HoneyPot for Network Security - building and testing against exploits.

i
FACULTY OF ACES
Dissertation on
"HoneyPot for Network Security:
Building and testing against exploits"
By
Shantanu Das
Date of Submission:
"16th January 2012"
Supervised by: Dr. Louise Webb

ii
Abstract:
Honeypots are aimed to act in a system in furtherance of misleading outsiders from taking off the
main system. By seducing the stranger to a HoneyPot system, admin can oversees the activeness
of an intruder. The admin can get to know about the faults of a system and re-configure the
system according to the vulnerabilities and make it more secure. An admin needs to configure a
HoneyPot in an effective way so that if an attacker attack the HoneyPot, the attacker must realize
that it’s a real system so that the admin can know about the attackers’ behavior. The aim of this
dissertation is to examine and determine several HoneyPots arena, where I come to an end that
configuring a HoneyPot using a virtual machine (VM) is greatly advised. I also prefer to prevent
HoneyPot finderprinting and describing a running HoneyPot machine which is observed by
several sequences of events.

iii
Acknowledgments:
This dissertation would not have been possible without the support and the help of various
individuals who in one way or another contributed and extended their priceless assistance
in the development and accomplishment of this study.
My extreme appreciation to Dr. Louise Webb for advising me and helping me to choose
this dissertation.
I would like to show my gratitude to my family and friends, who have supported all
through the dissertation.

iv
Contents
Abstract: ....................................................................................................................................... ii
Acknowledgments:....................................................................................................................... iii
Chapter 1: Introduction.................................................................................................................1
1.1 Motivation:..........................................................................................................................1
1.2 Contribution: .......................................................................................................................1
1.3 Outline: ...............................................................................................................................1
Chapter 2: Literature review..........................................................................................................3
Physical and Virtual Machines ...................................................................................................3
2.1: Standalone Computers vs. Virtual Machines....................................................................3
2.2 Virtual Machines Comparison: .........................................................................................4
Intrusion Detection and Monitoring tools..................................................................................6
2.3 Xtail: ...............................................................................................................................6
2.4 TripWire:..........................................................................................................................7
2.5 Snort-...............................................................................................................................9
2.6 Related Work:....................................................................................................................11
Chapter 3: Research Methodology...............................................................................................13
3.1 Introduction:......................................................................................................................13
3.2 Research Approach:...........................................................................................................13
3.2.1 Deductive Approach:...................................................................................................13
3.2.2 Inductive Approach:....................................................................................................14
3.2.3 Executed Research Approach: .....................................................................................14
3.3 Research approach: ...........................................................................................................14
3.3.1 Quantitative Research:................................................................................................14
3.3.2 Qualitative Research: ..................................................................................................14
Chapter 4: The Work ...................................................................................................................16
Designs of HoneyPot:...............................................................................................................16
4.1 Design of UML HoneyPot: ..............................................................................................16
4.2 identifying UML system:.................................................................................................17
4.3 UML HoneyPot Characteristics and Fingerprint Mitigation: ............................................18
4.4 Teletype logging:............................................................................................................19

v
4.5 Design of VMWare:........................................................................................................20
4.6 Form Host-Only HoneyPots:...........................................................................................21
4.7 Firewall:.........................................................................................................................22
4.8 Architecture of Bridged and Host-Only HoneyPots: ........................................................23
4.9 Identifying VMware System: ..........................................................................................24
4.10 Protecting VMware machine from fingerprinting: ........................................................27
Benchmarking VMware: ..........................................................................................................30
4.10 System recommendation and it usage:.........................................................................30
Analyzing, Simulating and Investigating Attacks.......................................................................32
4.12 Serv-U Buffer Overflow Attack: ....................................................................................32
4.12.2 Examine and determine Snort report: .......................................................................34
4.13 Port Scan Investigation (Windows XP)..............................................................................37
4.13.1 Configuration: ...........................................................................................................37
4.13.2 Examine and Determine Snort.......................................................................................37
4.14 Ethereal Buffer Overflow Exploit:.....................................................................................38
4.14.1 Configure ..................................................................................................................38
4.15 NetBus Backdoor (Windows XP):......................................................................................41
4.15.1 Configuration: ...........................................................................................................41
4.16 Subseven Backdoor:.........................................................................................................44
4.17 Windows DCOM (Distributed Component Object Model) RPC (Remote Procedure Call)
Exploit: ....................................................................................................................................46
4.17.1 How to Setup: ...........................................................................................................46
4.17.2 Examine and Determine Snort report:.......................................................................47
4.18 ISS BlackIce Exploit:..........................................................................................................48
4.18.1 Configuration: ...........................................................................................................48
4.19 SHOUTcast Remote Exploit: .............................................................................................49
Chapter 5: Conclusions................................................................................................................52

vi
References and Bibliography .......................................................................................................54
Appendices .................................................................................................................................58
Appendix A: TripWire ..............................................................................................................58
A.1 Setting Up TripWire- ......................................................................................................58
Appendix B: UML.....................................................................................................................59
C.1 Setup UML.....................................................................................................................59
Appendix C: Design of VMware................................................................................................61
C1- Setup VMware:..............................................................................................................61
C2- Network Setup: Internet Connection Sharing (ICS).........................................................61
C.3 Network configuration in VMware:................................................................................63
C.4 Configuring Static IP address for guest OS-.....................................................................65
C.5 configuring Host machine IP Forwarding:.......................................................................66
Table of Figure:
Figure 1 - Tripwire flow chart.......................................................................................................................................8
Figure 2- ram usage by three modes of snort. .............................................................................................................10
Figure 3: Research approach (deductive and inductive) .............................................................................................13
Figure 4- likely design of UML Honeypot..................................................................................................................16
Figure 5- screenshot of /proc/cpuinfo file ...................................................................................................................17
Figure 6– o/p of UML bootlog file..............................................................................................................................18
Figure 7 - skas mode [host kernel]..............................................................................................................................19
Figure 8 – allowing tty logging to capture keystrokes. ...............................................................................................20
Figure 9– log of keystrokes (done by users) ...............................................................................................................20
Figure 10– Architecture of Host-Only HoneyPot .......................................................................................................21
Figure 11- Architecture of Bridged and Host-Only HoneyPot....................................................................................23
Figure 12– System information of VMware machine.................................................................................................25
Figure 13– example of automatically generated MAC address by VMware...............................................................26
Figure 14– MAC address of Gentoo ...........................................................................................................................26
Figure 15– MAC address of Redhat............................................................................................................................26
Figure 16– finding system information.......................................................................................................................27
Figure 17– protecting VMware from fingerprinting ...................................................................................................28
Figure 18– using Ultraedit editing Virtual IDE CDROM. ..........................................................................................28
Figure 19– how to change MAC address in windows platform. .................................................................................29
Figure 20– Total usage of systems by VMware..........................................................................................................31
Figure 21- RAM and CPU use when running multiple guest machines......................................................................31
Figure 22- shows a screenshot of Serv-U ftp program (version 4.1)...........................................................................32
Figure 23 – shows exploit of Serv-U (version 4.1) .....................................................................................................33
Figure 24 – exploits launched command prompt to the target machine......................................................................33
Figure 25– log information of Snort............................................................................................................................34

vii
Figure 26– records of FTP MDTM overflow attempt.................................................................................................34
Figure 27– sub-folder of log which contains more info about the overflow attack.....................................................35
Figure 28– code found in Snort report ........................................................................................................................35
Figure 29– same source code on linux system............................................................................................................36
Figure 30 - ATTACK-RESPONSE directory listing (Snort report)............................................................................36
Figure 31– Screenshot of SuperScan...........................................................................................................................37
Figure 32– report of port scan attack created by Snort by the help of SuperScan.......................................................38
Figure 33- Exploiting Ethereal....................................................................................................................................39
Figure 34– capturing screenshot of Ethereal...............................................................................................................39
Figure 35– Corrupted packet info. Captured by Ethereal............................................................................................40
Figure 36– Snort report of Ethereal bufferflow attack ................................................................................................41
Figure 37– Installation of NetBus. ..............................................................................................................................42
Figure 38– NetBus Client............................................................................................................................................42
Figure 39– Snort rule editing to identify NetBus ........................................................................................................43
Figure 40– Updating Snort rule in order to record NetBus in Snort............................................................................43
Figure 41– NetBus report captured by Snort...............................................................................................................44
Figure 42– Subseven Client Application [version 2.1.5] ............................................................................................44
Figure 43– Subseven EditServer screenshot ...............................................................................................................45
Figure 44– exploit alert of Subseven Backdoor captured by Snort.............................................................................46
Figure 45– An intruder gained access to victims system by running metasploit.........................................................47
Figure 46– Snort report of DCOM RPC exploit. ........................................................................................................47
Figure 47– BlackIce exploited by metasploit..............................................................................................................48
Figure 48– BlackIce exploit report given by Snort. ....................................................................................................49
Figure 49– buffer overflow attempt of BlackIce by intruder ......................................................................................49
Figure 50– executing SHOUTcast server on Redhat system.......................................................................................50
Figure 51– executing SHOUTcast attack....................................................................................................................50
Figure 52– Snort report of SHOUTcast Remote exploit .............................................................................................51
Figure 53– detailed Snort report of SHOUTcast Remote exploit................................................................................51
Figure 54– setup UML................................................................................................................................................59
Figure 55– execution of UML.....................................................................................................................................60
Figure 56– UML virtual Consol..................................................................................................................................60
Figure 57– Internet Connection Sharing (ICS) ...........................................................................................................61
Figure 58– Choosing Ethernet adapter........................................................................................................................62
Figure 59– Selecting connection manually .................................................................................................................62
Figure 60– Selecting the connection to bridge............................................................................................................63
Figure 61– Selecting Host-only option. ......................................................................................................................63
Figure 62– deactivating DHCP in VMware................................................................................................................64
Figure 63– deactivating NAT in vmware....................................................................................................................64
Figure 64– applying static ip address to Gentoo guest machine. ................................................................................65
Figure 65– Applying static ip to Redhat. ....................................................................................................................65
Figure 66– applying static ip in winows XP ...............................................................................................................66
Figure 67– choosing ip forwarding .............................................................................................................................67
Figure 68– setting up IP forwarding............................................................................................................................67

