HoneyBOT

Quick Start

Follow the prompts to purchase, download and install HoneyBOT. Launch the application and then click the play button to start the server engine. When a connection occurs it will be displayed in the event list. Click the stop button to terminate any existing connections and halt the server engine.

Installing and Securing Your Honeypot

A honeypot is intentionally put in harms way so it is critical to carry out some security precautions on your honeypot computer before deployment on any network. Install HoneyBOT on a dedicated computer or virtual machine. Update the operating system with security updates and use an antivirus product. You want your honeypot to be as free as possible from legitimate traffic so in broad terms we can consider any traffic to the honeypot to be malicious in nature. Remember that we are attracting attackers to intrude into this system so precautions are important.

Network Placement

If you place HoneyBOT inside the internal network where it is secured by perimeter defences it should never to be attacked. Any malicious traffic captured in this situation would indicate that another computer inside the network is already compromised or that the perimeter defences have been breached. In this configuration HoneyBOT is acting as an intrusion detection system. If you place HoneyBOT on an external network or internet you will attract higher volumes of unsolicited network traffic. Direct internet placement is the most common setup with HoneyBOT being on the network DMZ.

Windows Services, SMB and NetBIOS

You should disable any Windows services that are not required for the machine to operate as they offer an attacker a possible avenue of attack. HoneyBOT cannot listen on a port that is already in use by a Windows service. Some of the services that you may choose to disable include Messenger, ClipBook, COM+, FTP Publishing, SMTP, SNMP, TCP/IP NetBIOS Helper, Telnet, WWW Publishing.

SMB (CIFS) provides name resolution, network browsing and printing services over TCP/IP. To disable SMB open the Network Connections window, right click the adapter and select Properties and uninstall Client For Microsoft Networks and File And Printer Sharing.

SMB services may also be provided over NetBIOS (NBT). To disable NetBIOS open the Device Manager window, select Show Hidden Devices, expand Non-Plug And Play Drivers and disable NetBios Over Tcpip.

If you are monitoring your honeypot via a remote desktop tool then you should change the default listening port to a random high numbered port.

Finally, before starting HoneyBOT take a baseline of the current listening services by opening a command shell and launching netstat with the -ano option. Any listening services that you are unable to disable need to be blocked at the firewall.

Firewall

A firewall will prevent unsolicited connections from reaching your computer. In order for HoneyBOT to communicate you need to customise your firewall rules to allow incoming connections. If you are using a software firewall you should create an exception for HoneyBOT.

HoneyBOT Options

Select Options from the View menu to configure HoneyBOT.

Automatically Start Engine: The server engine will start automatically when the application is started.
Enable Sound Alert: Plays a short sound each time an event occurs.
Capture Binaries: If this option is enabled HoneyBOT will attempt to capture malware and other files and save them to the \HoneyBOT\Captures\ folder. If this option is enabled you should add an exception in your antivirus software to exclude this folder from its scan.
Automatically Rotate Log: Each day at midnight HoneyBOT will save the current log file and start a new log file.
Server Name: The alias name of the HoneyBOT server given to the remote machine.

Email Alerts

Enter your email address and SMTP server information to receive daily email updates from HoneyBOT.

Exports

Select the Export Logs to CSV option to create a daily extract of your log file as a CSV file. Exported logs are saved in the \HoneyBOT\Logs\ folder. You can also choose to participate in the centralised log program and have your log files uploaded to the HoneyBOT website.

Syslog

Select to send connection events to a Syslog server. Enter the Syslog server IP address and port.

Bindings

Only applicable to multihomed machines. Provides support for multiple networks so HoneyBOT can bind to one or all detected networks. Enter the IP address that you want HoneyBOT to bind to. If the IP address is not valid and more than one IP address is available you will be prompted to select an address when the server engine starts.

Updates

Select to have HoneyBOT check for updates on startup. There are two update types that may occur. A service update is a minor update to the server listening services, if a service update is available you will be prompted to install the update. An application update notification will occur if a new version of HoneyBOT is available.

Services and Profiles

Select to edit the TCP and UDP services started by the HoneyBOT engine. You can add a new port, edit and disable an existing port, or delete the port configuration entirely.

By default HoneyBOT will open more listening ports than a typical computer and this may alert an attacker to its presence. You can choose to limit your honeypot exposure to just a handful of ports that more closely resembles a real operating system. By loading a profile you can quickly emulate common operation system setups like an SQL Server, IIS Server, Exchange Server, etc.

Whitelist

You may find HoneyBOT is interacting with services on your network that are legitimate and not a cause for alarm. You can whitelist the source machine by adding the IP and port to the whitelist settings. When a machine is whitelisted HoneyBOT will no longer accept connections from that machine.

Debug

The debug window will display application messages and socket events that occur during typical application operation.

Event Navigation

The event tree on the left shows the ports that have been probed and remote addresses that have connected to HoneyBOT. The event list at the top right will display all connection attempts including the attributes of the connection. The packet list at the bottom displays each packet transmitted and received between the remote machine and the HoneyBOT server. You can expand the event tree and filter the events displayed by selecting an item in the list.


About

HoneyBOT has been operating since the 2001 attack of the code red internet worm. Learn more.

Help

Get help with planning, securing and configuring your honeypot solution.

Support

If you need support you can contact the team here.