sookyp / honeyd-python


How to add a new service or port? #4

Open bbxc opened 6 years ago

bbxc commented 6 years ago

How to add a new service or port?

uc berkeley 4.3bsd 4.3BSD

but "netstat -alp" cannot find the listening port!

sookyp commented 6 years ago

Hi @bbxc,

you can create new services for a specific device using the service tag. It requires 3 attributes: protocol, port, and execute. These services basically determine how the honeypot should respond to different types of network traffic.

Once you have created the devices you need in your virtual network, you have to assign them an IP address. The bind tag serves this purpose; its ip attribute accepts strings formatted as an IPv4 address. Essentially, this tells the honeypot to behave according to the services mentioned above only when the intercepted packets are addressed to one of the IP addresses listed in the bind tags. Of course, the devices have to be accessible from your defined entry point in the virtual network.

TL;DR:

In short, <service protocol="tcp" port="21" execute="closed"/> tells the honeypot to respond to intercepted TCP packets addressing port 21 in a way that would be expected from a machine running the operating system given in the personality tag having a closed port. For every other protocol-port combination not listed in the service tags, the default behavior defined by the action tag takes place. In order to interact with these machines in your virtual network, you have to assign them an IP address using bind tags.

As for netstat, all services are emulated, so these won't show up in netstat output. The traffic is intercepted by the farpd daemon, which executes ARP poisoning on the defined address range. Then the honeypot simply executes a live capture on the given network interface.

I hope this helps clear up any confusion.
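The lookup order described in the answer above (bound address first, then an explicit service entry, then the default action), sketched as an added example that is not part of the thread or of honeyd-python's own code. The `<device>` wrapper, the flat nesting, the per-protocol attributes on `action`, and every value other than `closed` are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample. From the thread: service (protocol, port, execute),
# bind (ip), personality, action. Assumed: the <device> wrapper, the flat
# nesting, per-protocol attributes on <action>, and every execute/action
# value other than "closed".
SAMPLE = """
<device>
  <personality>4.3BSD</personality>
  <action tcp="filtered" udp="filtered"/>
  <service protocol="tcp" port="21" execute="closed"/>
  <service protocol="tcp" port="23" execute="open"/>
  <bind ip="192.0.2.5"/>
  <bind ip="192.0.2.6"/>
</device>
"""

def load_device(xml_text):
    """Parse one device into lookup tables, rejecting malformed entries."""
    root = ET.fromstring(xml_text)
    services = {}
    for svc in root.iter("service"):
        port = int(svc.get("port"))
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        services[(svc.get("protocol").lower(), port)] = svc.get("execute")
    action = root.find("action")
    defaults = dict(action.attrib) if action is not None else {}
    # bind ip must be an IPv4 address string; IPv4Address raises otherwise
    binds = {ipaddress.IPv4Address(b.get("ip")) for b in root.iter("bind")}
    return {"services": services, "defaults": defaults, "binds": binds}

def resolve(device, dst_ip, protocol, port):
    """Behaviour for one intercepted packet; None if dst_ip is not bound."""
    if ipaddress.IPv4Address(dst_ip) not in device["binds"]:
        return None  # not one of this device's addresses
    protocol = protocol.lower()
    explicit = device["services"].get((protocol, port))
    # Unlisted protocol/port pairs fall through to the default action.
    return explicit if explicit is not None else device["defaults"].get(protocol)

if __name__ == "__main__":
    dev = load_device(SAMPLE)
    for pkt in [("192.0.2.5", "tcp", 21), ("192.0.2.5", "tcp", 8080),
                ("192.0.2.9", "tcp", 21)]:
        print(pkt, "->", resolve(dev, *pkt))
```

None of these decisions opens a socket on the host, which is why a socket listing such as netstat has nothing to show for the emulated ports.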