Honeyd - Network Rhapsody for You

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to 65536 - on a LAN for network simulation. It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. Instead of simulating a service, it is also possible to proxy it to another machine.

Example:

    annotate "AIX 4.0 - 4.2" fragment old
    # Example of a simple host template and its binding
    create template
    set template personality "AIX 4.0 - 4.2"
    add template tcp port 80 "sh scripts/web.sh"
    add template tcp port 22 "sh scripts/test.sh $ipsrc $dport"
    add template tcp port 23 proxy 10.23.1.2:23
    set template default tcp action reset
    bind 10.21.19.102 template

The different TCP personalities are learned from reading an nmap fingerprint file. The configured personality is the operating system that nmap or xprobe will return. Personalities can be annotated to determine if they allow FIN-scans for open ports or to select the preference in which they reassemble fragmented IP packets.

Features

* Simulates thousands of virtual hosts at the same time.
* Configuration of arbitrary services via simple configuration file:
  * Includes proxy connects.
* Simulates operating systems at TCP/IP stack level:
  * Fools nmap and xprobe,
  * Adjustable fragment reassembly policy,
  * Adjustable FIN-scan policy.
* Simulation of arbitrary routing topologies:
  * Configurable latency and packet loss.

Honeyd can be used to create a virtual honey net or for general network monitoring. It supports the creation of a virtual network topology including dedicated routes and routers.
The routes can be assigned latency and packet loss to make the topology seem more realistic.

    honeyd[2054]: Sending echo reply: 10.21.19.242 -> 240.81.64.14
    honeyd[2054]: Connection request: (231.205.161.9:64843 - 10.21.19.240:80)
    honeyd[2054]: Connection established: (231.205.161.9:64843 - 10.21.19.240:80) <-> /var/honeyd/scripts/web.sh
    honeyd[2054]: Connection dropped with reset: (231.205.161.9:64843 - 10.21.19.240:80)
    honeyd[2054]: Connection request: (12.237.70.38:4064 - 10.21.19.240:80)
    honeyd[2054]: Connection established: (12.237.70.38:4064 - 10.21.19.240:80) <-> /var/honeyd/scripts/web.sh
    honeyd[2054]: Connection dropped with reset: (12.237.70.38:4064 - 10.21.19.240:80)
    honeyd[2054]: Connection request: (10.21.24.100:31537 - 10.21.19.240:80)
    honeyd[2054]: Connection established: (10.21.24.100:31537 - 10.21.19.240:80) <-> /var/honeyd/scripts/web.sh
    honeyd[2054]: Expiring (10.21.24.100:31537 - 10.21.19.240:80) (0x55800) in state 7
    honeyd[2054]: Connection request: (10.21.24.101:36539 - 10.21.19.245:80)
    honeyd[2054]: Connection established: (10.21.24.101:36539 - 10.21.19.245:80) <-> /var/honeyd/scripts/web.sh
    honeyd[2054]: Expiring (10.21.24.101:36539 - 10.21.19.245:80) (0x55800) in state 7

The Honeyd homepage is located at: http://www.honeyd.org/

Cryptographic signatures and checksums may be provided by the developers at the URL(s) above. Wiretapped recommends that users check these before use of the software/information.
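For the network-monitoring use described above, the honeyd log lines shown on this page can be reduced to a per-source summary. The following is an added example, not part of the Honeyd distribution; the line formats are inferred only from the excerpt above, and `parse_line` and `summarize` are hypothetical helper names.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the honeyd log excerpt on this page.
SAMPLE = """\
honeyd[2054]: Sending echo reply: 10.21.19.242 -> 240.81.64.14
honeyd[2054]: Connection request: (231.205.161.9:64843 - 10.21.19.240:80)
honeyd[2054]: Connection established: (231.205.161.9:64843 - 10.21.19.240:80) <-> /var/honeyd/scripts/web.sh
honeyd[2054]: Connection dropped with reset: (231.205.161.9:64843 - 10.21.19.240:80)
honeyd[2054]: Connection request: (10.21.24.100:31537 - 10.21.19.240:80)
honeyd[2054]: Connection established: (10.21.24.100:31537 - 10.21.19.240:80) <-> /var/honeyd/scripts/web.sh
honeyd[2054]: Expiring (10.21.24.100:31537 - 10.21.19.240:80) (0x55800) in state 7
"""

NAMES = {"Connection request:": "request",
         "Connection established:": "established",
         "Connection dropped with reset:": "reset",
         "Expiring": "expired"}
FLOW = re.compile(r"honeyd\[\d+\]: (" + "|".join(map(re.escape, NAMES)) +
                  r") \(([\d.]+):(\d+) - ([\d.]+):(\d+)\)")
ECHO = re.compile(r"honeyd\[\d+\]: Sending echo reply: ([\d.]+) -> ([\d.]+)")


def parse_line(line):
    """Return (event, remote_ip, honeypot_ip, dport), or None if unrecognised."""
    m = ECHO.search(line)
    if m:  # the reply travels honeypot -> remote, so the prober is group 2
        return ("ping", m.group(2), m.group(1), None)
    m = FLOW.search(line)
    if m:
        return (NAMES[m.group(1)], m.group(2), m.group(4), int(m.group(5)))
    return None


def summarize(text):
    """Group events by remote address: event counts plus honeypots touched."""
    stats = defaultdict(lambda: {"events": Counter(), "targets": set()})
    for event in filter(None, map(parse_line, text.splitlines())):
        name, remote, honeypot, dport = event
        stats[remote]["events"][name] += 1
        stats[remote]["targets"].add((honeypot, dport))
    return dict(stats)


if __name__ == "__main__":
    for remote, s in sorted(summarize(SAMPLE).items()):
        print(remote, dict(s["events"]), sorted(s["targets"], key=str))
```

Because every address honeyd answers for is virtual, any remote address that appears in this summary is worth reviewing; a source with several entries in `targets` is touching more than one honeypot.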