Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses – I have tested up to 65536 – on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.

It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. Instead of simulating a service, it is also possible to proxy it to another machine.


Honeyd supports a variey of features that make the daemon very flexible for creating both host based and netword based virtual honeypots. The following list gives a brief overview of the different features that Honeyd supports:

  • Simulates thousands of virtual hosts at the same time.

  • Configuration of arbitrary services via simple configuration file:

    • Includes proxy connects.

    • Passive fingerprinting to identify remote hosts.

    • Random sampling for load scaling.

  • Simulates operating systems at TCP/IP stack level:

    • Fools nmap and xprobe,

    • Adjustable fragment reassembly policy,

    • Adjustable FIN-scan policy.

  • Simulation of arbitrary routing topologies:

    • Configurable latency and packet loss.

    • Assymetric routing.

    • Integration of physical machines into topology.

    • Distributed Honeyd via GRE tunneling.

  • Subsystem virtualization:

    • Run real UNIX applications under virtual Honeyd IP addresses: web servers, ftp servers, etc…

    • Dynamic port binding in virtual address space, background initiation of network connections, etc.



 honeyd [OPTIONS] [net ...]


options include:
  -d                     Do not daemonize, be verbose.
  -P                     Enable polling mode.
  -l logfile             Log packets and connections to logfile.
  -s logfile             Logs service status output to logfile.
  -i interface           Listen on interface.
  -p file                Read nmap-style fingerprints from file.
  -x file                Read xprobe-style fingerprints from file.
  -a assocfile           Read nmap-xprobe associations from file.
  -0 osfingerprints      Read pf-style OS fingerprints from file.
  -u uid		  Set the uid Honeyd should run as.
  -g gid		  Set the gid Honeyd should run as.
  -f configfile          Read configuration from file.
  -c host:port:name:pass Reports starts to collector.
  --webserver-address=address Address on which webserver listens.
  --webserver-port=port  Port on which webserver listens.
  --webserver-root=path  Root of document tree.
  --fix-webserver-permissions Change ownership and permissions.
  --rrdtool-path=path    Path to rrdtool.
  --disable-webserver    Disables internal webserver
  --disable-update       Disables checking for security fixes.
  --verify-config        Verify configuration file then exit.
  -V, --version          Print program version and exit.
  -h, --help             Print this message and exit.

For plugin development:
  --include-dir          Prints out header files directory and exits.
  --data-dir             Prints out data/plug-in directory and exits. 


Setting Up Virtual Honeypot using honeyd:

Create a conf file, say honeypot.conf  and put some code in it. Below is an example configuration file that generates a Windows NT 4.0 SP3 host and places it on the LAN:

### Standard Microsoft Windows NT 4.0 SP3
create win2k
set win2k personality "Microsoft Windows NT 4.0 SP3"
set win2k default tcp action closed
set win2k default udp action closed
set win2k default icmp action closed
set win2k uptime 3567
set win2k droprate in 13
add win2k tcp port 21 "sh scripts/win32/win2k/msftp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 25 "sh scripts/win32/win2k/exchange-smtp.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 80 "sh scripts/win32/win2k/iis.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 110 "sh scripts/win32/win2k/exchange-pop3.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 143 "sh scripts/win32/win2k/exchange-imap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 389 "sh scripts/win32/win2k/ldap.sh $ipsrc $sport $ipdst $dport"
add win2k tcp port 5901 "sh scripts/win32/win2k/vnc.sh $ipsrc $sport $ipdst $dport"
add win2k udp port 161 "perl scripts/unix/general/snmp/fake-snmp.pl public private --config=scripts/unix/general"
# This will redirect incomming windows-filesharing back to the source
add win2k udp port 137 proxy $ipsrc:137
add win2k udp port 138 proxy $ipsrc:138
add win2k udp port 445 proxy $ipsrc:445
add win2k tcp port 137 proxy $ipsrc:137
add win2k tcp port 138 proxy $ipsrc:138
add win2k tcp port 139 proxy $ipsrc:139
add win2k tcp port 445 proxy $ipsrc:445
bind win2k

Start the honeypot -d parameter forces Honeyd not to run in the background as a daemon. 

cyborg@cyborg:~$ sudo honeyd -d -f honeypot.conf
Honeyd V1.5c Copyright (c) 2002-2007 Niels Provos
honeyd[8737]: started with -d -f honeypot.conf
honeyd[8737]: listening promiscuously on eth0: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:e0:4c:37:00:93
honeyd[8737]: Demoting process privileges to uid 65534, gid 6553

Leave a reply


We're are building as a community and a team. Be a part of it.


©2018 Ztrela Knowledge Solutions Pvt. Ltd

Log in with your credentials

Forgot your details?