Netcat Honeypot


by Brian

Did you ever wish you could put a honeypot on your network, or just monitor port-surfer activity, but did not know how or could not afford the cost of a dedicated system? Netcat could provide the answer you are looking for. Yes, netcat, the mother of all system administration and hacking tools, thanks to Weld and the guys at the L0pht, makes a great tool for creating an inexpensive (free) honeypot. It is also easy to implement and is compatible with many operating systems. Netcat is available at "http://www.l0pht.com/~weld/netcat". For those of you who have never heard of the L0pht, there is a wealth of computer security information and tools available there to download.

Since most dedicated hacking attempts start with a low and slow probe for available network services, one might want an audit trail of attempted port connections. One of the many features of netcat allows you to start a service listening on the port of your choice. With this method, you can make a simple Linux, Solaris, NT, etc. workstation look like it is running sendmail, DNS, FTP, telnet, and a web server. There is one deficiency with this setup: it will not pick up half-open scans, like a stealthy nmap probe. However, from my experience, once attackers have mapped what they think are open services, they have to use a full three-way handshake to get to the apparently open services. Then you have them, or at least the IP address of the attacking system.

The following is what is needed to get a honeypot working on a Solaris workstation. First create a script file with the following contents for each port to be baited, using these netcat options:
  -l        regular listen mode
  -p        your port of choice
  -vv       double verbose mode
  x.x.x.x   IP address of the system you are using

Append a "2" (file descriptor 2, stderr, which is where netcat writes its verbose and error messages) to the redirect at the end of the command line so that those messages are included in the audit output.

Redirect the output to an audit file. Echo any comments you want into the audit file and wrap it all up with an endless do loop. I used the regular listen mode instead of the recursive listen mode (-L) because I wanted the other comments to get appended to the output file for each hit on the port. It is very important to put in the IP address of the system on which this honeypot resides. That way the only system allowed to connect to the port is itself. If you leave out the IP, then ALL systems are granted access to the port. I also wanted all of the information in one file for easy review and trend analysis, so I added the extra lines to copy the audit info to another file and clear the original file.

Below is the contents of my "port25" script file:
  #!/bin/sh
  # Listen on port 25 forever; each connection attempt is logged to the
  # per-port audit file, which is then appended to the combined log and cleared.
  while true; do
    # -l listen, -p port 25, -vv double verbose; the IP restricts who may
    # connect, and 2>> sends netcat's messages (stderr) to the audit file
    /usr/bin/nc -l -p 25 -vv xxx.xxx.xxx.xxx 2>> /var/audit/nc-port25
    date >> /var/audit/nc-port25
    echo "******************** FAILED SENDMAIL ATTEMPT  -  PORT 25 ********************\n" >> /var/audit/nc-port25
    cat /var/audit/nc-port25 >> /var/audit/nc-log
    cp /dev/null /var/audit/nc-port25
  done

At this point, I created a script file, "portwrap", that will start all of the port scripts in one place.

Contents of portwrap:
  #!/bin/sh
  # start every per-port listener script in the background
  /var/audit/nc-wrappers/port25 &
  /var/audit/nc-wrappers/port79 &
  /var/audit/nc-wrappers/port512 &
  /var/audit/nc-wrappers/port513 &
  /var/audit/nc-wrappers/port514 &
  ....
  ....
  ....

Finally, create one more script file, "S99nc-wrappers", put it in the "/etc/rc2.d" directory, and your honeypot will be up and running every time you boot your system.
  #!/bin/sh
  # this will start the netcat audit wrappers for sensitive ports
  # (run by the rc2 boot sequence; nohup keeps the listeners alive after it exits)
  nohup /var/audit/nc-wrappers/portwrap
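As an added example (not part of the original article), a small shell script for the review and trend analysis mentioned above: it reads the combined nc-log and reports hits per source address and port, with the last date each pair was seen. It assumes the message wording of netcat 1.10 in -vv mode ("listening on [any] 25 ...", "invalid connection to [...] from HOST [ip] PORT") followed by the port script's own date line; the sample log it writes is constructed.

```shell
#!/bin/sh
# Summarize /var/audit/nc-log: hits per (source address, port), with the
# last date line seen for each pair. Assumes netcat 1.10 -vv wording on
# stderr ("listening on [any] 25 ...", "connect to [...] from HOST [ip] PORT",
# "invalid connection to [...] from HOST [ip] PORT") followed by the port
# script's own "date" line. The sample log below is constructed.

summarize_nc_log() {
  awk '
    # "listening on [any] 25 ..." : remember the port this listener served
    /^listening on / { port = $4 }
    # Accepted or refused connection: the token after "from" is the
    # resolved name (or "(UNKNOWN)"), the one after that is "[a.b.c.d]"
    /^connect to / || /^invalid connection to / {
      for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 2)
      src = substr(src, 2, length(src) - 2)   # strip the brackets
      key = src " " port
      count[key]++
      pending = key   # the port script writes the date on the next line
      next
    }
    pending != "" { last[pending] = $0; pending = "" }
    END { for (k in count) print k, count[k], "last=" last[k] }
  ' "$1" | sort
}
# Constructed sample of what two port scripts would append to nc-log.
make_sample_log() {
  cat > "$1" <<'EOF'
listening on [any] 25 ...
invalid connection to [192.0.2.10] from (UNKNOWN) [203.0.113.7] 41234
Tue Mar 14 10:02:11 MST 2000
******************** FAILED SENDMAIL ATTEMPT  -  PORT 25 ********************

listening on [any] 79 ...
invalid connection to [192.0.2.10] from (UNKNOWN) [198.51.100.4] 5150
Tue Mar 14 10:05:40 MST 2000
******************** FAILED FINGER ATTEMPT  -  PORT 79 ********************

listening on [any] 25 ...
invalid connection to [192.0.2.10] from scanner.example.net [203.0.113.7] 41300
Tue Mar 14 11:17:03 MST 2000
******************** FAILED SENDMAIL ATTEMPT  -  PORT 25 ********************
EOF
}
# Usage: summarize_nc_log /var/audit/nc-log   (--demo runs it on the sample)
if [ "$1" = "--demo" ]; then
  make_sample_log /tmp/nc-log.sample
  summarize_nc_log /tmp/nc-log.sample
fi
```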

Good ports to monitor:
  FTP                 21
  Telnet              23
  Sendmail            25
  TFTP                69
  Finger              79
  Web                 80, 443, 8080
  NetBIOS             139
  Rexec               512
  Rlogin              513
  Rsh                 514
  BO (Back Orifice)   31337