PoiNtEr->: HoneyD -- A Virtual Honeypot


Thursday, May 17, 2012

HoneyD -- A Virtual Honeypot



Introduction
Welcome, fellow hackers! This time, I will review a very nice hacking tool that I find really interesting: honeyd (pronounced “honey-dee” or “honey-daemon”). It is a powerful virtual honeypot tool written by Niels Provos and released as open source under the GNU General Public License, as part of the Honeynet project. It runs on GNU/Linux distributions and the *BSDs.

For anyone who doesn’t know, a honeypot is a public or private computer that is intentionally left insecure (unpatched, without an antivirus or firewall, etc.), which actually encourages malicious hackers to attack it. This is a perfect tool for catching potential black-hat network intruders or spammers and monitoring their behavior, or even giving hackers a huge playground to explore and put their networking skills to the test without disrupting others.

If you have the cash, you can even set up multiple honeypots in your home or workplace, which act as convincing “decoy machines” that can help protect your legitimate computers from crackers. Networks like these are called honeynets. Now, let’s back up a bit. Note the keywords in the first sentence: If you have the cash. Setting up a honeynet as a hobbyist can be hard, space-wise and money-wise, but honeyd solves both of these issues completely with a quite revolutionary technology: virtual honeypots.



HoneyD is a Virtual Honeypot

Your typical, run-of-the-mill honeypots are made up of physical computers linked together and, should you wish, connected to the internet. While this setup is foolproof, works effectively, and makes logging and forensics simple, it can be very costly for a hobbyist, as it requires them to buy many large servers, baby them, and run up the home electric bill. Remember that in most cases, more = better. There is also the additional risk of a malware infection leaking out of a honeypot onto a legitimate computer and destroying it.

The best way to solve this problem is a virtual honeypot, which is basically a daemon running on one or several computers that generates virtual honeypot computers and places them on the network. Instead of having to buy and set up multiple physical computers, you now only need one computer which can generate as many virtual honeypots as you wish.

honeyd is an open source application that tries to achieve that goal. Each and every honeypot is defined as a config file that you load and deploy. You can define virtually any aspect of these honeypots with a simple text editor, such as its operating system, ports, and more. Through the “honeyd-common” package, found in most Debian/*buntu repositories, honeyd can emulate a whole slew of port services, such as HTTP, FTP, telnet, rsh, SMTP, and plenty more.
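To make the config-file idea concrete, here is a small honeyd configuration defining two kinds of virtual hosts. It is an added example, not taken from the original post: the template names, the 192.0.2.0/24 addresses (a documentation range) and the service script path are assumptions.

```conf
# Constructed example. Template names, addresses and the script path
# are placeholders. Each personality string must match an entry in the
# nmap fingerprint file installed with honeyd.

# Fallback template: any address in the monitored range that is not
# bound below silently drops traffic.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Decoy Windows workstation: closed ports answer with a reset,
# file-sharing ports accept connections.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open

# Decoy Linux server: SSH accepts connections, HTTP is handed to a
# service-emulation script (placeholder path; such scripts are what
# the honeyd-common package provides).
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
set linux default udp action block
add linux tcp port 22 open
add linux tcp port 80 "sh /path/to/scripts/web.sh"

# Put the virtual hosts on the network.
bind 192.0.2.10 windows
bind 192.0.2.11 windows
bind 192.0.2.20 linux

# Started in the foreground with a log file, for example:
#   honeyd -d -f honeyd.conf -l honeyd.log 192.0.2.0/24
```

honeyd only answers for addresses whose traffic actually reaches its host, so on a LAN the decoy range usually has to be routed or ARP-answered toward the machine running it.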

When would a virtual honeypot be used in the real world? Here is an example scenario: a small company has three servers full of important data that it needs to protect vigilantly, as it cannot risk a malicious hacker break-in. All of the servers have an IDS (intrusion detection system) installed. If one of the servers is running honeyd, it will appear to any attackers that there are hundreds of computers on the network, when really there are only three.

The attacker will have to do much more research and perhaps think twice before hacking, for if they make one mistake and attack a honeypot, then the IDS will have them caught red-handed. Their IP address and attack methods will be logged, their port listings and network traffic recorded, and the timeframes noted. Remember that all of the attack’s details can be accessed and observed in real-time from the three legitimate servers running honeyd. It truly is the perfect trap, don’t you think?


  Feature List

  • Manipulates TCP/IP packets to create the illusion that there is a host on the network.
  • At the time of this writing, honeyd supports up to 65,536 hosts at once.
  • Convincingly emulates a plethora of port services.
  • Can impersonate up to a thousand different operating systems.
  • User can define unique virtual hosts using simple config files.
  • Lets you catch spammers and network intruders, as well as observe their behaviors.
  • Safe and isolated from the true host computer(s).



