Not binding to specified MAC address #92
Comments
I should point out, I am not using farpd.
Hi there, I've the same trouble... I've tried with DataSoft version and the last from Debian squeeze repos for testing purposes, it doesn't change anything...
My logical network architecture (very simplified) looks like this:
My configuration file (i.e. /etc/honeypot/honeyd.conf):
honeyd daemon configuration file (i.e. /etc/default/farpd):
farpd daemon configuration file (i.e. /etc/default/honeyd):
Log:
As you can see, the arp reply doesn't match the configuration file. Otherwise, maybe you know how to fix the last printed error? PS: It seems to be the same problem as in this post.
It looks like honeyd is only using the vendor octets for MAC generation (the first three), if I had to guess. It's probably just something related to first time node generation, it's been long enough since I've looked at it that I can't be sure though. It could be that it has the right address in memory and then randomizes it when it's provisioning the node, which would be a bug. I would shoot the Nova support guys an email saying that honeyd is doing this and see what they say. Otherwise it's time to dive deep into honeyd.c and see where it would be happening. I imagine it's just an operation ordering issue. On Feb 16, 2016, 06:54, at 06:54, Baptiste MOINE [email protected] wrote:
Any update on this?
Hello,
After some punching around, I managed to get "honeyd" mostly working the way that I want. One thing that I have noticed is that I am unable to "set" the MAC address as per the documentation. For example, my configuration looks like this:
----
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
set windows ethernet "00:1a:e2:bc:a0:01"
bind 10.55.5.200 windows
----
I can ping 10.55.5.200 and nmap it just fine. However, it appears to not be using the specified MAC address of "00:1a:e2:bc:a0:01". Below is the output.
From the workstation I am pinging from:
----
root@ubuntu:~# ping 10.55.5.200
PING 10.55.5.200 (10.55.5.200) 56(84) bytes of data.
64 bytes from 10.55.5.200: icmp_seq=1 ttl=128 time=20.1 ms
64 bytes from 10.55.5.200: icmp_seq=2 ttl=128 time=10.3 ms
----
From the Honeyd -d output:
----
honeyd[7531]: started with -P -d -f /etc/honeyd/champ.conf
honeyd[7531]: listening promiscuously on ens3: (arp or ip proto 47 or (udp and src port 67 and dst port 68) or (ip )) and not ether src 00:e0:4c:12:7e:93
honeyd[7531]: switching to polling mode
honeyd[7531]: Demoting process privileges to uid 65534, gid 65534
honeyd[7531]: Sending ICMP Echo Reply: 10.55.5.200 -> 10.55.5.250
honeyd[7531]: arp_send: who-has 10.55.5.250 tell 10.55.5.200
honeyd[7531]: arp_recv_cb: 10.55.5.250 at 00:e0:4c:12:7e:92
honeyd[7531]: Sending ICMP Echo Reply: 10.55.5.200 -> 10.55.5.250
honeyd[7531]: arp reply 10.55.5.200 is-at 00:1a:e2:be:cc:99
----
(Note the last line).
From the arp table of the "pinging" machine:
10.55.5.200 ether 00:1a:e2:be:cc:99 C eth0
The MAC is successful with "00:1a:e2:be:cc:99", but I would expect this to be "00:1a:e2:bc:a0:01" as per my template.
Is there any reason it's only using "part" of my specified MAC address?
Hopefully this makes sense. Thank you.
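
A check for the symptom reported in this issue, as an added example that is not part of the original thread or of honeyd's code: it reads the `set ... ethernet` and `bind` lines from a honeyd configuration and compares them with the `arp reply ... is-at` lines of `honeyd -d` output. The sample config and log lines are the ones quoted in the report; the function names and verdict labels are assumptions made for this example.

```python
import re

# Sample inputs taken from the configuration and `honeyd -d` output quoted in the report.
CONFIG = '''\
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows ethernet "00:1a:e2:bc:a0:01"
bind 10.55.5.200 windows
'''
LOG = '''\
honeyd[7531]: arp_recv_cb: 10.55.5.250 at 00:e0:4c:12:7e:92
honeyd[7531]: arp reply 10.55.5.200 is-at 00:1a:e2:be:cc:99
'''

MAC = r'(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}'
SET_ETHER = re.compile(r'^\s*set\s+(\S+)\s+ethernet\s+"(' + MAC + r')"', re.M)
BIND = re.compile(r'^\s*bind\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)', re.M)
ARP_REPLY = re.compile(r'arp reply (\S+) is-at (' + MAC + r')')

def expected_macs(config):
    """Map each bound IP to the MAC its template sets with `set <tmpl> ethernet`."""
    macs = {tmpl: mac.lower() for tmpl, mac in SET_ETHER.findall(config)}
    return {ip: macs[tmpl] for ip, tmpl in BIND.findall(config) if tmpl in macs}

def check(config, log):
    """Return (ip, expected, observed, verdict) for every ARP reply honeyd logged."""
    expected = expected_macs(config)
    results = []
    for ip, seen in ARP_REPLY.findall(log):
        want = expected.get(ip)
        seen = seen.lower()
        if want is None:
            verdict = "no-configured-mac"   # IP bound to a template without a MAC
        elif seen == want:
            verdict = "match"
        elif seen[:8] == want[:8]:
            verdict = "oui-only"            # vendor octets kept, last three differ
        else:
            verdict = "mismatch"
        results.append((ip, want, seen, verdict))
    return results

if __name__ == "__main__":
    for row in check(CONFIG, LOG):
        print(*row)
```

An `oui-only` verdict is the behaviour described in this issue: the first three octets follow the template, the rest do not.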