Honeyd Remote Fingerprinting

Wednesday, February 15, 2006

Honeyd is a low-interaction honeypot developed by Niels Provos designed to emulate services and personalities of virtual hosts and networks. As honeypot deployments must remain undetected to maintain their value, the ability of an attacker to effectively and remotely fingerprint Honeyd is a serious issue.

IP Fragment Reassembly

According to the Internet Protocol specification (RFC 791), a correct IP stack implementation must identify corresponding fragments by matching the source address, destination address, identification number, and protocol number. However, Honeyd does not correctly follow RFC 791 and omits the protocol number when matching corresponding fragments for reassembly. The following code snippet is from Honeyd's ipfrag.c:

#define DIFF(a,b) do {
    if ((a) < (b)) return -1;
    if ((a) > (b)) return 1;
} while (0)

fragcompare(struct fragment *a, struct fragment *b)
    DIFF(a->ip_src, b->ip_src);
    DIFF(a->ip_dst, b->ip_dst);
    DIFF(a->ip_id, b->ip_id);

    return (0);

This omission results in Honeyd reassembling fragments that have a matching source address, destination address, and identification number, but a differing value in the protocol field. This flaw does not normally create a problem in the behavior or functionality of the honeypot, as it is extremely unlikely that a host with a modern network stack would send IP packet fragments where only three of the four fields would match. However, it is trivial to craft customized packet fragments which will trigger this bug and result in packet reassembly occurring where it should not.

Fingerprinting Technique

One way to expose this flaw is to split a TCP SYN packet into several fragments and set the protocol field of the IP header of one of the fragments to some protocol other than TCP. A stack that correctly implements IP reassembly will drop these fragments, as it will not group the fragment with the differing protocol number with the others. Honeyd, on the other hand, will receive these fragments and reassemble them into a complete TCP SYN packet. It will then respond to the sender with a SYN/ACK.

An attacker can send out these fragments to a large number of hosts and simply listen for any SYN/ACK responses. Since this reassembly flaw does not exist in common operating system IP stacks, the attacker can be fairly certain that responding hosts are indeed Honeyd-based honeypots. A simple proof of concept scanner called winnie is available.

The patch to fix the issue can be found here and is included in Honey >= 1.5.

Copyright © 2021 - Jon Oberheide