1
Chapter 1: Introduction
1.1 Motivation:
A HoneyPot is an internet-attached server that acts as a trap, attracting in potential
attackers to look over their activities and oversees how an attacker are able to break into a
system.
Firstly, a HoneyPot system nearly acts like a real machine that an intruder deceitfully
thinks that he is taking advantage of a real system. If a HoneyPot system configured
properly by an administrator, an attacker won’t be able to compare between two systems.
And second, by observing several impacts in a system, an admin can improve the security
of that system by analyzing it. An admin can also find the limitations of a HoneyPot and
compared to the real system, he/she can configure the HoneyPot which is more alike to real
system so that vulnerabilities and limitations in the main machine can be discovered and
fix them.
1.2 Contribution:
The dissertation provides a deep analysis of HoneyPot machines and its possible exploits
and how to prevent it.
This dissertation is formed based on Ryan C. Barnett works named ‘Monitoring VMware
HoneyPots’ (Barnett 2002), here in this paper, the author mentioned about methods that
has been implemented to create and oversee the HoneyPot machines based on VMware
platform. To supervise a HoneyPot machine, Ryan used Xtail, where Xtail is a tool which
is use to oversee the file volume and show the outcome if there is any alteration in the file.
With the addition of Ryan’s paper (Barnett 2002), I overviewed about several guest
operating systems that are based on VMware platform (e.g. Redhat, Windows XP and
Gentoo). I also took an overview about Xtail which I have got ineffectual; hence I selected
Snort and Tripwire tools.
1.3 Outline:
The rest of the part of dissertation are outlined as follows-

2
Chapter 2 is about literature review. This chapter describes about physical and virtual
machines where it shows differences between standalone computers and virtual machines
as well as comparisons between UML and VMware systems. Chapter 3 describes about
research methodology. Chapters 4 describe about my whole work of HoneyPot, i.e.
structures and remedy of HoneyPot, investigate the performances of HoneyPots using
VMware, talk over and investigate about several types of attacks that are done by using
VMware HoneyPot machines. Chapter 5 describes about the conclusion.

3
Chapter 2: Literature review
Physical and Virtual Machines
2.1: Standalone Computers vs. Virtual Machines
It is possible to build a HoneyPot using a physical system or using a virtual system.
Physical system is a standalone computer which is only used to carry out operation as a
HoneyPot. On the other hand, a virtual machine acts like a computer which is configured
in a host machine.
Whether or not, a HoneyPot is configured in a physical system or virtual system, both have
pros and cons.
The root advantage of a HoneyPot which is in physical system is that it is the main system,
which is same to a real OS. And there are three capital drawbacks of physical HoneyPots.
- High cost: to configure a physical HoneyPot system, it is really needed that the
system is consisting of several operating systems with lots of configurations. Also,
to create a network of HoneyPots which is HoneyNet, it is really very important to
have a wide range of applications and services. So, configuring a dedicated system
for each configuration would be very costly.
- The main aim to configure a dedicated HoneyPot is to stay focused for an attack
and oversees the network if there are any intrusions; therefore, using the resource of
a CPU is idle almost all the time.
- It is not easy to configure, examine and determine physical honeypot systems,
hence its time absorbing. Also the admin needs to converge different systems and
manually investigate them.
There are some benefits of configuring a HoneyPot on a virtual machine.
- It is inexpensive; more than one virtual HoneyPots (i.e. HoneyNet) can be
configured in a system and for that, only one physical machine is needed. Several
OS with various config can be run together at the same time using only one host
system.
- Multiple virtual systems is running on a single host where the system is stay
focused and wait for any attacks, an admin can perform his/her real task by the side
of this several virtual machine running, hence it uses proper CPU resources and
does not stay idle.

4
- Effortless settings and smooth to take care. It’s possible to set up different virtual
machine to a single host, so an admin can oversees and config the all virtual
machines using a single machine (host). Also the admin doesn’t need to go for
config manually each and every machine separately if there is any problem goes on.
- As virtual machines are running on a single host, hence one set of hardware is
needed. The admin doesn’t need to reinstall the whole OS to fix it on a virtual
system if the system is hacked, for that virtual machine allows the admin an
alternative way to make snapshots of the present OS, and then return to the original
state of the system, the sate when previously the machine was hacked (appendix F).
Virtual machine has some drawbacks as well if a HoneyPot is configured on a virtual
machine–
- A single physical host system can run a restrict number of operating systems; this
can happen may be because of limited processor speed, ram or memory space of
the host system.
- A major disadvantage is that if a single hardware fails to operate, the whole system
(HoneyNet) goes down.
- To take fingerprint of a VM is easy for an intruder if the system is not taken any
countermeasures.
2.2 Virtual Machines Comparison:
There are two types of application system for virtual machine – open source application
and commercial application. Virtual system can be created using different kinds of
software; each software has their own method to configure virtual machine. This section of
the dissertation will review about three types of virtual systems. This are-
- Xen
- User Mode Linux (UML)
- VMware
Xen:
It is an open source project which is produced by computer laboratory of University of
Cambridge, UK. It creates an environment to create more than one virtual machines, where
each of virtual machine runs an operating system.
Apart from UML and VMware, the main benefit of Xen is its high speed. Another
advantage of Xen over UML and VMware is it supports several OS images in a low
performance environment and for this advantage, there is also a disadvantage, that is, with
the Xen architecture, the guest operating system needs to be connected, that means, it’s not

5
possible to install OS to guest OS without using OS distribution cd. A major disadvantage
of Xen is it needs a big collection of code patching in order to connect Xen with the Linux
OS kernel. Moreover, Xen is new system; hence it has little documentation than others
which helps to configure a strong honeypot.
UML (User Mode Linux):
It is another way of Linux kernel which helps to drive program inside the central linux
system. By the help of host system (i.e. interface), UML communicates with hardware of
the system.
VMware:
It is program that is mentioned as virtualization. It is adaptable with Intel x86 hardware
system. VMware allows running multiple OS on a single system on a same time with
individual hdd, desktop and everything.
UML vs. VMware:
As UML is open source software, hence it is very much flexible. People can download
many features for free and can make it more secure while using as a honeypot. Some of the
aspect are-
tty logging – protect logging of all UML tty traffic to the host
hppfs – it’s a UML file system which permits access in the UML/proc to be summarily
rewritten from the host, appointing it available to build the UML to act like a physical box
skas mode – UML can perform in a form which build process address spaces which are
identical to the host.
On the other hand, VMware is a commercial based system, so manufacturer of VMware
provide supports and services to their customer. It also supplies “point & click GUI’s” that
can be a source of help for the beginners.
Another difference between UML and VMware is, UML is only linux based system. It
does not support windows. Majority of people uses windows as their operating system;
hence a major amount of exploits can be finding in windows platform. On the other hand,
VMware supports both linux and windows platform and easier to strengthen the honeypot
security features.

6
VMware is only compatible with intel X-86 hardware system where UML is not bind to
Intel X-86 hardware system.
Above shows the difference between standalone and virtual machines, comparisons
between virtual machines, about their pros and cons. And these virtual machines uses
different kinds of intrusion detection and monitoring tools according to their requirements.
Below, I have discussed about this intrusion detection and monitoring tools.
Intrusion Detection and Monitoring tools
To build a full active HoneyPot and increase its strength, it’s compulsory to install
intrusion detection and monitoring tools in HoneyPot.
Intrusion detection and monitoring tools can be categorize into two types which are -
System monitoring- this section is involved with system log actions and report if is there
any change to the system. Tripwire and Xtail can be categorized in this section.
And
Network monitoring- functions involved with detection of intrusions and log actions of a
network. Snort can be categorized in this section.
Here, the section below, it discussed about three various types intrusion detection and
monitoring tools. They are Snort, Xtail and TripWire. Snort and TripWire are used to build
the Honeypot in this dissertation.
2.3 Xtail:
Xtail monitors one or more files, and displays all data written to a file since command
invocation. It is dearly suitable for monitoring various log files at the same time.
If an entry given on the command line is a directory, all files in that directory will be
monitored, including those created after the xtail invocation. If an entry given on the
command line doesn’t exist, xtail will watch for it and monitor it once created. When
switching files in the display, a banner showing the pathname of the file is printed.

