September 11th, 2004 09:38 PM
Windows XP honeypot
I recently received a spare hard disk and am planning to put it to good use before it fills up with data. I'm planning a longish set of honeypot experiments. The modus operandi will be as follows:
1. Install Windows XP on the spare HD.
2. Make an image on the other one with Acronis True Image or dd.
3. Unplug my usual hard disk.
4. Log EVERYTHING and monitor what's happening to it.
5. Plug my normal HD in again and save the logs (using Linux while I'm offline!!!).
6. Restore the partition on the spare hard disk and install SP1 and make another image and so on for SP2.
Each configuration will be tested with and without the Windows XP firewall and with and without some tightening (i.e. closing unnecessary services). No third party firewall will be used. This will obviously take a while (a few weeks to a few months) and I'll post the results of each configuration as and when they are available. The box will be kept online using the spare hard disk for about 12 hours, Friday, Saturday and Sunday.
I need some information about how to do the log everything bit though. I would like a set of free programs that would log network connections, changes to files, what files did what at what time and what ports are open at any given time. Ideally, the programs should be scriptable.
September 11th, 2004 09:47 PM
Quick Newb Question: Windows XP Firewall doesn't have a port logging or an activity logging type of thing on it? Sorry I dunno, I've never used their firewall so I wouldn't know. As for the project, it seems nice.. definitely post results and whatnot as they become available.
September 11th, 2004 09:49 PM
Not as far as I know. I also need a program that will log outgoing connections as well as incoming ones.
September 11th, 2004 10:07 PM
Sygate can do that I believe. Just tell it to allow all and log all and it should do it.
September 11th, 2004 10:21 PM
Don't run a honeypot that logs to itself.... It's kinda silly... If you get someone who knows what they are doing you will lose everything anyway. The monitoring has to be done from/to separate boxes that are invisible to the attackers. Also remember that if the box logs to another box there is something running that is detectable .... If it's detectable it can be beaten somehow....
I've been thinking about placing a honeypot at home for more than a year.... I still haven't worked out _how_ I want to do it... But I'm getting closer....
September 11th, 2004 10:26 PM
Windump is tcpdump for windows (http://windump.polito.it/)
I think it requires winpcap however (this can be a pain)
Sysinternals has a few 'monitoring utilities' that you might find handy.
For example filemon and tdimon.
Hope this can be helpful.
September 11th, 2004 10:29 PM
You can enable logging to help identify the source of inbound traffic and to provide details on what traffic is being blocked. %Windir%\pfirewall.log is the default log file. To enable logging, follow these steps:
1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. Click the Advanced tab.
3. In Security Logging, click Settings.
4. In Log Settings, click to select the Log dropped packets check box, and then click OK.
5. Click OK to close Windows Firewall.
Note: Outbound successes are not logged. Outbound traffic that is not blocked is not logged.
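The steps above only give you a raw pfirewall.log; to get anything useful out of it after the honeypot session, you need to read it back. The following is an added example (not from this thread or from Microsoft) that parses the W3C-style format the firewall writes, using the field names from its own #Fields header, and tallies dropped inbound packets by source, protocol and destination port. The log lines are constructed sample data; only DROP records will exist unless "Log successful connections" is also ticked, and, as noted above, unblocked outbound traffic never appears.

```python
"""Parse a Windows Firewall pfirewall.log (W3C extended format) and summarise
dropped inbound packets per source address, protocol and destination port."""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of a pfirewall.log written with "Log dropped packets" on.
# Record layout follows the #Fields header the firewall itself emits.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2004-09-12 22:01:03 DROP TCP 198.51.100.7 192.0.2.10 3411 135 48 S 1234567 0 65535 - - - RECEIVE
2004-09-12 22:01:05 DROP TCP 198.51.100.7 192.0.2.10 3412 445 48 S 1234568 0 65535 - - - RECEIVE
2004-09-12 22:01:09 DROP UDP 203.0.113.4 192.0.2.10 1026 1026 404 - - - - - - - RECEIVE
2004-09-12 22:02:11 DROP TCP 198.51.100.7 192.0.2.10 3420 445 48 S 1234570 0 65535 - - - RECEIVE
2004-09-12 22:03:00 OPEN TCP 192.0.2.10 192.0.2.1 1034 80 - - - - - - - - SEND
"""


def parse_pfirewall(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by the names in the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header defines the column names
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Version, #Software, ...)
        values = line.split()
        if not fields or len(values) != len(fields):
            continue  # skip truncated or otherwise unparseable records
        records.append(dict(zip(fields, values)))
    return records


def dropped_inbound_summary(records: List[Dict[str, str]]) -> Counter:
    """Count DROP records in the RECEIVE direction by (src-ip, protocol, dst-port)."""
    counts: Counter = Counter()
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            counts[(r["src-ip"], r["protocol"], r["dst-port"])] += 1
    return counts


if __name__ == "__main__":
    recs = parse_pfirewall(SAMPLE_LOG.splitlines(True))
    for (src, proto, port), n in dropped_inbound_summary(recs).most_common():
        print(f"{src:16} {proto:4} port {port:>5}: {n} dropped")
```

Point it at a copy of %Windir%\pfirewall.log saved from the honeypot disk and the same summary shows which source addresses were probing which ports over the session.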
September 12th, 2004 12:37 AM
FYI- XP firewall DOES have logging. It's not all that great... and not my first choice...
If you want a lot more data... I'd use another box for all your logging... use it as your gateway and grab every single connection and even packet if you want. You can use a snort and iptables/squid box for that (if you have the resources). I'd even set up syslogd and log everything to the remote box (in this case your gateway). That way... if and when the box is compromised... you don't have to worry about your logs being modified by the cracker.
The honeypot project has quite a few nice scripts to limit outgoing attacks on other boxes once your honeypot has been compromised. You don't want other people thinking you're trying to compromise their systems too.
There are quite a few nice programs out there for honeypots that will limit what the attacker can do. Make it look like tons of services are running... but they can't exploit those. Then run two or so services that they CAN exploit. You will gather even more info on your attacker with the fake services... Back Officer Friendly comes to mind. Very limited... but useful when using other programs/services too. Makes the box look "juicy"... or look like a honeypot. More than likely you're going to get tons of kiddies... not the "real deal crackers"...
If you haven't read up on this much... then I recommend two books to you.
Know Your Enemy and Honeypots
They are both great reads and will give you TONS of solutions for several different types of honeypots. Just make sure you document EVERYTHING if you want to share your results.
September 12th, 2004 06:45 AM
First off, I don't have an extra box that I can use to do logging. I don't mind occasionally losing some logs as long as I get to keep them most of the time. Phish, thanks for the book names but I don't think I can buy those at the moment (too broke). And btw, I found those programs but the object of the exercise is to test how good Windows XP really is, with and without patches.
October 14th, 2004 04:59 PM
This looks a little old, but have you thought about potentially getting a copy of VMWare or the "new" Microsoft Virtual PC and potentially monitoring things that way. You can configure the virtual machine on a bridged network so that it gets its own IP address and "hopefully" you wouldn't have to lose everything on your main machine. I'm not a security person at all, but that could be a potential configuration solution.