Getting started with honeyd

This is a quick guide to honeyd (which is included in HoneyDrive, of course), inspired by Jonathan, whom I had the pleasure to meet at BSides, where we discussed honeypots and some problems related to honeyd’s operation.

I will be explaining the following common scenario: we have a home router with a port forwarding/DMZ feature, and we use the latter to send traffic to a honeypot emulating an old Linux server in order to catch some attacks. Details:

  • Public IP address (WAN): <something, e.g. dynamic>
  • IP address of the honeyd VM (LAN): 192.168.1.77
  • IP address of the virtual honeypot (LAN): 192.168.1.50

The first thing to notice is that there are actually two honeypot-related machines above: the honeyd VM and a “virtual honeypot”. This is because honeyd doesn’t run the (fake) services we define under its own address, so to speak; instead it creates “virtual honeypots” for the machines we want to emulate. You can think of a virtual honeypot as a separate tiny virtual machine created and controlled by honeyd.

Honeyd can create many such virtual honeypots, and even whole network topologies consisting of many of them. Each of these virtual honeypots is normally bound to a private IP (say, in the 192.168.1.0/24 range). The problem with this scenario is that the router on our network doesn’t know where to deliver packets destined for one of the virtual honeypots. For this reason we must use a tool called farpd, which answers ARP requests on the virtual honeypot’s behalf. Using farpd we essentially tell the router to send every packet destined for our virtual honeypot (192.168.1.50) to the honeyd VM (192.168.1.77) instead, where honeyd will pick it up and “deliver” it to the virtual honeypot.

Installing honeyd and farpd is easy via apt:

# apt-get install honeyd farpd

After the installation, a new file should have been created at /etc/default/honeyd, which is responsible for the initialization of honeyd. In that file we need to edit the INTERFACE and NETWORK variables, entering the appropriate values for the network topology we are trying to achieve. In our case these should be “eth0” (normally) and “192.168.1.50” respectively. If we want to use the init script, we need to set RUN to “yes” as well.

Honeyd also creates its primary configuration file at /etc/honeypot/honeyd.conf. This is where we should enter all the virtual honeypots and all their fake services. Here is an example of a honeyd configuration file:

# FTP Linux server template

create linuxftp

set linuxftp personality "Linux 2.4.7 (X86)"
set linuxftp default tcp action reset
set linuxftp default udp action block
set linuxftp default icmp action open

add linuxftp tcp port 21 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/proftpd.sh $ipsrc $sport $ipdst $dport"

bind 192.168.1.50 linuxftp
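
The add line above hands the attacker’s TCP stream to a shell script: honeyd runs the command with the four $ipsrc $sport $ipdst $dport values filled in and connects the remote socket to the script’s stdin and stdout. As an added example (not the proftpd.sh shipped with honeyd, nor code from this post), here is a minimal service script in that same shape. It answers a handful of FTP commands, never grants a login, and writes one log record per client line; the script path /usr/local/share/honeyd/fakeftp.sh and the log file location are assumptions.

```shell
#!/bin/sh
# fakeftp.sh - minimal FTP service emulation for a honeyd virtual honeypot.
# Added example, not the proftpd.sh shipped with honeyd. honeyd starts it as
#   add linuxftp tcp port 21 "sh /usr/local/share/honeyd/fakeftp.sh $ipsrc $sport $ipdst $dport"
# (assumed path) and connects the remote TCP stream to the script's stdin/stdout.

# Log destination (assumed). honeyd drops to the -u/-g user before running
# service scripts, so this file must be writable by that uid.
LOGFILE="${FAKEFTP_LOG:-/var/log/honeypot/fakeftp.log}"

# One log record per client line: UTC time, the 4-tuple honeyd passed in, raw text.
log_line() {
    printf '%s %s:%s -> %s:%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$1" "$2" "$3" "$4" "$5" >> "$LOGFILE"
}

# Answer a single client command the way a real server would, without ever
# granting a login. Prints the reply; returns 1 when the session should end.
ftp_reply() {
    line=$(printf '%s' "$1" | tr -d '\r')
    cmd=$(printf '%s' "$line" | cut -d' ' -f1 | tr 'a-z' 'A-Z')
    case "$cmd" in
        '')   return 0 ;;                                             # blank line: ignore
        USER) printf '331 Password required for %s.\r\n' "${line#* }" ;;
        PASS) printf '530 Login incorrect.\r\n' ;;                    # always refuse
        SYST) printf '215 UNIX Type: L8\r\n' ;;
        QUIT) printf '221 Goodbye.\r\n'; return 1 ;;
        *)    printf '500 %s not understood\r\n' "$cmd" ;;
    esac
    return 0
}

# Session loop, entered only when honeyd supplies the four address arguments.
if [ "$#" -eq 4 ]; then
    ipsrc=$1; sport=$2; ipdst=$3; dport=$4
    log_line "$ipsrc" "$sport" "$ipdst" "$dport" "CONNECT"
    printf '220 FTP server ready.\r\n'       # banner: match the software the template claims to be
    while IFS= read -r req; do
        log_line "$ipsrc" "$sport" "$ipdst" "$dport" "$req"
        ftp_reply "$req" || break
    done
    log_line "$ipsrc" "$sport" "$ipdst" "$dport" "DISCONNECT"
fi
```

You can exercise it without honeyd by piping a session into it, e.g. printf 'USER anonymous\r\nPASS x\r\nQUIT\r\n' | sh fakeftp.sh 10.0.0.1 4444 192.168.1.50 21, and then reading the log file. Because the script refuses every login, each USER/PASS pair it records is pure attacker signal rather than noise from legitimate users.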

After creating our honeyd configuration file, we need to start farpd as mentioned above. This is easily done with:

# farpd 192.168.1.77 -i eth0

Only then are we ready to start honeyd:

# /etc/init.d/honeyd start

The last command actually starts honeyd with its default settings. The full command to achieve the same would be:

# /usr/bin/honeyd -f /etc/honeypot/honeyd.conf -l /var/log/honeypot/honeyd.log -p /etc/honeypot/nmap.prints -a /etc/honeypot/nmap.assoc -0 /etc/honeypot/pf.os -x /etc/honeypot/xprobe2.conf -u 1000 -g 1000 -i eth0 192.168.1.50
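
Note that the address list at the end of that command (the NETWORK value from /etc/default/honeyd) is what honeyd answers for; a template bound to an address outside it is never reached. As an added example, not part of honeyd or HoneyDrive, the pre-flight script below pulls every bind address out of honeyd.conf and checks that NETWORK covers it before you start farpd and honeyd. The two file paths are the ones named in this guide; the function names and the --check flag are my own.

```shell
#!/bin/sh
# honeyd-preflight.sh - sanity checks before starting farpd and honeyd.
# Added example, not part of the honeyd package. Assumes the Debian layout from
# the guide: INTERFACE/NETWORK in /etc/default/honeyd, bind lines in
# /etc/honeypot/honeyd.conf. Both paths can be overridden via the environment.
CONF="${HONEYD_CONF:-/etc/honeypot/honeyd.conf}"
DEFAULTS="${HONEYD_DEFAULTS:-/etc/default/honeyd}"

# IPs bound to templates in a honeyd config, one per line, comments ignored:
#   "bind 192.168.1.50 linuxftp" -> 192.168.1.50
bound_ips() {
    sed -e 's/#.*//' "$1" | awk '$1 == "bind" { print $2 }' | sort -u
}

# Value of VAR=value in a /etc/default style file, surrounding quotes stripped.
default_var() {
    sed -n -e "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# Is address $1 inside network $2 (a.b.c.d or a.b.c.d/prefix)? Exit 0 if yes.
# Pure POSIX awk: host bits are dropped by integer division, since awk has no
# bitwise AND.
ip_in_net() {
    awk -v ip="$1" -v net="$2" '
        function toint(a,  p) {
            split(a, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        BEGIN {
            n = split(net, parts, "/")
            prefix = (n == 2) ? parts[2] : 32
            block = 2 ^ (32 - prefix)
            exit (int(toint(parts[1]) / block) == int(toint(ip) / block)) ? 0 : 1
        }'
}

# Every bound IP must lie inside one of the NETWORK entries (space separated),
# otherwise honeyd is started without answering for that virtual honeypot.
check_binds() {
    nets=$(default_var "$DEFAULTS" NETWORK)
    rc=0
    for ip in $(bound_ips "$CONF"); do
        hit=0
        for n in $nets; do
            if ip_in_net "$ip" "$n"; then hit=1; fi
        done
        if [ "$hit" -eq 1 ]; then
            echo "ok: $ip is covered by NETWORK=\"$nets\""
        else
            echo "MISMATCH: $CONF binds $ip but $DEFAULTS has NETWORK=\"$nets\""
            rc=1
        fi
    done
    return "$rc"
}

# Run the check when invoked directly with --check (skipped when sourced).
if [ "${1:-}" = "--check" ]; then
    check_binds
fi
```

Run it as sh honeyd-preflight.sh --check on the honeyd VM; a non-zero exit means at least one bind line would be ignored with the current NETWORK setting. The same two helpers are handy for a second check the comments below run into: the honeyd.log path must be writable by the uid honeyd demotes to (the -u/-g values), not just by root.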

From now on, FTP connections to 192.168.1.50 will arrive at 192.168.1.77, and honeyd will deliver them to the virtual honeypot, where they will be handled by the script we specified in the config file.

Honeyd writes to the honeyd.log file, which you can import into a MySQL database with Honeyd2MySQL and then visualize with Honeyd-Viz.

14 comments

2 pings

    • mikkosuomu on December 15, 2014 at 7:41 PM

    I believe in the above example it should be “farpd -i eth0 192.168.1.50” if this is the IP claimed by honeyd, right?

      • Ion on December 17, 2014 at 2:43 AM

      No, I think it should be .77 (the IP of the honeyd VM). honeyd will then “route” the packets to 192.168.1.50 (the IP of the virtual honeypot created by honeyd).

    • soni on February 16, 2016 at 9:58 AM

    Are the honeyd VM and honeypot VM IP addresses random? If not, how do we find them?

    After running the above, what is to be done after “ftp open *ip_address*”? What result is to be expected?

      • Ion on February 17, 2016 at 6:05 AM

      They are not random, but their exact address doesn’t really matter as long as they are unique and unused in your network. The .77 was a static one I picked for the VM, and the .50 one is defined in the configuration file (last line).

      After honeyd is running all FTP connections will be handled by the /usr/share/honeyd/scripts/unix/linux/suse8.0/proftpd.sh script as defined in the config file. Of course you can write your own scripts with more features etc.

        • soni on March 2, 2016 at 8:43 PM

        hello,

        I am trying to do the following; please tell me where I might have gone wrong.

        I have a test.conf and its path is /etc/honeypot/test.conf

        My script file is put in /usr/share/honeyd/scripts/unix/linux/suse8.0/hello.sh

        My test.conf has the following code:

        create test
        add test tcp port 21 "/usr/share/honeyd/scripts/unix/linux/suse8.0/hello.sh"
        bind 10.1.0.2 test

        and my hello.sh contains:

        #!/bin/sh
        echo "Hello you!"
        while read data
        do
            echo "$data"
        done

        Now I run my honeyd and telnet 10.1.0.2
        Ideally it has to reply
        Hello you!

        but what I get is

        telnet: Unable to connect to remote host: Connection timed out

        I checked if it is a problem with routing. But before starting the honeyd I ran the following:

        sudo route -n add -net 10.0.0.0/8 gw 127.0.0.1

        ping -n -c1 10.1.0.1

        and I got a reply

        but when I try telnet 10.1.0.1 I still get telnet: Unable to connect to remote host: Connection timed out

        please help.

        • Ion on March 3, 2016 at 3:50 AM

        Hi, you are connecting to the wrong port, as it seems. Telnet listens/connects to port 23 by default. You’re using port 21 (usually FTP). Either change the port in your config file or telnet 10.1.0.2 21.

        • soni on March 8, 2016 at 6:16 PM

        Even after changing to port 23 I get the same error.

    • Archana on April 17, 2016 at 11:41 AM

    farpd: bad pcap filter: non-network bits set in "192.168.43.46/8"

    What does this error mean?

    • robi on September 6, 2016 at 6:25 AM

    ubuntu honeyd[3520]: honeyd_logstart: open("/var/log/honeypot/honeyd.log"): Permission denied
    Any solution?

      • Ion on September 7, 2016 at 11:40 PM

      Hi robi, it seems like a permissions issue? What if you `sudo chmod 777 /var/log/honeypot/honeyd.log` beforehand?

        • Ade Jodi Harmawan on February 22, 2017 at 6:40 AM

        I am a new user and want to learn about honeypot on ubuntu and I am having a bit of trouble in this section

        root@honeydrive:~# honeyd -d -f /etc/honeypot/honeyd.conf
        Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
        honeyd[2114]: started with -d -f /etc/honeypot/honeyd.conf
        honeyd[2114]: listening promiscuously on eth0 (ip proto arp or 47 or (udp and src and dst port 67 port 68) or (ip)) and not ether src 08:00:27:38:d1:ec
        honeyd[2114]: demoting process privileges to 65534 uid, gid 65534
        honeyd[2114]: **update_check: failed to resolve host.**

    • Don Harper on October 8, 2016 at 11:08 AM

    I try to edit the honeyd.conf file – just wondering, do you need to add a route for bind 192.168.1.50 linuxftp to work? Cheers

    • Nate on March 24, 2017 at 3:58 PM

    I have a problem establishing an FTP connection even though I can ping the virtual honeypot.

    On the virtual honeypot end:
    honeyd[23258]: Connection request: tcp (10.215.56.145:45698 - 10.215.56.99:21)
    honeyd[23258]: Connection established: tcp (10.215.56.145:45698 - 10.215.56.99:21) /bin/sh /usr/share/honeyd/scripts/unix/linux/ftp.sh 10.215.56.145 45698 10.215.56.99 21
    honeyd[23258]: Connection dropped by reset: tcp (10.215.56.145:45698 - 10.215.56.99:21)

    On the source end (attacker’s PC):
    #ftp 10.215.56.99
    ftp: connect: Connection reset by peer.

    Why is this happening?

    • Alina on May 10, 2017 at 7:28 AM

    I have a problem when using honeyd-1.5c on CentOS.
    I run the daemon with the -l option to save the log files, but the file does not record any calls to the IP addresses specified in the honeyd configuration file as bind 192.168.100.1 template
    (so any calls to the address 192.168.100.1 are NOT recorded in the logfile).
    Calls to other addresses are recorded in the log file.
    Any solution?

  1. […] Security Bloggers Network, Ioannis Koniaris, […]

  2. […] Honeyd, created by Niels Provos. Although it is a single honey pot in GNU / Linux or Windows the attacker will see multiple honeycomb servers. What’s the trick? Honeyd creates virtual IP addresses, each one with the ports and services that we want to emulate. To help understand the concept, imagine a router device connected by a modem to the Internet and with a hard disk connected to several virtual machines running, each one with different ports and services open. A basic tutorial on how to install and start using Honeyd can be read in this link. […]
