[Honeywall] Virtual Honeynet deployment using Linux Host - honeywall 1.3 roo

Faiz Ahmad Shuja faiz.shuja at gmail.com
Sat Jul 5 06:24:02 EDT 2008


Do you have a router in the network to route traffic between the virtual
networks? Why is the gateway for the interface on the host OS vmnet1? Both
should be separate networks. All the honeypots are usually connected to
vmnet1 (host-only) and configured to have external IPs (same network as host
OS eth0). Honeywall will do the bridging.


Regards,
Faiz

On Sat, Jul 5, 2008 at 12:29 PM, Fahim Abbasi <mailtofahim at gmail.com> wrote:

> Hi All,
>
> Finally got free to re-open Pandora's box..... my virtual honeynet project
> :-). I've come across a working model of a similar virtual honeynet but with
> Windows as host OS. My motivation is to set it all up with Linux as host OS;
> haven't been tremendously successful so far :S (possible routing issue). My
> scenario is:
>
>
> ##################
> Attacker: 192.168.2.3
> gw: 192.168.2.2
> ##################
> ||
> ||
> ||
> ###########################################
> Linux Host eth0: 192.168.2.2
> -------------------VM1---------------------------------------
> Honeywall eth0( bridge ) NO IP
> Honeywall eth1( host-host [vmnet1] ) NO IP
> Honeywall eth2( host-host [vmnet2]: 192.168.253.2 )
> ----------------------------------------------------------------
> -------------------VM2----------------------------------------
> winXP: Honeypot: 192.168.2.10
> GW: 192.168.2.1
> ---------------------------------------------------------------
> *******ifconfig on host gives**********
> ifconfig
> eth0    Link encap:Ethernet  HWaddr 00:02:3F:D9:87:02
>           inet addr:192.168.2.2
>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>           Interrupt:19 Base address:0xc800
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:10941 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:10941 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:7753503 (7.3 MiB)  TX bytes:7753503 (7.3 MiB)
>
> vmnet1    Link encap:Ethernet  HWaddr 00:50:56:C0:00:01
>           inet addr:192.168.2.1  Bcast:192.168.2.255  Mask:255.255.255.0
>           inet6 addr: fe80::250:56ff:fec0:1/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:23 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> vmnet2    Link encap:Ethernet  HWaddr 00:50:56:C0:00:02
>           inet addr:192.168.253.1  Bcast:192.168.253.255  Mask:255.255.255.0
>           inet6 addr: fe80::250:56ff:fec0:2/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
>
> ************************************************************************************************
> Routing table looks like:
> # netstat -r
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.2.0     *               255.255.255.0   U         0 0          0 vmnet1
> 192.168.253.0   *               255.255.255.0   U         0 0          0 vmnet2
>
>
>
>
> #################################################################################
>
> My question is:
>
> 1. For testing purposes I've put the whole honeynet in a single subnet
> 192.168.2.0/24. The interfaces that I have assigned an IP to are the attacker's
> eth0, host eth0, vmnet1, & honeypot eth0. Using this I'm unable to ping the
> attacker from the host and the host from the attacker. This seems to be the case as
> Linux routes all 192.168.2.x packets to vmnet1. This is causing confusion.
> Please advise.
>
> Observations:
>
> tcpdump on eth0 of the host shows ARP broadcasts from host to attacker; the ARP
> table does get populated with the attacker's MAC address but unfortunately
> the frame doesn't get forwarded there, as a result I get "Destination host
> unreachable: 192.168.2.1" (which is the vmnet1 IP).
>
> I'm using this approach to use a single IP subnet as a friend implemented a
> similar project but with Windows as host OS and it's working fine. The only
> deviation I see from Windows is that during VMware compilation on Linux we
> have to set up bridge, host-host networking & NAT networking; Windows maybe
> uses some default :S but it works!!! My understanding of vmnet1 was that it
> is used just like a switch, but playing around with it, it seems to act like
> a Layer 3 switch. So if we have to connect a honeypot with it then it must
> be in the same subnet as the vmnet1 LAN. If this is the case then when
> implementing with public IPs I've to assign a public IP to the vmnet1 interface
> as well :S
>
> The management interface is working fine, no problem whatsoever; I see
> occasional netbios-dgm broadcast packets arriving on the honeywall eth1 interface
> from the winXP honeypot and logging etc. working fine. Since I've to show this
> off my laptop, I have only one eth0 interface on it, this being the reason
> I opted for another host-host network vmnet2.
>
> My aim atm is to be able to ping the honeypot from the attacker's terminal via
> the honeywall! I am able to ping host eth0 from the honeypot and vice versa.
>
> Please advise as now it seems I'm running out of time & I definitely DON'T
> want to use Windows as host OS.
>
> Thanks, Fahim
> P.S. kindly find attached my honeywall.conf for reference.
> Note: ignore the Sebek part.
>
> _______________________________________________
> Honeywall mailing list
> Honeywall at public.honeynet.org
> https://public.honeynet.org/mailman/listinfo/honeywall
>
>
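Faiz's point above is that the Honeywall forwards frames at layer 2 between its bridged eth0 and the host-only vmnet1, so the host itself should never have a routable address in the honeypot subnet. The posted ifconfig/netstat output shows why pings fail: vmnet1 holds 192.168.2.1/24 and owns the only 192.168.2.0/24 route, while eth0 shows an address with no netmask and no route at all, so the kernel sends every 192.168.2.x packet into the host-only switch. The model below is an added example and not code from the post or from the Honeywall project; it reconstructs the connected routes from a list of interface addresses and applies longest-prefix matching to show which interface wins. The interface lists are constructed from the post's output; modelling eth0 as a /32 (because no mask was shown) and moving vmnet1 to 192.168.200.0/24 in the "fixed" layout are both assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

Iface = Tuple[str, str]                          # (interface name, address/prefix)
Route = Tuple[ipaddress.IPv4Network, str]        # (connected network, interface)

# Constructed from the ifconfig output in the post. eth0 is listed with an
# address but no netmask and has no entry in the posted routing table, so it
# is modelled as a /32 here (an assumption: it contributes no on-link /24).
POSTED_IFACES: List[Iface] = [
    ("eth0",   "192.168.2.2/32"),
    ("vmnet1", "192.168.2.1/24"),
    ("vmnet2", "192.168.253.1/24"),
]

# Assumed corrected layout: eth0 gets its real mask and vmnet1 is moved to a
# subnet that does not overlap the honeypot range (192.168.200.0/24 is an
# arbitrary choice). The Honeywall bridges frames between its eth0 (bridged to
# the host's eth0) and eth1 (vmnet1), so the host never needs to route them.
FIXED_IFACES: List[Iface] = [
    ("eth0",   "192.168.2.2/24"),
    ("vmnet1", "192.168.200.1/24"),
    ("vmnet2", "192.168.253.1/24"),
]


def connected_routes(ifaces: List[Iface]) -> List[Route]:
    """Derive the 'connected' routes the kernel installs for each addressed
    interface: the interface's own network, in interface order."""
    return [(ipaddress.ip_interface(cidr).network, name) for name, cidr in ifaces]


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over the connected routes. Among routes of equal
    prefix length the one listed first wins, which is how the kernel breaks
    ties between otherwise identical routes with equal metric."""
    dst_ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, name in routes:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def overlapping_interfaces(ifaces: List[Iface]) -> List[Tuple[str, str]]:
    """Return pairs of interfaces whose connected subnets overlap. Any pair here
    means the host will send traffic for the shared range out of whichever
    interface wins the lookup, which is exactly the vmnet1-vs-eth0 problem."""
    routes = connected_routes(ifaces)
    pairs = []
    for i, (net_a, if_a) in enumerate(routes):
        for net_b, if_b in routes[i + 1:]:
            if net_a.overlaps(net_b):
                pairs.append((if_a, if_b))
    return pairs


if __name__ == "__main__":
    attacker = "192.168.2.3"
    for label, ifaces in (("posted", POSTED_IFACES), ("fixed", FIXED_IFACES)):
        routes = connected_routes(ifaces)
        print(f"{label}: {attacker} -> {lookup(routes, attacker)}; "
              f"overlaps = {overlapping_interfaces(ifaces)}")
```

With the posted layout the lookup for the attacker (192.168.2.3) returns vmnet1 and the overlap check flags eth0/vmnet1; with the fixed layout it returns eth0 and reports no overlap. On the real host the equivalent checks are `ip route get 192.168.2.3` to see which interface the kernel picks, and `ip addr flush dev vmnet1` (or assigning it an unrelated private subnet) to take the host-only interface out of the honeypot range; the honeypot's gateway should then be the real upstream router, not the vmnet1 address.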