Honeypots mailing list archives
RE: http fake service
From: "Alberto Gonzalez" <albertg () cerebro wwjh net>
Date: Sun, 9 Feb 2003 12:08:01 -0800
Well, most attackers/worms identify a server with its banner. With a HTTP emulation (fake) you can emulate ANY banner you want. If this is a research honeypot, you will probably be receiving plenty of exploits if you emulate some old vulnerable IIS stuff[1]. Take Bigeye for instance: bigeye will allow you to specify which banner you would like to use upon starting bigeye, so you can have multiple emulations of HTTP servers. Though bigeye is based mostly on research, you will gain plenty of information from an intruder who is just 'spraying and praying' with some new toy, or throws some new exploit at you, and you now have a nice packet dump to investigate.

Has anyone done a CGI based honeypot? Instead of just giving an attacker a vulnerable OS, or emulating something with honeyd (and the likes)? I'm interested to see if anyone has attempted to put a vulnerable CGI (a known one) up and give the intruder a chroot() environment and see what they do?

Cheers!

Alberto Gonzalez

[1] - I know most people are after unknown stuff, but small site honeypots tend not to get hit with those; high profile sites (*.sun.com, etc...) will get hit with that stuff, that's not to say they aren't running honeypots.

---
"The secret to success is to start from scratch and keep on scratching."

-----Original Message-----
From: gminick [mailto:gminick () hacker pl]
Sent: Sunday, February 09, 2003 8:09 AM
To: honeypots () securityfocus com
Subject: Re: http fake service

On Sun, Feb 09, 2003 at 01:50:13AM -0800, dhanu bahirat wrote:
I am doing a project on honeypot. I am writing a production honeypot, giving fake services. I studied many honeypots like honeyd, tiny honeypot, dtk, etc. Now I am planning to write a http fake service.
[...]
What is actually expected in providing the fake http service?
I don't get it. Could you explain to me what you are trying to achieve by that - as you call it - 'fake http service'? You want to run a honeypot, so wouldn't it be better to provide a real service? A real server which can be exploited? A 'http service' is something more than just a tcp server listening on port 80 and logging requests. It needs an implementation of a protocol. And here's the place where I'm stuck, because you're providing a service which is really hard to break since nobody has its code, nobody knows anything about that server, there's no worm which will exploit your server (well, the possibility of the same error is really small) - it's just a way to make an attacker more suspicious.

Worms as well as script kiddies use network scanners to search for targets, but there's a difference: worms are attacking everything which is open (we can say worms are blind); script kiddies are attacking vulnerable services. First, they take a look at the name and version of your server, and then, if they can, they try to attack. But now, what we have is a fake http service: worms just can't break in with their exploits, script kiddies can't compare the signature of your server to any known exploit (well, as long as you aren't responding with some 'Apache-2.....' or another 'MS IIS....' ;)), so I just don't see what's the deal with that http server. By providing unknown services you're making a real stronghold from your honeypot, aren't you? :)

...or maybe that's just me needing to refresh my knowledge about honeypots. Hmm... it's a bit long, so, once more, a general question: what are you trying to achieve by providing that kind of service?

--
[ ] gminick (at) underground.org.pl http://gminick.linuxsecurity.pl/ [ ]
[ "I just like the morning solitude, because that's when coffee tastes best." ]
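A minimal fake HTTP service of the kind the thread argues about, added here as an example (not Bigeye's code and not written by any of the thread's authors): the Server banner is configurable, so the reply looks like whichever server you want to be probed as, and the full request is logged as the evidence to investigate. The banner strings, the port and the body are constructed placeholders.

```python
import socketserver
from datetime import datetime, timezone

# Banners to impersonate (constructed sample set): a scanner fingerprinting us
# sees only this Server header, never a real daemon.
BANNERS = {"iis5": "Microsoft-IIS/5.0", "apache13": "Apache/1.3.27 (Unix)"}
BODY = b"<html><body><h1>It works!</h1></body></html>"

def parse_request(raw: bytes) -> dict:
    """Split a raw request into method/path/version/headers; malformed input
    is kept verbatim rather than rejected, because it is the evidence."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    req = {"method": parts[0], "path": parts[1] if len(parts) > 1 else "",
           "version": parts[2] if len(parts) > 2 else "", "headers": {}}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            req["headers"][key.strip().lower()] = value.strip()
    return req

def build_response(banner: str, body: bytes = BODY) -> bytes:
    """A plausible 200 reply carrying whatever Server banner was chosen."""
    head = (f"HTTP/1.1 200 OK\r\nServer: {banner}\r\nContent-Type: text/html\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode("latin-1") + body

def emulate(raw: bytes, banner: str, peer: str) -> tuple:
    """Return (response bytes, log record); the record is the honeypot's
    real product: who sent which request line and UA, plus the raw bytes."""
    req = parse_request(raw)
    record = {"ts": datetime.now(timezone.utc).isoformat(), "peer": peer,
              "method": req["method"], "path": req["path"],
              "version": req["version"],
              "user_agent": req["headers"].get("user-agent", ""), "raw": raw}
    return build_response(banner), record

class Honeypot(socketserver.BaseRequestHandler):
    banner = BANNERS["iis5"]  # choose which server to be probed as

    def handle(self):
        raw = self.request.recv(65536)
        response, record = emulate(raw, self.banner, self.client_address[0])
        print(record)  # in practice: append to a log file, keep the pcap too
        self.request.sendall(response)

if __name__ == "__main__":
    with socketserver.TCPServer(("0.0.0.0", 8080), Honeypot) as server:
        server.serve_forever()
```

As gminick's reply points out, the banner only buys anything if it names a server an attacker actually has an exploit for, so pair it with a packet capture of the same port.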