Honeypots mailing list archives
Commercial anti-honeypot tool
From: "KeyFocus" <support () keyfocus net>
Date: Mon, 12 Jan 2004 15:14:54 -0000
A couple of months back Bill McCarty posted a reference to Hon.eypot Hun.ter, a commercial tool to identify honeypot systems. I finally found some time to download and play with it. If the risks in running such an application have put you off, but you want to know how this tool works, then you may find the following interesting :-)

- Tom

Background
---------------

Hon.eypot Hun.ter is made by "Send Safe" which specialises in selling a serious bulk emailing package. Their bulk emailer is sold on a per usage basis. $10 per million emails may sound cheap, but given the amount of spam their customers pump out they must be making a tidy sum.

Their software contains all the latest spamming tricks such as the ability to add random words and techniques to fool AOL. However the key selling point is how it uses SOCKS servers to provide anonymity to their customers. So the emergence of honeypot SOCKS servers threatens to undermine their whole business, which is why they have come up with Hon.eypot Hun.ter.

Hon.eypot Hun.ter
-----------------------

Hon.eypot Hun.ter is a tool for testing a list of SOCKS servers. It reads a text file containing a list of IPs & ports and outputs them to three files (good, bad & honeypot) depending on the results of the test. There are plenty of such tools already available. The unique feature is the ability to identify honeypots.

Hon.eypot Hun.ter works by listening on port 25 where it runs its own emulated SMTP service. It then connects to the target SOCKS server and issues a version 4 CONNECT request back to its own IP on port 25. If the connection works then it attempts to send an email to its own SMTP server.

There are four types of Honeypot SOCKS servers based on the level of deception they provide.

Type 1 - Returns connection authorised and then records input without responding.
Hon.eypot Hun.ter marks this as bad.

Type 2 - Returns connection authorised and then relays to a honeypot SMTP server.
Hon.eypot Hun.ter marks this as bad, as it does not detect a connection back to its own port 25.

Type 3 - Returns connection authorised and connects to the target SMTP server. This enables the honeypot to grab the correct SMTP banner and other data to send back to the client. The honeypot does not allow the DATA command to be relayed and instead fakes a positive response. This is the best level of deception possible without allowing emails to be sent.
Hon.eypot Hun.ter marks this as a honeypot, as its own SMTP server does not receive all the data it is expecting.

Type 4 - Allows full SOCKS functionality but logs all traffic. No easy way to detect this, but open to abuse.
Hon.eypot Hun.ter marks this as good.

Hon.eypot Hun.ter seems to be designed to detect the Type 3 honeypots that some people have deployed.

The following is a transcript of Hon.eypot Hun.ter's test against a working SOCKS server:

Notes: The names and mail contents are random data to avoid the honeypot identifying Hon.eypot Hun.ter.

Sent to Proxy
----------------

[04 01 00 19 C0 A8 02 0A 00] - SOCKS 4 Connect: 192.168.2.10:25

HELO qgyrm.edu
MAIL FROM:<htdvqybem () qgyrm edu>
RCPT TO:<uecyiqiyf () qgyrm edu>
DATA
From: <htdvqybem () qgyrm edu>
Message-Id: <155901c3d911$7fe1ed10$5d7e0241@htdvqybem
Date: Mon, 12 Jan 2004 07:39:27 -0600
Subject: lpqyc th ruv
To: <uecyiqiyf () qgyrm edu>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

af ru v kvfl omkgkj nsscb v bb t uynecw rbmv wn xitcpppu l q ttduwxhe eb r bqkahki kb qfci
.

Reply from Proxy
----------------------

[00 5A 0F 39 C0 A8 02 09] - SOCKS 4 Request Granted
220 qgyrm.edu (IMail 8.00 153-1) NT-ESMTP Server X1
250 hello qgyrm.edu
250 ok
250 ok its for <uecyiqiyf () qgyrm edu>
354 ok, send it; end with <CRLF>.<CRLF>
250 message queued [c6e3489b79ee04eb9e74a86da9de5a9b]
