Honeypots for Windows (eBook)

Roger A. Grimes (CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CEH, TICSA, Security+, MCT) is a Windows security consultant, instructor, and author. This is Grimes' third book and he has written over a 150 articles for magazines like Windows IT Pro, Microsoft Certified Professional, InfoWorld, Network Magazine, Windows & .NET, and Security Administrator. He is a contributing editor for Windows & .NET, and InfoWorld magazines. Grimes has presented at Windows Connections, MCP TechMentors, and SANS. He was recognized as "Most Valuable Professional" (MVP) by Microsoft, for Windows Server 2003 security. Grimes also writes frequently for Microsoft, including material for two courses on advanced Windows security and Technet. He has taught security to many of the world's largest and most respected organizations, including Microsoft, VeriSign, the U.S. Navy, various universities, and public school systems. Grimes spends his time surrounded by the maddening hum of twelve 1U servers in his home office, monitoring his personal honeypots.

Contents 6
About the Author 14
About the Technical Reviewers 15
Acknowledgments 16
Introduction 17
Part One Honeypots in General 22
Chapter 1 An Introduction to Honeypots 23
What Is a Honeypot? 23
What Is a Honeynet? 25
Why Use a Honeypot? 25
Basic Honeypot Components 31
Honeypot Types 33
History of Honeypots 40
Attack Models 46
Risks of Using Honeypots 52
Summary 54
Chapter 2 A Honeypot Deployment Plan 55
Honeypot Deployment Steps 55
Honeypot Design Tenets 56
Attracting Hackers 57
Defining Goals 57
Honeypot System Network Devices 61
Honeypot System Placement 74
Summary 79
Part Two Windows Honeypots 80
Chapter 3 Windows Honeypot Modeling 81
What You Need to Know 81
Common Ports and Services 83
Computer Roles 86
Services in More Detail 90
Common Ports by Platform 101
Common Windows Applications 104
Putting It All Together 105
Summary 106
Chapter 4 Windows Honeypot Deployment 107
Decisions to Make 107
Installation Guidance 114
Hardening Microsoft Windows 118
Summary 138
Chapter 5 Honeyd Installation 139
What Is Honeyd? 139
Why Use Honeyd? 140
Honeyd Features 141
Honeyd Installation 154
Summary 167
Chapter 6 Honeyd Configuration 168
Using Honeyd Command-Line Options 168
Creating a Honeyd Runtime Batch File 169
Setting Up Honeyd Configuration Files 171
Testing Your Honeyd Configuration 182
Summary 183
Chapter 7 Honeyd Service Scripts 184
Honeyd Script Basics 184
Default Honeyd Scripts 189
Downloadable Scripts 195
Custom Scripts 197
Summary 205
Chapter 8 Other Windows-Based Honeypots 206
Back Officer Friendly 206
LaBrea 207
SPECTER 209
PatriotBox 229
Jackpot SMTP Tarpit 231
More Honeypots 236
Summary 236
Part Three Honeypot Operations 238
Chapter 9 Network Traffic Analysis 239
Why Use a Sniffer and an IDS? 239
Network Protocol Basics 243
Network Protocol Capturing Basics 255
Ethereal 256
Snort 266
Summary 284
Chapter 10 Honeypot Monitoring 285
Taking Baselines 285
Monitoring 292
Logging 300
Alerting 311
Summary 316
Chapter 11 Honeypot Data Analysis 317
Why Analyze? 317
Honeypot Analysis Investigations 318
A Structured Forensic Analysis Approach 320
Forensic Analysis in Action 341
Forensic Tool Web Sites 351
Summary 352
Chapter 12 Malware Code Analysis 353
An Overview of Code Disassembly 353
Assembly Language 355
Assembler and Disassembler Programs 365
Malicious Programming Techniques 374
Disassembly Environment 376
Disassembly Practice 376
Summary 377
Index 378