Category: Network and Security
2008-06-05 16:11:13
1. Environment
1.1 OS
CentOS release 5 (Final), kernel 2.6.18-8.el5xen
1.2 Required libs
pcre-6.6-1.1
pcre-devel-6.6-1.1
libpcap-0.9.4-8.1
libpcap-devel-0.9.4-8.1
(shipped with the CentOS DVD)
libevent
./configure --prefix=/usr/local/libevent
libdnet
./configure --prefix=/usr/local/libdnet
Honeyd
2. Install honeyd
wget
mkdir -p working
tar xfvz honeyd-1.5c.tar.gz -C working
cd working/honeyd-1.5c
./configure --prefix=/usr/local/honeyd --with-libevent=/usr/local/libevent --with-libdnet=/usr/local/libdnet
make
make install
cp -r /src/working/honeyd-1.5c/scripts /usr/local/honeyd/
3. Configure honeyd
honeyd can create a whole virtual network, but all I need right now is a list of fake ports, so that real services and fake services sit side by side and the real services are disguised among them. One virtual host is therefore enough; the configuration is as follows:
create windows
set windows personality "Microsoft Windows NT 4.0 SP3"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 22 "/usr/local/honeyd/scripts/test.sh"
add windows tcp port 23 "/usr/local/honeyd/scripts/router-telnet.pl"
add windows tcp port 25 "/usr/local/honeyd/scripts/smtp.pl"
add windows tcp port 80 "/usr/local/honeyd/scripts/web.sh"
add windows tcp port 110 "/usr/local/honeyd/scripts/pop3.sh"
add windows tcp port 21 "/usr/local/honeyd/scripts/ftp.sh"
bind 192.168.0.110 windows
4. Start honeyd
/usr/local/honeyd/bin/honeyd -l /usr/local/honeyd/log/pack -s /usr/local/honeyd/log/service -p /usr/local/honeyd/share/honeyd/nmap.prints -u 500 -g 500 -f /usr/local/honeyd/share/honeyd/my.conf
At this point the fake host 192.168.0.110 starts working. Some documents say arpd is needed to answer ARP requests, but I found it worked without arpd enabled. I think this is because my fake host is on the same physical segment as the physical NIC; if it were not, arpd should be needed. I have no use for it right now and have not tested it. Compiling it did produce errors, and after searching I found no good solution, so in the end I installed an rpm instead.
5. Configure NAT
iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m comment --comment "fake 21" -m tcp --dport 21 -j DNAT --to-destination 192.168.0.110:21
iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m comment --comment "fake 22" -m tcp --dport 22 -j DNAT --to-destination 192.168.0.110:22
iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p tcp -m comment --comment "fake 23" -m tcp --dport 23 -j DNAT --to-destination 192.168.0.110:23
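The template in section 3 and the DNAT rules in section 5 list the same ports by hand, and the two lists drift easily: a redirected port with no honeyd service behind it just gets a reset, and a fake service with no redirect is never reached from outside. The script below is an added example, not from the original post or the honeyd project: it generates the honeyd template and the matching iptables rules from one port-to-script list. It assumes the script directory, fake IP and personality used in the post, xxx.xxx.xxx.xxx stands in for the public address, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): generate the honeyd template
# and the iptables DNAT rules from ONE port->script list, so the ports the
# firewall redirects always match the ports the fake host actually answers.
# Assumptions: honeyd scripts live under /usr/local/honeyd/scripts, the fake
# host is 192.168.0.110, PUBLIC_IP is a placeholder for the real address.

HONEYD_SCRIPTS=/usr/local/honeyd/scripts
FAKE_IP=192.168.0.110
PUBLIC_IP=xxx.xxx.xxx.xxx   # placeholder, as in the post

# port=script pairs; this list is the single source of truth for both outputs
FAKE_PORTS="21=ftp.sh 22=test.sh 23=router-telnet.pl 25=smtp.pl 80=web.sh 110=pop3.sh"

# honeyd_template NAME PERSONALITY -> prints a honeyd configuration
honeyd_template() {
    name=$1; personality=$2
    echo "create $name"
    echo "set $name personality \"$personality\""
    echo "set $name default tcp action reset"
    echo "set $name default udp action reset"
    for entry in $FAKE_PORTS; do
        port=${entry%%=*}; script=${entry#*=}
        echo "add $name tcp port $port \"$HONEYD_SCRIPTS/$script\""
    done
    echo "bind $FAKE_IP $name"
}

# nat_rules -> prints one DNAT rule per fake port. PREROUTING and DNAT live
# in the nat table, so "-t nat" is required or iptables rejects the rule.
nat_rules() {
    for entry in $FAKE_PORTS; do
        port=${entry%%=*}
        echo "iptables -t nat -A PREROUTING -d $PUBLIC_IP -p tcp --dport $port" \
             "-m comment --comment \"fake $port\" -j DNAT --to-destination $FAKE_IP:$port"
    done
}

# count_fake_ports -> number of entries in the list, for sanity checks
count_fake_ports() {
    set -- $FAKE_PORTS
    echo $#
}

# Usage: save the first part as my.conf (the file given to honeyd -f), review
# the second part, then run it with sh on the NAT host.
echo "# honeyd template, save as my.conf"
honeyd_template windows "Microsoft Windows NT 4.0 SP3"
echo "# iptables rules, review then apply"
nat_rules
```

Two things the rules alone do not cover: the redirected packets are forwarded to 192.168.0.110 rather than delivered locally, so the NAT host needs net.ipv4.ip_forward=1 and a FORWARD policy that lets them through, and `iptables -t nat -S PREROUTING` afterwards confirms that exactly the listed ports are redirected and nothing else.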
6. See what you get.
telnet xxx.xxx.xxx.xxx   # public IP address
User Access Verification
Username:
Right! Go ahead.
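Once connections are being redirected, the packet log written with -l (/usr/local/honeyd/log/pack above) is where probes against the fake ports show up. The script below is an added example, not part of the post: it summarises connection starts per fake port and lists sources that touched several fake ports, which is the kind of pattern a real client rarely produces. The line layout it parses is assumed from honeyd's connection log format (timestamp, protocol, S/E/- marker, source, source port, destination, destination port), the sample lines are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: summarise honeyd's packet log
# (the file passed with -l) so the defender sees which fake ports were hit
# and by whom. Assumed line layout, based on honeyd's connection log:
#   <timestamp> <proto>(<num>) <S|E|-> <src ip> <src port> <dst ip> <dst port> [...]
# S = connection start, E = connection end, - = single packet (e.g. UDP).
# Adjust the awk field numbers if your honeyd build logs differently.

# honeyd_port_summary LOGFILE
# Prints "dst_port connections distinct_sources" per fake port, counting only
# S records so end records and retransmits are not double counted.
honeyd_port_summary() {
    awk '$3 == "S" {
            port = $7
            conns[port]++
            if (!((port, $4) in seen)) { seen[port, $4] = 1; srcs[port]++ }
        }
        END { for (p in conns) printf "%s %d %d\n", p, conns[p], srcs[p] }' "$1" | sort -n
}

# honeyd_scanners LOGFILE MINPORTS
# Prints "src_ip distinct_fake_ports" for every source that opened connections
# to at least MINPORTS different fake ports.
honeyd_scanners() {
    awk -v min="$2" '$3 == "S" {
            if (!(($4, $7) in seen)) { seen[$4, $7] = 1; ports[$4]++ }
        }
        END { for (s in ports) if (ports[s] >= min) printf "%s %d\n", s, ports[s] }' "$1" | sort
}

# make_sample_log -> writes a constructed log (not real capture data) to a
# temporary file and prints its path, so the functions can be tried offline.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2008-06-05-16:11:13.0001 tcp(6) S 10.0.0.5 40001 192.168.0.110 22 [Windows NT 4.0 SP3]
2008-06-05-16:11:14.0002 tcp(6) E 10.0.0.5 40001 192.168.0.110 22: 120 0
2008-06-05-16:11:20.0003 tcp(6) S 10.0.0.5 40002 192.168.0.110 23 [Windows NT 4.0 SP3]
2008-06-05-16:11:21.0004 tcp(6) S 10.0.0.9 51000 192.168.0.110 23 [Linux 2.4.x]
2008-06-05-16:11:22.0005 tcp(6) S 10.0.0.9 51001 192.168.0.110 23 [Linux 2.4.x]
2008-06-05-16:11:30.0006 tcp(6) S 10.0.0.5 40003 192.168.0.110 80 [Windows NT 4.0 SP3]
2008-06-05-16:11:31.0007 udp(17) - 10.0.0.7 5353 192.168.0.110 53
EOF
    echo "$f"
}

# Usage: sh honeyd-summary.sh /usr/local/honeyd/log/pack
# (with no readable file argument the constructed sample is used)
if [ -r "${1:-}" ]; then LOG=$1; else LOG=$(make_sample_log); fi
echo "connections per fake port:"; honeyd_port_summary "$LOG"
echo "sources touching 2 or more fake ports:"; honeyd_scanners "$LOG" 2
```

On the sample, port 23 shows three connections from two sources and 10.0.0.5 is reported for touching three different fake ports; on a real log the second list is the one worth feeding into alerting, since nothing legitimate should ever reach these ports at all.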
7. Installing arpd
wget
If iproute is installed, rpm complains that this conflicts with iproute's arpd; rename /usr/sbin/arpd first.
It then reports dependency errors:
warning: arpd-0.2-4.rh9.rf.i386.rpm: Header V3 DSA signature: NOKEY, key ID 6b8d79e6
error: Failed dependencies:
libdnet.1 is needed by arpd-0.2-4.rh9.rf.i386
libevent-1.3b.so.1 is needed by arpd-0.2-4.rh9.rf.i386
libpcap.so.0.6.2 is needed by arpd-0.2-4.rh9.rf.i386
Ignore them and force the install with rpm -Uhv --nodeps, which then fails at run time:
/usr/sbin/arpd: error while loading shared libraries: libevent-1.3b.so.1: cannot open shared object file: No such file or directory
Download libevent-1.3b, build it, and copy the files under its lib directory into /usr/lib.
/usr/sbin/arpd.honey: error while loading shared libraries: libdnet.1: cannot open shared object file: No such file or directory
Copy the files under the lib directory of the libdnet built earlier into /usr/lib.
After that it runs.
The iproute package also ships an arpd; whether it does the same job as this one, I have not looked into.