Honeypots: Re: High interaction Windows Honeypot
From: George Bakos <gbakos_at_ists.dartmouth.edu>
Date: Thu, 11 Aug 2005 12:52:49 -0400

We've been fielding Windows pots on Qemu, rather than VMWare for some
time now, saving a ton of gelt and having source to bang on as well.
Just stay away from the kqemu accelerator module for security reasons.

You may find that sebek won't work with qemu/bochs because of the old
NDIS drivers needed for the emulated realtek interface, but that
should be fixed in the new sebek.

Get with me off-list if you want implementation details. We haven't
written anything formal up yet.

g

On Mon, 8 Aug 2005 21:39:57 -0500
"Michael A. Davis" <mike_at_datanerds.net> wrote:

> Yes, I am. It is pretty much finished. The problem is the new 3.0
> integration (i.e. roo) it is all the other features. Also, there are some
> licensing questions that I am currently investigating before releasing it.
>
> Thanks,
> Michael A. Davis
> Chief Executive Officer
> Savid Technologies, Inc.
> Main: 708.243.2850
> http://www.savidtech.com
>
> This email may contain confidential and privileged information for the sole
> use of the intended recipient. Any review or distribution by others is
> strictly prohibited. If you are not the intended recipient, please contact
> the sender and delete all copies of this message.
>
> > -----Original Message-----
> > From: Stejerean, Cosmin [mailto:cosmin_at_cti.depaul.edu]
> > Sent: Monday, August 08, 2005 11:49 AM
> > To: Thorsten Holz; honeypots_at_securityfocus.com
> > Subject: RE: High interaction Windows Honeypot
> >
> > Is anyone working on a Sebek3 program for Windows?
> >
> > Cosmin
> >
> > -----Original Message-----
> > From: Thorsten Holz [mailto:thorsten.holz_at_mmweg.rwth-aachen.de]
> > Sent: Monday, August 08, 2005 11:07 AM
> > To: honeypots_at_securityfocus.com
> > Subject: Re: High interaction Windows Honeypot
> >
> > Ahmed Ameen wrote:
> > > Hello All,
> > > I am currently planning for my CS thesis which I decided to do on
> > > Windows Honeypots. I was wondering if anyone has experience on
> > > building a high interaction honeypot using a windows
> > environment and
> > > VMware.
> >
> > Some experience from me and the German Honeynet Project:
> >
> > * For the Honeywall, the easiest way to set up is the
> > Honeywall CDROM Roo (http://www.honeynet.org/tools/cdrom/).
> > This is Linux-based, but that should be no big problem. Just
> > boot a computer with three interfaces (two also works, but
> > for management a dedicated interface is best) and within 20
> > minutes you are done. Customization is very easy and the
> > web-interface allows you to monitor what's going on. If you
> > really need it, you can also install the Honeywall "by Hand",
> > but that's rather time-consuming...
> >
> > * Unfortunately, no Sebek version 3.x exists for Windows yet.
> > It is in development, but not ready up to now. So you have to
> > use Sebek version 2.x
> > (http://www.honeynet.org/tools/sebek/2/sebek-win32-2.1.5.zip).
> > Just install Windows and you are basically done. If you
> > don't apply some patches, a default installation of Windows
> > will be compromised by a bot in an automated way within
> > several minutes...
> >
> > * If you want to set up a virtual honeynet, just follow the
> > steps outlined in the paper "Virtual Honeynet: Deploying
> > Honeywall using VMware"
> > (http://www.honeynet.org.pk/honeywall/) written by the
> > Pakistan Honeynet Project.
> >
> > Cheers,
> > Thorsten
> >
> >
> > --
> > No virus found in this incoming message.
> > Checked by AVG Anti-Virus.
> > Version: 7.0.338 / Virus Database: 267.10.2/65 - Release
> > Date: 8/7/2005
> >
> >
>

-- 
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos_at_ists.dartmouth.edu
603.646.0665 -voice
603.646.0666 -fax
pub  1024D/081ECB85 1999-04-09 George Bakos <gbakos_at_ists.dartmouth.edu>
Key fingerprint = D646 8F91 F795 27EC FF8B  8C95 B102 9EB2 081E CB85
Received on Aug 11 2005