Posted at 11.20.2018
As an open-source solution, honeyd does not offer any support or graphical user interface for installation or configuration. The source code has to be downloaded from the honeyd website and compiled, and the honeyd binary and configuration files installed. The honeyd binary can then be run from the command-line prompt of the Linux system in use. A second, more convenient way is to install the honeyd package as root with the command:
sudo apt-get install honeyd
To function correctly, honeyd also requires the following libraries to be installed:
libevent: a software library providing asynchronous event notification
libnet: a lightweight library used for network packet construction
libpcap: a library used for capturing packets travelling through a network
Honeyd includes numerous scripts written in the scripting languages Python and Perl, by both Niels Provos and other contributors, which are used to emulate services on the appropriate ports of the virtual honeypots.
Although installing and running honeyd might seem fairly simple, it is a rather complicated program with a variety of command-line parameters affecting its behaviour. After it has been correctly installed on our system, the following command is used to start honeyd:
honeyd -p /etc/honeyd/nmap.prints -d -f /etc/honeyd/honeyd_thesis.conf
In the following, the options used above are described in detail. The first word, honeyd, instructs the Linux kernel to execute the honeyd binary. The -p option gives the path name of the Nmap fingerprint file (here: nmap.prints), which provides the Nmap signature database that honeyd uses to emulate different operating systems at the network stack level. This dictates how honeyd will behave towards attackers, depending on the emulated operating system. The -d flag makes honeyd run in debug mode, with all current messages being printed on the terminal. This is useful when testing honeyd and observing its operation on the fly. Omitting this flag causes honeyd to run as a daemon process in the background. Another important command-line parameter, not used above, is the -i flag. This flag is used when the computer system hosting the virtual honeypots has more than one network interface. In that case, the -i flag should be used to denote which interface or interfaces are the ones receiving network traffic for the virtual honeypots.
Finally, the -f command-line parameter is probably the most important one, as it lies at the centre of the honeyd configuration. The -f flag gives honeyd the path name of the configuration file (here: honeyd_thesis.conf) where all information about the virtual honeypots is held, such as which operating systems are used and which services should be emulated on each honeypot. Honeyd's configuration file is a simple text-based file written in a context-free configuration language that can be described in Backus-Naur Form (BNF). Although quite simple, it offers a wide variety of options when it comes to configuring the virtual honeypots. Its main role is to designate the IP addresses on which the virtual hosts will be running, waiting for the attackers' probes, and which services should be emulated on each of them.
Templates constitute the core of the configuration files for virtual honeypots. Honeyd works via the creation of templates, which describe and simulate specific computer systems configured in great detail. The first step taken to generate a virtual honeypot is to create a corresponding template that identifies the defining characteristics of the honeypot, such as the simulated operating system, the ports on which the honeypot will listen and the services being emulated. After that, an IP address is assigned to the template, creating the honeypot and operating it at that specific network address. The command to create a new template is create, and the parameter entered should be a name reflecting the system intended to be simulated. Each template must have a different name. Another parameter that can be used is default. This is used in case honeyd does not find any template matching the destination IP address of a packet, which is convenient when there is a need for assigning several IP addresses to a common template rather than assigning each template to a unique address.
Following the creation of a template, the configuration commands define how the virtual honeypot will behave. The set and add commands are used to specify the behaviour of the configured honeypot. The first feature to be defined by the set command is the operating system, or personality, from the Nmap fingerprint database, which determines the way the computer system will act at the IP network stack level. The personality determines the form of the replies honeyd will send back, along with other details such as the TCP sequence numbers, the TCP timestamps and others. It can be chosen from a large number and variety of well-known operating systems like Linux, FreeBSD, Mac OS, Microsoft Windows, Cisco IOS, etc.
The set command can also determine the default behaviour of the template with regard to the supported network protocols (TCP, UDP, ICMP), i.e. the way the template reacts to probes at ports that are unassigned. The action taken can be one of three options:
Open: this signifies that all ports for this network protocol are open by default. This setting applies only to TCP and UDP connections
Block: this indicates that the ports will ignore any incoming connections and packets aimed at them will be dropped by default.
Reset: this means that all ports for the given protocol are closed by default. For a TCP port, honeyd will reply with a TCP RST packet to a SYN packet, whereas for a UDP port it replies with a port unreachable message.
Finally, honeyd gives the option to spoof the uptime of a host, i.e. the duration of time since the system was booted. The set uptime command does exactly that. If no uptime is specified, honeyd assumes a random value of up to 20 days.
Following the set command come the add commands. The add commands constitute the heart of the template, as they are the ones that specify which applications will be running on each port and which services can be remotely accessed by the outside world. The syntax of the add command requires specifying the network protocol, the port number and an action. As we see in the configuration mentioned above, the options open, block and reset used for the default behaviour of the template can also be applied on a per-port basis. The key difference is that, apart from just opening or closing ports, predefined scripts can be called to emulate different services on different ports. This possibility of integrating scripts written in programming languages into the honeyd configuration gives virtual honeypots a higher degree of realism. A realistic service to which an adversary can talk can yield much more detailed information about an attacker. Evidently, the more scripts running on ports, the higher the chances of interacting with attackers.
The following example from our configuration file starts a telnet emulation service for TCP connections on port 23:
add Linux1 tcp port 23 "/usr/share/honeyd/scripts/unix/linux/suse8.0/telnetd.sh"
When a remote host attempts to establish a connection with the above Linux1 template-personality on port 23, honeyd starts a new process executing the shell script ./telnetd.sh. The script receives input data via stdin and sends replies back to the sender via its stdout. Apart from TCP connections, scripts can also be used to interact with remote users through UDP connections. It is important to point out that when honeyd receives a new connection on one of its honeypots' ports, it forks (starts) a new process that executes the given script. This can sometimes be quite risky, as it could lead to a performance bottleneck if the virtual honeypots get overwhelmed with network traffic, e.g. if deployed in a busy network.
The last command that must be issued to successfully configure the virtual honeypot is the bind command, whose role is to bind the created template to the IP address on which it will be operating virtually.
The ethernet option of the set command can be used to explicitly assign a unique MAC address to each configured template. As stated earlier, physical addresses are essential for network communication, and via proxy ARP the honeyd host can reply with its own MAC address to the ARP requests regarding the honeypots. A drawback of this is that attackers can easily realise the presence of virtual machines, as all the IP addresses of the honeypots will map to one MAC address. Using the set ethernet command, this risk is eliminated and there is no need to configure proxy ARP, as honeyd takes care of all the ARP procedures. Attention should be paid to avoiding any MAC address collisions when assigning them to the virtual hosts, as physical addresses must be unique for each system.
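The commands just described (create, set personality, set default action, set uptime, set ethernet, add ... port, bind) fit together into one configuration file. The following Python script, added here as an example and not part of honeyd or of the original thesis, parses such a file and checks the constraints the text mentions before honeyd is started: every template name is unique, set and add refer to a template that has already been created, a MAC address given with set ethernet is well-formed and not reused by another template, and bind only refers to existing templates. The embedded SAMPLE_CONFIG is constructed for this example; the template name Linux1, the personality string, the uptime value, the MAC and IP addresses and the script path are illustrative values, not taken from a real deployment.

```python
"""Check a honeyd configuration before starting the daemon.
Added example, not part of honeyd or of the original page; SAMPLE_CONFIG is
constructed from the create / set / add / bind forms described above, and
its personality, uptime, MAC, IP address and script path are illustrative."""
import re
import shlex
from collections import Counter

SAMPLE_CONFIG = """\
# constructed sample: a catch-all template plus one Linux honeypot
create default
set default default tcp action block
set default default udp action block
set default default icmp action block
create Linux1
set Linux1 personality "Linux 2.4.20"
set Linux1 default tcp action reset
set Linux1 default udp action reset
set Linux1 uptime 1728650
set Linux1 ethernet "00:00:24:ab:8c:12"
add Linux1 tcp port 23 "/usr/share/honeyd/scripts/unix/linux/suse8.0/telnetd.sh"
add Linux1 tcp port 80 open
add Linux1 tcp port 22 block
bind 192.168.1.10 Linux1
"""
ACTIONS = {"open", "block", "reset"}
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def _apply_set(tpl, rest, lineno, problems):
    """Clauses after 'set <template>': personality, default action, uptime, ethernet."""
    if len(rest) >= 2 and rest[0] == "personality":
        tpl["personality"] = " ".join(rest[1:])
    elif len(rest) == 4 and rest[0] == "default" and rest[2] == "action":
        proto, action = rest[1], rest[3]
        if proto not in ("tcp", "udp", "icmp") or action not in ACTIONS:
            problems.append(f"line {lineno}: bad default action '{proto} {action}'")
        elif proto == "icmp" and action == "open":
            problems.append(f"line {lineno}: 'open' applies only to tcp and udp")
        else:
            tpl["defaults"][proto] = action
    elif len(rest) == 2 and rest[0] == "uptime" and rest[1].isdigit():
        tpl["uptime"] = int(rest[1])            # seconds since the simulated boot
    elif len(rest) == 2 and rest[0] == "ethernet" and MAC_RE.match(rest[1]):
        tpl["ethernet"] = rest[1].lower()
    else:
        problems.append(f"line {lineno}: unrecognised set clause {' '.join(rest)!r}")


def _apply_add(tpl, rest, lineno, problems):
    """'add <template> tcp|udp port <n> <open|block|reset|"script path">'."""
    if len(rest) != 4 or rest[1] != "port" or rest[0] not in ("tcp", "udp"):
        problems.append(f"line {lineno}: expected 'add <tpl> tcp|udp port <n> <action>'")
        return
    proto, port, action = rest[0], rest[2], rest[3]
    if not port.isdigit() or not 0 < int(port) < 65536:
        problems.append(f"line {lineno}: invalid port {port!r}")
        return
    tpl["ports"][(proto, int(port))] = action   # open/block/reset or a script path


def parse_config(text):
    """Return (templates, binds, problems) for a honeyd configuration text."""
    templates, binds, problems = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)  # keeps quoted strings together
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "create" and len(args) == 1:
            if args[0] in templates:
                problems.append(f"line {lineno}: template {args[0]!r} created twice")
            templates.setdefault(args[0], {"personality": None, "ethernet": None,
                                           "uptime": None, "defaults": {}, "ports": {}})
        elif cmd in ("set", "add"):
            if not args or args[0] not in templates:
                problems.append(f"line {lineno}: {cmd} refers to a template not yet created")
            elif cmd == "set":
                _apply_set(templates[args[0]], args[1:], lineno, problems)
            else:
                _apply_add(templates[args[0]], args[1:], lineno, problems)
        elif cmd == "bind" and len(args) == 2:
            binds.append((args[0], args[1], lineno))
        else:
            problems.append(f"line {lineno}: unrecognised command {raw.strip()!r}")
    return templates, binds, problems


def validate(text):
    """Return the list of problems found; an empty list means the file passed."""
    templates, binds, problems = parse_config(text)
    macs = Counter(t["ethernet"] for t in templates.values() if t["ethernet"])
    for mac, n in macs.items():
        if n > 1:
            problems.append(f"MAC address {mac} assigned to {n} templates; it must be unique")
    for name, tpl in templates.items():
        if name != "default" and tpl["personality"] is None:
            problems.append(f"template {name!r} has no personality from the Nmap fingerprint file")
    for addr, name, lineno in binds:
        if name not in templates:
            problems.append(f"line {lineno}: bind to unknown template {name!r}")
    return problems


if __name__ == "__main__":
    print(validate(SAMPLE_CONFIG) or "configuration OK")
```

Running the script on SAMPLE_CONFIG reports no problems; appending a second template that reuses the same MAC address, sets an ICMP default of open, or is bound under a name that was never created produces one message per fault, which is cheaper to find here than by watching honeyd refuse to start under -d.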
The Honeyd framework comes with a built-in mechanism for gathering information about the connection attempts launched by adversaries targeting the virtual honeypots. Honeyd is able to populate files with log information for both connection attempts by attackers and established connections for all protocols. The command line used to log the network activity of the virtual honeypots is the following:
:/etc/honeypot$ honeyd -p /etc/honeyd/nmap.prints -d -f /etc/honeyd/honeyd_thesis.conf -l thesis.log
The -l command-line option enables packet-level logging in honeyd. It takes only one parameter, the log file that will be used to store the connection logs; in this case, the log file thesis.log. It is important that the directory where the log file resides is writable by the user running honeyd. The log file contains information about the time a connection was attempted, the source IP address and port of the attacker trying to connect, the destination IP address and port of the virtual honeypot under attack, the protocol involved and, when the attempt is successful and the connection is eventually established, the start and end times of the connection, along with other information such as the total number of bytes sent.
Packet-level log files can be extremely useful when used in combination with data mining tools. They offer a great deal of helpful information about the connection attempts launched by adversaries. Scripts written in Perl, Python or other programming languages can extract useful information and statistics from the log files, such as the number of IP addresses probing our virtual honeypots on a daily basis, a list of the most frequently attacked ports and other data giving a picture of the attackers' scanning activity against the virtual hosts. Such log files can get extremely large over time, and care should be taken regarding the processing capabilities of the data mining tools used in each case.
Apart from packet-level logging, honeyd also provides the option of service-level logging. Whereas packet-level logging gives a general view of the entire network traffic handled by the virtual honeypots, service-level log files give a more detailed view of the ongoing sessions. When scripts emulating services on different ports are used in the honeypots and these scripts have additional logging features, a great deal of interesting information can be obtained about the attackers' activities and the methods they use to take a system under their control.
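As an illustration of the kind of script mentioned above, the following Python program (added here; it is not honeyd's own tooling and not from the original thesis) parses honeyd -l log lines and produces the two statistics named in the text: the number of distinct IP addresses probing the honeypots per day and the most frequently targeted ports. The sample lines are constructed, and the field layout they follow (timestamp, protocol, an S/E/- marker for connection start, connection end or a lone packet, source address and port, destination address and port, then connection details) is the log format as understood here; confirm it against a real thesis.log before running the parser on production data.

```python
"""Summarise a honeyd packet-level log (-l) with a small Python script.
Added example, not honeyd's own tooling and not from the original page. The
log lines below are constructed; their layout follows the honeyd log format
as understood here and should be checked against a real thesis.log first."""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2018-11-20-08:15:02.1041 tcp(6) S 203.0.113.7 41022 192.168.1.10 23 [Linux 2.4.20]
2018-11-20-08:15:09.5520 tcp(6) E 203.0.113.7 41022 192.168.1.10 23: 134 812
2018-11-20-08:16:40.0013 tcp(6) S 203.0.113.7 41023 192.168.1.10 22 [Linux 2.4.20]
2018-11-20-09:02:11.7781 tcp(6) - 198.51.100.9 55110 192.168.1.10 445: 48 S [Windows XP]
2018-11-20-09:02:12.0102 tcp(6) - 198.51.100.9 55111 192.168.1.10 445: 48 S [Windows XP]
2018-11-20-09:30:00.3310 udp(17) - 198.51.100.9 5000 192.168.1.10 161: 60
2018-11-20-10:00:05.1100 icmp(1) - 203.0.113.7 192.168.1.10: 8(0): 84
2018-11-21-01:12:44.9000 tcp(6) S 198.51.100.9 60001 192.168.1.10 23 [Windows XP]
2018-11-21-01:13:01.2000 tcp(6) E 198.51.100.9 60001 192.168.1.10 23: 20 301
2018-11-21-02:45:10.0000 tcp(6) - 192.0.2.33 4444 192.168.1.10 445: 48 S
"""


def parse_line(line):
    """Turn one log line into a dict, or return None for lines that do not fit."""
    tokens = line.split()
    if len(tokens) < 5 or "(" not in tokens[1]:
        return None
    proto = tokens[1].split("(")[0]
    rec = {"date": tokens[0][:10], "time": tokens[0][11:], "proto": proto,
           "marker": tokens[2], "src": tokens[3]}
    if proto == "icmp":                       # ICMP lines carry no ports
        rec.update(sport=None, dst=tokens[4].rstrip(":"), dport=None, rest=tokens[5:])
    else:
        if len(tokens) < 7:
            return None
        rec.update(sport=int(tokens[4]), dst=tokens[5],
                   dport=int(tokens[6].rstrip(":")), rest=tokens[7:])
    return rec


def parse_log(text):
    """All parseable records of a log text, in file order."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def sources_per_day(records):
    """Number of distinct probing IP addresses seen on each day."""
    seen = defaultdict(set)
    for r in records:
        seen[r["date"]].add(r["src"])
    return {day: len(ips) for day, ips in sorted(seen.items())}


def top_ports(records, n=5):
    """Most frequently targeted (protocol, port) pairs. An E line closes a
    connection already counted by its S line, so E lines are skipped."""
    hits = Counter((r["proto"], r["dport"]) for r in records
                   if r["marker"] != "E" and r["dport"] is not None)
    return hits.most_common(n)


def established(records):
    """Connections honeyd actually set up (S marks the start of a connection)."""
    return sum(1 for r in records if r["marker"] == "S")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("probing IPs per day:", sources_per_day(recs))
    print("top ports:", top_ports(recs, 3))
    print("established connections:", established(recs))
```

Because the parser works line by line and keeps only small counters, it scales to the very large log files the text warns about; reading the file with a loop instead of loading it whole keeps memory flat.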
As an open-source low-interaction honeypot, honeyd presents a great selection of interesting features, as mentioned above. Being an open-source software tool means that its distribution is free and anyone can get access to the source code. This means that individuals and teams belonging to the network security community can customise and contribute to its source code, adding more emulated services that improve the interaction level between the attacker and the virtual honeypots, providing us with even more information about the methods they use to break into systems. Over the coming years we can expect an exponential growth in our ability to capture malicious behaviour via honeyd. On the other hand, being an open-source solution, honeyd does not offer any support for maintenance or troubleshooting from an official source.
As a low-interaction honeypot, honeyd is mainly deployed as a production honeypot used to detect and capture network attacks. No real, complete operating system is offered, and adversaries are limited to the network services emulated by the scripts. Thus, honeyd introduces a low risk to an organisation's overall security when deployed. A honeypot identified by the attacker becomes worthless, so camouflaging honeyd is an issue that needs to be tackled. Xinwen Fu et al. showed that an adversary can fingerprint honeyd by measuring the latency of the simulated links, and proposed a camouflaged honeyd capable of behaving like its surrounding network environment.
Another concern to be addressed is the scripts emulating network services in honeyd. These need to be written by hand, and for this reason not many scripts exist. Corrado Leita et al. have proposed a method that can alleviate this problem by automatically creating new scripts. Finally, the fact that no built-in alerting system exists in honeyd, as well as the fact that only a command-line interface is offered, are two shortcomings of its design. Chao-Hsi Yeh et al. in their work have suggested a Graphical User Interface (GUI) for honeyd offering a variety of interesting features.
Dionaea is an open-source low-interaction honeypot that can be further categorised as a malware collector honeypot. The aim of these low-interaction honeypots is to present vulnerabilities on specific services, in order to attract malware spreading across the network and, if possible, capture and download a copy of the malware.
As nowadays the number of malware attacks is increasing, these copies can be very useful for monitoring and inspecting the behaviour of the malware in a safe environment and for finding defensive security solutions. In the literature, two means of malware analysis have been proposed, static and dynamic analysis. As their names suggest, static analysis is simply the process of reading the code and trying to figure out the purpose of the malware, while dynamic analysis includes the execution of the malware's code in a secure manner. Usually, these two types of analysis are combined, and the output of the static analysis can be quite useful for the dynamic one.
The collected malware copies are usually stored in the form of a binary file. Malware collectors such as Dionaea can download a great number of binaries, although in many cases these files may represent the same malware. A binary must have a different MD5 hash in order to be characterised as unique. From the perspective of detection, two types have been proposed: detection of existing malware based on patterns or samples, and zero-day detection strategies. Zero-day malware is defined as "a malicious software which is not detected by anti-virus programs due to lack of existing virus signatures or other malware detection techniques".
Dionaea is known as the successor of Nepenthes. The main improvements in the features of the new malware collector compared to Nepenthes include:
the protocol implementation in the Python scripting language
the use of the libemu library for shellcode detection instead of pattern matching, which requires a copy of the shellcode and thus makes the detection of zero-day malware difficult
support for IPv6 addresses and TLS encryption
development of the VoIP module
As mentioned above, Dionaea's developers used Python to implement the network protocols. This choice allows an easier implementation compared to the C language, for instance. However, the main reason for this choice was to cope with the new generation of malware that uses APIs to access services.
SMB is the basic protocol supported by Dionaea. The SMB (Server Message Block) protocol runs on port 445 and is used by Windows operating systems for file and printer sharing over TCP. Akamai's internet report for the second and third quarter of 2012 (figure 3) shows that port 445 was the most targeted port in this period, as it attracted almost one third of the total network attack traffic.
Figure. Percentage of global internet attack traffic during the 2nd and 3rd quarter of 2012, by targeted ports
The SMB protocol has known vulnerabilities and is a common target, especially for worms. That is the reason for which it was chosen by the developers of Dionaea as the main protocol and, as will be shown in the next chapter, the majority of the captured copies of malware came from that port.
Other important protocols that Dionaea supports are the following:
HTTP and secure HTTP (HTTPS) are also supported on port 80
FTP, although the probability of an attack on an FTP service is quite low. Dionaea supports the FTP protocol on port 21. It implements an FTP server which can create directories and also upload/download files
TFTP, a TFTP server is provided on port 69 and is implemented to test the UDP connection code
MSSQL, Dionaea also emulates a Microsoft SQL server on port 1433. Attackers are able to log in to the server, but as there is no real database provided by Dionaea, there is no further interaction
MySQL, Dionaea also implements the MySQL wire stream protocol on port 3306
SIP, as stated above a new module supporting VoIP was added to Dionaea. The VoIP protocol implemented is SIP. The operation of this module consists in waiting for incoming SIP messages, logging all data and replying appropriately to the requests. Only when malicious messages are detected does Dionaea pass the code to the emulation engine.
The main function of Dionaea is to detect and analyse the payload offered by the attacker in order to obtain a copy of the malware. To achieve this, Dionaea offers different ways of interacting with the attacker. For example, it can offer a cmd.exe command prompt window to the attacker and respond accordingly to the input commands, or use the URLDownloadToFile API to obtain a file through HTTP. If the previous operation is successful, Dionaea knows the location of the file that the attacker will try to send and attempts to download the file. One very interesting feature of Dionaea is that it can send the downloaded file to a third party for further analysis rather than simply storing it on disk.
Dionaea is also a great monitoring tool. It records all the activities on the ports it listens on, but also keeps a record of connections to other ports. All these recorded data are kept in a log file in text format. Although we can choose the format of the log file, for instance filter the log messages or sort the events from the most recent to the least recent, it is still quite difficult to read and gain useful information from it. Therefore, Dionaea creates an sqlite database with all the recorded activities and makes it easier for the user to make queries and obtain useful information from the honeypot.
From the log file we can retrieve useful data to understand the operation of the honeypot. Dionaea records three types of connections: reject, accept and connect. Connection attempts to the ports that Dionaea does not listen on are marked as 'reject'. On the other hand, attempts to monitored ports are marked as either 'connect' or 'accept'. In any case, Dionaea records in the log file, and additionally in the sqlite database, valuable information about these connections, including the timestamp of the connection, the IP addresses of the local and remote host and the corresponding ports and protocols.
Apart from the information about the connections, Dionaea also keeps other significant tables in the database, such as the downloads table, which contains information about the id of the connection, the URL from which the malware was downloaded and also the md5 hash of the download.
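To show how the connections and downloads tables can be queried once the activity sits in sqlite, here is an added Python example (not part of Dionaea and not from the original thesis). It creates an in-memory database whose two tables model the columns described above, in a simplified layout that should be checked against the schema of the installed Dionaea version, fills them with constructed rows and computes the counts a practitioner wants first: connections per type (reject, accept, connect), the number of unique binaries by distinct md5 hash (two downloads of the same bytes from different URLs count once), downloads per honeypot port and the most active remote hosts. The payloads, addresses and URLs are all constructed.

```python
"""Query a Dionaea-style sqlite database for connection and download statistics.
Added example, not part of Dionaea and not from the original page. The table
layout is a simplified model of Dionaea's connections and downloads tables as
described above; the real schema has more columns and should be checked first.
All rows and both payloads are constructed for this example."""
import hashlib
import sqlite3

SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY,
    connection_type TEXT,        -- reject, accept or connect
    connection_transport TEXT,   -- tcp or udp
    connection_protocol TEXT,    -- emulated service, e.g. smbd
    connection_timestamp INTEGER,
    local_host TEXT, local_port INTEGER,
    remote_host TEXT, remote_port INTEGER);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY,
    connection INTEGER REFERENCES connections(connection),
    download_url TEXT,
    download_md5_hash TEXT);
"""


def md5_hex(data):
    """md5 of a captured binary: Dionaea's identity for a downloaded sample."""
    return hashlib.md5(data).hexdigest()


# Constructed payloads: PAYLOAD_A is served from two different hosts, so its two
# downloads must collapse to one unique binary; PAYLOAD_B is a second sample.
PAYLOAD_A = b"MZ\x90\x00constructed-sample-A" * 16
PAYLOAD_B = b"MZ\x90\x00constructed-sample-B" * 16

CONNECTIONS = [  # constructed rows
    (1, "accept", "tcp", "smbd", 1542700000, "10.0.0.5", 445, "203.0.113.7", 49152),
    (2, "accept", "tcp", "smbd", 1542700300, "10.0.0.5", 445, "198.51.100.9", 51000),
    (3, "accept", "tcp", "httpd", 1542701000, "10.0.0.5", 80, "192.0.2.33", 40001),
    (4, "reject", "tcp", "pcap", 1542701500, "10.0.0.5", 3389, "192.0.2.33", 40002),
    (5, "connect", "tcp", "httpd", 1542702000, "10.0.0.5", 0, "203.0.113.7", 80),
]
DOWNLOADS = [  # constructed rows; md5 values are computed, not typed in
    (1, 1, "http://203.0.113.7/update.exe", md5_hex(PAYLOAD_A)),
    (2, 2, "tftp://198.51.100.9/update.exe", md5_hex(PAYLOAD_A)),
    (3, 3, "http://192.0.2.33/loader.bin", md5_hex(PAYLOAD_B)),
]


def build_sample_db():
    """In-memory database filled with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO connections VALUES (?,?,?,?,?,?,?,?,?)", CONNECTIONS)
    conn.executemany("INSERT INTO downloads VALUES (?,?,?,?)", DOWNLOADS)
    conn.commit()
    return conn


def connection_type_counts(conn):
    """How many reject / accept / connect rows the honeypot recorded."""
    rows = conn.execute("SELECT connection_type, COUNT(*) FROM connections "
                        "GROUP BY connection_type")
    return dict(rows.fetchall())


def unique_binaries(conn):
    """Distinct md5 hashes: the measure of unique malware samples collected."""
    return conn.execute("SELECT COUNT(DISTINCT download_md5_hash) FROM downloads").fetchone()[0]


def downloads_by_port(conn):
    """Number of downloads obtained through each honeypot port, busiest first."""
    rows = conn.execute("""
        SELECT c.local_port, COUNT(*) AS n
        FROM downloads d JOIN connections c ON c.connection = d.connection
        GROUP BY c.local_port ORDER BY n DESC, c.local_port""")
    return rows.fetchall()


def top_remote_hosts(conn, n=3):
    """Remote hosts with the most inbound records (Dionaea's own outbound
    'connect' rows are excluded so they do not count as attackers)."""
    rows = conn.execute("""
        SELECT remote_host, COUNT(*) AS hits FROM connections
        WHERE connection_type != 'connect'
        GROUP BY remote_host ORDER BY hits DESC, remote_host LIMIT ?""", (n,))
    return rows.fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print(connection_type_counts(db), unique_binaries(db))
    print(downloads_by_port(db), top_remote_hosts(db))
```

On the sample data the three downloads reduce to two unique binaries, and both SMB downloads show up under port 445, which is the per-port view the next chapter relies on; against a real logsql.sqlite the same queries run unchanged apart from the column names that need to be verified.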
The installation of Dionaea requires some basic knowledge of Linux operating systems, as it is important to install all the required dependencies first, but there are helpful and detailed instructions on the official website too.
Dionaea is a flexible software tool and can be easily configured according to your needs by editing the configuration file. More specifically, in the configuration file we can change the following:
We can change the directory of the log file, and moreover we can reduce the amount of data produced. By default, Dionaea records every event in the log file. We can filter the output data by changing the levels value from 'all' to only 'warning, error', for example. Dionaea writes the last event at the end of the log file. Thus, it is quite useful to reverse this behaviour in the logging section, so that the last event can be read directly on the first line of the log file.
Moreover, we can alter the path of the downloaded binaries and bistreams folders. Bi-directional streams allow us to replay an attack that Dionaea captured at the IP level. As we mentioned previously, with Dionaea we can directly submit the downloaded malware to third parties for further analysis. In the submit section of the configuration file, we can edit all these details. Another interesting feature is that we can manually configure the IP range that Dionaea listens on and also add IPv6 addresses. By default, Dionaea listens on all the IP addresses it can find.
Finally, we can configure the modules section, which is considered the most important part of the configuration file. The modules section includes a list of services that Dionaea supports, and we can enable or disable some of them. For example, we can enable and modify the pcap module if we want to keep information about rejected connection attempts, or, if we are interested in the operating system of the attackers, we can enable the p0f service.
Kippo is a medium-interaction honeypot which emulates an SSH server. It provides an interactive shell to the intruder while monitoring and recording all the activities. Furthermore, it was created to monitor brute-force attacks.
Secure Shell (SSH) is a network protocol which provides encrypted communication between two devices. SSH allows users to gain access to remote devices via a shell or interactive command line in a secure manner. The port used by the SSH protocol by default is 22. Generally, a client can gain access to an SSH server by entering a valid username and password through an SSH client tool. From that point of view, SSH servers are vulnerable to password attacks.
SSH dictionary or brute-force attacks in particular are very common and quite easy to launch even by unskilled attackers. These types of attacks are based on the fact that many users choose their credentials from a small domain. Thus, brute-force attacks try all the possible username and password combinations, in an automated way, until the correct one is found. This characteristic can be very useful for SSH server honeypot implementations. In order to have as many successful logins as possible in our SSH honeypot, it is recommended to choose credentials that automated dictionary attack tools rely on.
Cisco's white paper about SSH login activity shows that, out of a total of around 1.56 million login attempts, the username 'root' was used in almost 35 percent of all cases. The following figure depicts the 10 most used usernames according to the results of the research conducted by Cisco.
Figure. Top 10 attempted usernames
In addition, other surveys give some interesting information about the most commonly used passwords in connection attempts. The most popular password combinations include variations of the username such as 'username' or 'username123' and passwords like '123456' or even 'password'. The results about the usernames used are almost the same as those in Cisco's research.
Kippo is implemented in the Python language. As we mentioned previously, Kippo essentially emulates an SSH server on port 22 and logs all login attempts to that port. Every time a login is successful, Kippo monitors all the input commands of the attacker and replies to these commands in order to convince the attacker that she is interacting with a real system. A list of the available commands can be found in Kippo's directory.
More specifically, the main features of Kippo include:
a fake file system. The attacker can add or remove files with the appropriate commands
Kippo saves files that have been downloaded by the attacker with the wget command in a specific secured folder
Kippo gives the attacker the ability to add fake file contents, using for example the cat command
it provides fake output for a few specific commands such as vi, useradd, etc.
it tries to fool the attacker with some responses to specific commands; for instance, the exit command does not work, meaning that the attacker thinks she has disconnected but can still be monitored by Kippo.
all the sessions are recorded and can be easily replayed with the original timestamps
all data are kept in an SQL database.
Kippo records all the useful information in a log file but also in an SQL database. The main tables of the database include:
the authentication table, containing information about the login attempt, the timestamp of the attempt, as well as the usernames and passwords that have been used
the client table, which contains information about the SSH client version that has been used
the input table, with information about the input commands that have been entered. Also, in that table we have information about the session id, the timestamp and additionally whether the command was successful or not
the sessions table, containing information about the id of the connection, the duration and timestamp of the connection and the IP address of the attacker
the sensors table, providing information about the SSH server and the IP address of the host
finally, the ttylog table which, as stated above, contains the information needed to replay sessions with the corresponding timestamps
The installation of Kippo is rather easy if one follows the instructions on the home site and installs the latest version of the software. In Kippo's configuration file we can customise the honeypot according to our needs. We are able to modify the IP of the host if we want to change the default, which is 0.0.0.0, and also the listening port, which by default is 2222.
Port 2222 is an alternative port and may be quite useful for testing purposes, but as long as most SSH attacks are observed on port 22, this choice would reduce the number of recorded attempts. Thus, it is important to change the default port to 22. To achieve this, we need root privileges on the system, but this is not recommended for security reasons. Instead, port redirection can be used, as suggested on Kippo's home page, or other existing alternatives such as authbind.
In addition, in the configuration file we can change the name of the user in the interactive shell. By default, it is "sales", which is quite appealing to attackers. Furthermore, we can set the desired password for our server. By default, it is '123456' which, as we have shown above, is included in dictionary attacks and could ensure a large number of successful logins. Besides that, Kippo creates a dedicated password database, where we can add more valid passwords. Also, other settings are the directories of important folders, including the downloads folder, a fake file system folder and the password and input data storage folders. Finally, we can modify the credentials used to connect Kippo's log data with the SQL database.
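The following added Python example (not Kippo's code and not from the original thesis) works on the authentication table described above and on the password choice just discussed. It loads constructed login attempts into an in-memory sqlite table whose columns model the ones listed (session, success flag, username, password, timestamp; verify the names against the installed Kippo schema), reports the most tried usernames and the share taken by 'root', the overall success rate, and how many of the recorded attempts a given set of accepted passwords would have admitted, which is a way to judge a candidate entry for Kippo's password database against observed attacker behaviour.

```python
"""Analyse a Kippo-style auth table: which usernames and passwords attackers
try, and how many attempts a given set of accepted passwords would admit.
Added example, not part of Kippo and not from the original page. The column
names model the auth table as described above and should be verified against
the installed version; every login attempt below is constructed."""
import sqlite3
from collections import Counter

ATTEMPTS = [  # constructed (session, success, username, password, timestamp)
    ("s1", 0, "root", "root", "2018-11-20 08:01:00"),
    ("s1", 0, "root", "toor", "2018-11-20 08:01:02"),
    ("s1", 0, "root", "password", "2018-11-20 08:01:04"),
    ("s1", 1, "root", "123456", "2018-11-20 08:01:06"),
    ("s2", 0, "admin", "admin", "2018-11-20 09:10:00"),
    ("s2", 1, "admin", "123456", "2018-11-20 09:10:03"),
    ("s3", 0, "sales", "sales", "2018-11-20 10:30:00"),
    ("s3", 0, "test", "test123", "2018-11-20 10:30:02"),
    ("s4", 0, "root", "12345", "2018-11-21 01:00:00"),
    ("s4", 0, "oracle", "oracle", "2018-11-21 01:00:01"),
]


def build_sample_db():
    """In-memory auth table filled with the constructed attempts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE auth (
        id INTEGER PRIMARY KEY, session TEXT, success INTEGER,
        username TEXT, password TEXT, timestamp TEXT)""")
    conn.executemany("INSERT INTO auth (session, success, username, password, timestamp) "
                     "VALUES (?,?,?,?,?)", ATTEMPTS)
    conn.commit()
    return conn


def top_usernames(conn, n=5):
    """Most tried usernames, ties broken alphabetically."""
    rows = conn.execute("""SELECT username, COUNT(*) AS c FROM auth
                           GROUP BY username ORDER BY c DESC, username LIMIT ?""", (n,))
    return rows.fetchall()


def username_share(conn, username):
    """Fraction of all attempts that used the given username (cf. 'root' above)."""
    total, hits = conn.execute(
        "SELECT COUNT(*), SUM(username = ?) FROM auth", (username,)).fetchone()
    return hits / total if total else 0.0


def success_rate(conn):
    """Fraction of attempts Kippo let in with its configured credentials."""
    total, ok = conn.execute("SELECT COUNT(*), SUM(success) FROM auth").fetchone()
    return ok / total if total else 0.0


def attempts_admitted_by(conn, accepted_passwords):
    """How many recorded attempts would have succeeded if the honeypot accepted
    exactly these passwords: evaluates a candidate list for Kippo's password
    database against the attempts actually observed."""
    tried = Counter(p for (p,) in conn.execute("SELECT password FROM auth"))
    return sum(tried[p] for p in accepted_passwords if p in tried)


if __name__ == "__main__":
    db = build_sample_db()
    print(top_usernames(db, 3), username_share(db, "root"), success_rate(db))
    print(attempts_admitted_by(db, {"123456", "password"}))
```

On the constructed data 'root' accounts for half of the attempts and the default '123456' alone admits two of the ten; adding 'password' to the accepted list would have admitted a third, which is the kind of measurement that decides what goes into the password database.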