7
On a host operating system, Xtail is configured and it observes the REDO file of the
VMware. According to my analysis, Xtail only shows those info which are joined at the
last of the file. So theoretically, if latest info is put at the mid stage, then the newly added
info is not stored. Latterly preserving the outcome result to a file the analyzing process
comes next.
According to own analysis, to find the attack codes, it takes a lot of time to open and
searching for it, hence Hex editor [it’s a computer program which is used to view and edit
binary files] can be used. Hex editor is really effective for showing unchanged files. By the
help of Hex editor, it is possible to see unchanged file contents of an attack where it is
nearly not possible to view by a text editor, this is because, the Xtail report can be
intensely large and admin needs to find out the attack.
2.4 TripWire:
TripWire is a detection system which helps to identify if is there any addition, deletion or
alteration of files in the system. If an intruder hack a system and put suspicious code, with
the help of tripware, it is possible to view any modifications made in the honeypot and get
to know about the intruder’s characteristics.
TripWare is available in open source and commercial version. In this dissertation, I have
used the open source version of TripWare.
TripWare is a security and data integrity tool which is proper for monitoring and notifying
if there any changes to the system.
‘twpol.txt’ named policy file keeps regulations of TripWire, regarding different types of
violations. TripWire helps to identify any violation and supports an admin to get to know
about caused problem. If caused violation is not from system failure, an admin can inspect
the irregularity; otherwise an admin can bring up the software system up to date to fix any
bug so that the Tripwire does not show them as irregularities.
The following flow chart shows the use of Tripwire-

8
Figure 1 - Tripwire flow chart
According to the flow chart, the first step is to install, customize and initialize the
Tripwire. Second step is to run change report into the Tripwire. The change report checks
the whole system to check if there is any violation. If there is no change in the system, then
the system is stable and the system waits for another interval. But if the system found any
changes, the admin must needs to investigate it to find is there any legitimate changes or
not. If the result is no, the admin needs to fix the break-in, otherwise it needs to check if is
there any policy file problem. If the problem is not regarding policy file, the admin can
update the database and if the problem is regarding the policy file, then whole policy file
needs to be update.
2.4.1 Methods of detection-
Tripwire is a HIDS (Host Based Intrusion Detection System). Usually IDS comes with a
default group of controls. An admin can modify this default controls according to his/her
requirements.
TripWire looks over the files and add up digital signatures according to the file which are
in the system TripWire keeps all digital signatures on a secure system (better to keep the
file in secure host OS rather than guest OS). In consideration of identifying an intrusion,
TripWire investigates all present files and there information that are stored in the system.
TripWire oversees to a system if is there any alteration in the machine, system files,
programs or changes at any hardware that should not usually be alternated. TripWire

9
implies MD5 cryptography for its files to supervise its files and applications and store
them to the database. TripWire also inspects hash values for present files and applications
of the system.
2.4.2 Commercial vs. Open source-
Commercial and open source version of Tripwire, both have some things in common, as
well as both have some dissimilarity. Commercial version of Tripwire is usable for almost
all platforms like linux, windows and UNIX systems. On the hand, open source Tripwire is
not usable for windows. The GUI mode of Tripwire commercial version is more user
friendly than the open source version. Commercial version has some more applications
than free version like Server application, Manager application etc. Overall, the commercial
version has much more features than free version of Tripwire to identify any violation over
the system.
2.5 Snort-
Snort is a leading open source Network Intrusion Detection System, which is created by
Martin Roesch. It is a packet sniffer that investigates and logs packets in real time,
examining each and every packet very close to find out any harmful payload or any
distrustful irregularity.
Snort performs protocol analysis, content matching and content searching. Snort also can
help to find out any probes or intrusions, involving, os fingerprinting attacks, common
gateway interface, buffer overflows, server message block investigation and stealth port
scans.
For my Honeypot what I am building in this thesis, here snort is used in host system. So if
an attack is done against the guest machine would be logged, snort will create an alert. In
this way, intruder cannot be able to identify or deactivate snort, this is because snort is
installed in the host machine.
Snort uses a file named snort.conf which holds rule files and variables. My snort version
which I used on host machine holds 48 rules by default. These rules supplies info about an
incoming packet and what an action needs to be done if all aspects match.
Four steps needed to be carry if all aspects match. They are-
- Alert action: this helps to create an alert on alert.ids file.
- Log action: this action helps to log packets to the log directory.
- Pass action: this action is used to avoid the packet

10
- Activate action: that alerts and then turns on another dynamic rule.
According to the system requirements, an admin can update these system rules. In my
snort program of the system, snort found most of the threats, but few rules needs to update
to get proper alert if there is any attack. In my system, snort was unable to identify PCT
overflow exploit only. This problem can be solved by updating SMTP rules.
Snort can be setup in three main aspects. They are-
- Sniffer mode: scan network packets and show them on the console
- Packet logger mode: log packets to the disk
- Network intrusion detection mode: oversees network traffic and inspect it against a rule
set which is assigned by the user.
In my host machine, network intrusion detection mode was employed. The usage of ram of
this program is about 39.7mb where other two modes need 4.7mb each on avg.
Below picture shows a graph of ram usage on each mode-
Figure 2- ram usage by three modes of snort.
Ram Usage on Average
0.5
5.5
10.5
15.5
20.5
25.5
30.5
35.5
40.5
45.5
Sniffer Packet Logger Network Intrusion
Detection
Mode
Ram(MB)

11
2.6 Related Work:
‘Operating System Support for Virtual Machines’ by (Samuel T. King 2003) describes
some more work about virtual systems. The writer of this paper talks over about two types
of virtual-machine monitor. These two types of virtual-machine monitor’s are: Type 1 is
setup based on the physical hardware system and Type 2 is setup based one host OS. Type
2 machines exchange information with the physical hardware by way of host OS.
According to this information, it can be said that, VMware supports both of the types, i.e.
Type 1 and Type 2, where UML supports only Type 2. The writer of the paper (Samuel T.
King 2003) also talks over about how to minimize the expenditure of Type 2. Applying
those procedures, the writer achieved the goal to minimize the expenditure about 14-35%.
‘When Virtual Is Better than Real’ by (Peter M. Chen 2001) describes why it is really
beneficial to convert the system to virtual system from physical system. These writers
mentioned about three major functions why virtual system is more beneficial. These are –
safe logging, invasion avoidance and identification and system atmosphere migration. The
writers also challenged on two things to migrating to virtual systems, they are –
performance and acceptable gap among virtual system and physical system. It is possible
to exceed the challenges as described in this article.
The article ‘ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and
Replay’ by (George W. Dunlap 2002) talked over about how to become better system
loggers. The project took place at the University of Michigan named ReVirt Project. The
main purpose of the article is to clarify two problems which ‘need of integrity’ and ‘need
of effectiveness’. Need of integrity is that when loggers keeps log files in local file system,
if the administrative access is gained by an intruder, then all log files will be exposed. So
the ReVirt project resolves the problem by continuing the logger in a separate domain. And
need of effectiveness can be resolves by replying log info before and after an attack done
by an intruder. ReVirt helps to stop the system anytime (before, at the middle or at the end)
of an attack so that an admin can investigate the system about the attack at several points.
The article also shows that the expenditure of ReVirt is less, so it’s possible to continue the
system for a sufficient time without needing of extra hardware system.
(Spitzner 2003)’s article ‘HoneyPot Tracking Hackers’ describes about several types of
HoneyPot systems. The book describes about low-interaction and high-interaction
HoneyPots. Low-interaction HoneyPots are usually software that runs some different kind
of services like HTTP, Telnet etc. Those software that act as low-interaction HoneyPots

12
are HoneyD, BackOfficer etc. when an intruder tries to exploit these HoneyPots, the
usually attacks the server which are made by of this software’s. High-interaction
HoneyPots are basically a physical machine itself that is made to that intension to be
exploited. These category HoneyPots are more real and needs to setup manually in that
way to attract an intruder as he/she believes that it is a real system to exploit.
In my paper, I have talked over about different kinds of fact that needs to imply when
configuring high-interact HoneyPots.

13
Chapter 3: Research Methodology
3.1 Introduction:
This chapter will cover-up all the likely methodologies which can be could allow the
analysis in the most excellent likely approach. The purpose of the dissertation is to setup
HoneyPots and test them with some exploits. The intension is to examine the exploits and
make the HoneyPot stronger according to those exploits.
According to Zikmund, ‘Research that intends to expand boundaries of knowledge itself on
to verify the acceptability of a given theory’, is derived in (Saunders 2003).
3.2 Research Approach:
Using two type of research approach, it is possible to carry out the research. They are –
Deductive approach and Inductive approach.
Deductive approach Inductive approach
Figure 3: Research approach (deductive and inductive)
3.2.1 Deductive Approach:
A deductive approach is ‘testing approach’ as mentioned by (Patrick Mcneill 2005). The
thought of a theory can be describe from usual to more particular nature and a hypothesis
of the theory is been grown which is analyzed by observations. Thus the way is about
analyzing the theory by the observations.

14
3.2.2 Inductive Approach:
An Inductive approach is a way that provides an outcome, as mentioned by (J. Gill 2002)
‘this approach gives an outcome’. This type of approach, the writer always have a theory
that’s a fact in nature and an outcome is achieved the approach agreements with the main
data facts.
3.2.3 Executed Research Approach:
Taking everything in mind, the clue of the research and the concept of the subject,
deductive approach is needed and to be implemented to the research. So an outcome also
be required, hence, inductive approach is also required and needs to be implemented.
3.3 Research approach:
Research can be done by two types of approaches and they are – Qualitative and
Quantitative. The two approaches have several kinds of process by which data can be
gathered.
3.3.1 Quantitative Research:
Quantitative research approach assists to ‘generate statistics through the use of large scale
survey research, using method such as questionnaire’, mentioned by (Dawson 2009). Close
ended question helps to get a structured outcome where open ended questions help to get
unstructured type information.
But the questionnaires have some advantages and disadvantages-
It’s a cost effective process of using online questionnaire. Also its not time consuming
because the questionnaire can be done by on a single mouse click and users can get the
questionnaire through their email where there is no need to give the questionnaire hand to
hand. (Robson 1993) defines the advantages of questionnaires as ‘ability to transcend
individual differences and identify pattern and process which can be linked to social
structures and groups or organizational features’. (Robson 1993) also defines the
drawbacks as ‘they cannot capture the stubtleties and complexities of individual human
behavior’.
3.3.2 Qualitative Research:
The downsides of quantitative research can be overcome by using qualitative research
technique. This approach is more adaptable and it’s actually open in characteristics.
(Dawson 2009) describes the approach as ‘explores attitudes, behavior and experiences
through such method as interview or focused groups. It attempts to get an in-depth opinion
of participants.’

