5.3. Honeypots

Currently, the low-interaction honeypots are based on honeyd. They are intended only as targets for port scans. For details about the honeypot configuration, see the configuration template.

The honeypots request their IP addresses via DHCP, as the honeyd log shows:

Apr 24 10:09:35 test-bench honeyd[1077]: [eth0] got DHCP offer: 10.0.0.133
Apr 24 10:09:35 test-bench honeyd[1077]: [eth0] got DHCP offer: 10.0.0.134
Apr 24 10:09:35 test-bench honeyd[1077]: [eth0] got DHCP offer: 10.0.0.135

A fast nmap scan shows details about the honeypots:

$ sudo nmap -sVT 10.0.0.133 10.0.0.134 10.0.0.135

Starting Nmap 6.25 ( http://nmap.org ) at 2013-04-24 23:26 CEST
Nmap scan report for 10.0.0.133
Host is up (0.022s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE       VERSION
135/tcp open  msrpc?
139/tcp open  netbios-ssn?
445/tcp open  microsoft-ds?

Nmap scan report for 10.0.0.134
Host is up (0.016s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE       VERSION
80/tcp  open  http?
135/tcp open  msrpc?
139/tcp open  netbios-ssn?
445/tcp open  microsoft-ds?

Nmap scan report for 10.0.0.135
Host is up (0.015s latency).
Not shown: 994 closed ports
PORT    STATE SERVICE    VERSION
21/tcp  open  tcpwrapped
22/tcp  open  tcpwrapped
23/tcp  open  tcpwrapped
25/tcp  open  smtp       Sendmail 8.12.2/8.12.2/SuSE
110/tcp open  tcpwrapped
143/tcp open  tcpwrapped
Service Info: Host: test-bench.; OS: Unix

Nmap done: 3 IP addresses (3 hosts up) scanned in 163.53 seconds
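
A check one could run after deployment, as an added example that is not part of the original documentation: it extracts the addresses honeyd obtained by DHCP and confirms that each one appears in nmap's normal output with at least one open port. The function names are hypothetical, and the sample input is constructed from the output shown above, trimmed so that 10.0.0.135 is missing from the scan.

```python
import re

# Constructed sample input (function names below are hypothetical): the honeyd
# log from above, and scan output trimmed so that 10.0.0.135 is missing.
HONEYD_LOG = """\
Apr 24 10:09:35 test-bench honeyd[1077]: [eth0] got DHCP offer: 10.0.0.133
Apr 24 10:09:35 test-bench honeyd[1077]: [eth0] got DHCP offer: 10.0.0.134
Apr 24 10:09:35 test-bench honeyd[1077]: [eth0] got DHCP offer: 10.0.0.135
"""
NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.133
135/tcp open  msrpc?
139/tcp open  netbios-ssn?
445/tcp open  microsoft-ds?

Nmap scan report for 10.0.0.134
80/tcp  open  http?
135/tcp open  msrpc?
"""

OFFER_RE = re.compile(r"honeyd\[\d+\]: \[\w+\] got DHCP offer: (\d+\.\d+\.\d+\.\d+)\s*$")
REPORT_RE = re.compile(r"Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?\s*$")
PORT_RE = re.compile(r"(\d+)/(?:tcp|udp)\s+open\s")

def leased_addresses(log_text):
    """Return the IPs honeyd logged as DHCP offers, deduplicated, in log order."""
    ips = []
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if m and m.group(1) not in ips:
            ips.append(m.group(1))
    return ips

def open_ports(nmap_text):
    """Map each host in nmap's normal output to the set of ports listed as open."""
    hosts, current = {}, None
    for line in nmap_text.splitlines():
        report, port = REPORT_RE.match(line), PORT_RE.match(line)
        if report:
            current = report.group(1)
            hosts[current] = set()
        elif port and current:
            hosts[current].add(int(port.group(1)))
    return hosts

def unverified(log_text, nmap_text):
    """Leased honeypot IPs that are absent from the scan or show no open port."""
    scanned = open_ports(nmap_text)
    return [ip for ip in leased_addresses(log_text) if not scanned.get(ip)]
```

An empty list from `unverified()` means every DHCP-leased honeypot answered the scan with at least one open port.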