

HoneyBOT is a Windows-based low-interaction honeypot solution.
What is a Honeypot?
A honeypot is a device placed on a computer network specifically designed to capture malicious network traffic. The
logging capability of a honeypot is far greater than any other network security tool and captures raw packet level data
even including the keystrokes and mistakes made by hackers. The captured information is highly valuable as it
contains only malicious traffic with little to no false positives.
Honeypots are becoming one of the leading security tools used to monitor the latest tricks and exploits of hackers by
recording their every move so that the security community can more quickly respond to new exploits.
How does it work?
HoneyBOT works by opening a large range of listening sockets on your computer, a selection of which are
designed to mimic vulnerable services. When an attacker connects to these services they are fooled into
thinking they are attacking a real server. The honeypot safely captures all communications with the attacker and logs
these results for future analysis. Should an attacker attempt an exploit or upload a rootkit or trojan to the server, the
honeypot environment can safely store these files on your computer for malware collection and analysis purposes.
Our test server has captured several thousand trojans and rootkits from these simulated services including:
DCOM (msblast, etc)
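The capture loop described above, reduced to one banner-and-record session per connection. This is an added example, not HoneyBOT's code: the banners, the 64 KB cap and the names `capture_session` and `listen` are assumptions made for illustration.

```python
import socket
import threading
import time

MAX_CAPTURE = 64 * 1024  # per-session cap so a peer cannot exhaust memory
# Constructed banners for illustration; not HoneyBOT's real service emulations.
BANNERS = {21: b"220 FTP service ready\r\n", 25: b"220 mail ESMTP ready\r\n"}

def capture_session(conn, peer, port, log, timeout=5.0):
    """Send the fake banner, then record what the peer sends.
    Captured bytes are only stored (hex-encoded), never parsed or executed."""
    conn.settimeout(timeout)
    data = b""
    try:
        if port in BANNERS:
            conn.sendall(BANNERS[port])
        while len(data) < MAX_CAPTURE:
            chunk = conn.recv(4096)
            if not chunk:          # peer closed the connection
                break
            data += chunk
    except OSError:                # timeout or reset: keep what arrived so far
        pass
    finally:
        conn.close()
    data = data[:MAX_CAPTURE]
    record = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
              "remote": peer, "port": port,
              "bytes": len(data), "hex": data.hex()}
    log.append(record)
    return record

def listen(port, log, host="0.0.0.0"):
    """Accept loop for one emulated port; one thread per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=capture_session, daemon=True,
                         args=(conn, addr[0], port, log)).start()

if __name__ == "__main__":
    captures = []                  # a real deployment would write to disk
    for p in BANNERS:
        threading.Thread(target=listen, args=(p, captures), daemon=True).start()
    while True:
        time.sleep(60)
```

Storing the payload hex-encoded keeps uploaded binaries inert in the log and avoids antivirus or viewer tools acting on raw content when the log is opened.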
Honeypot Placement
An organisation may place a honeypot inside their internal network, secured by their perimeter defenses, where it
should never be attacked. Any traffic captured on the honeypot in this situation would indicate that another
computer inside the network is already infected with a virus or worm, or even that a company employee is attempting
to break into the computer.
Another method is to attach the honeypot directly to the internet, which normally results in captured malicious network
traffic in minutes. A direct connection is the most basic setup for honeypot users and in this scenario the honeypot
computer is placed external to your production systems and allocated a public IP address.
The most popular choice of honeypot placement for internet users is to place the honeypot in your network DMZ,
where all unsolicited internet probes are forwarded to your honeypot computer.
Securing Your Honeypot
A honeypot is intentionally put in harm's way, so it is critical to carry out some security precautions on your honeypot
computer before deployment on any network. This includes updating your operating system with all security updates
and patches and using an updated antivirus product. You should also enable the Windows firewall with an exception
for HoneyBOT. If you are unsure how to secure your computer then don't attempt to deploy a honeypot.
HoneyBOT Installation
We suggest that you install HoneyBOT on a dedicated computer with no valuable information or resources required of
it. In fact, you want your honeypot to be as free as possible from any legitimate traffic so in broad terms we can
consider any traffic to the honeypot to be malicious in nature.
HoneyBOT requires a minimum operating system of Windows 2000, and at least 128MB RAM is recommended.
Security Tips
On this page are tips for securing your Windows HoneyBOT. These tips are not presented in any particular order
and may be optional for your individual situation.
Computer Selection
Install HoneyBOT on a dedicated system or virtual machine. A honeypot computer should not be used for any purpose
other than for monitoring the network so that in broad terms we can consider any traffic to or from the machine to be
malicious in nature. Remember that we are attracting attackers to intrude into this system so running HoneyBOT on a
production system is strongly discouraged.
You should protect your computer by updating your system with service packs and software patches.
A firewall will prevent unsolicited connections from reaching your computer. Your firewall rules will need to be relaxed
in order to allow HoneyBOT to accept incoming connections. If you have not disabled Windows services then you
should block them at the firewall.
Disable Windows Services
You should disable any Windows services that are not required for the machine to operate as they offer an attacker a
possible avenue of attack. HoneyBOT cannot listen on a port that is already in use by a Windows service. Some of the
services that you may choose to disable include: Messenger, ClipBook, COM+, FTP Publishing, SMTP, SNMP, TCP/IP
NetBIOS Helper, Telnet, WWW Publishing.
Disable SMB (CIFS)
SMB provides name resolution, network browsing and printing services over TCP/IP. To disable SMB open the
Network Connections window, right click the adapter and select Properties and uninstall Client For Microsoft Networks
and File And Printer Sharing. Note this may break browsing and sharing files on the local network.
Disable NetBIOS (NBT)
SMB services may also be provided over NetBIOS. To disable NetBIOS open the Device Manager window, select
Show Hidden Devices, expand Non-Plug And Play Drivers and disable NetBios Over Tcpip. Note this may break
browsing and sharing files on the local network.
Disable RPC
It is possible to disable RPC by modifying the registry, but removal will leave your machine unstable.
Take a Baseline
Before starting HoneyBOT take a baseline of the current listening services. In the following example the only service
enabled is RPC. Accordingly this service is being blocked at the firewall.
C:\>netstat -ano
Active Connections
Proto  Local Address  Foreign Address  State      PID
TCP    0.0.0.0:135    0.0.0.0:0        LISTENING  ((-.
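One way to put the baseline to use, as an added example rather than part of HoneyBOT: parse two saved `netstat -ano` outputs and report listeners that appeared after the baseline and are not owned by the honeypot process. The sample outputs, all PIDs and the function names are constructed for illustration, and the parser assumes English-locale output.

```python
def parse_listeners(netstat_text):
    """Return {(proto, local_addr, port): pid} for listening TCP and bound UDP sockets."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue                      # headers, blank lines, other text
        if f[0] == "TCP":
            if len(f) != 5 or f[3] != "LISTENING":
                continue                  # skip ESTABLISHED, TIME_WAIT, ...
            pid = f[4]
        else:
            pid = f[3]                    # UDP rows have no State column
        addr, _, port = f[1].rpartition(":")   # rpartition copes with [::]:445
        listeners[(f[0], addr, int(port))] = int(pid)
    return listeners

def unexpected_listeners(baseline_text, current_text, honeypot_pid):
    """Listeners that appeared since the baseline and are not owned by the honeypot."""
    base = parse_listeners(baseline_text)
    cur = parse_listeners(current_text)
    return sorted(k for k, pid in cur.items()
                  if k not in base and pid != honeypot_pid)

# Constructed sample data: baseline taken before starting the honeypot.
BASELINE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1000
"""

# Constructed later snapshot: PID 2000 stands in for the honeypot process.
CURRENT = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       2000
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1000
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    192.0.2.5:21           198.51.100.7:40112     ESTABLISHED     2000
  UDP    0.0.0.0:161            *:*                                    3000
"""

if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(BASELINE, CURRENT, 2000):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

In the constructed snapshot the check flags TCP 445 and UDP 161, which is what a host with SMB or SNMP still enabled would show.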
Remote Monitoring
If you are monitoring your honeypot via a remote desktop program then you should change the default listening port to
a random high numbered port.
Here is a preview of HoneyBOT's main display window listing connections by remote IP and destination port. You can
filter the results by selecting items from the tree on the left.

You can double click on a connection to reveal the connection details and see the packets transmitted. In this
connection the attacking computer attempted an IIS overflow exploit.