[Netkit.users] Making netkit communicate with honeyd

Massimo Rimondini rimondin at dia.uniroma3.it
Fri Jun 12 12:51:24 CEST 2009


Dear Deependra,

ok, thank you for providing a more detailed configuration.

As I have already stated, my knowledge of honeyd is rather limited. However,
what I can say is that honeyd was not primarily designed to perform routing,
but rather to "trap" malicious traffic inside a controlled environment.
I'm afraid there is no really native way of letting traffic through honeyd
first and then through Netkit *in your setting*. In honeyd you can "proxy"
traffic, but even if you resorted to this option, you would still need to
look up the same routing table (i.e., Backtrack's) twice for the same
destination address (i.e., 192.168.3.1).

At present I see no way you could ping 192.168.3.1 from Backtrack, route the
packet to honeyd, tell honeyd to forward it to 192.168.3.1, receive it again
at Backtrack and route it to the Netkit VM.

As I said above, what you can do is to configure honeyd to proxy traffic
(examples can be easily found on the Internet), but in this case you would
need to contact an address different from the Netkit access router's (i.e., not
192.168.3.1).
An interesting alternative would be to prepare a honeyd service script that
takes care of forwarding traffic as required. Such a script could, for
example, exploit netcat to contact the actual Netkit VM. But, again, don't
expect to be able to let traffic through honeyd first, then through Netkit
VMs by contacting the Netkit VM directly.

Hope this helps.

Regards,
Massimo.


> -----Original Message-----
> From: netkit.users-bounces a list.dia.uniroma3.it [mailto:netkit.users-
> bounces a list.dia.uniroma3.it] On Behalf Of Deependra Singh Shekhawat
> Sent: Friday, June 12, 2009 10:52 AM
> To: Users of the Netkit Network Emulation System
> Subject: Re: [Netkit.users] Making netkit communicate with honeyd
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 06/12/2009 02:14 PM, Massimo Rimondini wrote:
> > Dear Deependra,
> >
> > I think I need some more clarification about the scenario.
> >
> >> I would like backtrack 3 to act as the media for the communication
> >> between honeyd and netkit.
> >
> > So, Backtrack should act as a router between the Netkit and honeyd
> > networks.
> >
> >> Honeyd simulates multiple routers which are connected in following way:
> >>
> >> router 1 - 10.0.0.1 (this is the entry router)
> >> router 2 - 10.1.0.1 connected to router 1
> >> router 3 - 10.2.0.1 connected to router 2
> >> router 4 - 10.3.0.1 connected to router 3
> >> router 5 - 10.4.0.1 connected to router 4
> >> router 6 - 10.5.0.1 connected to router 4
> >
> > Ok. I don't know in detail how honeyd operates, but I see that all the
> > routers are on the same subnet (10.0.0.0/8), and there are two things that
> > sound strange to me in such a setting: (1) routers usually "separate"
> > subnets and (2) to establish a chain of routers you need to equip each one
> > with at least two network interfaces. Now, this configuration may be
> > completely legal in honeyd, but I still miss the semantics.
> >
> >> Now router 5 and router connects to the first machine in netkit that is
> >> 192.168.3.1
> >
> > "and router ..."? You probably meant router 1.
> >
> >> This makes 2 possible paths to the netkit VM (192.168.3.1) via the
> >> honeyd network. Now when I ping 192.168.3.1 it should go through the
> >> honeyd network first (kind of like honeyd , entry router, acting as my
> >> default gateway) and then to the netkit VM,
> >
> > Where do you ping 192.168.3.1 from? From inside the honeyd network?
> >
> > Overall, the only thing that I can suggest at this stage is to check whether
> > there are enough static routes in your Backtrack host and in Netkit to
> > instruct them about where to send traffic directed to other subnets. Failing
> > ARP resolutions may also be a reason for the problems you are reporting.
> >
> > Regards,
> > Massimo.
> >
> >
> > _______________________________________________
> > Netkit.users mailing list
> > Netkit.users a list.dia.uniroma3.it
> > http://list.dia.uniroma3.it/mailman/listinfo/netkit.users
> >
> Hi Massimo,
> 
> I thank you very much for your quick reply and am extremely sorry for not
> providing the correct details. I just looked back at my mail and found
> I posted some incorrect details about my honeyd config; please find it
> below:
> 
> # Router/Routes Setup
> route entry 10.0.0.1
> route 10.0.0.1 link 10.64.0.0/10
> route 10.0.0.1 add net 10.128.0.0/10 10.128.0.1 latency 68ms loss 0.2
> 
> route 10.128.0.1 link 10.144.0.0/12
> route 10.128.0.1 add net 10.160.0.0/12 10.160.0.1 latency 17ms loss 0.2
> 
> route 10.160.0.1 link 10.164.0.0/14
> route 10.160.0.1 add net 10.168.0.0/14 10.168.0.1 latency 9ms loss 0.1
> 
> route 10.168.0.1 link 10.169.0.0/16
> route 10.168.0.1 add net 10.170.0.0/16 10.170.0.1 latency 99ms loss 0.1
> 
> route 10.170.0.1 link 10.170.64.0/18
> route 10.170.0.1 add net 10.170.128.0/18 10.170.128.1 latency 92ms loss 0.2
> 
> route 10.170.128.1 link 10.170.144.0/20
> route 10.170.128.1 add net 10.170.160.0/20 10.170.160.1 latency 98ms loss 0.2
> 
> route 10.170.160.1 link 10.170.164.0/22
> route 10.170.160.1 add net 10.170.168.0/22 10.170.168.1 latency 43ms loss 0.2
> 
> route 10.170.168.1 link 10.170.169.0/24
> route 10.170.168.1 add net 10.170.170.0/24 10.170.170.1 latency 2ms loss 0.1
> 
> route 10.170.170.1 link 10.170.170.64/26
> route 10.170.170.1 add net 10.170.170.128/26 10.170.170.129 latency 47ms loss 0.2
> 
> route 10.170.170.129 link 10.170.170.144/28
> route 10.170.170.129 add net 10.170.170.160/28 10.170.170.161 latency 34ms loss 0.1
> 
> route 10.0.0.1 link 10.0.0.1/32
> route 10.128.0.1 link 10.128.0.1/32
> route 10.160.0.1 link 10.160.0.1/32
> route 10.168.0.1 link 10.168.0.1/32
> route 10.170.0.1 link 10.170.0.1/32
> route 10.170.128.1 link 10.170.128.1/32
> route 10.170.160.1 link 10.170.160.1/32
> route 10.170.168.1 link 10.170.168.1/32
> route 10.170.170.1 link 10.170.170.1/32
> route 10.170.170.129 link 10.170.170.129/32
> route 10.170.170.161 link 10.170.170.161/32
> 
> 
> Now this is my honeyd config; here you see multiple networks with
> multiple routers. Before I start honeyd, I just do this:
> 
> 
> # route add -net 10.0.0.0 netmask 255.0.0.0 lo
> 
> And then I start honeyd. Now I can actually ping 10.170.170.161 and also
> do a traceroute to 10.170.170.161 and see that my packet travels through all
> the routers on the way.
> 
> NOTE: I ping / traceroute from my backtrack 3 host which has three
> interfaces
> 
> tap0
> lo
> eth0
> 
> I would like the router 10.170.170.129 to end up communicating with the
> netkit VM that is 192.168.3.1
> 
> You can't log in to honeyd routers as they are just simulated routers
> with very basic functionality.
> 
> I can ping 192.168.3.1 from Backtrack 3 because my netkit is configured
> that way, but what I would like to do is
> 
> ping 192.168.3.1 from backtrack 3, which travels through honeyd first and
> then ends up in the netkit.
> 
> This requires honeyd to be able to communicate to the netkit VM.
> 
> I hope now I have clarified my situation a bit.
> 
> Also let me know what you think about the above honeyd config. I think
> this time we don't have routers all on the same subnet, or is it that
> we are still on the same subnet? I would like to keep every router on a
> different subnet.
> 
> Thanks
> Deependra Singh Shekhawat
> - --
> RHCE/RHCSS Certificate number: 804006843818597
> Type: pub
> bits/keyID: 1024D/483B234C
> Date: 2007/06/29
> Key Server: pgp.mit.edu
> User ID: Deependra Singh Shekhawat (Fedora Project)
> <jeevanullas a gmail.com> <deepsa a fedoraproject.org>
> Key fingerprint: ED45 62EA A4D7 53FB 44C7  774A D55B F3F0 483B 234C
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> 
> iEYEARECAAYFAkoyF0UACgkQ1Vvz8Eg7I0xgvwCePxsX3+kupMSrmF2i3ve68fCW
> qSkAn1/iME6EGuC0LjAP9Qz1zmL9ZTGQ
> =r5sx
> -----END PGP SIGNATURE-----
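
An added example (not part of the original thread, and not honeyd code): a simplified Python model of the `route entry` / `link` / `add net` lines quoted above, tracing which simulated routers a destination passes through and whether any router has a directly linked network for it. The sample is the first three routers of the quoted config; `parse` and `trace` are hypothetical helper names, and the forwarding model is an assumption about how these lines are meant to be read, not honeyd's implementation.

```python
import ipaddress

# First three routers of the honeyd config quoted in this thread (excerpt).
CONFIG = """\
route entry 10.0.0.1
route 10.0.0.1 link 10.64.0.0/10
route 10.0.0.1 add net 10.128.0.0/10 10.128.0.1 latency 68ms loss 0.2
route 10.128.0.1 link 10.144.0.0/12
route 10.128.0.1 add net 10.160.0.0/12 10.160.0.1 latency 17ms loss 0.2
route 10.160.0.1 link 10.164.0.0/14
route 10.0.0.1 link 10.0.0.1/32
route 10.128.0.1 link 10.128.0.1/32
route 10.160.0.1 link 10.160.0.1/32
"""

def parse(text):
    """Return (entry router, {router: [linked nets]}, {router: [(net, gateway)]})."""
    entry, links, nets = None, {}, {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != "route":
            continue
        if tok[1] == "entry":
            entry = ipaddress.ip_address(tok[2])
        elif tok[2] == "link":              # network directly attached to router
            links.setdefault(ipaddress.ip_address(tok[1]), []).append(
                ipaddress.ip_network(tok[3]))
        elif tok[2:4] == ["add", "net"]:    # network reached via a next-hop router
            nets.setdefault(ipaddress.ip_address(tok[1]), []).append(
                (ipaddress.ip_network(tok[4]), ipaddress.ip_address(tok[5])))
    return entry, links, nets

def trace(dst, entry, links, nets):
    """Walk from the entry router; return (router path, delivered?)."""
    dst = ipaddress.ip_address(dst)
    path, router = [], entry
    while router is not None and str(router) not in path:   # stop on loops
        path.append(str(router))
        if any(dst in net for net in links.get(router, [])):
            return path, True               # a linked network covers dst
        router = next((gw for net, gw in nets.get(router, []) if dst in net), None)
    return path, False                      # no route in the topology covers dst

if __name__ == "__main__":
    topo = parse(CONFIG)
    for target in ("10.160.0.1", "192.168.3.1"):
        print(target, trace(target, *topo))
```

Under this model the Netkit address 192.168.3.1 stops at the entry router, because no `link` or `add net` line in the quoted config covers it.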