Page 1 of 2 (results 1 to 10 of 14)

Thread: suggestions for this honeypot

  1. #1
    Junior Member
    Join Date
    Feb 2004
    Posts
    15

    suggestions for this honeypot

    this is what i have:

    a hardened xp pro install using DSL modem and kerio personal firewall. Virtual pc installed with a standard xp pro install using the virtual switch networking option.

    i prefer virtual pc. I can't understand the networking in vmware.


    I tried it using analogx port forwarding to forward ports 445 and 5000 from the host to the virtual pc. which did forward lots of traffic but even though i was using some tools from winternals. regmon, filemon, tcpmon, process explorer. i couldnt really tell what was going on.

    on the host i have commview sniffer but i wasnt using it at the time. I did download the windows port of snort but i havent installed it yet. am a bit scared of snort tbh.

    any thoughts on what might be better? i mean within the criteria of using virtual pc.

  2. #2
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings All:


    Haha, I just KNOW that I'm soooo going to regret getting involved with this thread, but I just can't help myself.

    What on EARTH are you trying to accomplish exactly?


  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I have to agree with JP.

    You're scared of snort but you're willing to put your Internet connection up for grabs by installing a honeypot without actually knowing how to monitor it.

    What happens if someone or something hits your honeypot? I'll tell you what will happen. It'll get 0wn3d in about 3 minutes, turned into a spam relay and you lose your Internet connection. Try and explain that to your ISP; you were experimenting with a honeypot and you want your connection back. I'll bet they'll laugh their asses off and then hang up.

    No offence but I don't think you're ready yet.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Junior Member
    Join Date
    Feb 2004
    Posts
    15
    Well, I normally use KFSensor, but it's not hugely useful when it comes to worms.

    I set it up because I wanted to capture those new UPnP-exploiting worms, Bobax and the other one, but it's obviously not going to be as straightforward as I'd thought. Perhaps I should be using the NAT networking option....

    I'm interested in worm analysis and capturing one seems to be first step.
    FFXI: Remora RDM41 BLM41 WHM40
    WOW: Azjul Nerob Rogue 41
    http://www.browolf.f2s.com/wordpress/

  5. #5
    Junior Member
    Join Date
    Feb 2004
    Posts
    15
    Originally posted here by SirDice
    I have to agree with JP.
    What happens if someone or something hits your honeypot? I'll tell you what will happen. It'll get 0wn3d in about 3 minutes, turned into a spam relay and you lose your Internet connection. Try and explain that to your ISP; you were experimenting with a honeypot and you want your connection back. I'll bet they'll laugh their asses off and then hang up.
    Well, as it is now, although it isn't doing what I want, I can't be turned into a spam relay because the virtual PC doesn't have access to the net as such. Only incoming connections to port 445 or port 5000 on the host are forwarded to it. There's no proxy running on the host PC.

    Any other incoming connections are either blocked by the firewall or can be picked up by KFSensor. If I want to stop connections to the virtual PC I can close the port forwarding software.

    now that's secure ;-)

  6. #6
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings:

    Ok, I think I understand what you're trying to do now, and you can't accomplish what you're trying to accomplish, the way that you're trying to accomplish it (hehe).

    In your case, I would strongly suggest against trying to "catch" worms for "analysis". Perhaps you should start out with a less ambitious approach to learning about information security?

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Probably a safer option, if you want to see what happens, is to run netcat.

    nc -L -p 5000 > worm.bin should be enough.

    Let it run a while and then check out worm.bin with a hex viewer and maybe a disassembler (you do know how to read assembly?). That'll get you started.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Junior Member
    Join Date
    Feb 2004
    Posts
    15
    I understand. Though I'm not going to give up quite yet. I am acutely aware of security concerns. I've just been pondering the implications of port forwarding and I realise that in making it secure against, as SirDice says, "being 0wn3d", it's completely useless haha.

    Ideally what I need is some dynamic way of port forwarding back to the originating IP, but whilst I don't think that's impossible, I'd be really, really surprised if such a thing existed.

    As I understand it, NAT would allow the virtual PC to make outgoing connections to the net.
    Now, would these outgoing connections still have to be okayed through the firewall? Therefore I could still retain some control over what was happening.

    Do I still have to use the port forwarding app then to relay incoming connections to the virtual pc?


    Originally posted here by SirDice
    Let it run a while and then check out worm.bin with a hex viewer and maybe a disassembler (you do know how to read assembly?). That'll get you started.
    That's definitely a later stage in this process. Running a secure, controlled honeypot is way easier than having to figure out assembler. Dusting off my very dusty assembler bible is a treat that's going to have to wait.

    stage 1: make honeypot work and be in control
    stage 2: document worm activity in windows and thru packet sniffing
    stage 3: disassemble worm.
    FFXI: Remora RDM41 BLM41 WHM40
    WOW: Azjul Nerob Rogue 41
    http://www.browolf.f2s.com/wordpress/
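    SirDice's netcat one-liner (nc -L -p 5000 > worm.bin) and the "stage 1 / stage 2" plan above both come down to the same thing: accept a connection, record whatever arrives, and send nothing back. The script below is an added example, not code from the thread or from any of the posters, of that idea with a few things a redirected netcat lacks: one file per connection named after the peer address and the time, a per-connection byte cap and idle timeout so a flood cannot fill the disk or hang the listener, and a SHA-256 of each capture so repeat hits are easy to tell apart. Port 5000, the 1 MB cap, the 30 second timeout and the `captures` directory are assumed values; `simulate_capture` is a local socketpair harness for trying it without opening a port at all.

```python
"""Capture-only TCP listener: a scripted stand-in for `nc -L -p 5000 > worm.bin`.

Constructed example for this thread; not code from the thread or from any poster.
It records what a peer sends and never writes a byte back, so it cannot be
talked into relaying anything.  All ports, limits and paths below are assumptions.
"""
import datetime
import hashlib
import pathlib
import socket

MAX_BYTES = 1_000_000   # assumed per-connection cap so a flood cannot fill the disk
IDLE_TIMEOUT = 30.0     # assumed seconds without data before the connection is dropped


def read_capped(conn, max_bytes=MAX_BYTES, idle_timeout=IDLE_TIMEOUT):
    """Read from conn until the peer closes, the cap is hit, or the peer goes idle."""
    conn.settimeout(idle_timeout)
    chunks, total = [], 0
    while total < max_bytes:
        try:
            data = conn.recv(min(65536, max_bytes - total))
        except socket.timeout:   # peer stopped talking; keep what we have
            break
        if not data:             # peer closed its side
            break
        chunks.append(data)
        total += len(data)
    return b"".join(chunks)


def sha256_hex(payload):
    """Hash of the captured bytes, handy for spotting the same payload arriving twice."""
    return hashlib.sha256(payload).hexdigest()


def capture_name(peer_ip, peer_port, when=None):
    """File name carrying the UTC timestamp and the peer that connected."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    return f"{when:%Y%m%dT%H%M%SZ}_{peer_ip.replace(':', '_')}_{peer_port}.bin"


def save_capture(outdir, peer_ip, peer_port, payload):
    """Write one connection's bytes to its own file and return the path."""
    outdir = pathlib.Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    path = outdir / capture_name(peer_ip, peer_port)
    path.write_bytes(payload)
    return path


def simulate_capture(payload, max_bytes=MAX_BYTES):
    """Local harness: push constructed bytes through a socketpair into read_capped."""
    server_side, client_side = socket.socketpair()
    with server_side, client_side:
        client_side.sendall(payload)
        client_side.close()   # behaves like a peer that has finished sending
        return read_capped(server_side, max_bytes=max_bytes)


def serve(port=5000, outdir="captures"):
    """Listen forever, one connection at a time, logging each hit to stdout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, (ip, sport) = srv.accept()
            with conn:
                payload = read_capped(conn)
            path = save_capture(outdir, ip, sport, payload)
            print(f"{ip}:{sport} sent {len(payload)} bytes "
                  f"sha256={sha256_hex(payload)} -> {path}")


if __name__ == "__main__":
    serve()
```

    Run it on the machine that receives the forwarded port; each connection lands as its own file under captures/ and the printed line gives the source address and hash to match against the sniffer log for stage 2. Like netcat with -L, it only holds the port open; it is not a firewall, so the host firewall still decides which ports are reachable at all, and nothing here ever opens an outbound connection.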

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    What's preventing the (infected/0wn3d) virtual machine from crossing over to your host system?

    I'd go for brushing up on your assembly skills. It's a lot safer and it'll give you a much greater insight into what it does and how.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Ok, I'm going to go against the grain here...by all means, do it. If you are confident you know what you are doing, and you are fully aware of the possible consequences, then do it.

    Ok, I think I understand what you're trying to do now, and you can't accomplish what you're trying to accomplish, the way that you're trying to accomplish it (hehe).
    I haven't messed with virtual pc, but I have tinkered with vmware, and if it's anything alike, there will be holes you hadn't anticipated... maybe it's just me, but I didn't (and still don't) have enough time to study how everything interacts, and before I did something like this, I would want to know how everything works....

    There are also, for instance, many documented vulnerabilities when running Virtual Pc on a Mac...only sporadic reports it causing problems on Windows, but still...

    Just a couple points..

    any other incoming connections are either blocked by the firewall or can be picked up by kfsensor
    Once it's picked up by KFSensor, it's already too late? Definitions need to be up to date, and possibly customized for your purpose? Just thinking out loud here....

    therefore I could still retain some control over what was happening.
    The goal is to retain total control...some control implies that at some time you are NOT in control...that's bad.

    A better solution would be a stand-alone box...honeypots by definition are "nonproduction computer assets set up for the express purpose of being a potential target for unauthorized activities." I suppose there is a good reason for that??

    Again, do what you want...I would just maybe rethink how you want to do it.
