HoneyMole

From Honeynet-PT

Secure Ethernet Bridge over TCP/IP

The main goal of this tool is to act as a completely Secure Ethernet Bridge over TCP/IP, tunneling in a transparent, safe and easy way, network traffic to a remote location without the need of any kernel patches or modules, or even the need to hide routing in the honeypots.

It can be used to easily deploy honeypot farms of distributed honeypots, transporting network traffic to a central honeypot architecture where data collection and analysis will be done. It can also be used as a very simple and efficient VPN (Virtual Private Network) for any other purposes.


The current architecture diagram of our Honeypot Farm using HoneyMole can be viewed here.


14/02/2008 - HoneyMole 2.0.2

CHANGES:

Install script bug fixes and debug log improments.

To deactivate or delete an existing client from honeymole server, just rename the configuration file extension to something else different than ".conf" or just delete the file. Then send a SIGHUP signal to the honeymole parent process in order to refresh configurations.

If you want to add a new client or change an existing one, just create a new configuration file with the extension ".conf" or change the existing file and then send the SIGHUP signal to the parent process in order to load the new configuration.

Resuming, all the active client configuration files must have the ".conf" extension.


Version 2.x presents the following major changes:

     - add/delete/reload client configuration files without stopping the other existing tunnels;
     - server can handle multiple clients;
     - server and client binaries are build separately;
     - traffic shapers, inbound and outbound;
     - log to syslogd option added;
     - setup is done in configuration files, no more parameters via command line.

Download it honeymole-2.0.2.tar.gz
MD5 checksum is 95eac85aaa88548c76056b63d945a84d


30/08/2007 - HoneyMole 1.1.2

Download it honeymole-1.1.2.tar.gz
MD5 checksum is 8a2d95f3b1361d195d30107e7c4e245c


  • Why HoneyMole development was initiated?

HoneyMole development was initiated because one main objective of The Honeynet Research Alliance tools is to keep deployment as simples and fast as possible to the general public.

The use of HoneyMole should be considered because:

- you don't need any kernel patches, something that almost all the VPN packages available need;
- you don't need almost any network knowledge to setup;
- you don't need to hide routes;
- you can redirect your network traffic to a remote location in a few minutes, from scratch, everything working in transparent mode;
- you have just one place to setup everything;
- you can handle as many clients as you want, just by doing small changes in one configuration file.


There are many ways to achieve exactly the same, of course you are free to do as you feel more comfortable and think that cover your needs.


  • What is HoneyMole's value to me?

Deploying traditional honeypots and honeynets can be a problem if you have in mind that every honeypot you deploy means more work and resources required to maintain and analyze everything it collects. In the other hand the more honeypots you deploy, the more valid information you can collect.

Honeypot Farms are one way to solve this problem. A honeypot farm is nothing more then a several honeypots located in a single location. You then place redirectors anywhere you want in the world. The redirectors are nothing more then 'virtual honeypots' that redirect traffic to the honeypot farm.

People when attacking one of those systems think they are interacting with a system (your virtual honeypot) in Portugal, United States or United Kingdom, yet in reality all of their activity is being redirected to your single collection of honeypots. The redirectors make it very easy to virtually deploy lots of honeypots all over the place, but you only have to maintain a small number of real honeypots in a single location.


As presented by Edward Balas in chapter 7 of “Know Your Enemy, 2nd Edition”, Honeypot Farms are used as a way of virtually distributing honeypots, transporting IP packets from remote locations to the physical honeypots. It aims to reduce cost, deployment time and analysis time.


Advantages of Honeypot Farms

- Honeynets can be deployed with in a very short amount of time;

- Forensic analysis can be done faster;

- Honeypot farms can be used to protect production servers (hot-zoning);

- Participant networks don’t need to configure or monitor the honeypots.


Disadvantages of Honeypot Farms

- Geographic unrelated positions cause anomalies in network latency;

- Honeypot farms use routing rather than bridge, so they are complex to configure and require good network knowledge to operate properly;

- This technology is fair new, there are no tools to help automate the configuration and operation of the infrastructures.


HoneyMole is the result of the work we have decided to embrace on simplifying the Honeypot Farm concept and the necessary traffic tunneling.

Our aim was to use bridging rather than routing for transporting the traffic from remote locations to our honeypots on the farm and at the same time to reduce all the previously identified disadvanges except the network latencey.


  • What technologies it uses?

Honeymole is developed in C using Libpcap, Libnet and OpenSSL libraries.


  • What about performance?

The performance it is fairly good. It is being used for some months in production environments without any problem. Since libpcap uses BPF (Berkeley Packet Filter), it is possible to apply filter rules on both directions in order to reduce the traffic in the tunnel to the operational needs.


  • What about security?

Honeymole authentication and encryption uses OpenSSL. Some scripts are available to generate all the necessary certificates for the CA (Certificate Authority), used in the communication between the server and client.


  • What operating systems are supported?

At the moment Honeymole works fine on Linux, OpenBSD, FreeBSD, NetBSD, Solaris and Mac OS X. Since it is based on Libpcap, Libnet and OpenSSL, it should be easy to port it to Microsoft Windows also.


You can also join our public mailing list, by subscribing it here:

https://public.honeynet.org/mailman/listinfo/honeymole

development