Honeypots mailing list archives
honeyd on windows
From: "JaY Lakhani" <jaylakhani () hotmail com>
Date: Thu, 02 Mar 2006 04:35:44 +0000
I want to run a Windows version of honeyd; I am also using honeyd on Linux.

No problems on Linux. In Windows the IP addresses are as follows:

Firewall: 10.10.10.254
Windows HOST: 10.10.10.200 (physical machine that runs VMware Workstation)
Windows GUEST: 10.10.10.201 (on VMware)
Honeyd running on the Windows guest: 10.10.10.10 (I have a static ARP entry on the firewall for this address pointing to the guest's MAC)

Here is the command line I use to run honeyd:

c:\honeyd -d -p C:\honeyd\nmap.prints -x C:\honeyd\xprobe2.conf -a C:\honeyd\nmap.assoc -f c:\honeyd\honeyd.conf -i 2 10.10.10.10

I have also tried it without the IP at the end:

c:\honeyd -d -p C:\honeyd\nmap.prints -x C:\honeyd\xprobe2.conf -a C:\honeyd\nmap.assoc -f c:\honeyd\honeyd.conf -i2

This is the message I get when I run it:

listening on \Device\NPF_{365789CA-7C7A-4645-A1CA-DDBE7BDCC4A3}: ip and {dst 10.10.10.10} and not ether 00:00:0c:29:0a:13:2f

I am not sure why it says "not ether 00:00:0c:29:0a:13:2f", and hope that's not part of my problem.

"\Device\NPF_{365789CA-7C7A-4645-A1CA-DDBE7BDCC4A3}" matches interface 2 when I use WINDUMP -D.

So far no problems. I try to ping my honeyd target from the firewall; in the honeyd window I get a message saying:

Sending ICMP Echo Reply: 10.10.10.10 -> 10.10.10.254

On the firewall I get a message saying:

10.10.10.10 NO response received -- 1000ms

So I ran Ethereal while pinging 10.10.10.10 (the honeyd IP on the GUEST OS). In the Ethereal packet capture, when the VMware guest machine (10.10.10.201) running honeyd sends an ARP broadcast for the honeyd target IP (10.10.10.10), it does not get a response back, and the addresses it shows are:

SOURCE IP: 10.10.10.201
SOURCE MAC: 00:00:0c:29:0a:13:2f (right MAC address)
TARGET IP: 10.10.10.10
TARGET MAC: 00:00:00:00:00:00

The ARP entry stays incomplete. I have tried to hard-code an ARP entry in the Windows guest OS, still the same results. I have tried all of the above on Win XP and Win 2k (Win XP with SP2 broke things even more, so I killed SP2 and SP1), still the same problems.

So it seems like somehow the MAC address of the guest OS needs to be tied to the honeyd target IP.

Any help to make this run would be great. I run the exact same config file and IPs on a SUSE machine and it runs just fine.
Thanks a lot
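The check the poster did by hand in Ethereal, pairing ARP requests with the replies that answer them and reporting the addresses that stay unresolved, can be automated over raw Ethernet frames. The script below is an added example and is not code from the post or from the honeyd project. It parses ARP the way RFC 826 lays it out (Ethernet II header, then the 28-byte IPv4-over-Ethernet ARP body), builds its own constructed capture mirroring the addressing in the post, lists the requests nobody answered, and shows the reply a host owning the requested address would have to send for the requester's ARP entry to complete. GUEST_MAC and FIREWALL_MAC are placeholder values, not captured data.

```python
"""ARP request/reply matcher over raw Ethernet frames (added example, not from the post)."""
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


@dataclass
class Arp:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826).
    Requests go to the broadcast MAC; replies go straight back to the requester."""
    eth_dst = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IPV4, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + body


def parse_arp(frame: bytes):
    """Return an Arp for an IPv4/Ethernet ARP frame, or None for anything else (IP, runts)."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, ETHERTYPE_IPV4, 6, 4):
        return None
    return Arp(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


def unanswered_requests(frames) -> dict:
    """Map requested IP -> requesting MAC for ARP requests with no reply in the capture.
    A reply answers a request when the reply's sender IP is the IP that was asked for."""
    asked, answered = {}, {}
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        if a.op == ARP_REQUEST:
            asked.setdefault(a.target_ip, a.sender_mac)
        elif a.op == ARP_REPLY:
            answered[a.sender_ip] = a.sender_mac
    return {ip: mac for ip, mac in asked.items() if ip not in answered}


def arp_reply_for(request: bytes, responder_mac: str):
    """The reply a host claiming the requested IP sends: sender = (responder MAC, requested IP),
    target = the requester. None if the frame is not an ARP request."""
    a = parse_arp(request)
    if a is None or a.op != ARP_REQUEST:
        return None
    return build_arp(ARP_REPLY, responder_mac, a.target_ip, a.sender_mac, a.sender_ip)


# Constructed capture; MACs are placeholders, IPs follow the post's addressing.
GUEST_MAC = "00:0c:29:0a:13:2f"
FIREWALL_MAC = "00:11:22:33:44:55"
GUEST_IP, FIREWALL_IP, HONEYD_IP = "10.10.10.201", "10.10.10.254", "10.10.10.10"

CAPTURE = [
    build_arp(ARP_REQUEST, GUEST_MAC, GUEST_IP, "00:00:00:00:00:00", FIREWALL_IP),
    build_arp(ARP_REPLY, FIREWALL_MAC, FIREWALL_IP, GUEST_MAC, GUEST_IP),
    # the guest asks who has the honeypot address and nothing on the wire answers
    build_arp(ARP_REQUEST, GUEST_MAC, GUEST_IP, "00:00:00:00:00:00", HONEYD_IP),
    b"\x00" * 60,  # a non-ARP frame, skipped by the parser
]

if __name__ == "__main__":
    for ip, mac in unanswered_requests(CAPTURE).items():
        print(f"no ARP reply for {ip} (asked by {mac})")
    print("reply that would complete the entry:", parse_arp(arp_reply_for(CAPTURE[2], GUEST_MAC)))
```

Run against a real capture, replace CAPTURE with the raw link-layer bytes of each frame; the matcher deliberately keys replies on the sender IP rather than on the reply's destination, so a reply from any MAC that claims the requested address counts, which is exactly the case to look for when a virtual honeypot address is supposed to be answered by an adapter that does not own it.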