Honeyd Intrusion Detection System

Introduction

Honeyd is a daemon that creates virtual hosts on a network. Each virtual host can be given an operating-system personality and a set of simulated services, so a single machine can present several simulated computers, or an entire simulated network topology, to anyone probing it. In network security, Honeyd is used to build honeypots. A honeypot is a security mechanism deployed to detect unauthorized or malicious use of an information system. To protect a network, several honeypots can be placed as “bait” to distract attackers, record their activity and, where possible, trace them back; the “trail” an attacker leaves on a honeypot can then be analysed to improve the security of the real systems. A honeypot can also be made to look like a “valuable” target so that attackers are drawn to it rather than to production hosts; it may deliberately expose seemingly vulnerable services so that the attacker “drops into” the honeypot.

Honeypot Basic Structure

[Figure: honeypot_structure diagram, not reproduced here]

Honeypot Real Cases

  • In 1995, Kevin Mitnick was arrested after Tsutomu Shimomura tracked him with the help of a honeypot.
  • In 2017, Dutch police used honeypot techniques to track down users of the darknet market Hansa.

Installation

Step 1: Download Honeyd 1.6d package

The version used in this example is Honeyd 1.6d, the fork maintained by DataSoft on GitHub until 2013. It can be downloaded from: https://github.com/DataSoft/Honeyd

Step 2: Install Honeyd dependencies

To ensure that Honeyd builds successfully, the following libraries (with their development headers) have to be installed first:

  • libevent (for event notification)
  • libdnet (for packet creation)
  • libpcap (for packet sniffing)
  • libpcre (Perl-compatible regular expression library; optional; for subsystems)

For Ubuntu Linux, you also need the build tools:

  • bison and flex (parser and lexer generators)
  • libtool (generic library support script)
  • automake (automates the compilation process)

You can install these dependencies in Ubuntu with the following command in Terminal (libdumbnet-dev is Ubuntu's package name for libdnet, and libedit-dev supplies the line-editing library used by the honeydctl control program):

$ sudo apt-get install libevent-dev libdumbnet-dev libpcap-dev libpcre3-dev libedit-dev bison flex libtool automake

Step 3: Install Python 2.7 and GCC

Python 2.7 and GCC are also needed for the Honeyd build, together with make, which drives the build but is not pulled in by the gcc package. Install them with the following commands (on Ubuntu 20.04 and later the Python 2 interpreter is packaged as python2 rather than python):

$ sudo apt-get install python
$ sudo apt-get install gcc make

Step 4: Install Honeyd 1.6d

Then download Honeyd 1.6d, extract the package, and change into the extracted directory. Build and install Honeyd with the following commands; with the default prefix, make install puts the honeyd binary in /usr/local/bin and its data files (sample configurations, service scripts and the fingerprint database) under /usr/local/share/honeyd/:

$ ./autogen.sh
$ ./configure
$ make
$ sudo make install
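The four build steps fail in non-obvious ways when a header or tool is missing, so the following preflight script, an added example that is not part of the Honeyd project, checks the prerequisites from steps 2 and 3 before ./autogen.sh is run. The include roots and the program and header names are assumptions derived from the packages named above: libdnet's header is dumbnet.h on Ubuntu because the package is libdumbnet, recent Ubuntu releases ship the Python 2 binary as python2, and the libtool package provides libtoolize.

```bash
#!/bin/sh
# Preflight check before building Honeyd 1.6d from source on Ubuntu.
# Added example; not part of the Honeyd project. Run as: sh preflight.sh check

# True if the program named in $1 is on PATH.
have_program() { command -v "$1" >/dev/null 2>&1; }

# True if the header named in $1 exists under one of the usual include roots
# (assumed roots; extend for other distributions or a custom --prefix).
have_header() {
    for root in /usr/include /usr/local/include /usr/include/x86_64-linux-gnu; do
        [ -f "$root/$1" ] && return 0
    done
    return 1
}

# missing_items CHECK SPEC...: each SPEC is a list of alternatives separated by
# '|'. Prints every SPEC for which CHECK succeeds on none of its alternatives and
# returns 1 if anything was printed, 0 if everything was found.
missing_items() {
    check=$1
    shift
    rc=0
    for spec in "$@"; do
        found=0
        for alt in $(printf '%s\n' "$spec" | tr '|' ' '); do
            if "$check" "$alt"; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$spec"
            rc=1
        fi
    done
    return $rc
}

# Full check for the dependency set listed on this page (autoconf is pulled in
# by automake on Ubuntu but autogen.sh calls it directly, so it is listed too).
preflight() {
    ok=0
    echo "== missing programs (none expected):"
    missing_items have_program gcc make bison flex libtoolize automake autoconf \
        'python2|python' || ok=1
    echo "== missing headers (none expected):"
    missing_items have_header event.h 'dnet.h|dumbnet.h' pcap.h pcre.h \
        'histedit.h|editline/readline.h' || ok=1
    if [ "$ok" -eq 0 ]; then
        echo "all build prerequisites found; run ./autogen.sh && ./configure && make"
    else
        echo "install the missing items before running ./autogen.sh" >&2
    fi
    return $ok
}

# Only run the full check when asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "check" ]; then
    preflight
fi
```

The alternatives syntax matters on Ubuntu: a check that only looks for dnet.h reports libdnet as missing even though libdumbnet-dev is installed, which is exactly the kind of false alarm that sends people off installing the wrong packages.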

Configuration

Before writing a configuration, make sure the Nmap fingerprint database is available, since Honeyd takes its operating-system personalities from it. The Honeyd source tree ships a copy (nmap.prints), which make install places under the data directory (typically /usr/local/share/honeyd/). To list the available personalities, run the following command in Terminal from the directory that holds the file:

$ grep "^Fingerprint" nmap.prints | more

If the database is present, the command prints a list of operating-system personalities; the text after "Fingerprint" on each line is the exact name to use in the configuration. If the file is missing, obtain the Nmap fingerprint database from the Nmap project: https://nmap.org/download.html

To configure a honeypot with Honeyd, first create a configuration file (“honeyd.conf”). Each virtual host is described by a template: create it, give it an operating-system personality copied exactly from a Fingerprint line of the database, set the default actions for tcp, udp and icmp, and then open individual ports. A virtual host that obtains its address by DHCP is configured as follows:

create <virtual_host_name>
set <virtual_host_name> personality “<OS_personality_name>”
set <virtual_host_name> default tcp action <status>
set <virtual_host_name> default udp action <status>
set <virtual_host_name> default icmp action <status>
add <virtual_host_name> tcp port <port_number> <status>

set <virtual_host_name> ethernet “<MAC Address>”
dhcp <virtual_host_name> on <network_interface_name>

Here <status> is the action Honeyd takes for traffic that matches no explicit port entry: open (answer as a listening port), block (drop silently) or reset (answer as a closed port). The ethernet line is required when the template gets its address by DHCP, and whenever it is present Honeyd answers ARP for the virtual host itself; a template without an ethernet address relies on an external ARP responder such as arpd. Alternatively, bind the template to a specific IP address instead of using DHCP:

create <virtual_host_name>
set <virtual_host_name> personality “<OS_personality_name>”
set <virtual_host_name> default tcp action <status>
set <virtual_host_name> default udp action <status>
set <virtual_host_name> default icmp action <status>
add <virtual_host_name> tcp port <port_number> <status>

set <virtual_host_name> ethernet “<MAC Address>”
bind <ip_address> <virtual_host_name>

You may also attach a service script to a port of the virtual host (a tcp port is configured the same way). Honeyd runs the script for each connection, with the network data on the script's standard input and output:

add <virtual_host_name> udp port <port_number> "<your_script_path>"
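A worked service script for the port line above, added here as an example; it is not one of the scripts that ship with Honeyd. It assumes, as Honeyd's own service scripts do, that the connection is on standard input and output, and it assumes honeyd exports the peer address in HONEYD_IP_SRC, HONEYD_SRC_PORT, HONEYD_IP_DST and HONEYD_DST_PORT (read defensively, so the script also works when they are absent). The banner host name, the log path, the line cap and the fake-smtp.sh file name are assumptions for illustration.

```bash
#!/bin/sh
# fake-smtp.sh: a minimal line-oriented SMTP lookalike for a Honeyd virtual host.
# Added example, not part of the Honeyd project. Configure it with a line such as
#   add <template> tcp port 25 "sh /usr/local/share/honeyd/scripts/fake-smtp.sh"
# Honeyd starts the script per connection with the socket on stdin/stdout.

LOG=${FAKE_SMTP_LOG:-/var/log/honeyd/fake-smtp.log}        # assumed log path; override via env
HOSTNAME_BANNER=${FAKE_SMTP_HOST:-mail.example.internal}  # assumed name shown in the banner
MAX_LINES=${FAKE_SMTP_MAX_LINES:-50}                      # stop talking after this many client lines

# Append one timestamped record with the peer address honeyd exported (or "?" if unset).
log_line() {
    printf '%s %s:%s -> %s:%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${HONEYD_IP_SRC:-?}" "${HONEYD_SRC_PORT:-?}" \
        "${HONEYD_IP_DST:-?}" "${HONEYD_DST_PORT:-?}" "$1" >>"$LOG"
}

# Answer one client command on stdout with a CRLF-terminated reply.
# Returns 1 when the session should end (QUIT), 0 otherwise.
smtp_reply() {
    verb=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | cut -d' ' -f1 | tr -d '\r')
    case "$verb" in
        HELO|EHLO) printf '250 %s Hello\r\n' "$HOSTNAME_BANNER" ;;
        MAIL|RCPT) printf '250 OK\r\n' ;;
        DATA)      printf '354 End data with <CR><LF>.<CR><LF>\r\n' ;;
        NOOP)      printf '250 OK\r\n' ;;
        QUIT)      printf '221 Bye\r\n'; return 1 ;;
        *)         printf '502 Command not implemented\r\n' ;;
    esac
    return 0
}

# Whole session: banner, then one reply per client line until QUIT, EOF or the line cap.
# Every client line is logged with non-printable bytes replaced, so the log cannot
# carry terminal escape sequences or other attacker-chosen control characters.
handle_session() {
    printf '220 %s ESMTP ready\r\n' "$HOSTNAME_BANNER"
    log_line "connect"
    n=0
    while [ "$n" -lt "$MAX_LINES" ] && IFS= read -r line; do
        n=$((n + 1))
        log_line "cmd $(printf '%s' "$line" | tr -d '\r' | tr -c '[:print:]' '?')"
        smtp_reply "$line" || break
    done
    log_line "disconnect after $n line(s)"
}

# Run the session only when launched by honeyd (HONEYD_IP_SRC set); otherwise the
# functions can be sourced and driven by hand.
if [ -n "${HONEYD_IP_SRC:-}" ]; then
    handle_session
fi
```

To try it without Honeyd, feed it a session on stdin with the assumed variables set by hand, for example `printf 'EHLO probe\r\nQUIT\r\n' | HONEYD_IP_SRC=10.0.0.5 FAKE_SMTP_LOG=/tmp/fake-smtp.log sh fake-smtp.sh`. The line cap and the sanitised logging are the two parts worth keeping in any script you write for a honeypot: the peer is by definition hostile, so the script must not loop forever on a chatty client and must not write raw attacker bytes into a log you will later open in a terminal.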

Once the configuration is complete, run Honeyd with the designated configuration file by the following command (-d keeps Honeyd in the foreground and prints debug output; -f names the configuration file). Further flags worth using are -i to restrict Honeyd to one interface, -l and -s to write the packet log and the service log to files, and a trailing network specification after the options (for example a CIDR block), which limits the addresses Honeyd answers for so that it does not compete with real hosts on the segment. A honeypot belongs on a segment isolated from production systems, and its logs contain attacker-controlled data, so treat them as untrusted input:

$ sudo honeyd -d -f honeyd.conf
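A complete honeyd.conf that combines the two template styles and a service script, added here as a worked example rather than a sample from the Honeyd distribution. The personality strings are placeholders that must match a Fingerprint line in the fingerprint database your build installed, and the addresses, MAC addresses, interface name and script path are assumptions for illustration.

```text
# honeyd.conf: two virtual hosts on one segment (added example).
# Run with, for example:
#   sudo honeyd -d -f honeyd.conf -i eth0 -l honeyd.log -s service.log 192.168.1.0/24
# so that honeyd only answers for addresses in that block on that interface.

# Template 1: a Windows-looking host bound to a fixed address. Ports not listed
# below answer as closed (reset); ICMP echo is answered so the host pings.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open
set windows uptime 1728650
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
# With an ethernet address set, honeyd answers ARP for this host itself.
set windows ethernet "00:11:22:33:44:55"
bind 192.168.1.201 windows

# Template 2: a Linux-looking host that takes its address from DHCP. Unlisted
# UDP traffic is dropped silently (block); port 25 runs a service script that
# honeyd starts per connection with the socket on its stdin/stdout.
create linux
set linux personality "Linux 2.4.18 - 2.4.20"
set linux default tcp action reset
set linux default udp action block
set linux default icmp action open
add linux tcp port 22 open
add linux tcp port 25 "sh /usr/local/share/honeyd/scripts/fake-smtp.sh"
# The ethernet line is mandatory for a DHCP template.
set linux ethernet "00:11:22:33:44:66"
dhcp linux on eth0
```

The choice between reset and block for the default action is a detection trade-off: reset makes the virtual host look like an ordinary machine with a few services and closed ports, while block makes it look firewalled. Mixing both across templates, as above, gives a scanner less of a uniform signature to recognise the honeypot by.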

References

Honeyd: https://en.wikipedia.org/wiki/Honeyd
Honeypot: https://en.wikipedia.org/wiki/Honeypot_(computing)
Developments of the Honeyd Virtual Honeypot: http://www.honeyd.org/index.php
DataSoft Honeyd: https://github.com/DataSoft/Honeyd
Honeypot/Honeyd Tutorial: http://travisaltman.com/honeypot-honeyd-tutorial-part-1-getting-started/
Honeyd - The Basics: http://books.gigatux.nl/mirror/honeypot/final/ch04.html