Create a simple, simulated network with the honeyd tool

A honeynet management tool called honeyd can be a useful security tool like any other honeypot, but it can be a great low-level instructional tool as well.

Each piece of software in the FreeBSD ports tree comes with a pkg-descr file that offers a summarized description of the software. Using a tool such as pkgsearch, also from FreeBSD ports, you can print the contents of that file to the console without having to type the full path or go to the file the long way. Using pkgsearch to get a description of the net/honeyd port shows this:

:~> pkgsearch -d honeyd



Honeyd is a small daemon that creates virtual hosts

on a network. The hosts can be configured to run

arbitrary services, and their TCP personality can be

adapted so that they appear to be running certain

versions of operating systems. Honeyd enables a

single host to claim multiple addresses - I have

tested up to 65536 - on a LAN for network simulation.


- Dominic <>

The honeyd tool can be used to simulate an entire network of vulnerable computers. The standard use case for honeyd is to set up a honeypot network. Wikipedia defines a honeypot, as of this writing, thusly:

In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.

On most of the major open source Unix-like systems -- including BSD Unix systems like FreeBSD and Linux-based systems such as Debian -- installing honeyd is as easy as a single short command, because it is available through the operating system's standard software management system. Configuration is, in its most basic form, not much more difficult.

Configuration for honeyd is stored in a file of your choosing. A file called honeyd.conf is the most obvious choice. A relatively easy to follow explanation of configuration and deployment is available in the form of an entry in the Ulisses Costa Blog, "Deploying Honeypots with Honeyd."

The O'Reilly book Network Security Hacks offers an overview of setup and use as well. In the second edition, the setup explanation begins on page 400; between that and the following explanation of how to record honeypot activity, the section on honeyd spans thirteen pages.

Only the most cursory, and largely useless, explanation of honeyd could be offered in an article here. You are better off reading other sources for the information. Instead, let this serve as your introduction to where to find the information and why you might want it.

The usual purpose for a honeynet (a virtual network of honeypot hosts) is to serve as either a distraction and delaying tactic for malicious security hackers, allowing network administrators additional options for protecting themselves, or as a way to collect data on the activities of malicious security hackers without being attached to a network of any other hosts. An additional possible use that may not occur to many is that of a test network for practicing beginner-level penetration testing techniques.

One of the benefits of using something like honeyd for practicing some of the basic techniques of penetration testing -- network enumeration for instance -- is that it is a lot cheaper than building an entire physical test network, and a lot simpler than building a virtual network using virtual machine technology like Virtualbox, VMWare, and Xen. Considering the licensing issues involved if you need MS Windows hosts in your test networks, the savings can be really shockingly large. Check that number above: the developer has tested honeyd simulating as many as 65,536 honeypot hosts. Doing that with actual MS Windows licenses would cost more than three million dollars with a very generous volume discount.

There are downsides to this approach to simulating penetration testing target networks as well, of course. The simulation of hosts that honeyd provides is in fact fairly rudimentary. If you want to start exploring the possibilities for rootkit installation, be prepared to move up from honeyd to something more robust.

In the end, honeyd's usefulness is whatever you make of it, but whether you want to start learning the ropes of penetration testing, set up a honeynet to delay and confuse would-be attackers, or simply perform some research, it is a tool worth knowing is available. Being open source software, it can be used without charge as well.