15
So there is an ‘Interview’ option is selected in qualitative instead of questionnaire to
overcome the limitations-
The interview can be carried out with technical person (admin) about HoneyPot
technology. Open ended question are made for the interview to get high info. The main
objective is to get the experimental investigation of the HoneyPot technology. (Robson
1993) described regarding the interview is ‘Less structured approaches allow the person
interviewed much more flexible of reponse’.
Rely upon the selected research methodology; the result of a given project might change
significantly. So it is most necessary to describe what techniques were used and what the
hypothesis has taken. I will show some techniques for accumulating and investigating
information for research use.
(P. J. Denning 1989) described three approaches to scientific research. Each of the
approaches has four categories-
- Theory is rooted in mathematics and it consists; 1. Assigning object of study, 2.
Creating a hypothesis on their similarity, 3. Obtaining the real value of the
hypothesis and 4. Defining the results.
- Abstraction (Modeling) is a test scientific technique that consists of 1.
Constructing a hypothesis, 2. Forming a model and guessing a prediction, 3.
Designing a test and gathering information and 4. Investigating the outcome.
- Design is rooted in engineering and consists of 1. Mentioning requirements, 2.
Stating specifications, 3. Architecting and assigning the system and 4.
Experimenting the system.
In my thesis, I will use an approach which consist of both abstraction and design approach.
This approach is in significance the abstraction approach with growing stress on the
prototype (experimental architecture) to involve specification, necessities and
experimenting.
I am not going to look for clear quantifiable results, but I will try to gain a qualitative
evaluation if the goal of my dissertation was met. I will talk over this to skillful level in
detail while describing my work in chapter 4.

16
Chapter 4: The Work
Designs of HoneyPot:
In this dissertation, I setup the HoneyPot on VMware platform. But for fullness, I will
explain UML HoneyPot in brief. In consideration of using UML on windows xp, I have
installed UML on VMware platform.
4.1 Design of UML HoneyPot:
The following likely method of experimenting a HoneyPot which is in UML. One needs to
be remembering that UML only supports Linux. As my host is operated by Windows XP,
so I have installed UML in guest OS by the help of VMware. Here, for UML, Gentoo will
perform as a host OS and on UML, Redhat & Debian will be operate as guest OS.
Figure 4- likely design of UML Honeypot.

17
4.2 identifying UML system:
As UML is not created completely to use as HoneyPot system, but to do a test with kernel
and infested software, it is more likely for an intruder to fingerprint UML, which means
there are some process that an intruder can tell the difference of UML form the main
system. But there are some techniques to make the intruder to fingerprint the UML. Later
on, there will be a discussion how UML can be found and there are some patches which
makes the UML acts like real system so that the intruder believes himself that he is
attacking the real system.
4.2.1 Procedure:
To fingerprint UML system, miscellaneous files can be use from /proc. For example, some
files /proc/cpuinfo, /proc/devices, /proc/interrupts, /proc/cmdline bears some information
which are individual to UML.
Below shows a screenshot of /proc/cpuinfo file, which contains some important
information. By looking at this information, an intruder can easily find out that the system
is real or fake. The screenshot shows the vendor_id, which is in User Mode Linux,
model_name: UML and mode: skas, this information represents that the system is not a
genuine one.
Figure 5- screenshot of /proc/cpuinfo file

18
4.2.2 Information of bootlog and file system:
Bootlog holds a record of files; those are opened and used as OS loads. It may possible to
find out that information in /var/log/boot.log file. Moreover, info of miscellaneous file
system such as hdd, partitioning may be cause of fingerprint the system and /etc/fstab
could carry the information.
The screenshot shows an o/p of MUL Bootlog file:
Figure 6– o/p of UML bootlog file
4.3 UML HoneyPot Characteristics and Fingerprint Mitigation:
Because of core interest to design HoneyPot machine, various factors have been included
to UML. These factors are skas and hppfs, and help the UML to act more like a HoneyPot
system.
4.3.1 skas (Separate kernel Address Space):
An intruder can access UML kernel by the help of TT (Tracing Thread) and can manage a
way to control host. Skas helps to find out this problem. Skas requires a patch to be
involved to the host kernel to admit UML kernel which helps to run on a parted address
space. This characteristic hides UML kernel info, hence an intruder won’t be able to view
or make any changes to UML kernel info which solves some of security issues and

19
fingerprinting problem. Moreover, skas mode helps to increase the performance of UML
then TT mode. Skas mode is faster almost double compared to TT mode.
Figure 7 - skas mode [host kernel]
4.3.2 Help with HPPFS for skas mode:
Hppfs helps to run skas by loading UML directory to UML guest operating system proc
directory and it gives an admin the authority to modify data of /proc in UML system using
host system. This makes a HoneyPot system to behave like as real one and an intruder
cannot fingerprint by investigating proc info.
4.4 Teletype logging:
Teletype logging (TTY) is a monitoring process which permits the admin to view an
intruder keystrokes log activities. This is more active with encrypted network packets. By
using usual packet sniffer, an admin can oversee only those packets which are encrypted
where teletype logging catches the keystrokes and stores into a file.
tty logging needed to authorize from character device option. Allowing tty logging, it
catches all keystrokes by the help of UML in virtual atmosphere.

20
Figure 8 – allowing tty logging to capture keystrokes.
An example has been shown. It shows the file of keystrokes done by users.
Figure 9– log of keystrokes (done by users)
4.5 Design of VMWare:
In this dissertation, to set up a honeypot, I have used VMware to make a virtual
atmosphere. By the help of VMware, I can setup a HoneyPot system in Windows XP
environment which is my host. With the help of GUI and Revirt, VMware make it easy to
build a HoneyPot. As VMware supports both windos and linux, so I am able to install both
of them as guest OS.

21
4.6 Form Host-Only HoneyPots:
The figure below shows the architecture of my HoneyPot machine. Here, the host
operating system is Windows XP and VMware platform is used for this host OS. As a
guest OS, Redhat, Gentoo and Windows XP are used and HoneyPot is configured in this
guest machines. This guest machines have separate ip address. Moreover, several kinds of
applications are setup on these three guest machines. On the host machine (Windows XP),
an intrusion detection mechanism is installed called Snort.
Figure 10– Architecture of Host-Only HoneyPot
VMware supports three kind of network preference. They are bridge, NAT and Host-only.
Bridge network option means the virtual network is connected to the physical network via
bridge connection. In bridge connection, every single virtual machine in the network has
their different ip address and each virtual machine act as a normal computer.
Host-only network makes a personal network that connects host OS and guest OS. Here, in
this network option, guest OS is unable to communicate with external network. This

22
problem can be solved by Windows Internet Connection Sharing (ICS). This preference is
a perfect way to configure and mastering a HoneyPot network.
NAT is similar to Host-Only. But here, guest OS can communication with the outside
network.
Host-only network is a perfect method to config a HoneyPot network (HoneyNet), this is
because, data traffic needs to go from guest machine to the network via host machine and
for that reason, it is easy to configure firewall and monitoring applications in the host
machine.
As mentioned before, in Host-only network, guest machines cannot communicate to the
outside network and ICS need to install on host machine. In that way, host machine will
perform as default gateway and it also supports the DHCP and Nat support for the guest
machines.
Host machine (Windows) will assign automatically ip address for the guest machines
through DHCP. Since I am setting up the host machine (windows) that route packets to a
certain HoneyPot systems’ ip address, hence I don’t want to manually setup ip address
each time when the system startups. I overcame with the problem by assigning static ip
address to HoneyPot machines in the network. (configuration could be found at C.4)
In ICS, ip forwarding is configured in a way that a host machine can send one packet to a
specific HoneyPot. Hence, the admin needs to assign each port manually to send packet to
each HoneyPot. To clear the concept an example is given – an Apache program is running
on Gentoo system (HoneyPot machine) which is using port 80 and the windows XP system
(another HoneyPot machine) is running a windows web server which also uses port 80.
Now if a packet comes from outside network which is directed to port 80, the host system
won’t be able to send the packet to multiple HoneyPot systems. Hence, host system looks
at the configuration of ICS setting which is configured by an admin according to the
system specification and will send the packet according to the setting. According to my
setting, the packet is going to the Gentoo machine.
4.7 Firewall:
Setting up a firewall for HoneyPot, can make the HoneyPot more stable and real.
Moreover, it is possible to control incoming and outgoing traffic through the firewall. In
my HoneyPot, I want to permit all the incoming data and give limitation to outgoing data
from HoneyPot. By doing this kind of config, if an intruder tries to attack my system, I can
lock the intruder inside the HoneyPot and stop those intruders from attacking other

23
network. In addition, by regulating the outgoing traffic, I can make a safeguard for host
machine from attackers those are inside HoneyPot machine.
Very few firewalls give an effortless control over incoming and outgoing traffic.
Moreover, windows XP’s firewall has some limitation too. Hence, I decided to use
ZoneAlarm firewall that give me the features what I required for my HoneyPot.
4.8 Architecture of Bridged and Host-Only HoneyPots:
Figure 11- Architecture of Bridged and Host-Only HoneyPot
The above figure shows a bridged and host-only HoneyPot architecture. In this
architecture, one of the HoneyPot is in bridged connection with the host machine. The
bridged HoneyPot has its separate ip and it acts as a free machine in the local network,
which means a stranger can access the HoneyPot machine without going through the host

24
machine. For this architecture ICS and ip forwarding techniques are not needed for this
bridged system. IDS tools and firewall is setup for this design for the similar aim.
There are some major benefits for Bridged and Host-only architecture. These are – the
admin is not required to configure manually the ip forwarding to send packet to the
HoneyPot which is in bridge connection. And in bridged HoneyPot, it can communication
with two http servers where the previous architecture, in Host-only HoneyPot, a packet can
communicate with only one HoneyPot.
The main downside is this architecture is using an ip address which can be used by outside
network, so there are possibilities to conflict of ip address. Hence, getting an ip address can
cause paying out more money to configure the HoneyPot.
4.9 Identifying VMware System:
VMware acts nearly like a physical machine. There are several ways to identify a VMware
system – using software, bios, from mac info, system and device info.
4.9.1 Identification of VMware tool:
An intruder can identify VMware by looking at software information which is built in
virtual machine. This is particularly real when a user setup VMware on the machine, if this
is so, an intruder can identify VMware by investigating control panel in windows or
through VMware directory.
4.9.2 System Identification:
An intruder can investigate the computer system to see whether its VMware system or not.
The system info supplies information about the system which could be a cause of
fingerprinting.
Bios information of windows XP OS can be done by following these steps-
Start -> Programs -> Accessories -> System Tools -> System Information.
Below shows an example of system information where System Manufacturer is stated as
‘VMware, Inc’ and System Model is stated as ‘VMware Virtual Platform’. This info’s give
clear knowledge of that it’s a VMware machine.

