DataSoft / Honeyd

virtual honeypots
GNU General Public License v2.0

Not binding to specified MAC address #92

Open beave opened 8 years ago

beave commented 8 years ago

Hello,

After some punching around, I managed to get "honeyd" mostly working the way that I want. One thing that I have noticed is that I am unable to "set" the MAC address as per the documentation. For example, my configuration looks like this:

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet "00:1a:e2:bc:a0:01"
bind 10.55.5.200 windows

I can ping 10.55.5.200 and nmap it just fine. However, it appears not to be using the specified MAC address of "00:1a:e2:bc:a0:01". Below is the output.

From the workstation I am pinging from:

root@ubuntu:~# ping 10.55.5.200
PING 10.55.5.200 (10.55.5.200) 56(84) bytes of data.
64 bytes from 10.55.5.200: icmp_seq=1 ttl=128 time=20.1 ms
64 bytes from 10.55.5.200: icmp_seq=2 ttl=128 time=10.3 ms

From the Honeyd -d output:

honeyd[7531]: started with -P -d -f /etc/honeyd/champ.conf
honeyd[7531]: listening promiscuously on ens3: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:e0:4c:12:7e:93
honeyd[7531]: switching to polling mode
honeyd[7531]: Demoting process privileges to uid 65534, gid 65534
honeyd[7531]: Sending ICMP Echo Reply: 10.55.5.200 -> 10.55.5.250
honeyd[7531]: arp_send: who-has 10.55.5.250 tell 10.55.5.200
honeyd[7531]: arp_recv_cb: 10.55.5.250 at 00:e0:4c:12:7e:92
honeyd[7531]: Sending ICMP Echo Reply: 10.55.5.200 -> 10.55.5.250
honeyd[7531]: arp reply 10.55.5.200 is-at 00:1a:e2:be:cc:99

(Note the last line).

From the arp table of the "pinging" machine:

10.55.5.200 ether 00:1a:e2:be:cc:99 C eth0

The MAC is successful with "00:1a:e2:be:cc:99", but I would expect this to be "00:1a:e2:bc:a0:01" as per my template.

Is there any reason it's only using "part" of my specified MAC address?

Hopefully this makes sense. Thank you.

beave commented 8 years ago

I should point out, I am not using farpd.

Creased commented 8 years ago

Hi there, I've the same trouble...

I've tried with DataSoft version and the last from debian squeeze repos for testing purposes, it doesn't change anything...

My logical network architecture (very simplified) looks like this:

honeyd

My configuration file (i.e. /etc/honeypot/honeyd.conf):

# Default
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Debian
create debian
set debian personality "Linux 2.4.20"
set debian default tcp action block
set debian default udp action block
set debian default icmp action open
add debian tcp port 21 "sh /usr/share/honeyd/scripts/unix/linux/ftp.sh"
add debian tcp port 22 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/ssh.sh"
add debian tcp port 23 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/telnetd.sh"
add debian tcp port 25 "sh /usr/share/honeyd/scripts/unix/general/smtp.sh"
add debian tcp port 110 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/qpop.sh"
add debian tcp port 143 "sh /usr/share/honeyd/scripts/unix/linux/suse8.0/cyrus-imapd.sh"
set debian ethernet "00:0f:1f:f8:17:c7"
# For dynamic address assignment:
# dhcp debian on eth0
# For static address assignment:
bind 172.29.197.241 debian

honeyd daemon configuration file (i.e. /etc/default/farpd):

RUN="yes"

INTERFACE="eth0"

NETWORK="172.29.196.0/22"

OPTIONS="--disable-webserver"

farpd daemon configuration file (i.e. /etc/default/honeyd):

RUN="yes"

INTERFACE="eth0"

NETWORK="172.29.196.0/22"

Log:

# /etc/init.d/farpd restart
# honeyd -d -f /etc/honeypot/honeyd.conf -l /var/log/honeypot/honeyd.log -p /etc/honeypot/nmap.prints -a /etc/honeypot/nmap.assoc -0 /etc/honeypot/pf.os -x /etc/honeypot/xprobe2.conf -u 104 -g 106 --disable-webserver -i eth0 172.29.196.0/22

Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[11245]: started with -df /etc/honeypot/honeyd.conf -l /var/log/honeypot/honeyd.log -p /etc/honeypot/nmap.prints -a /etc/honeypot/nmap.assoc -0 /etc/honeypot/pf.os -x /etc/honeypot/xprobe2.conf -u 104 -g 106 --disable-webserver -i eth0 172.29.196.0/22
honeyd[11245]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip and (net 172.29.196.0/22))) and not ether src 00:0f:1f:f8:17:c7
honeyd[11245]: Demoting process privileges to uid 104, gid 106
honeyd[11245]: Sending ICMP Echo Reply: 172.29.197.241 -> 172.29.197.179
honeyd[11245]: arp_send: who-has 172.29.197.179 tell 172.29.197.241
honeyd[11245]: arp_recv_cb: 172.29.197.179 at 34:64:a9:2c:a3:68
honeyd[11245]: arp reply 172.29.197.241 is-at 00:0f:1f:35:3c:84
honeyd[11245]: update_connect_cb: connection failed: Invalid argument

As you can see, the arp reply doesn't match the configuration file. Otherwise, maybe you know how to fix the last printed error?

PS: It seems to be the same problem as in this post.

awaldow commented 8 years ago

It looks like honeyd is only using the vendor octets for MAC generation (the first three), if I had to guess. It's probably just something related to first time node generation, it's been long enough since I've looked at it that I can't be sure though. It could be that it has the right address in memory and then randomizes it when it's provisioning the node, which would be a bug. I would shoot the Nova support guys an email saying that honeyd is doing this and see what they say. Otherwise it's time to dive deep into honeyd.c and see where it would be happening. I imagine it's just an operation ordering issue.

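As an added example (not part of this issue or of Honeyd's own code), here is a small Python check an operator can run over a honeyd template and the daemon's -d log to catch exactly the symptom reported in this thread: an ARP reply whose MAC keeps only the first three octets (the OUI) of the configured address. The sample template and log lines below are constructed, modelled on the ones posted above; a honeypot whose advertised MAC drifts from its template is worth catching, since the MAC is part of the disguise the template is meant to provide.

```python
import re

# Constructed honeyd template and -d log lines, modelled on those in this issue.
SAMPLE_CONF = """create windows
set windows ethernet "00:1a:e2:bc:a0:01"
bind 10.55.5.200 windows
create debian
set debian ethernet "00:0f:1f:f8:17:c7"
bind 172.29.197.241 debian
"""
SAMPLE_LOG = """honeyd[7531]: arp reply 10.55.5.200 is-at 00:1a:e2:be:cc:99
honeyd[11245]: arp reply 172.29.197.241 is-at 00:0f:1f:35:3c:84
"""

# 'set <template> ethernet "<mac>"', 'bind <ip> <template>', and the log's ARP reply line.
ETHER_RE = re.compile(r'^set\s+(\S+)\s+ethernet\s+"([0-9a-f:]{17})"', re.I)
BIND_RE = re.compile(r'^bind\s+(\d+(?:\.\d+){3})\s+(\S+)')
ARP_RE = re.compile(r'arp reply\s+(\d+(?:\.\d+){3})\s+is-at\s+([0-9a-f:]{17})', re.I)

def expected_macs(conf):
    """Map each bound IP to the MAC its template declares via 'set <t> ethernet'."""
    tmpl_mac, bound = {}, {}
    for line in conf.splitlines():
        m = ETHER_RE.match(line.strip())
        if m:
            tmpl_mac[m.group(1)] = m.group(2).lower()
        m = BIND_RE.match(line.strip())
        if m:
            bound[m.group(1)] = m.group(2)
    return {ip: tmpl_mac[t] for ip, t in bound.items() if t in tmpl_mac}

def observed_macs(log):
    """Map each IP honeyd answered an ARP request for to the MAC it advertised."""
    return {m.group(1): m.group(2).lower() for m in ARP_RE.finditer(log)}

def check(conf, log):
    """Verdict per bound IP: 'ok', 'oui-only' (the symptom here), 'mismatch', 'no-arp-seen'."""
    observed = observed_macs(log)
    verdicts = {}
    for ip, want in expected_macs(conf).items():
        got = observed.get(ip)
        if got is None:
            verdicts[ip] = 'no-arp-seen'
        elif got == want:
            verdicts[ip] = 'ok'
        elif got[:8] == want[:8]:  # first three octets (the OUI) agree, rest differs
            verdicts[ip] = 'oui-only'
        else:
            verdicts[ip] = 'mismatch'
    return verdicts
```

Running check(SAMPLE_CONF, SAMPLE_LOG) reports 'oui-only' for both sample hosts, matching what the two reporters observed.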

cvasilatos commented 8 months ago

Any update on this?