[Honeywall] Re: Virtual Honeynet deployment using Linux Host - honeywall 1.3 roo

Fahim Abbasi mailtofahim at gmail.com
Sat Jul 5 02:47:19 EDT 2008


Hi All,

Finally got free to re-open Pandora's box..... my virtual honeynet project :-)
I've come across a working model of a similar virtual honeynet but with
Windows as host OS. My motivation is to set it all up with Linux as host OS;
haven't been tremendously successful so far :S (possible routing issue). My
scenario is:


##################
Attacker: 192.168.2.3
gw: 192.168.2.2
##################
||
||
||
###########################################
Linux Host eth0: 192.168.2.2
-------------------VM1---------------------------------------
Honeywall eth0( bridge ) NO IP
Honeywall eth1( host-host [vmnet1] ) NO IP
Honeywall eth2( host-host [vmnet2]: 192.168.253.2 )
----------------------------------------------------------------
-------------------VM2----------------------------------------
winXP: Honeypot: 192.168.2.10
GW: 192.168.2.1
---------------------------------------------------------------
*******ifconfig on host gives**********
ifconfig
eth0    Link encap:Ethernet  HWaddr 00:02:3F:D9:87:02
          inet addr:192.168.2.2
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
          Interrupt:19 Base address:0xc800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10941 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10941 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:7753503 (7.3 MiB)  TX bytes:7753503 (7.3 MiB)

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

vmnet2    Link encap:Ethernet  HWaddr 00:50:56:C0:00:02
          inet addr:192.168.253.1  Bcast:192.168.253.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fec0:2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
************************************************************************************************
Routing table looks like:
# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.2.0     *               255.255.255.0   U         0 0          0 vmnet1
192.168.253.0   *               255.255.255.0   U         0 0          0 vmnet2



#################################################################################

My question is:

1. For testing purposes I've put the whole honeynet in a single subnet,
192.168.2.0/24. The interfaces that I have assigned an IP to are the attacker's
eth0, host eth0, vmnet1 & honeypot eth0. Using this I'm unable to ping the
attacker from the host and the host from the attacker. This seems to be the case as
Linux routes all 192.168.2.x packets to vmnet1. This is causing confusion.
Please advise.

Observations:

tcpdump on eth0 of the host shows ARP broadcasts from host to attacker; the ARP
table does get populated with the attacker's MAC address but unfortunately
the frame doesn't get forwarded there, as a result I get "Destination host
unreachable: 192.168.2.1" (which is the vmnet1 IP).

I'm using this approach to use a single IP subnet as a friend implemented a
similar project but with Windows as host OS and it's working fine. The only
deviation I see from Windows is that during VMware compilation on Linux we
have to set up bridged, host-host networking & NAT networking; Windows maybe
uses some default :S but it works!!! My understanding of vmnet1 was that it
is used just like a switch, but playing around with it, it seems to act like
a Layer 3 switch. So if we have to connect a honeypot with it then it must
be in the same subnet as the vmnet1 LAN. If this is the case then when
implementing with public IPs I've to assign a public IP to the vmnet1 interface
as well :S

The management interface is working fine, no problem whatsoever; I see
occasional netbios-dgm broadcast packets arriving on the honeywall eth1 interface
from the winXP honeypot, and logging etc. is working fine. Since I've to show this
off my laptop, I have only one eth0 interface on it, this being the reason
I opted for another host-host network, vmnet2.

My aim atm is to be able to ping the honeypot from the attacker's terminal via
the honeywall! I am able to ping host eth0 from the honeypot and vice versa.

Please advise, as now it seems I'm running out of time & I definitely don't,
DON'T want to use Windows as host OS.

Thanks, Fahim
P.S. kindly find my honeywall.conf attached for reference.
Note: ignore the Sebek part.
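As an added diagnostic (not part of Fahim's post or of the Honeywall project), the Python below parses `ifconfig` and `netstat -r` output in the format quoted above and reports any interface whose own address the kernel would route out of a different interface, which is the condition a host shows when two interfaces share one subnet but only one of them carries the route. The sample input is constructed to mirror the host described in the post.

```python
import ipaddress
import re

# Constructed sample, modelled on the ifconfig / netstat -r output quoted in the post.
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:02:3F:D9:87:02
          inet addr:192.168.2.2
vmnet1    Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
          inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
vmnet2    Link encap:Ethernet  HWaddr 00:50:56:C0:00:02
          inet addr:192.168.253.1  Bcast:192.168.253.255  Mask:255.255.255.0
"""
SAMPLE_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.2.0     *               255.255.255.0   U         0 0          0 vmnet1
192.168.253.0   *               255.255.255.0   U         0 0          0 vmnet2
"""

def parse_ifconfig(text):
    """Map interface name -> IPv4 address; a name at column 0 starts a new block."""
    addrs, name = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            name = line.split()[0]
        m = re.search(r"inet addr:(\S+)", line)
        if m and name:
            addrs[name] = m.group(1)
    return addrs

def parse_routes(text):
    """Return [(network, iface)] for the numeric rows of `netstat -r`."""
    routes = []
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 8 and re.fullmatch(r"\d+(\.\d+){3}", f[0]):
            routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}"), f[-1]))
    return routes

def egress_iface(routes, ip):
    """Longest-prefix match: the interface the kernel would send `ip` out of."""
    hits = [(n, i) for n, i in routes if ipaddress.ip_address(ip) in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def find_shadowed(ifconfig_text, route_text):
    """(iface, ip, via) for interfaces whose own subnet is routed via another interface."""
    routes = parse_routes(route_text)
    return [(iface, ip, via) for iface, ip in parse_ifconfig(ifconfig_text).items()
            if (via := egress_iface(routes, ip)) and via != iface]
```

On the sample, eth0 is reported as shadowed by vmnet1: traffic for 192.168.2.0/24 leaves on vmnet1, so hosts reached only through eth0 are unreachable until the subnets are separated or the route is corrected.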