25
Figure 12– System information of VMware machine.
4.9.3 Identification of MAC address
There is one more way to identify VMware machine by overseeing its MAC address.
Under the physical address, 3 OUI’s are registered by VMware. Among these three,
VMware produce two MAC addresses and the third one can be manually created by user.
There is a limitation for guest OS regarding assigning MAC address. These are 00-0C-29-
XX-XX-XX, 00-05-69-XX-XX-XX or 00-50-56-XX-XX-XX.
The following example shows a MAC address which is automatically generated by
VMware. To identify MAC address of a VMware in windows XP environment, there are
two steps. First, start command prompt (start->search cmd) and then type ipconfig /a/l. it
will show an output and in the output the physical address is the MAC address. Here, in
this given example, VMnet1 is MAC address which is automatically produced by
VMware.

26
Figure 13– example of automatically generated MAC address by VMware.
Two more examples have been shown which are for Gentoo and Redhat respectively. For
Gentoo, the MAC address is 00:50:56:00:11:22 and for Redhat, the MAC address is
00:0c:29:36:63:60.
Figure 14– MAC address of Gentoo
Figure 15– MAC address of Redhat

27
4.9.4 Device Identification:
By investigating the system devices, it is more likely to identify a VMware system as
VMware makes some virtual devices itself which are equal to the real hardware elements.
It is not like the UML system, because in UML, guest machine needs to access the host
machine’s hardware by the help of the function key.
To see system devices, my computer -> properties (right click) -> choose hardware tab ->
device manager -> Disk Drive -> VMware virtual IDE Hardware Drive.
Figure 16– finding system information
An intruder can fingerprint a system by the help of this disk drive.
4.9.5 – Identify Computer System
An intruder can look at computer system and can investigate on it as this method depends
on attacker’s guess. For example, a system is not conventional with 2GHz cpu, 80mb ram
and 4gb hdd. Because a conventional system might have more cpu power or same with
more ram and hdd other than a virtual honeypot system. However an intruder might be
incorrect.
4.10 Protecting VMware machine from fingerprinting:
Intruders are getting more interest in VMware machines as its popularity is going high. But
there are several ways the admin can protect the system from fingerprinting the VMware
machine. Following tables shows how can be protect a system from fingerprinting as
mentioned in section 4.9.X.

28
Section Fingerprint Countermeasure
4.9.1 Identification of VMware Tool System Configuration
4.9.2 System Identification Script/Hex Editor
4.9.3 Identification of Mac Address System Configuration
4.9.4 Devices Identification Script/Hex Editor
4.9.5 Identify Computer System System Configuration
Figure 17– protecting VMware from fingerprinting
4.10.1 Script/Hex Editor:
A VMware binary file called vmware-vmx.exe can be edited by a normal hex editor called
Ultraedit. When the vmware binary file is ready to run, an admin can edit Virtual IDE Hard
Drive or Virtual IDE CDROM and can change their name as the admin want.
Below figure shows an example of Ultraedit hex editor.
Figure 18– using Ultraedit editing Virtual IDE CDROM.

29
4.10.2 Operating System Setup:
To protect any system from fingerprinting, an operating system should set up in a perfect
way. To avoid fingerprinting, e.g. VMware tool, its better not to install this factor on the
guest system where the guest system acts like a honeypot. As mentioned before (in section
4.9.5), to setup a standard virtual system, an admin needs use enough ram (i.e. 128mb or
more) and proper hard disk space. An admin should change the MAC address of VMware
machine because of some predefined limitations (derived in section 4.9.3). An intruder can
view all default MAC address of VMware system by using ipconfig /all command
(VMware MAC address range; as mentioned in 4.9.3 section), hence operating system
provides an option to change the MAC address.
Following process and figures shows how to change the MAC address:
In windows environment, one needs to go to start, then needs to go to network connection
using control panel. Then go to properties by right clicking on local connection. After that
configure option, then selecting advance tab. Here a box will appear with some options.
Select Network Address from them and then change the MAC address as an admin want to
change it.
Figure 19– how to change MAC address in windows platform.

30
To change MAC address for linux, it fully different from windows. To change MAC
address in linux, an admin should follow these commands:
ifconfig eth0 down hw ether 00:00:00:00:00:01
ifconfig eth0 up
To do the whole work, it uses the system; hence system configuration according to its
requirements should be perfect. Next section describes about the system usage while doing
the work.
Benchmarking VMware:
4.10 System recommendation and it usage:
VMware Workstation 4.0 can use 1024mb ram in total for all virtual systems where
VMware Workstation 4.5 supports 3.6 GB. So running highest number virtual systems at
the same time depends on memory space. Suppose 640 mb is assigned for a single virtual
system, and then only one system is possible to run on a specific time. In this dissertation,
for my systems, I have chosen 128mb, this is because, and it is possible to run eight
systems at a time with this limit. Due to small physical memory and disk exchange, I
reduced the efficiency of virtual systems.
To create a network of honeypot (HoneyNet), multiple guest operating systems needs to
run at a same time on a host machine. To run multiple guest operating systems in VMware,
there is large number of expenses to the host operating system. So there are several ways to
accommodate VMware to build a HoneyNet, this section of the dissertation will
benchmark and will talk over in detail about that.
Here, in this dissertation, I have assigned 128mb ram and 4gb hdd space applying default
settings of VMware.
In HoneyNet, Windows XP machine is recommended for 128MB RAM, where it machine
uses 95MB out of 128. For Gentoo, the recommended RAM is 128, where it uses 121MB.

31
The CPU usage for Windows XP is 9.7% where the CPU usage rate for Gentoo is under
1% after running all of application from figure 4.6. Gentoo also need free hard disk space
of 1GB. On the other hand, Redhat is using 74.3MB RAM out of 128MB and using 1.5%
CPU on avg. Redhat needs 700MB hdd space with this setup.
Figure 20– Total usage of systems by VMware.
The figure below shows RAM and CPU use when running multiple guest machines-
Figure 21- RAM and CPU use when running multiple guest machines.
VMware Benchmark
0 20 40 60 80 100 120 140
Ram Usage-Guest
OS (MB)
Minimum RAM
(MB)
CPU Usage (MHz)
Redhat
Gentoo
Windows XP

32
Analyzing, Simulating and Investigating Attacks
Once a honeypot is fully configured, the next step comes to simulate, oversees and
investigate the honeypot if there is any attacks. This section will cover about several
attacks and will discuss about the attacked report performed by two software – Snort and
TripWire. Metasploit has been used to run some exploits.
4.12 Serv-U Buffer Overflow Attack:
An ftp file transfer program, named Serv-U, use to transfer files from one machine to
another. There is a risk of buffer overflow attack of version 4.1.0.11 of Serv-U and older
versions. This attack retrieves the information of last updated file in Serv-U, normally its
known as ‘Modification Time (MDTM)’. So, there is a possibility of overflowed and
intruders can manage root access by putting malicious code.
4.12.1 Configure:
Here, I’ll investigate a Serv-U ftp attack by the help of two operating systems, one is
Windows XP pro and another one is Linux Gentoo. In windows machine, we have used
Serv-U ftp version 4.1. I have chosen this version because this one open to attack of
MDTM and that one we are trying to exploit.
Source code of the attack is taken from here:
http://www.securiteam.com/exploits/5SP020KCAG.html
Figure 22- shows a screenshot of Serv-U ftp program (version 4.1)

33
Following command has been used to run Serv-U exploit code on linux system-
./test –h 192.168.0.111 –t 4
By using the above command, it gives access to the main directory of Windows XP. After
attaining the access to c:wutemp directory, I have cleared all files. Usually, if an intruder
get root access, then it is possible to install any malicious program or can remove any files
that are essential.
Figure 23 – shows exploit of Serv-U (version 4.1)
The picture below shows a screenshot that after implementing the exploit, it has launched a
command prompt to the target system without letting the user know.
Figure 24 – exploits launched command prompt to the target machine.

34
4.12.2 Examine and determine Snort report:
Snort identifies the Serv-U ftp buffer overflow attack and keeps the records in log
directory. In log directory, it shows that an ip address is accessed the HoneyPot system.
Below shows a screenshot of the record-
Figure 25– log information of Snort
In the log record, there is an alert file created by Snort. This is a high priority file and by
looking it this records, it shows an ‘FTP MDTM overflow attempt’ attack. The figure
below shows the records of that alert file –
Figure 26– records of FTP MDTM overflow attempt.

