SCADApedia

Virtual SCADA Honeynet: Adding Realism

Lately I’ve been making some changes to our original Virtual SCADA Honeynet, specifically the target. Our target emulates a very popular PLC pretty much from head to toe. In our first release the target provided high-interaction services for HTTP, FTP, and Modbus TCP. Attackers could view the device configuration through the mocked administrative interface, transfer files via FTP, and get/set values through Modbus function code interaction.

However we needed the target to be even more realistic.

From an attacker’s point of view, scanning our first release revealed the services I mentioned above (tcp/21, tcp/80, tcp/502). However, a full scan (tcp/udp 1-65535) of the real device reveals a few more services: tcp/23, tcp/111, udp/69, udp/111, udp/161, and udp/17185. Our target also fingerprinted as a Linux network stack rather than a PLC.

I decided to grab the “lowest hanging fruit” and started with telnet (tcp/23), SNMP (udp/161), and the fingerprint/network stack obfuscation. This seemed like a great place to use honeyd. Honeyd offers low interaction for generally any service, medium interaction by triggering scripts, and stack obfuscation.

On the telnet front, Matt previously contributed to the development of a medium/low-interaction Python VxWorks telnet service (along with some other services), so I decided to use it for telnet. Next on the list was SNMP. Some quick research turned up the fake-snmp script written by the people who support the French Honeynet Project. Not much documentation was provided for the scripts, and I ran into some Perl module issues with BER.pm. The solution was to get the same BER.pm that Cacti uses for SNMP monitoring and compile/install it by hand (not via CPAN).

However, one problem remained. None of the timeticks or other dynamic values changed when I repeatedly walked the device. I understand it may be pretty difficult to get 100% of the values to change, but having none of them change, especially the timeticks, really bugged me. That is when I ran across Net-Raddle, which, like fake-snmp, is 3 or 4 years old (but with a few more docs). It provides values that change and even builds configs ready for honeyd. For the remaining services I used honeyd to make the ports appear open and to obfuscate the stack so it looks like a VxWorks network stack.

From a network perspective, honeyd needs its own IP address. So I made all of the local high-interaction services listen on localhost and removed the IP from the eth0 device. Since honeyd is now the one listening for this IP, I had to set up a static ARP entry to get the traffic there. You could also use arpd to simplify this, but for a single host I decided not to. Now when packets arrive for the target, honeyd proxies the high-interaction services to localhost, runs the scripts for the medium-interaction services, appears to have open ports for the low-interaction services, and presents a VxWorks network stack.
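The layout just described, written out as an added honeyd configuration; this is an illustration, not the post’s or the honeynet project’s own config. The target IP (192.0.2.50), the script paths, and the personality string are placeholders; the personality must match an entry in honeyd’s nmap.prints file.

```honeyd
# Added example honeyd.conf for the target described above (not from the original post).
# Placeholders: the target IP, the script paths, and the personality string.
create plc

# Stack obfuscation: answer probes like a VxWorks device instead of the Linux host.
set plc personality "VXWORKS_PERSONALITY_FROM_NMAP_PRINTS"
set plc uptime 1728650
set plc default tcp action reset
set plc default udp action reset
set plc default icmp action open

# High interaction: proxy to the real emulated services, which now listen only on localhost.
add plc tcp port 21  proxy 127.0.0.1:21
add plc tcp port 80  proxy 127.0.0.1:80
add plc tcp port 502 proxy 127.0.0.1:502

# Medium interaction: honeyd runs a script per connection, wiring the socket to its stdin/stdout.
add plc tcp port 23  "python /opt/honeyd/scripts/vxworks_telnet.py"
add plc udp port 161 "perl /opt/honeyd/scripts/net-raddle-snmp.pl"

# Low interaction: the remaining ports from the scan just look open.
add plc tcp port 111   open
add plc udp port 69    open
add plc udp port 111   open
add plc udp port 17185 open

# Give the template the address that was removed from eth0.
bind 192.0.2.50 plc
```

With the address removed from eth0 and the static ARP entry in place, `honeyd -d -i eth0 -f honeyd.conf 192.0.2.50` runs it in the foreground so you can watch connections being proxied or handed to scripts.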

Next time I will give a short review of the new test Roo distribution; the changelog looks great.
