Honeypots: Re: honeyd win32 and XP

[Jeff <jeffduh99 () hotmail com>]

In-Reply-To: <055c01c45b66$d6170080$0501a8c0 () SHA01X>

Leigh,

I can get honeyd win32 to list attempted connections to and from other hosts, but not to the IP listed.  Oh well.  
Thanks,

Jeff

> Received: (qmail 27537 invoked from network); 26 Jun 2004 16:18:55 -0000
> Received: from lists.securityfocus.com (205.206.231.19)
>  by mail.securityfocus.com with SMTP; 26 Jun 2004 16:18:55 -0000
> Received: (qmail 20549 invoked by alias); 26 Jun 2004 16:14:37 -0000
> Mailing-List: contact honeypots-help () securityfocus com; run by ezmlm
> Precedence: bulk
> X-No-Archive: yes
> List-Id: <honeypots.list-id.securityfocus.com>
> List-Post: <mailto:honeypots () securityfocus com>
> List-Help: <mailto:honeypots-help () securityfocus com>
> List-Unsubscribe: <mailto:honeypots-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:honeypots-subscribe () securityfocus com>
> Delivered-To: mailing list honeypots () securityfocus com
> Delivered-To: moderator for honeypots () securityfocus com
> Received: (qmail 15328 invoked from network); 26 Jun 2004 10:10:38 -0000
> Message-ID: <055c01c45b66$d6170080$0501a8c0 () SHA01X>
> Reply-To: "Leigh" <hst () iprimus com au>
> From: "Leigh" <hst () iprimus com au>
> To: "Jeff" <jeffduh99 () hotmail com>, <honeypots () securityfocus com>
> References: <20040626035927.4909.qmail () www securityfocus com>
> Subject: Re: honeyd win32 and XP
> Date: Sat, 26 Jun 2004 20:17:48 +1000
> MIME-Version: 1.0
> Content-Type: text/plain;
>       format=flowed;
>       charset="iso-8859-1";
>       reply-type=original
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2900.2096
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2096
>
> Might have something to do with the removal of raw sockets support in XP SP2 
> (I too have been experiencing the same problems, on both SP1/SP2 beta).
>
> Apparently MS have removed support for rawsock because "the only use for it 
> is for people who write attack tools" according to the developers in their 
> listserv. Not so. This is also strange because I am using software like 
> Ethercap which also uses Winpcap/packet.dll and this works fine (yet honeyd 
> does not and nmap will only work with TCP connect scans/-P0).
>
> Please let me know how you get on. I have been playing around with various 
> virtual pc's and emulators (like Cygwin/X and CoLinux) under XP in order to 
> get the aforementioned working,  but to no avail., yet this is probably due 
> to my inability more than anything else :)
>
> Leigh
> hst () iprimus com au
> Melbourne, Australia
> ----- Original Message ----- 
> From: "Jeff" <jeffduh99 () hotmail com>
> To: <honeypots () securityfocus com>
> Sent: Saturday, June 26, 2004 1:59 PM
> Subject: honeyd win32 not responding to ping
>
>
> > Hi all,
> >
> > I am attempting to run Honeyd win32 on Windows XP and am having a bit of 
> > trouble.  It appears that everything is running properly.  However, I am 
> > unable to ping the honeypot.  Here is the setup.
> >
> > create win2k
> > set win2k personality "Windows 2000 server SP2"
> > add win2k tcp port 80 "scripts/web.sh"
> > set win2k default tcp action reset
> > set win2k default udp action reset
> >
> > bind 192.168.0.2 win2k
> > set 192.168.0.2 uptime 1327650
> >
> > When I start honeyd with this command "honeyd.exe -d -f 
> > c:\tools\honeyd\honeyd.conf -l c:\tools\honeyd\log\log.txt" I get this 
> > response "listening on \Device\NPF_{C3FF3A45-AC8E-48D5-8FD7-F4186D95A5A0}: 
> > ip  and not ether src 00:e0:b8:6d:21:2d"
> >
> > When I try to ping 192.168.0.2, it does not respond.  Any ideas about 
> > where I'm going wrong?  Any help is appreciated.  Thanks,
> >
> > Jeff