35
There are some more records about the buffer overflow attack at the sub-folder of the log.
Figure 27– sub-folder of log which contains more info about the overflow attack.
The screenshots below shows that the code that was applied to make the buffer overflow
attack. Here, it shows the similar code which is found in Snort report and code from host
machine from where the attack is carried out, which is Linux system. Highlighted area
shows the code below in the screenshots.
Figure 28– code found in Snort report

36
Figure 29– same source code on linux system.
There is another log file on the sub-folder of log folder, which contains ATTACK-
RESPONSE directory listing. This file shows c:wutemp is accessed by an intruder. By
surveying this file information, an admin can get to know about the directory listing from
that time from when an intruder managed to enter to the HoneyPot system.
Figure below shows ATTACK-RESPONSE directory listing-
Figure 30 - ATTACK-RESPONSE directory listing (Snort report)

37
4.13 Port Scan Investigation (Windows XP)
An intruder always searches for open ports at the target system before continuing his/her
operation and for this the intruder can use port scan program to know which specific ports
are open on the target system.
4.13.1 Configuration:
For this experiment, a software has been used named SuperScan. SuperScan investigates
about all the ports of the targeted system. Here, for the targeted system the ip address is
192.168.0.192.
There are some options that can make an advanced search for SuperScan – ping, scan port
from a list of port and scan port from a supplied extent.
A screenshot is given below of SuperScan program.
Figure 31– Screenshot of SuperScan.
4.13.2 Examine and Determine Snort
If there is any port scan launched by an intruder, Snort will create an alert file which
contains information about port scan. In the alert file, the information is marked as
classified if the system got any port scan and the classification is: Attempted Information
Leak. If an admin investigates this file and sees this classification, then he/she will come to
the point that it was a port scan attack.
A screenshot is shown below. Here, for an port scan is attempted from the ip address
192.168.0.191.

38
Figure 32– report of port scan attack created by Snort by the help of SuperScan.
4.14 Ethereal Buffer Overflow Exploit:
Ethereal is a network packet analyzer which captures network packets and performs to
show packet data in details as much as possible. Ethereal is a freeware sniffing tool that
mainly employed for troubleshooting, software development, education etc.
Prior versions of Ethereal have a vulnerability by which an intruder can achieve root access
or can crash Ethereal.
So, for this instance, I will show what happens if an intruder tries to vulnerate Ethereal by
buffer overflow.
4.14.1 Configure
I have configured a Gentoo system to drive an exploit code; here the ip address of Gentoo
is 192.168.20.128. The exploit code is outlined in a way that can cause buffer overflow to
ethereal, hereby, a special tricky packet can make a denial of service and by chance can
open a port with which an intruder can achieve access to the target system (192.168.0.192).

39
Figure 33- Exploiting Ethereal
Ethereal 0.10.0 version is configured in my windows xp system that catches packets mode.
The function of Ethereal here is to oversee into all incoming packets. So whenever buffer
overflow packets comes that are outlined to exploit Ethereal, it will catch the packet. When
Ethereal is busy to capture and read infected packet, in that time if an admin tries to close
the program, Ethereal will crash.
Figure 34– capturing screenshot of Ethereal.

40
Updated version of Ethereal 0.10.5 has overcame the crashing problem, it does not crash
while trying read the corrupted packet. If we take a view to the corrupted packet, we can
see that corrupted packets are marked as a ‘Membership Query’ under IGAP (Internet
Group Membership Authentication Protocol).
Following screenshot shows the information in corrupted packet-
Figure 35– Corrupted packet info. Captured by Ethereal.
Figure below shows a Snort report. By investigating this report, it can be seen that, the
intruder attempted IGMP overflow attack to achieve root access. This is a crucial warn and
need to take essential steps against it. If we look at the ip address from where the packet
comes from, its 192.168.20.128. This ip address doesn’t belong from intruder’s system
(192.168.0.206). An admin must need to investigate always the ip address; this is because
it is possible to change the source address, so with a different ip doesn’t signify that it is
not from the source machine.

41
Figure 36– Snort report of Ethereal bufferflow attack
4.15 NetBus Backdoor (Windows XP):
NetBus is a ‘Trojan Horse’ that has same characteristics than ‘Back Orifice’. This means
NetBus opens a backdoor to a system without letting the admin know, so that the intruder
can access the system. NetBus is very convenient than Back Orifice.
NetBus was first programmed by a Swedish called Carl-Fredrick Neikter and publish his
first version on 1998.
NetBus has two sections – a client-program (netbus.exe) and other one is server-program
(patch.exe), that is the real backdoor.
As mentioned before, NetBus is consisting of two parts – a client-program and a server-
program. NetBus program deceive itself to act like ICQ installation program that appears
faulty while installing to the system, hence NetBus installed to the aimed system and will
release a port to the intruder to achieve access.

42
Figure 37– Installation of NetBus.
At intruder’s end, to achieve access to the targeted machine, the intruder needs drive
NetBus client program. This program will make a connection with that system which one
is running NetBus server. This permits an intruder to investigate and gain access of the
vulnerable system.
Figure 38– NetBus Client

43
If is there any NetBus aimed to the system, Snort is not able to identify the attempt as by
default it deactivated. To activate the Snort so that it can identify the attempt, following
steps needs to be done-
Go to  c:snortetcsnort.config  search ‘backdoor’, and then it will show a rule as
shown below and then remove ‘#’ from the rule.
Figure 39– Snort rule editing to identify NetBus
After that, according to the configuration of Snort, update the Snort rule. In my case, i have
removed the following line from Snort backdoor rule –
[note - search for the line in snort by typing Ctrl F]
Figure 40– Updating Snort rule in order to record NetBus in Snort.
Following figure shows an screenshot of NetBus backdoor attempt which is caught by
Snort and the priority is set to 3. From the figure, we can see that, the attack is done by that
system which contains the ip address 192.168.0.191.
I thing needs to be mentioned that, here, Snort records packets those are travelling from
HoneyPot system to the intruder’s system. From the figure, it can be noticed that packets
are travelling from 192.168.0.192 to 192.168.0.191.

44
Figure 41– NetBus report captured by Snort.
4.16 Subseven Backdoor:
Subseven (Sub7) is also familiar as Backdoor-G. It is one of the most popular backdoor
programs. This program is one of a kind as far as hacker program is described.
As like NetBus, Subseven install a backdoor to the targeted system and opens port.
Subseven is categorized as Trojan horse that uses 27374 port by default.
When an intruder installs Subseven backdoor to the targeted machine, it updates the
registry when the system restarts. Latest versions of Subseven supports a new feature, that
is Subseven can launch from eight different location of windows. Those files which are
produced by Subseven, is turf to delete without the help of any antivirus.
Figure below shows a client application that drives on an intruder’s system.
Figure 42– Subseven Client Application [version 2.1.5]

45
Subseven has one big advantage over NetBus program. That is, Subseven can change the
server executable file that helps an intruder to change icon of server, can investigate the
server whenever target opens the server as the intruder gets a notification for that. This
kind of options gives an advance exploiting option to the intruder to modify the server
according to the intruder’s expectations.
The figure below shows a Subseven EditServer screenshot-
Figure 43– Subseven EditServer screenshot
Following picture shows Snort alert report of Subseven, where the alert ‘BACKDOOR
subseven’ categorized as priority 3. And it also shows the information of port, here,
intruder’s port number is 3180 and targeted machines port number is 27374.

46
Figure 44– exploit alert of Subseven Backdoor captured by Snort
4.17 Windows DCOM (Distributed Component Object Model) RPC
(Remote Procedure Call) Exploit:
DCOM (Distributed Component Object Model) is an array of Microsoft ideas and program
interfaces that client program objects can appeal for services from server program objects
from different computers where all computers are in a network.
DCOM supplies RPC (Remote Procedure Call) protocol. Windows OS uses RPC. RPC
supplies an inter-process communication function which permits a program driving on a
system to continuously execute on a remote system.
Windows XP come up with DCOM RPC that helps to unfasten port 135 which is Windows
RPC port.
Windows XP DCOM RPC has vulnerability that helps to create a buffer overflow for an
intruder and helps to run malicious code to the system and W32 Blaster Worm is widely
used that runs to exploit a system.
4.17.1 How to Setup:
To test exploit, metasploit has been used to accomplish the attack.
Below shows some command line to setup metasploit –
use msrpc_dcom_ms03_026
Set TARGET 0
Set PAYLOAD winreverse

47
Set RHOST 192.168.0.192
Set LHOST 192.168.0.191
exploit
After executing these commands, an intruder can achieve the access to the victim system’s
honeypot. Figure below shows a screenshot that the intruder achieved access-
Figure 45– An intruder gained access to victims system by running metasploit.
4.17.2 Examine and Determine Snort report:
The snort reports displays that there was an RPC buffer overflow attack which is leveled as
priority 3. The report also displays that the intruder tried to achieve administrator access
which is leveled as priority 1.
Figure 46– Snort report of DCOM RPC exploit.

48
4.18 ISS BlackIce Exploit:
BlackIce is an individual firewall that evolved with intrusion detection system. BlackIce
can examine incoming and outgoing data even obstructed connections so that it can
specify, warn and obstruct likely offensive activities.
BlackIce version 3.6.ccf and older than this, can be exploit by an intruder. The intruder can
cause buffer overflow to the system and can run malicious activities to exploit the system.
As BlackIce 3.6.ccf and older versions are vulnerable, so here BlackIce 3.6.ccf has been
used to execute the attack. For this reason, metasploit used the commands below-
use blackice_pam_icq
set RHOST 192.168.0.192
set PAYLOAD winreverse
set TARGET 5
set LHOST 192.168.0.191
set EXITFUNC thread
exploit
BlackIce will be unable to identify the attack.
The figure below shows that the intruder has achieved access to the windows HoneyPot
and the intruder can modify the machine.
Figure 47– BlackIce exploited by metasploit.

