Tuesday, 5 August 2008

Netcat as a Honeypot

Acting as a virtual server or honeypot

Netcat can simulate any TCP or UDP service; binary protocols are far more complicated, but are still possible. If we take the simple example of a web server that we wish to create as a honeypot, the process is to serve a page and log the results.

Make a webserver:
while true; do nc -l -p 80 -q 1 < /tmp/index.html; done

Then you could log netstat output and other packets, set up Snort, etc. Or you could integrate logging into the pipeline itself: the first loop logs each line sent to the client, the second logs each line the client sends back.
cat /tmp/index.html | { while read; do echo "`date` > $REPLY" >> log.txt; echo "$REPLY"; done; } | nc -l -p 80 -q 1 | { while read; do echo "`date` < $REPLY" >> log.txt; echo "$REPLY"; done; }

Add a proxy or client header and fool simple systems (type the request line and headers, then an empty line to end the request):
# nc google.com 80
GET / HTTP/1.1
Host: google.com
User-Agent: Mozilla Version 2800.1 (one day)
Referer: Not.my.site.com


Add timestamps and other details to the log, and the script needs to be spawned as a background service, but the idea is there.
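The two pieces above (the listen loop and the logging pipeline) put together as one script, with the timestamps mentioned here. This is an added example, not code from the original post; it assumes the netcat-traditional flags the post uses (`nc -l -p PORT -q 1`), and PORT, LOG and PAGE are placeholders you would set for your own decoy.

```shell
#!/bin/sh
# Added example, not from the original post: a netcat web honeypot that
# answers every connection with a canned page and appends one timestamped
# line per request to a log file.  Assumes netcat-traditional syntax
# (nc -l -p PORT -q 1).  PORT, LOG and PAGE are placeholder defaults.

PORT="${PORT:-8080}"            # the post listens on 80, which needs root
LOG="${LOG:-/tmp/honeypot.log}"
PAGE="${PAGE:-/tmp/index.html}"

# Wrap the page body in a minimal HTTP/1.1 response.  Sending bare HTML, as
# the post's one-liner does, satisfies many scanners, but a status line and
# Content-Length make the decoy look like a real server.
build_response() {
    body_file="$1"
    length=$(wc -c < "$body_file" | tr -d ' ')
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n'
    printf 'Content-Length: %s\r\nConnection: close\r\n\r\n' "$length"
    cat "$body_file"
}

# First line of the raw request (method, path, version) with the CR removed.
extract_request_line() {
    printf '%s\n' "$1" | head -n 1 | tr -d '\r'
}

# Value of the User-Agent header, or "<none>" when the client sent none.
extract_user_agent() {
    agent=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^User-Agent:' | head -n 1 | cut -d' ' -f2-)
    printf '%s\n' "${agent:-<none>}"
}

# One log line: timestamp | request line | user agent.  The timestamp is an
# argument so the formatting can be checked independently of the clock.
format_log_line() {
    stamp="$1"
    raw="$2"
    printf '%s | %s | %s\n' "$stamp" "$(extract_request_line "$raw")" "$(extract_user_agent "$raw")"
}

# Listen forever.  nc's stdin carries the response; its stdout carries
# whatever the client sent, which is captured, logged and discarded.
serve_forever() {
    while true; do
        request=$(build_response "$PAGE" | nc -l -p "$PORT" -q 1)
        [ -n "$request" ] || continue           # connection that sent nothing
        format_log_line "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$request" >> "$LOG"
    done
}

# Only open the port when asked (sh honeypot.sh --serve), so the functions
# above can be sourced or tested without listening.
if [ "${1:-}" = "--serve" ]; then
    serve_forever
fi
```

Run it as `sh honeypot.sh --serve` under a supervisor (nohup, a systemd unit, or a cron @reboot entry) so it is respawned if netcat exits; the `-q 1` timeout means each connection is answered and closed after one second, which is enough for the client's request to reach nc's stdout and the log.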

This can be done for nearly any service or port, but of course there are simpler ways to do this.
