"

# We use the disk image we created in the previous step
ide0:0.present = "TRUE"
ide0:0.filename = "Win2000Pro.vmdk"
ide0:0.redo = ""

# The amount of memory (in MB) we want to give the virtual machine
memsize = "512"
MemAllowAutoScaleDown = "FALSE"

# We use the physical CD-ROM drive of the host system
ide1:0.present = "TRUE"
ide1:0.fileName = "auto detect"
ide1:0.deviceType = "cdrom-raw"
ide1:0.autodetect = "TRUE"
ide1:0.startConnected = "TRUE"

# We disable the support for a floppy drive
floppy0.present = "FALSE"

# Enable the Ethernet interface, the USB controller, and
# the sound support
ethernet0.present = "TRUE"
# Start in NAT mode for testing; Section 2.2.6 switches this to "bridged"
ethernet0.connectionType = "nat"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:42:23:0a"
ethernet0.generatedAddressOffset = "0"
usb.present = "TRUE"
sound.present = "TRUE"
sound.virtualDev = "es1371"

# This is the title displayed in the VMware Player window
displayName = "Windows 2000 Professional"

# We use Windows 2000 Professional as guest virtual system
guestOS = "win2000Pro"

# Name of the NVRAM (BIOS settings) file created while running VMware Player
nvram = "Win2000Pro.nvram"
MemTrimRate = "-1"

# Internal configuration
uuid.action = "create"
tools.syncTime = "TRUE"
checkpoint.vmState = ""


The configuration file defines all components of your virtual machine. Options like the amount of virtual memory, CD-ROM drive, or network configuration are set. The comments inside the file explain what each section is about and should be enough to make you familiar with the structure of such a .vmx file.
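Before powering on a hand-written .vmx file, it is worth checking it mechanically for the settings the honeypot depends on: a boot disk, enough memory, a network interface, and an explicit network mode (a missing ethernet0.connectionType leaves the choice between NAT and bridged to VMware's default). The following parser and checker is an added example, not the book's or VMware's code; the sample .vmx text is constructed here, based on the configuration above with the connection type left out on purpose, and the key names are the ones used in the file above.

```python
import re

# Constructed sample (not the book's file): the configuration above with a
# few keys left out, so the checks below have something to report.
SAMPLE_VMX = '''\
config.version = "8"
virtualHW.version = "3"

# disk image created with qemu-img
ide0:0.present = "TRUE"
ide0:0.filename = "Win2000Pro.vmdk"
ide0:0.redo = ""

memsize = "512"
MemAllowAutoScaleDown = "FALSE"

ethernet0.present = "TRUE"
ethernet0.addressType = "generated"
ethernet0.generatedAddress = "00:0c:29:42:23:0a"

displayName = "Windows 2000 Professional"
guestOS = "win2000Pro"
'''

# One entry per line: key = "value"; keys may contain ':' (ide0:0.present)
ENTRY_RE = re.compile(r'^([A-Za-z0-9_.:]+)\s*=\s*"(.*)"$')


def parse_vmx(text):
    """Parse .vmx text into a dict. VMware treats keys case-insensitively,
    so they are stored lowercased; blank lines and '#' comments are skipped."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError('line %d is not a key = "value" entry: %r' % (lineno, raw))
        entries[m.group(1).lower()] = m.group(2)
    return entries


def is_true(entries, key):
    return entries.get(key, '').upper() == 'TRUE'


def check_honeypot_vmx(entries, min_memsize_mb=256):
    """Return a list of findings (strings); an empty list means the file passes."""
    findings = []

    # Boot disk: the honeypot needs the disk image created with qemu-img.
    if not is_true(entries, 'ide0:0.present'):
        findings.append('ide0:0.present is not TRUE: no boot disk is attached')
    elif not entries.get('ide0:0.filename', '').lower().endswith('.vmdk'):
        findings.append('ide0:0.filename does not name a .vmdk disk image')

    # Memory: the chapter recommends at least 256MB, better 512MB, per guest.
    memsize = entries.get('memsize')
    if memsize is None or not memsize.isdigit():
        findings.append('memsize is missing or not a number')
    elif int(memsize) < min_memsize_mb:
        findings.append('memsize %sMB is below the recommended %dMB'
                        % (memsize, min_memsize_mb))

    # Network: a honeypot without a network interface is useless, and the
    # mode decides whether it is reachable from outside (see Section 2.2.6).
    if not is_true(entries, 'ethernet0.present'):
        findings.append('ethernet0.present is not TRUE: the honeypot has no network')
    else:
        mode = entries.get('ethernet0.connectiontype')
        if mode is None:
            findings.append('ethernet0.connectionType is not set: VMware will apply its '
                            'default; set "nat" for testing or "bridged" to go live')
        elif mode.lower() == 'bridged':
            findings.append('ethernet0.connectionType is bridged: the honeypot will be '
                            'reachable from the network, safeguard it first')

    # The guest OS identifier should match what the window title claims.
    if entries.get('guestos', '').lower().startswith('win2000') and \
            '2000' not in entries.get('displayname', ''):
        findings.append('displayName does not mention Windows 2000 although '
                        'guestOS is win2000Pro')

    return findings


if __name__ == '__main__':
    for finding in check_honeypot_vmx(parse_vmx(SAMPLE_VMX)):
        print('WARNING:', finding)
```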

Now all prerequisites are fulfilled to start the installation process. Insert your Windows 2000 Professional CD-ROM in the CD-ROM drive and then double click on the file you just created. Now the VMware Player will boot from the CD-ROM, and you can install Windows 2000 Professional within the guest virtual system.

Some further tips and tricks to configure your guest virtual machine:

If you are a more experienced user, you can also use QEMU instead of VMware Player or VMware Server, since QEMU offers most of the functionality we need for our virtual honeypot. In Section 2.4.2 we will take a closer look at QEMU in conjunction with Argos.

2.2.5. Adding Additional Monitoring Software

You now have a guest virtual machine with a running instance of Windows 2000 Professional. In the next step, we install some additional software at both the host and guest system that allows us an extended monitoring of what is going on at our honeypot. With the help of these additional tools, we are able to closely monitor our honeypot. This mainly aids in the day-to-day handling of the honeypot and for forensics. The extended logging data lets us collect more information about what is going on at the system.

2.2.5.1. Monitoring at the Host System

At the host system, we can monitor several aspects. First, we can capture all network data entering and leaving the honeypot system. Since all this data passes through the host system, we can use tcpdump or Wireshark/Tshark at the interface used to connect the guest virtual system to the network. We thus capture all network communication of the honeypot and can use this information later on to study attacks. This process is transparent for the honeypot systems, and there are no indications left that reveal this monitoring.

Moreover, you should also enable a firewall on the host system. Imagine that a piece of autonomous spreading malware compromises your Windows honeypot. Presumably, it then tries to propagate further by attacking other systems. Since you do not want other systems on the Internet infected by this piece of malware, you should block outgoing malicious connections ("extrusion prevention"). As an additional layer of defense, you can also enable an inbound firewall on the host system that blocks access to common ports used by autonomous spreading malware. As a best practice, we advise you to block both inbound and outbound traffic on TCP and UDP ports 445, 135, 139, and 1025 to mitigate the risk involved. These ports are commonly used by Windows-based machines for different tasks (e.g., remote procedure calls) and had several critical security vulnerabilities in the past. By blocking outgoing traffic on these ports, you can make sure that your honeypot will not attack other vulnerable systems located elsewhere on the Internet on these ports. By blocking inbound connections, you make sure that no "boring attacks" happen at your honeypot. In addition, you can also install an IDS like Snort (http://snort.org) on the host system to learn more about the actual attacks against your honeypot. We will not cover this process in more detail for now. In Section 2.5 we introduce a powerful approach to safeguarding your honeypot that enables this kind of protection system.
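Because the host captures every packet of the honeypot with tcpdump, the same capture can be used to verify that the firewall policy just described actually holds: any outbound connection attempt from the honeypot to one of the blocked ports means the extrusion rules are not working. The script below is an added example, not from the book; it parses the text output of tcpdump -n (IPv4 only), uses the honeypot address 192.168.1.2 from Figure 2.2, and runs over a constructed capture that mixes an inbound probe, normal web traffic, and two outbound SMB/RPC attempts.

```python
import re

HONEYPOT_IP = '192.168.1.2'          # honeypot address used in Figure 2.2
WATCH_PORTS = {445, 135, 139, 1025}  # ports the text recommends blocking

# tcpdump -n text lines, IPv4 only, e.g.
#   12:00:01.000001 IP 192.168.1.2.1033 > 10.0.0.5.445: Flags [S], seq 1, win 64240, length 0
#   12:00:10.000000 IP 192.168.1.2.137 > 192.168.1.255.137: UDP, length 50
PACKET_RE = re.compile(
    r'^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > '
    r'(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<rest>.*)$')

# Constructed capture (not real traffic): an inbound scan of the honeypot's
# port 445 and its SYN-ACK reply, a harmless web request, two outbound SMB/RPC
# connection attempts (what a worm on the honeypot would produce) and a
# NetBIOS name broadcast.
SAMPLE_CAPTURE = '''\
12:00:01.000001 IP 203.0.113.7.4321 > 192.168.1.2.445: Flags [S], seq 100, win 65535, length 0
12:00:01.000100 IP 192.168.1.2.445 > 203.0.113.7.4321: Flags [S.], seq 200, ack 101, win 64240, length 0
12:00:05.000000 IP 192.168.1.2.1034 > 198.51.100.9.80: Flags [S], seq 300, win 64240, length 0
12:00:09.000000 IP 192.168.1.2.1035 > 198.51.100.23.445: Flags [S], seq 400, win 64240, length 0
12:00:09.500000 IP 192.168.1.2.1036 > 198.51.100.23.135: Flags [S], seq 500, win 64240, length 0
12:00:10.000000 IP 192.168.1.2.137 > 192.168.1.255.137: UDP, length 50
'''.splitlines()


def parse_packet(line):
    """Return a dict for one tcpdump line, or None for lines we do not handle
    (ARP, IPv6, continuation lines of -v output, ...)."""
    m = PACKET_RE.match(line.strip())
    if m is None:
        return None
    rest = m.group('rest')
    if rest.startswith('UDP'):
        proto, new_attempt = 'udp', True          # every datagram counts
    elif rest.startswith('Flags ['):
        flags = rest[len('Flags ['):rest.index(']')]
        proto, new_attempt = 'tcp', flags == 'S'  # bare SYN = connection attempt
    else:
        return None
    return {'ts': m.group('ts'), 'proto': proto, 'new_attempt': new_attempt,
            'src': m.group('src'), 'sport': int(m.group('sport')),
            'dst': m.group('dst'), 'dport': int(m.group('dport'))}


def audit_capture(lines, honeypot_ip=HONEYPOT_IP, watch_ports=WATCH_PORTS):
    """Return (direction, packet) pairs for every new connection attempt on a
    watched port.  'outbound' means the honeypot tried to reach another host
    on such a port (it should have been blocked: possible propagation);
    'inbound' means someone probed the honeypot on it."""
    findings = []
    for line in lines:
        pkt = parse_packet(line)
        if pkt is None or not pkt['new_attempt'] or pkt['dport'] not in watch_ports:
            continue
        if pkt['src'] == honeypot_ip:
            findings.append(('outbound', pkt))
        elif pkt['dst'] == honeypot_ip:
            findings.append(('inbound', pkt))
    return findings


def outbound_targets(findings):
    """Hosts the honeypot tried to contact on watched ports, with the ports."""
    targets = {}
    for direction, pkt in findings:
        if direction == 'outbound':
            targets.setdefault(pkt['dst'], set()).add(pkt['dport'])
    return targets


if __name__ == '__main__':
    results = audit_capture(SAMPLE_CAPTURE)
    for direction, pkt in results:
        print('%s %-8s %s:%d -> %s:%d/%s' % (pkt['ts'], direction, pkt['src'],
              pkt['sport'], pkt['dst'], pkt['dport'], pkt['proto']))
    if outbound_targets(results):
        print('ALERT: outbound traffic on blocked ports, check the host firewall')
```

On a real host, feed it the output of tcpdump -n -r honeypot.pcap (or the live text output of tcpdump -n -i on the interface the honeypot uses).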

2.2.5.2. Monitoring at the Guest System

In the previous section we briefly introduced several methods to collect additional information at the host system. This provides more information about cyber attacks, but the most valuable information can be collected at the honeypot itself — within the guest virtual machine. If we are able to closely monitor this system, we can, for example, observe what the attacker is typing, which tools he is executing, and how he is escalating his privileges. Here is another example of why we must closely monitor the virtual honeypot: Imagine that the attacker uses an encrypted session via SSH to connect to the honeypot. If he then downloads additional tools via an SSL-encrypted website, the network dumps collected at the host system are pretty useless. Since the complete session is encrypted and we do not know the correct key to decrypt the network stream, the tcpdump logs are of little use to us. However, if we can observe the keystrokes and everything else at the honeypot itself, we can see which commands the attacker executes within the SSH session and which tools he downloads from the SSL-encrypted website. This way we can learn more about his procedures and study the attacker in more detail.

At the guest system, we are going to install the tool Sebek, which can collect all the necessary information to reconstruct what exactly the attacker did on the honeypot. With it we can overcome the limitations of simple network logging at the guest system and other drawbacks, as just pointed out. Sebek is developed by the Honeynet Project and is available at http://www.honeynet.org/tools/sebek. We will discuss Sebek in more detail in Section 2.5.1. For now, you can think of Sebek as a mechanism that transparently captures information about everything that happens at the honeypot system. Basically Sebek helps us to closely monitor the inner status of the honeypot.

Download the latest version of Sebek from http://www.honeynet.org/tools/sebek. Choose the version for Windows-based systems and download it to your guest virtual machine. Then execute the binary and follow the on-screen instructions. You have to answer a few questions and then reboot the virtual machine. Afterward, your honeypot is equipped with Sebek, and you can easily collect a huge amount of information. To leave no signs of Sebek on the honeypot system, delete the downloaded installer and empty the Recycle Bin of your Windows 2000 installation afterward.

2.2.6. Connecting the Virtual Honeypot to the Internet

We introduced the different network capabilities of VMware in Section 2.2.2. In our current setup, the guest virtual machine uses NAT networking, and therefore it is not reachable by other systems on the Internet. We have chosen NAT networking for test purposes. You can safely play around with your honeypot without fear that an attacker might compromise the system while you are experimenting with it.

Now we want to connect our honeypot to the real Internet. First, shut down the guest virtual machine and then choose Commands, Edit virtual machine settings at the main status window. In the configuration window you see the settings of the Ethernet adapter. Change the setting from NAT networking to Bridged Networking and click the OK button. From now on, your guest virtual machine will use bridged networking.

Before you power on your honeypot, make sure that you have a second IP address the honeypot can use. Either your ISP can provide you with one or, if you are setting up the honeypot within a corporate environment, consult your network administrator. Read Section 2.5 carefully to learn how to safeguard your honeypot. This helps you to mitigate the risk involved when running such a system.

Once you have configured a safeguard for your honeypot, boot up the guest virtual machine and configure the Windows honeypot to use the second IP address. Make sure that your honeypot can reach other systems on the Internet and also that other systems can reach your honeypot. Now your honeypot is live — that is, it receives malicious network traffic and collects information about malicious activities. Congratulations!

2.2.7. Building a Virtual High-Interaction Honeynet

Until now, we have set up a virtual high-interaction honeypot based on Windows 2000 Professional. However, it is also possible to build a whole virtual high-interaction honeynet — that is, a network of honeypots. The process is easy: Just repeat the steps we have outlined in Section 2.2.4 to set up additional guest virtual machines. You can then configure these machines as honeypots, similar to the steps described in that section. The different guest virtual machines can then interact with each other and form a high-interaction honeynet.

How you configure your honeypots depends on what you want to achieve. For example, if you are interested in attacks against Windows systems, install Windows in the configuration you are interested in. However, if you want to observe attacks against Linux servers, set up your honeypot as a "normal" Linux server and connect it to the Internet. Another approach is to install software on the honeypot that has vulnerabilities that were published in the preceding few weeks or months. For example, if a new security advisory is published for a popular web application, you could set up a honeypot with just this particular web application and then observe attacks against it.

With a virtual high-interaction honeynet you can collect even more information about the tools, tactics, and motives of attackers. You can study attacks against different operating systems or different network services. In addition, you can observe how attackers proceed on different kinds of systems and which tools they use. With the virtual approach it becomes easy to manage the honeynet. You can dynamically add or delete honeypots from the honeynet or, by simply resetting the virtual machine, rebuild parts of the honeynet. Per guest virtual machine you should reserve at least 256MB RAM, but 512MB RAM is better. This gives the guest systems enough memory to work with, and they run more smoothly. Thus, the underlying host system should be equipped with a rather large amount of memory, preferably at least 1GB.