49
Snort can identify the attack and give the following report-
Figure 48– BlackIce exploit report given by Snort.
Here, in this report, the severity marked as 2.
Below shows another picture, taken from log directory. Here it shows the buffer overflow
of BlackIce –
Figure 49– buffer overflow attempt of BlackIce by intruder
4.19 SHOUTcast Remote Exploit:
A winamp streaming audio program named SHOUTcast makes users to interconnect with
you to tune with your broadcast and hence, makes it vulnerable. Those versions which are
vulnerable are version 1.8.9 and earlier versions. These versions are available on internet.
I have setup one server in Redhat system. Picture below displays the executing of
SHOUTcast server on the system-

50
Figure 50– executing SHOUTcast server on Redhat system.
When execution of the server is done, it shows the achievement of administrative
privileges-
Figure 51– executing SHOUTcast attack.

51
The figure below displays the snort result which classified as “Potentially Bad Traffic” and
labeled the priority as 2 [fig 6.9.1.a]. But Snort is unable to detect the fault as SHOUTcast.
So Snort is needed to put the rules so that it can identify the attack. And fig 6.9.1.b shows
information of the exploit in details after an effective attack.
Figure 52– Snort report of SHOUTcast Remote exploit
Figure 53– detailed Snort report of SHOUTcast Remote exploit

52
Chapter 5: Conclusions
This dissertation investigated several ways of configuring HoneyPots. But this dissertation
talked over closely on User Mode Linux (UML) and VMware. It describes the buildup of
HoneyPot systems that is really important. It also covers the area that what should an
admin need to do and what are the things that need to consider while configuring a
HoneyPot system. For instance, fingerprinting issues and security flaws. Here, I described
also how to monitor and how to examine exploits on the system.
In this article, it shows several ways of how to fingerprint that an intruder can use the
system to identify the virtual system. This paper also describes lots of techniques to
countermeasure fingerprinting so that an intruder can get trust that he is actually exploiting
a real machine.
This paper also made a discussion about the security flaws of a system. To protect the
intruder against exploiting HoneyPot machine and employ the machine to exploit a
different network, firewall has been used here. The firewall doesn’t keep the network from
outsider intruders, inside the HoneyPot it also keep secure the host operating system from
the attackers.
This paper discussed about two monitoring software, these are Snort and TripWire. These
software are used to protect, detect and oversee a network. Here, the paper described how
to setup this software on HoneyPot machine so that it can identify and investigates about
the attacks.
This dissertation also reviewed about Metasploit. Metasploit is basically a building and
investigating procedure. By the help of this program, it is easy to findout about a HoneyPot
machine with which things it is vulnerable. This program also helped to findout about
Snort activity, what Snort can detect and what’s not. And according to that requirement, it
helps to find out which Snort rules needs to be inserted inside the Snort to identify any new
and updated attacks.
This paper shown VMware measurement which helps to show how to minimize the use of
CPU and memory so that it is possible to make HoneyPots (HoneyNet) for large network
without extra requiring hardware.

53
At the end, lots of things need to keep in mind when it comes to configure a reliable
HoneyPot. First thing that comes to mind that, a huge number of pc users use windows
platform for personal or office use. So maximum of the attacks are written to exploit
windows machines. Thus, this is fruitful if the HoneyNet system build in windows
platform. Second one is, it is better to form the HoneyNet by virtual system, this is
because, using virtual system is easier to config, not difficult to manage, monitor and its
competitive. Moreover, an admin can do anything side by side with the system which
maintaining the virtual systems. The third point is, HoneyPot is productive when an
intruder thinks it is a real system. Hence it is one of the most important tasks to do
fingerprinting countermeasures to make the HoneyPot more realistic so that it can engage
with intruders. Forth point is to install supervising and intrusion identifying tools in proper
way so it helps to give the admin cent percent result. The output of supervising and
identifying tools must need to give systematized output so that if there is any breakdown in
system, an admin can pin point to the attack and not spend too much time to find out the
attacking information. Fifth point is the host system needs to keep update with latest
patches to make it more secure so that it can protect the host system from attacker doing
any exploiting. And the last point is the HoneyPot system should need to be attractive to
the intruder, hence different kind of applications and configuration needs to be done to
make it look like a real system.

54
References and Bibliography
AHARONI, Mati (2003). Windows DCOM RPC Exploit. [online]. Last accessed January 2012 at:
http://www.securitypronews.com/2003/0814.html
AL., Murhammer et (1998). guide to virtual private network. NJ, prentice hall PTR.
BARNETT, Ryan C. (2002). Monitoring VMware HoneyPots.
http://honeypots.sourceforge.net/monitoring_vmware_honeypots.html#test_scenario.
BLYTHECO (ND). virtual private network configuration. [online]. Last accessed 28 janurary 2011 at:
http://www.blytheco.com/network/virtual_private.asp
BRADELY MITCHELL (ND). What Are the Advantages and Benefits of a VPN. [online]. Last accessed
31 janurary 2011 at: http://compnetworking.about.com/od/vpn/f/vpn_benefits.htm
BRADLEY, Tony (2012). Sub7 Trojan / Backdoor. [online]. Last accessed January 2012 at:
http://netsecurity.about.com/cs/hackertools/a/aa032603a.htm
BUSH, randy and GRIFFIN,Timothy (2003). Integrity for virtual private routed networks. Integrity
for virtual private routed networks,.
CAMBRIDGE, University of (2004). Xen - The Xen virtual machine monitor.
http://www.cl.cam.ac.uk/research/srg/netos/xen/.
CHOU, David (2005). Adopting virtual private network for electronic commerce: An economic
analysis. Adopting virtual private network for electronic commerce: An economic analysis,.
COHEN, R and KAEMPFER,G. (2000). Networking. On the cost of virtual private networks,.
COHEN, Reuven and KAEMPFER,Gideon (6 Dec 2000). On the cost of Virtual Private network. On
the cost of Virtual Private network,.
DAWSON, Catherine (2009). Introduction to Research Methods. 4th ed., How to book.
DEN, Zknk (2007). Detecting Vmwares Remotely. [online]. Last accessed December 2011 at:
http://www.secniche.org/papers/Detecting_Vmwares_Remotely.pdf
DUFFIELD, N.G et.al (ND). A Flexible Model for Resource Management in Virtual Private Networks.
A Flexible Model for Resource Management in Virtual Private Networks ,.
ETHEREAL (2004-2005). What is Ethereal. [online]. Last accessed 15 December 2011 at:
http://www.ethereal.com/docs/eug_html_chunked/ChapterIntroduction.html
FURNESS, Victoria (2009). The Future of Virtualization. Emerging trends and the evolving vendor
landscape,.

55
FURNESS, Victoria (2007). SMB Vendor Opportunities and Strategies. SMB Vendor Opportunities
and Strategies,.
GEORGE W. DUNLAP, Samuel T. King, Sukru Cinar, Murtaza A. Basrai, Peter M. Chen (2002).
ReVirt: Enabling Intrusion Analysis through Virtual-Machine Logging and Replay. ACM.
How To Install and Configure a Virtual Private Network Server in Windows 2000. (2006). [online].
Last accessed 2011 janurary 2011 at: http://support.microsoft.com/kb/308208
J. GILL, P. Johnson (2002). Research Methods for Managers. 3rd ed.,
JEFF TYSON (ND). how virtual priavte network works. [online]. Last accessed 26 januarary 2011 at:
http://computer.howstuffworks.com/vpn.htm/printable
JEFF TYSON (ND). howstuffworks. [online]. Last accessed 26 janurary 2011 at:
http://www.howstuffworks.com/vpn9.htm
JIM DUFFY AND TIM GREENE (1999). Virtual private nets show QoS no respect. [online]. Last
accessed 21 janurary 2011 at: http://www.networkworld.com/news/1999/0621vpnqos.html
JOE TAYLOR JR. (2011). Adding VPN to Your Small Business Security Strategy. [online]. Last
accessed 21 March 2011 at: http://www.brighthub.com/computing/smb-
security/articles/1855.aspx
KATO, Takao et.al (1995). BVPN (Broadband Virtual Private Network): a flexible, high-speed,
enterprise network architecture. Distributed Computing system,.
M.S SMITH (2010). Understanding VPN - Advantages and Benefits. [online]. Last accessed 28
Januaray 2011 at: http://www.brighthub.com/computing/hardware/articles/62501.aspx
MAGAZINE, Linux Productivity (2003). Tripwire.
http://www.troubleshooters.com/lpm/200304/200304.htm.
MARTIN ROESCH, Brian Caswell (2001-2004). Backdoor Rules. [online]. Last accessed January 2012
at: http://cvs.snort.org/viewcvs.cgi/*checkout*/snort/rules/backdoor.rules?rev=1.50
MICROSOFT (2006). microsoft. [online]. Last accessed 26 januarary 2011 at:
http://support.microsoft.com/kb/308208
MICROSOFT (2005). Virtual Private Networks. [online]. Last accessed 23rd january 2011 at:
http://technet.microsoft.com/en-us/library/cc759780(WS.10).aspx
MIZUSAWA, Jun-ichi (ND). NTT communication Switching. Virtual Private Network Control System
Concept,.
MORGAN, David (ND). Workings of a Virtual Private Network in Linux--Part 2. Workings of a
Virtual Private Network in Linux--Part 2,.

