
4.7. Services

Although Honeyd already provides sophisticated ways to respond to network traffic, the realism of a honeypot comes from the services an adversary can talk to. The effort you put into providing a realistic service pays off directly in the form of more detailed information from the adversary. In the following, we give some brief examples of how to configure and write your own services.

In the simple case, a service is an application that reads input from stdin and writes output to stdout. Internet services that are started via Inetd are one example.

Let's say we just want to create a very simple service that says "hello" to the user and then echoes back all the input the user sends. We could achieve this with the shell script shown in Figure 4.12.

Figure 4.12. Simple service script for Honeyd that echoes back network input to the connected user. The script receives the network input via stdin and stdout is sent back to the network.

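#!/bin/sh
# Greet the client, then echo each line of network input back.
echo "Hello you!"
# IFS= and -r keep whitespace and backslashes in the input unchanged.
while IFS= read -r data
do
 # printf prints the line as data; echo could treat it as an option or escape.
 printf '%s\n' "$data"
done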

Save this file under Honeyd's scripts directory as hello.sh. For the following steps, Honeyd must be set up so that you can reach the virtual honeypots via the loopback interface.

The configuration file shown in Figure 4.13 creates a template that has your hello.sh configured to run on TCP port 23; this is the port used by telnet. Save this configuration file as test.config and then start honeyd with

honeyd -d -i lo -f test.config

Figure 4.13. Simple Honeyd configuration to test the hello.sh service script. The configuration instructs Honeyd to create one virtual honeypot that responds to telnet connections.

create test
add test tcp port 23 "scripts/hello.sh"

bind 10.1.0.2 test

It is important that the script is executable and that you specify the correct path in Honeyd's configuration file; otherwise, you are going to receive an error message. If everything is set up correctly, you should be able to connect to the virtual honeypot at 10.1.0.2, simply by typing

telnet 10.1.0.2

You should now see a single line saying "Hello you!" and then an echo for every line that you type into the console. Because we are running Honeyd in debug mode, you will see additional information about the established connection in the terminal window in which Honeyd is running. If you do not see any information there, that usually indicates that Honeyd is not seeing your network packets, and you should go back to the earlier section and make sure that your routes are set up correctly.

Whenever Honeyd receives a connection for this port, it starts a new process that executes the specified script. If you plan to deploy Honeyd on a busy network, this might cause hundreds of new processes to be started and could slow down your system significantly. Fortunately, there are several other ways to create services that have better performance. You can find more information on this and also on how to create more realistic services in Chapter 5.

One word of caution: Shell scripts are notorious for problems with command injection attacks. It is important to properly escape and quote all input before manipulating it.
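
One way to follow this advice in a Honeyd service script, as an added example that is not from the original text: input is sanitized, matched against a fixed allowlist with case, and only ever printed through a quoted printf. The command names, the replies and the --serve argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: a Honeyd stdin/stdout service that treats network input as data.
# Command names and replies are constructed for illustration.
#
# Patterns this script avoids, because the shell re-parses or expands the input:
#   eval "echo $data"      sh -c "grep $data motd"      echo $data

# Keep only printable ASCII (drops telnet's CR, control bytes and terminal
# escapes) and cap the length before the line is used anywhere.
sanitize() {
    printf '%s' "$1" | LC_ALL=C tr -cd '[:print:]' | cut -c1-200
}

# Answer one input line. Sets the globals $line and $cmd for the caller.
handle_line() {
    line=$(sanitize "$1")
    cmd=${line%% *}              # first word, taken without word splitting
    case "$cmd" in               # fixed allowlist; input is never executed
        help) printf '%s\n' "commands: help, echo, quit" ;;
        echo) args=${line#"$cmd"}
              printf '%s\n' "${args# }" ;;
        quit) printf '%s\n' "bye" ;;
        "")   ;;
        *)    printf '%s\n' "unknown command: $cmd" ;;
    esac
}

serve() {
    printf '%s\n' "Hello you!"
    while IFS= read -r data; do  # -r and IFS= keep the line byte-for-byte
        handle_line "$data"
        if [ "$cmd" = "quit" ]; then break; fi
    done
}

# Hypothetical convention of this example: run the loop only with --serve.
if [ "${1:-}" = "--serve" ]; then serve; fi
```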
