Monday, February 25, 2008

Homemade Honeypots

Developing your own honeypot is not as complicated as it might seem. Using a variety of commonly found security tools, some basic code, and a lot of creativity, you can create many different honeypots. There is no blueprint for developing your own honeypot. It all depends on what you want it to do, the resources you have on hand, and the technologies you feel most comfortable with. The purpose of this chapter is to give you examples of the different technologies and solutions that can be created. It is hoped that by reviewing these different possibilities, you will have a better understanding of what your options are and how to best develop and implement them.
Homemade honeypots have a variety of possible uses. Perhaps you want to detect certain probes or scans, or you need to capture the payload of a specific attack. For this you need nothing more than a simple program that emulates, or perhaps simply listens on, a single port and captures all the activity to that port. This is an example of a low-interaction honeypot designed for limited interaction. On the other extreme, homemade honeypots can create the illusion of a complete operating system, allowing attackers to execute their activities but in a controlled environment. This is a more complex honeypot with far greater levels of interaction, designed to gather more information on attackers.
The variety of homemade honeypots is limited only by the imagination of security professionals, a very imaginative group indeed. Homemade honeypots can run the gamut from very simple to very advanced, which is why they are covered in the middle of this book, between the relatively simple and relatively complex honeypots that are commercially available. In this chapter we are going to cover two specific implementations of homemade honeypots: port monitoring and caged environments. These two types of honeypots represent the different extremes, from the low-interaction system to the more advanced caged environments.
Port monitoring is the simpler of the two homemade honeypots. Port monitoring honeypots are nothing more than a solution that monitors a specific port or a variety of ports. The goal of the port monitoring can be as simple as capturing connections to a service, such as with BOF, or it can entail response or emulation capabilities, such as with Specter. Either way, these solutions tend to be low interaction, limiting the attacker to an emulated service to interact with.
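The port-monitoring honeypot described above, as an added example that is not part of the original chapter or of any of the tools it names. It is written in Python and does what the text describes: it listens on a single TCP port, optionally greets the client with a fake service banner (emulation), captures whatever the client sends, and logs the connection as a structured event. The banner strings, the port numbers, the 64 KB capture cap and the JSON log format are all assumptions made for this example.

```python
"""Low-interaction port-monitoring honeypot (added example, not from the book).
Listens on one TCP port, sends an optional fake banner, captures what the client
sends and records it. Banners, ports and the log format are assumptions here."""
import json
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed greeting lines keyed by port; any other port listens silently.
BANNERS = {
    21: b"220 ftp.example.test FTP server ready\r\n",
    25: b"220 mail.example.test ESMTP\r\n",
}
EVENTS = []                      # in-memory log; a deployment would write to syslog/file
EVENTS_LOCK = threading.Lock()

def make_banner(port):
    """Banner to send for a port, or b"" for a pure listener."""
    return BANNERS.get(port, b"")

def printable(data, limit=256):
    """Render captured bytes as ASCII with non-printables hex-escaped."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in data[:limit])

def record_event(peer, port, data):
    """Build one log record for a connection and append it to EVENTS."""
    event = {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": port,
        "bytes": len(data),
        "payload": printable(data),
    }
    with EVENTS_LOCK:
        EVENTS.append(event)
    return event

class HoneypotHandler(socketserver.BaseRequestHandler):
    """Send the banner, then read until the client closes, goes quiet, or hits the cap."""
    def handle(self):
        port = self.server.server_address[1]
        self.request.settimeout(5.0)        # idle clients are dropped, not held open
        banner = make_banner(port)
        if banner:
            self.request.sendall(banner)
        chunks, total = [], 0
        try:
            while total < 64 * 1024:        # cap capture so a flood cannot exhaust memory
                chunk = self.request.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
                total += len(chunk)
        except socket.timeout:
            pass
        record_event(self.client_address, port, b"".join(chunks))

class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

def start_listener(host="127.0.0.1", port=0):
    """Start the honeypot in a background thread; port 0 picks a free port."""
    server = Honeypot((host, port), HoneypotHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def wait_for_events(count, timeout=5.0):
    """Block until EVENTS holds at least `count` records, then return a copy."""
    deadline = time.monotonic() + timeout
    while True:
        with EVENTS_LOCK:
            if len(EVENTS) >= count or time.monotonic() >= deadline:
                return list(EVENTS)
        time.sleep(0.05)

def probe(host, port, data):
    """Local test client: connect, read any banner, send data, close; returns the banner."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.settimeout(2.0)
        try:
            greeting = c.recv(256)
        except socket.timeout:
            greeting = b""
        c.sendall(data)
    return greeting

if __name__ == "__main__":
    BANNERS[2121] = BANNERS[21]            # unprivileged stand-in for FTP
    srv = start_listener("0.0.0.0", 2121)
    print("honeypot listening on %s:%d" % srv.server_address)
    seen = 0
    while True:                            # Ctrl-C to stop
        events = wait_for_events(seen + 1, timeout=60)
        for ev in events[seen:]:
            print(json.dumps(ev))
        seen = len(events)
```

Two design choices matter for a listener that attackers will hit: the per-connection timeout and the capture cap keep a scanner or a flood from tying up threads or memory, and the payload is logged in an escaped form so that binary or control characters in what was sent cannot corrupt the log itself. Leaving a port silent (no banner) gives you the BOF-style connection capture; adding a banner for that port gives you the first step of Specter-style emulation.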
A chroot or jailed environment is the more advanced of the two categories we cover here. Instead of emulating the services, a caged environment is created. This caged environment exists within a real operating system. The advantage of the caged, or jailed, environment is that it creates the illusion of a real operating system. Attackers have nearly the same functionality as they would if they had compromised a real computer. However, their actions are more closely monitored and controlled.
Both solutions have advantages and disadvantages. Choosing between them depends on what you want to achieve. Port monitoring solutions are easy to develop and implement and have less risk. But they also have limited capabilities: There is little attackers can interact with. This solution is mainly for a specific, predefined purpose, such as detecting attacks or capturing automated tools. A chroot or jailed environment, while more complicated to develop and implement, is more flexible and can give us far greater information on attackers.
These two solutions are not the only methods for developing your own honeypots. There are countless other varieties. For example, Brad Spencer developed a simple sendmail honeypot that emulates a vulnerable mail relay that can be used for spam. By simply modifying the parameters used with sendmail, Brad has created a homemade honeypot that captures spammers. George Bakos has developed Tiny Honeypot. This suite of tools lets you build a honeypot that appears to allow attackers to successfully hack into it, regardless of what they do. Both of these homemade solutions can be found on the CD-ROM.
The two solutions we will focus on—port listeners and jails—represent some of the most common methods you will find. They also represent two dramatically different approaches and technologies, demonstrating the different potentials of homemade honeypots. We will begin with the simpler solution of the two, port monitoring.