To Build a Honeypot

Post by Lance Spitzne » Wed, 11 Aug 1999 04:00:00



I've just posted a whitepaper I thought many of you
would be interested in "To Build a Honeypot".

This article is a follow up to the "Know Your Enemy"
series. Many people from the Internet community asked
me how I was able to track black-hats in the act of
probing for and compromising a system. This paper
discusses just that. Here I describe how I built,
implemented, and monitored a honeypot network designed
specifically to learn how black-hats work.  I would
greatly appreciate any feedback or recommendations.

Thanks!
http://www.enteract.com/~lspitz/honeypot.html

Lance Spitzner
http://www.enteract.com/~lspitz
Internetworking & Security Engineer
Dimension Enterprises Inc

 
 
 

1. Building rpc.statd exploit honeypot--need help

I am trying to build a simple honeypot to mimic the rpc.statd (port 111)
vulnerability so I can trick these script kiddies that have scanned my box
hundreds of times in the last few months into thinking they have "cracked" my
machine.  I don't have any interest in getting anyone in trouble, I just
want to watch offenders for my amusement, and maybe scare them for added
fun.

So here's the problem.  I don't know how this vulnerability works.  I've
read all I can from CERT and others about what lockd and statd's purposes
are, but nothing substantial.  Before I started coding anything I configured
netcat to listen on port 111 like so:

nc -L -p 111 -v -v >> log.txt

All that I wanted to do was to capture some of the shellcode that gets spit
at statd so I could see if I could continue building my honeypot.  If it
would have worked (which it didn't), I would have known that I could
continue and start coding.

How does this exploit work?  I know that NFS uses TCP and UDP interchangeably
and I don't even know where RPC procedures fit into this whole process.

Any help would be most appreciated.
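
Added example, not part of the original post: port 111 is the RPC portmapper, so bytes logged by a listener there are usually ONC RPC calls such as a GETPORT lookup rather than traffic addressed to statd itself. This decoder summarises such a call from captured bytes; the sample message is constructed, the function names are hypothetical, and the program numbers are the standard ONC RPC assignments.

```python
import struct

# Standard ONC RPC assignments (RFC 5531 / RFC 1833).
PMAP_PROG, PMAP_GETPORT = 100000, 3
KNOWN_PROGS = {100000: "portmapper", 100021: "nlockmgr", 100024: "status (rpc.statd)"}
PROTOS = {6: "tcp", 17: "udp"}

def _u32(buf, off):
    """Read one big-endian XDR unsigned int, refusing truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated RPC message")
    return struct.unpack_from(">I", buf, off)[0]

def _skip_opaque_auth(buf, off):
    """Skip one opaque_auth: flavor, length, body padded to 4 bytes."""
    length = _u32(buf, off + 4)
    if length > 400:  # RFC 5531 caps auth bodies at 400 bytes
        raise ValueError("oversized auth body")
    return off + 8 + ((length + 3) & ~3)

def decode_rpc_call(data, tcp=False):
    """Summarise one RPC call captured by a listener on port 111."""
    if tcp:  # TCP puts a 4-byte record mark in front of each fragment
        mark = _u32(data, 0)
        data = data[4:4 + (mark & 0x7FFFFFFF)]
    xid, mtype, rpcvers = _u32(data, 0), _u32(data, 4), _u32(data, 8)
    if mtype != 0 or rpcvers != 2:
        raise ValueError("not an ONC RPC v2 call")
    prog, vers, proc = _u32(data, 12), _u32(data, 16), _u32(data, 20)
    off = _skip_opaque_auth(data, 24)   # credentials
    off = _skip_opaque_auth(data, off)  # verifier
    info = {"xid": xid, "program": prog, "version": vers, "procedure": proc}
    if prog == PMAP_PROG and proc == PMAP_GETPORT:
        wanted = _u32(data, off)        # program the client is looking for
        info["lookup"] = KNOWN_PROGS.get(wanted, str(wanted))
        info["lookup_proto"] = PROTOS.get(_u32(data, off + 8), "other")
    return info

# Constructed sample: GETPORT asking where program 100024 listens on UDP.
SAMPLE = struct.pack(">14I", 0x1234ABCD, 0, 2, 100000, 2, 3,
                     0, 0, 0, 0,        # AUTH_NONE credentials and verifier
                     100024, 1, 17, 0)  # prog, vers, prot, port

if __name__ == "__main__":
    print(decode_rpc_call(SAMPLE))
```

Pass `tcp=True` for bytes captured from a TCP listener, where each message is preceded by a record mark; UDP datagrams carry the call directly.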
