calin radoni's humble web presence
Installing Honeyd 1.0 and Arpd 0.2 under Fedora Core 4 (with gcc 4.0.0)
It was not as easy as I remembered it being the last time I did it, but somehow I managed to do it right.
Warning: about this document
This article contains things that may seem trivial to some and things that may seem impossible to do to others (the latter I hope will not happen). My intention was to be useful to as many readers as possible.
Warning: about the code
The modifications and configurations I have made had a deadline: no more than 8 hours of work split over two days. The result should work without problems. I must mention that this was the first time I had analyzed the code of the mentioned applications. As always, there is enough room for code improvements and, probably, those will be treated in another article. This is definitely not my coding practice.
The goal is to install the Honeyd Virtual Honeypot, version 1.0, under Fedora Core 4. Theoretically this is a simple thing to do. Besides installing it, I want to use the latest OS fingerprints from nmap and from xprobe2.
As you will see by reading this article, or by trying to install it yourself, there are some problems. The correct steps for a successful install will be shown in this small article.
The files used were the latest at the date 07 July 2005. Here is the list:

- honeyd-1.0.tar.gz
- arpd-0.2.tar.gz
- libdnet-1.10.tar.gz and libevent-1.1a.tar.gz, which honeyd needs to work. FYI: honeyd also requires libpcap, but this library comes with the default setup in Fedora Core 4.
- the nmap-os-fingerprints file from nmap-3.81.tgz or from the /usr/share/nmap/ directory in Fedora Core 4
- the xprobe2.conf file from xprobe2-0.2.2.tar.gz
As a short note, here are the problems that I have encountered (and solved):

- make for honeyd-1.0 will fail
- make for arpd-0.2 will fail
- the nmap-os-fingerprints file had an entry with a syntax error
- xprobe2.conf had a new OS fingerprint format compared with the one that comes bundled in honeyd-1.0.tar.gz
Read this section if you are interested in the technical details or skip to the next one. Here is the list:

- honeyd 1.0 does not compile under gcc 4.0.0
- arpd 0.2 does not compile under gcc 4.0.0
- nmap 3.81's OS fingerprints
- the xprobe2.conf that comes with honeyd 1.0 and the xprobe2.conf from xprobe2 0.2.2
- honeyd 1.0's personality.h file
- honeyd 1.0's personality.c file
Maybe you are bored of reading this, if you have read some of my previous articles, but the first thing to do before compiling is to have some sort of playground. You can name it /playground, /var/playground, /tmp/playground or any name you like. I will use the name /playground for that directory.
Inside your playground directory make another one called Honeyd and copy the source files there:
# cp libdnet-1.10.tar.gz /playground/Honeyd/
# cp libevent-1.1a.tar.gz /playground/Honeyd/
# cp honeyd-1.0.tar.gz /playground/Honeyd/
# cp arpd-0.2.tar.gz /playground/Honeyd/
# cp xprobe2-0.2.2.tar.gz /playground/Honeyd/
You must download the modified files. Here is an archive with all required files: honeydFC4 (the archive's SHA1 checksum is 0edc4e3aab9d0e0c70d3f7d8d73f359464a020e3; compare it with the output of sha1sum on the downloaded archive before using its files).
Installing libdnet-1.10 is as simple as:

# cd /playground/Honeyd
# gzip -d libdnet-1.10.tar.gz
# tar -xvf libdnet-1.10.tar
# cd libdnet-1.10
# ./configure
# make
# make install
To install libevent-1.1a do the following:

# cd /playground/Honeyd
# gzip -d libevent-1.1a.tar.gz
# tar -xvf libevent-1.1a.tar
# cd libevent-1.1a
# ./configure
# make
# make install

and verify that everything is OK by running the regression tests:

# make verify

Now you must tell the dynamic linker about the new libraries installed under /usr/local/lib:

# ldconfig /usr/local/lib

Note that a later ldconfig run without that argument (package installations do this) rebuilds the cache without /usr/local/lib unless the directory is listed in /etc/ld.so.conf, so add it there if it is not already present.
Extract the arpd-0.2 archive:

# cd /playground/Honeyd
# gzip -d arpd-0.2.tar.gz
# tar -xvf arpd-0.2.tar
# cd arpd

For arpd-0.2 to compile under gcc 4.0.0 the file arpd.c must be modified. Replace it with the one from the honeydFC4 archive, then compile and install:

# ./configure
# make
# make install
Extract the honeyd-1.0 archive:

# cd /playground/Honeyd
# gzip -d honeyd-1.0.tar.gz
# tar -xvf honeyd-1.0.tar
# cd honeyd-1.0

To compile it and use the OS fingerprints from nmap-3.81 and xprobe2-0.2.2 you must replace some files with the versions from the honeydFC4 archive. Here is the list of the files that should be replaced:

- dhcpclient.c - modified to compile with gcc 4.0.0;
- personality.h - modified to read the xprobe2-0.2.2 OS fingerprints;
- personality.c - modified to read the xprobe2-0.2.2 OS fingerprints;
- nmap.prints - nmap 3.81's OS fingerprint file, modified because the original file had a syntax error in one of the fingerprints;
- xprobe2.conf - the OS fingerprint database from version 0.2.2 of xprobe2.

Then compile and install:

# ./configure
# make
# make install
Note

If you have installed Fedora Core 4 as "minimal", then you must use ./configure --without-python instead of ./configure because the Python development libraries are missing. This may apply to other Linux distributions as well.
Before launching honeyd for the first time you must create a configuration for it. You can consult the samples provided (config.sample and config.ethernet from the /usr/local/share/honeyd directory), read honeyd's documentation and build your own file.
For a fast start you could use a configuration file like this:
create default
set default default tcp action block
set default default udp action block
create template
set template personality "Microsoft Windows XP SP2"
set template uptime 1234567
add template tcp port 135 open
add template tcp port 139 open
add template tcp port 445 open
bind 192.168.1.100 template
bind 192.168.1.101 template
bind 192.168.1.102 template

Save the file as /usr/local/share/honeyd/honeyd.conf. The personality name must match, character for character, a Fingerprint line in the nmap.prints file you pass to honeyd, otherwise honeyd will refuse the configuration. The IP addresses should be in the same network segment as the hosting machine, or you should modify the routing table of your router so that the packets destined to those IP addresses reach your honeyd hosting computer.
Modify the rules of your firewall to accept packets for the IP addresses defined in honeyd's configuration file. You should have something like this:

$IPTABLES -A INPUT -d 192.168.1.100 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.1.101 -j ACCEPT
$IPTABLES -A INPUT -d 192.168.1.102 -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Let's create a script to start arpd. The contents should be like this:

#!/bin/sh
/usr/local/sbin/arpd '192.168.1.100-192.168.1.102'

and another one to start honeyd:

#!/bin/sh
MONITOREDIP='192.168.1.100-192.168.1.102'
/usr/local/bin/honeyd -f /usr/local/share/honeyd/honeyd.conf \
    -p /usr/local/share/honeyd/nmap.prints \
    -x /usr/local/share/honeyd/xprobe2.conf \
    -a /usr/local/share/honeyd/nmap.assoc \
    -g 99 -u 99 \
    -l /var/log/honeyd \
    --disable-webserver \
    $MONITOREDIP

arpd and honeyd are given the same address range: arpd answers the ARP requests for those addresses so that their traffic reaches this machine, and honeyd answers that traffic.

Now we must create the log file and set its permissions so that the unprivileged honeyd can write to it:

# touch /var/log/honeyd
# chown 99:99 /var/log/honeyd
# chmod 750 /var/log/honeyd

By launching those scripts you should be able to ping the 192.168.1.100 - 192.168.1.102 IP addresses.
Warning

The scripts above set honeyd's user and group to nobody:nobody (uid and gid 99 on Fedora Core 4)!
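Two of the problems this article runs into can be caught before honeyd is started: the fingerprint file with a syntax error, and a honeyd.conf whose personality does not exist in that file or whose bound addresses fall outside the range handed to arpd and honeyd. The checker below is an added example written for this article, not code from honeyd, nmap or the honeydFC4 archive. It assumes the first-generation nmap fingerprint layout that honeyd 1.0 reads (a Fingerprint line, an optional Class line, then TSeq/T1..T7/PU test lines of the form NAME(key=value%key=value)); the sample fingerprint text and the second, deliberately broken configuration are constructed, while the first configuration is a trimmed copy of the quick-start one above.

```python
# Pre-flight checks for honeyd: validate an nmap-3.x style fingerprint file and
# cross-check a honeyd config against it and the monitored IP range.  Added
# example for this article, not code from honeyd, nmap or the honeydFC4 archive;
# the sample texts below are constructed for the demonstration.
import ipaddress
import re

# Test lines of the first-generation nmap format honeyd 1.0 reads (assumption).
KNOWN_TESTS = {"TSeq", "T1", "T2", "T3", "T4", "T5", "T6", "T7", "PU"}
TEST_LINE = re.compile(r"^([A-Za-z0-9]+)\((.*)\)$")

def parse_fingerprints(text):
    """Return (prints, errors): prints is {name: {test: {key: value}}}, errors
    is [(lineno, message)] for every line the nmap 3.x layout does not allow."""
    prints, errors, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):].strip()
            prints[current] = {}
            continue
        if current is None:
            errors.append((lineno, "test line before any Fingerprint line"))
            continue
        if line.startswith("Class "):
            continue  # classification only, not needed for emulation
        match = TEST_LINE.match(line)
        if match is None:  # e.g. a missing closing parenthesis
            errors.append((lineno, "malformed test line: %s" % line))
            continue
        test, body = match.group(1), match.group(2)
        if test not in KNOWN_TESTS:
            errors.append((lineno, "unknown test %r" % test))
            continue
        attrs = {}
        for field in (body.split("%") if body else []):
            if "=" not in field:
                errors.append((lineno, "field %r is not key=value" % field))
                continue
            key, value = field.split("=", 1)
            attrs[key] = value  # an empty value such as Ops= is legal
        prints[current][test] = attrs
    return prints, errors

def check_config(config_text, prints, monitored):
    """Return [(lineno, problem)]: personalities missing from prints, binds to
    templates never created, bound IPs outside the 'first-last' arpd/honeyd range."""
    low, high = (ipaddress.ip_address(a.strip()) for a in monitored.split("-"))
    templates, problems = set(), []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if words[0] == "create" and len(words) == 2:
            templates.add(words[1])
        elif words[0] == "set" and len(words) >= 4 and words[2] == "personality":
            name = raw.split("personality", 1)[1].strip().strip('"')
            if name not in prints:
                problems.append((lineno, "personality %r not in fingerprint file" % name))
        elif words[0] == "bind" and len(words) == 3:
            ip, template = words[1], words[2]
            if template not in templates:
                problems.append((lineno, "bind to undefined template %r" % template))
            if not low <= ipaddress.ip_address(ip) <= high:
                problems.append((lineno, "%s is outside the monitored range" % ip))
    return problems

# Constructed sample; the second entry is deliberately broken (unclosed T1, unknown T9).
SAMPLE_PRINTS = """\
Fingerprint Microsoft Windows XP SP2
Class Microsoft | Windows | NT/2K/XP | general purpose
T1(DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
Fingerprint Broken Device 1.0
T1(DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT
T9(DF=N)
"""
MONITORED = "192.168.1.100-192.168.1.102"  # the range the article's scripts use
# A trimmed copy of the article's quick-start config, then a constructed one
# carrying one of each mistake the checker looks for.
GOOD_CONFIG = """\
create default
create template
set template personality "Microsoft Windows XP SP2"
add template tcp port 135 open
bind 192.168.1.100 template
bind 192.168.1.102 template
"""
BAD_CONFIG = """\
create template
set template personality "Microsoft Windows XP SP3"
bind 192.168.1.200 template
bind 192.168.1.101 ghost
"""

if __name__ == "__main__":
    prints, errors = parse_fingerprints(SAMPLE_PRINTS)
    print(errors, check_config(BAD_CONFIG, prints, MONITORED))
```

To check the real files, read /usr/local/share/honeyd/nmap.prints and honeyd.conf and pass their contents to the two functions together with the MONITOREDIP range from the start script; the line numbers in the output point at the offending entries, which is exactly what is missing when honeyd itself rejects the file.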
The results, using the previous scripts, are written in the /var/log/honeyd file.
This is a subject for another article. I am hoping to write it soon.
This document is copyrighted (c) 2005 by Calin Radoni. Permission is granted to copy and/or distribute this document.
No liability for the contents of this document can be accepted. Use the concepts, examples and information at your own risk. There may be errors and inaccuracies that could be damaging to your system. Proceed with caution; the author does not take any responsibility.
All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.