Honeypots mailing list archives

RE: http fake service


From: "Alberto Gonzalez" <albertg () cerebro wwjh net>
Date: Sun, 9 Feb 2003 12:08:01 -0800

Well, 

  Most attackers/worms identify a server with its banner. With an HTTP
emulation (fake) you can emulate ANY banner you want. If this is a
research honeypot, you will probably be receiving plenty of exploits if
you emulate some old vulnerable IIS stuff[1]. Take Bigeye for instance,
bigeye will allow you to specify which banner you would like to use upon
starting bigeye, so you can have multiple emulations of HTTP servers.
Though bigeye is based mostly on research, you will gain plenty of
information from an intruder who is just 'spraying and praying' with
some new toy, or throws some new exploit at you, and you now have a
nice packet dump to investigate. 

Has anyone done a CGI-based honeypot? Instead of just giving an attacker
a vulnerable OS, or emulating something with honeyd (and the like)? I'm
interested to see if anyone has attempted to put up a vulnerable CGI (a
known one) and give the intruder a chroot() environment and see what
they do?

Cheers!
  Alberto Gonzalez

[1] - I know most people are after unknown stuff, but small site
honeypots tend not to get hit with those, high profile sites (*.sun.com,
etc...) will get hit with that stuff, that's not to say they aren't
running honeypots.

---
"The secret to success is to start from scratch and keep on scratching."
 


-----Original Message-----
From: gminick [mailto:gminick () hacker pl] 
Sent: Sunday, February 09, 2003 8:09 AM
To: honeypots () securityfocus com
Subject: Re: http fake service


On Sun, Feb 09, 2003 at 01:50:13AM -0800, dhanu bahirat wrote:
> I am doing a project on honeypot. I am writing a
> production honeypot, giving fake services. I studied
> many honeypots like honeyd, tiny honeypot, dtk, etc.
> Now I am planning to write a http fake service. 
> [...]
> What is actually expected in providing the fake http
> service.
I don't get it. Could you explain to me what you are trying to achieve
by that - as you call it, a 'fake http service'?

You want to run a honeypot, so wouldn't it be better to provide a real
service? A real server which can be exploited?

A 'http service' is something more than just a tcp server listening on
port 80 and logging requests. It needs an implementation of a 
protocol. And here's the place where I'm stuck, because you're 
providing a service which is really hard to break since nobody has its
code, nobody knows anything about that server, there's no worm which
will exploit your server (well, the possibility of the same error is
really small) - it's just a way to make the attacker more suspicious. Worms
as well as script kiddies use network scanners to search for targets,
but there's a difference: worms are attacking everything which is open
(we can say worms are blind); script kiddies are attacking 
vulnerable services. First, they take a look at the name and version of
your server, and then, if they can, they try to attack. But now,
what we've got is a fake http service: worms just can't break in with their
exploits, script kiddies can't compare the signature of your server to any
known exploit (well, as long as you aren't responding with some
'Apache-2.....' or another 'MS IIS....' ;)), so I just don't see what's
the deal with that http server. 
By providing unknown services you're making a real stronghold out of your
honeypot, aren't you? :) ...or maybe that's just me needing to refresh my
knowledge about honeypots. Hmm... it's a bit long, so, once more, a
general question: what are you trying to achieve by providing that kind
of service?

-- 
[ gminick (at) underground.org.pl  http://gminick.linuxsecurity.pl/ ]
[ "I simply like morning solitude, because that is when coffee tastes best." ]
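The thread turns on two points: Alberto's, that attackers and worms pick targets by the banner a server announces, so an emulated service can advertise any banner the operator chooses; and gminick's, that an "http service" needs at least a minimal protocol implementation and request logging to be worth anything. The following is an added example written for this archive page, not code from either poster nor from Bigeye or honeyd. It is a small Python fake HTTP service whose `Server` header is chosen at start-up, which parses the request line and headers leniently (so binary payloads are recorded rather than rejected), and which writes one JSON log line per connection. The banner strings, the `probe.cgi` request and the script name `fakehttp.py` are constructed for illustration.

```python
"""Minimal HTTP fake service for a honeypot: a configurable Server banner,
a small protocol implementation, and one JSON log line per request."""
import json
import re
import socketserver
import sys
from datetime import datetime, timezone

# Constructed example banners (assumption: illustrative strings, not a product list).
BANNERS = {
    "iis": "Microsoft-IIS/5.0",
    "apache": "Apache/1.3.26 (Unix)",
}
PAGE = b"<html><body><h1>It works!</h1></body></html>"


def parse_request(raw: bytes):
    """Parse the request line and headers. Returns (method, target, version,
    headers) or None when the request line is malformed. Decoding is latin-1
    so binary exploit payloads are logged rather than rejected."""
    text = raw.decode("latin-1")
    head = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]
    lines = [ln.rstrip("\r") for ln in head.split("\n")]
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers


def build_response(raw: bytes, banner: str):
    """Return (status, response_bytes, log_record). The reply is the same tiny
    page for every path; only the advertised banner changes. Malformed
    requests get a 400 but are still logged with the raw byte count."""
    parsed = parse_request(raw)
    if parsed is None:
        method, target, version, headers = "?", "?", "?", {}
        status, reason = 400, "Bad Request"
    else:
        method, target, version, headers = parsed
        status, reason = (200, "OK") if method in ("GET", "HEAD") else (405, "Method Not Allowed")
    body = b"" if method == "HEAD" else PAGE
    head = (
        f"HTTP/1.0 {status} {reason}\r\n"
        f"Server: {banner}\r\n"
        "Content-Type: text/html\r\n"
        f"Content-Length: {len(PAGE)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("latin-1")
    record = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "method": method,
        "target": target,
        "version": version,
        "user_agent": headers.get("user-agent", ""),
        "status": status,
        "request_bytes": len(raw),
    }
    return status, head + body, record


class HoneyHandler(socketserver.StreamRequestHandler):
    """One connection: read up to the end of the headers (or 64 KiB), answer, log."""
    timeout = 5          # socket timeout applied by StreamRequestHandler.setup()
    banner = BANNERS["iis"]

    def handle(self):
        raw = b""
        try:
            while b"\r\n\r\n" not in raw and len(raw) < 65536:
                chunk = self.request.recv(4096)
                if not chunk:
                    break
                raw += chunk
        except OSError:
            pass   # timeout or reset: still log whatever arrived
        _, resp, record = build_response(raw, self.banner)
        record["peer"] = self.client_address[0]
        print(json.dumps(record), file=sys.stderr, flush=True)
        try:
            self.wfile.write(resp)
        except OSError:
            pass


def serve(port: int, banner: str) -> None:
    """Bind the fake service and run until interrupted."""
    HoneyHandler.banner = banner
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), HoneyHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    # usage: python fakehttp.py [port] [banner key or literal banner string]
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    banner = sys.argv[2] if len(sys.argv) > 2 else "iis"
    serve(port, BANNERS.get(banner, banner))
```

Run it as an unprivileged user (for example `python fakehttp.py 8080 apache`) and redirect stderr to a file to collect the log. The design reflects both messages: the banner is the only thing that varies, which is what a scanner keys on, while the fixed page and the bare HTTP/1.0 reply mean a human who looks past the banner will notice the emulation, exactly gminick's objection. That is why the handler logs the full request size and the user agent rather than trying to be convincing: pair it with a packet capture on the same host and the value is the dump of what was thrown at the port, as Alberto describes.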

