Reference Manual

NAME
honeypot - The NAT32 Honeypot

DESCRIPTION
The NAT32 Honeypot consists of two threads that run on startup: one thread that listens at the standard HTTP port (80) and (optionally) another that listens at the standard HTTPS port (443).

NOTES
The honeypot threads listen at ports visible only to NAT32's own TCP/IP stack at the (default) address 1.2.3.4, thus ensuring that conflicts with Windows servers using those ports cannot occur.
Web traffic to the honeypot is analysed and responses are returned based on the type of information a Web Client is requesting. For example, if a client is requesting a Javascript file, the honeypot returns a small placeholder file called honeypot.js.
The following types (and associated files or headers) are presently implemented:
- htm: honeypot2.htm
- html: honeypot2.htm
- gif: honeypot2.gif
- jpg: honeypot2.jpg
- png: honeypot2.png
- fav: favicon.ico
- dbg: debug.js
- js: honeypot.js
- default: 404 Not Found
Web clients do DNS lookups when requesting Internet content, and it is the NAT32 DNS Resolver Daemon that intercepts those lookups and reports the honeypot address rather than the real address for undesirable sites.
This mechanism ensures that no communication with such sites ever takes place, resulting in greatly reduced traffic volumes, greatly enhanced privacy and protection from malicious content.
The DNS Resolver determines the desirability of a site by consulting black-lists, grey-lists and white-lists. Further details can be found here.
HTTPS requests to the honeypot are always blocked and the target server name is printed in the Monitor window. Prudent users will block HTTPS requests to all sites not listed in the white-list to prevent information leakage and privacy infringements. This is done by adding the wild-card entry * to the grey-list and the permitted names to the white-list.
The honeypot can also redirect requests to black-listed sites to the same URL but with an IP address substituted for the host name. This feature is called Redirect to IP and can be carried out for a name appearing in the variable 'exception' or if the URL contains the string 'redirect'.
Examples
Interestingly, if Google sites are accessed via URLs containing an IP address instead of a name, no redirection to HTTPS occurs.
    set exception google                    # Redirect all URLs containing 'google' to an IP URL
    http://www.google.com/redirect          # Redirect to an IP URL
    http://honeypot.box/exception           # View the current exception
    http://honeypot.box/exception=          # Clear the exception
    http://honeypot.box/exception=google    # Temporarily allow Google access
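The following Python sketch is an added example, not NAT32 code: it models how a request that DNS has steered to the honeypot is answered, using the type table above and the Redirect to IP rule. How the fav and dbg types are recognised, the 302 status, and the names classify, respond and real_ip are assumptions; the address 203.0.113.7 used when calling it is a constructed sample.

```python
import posixpath
from urllib.parse import urlsplit

# Type -> placeholder file, copied from the table in this manual page.
PLACEHOLDERS = {
    "htm": "honeypot2.htm", "html": "honeypot2.htm", "gif": "honeypot2.gif",
    "jpg": "honeypot2.jpg", "png": "honeypot2.png", "fav": "favicon.ico",
    "dbg": "debug.js", "js": "honeypot.js",
}
# Types that are selected purely by file extension.
BY_EXTENSION = {"htm", "html", "gif", "jpg", "png", "js"}


def classify(path):
    """Map a request path to one of the manual's type names."""
    # Ignore any query string and look only at the last path component.
    name = posixpath.basename(urlsplit(path).path).lower()
    if name == "favicon.ico":   # assumption: 'fav' means a favicon request
        return "fav"
    if name == "debug.js":      # assumption: 'dbg' means a debug.js request
        return "dbg"
    ext = name.rpartition(".")[2] if "." in name else ""
    return ext if ext in BY_EXTENSION else "default"


def respond(host, path, exception="", real_ip=None):
    """Return (status, detail) for an HTTP request that reached the honeypot.

    exception mirrors the 'exception' variable; real_ip is the site's true
    address, which this sketch expects the caller to supply (hypothetical).
    """
    url = host + path
    wants_redirect = "redirect" in url or (exception != "" and exception in host)
    if wants_redirect and real_ip:
        # Redirect to IP: same URL, host name replaced by the address.
        return 302, "http://" + real_ip + path   # 302 is an assumption
    kind = classify(path)
    if kind == "default":
        return 404, "Not Found"
    return 200, PLACEHOLDERS[kind]


if __name__ == "__main__":
    # Constructed sample requests.
    print(respond("ads.example", "/track.js?id=1"))
    print(respond("www.google.com", "/search?q=x", "google", "203.0.113.7"))
```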

SEE ALSO
As of NAT32 Build 22346, a Honeypot Port 443 daemon is no longer started in file startup.txt. In addition, command setns e5 is used to instruct the DNSRD to report NXDOMAIN for blocked names. This means that clients attempting to resolve blocked names will receive a "Name does not exist" response.
dnsmap, dnsrd, dstat, setns, setnsi, setnss, setnsx, setwns