Honeypots
Re: nepenthes for multiple ip addresses Apr 19 2009 06:56PM
Viktor (gecko003 gmail com)
Thanks for all the answers, I have profited a lot from them! Let me
answer each reply in one mail.

Kashyap Timmaraju wrote:
> The reason you need arpd is because you have to bind the unused IP
> addresses to a MAC address, in this case it will be your MAC
> address (how else can you read those packets?), which arpd does for
> you. You will have to run arpd, so all the best with your experiment!
I have tried farpd to get all unused IPs, but since I'm in a /24 subnet,
I could only bind IPs from my subnet (I forgot to mention that I'm
e.g. 192.168.1.1/24, but I'm having traffic redirected from
192.168.0.1-192.168.255.255). It's a great package btw (thanks again Mr
Provos :))

Gergely Révay wrote:
> If there is no address translation in the routing process then you
> should have alias interfaces for those IPs which you want to listen
> on.
>
> For instance if the 192.168.1.0/24 network is redirected to your
> computer then you should use a command like this:
>
> $ for i in `seq 2 254`; do sudo ip addr add 192.168.1.$i/24 brd + dev eth0; done
>
> (or something :) )
>
> In this case when nepenthes listens on 0.0.0.0 then it means it listens
> on the alias IPs as well.
>
Unfortunately it's a bit more complex. My box gets traffic addressed to
currently unused IPs, but the IPs are changing all the time (if someone
gets one of the IPs by DHCP, then I won't get any more traffic redirected
to me), and I think it would cause network conflicts if I added all
255*255 IPs to my interface (also it's a big number :)).
> If there is address translation in the routing then those packets
> should have your IP as their destination IP and then it should work.
> If you don't know, you can check it with tcpdump.
I'm not getting traffic by NAT; all traffic is simply redirected to my
IP. But after reading your reply, I tried to NAT all traffic locally at
my computer, and it worked! I set iptables' nat table to translate the
destination IP of all packets whose destination IP wasn't mine
originally to my IP. Now nepenthes has its log incremented by
0.5MB/min :))).

The only problem is that now I've lost all information about who received the
malicious packet originally, since in the log every dest IP is mine :(. Do
you think it's possible to write a script that can delay the
packets, add the original dest IP to my interface, move the packet
(nepenthes scans it), then after a short delay remove the IP from my
interface? Or if there is any simpler solution, I'm open to all
suggestions :)

Viktor
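The three pieces of configuration discussed in this thread (Gergely's alias loop, Viktor's local DNAT of everything not addressed to his own IP, and the tcpdump check for upstream NAT), gathered into one script as an added example; it is not code from the original post or from nepenthes. The script prints the commands for review instead of running them unless told to apply. The defaults MY_IP=192.168.1.1 and DEV=eth0 are placeholders taken from the mail, and the extra LOG rule in the mangle table, which records the original destination of each new connection before nat/PREROUTING rewrites it, is this example's own suggestion for keeping the "who was targeted" information Viktor says is lost.

```shell
#!/bin/sh
# Added example (not from the thread): generate the ip/iptables commands the
# thread discusses so they can be reviewed before being applied as root.
# MY_IP, DEV and the /24 prefix are placeholder values from the mail.

MY_IP="${MY_IP:-192.168.1.1}"   # the honeypot's own address
DEV="${DEV:-eth0}"              # interface that receives the redirected traffic

# Gergely's alias approach: one 'ip addr add' per host of a /24 (hosts .2-.254).
# Usage: alias_cmds 192.168.1 eth0
alias_cmds() {
    prefix="$1"; dev="$2"
    i=2
    while [ "$i" -le 254 ]; do
        echo "ip addr add ${prefix}.${i}/24 brd + dev ${dev}"
        i=$((i + 1))
    done
}

# Viktor's local-NAT approach: rewrite the destination of every packet that
# was not addressed to us, so nepenthes bound to 0.0.0.0 sees all of it.
# The first rule is an assumption of this example: mangle/PREROUTING runs
# before nat/PREROUTING, so logging NEW connections there records the
# original destination (the address the attacker actually probed) in the
# kernel log, where it can be correlated with the nepenthes log by source
# address, port and time.
dnat_cmds() {
    my_ip="$1"; dev="$2"
    echo "iptables -t mangle -A PREROUTING -i ${dev} ! -d ${my_ip} -m conntrack --ctstate NEW -j LOG --log-prefix 'HONEY-ORIG-DST: '"
    echo "iptables -t nat -A PREROUTING -i ${dev} ! -d ${my_ip} -j DNAT --to-destination ${my_ip}"
}

# Gergely's check: if upstream NAT is in place nothing matches this filter;
# if traffic is plainly redirected, the original destinations show up.
tcpdump_check_cmd() {
    my_ip="$1"; dev="$2"
    echo "tcpdump -ni ${dev} -c 20 'not dst host ${my_ip}'"
}

if [ "$1" = "apply" ]; then
    dnat_cmds "$MY_IP" "$DEV" | sh -e      # needs root; installs the two rules
else
    echo "# dry run; pass 'apply' to install the NAT rules as root"
    dnat_cmds "$MY_IP" "$DEV"
    tcpdump_check_cmd "$MY_IP" "$DEV"
fi
```

Run it without arguments to see exactly what would be installed; the alias generator is kept as a function so a /24 can still be covered that way (`alias_cmds 192.168.1 eth0 | sh`), but for the shifting 192.168.0.0/16 case in the mail the DNAT rules are the ones that apply. The log prefix and the conntrack match are standard iptables features; the choice to log in mangle rather than nat is so that every new connection, not only the first packet the nat table sees, is recorded.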

Copyright 2010, SecurityFocus