Re: Virtual Honeynets under VMWare in Windows (troubleshooting)

[Tom Fischer <mcalpine () openzilla de>]

It's a different approach, but maybe it can help you:

http://www.smokinggun.de/index.php?p=78

Especially point 6 seems interesting for you.

Barrett Weisshaar wrote:
> Hello All,
>
> As part of a research project, I've recently decided to take a crack at
> setting up a virtual honeynet (Gen II) on my desktop system.
> Essentially, it's a Windows XP desktop with 1 gig of memory and about 50
> gigs of free disk, 2.6 ghz proc, etc - Reasonable system for running a
> few virtual honeypots.  Now, as my basis for documentation I am using
> the configuration found at the Pakistan Honeynet Project
> (http://www.honeynet.org.pk/honeywall/index.htm), since the Spanish
> documentation seems to focus on a hybrid solution instead.  The site
> unfortunately is geared towards a Linux host for vmware, and this is (I
> think) the source of my current issues.
>
> In short, All my internal honeypots can ping each other, but they cannot
> ping any outside hosts on the network.  The Honeywall itself doesn't
> seem to complain too much, happily logging data as I attempt to ping the
> default gateway and such from each host.  My current VMware network
> interface setup is this:
>
> VMNet0: bridged to host
> VMNet1: host-only
>
> In theory, the Honeywall is supposed to have one bridged
> connection(vmnet0), one host-only connection(vmnet1), and all honeypots
> are set to host-only (vmnet1).
>
> For some reason unbeknownst to me, Windows keeps trying to assign VMnet1
> an IP address (why it shows up in the Host OS's network connections, I
> don't know).  Actually, it seems to be VMware doing it, which seems odd
> since I had assumed that would be left to the guest OS.  I even tried
> disabling the TCP stack with no luck.  Even more strangely, if I set the
> subnet of VMNet1 to the same as the outside network (I'm testing this on
> a closed network behind a router before I unleash it in the wild), it
> assigns itself the first IP address in that mask, which ends up being
> pingable from the honeypot machines!  If this is supposed to just be a
> dummy layer 2 link between the Wall and the honeypots, why is this
> happening?
>
> Basically, I'm convinced I'm missing a step, and since the only docs I
> have to go on document setting things up for linux Vmware, I feel I must
> be missing a step.  Has anyone gone through this that could steer me in
> the right direction?  I'd hate to have to run a VMware machine naked and
> rely on forensics alone to determine the outcome (kinda defeats the
> purpose of this whole project)
>
> Regards,
>
> -Barrett