56
MORGAN, David (ND). Workings of a Virtual Private Network, Part 1. Workings of a Virtual Private
Network, Part 1,.
NYRE, Asmund Nergard (2005). Increasing Survivability by Dynamic Development of Honeypots.
Norwegian University of Science and Technology.
OSTROWSKI, Paul (2002). Sub Seven. [online]. Last accessed January 2012 at:
http://www.giac.org/paper/gcih/287/seven-risk-internet-security/102981
P. J. DENNING, D. E. Comer, D. Gries, M. C. Mulder, A. Tucker, A. J. Turner, P. R. Young (1989).
Computing as a discipline.
PATRICK MCNEILL, Steve Chapman (2005). Research Methods.
PELLETIER, Bob (2004). Connection Redirection Applied to Production Honeyots.
PENG, wu (2010). computer design and application. Exploration and research on the
implementation of a virtual private network technology in the new generation of IP protocol,.
PETER M. CHEN, Brian D. Noble (2001). When Virtual Is Better than Real. IEEE Computer Society
Washington DC, USA.
(2007). Photonics Technology letters. Demonstration and Scalability Analysis of All-Optical Virtual
Private Network in Multiple Passive Optical Networks Using ASK/FSK Format,.
RAJARAVIVERMA, Veeramuthu Ph.D (Jan 2009). open source Virtual Private Network Experience.
open source Virtual Private Network Experience,.
Reasons for using VPN connection. (ND). [online]. Last accessed 3 Feburary 2011 at:
http://www.articlesphere.com/Article/Reasons-for-Using-VPN-Connection/191489
ROBSON, Colin (1993). Real World Research. 2nd edition ed., Blackwell Publishing, p.p231.
ROSEN, Rami (2005). Introduction to the Xen Virtual Machine. [online]. Last accessed December
2011 at: http://www.linuxjournal.com
ROSENTHAL, Chip (2002). XTAIL. [online]. Last accessed December 2011 at:
http://www.makelinux.net/man/1/X/xtail
SAMUEL T. KING, George W. Dunlap, Peter M. Chen (2003). Operating System Support for Virtual
Machines.
SAUNDERS, Mark (2003). research Methods for Business Students. Pearson Education Limited.
SONICWALL (ND). ssl-vpn secure remote access. [online]. Last accessed 29 Janurary 2011 at:
http://www.sonicwall.com/emea/879.html

57
SPITZNER, Lance (2003). Honeypots. [online]. Last accessed January 2012 at: http://www.tracking-
hackers.com/papers/honeypots.html
TANGERINE (ND). VPN's. [online]. at: http://www.tangerine.co.ke/pageid.php?main=14
TANGERINE (ND). VPN's. [online]. Last accessed 28 Janurary 2011 at:
http://www.tangerine.co.ke/pageid.php?main=14
TCP-IP-INFO.DE (2004). NetBus Backdoor. [online]. Last accessed December 2011 at:
http://www.tcp-ip-info.de/trojaner_und_viren/netbus_eng.htm
TIAN, Yue et.al (2007). Photonics Technology. Demonstration and Scalability Analysis of All-Optical
Virtual Private Network in Multiple Passive Optical Networks Using ASK/FSK Format,.
The User-mode Linux Kernel Home Page. http://user-mode-linux.sourceforge.net/.
VIRTUAL PRIVATE NETWORKS (ND). cisco. [online]. Last accessed 28 janurary 2011 at:
http://www.cisco.com/en/US/products/ps5743/Products_Sub_Category_Home.html
[online]. Last accessed December 2011 at: http://www.vmware.com/support/ws45/doc/
VPN case study. (ND). [online]. Last accessed 3 feburary 2011 at:
http://www.internetwk.com/VPN/default.html
VPNC (ND). VPN white papers. [online]. Last accessed 29 janurary 2011 at:
http://www.vpnc.org/white-papers.html
WEBSITE, Sweetscape (2002-2011). Hex Editor. [online]. Last accessed December 2011 at:
http://www.sweetscape.com/articles/hex_editor.html
WEBSITE, searchmidmarketsecurity.techtarget.com (2002). Snort. [online]. Last accessed
December 2011 at: http://searchmidmarketsecurity.techtarget.com/definition/Snort
WHATIS.TECHTARGET.COM (2008). DCOM (Distributed Component Object Model). [online]. Last
accessed January 2012 at: http://whatis.techtarget.com/definition/0,sid9_gci213883,00.html
WIKIPEDIA (2012). Snort. [online]. Last accessed December 2011 at:
http://en.wikipedia.org/wiki/Snort_(software)?&lang=en_us&output=json&session-
id=e67aebac21f0c948f4f7e011b8d29d06
WOOD, D. et al (1988). Private Switiching systems and Networks. Virtual Private Network,.

58
Appendices
Appendix A: TripWire
A.1 Setting Up TripWire-
To setup TripWire, carry out ‘emerge tripwire’ on Gentoo; it will setup TripWire program
on the Linux HoneyPot system.
When TripWire is setup, it is possible to modify the policy file and the configuration file
by editing them-
/etc/tripwire/twinstall.sh
tripwire –init
Following command need to use for running integrity check of the present file system
opposite to the kept files in the database-
tripwire –check
For printing the report –
twprint -m r --twfile /var/lib/tripwire/report/<name>.twr
Following command is used to make up to date the policy file-
twadmin --create-polfile -S site.key /etc/tripwire/twpol.txt
Following command is in use to modity the configuration file-
twadmin --create-cfgfile -S site.key /etc/tripwire/twcfg.txt

59
Appendix B: UML
C.1 Setup UML
The setup procedure of User Mode Linux (UML) could be found at
http://www.gentoo.org/doc/en/uml.xml.
To install UML manually, one must acquire a kernel from www.kernel.org. After that, to
patch a kernel, it is must to get a patch and patch can be acquired from here http://user-
mode-linux.sourceforge.net/. One thing need to be notice that, the downloaded patch and
kernel needs to be compatible with each other.
By using emerge on Gentoo, it is not necessary to manually load a kernel and a patch to the
system. Just need to follow the guidance from the document which is mentioned above to
setup the guest machine.
Figure 54– setup UML
Now its obvious to setup guest OS on UML or one can download the precompiled OS
from here http://sourceforge.net/projects/user-mode-linux/files/Root%20filesystems/

60
If we use precompiled OS, we must need to open root_fs file by the command ‘bunzip2
*.bz2’. this will add a new file to the present directory. Name the new file as ‘root_fs’ and
we need to run ‘linux ubd0=root_fs’ in the same directory, to load the precompiled OS
using UML.
Figure 55– execution of UML
And when operating system starts, we will get the UML virtual console as shown below-
Figure 56– UML virtual Consol.

61
Appendix C: Design of VMware
C1- Setup VMware:
VMware can be installing from the following page-
http://www.vmware.com/support/ws45/doc/install_win_wsa.html#1025548
C2- Network Setup: Internet Connection Sharing (ICS)
ICS setup can done by obtaining following steps on the host machine-
Start -> All Programs -> Accessories -> Communications -> Network Setup Wizard
Hence, host machine is the one which has a communication with the internet, so we need
to select the option below-
Figure 57– Internet Connection Sharing (ICS)
Now we need to choose the Ethernet adapter which helps to make a connection with the
internet-

62
Figure 58– Choosing Ethernet adapter
Select to setup the following connection-
Figure 59– Selecting connection manually

63
Now select VMware Network Adapter VMnet1, this is the default adapter for host-only
connection-
Figure 60– Selecting the connection to bridge
When network setup on host machine is done, after that setup VMware as host-only to
make it work with ICS.
C.3 Network configuration in VMware:
As we need to configure Host-only network in VMware, so choose Host-Only connection
as shown in the figure. To go to the option, just follow the following instruction-
Edit -> Virtual Machine Settings -> Choose NIC 1 -> choose Host-Only: A private
network shared with the host.
Figure 61– Selecting Host-only option.

64
To prevent confliction with host machine’s services, in VMware, we need to deactivate the
DHCP and NAT services. We need to do that because windows XP ICS provides me the
same services. To do that we need to follow the instructions below-
Edit -> Virtual Network Setting -> select DHCP -> select Stop Services -> click Apply.
To stop the NAT services also, we need to follow the same instruction.
Figure 62– deactivating DHCP in VMware
Figure 63– deactivating NAT in vmware.

65
So, when the operating system starts, the guest machine can access the internet.
C.4 Configuring Static IP address for guest OS-
Gentoo:
To skip manually setup IP each time, in guest machine, a static ip needs to be appointed.
To complete this step, we need to edit /etc/conf/d/net file and then appoint the ip address
(192.168.0.206) as follows to the Gentoo guest OS-
Figure 64– applying static ip address to Gentoo guest machine.
Redhat:
In Redhat machine, /etc/sysconfig/network-scripts/ifcfg-eth0 file needs to be edited to
apply the static ip 192.168.0.110 to the system-
Figure 65– Applying static ip to Redhat.

66
Windows:
To apply the ip address in windows machine, follow the steps-
Start -> Control Panel -> Network Connections -> right click to Local Area Connection
(LAN)-> Properties -> Internet Protocol (TCP/IP) -> Properties
.
Figure 66– applying static ip in winows XP
C.5 configuring Host machine IP Forwarding:
In the host systems, to authorize packet forwarding, following steps needs to be taken-
Start-> Control Panel -> Network Connection -> right click on Local Area Connection ->
select Properties.

67
Figure 67– choosing ip forwarding
After going to the properties, choose the advance tab and then Settings. It is possible to
select several service requests for several local systems. And the point is to be noticed that
one must put static ip for each of the service.
Figure 68– setting up IP forwarding.

HoneyPot for Network Security - building and testing against exploits.

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (16)

Similar to HoneyPot for Network Security - building and testing against exploits.

Similar to HoneyPot for Network Security - building and testing against exploits. (20)

HoneyPot for Network Security - building and testing against exploits.