Honeypots mailing list archives
Re: High interaction Windows Honeypot
From: George Bakos <gbakos () ists dartmouth edu>
Date: Thu, 11 Aug 2005 12:52:49 -0400
We've been fielding Windows pots on Qemu, rather than VMWare, for some time now, saving a ton of gelt and having source to bang on as well. Just stay away from the kqemu accelerator module for security reasons. You may find that sebek won't work with qemu/bochs because of the old NDIS drivers needed for the emulated realtek interface, but that should be fixed in the new sebek. Get with me off-list if you want implementation details. We haven't written anything formal up yet.

g

On Mon, 8 Aug 2005 21:39:57 -0500 "Michael A. Davis" <mike () datanerds net> wrote:

Yes, I am. It is pretty much finished. The problem is the new 3.0 integration (i.e. roo); it is all the other features. Also, there are some licensing questions that I am currently investigating before releasing it.

Thanks,
Michael A. Davis
Chief Executive Officer
Savid Technologies, Inc.
Main: 708.243.2850
http://www.savidtech.com

This email may contain confidential and privileged information for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies of this message.

-----Original Message-----
From: Stejerean, Cosmin [mailto:cosmin () cti depaul edu]
Sent: Monday, August 08, 2005 11:49 AM
To: Thorsten Holz; honeypots () securityfocus com
Subject: RE: High interaction Windows Honeypot

Is anyone working on a Sebek3 program for Windows?

Cosmin

-----Original Message-----
From: Thorsten Holz [mailto:thorsten.holz () mmweg rwth-aachen de]
Sent: Monday, August 08, 2005 11:07 AM
To: honeypots () securityfocus com
Subject: Re: High interaction Windows Honeypot

Ahmed Ameen wrote:

Hello All, I am currently planning for my CS thesis which I decided to do on Windows Honeypots. I was wondering if anyone has experience on building a high interaction honeypot using a Windows environment and VMware.

Some experience from me and the German Honeynet Project:

* For the Honeywall, the easiest way to set up is the Honeywall CDROM Roo (http://www.honeynet.org/tools/cdrom/). This is Linux-based, but that should be no big problem. Just boot a computer with three interfaces (two also works, but for management a dedicated interface is best) and within 20 minutes you are done. Customization is very easy and the web-interface allows you to monitor what's going on. If you really need it, you can also install the Honeywall "by hand", but that's rather time-consuming...

* Unfortunately, no Sebek version 3.x exists for Windows yet. It is in development, but not ready up to now. So you have to use Sebek version 2.x (http://www.honeynet.org/tools/sebek/2/sebek-win32-2.1.5.zip). Just install Windows and you are basically done. If you don't apply some patches, a default installation of Windows will be compromised by a bot in an automated way within several minutes...

* If you want to set up a virtual honeynet, just follow the steps outlined in the paper "Virtual Honeynet: Deploying Honeywall using VMware" (http://www.honeynet.org.pk/honeywall/) written by the Pakistan Honeynet Project.

Cheers,
Thorsten

--
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos () ists dartmouth edu
603.646.0665 -voice
603.646.0666 -fax
pub 1024D/081ECB85 1999-04-09 George Bakos <gbakos () ists dartmouth edu>
Key fingerprint = D646 8F91 F795 27EC FF8B 8C95 B102 9EB2 081E CB85
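As an added illustration of the QEMU-hosted Windows pot George describes above (this is not code from the thread, nor from the Honeynet Project or QEMU): a launch script that runs the guest under pure software emulation, refuses to start if an accelerator module such as kqemu (or its modern successor kvm) is loaded on the host, and attaches the guest's emulated Realtek NIC to a host tap that a bridge feeds into the Honeywall. The disk image path, the tap and bridge names, the monitor socket path, and the use of current QEMU flags (-accel tcg, -netdev/-device, which did not exist in 2005) are all assumptions; creating the tap and bridge is assumed to happen elsewhere.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Launches a Windows
# high-interaction honeypot guest under QEMU with software emulation only
# and a tap NIC destined for the Honeywall bridge.
# Assumed names: image path, tap "tap-honey0", bridge "br-honey",
# monitor socket path. Flags are current-QEMU syntax (assumption).

IMG="${IMG:-/srv/honeypots/winxp-honeypot.qcow2}"
TAP="${TAP:-tap-honey0}"
BR="${BR:-br-honey}"
MON="${MON:-/run/honeypot-monitor.sock}"

# accel_loaded CONTENTS_OF_PROC_MODULES
# Succeeds (exit 0) if a CPU accelerator module is loaded. With kqemu or
# kvm present, guest code runs on the real CPU instead of in the
# emulator, which is the exposure George's advice is about. The module
# list is passed in as an argument so the check is testable offline.
accel_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(kqemu|kvm|kvm_intel|kvm_amd) '
}

# qemu_args
# Prints one QEMU argument per line: TCG interpreter only, an IDE disk,
# an emulated Realtek rtl8139 NIC on the honeywall tap (QEMU must not
# run its own ifup script; the bridge membership is managed outside),
# a monitor on a unix socket reachable only from the host, no display.
qemu_args() {
    printf '%s\n' \
        -accel tcg \
        -m 512 \
        -drive "file=$IMG,format=qcow2,if=ide" \
        -netdev "tap,id=n0,ifname=$TAP,script=no,downscript=no" \
        -device "rtl8139,netdev=n0" \
        -monitor "unix:$MON,server,nowait" \
        -display none
}

# Only actually start the guest when invoked as: ./honeypot.sh run
if [ "${1:-}" = "run" ]; then
    if accel_loaded "$(cat /proc/modules 2>/dev/null)"; then
        echo "accelerator module loaded on host; refusing to start" >&2
        exit 1
    fi
    # Arguments contain no whitespace (paths are assumed space-free),
    # so plain word splitting of the printed list is safe here.
    # shellcheck disable=SC2046
    exec qemu-system-i386 $(qemu_args)
fi
```

The guest disk is not started with -snapshot: for a honeypot you usually want the attacker's on-disk changes preserved for forensics, and you can take a qemu-img snapshot of the clean image before exposing it instead.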
Current thread:
- High interaction Windows Honeypot Ahmed Ameen (Aug 08)
- Re: High interaction Windows Honeypot Thorsten Holz (Aug 08)
- <Possible follow-ups>
- RE: High interaction Windows Honeypot Stejerean, Cosmin (Aug 08)
- RE: High interaction Windows Honeypot Stejerean, Cosmin (Aug 08)
- RE: High interaction Windows Honeypot Michael A. Davis (Aug 08)
- RE: High interaction Windows Honeypot Michael A. Davis (Aug 09)
- Re: High interaction Windows Honeypot George Bakos (Aug 11)
- Re: High interaction Windows Honeypot Ahmed Ameen (Aug 12)
- RE: High interaction Windows Honeypot Michael A. Davis (Aug 12)
- Re: High interaction Windows Honeypot Ahmed Ameen (Aug 14)
- RE: High interaction Windows Honeypot mnelson (Aug 16)
- Re: High interaction Windows Honeypot Ahmed Ameen (Aug 17)
- RE: High interaction Windows Honeypot Michael A. Davis (Aug 08)