Re: Windows Honeypot Help

["SecurIT Informatique Inc." <securit () iquebec com>]

Hello,

I was about to write you about Cotse.com's Winetd, but as I was looking for 
the URL, I found out that it is no longer supported.  While trying to find 
archives, I've tumbled on the following message, which may be useful for 
what you are looking for 
http://archives.neohapsis.com/archives/sf/honeypots/2002-q3/0298.html.  It 
seems thatt some of the links discussed in this message are no longer 
valid, so you may be right about not having many options out there.  Maybe 
if you send an e-mail to the fine people at Cotse, they'll agree to send 
you old copy of Winetd even if not supported anymore.

Hope this helps.

Adam Richard
SécurIT Informatique Inc.

At 07:09 AM 16/02/2004, Ted wrote:



> Hello,
>
>   Bottom line up front, I'm looking for some kind of script/software 
> combination that will allow me to emulate services and log interaction 
> with those fake services on a Win2k honeypot. Now for some details.
>
>   I've been wanting to create a honeypot for quite a while now in order 
> to do some personal research on tools and methodologies used by hackers 
> in the wild. Recently, I decided to go ahead and do it. In preperation, I 
> read Lance Spitzner's book and did some research on the net to gain 
> perspective on the various aspects of honeypot development and deployment.
>
>   With that under my belt, I installed a commercial demo on my windows 
> machine in order to get a reasonable understanding of commercial honeypot 
> technology as well as a firsthand knowledge of the frequency of threats. 
> The results of the exercise were impressive from both standpoints. 
> However, due to limited flexibility and high cost of commercial 
> honeypots, I decided to create my own honeypot using freeware available 
> on the net. It is my belief that this approach will lead to a 
> considerably better understanding of the subject and an enhanced ability 
> to react/study various aspects.
>
>   In light of that, I gathered up what appears to be the usual tools 
> (i.e. Snort, Nmap, Netcat etc.) and configured things so that I can 
> identify attacks, have basic logging capability and recieve a call when 
> they occur.
>
>   The next phase for me is to incorporate some more interaction into my 
> honeypot. Since I dont have any data controls in place, I want to stay 
> with a low interaction solution, but I would like to have it emulate at 
> least the banners for certain services and capture automated tool responses.
>
>   Initially, I thought this wouldn't be very difficult but after 
> considerable searching I've decided that either I don't know how to 
> search anymore (perish the thought) or the information isn't very 
> available. My original premise - and current for that matter - was that 
> the best solution would probably be a combination of nc and some sort of 
> script. Maybe Im barking up the wrong tree.
>
>   So, for the immediate future, I'm going to study the nc documentation 
> and maybe perl in hopes that I may figure it out. In the meantime though, 
> if the list can comment and perhaps shorten the development time, I'd 
> really appreciate it. If you're with me to this point here's what I'd 
> like to hear about in no particular order:
>
>   1) Is my current approach for banner emulation/interaction on track?
>   2) If it is, does anyone know where there are examples of previous
>      or current approaches that I can use to model a solution from.
>   3) If I'm making this harder than it has to be, please advise.
>   4) Any other comments you feel are appropriate.
>
>   For my background, my last programming was done in Pascal many moons 
> ago (but not so long that I couldnt pick up another language fairly 
> quickly I believe). I have a passing aquaintence with Linux (which I 
> suppose I'll try to use as a bridge when I put data control/remote 
> logging etc. into the equation). Most of my familiarity has been with MS 
> OSes (no comment required :)). I've done study on forensics and 
> understand networking.
>
>   Sorry for the long post - it won't happen again - but I dislike it when 
> someone asks a question and you dont know how to respond because they 
> didnt identify the problem or their level of understanding very well. I'm 
> trying not to cause the same thing.
>
>   While I'm a fan of learning by doing, I'd still like to see some 
> progress in the form of results along the way. Im shooting for a Proof of 
> Concept that I can tweak and learn from as events unfold.
>
>
>
>   Thanks for your patience,
>    Ted
>
>
> _____________________________________________________________________
> Un mot doux à envoyer? Une sortie ciné à organiser? Faites le en temps
> réel avec MSN Messenger! C'est gratuit!   http://ifrance.com/_reloc/m