HoneyPoint: A honeypot for Windows, Linux, or Mac OS X

HoneyPoint Security Server combines multiplatform support, unique features, and limitations

Page 2 of 4

The TCP3lvl listener collects connection information and sends a banner, as well as a reply to what an attacker might type in response to the banner or header. Multiple connections from a single attacker, as determined by the connect count value, are collected into a single event for easier analysis. In the example below, an attacker connecting to port 23 will be sent a basic Cisco router banner. In addition, if the attacker responds with a username and password, he will be told that his password attempt was invalid.

[Image: 46TC-honeypots-honeypoint-tcp31v1.gif]

The Web listener allows a basic Web page and HTTP options to be sent back in reply to a connection attempt. The default Web page displayed looks like a very basic payroll system logon page. It's not very sophisticated, but probably enough to lure prying eyes. I'd recommend mimicking one of your company's real Web pages, and the Web listener is simple enough to update.

[Image: 46TC-honeypots-honeypoint-web.gif]
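The two listeners described above, as an added example that is not part of this review or of HoneyPoint itself: a minimal Python low-interaction listener with a TCP3lvl-style banner and password exchange, a Web-listener-style decoy page that records posted credentials, and the connect-count grouping of repeated connections into one event. The banner and prompt text (loosely router-like, not copied from any product), the decoy page, the event format, the function names and the default port 2323 are all assumptions of this example.

```python
"""Constructed HoneyPoint-style low-interaction listener (added example, not
HoneyPoint code). Banner, prompts, decoy page, event format and port are assumed."""
import socket
import threading
from collections import defaultdict
from urllib.parse import parse_qsl

TELNET_BANNER = b"\r\nUser Access Verification\r\n\r\nUsername: "  # router-like decoy
PASSWORD_PROMPT = b"Password: "
LOGIN_FAILED = b"\r\n% Login invalid\r\n\r\nUsername: "


def telnet_session():
    """Generator for one fake-telnet exchange: yields bytes to send, is sent each
    typed line (None on hang-up), rejects every password, returns captured pairs."""
    creds = []
    user = yield TELNET_BANNER
    while user is not None:
        password = yield PASSWORD_PROMPT
        if password is None:
            break
        creds.append((user, password))
        user = yield LOGIN_FAILED
    return creds


def drive(session, typed):
    """Replay scripted typed lines offline; returns (bytes sent, captured creds)."""
    sent, creds = [next(session)], []
    try:
        for line in typed:
            sent.append(session.send(line))
        session.send(None)  # attacker disconnects
    except StopIteration as done:
        creds = done.value
    return b"".join(sent), creds


# Assumed decoy page; the review advises mimicking one of your own pages instead.
LOGIN_PAGE = (b'<html><body><h2>Payroll System</h2>%s<form method="POST" action="/login">'
              b'User <input name="user"> Password <input name="pass" type="password"> '
              b'<input type="submit" value="Log in"></form></body></html>')


def http_response(request):
    """Answer one raw HTTP request with the decoy page; a POST has its form fields
    captured and is told the login failed. Returns (response, (user, pw) or None)."""
    head, _, body = request.partition(b"\r\n\r\n")
    creds, notice = None, b""
    if head.split(b" ", 1)[0] == b"POST":
        fields = dict(parse_qsl(body.decode("latin-1")))
        creds = (fields.get("user", ""), fields.get("pass", ""))
        notice = b"<p>Invalid user name or password.</p>"
    page = LOGIN_PAGE % notice
    headers = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
               b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(page))
    return headers + page, creds


class EventLog:
    """Fold connections from one source into a single event, like the review's
    connect-count value: a new event opens only after connect_count connections."""

    def __init__(self, connect_count=5):
        self.connect_count = connect_count
        self.events = defaultdict(list)  # (src_ip, port) -> [event, ...]

    def record(self, src_ip, port, detail):
        bucket = self.events[(src_ip, port)]
        if bucket and len(bucket[-1]) < self.connect_count:
            bucket[-1].append(detail)
        else:
            bucket.append([detail])
        return len(bucket)  # events seen so far from this source on this port


def serve_telnet(host="0.0.0.0", port=2323, connect_count=5):
    """Real listener, one thread per client. Unprivileged port by default: redirect
    port 23 to it with a firewall rule rather than running the honeypot as root."""
    log = EventLog(connect_count)
    def client(conn, src):
        session = telnet_session()
        try:
            conn.sendall(next(session))
            for raw in conn.makefile("rb"):  # one typed line at a time
                conn.sendall(session.send(raw.rstrip(b"\r\n").decode("latin-1")))
        except ConnectionError:
            pass
        finally:
            conn.close()
            try:
                session.send(None)
            except StopIteration as done:
                n = log.record(src, port, done.value)
                print(f"{src}:{port} event #{n}: {done.value}")

    with socket.create_server((host, port)) as srv:
        while True:
            conn, (src, _) = srv.accept()
            threading.Thread(target=client, args=(conn, src), daemon=True).start()
```

Calling serve_telnet() starts the fake telnet listener; drive(telnet_session(), ["admin", "cisco"]) replays a scripted attacker offline and returns exactly what would have been sent. http_response() would sit behind an equivalent accept loop for the Web listener. Keeping the protocol logic in generators and pure functions, separate from the socket code, is what makes the decoy behaviour testable without a network.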

The TCPRandom HPoint randomly sends back one or more lines from a defined list or file, reminding me of similar functionality in another honeypot program, Specter, that I have reviewed in the past. The idea is to confuse the attacker or make him think his tools or the network is malfunctioning. The PortMiner listener responds by sending a large file in order to slow the attacker or crash a malware program; it's a crude form of tarpitting. I don't really see the value of the TCPRandom listener, which would slow down an attacker only for a short while. The PortMiner listener also falls short: pushing a large file at every connection costs the honeypot at least as much bandwidth as it costs the attacker. Tarpitting should be done in a more sophisticated way -- namely, at the TCP layer, by accepting the connection and then holding it open indefinitely with a zero-size receive window, so the attacker's socket stalls while the defender spends almost nothing, the technique the LaBrea tarpit software introduced nearly a decade ago.

[Image: 46TC-honeypots-honeypoint-tcp.gif]