winnie is a network scanner capable of detecting honeypot deployments using Honeyd <= 1.0. The vulnerability lies in Honeyd's IP fragment reassembly code, which does not follow RFC 791: Honeyd incorrectly omitted the IP protocol number when searching for corresponding fragments for reassembly. By constructing a fragmented TCP SYN packet with a different IP protocol number in each packet, it is possible to elicit a SYN/ACK response from addresses monitored by Honeyd, thereby exposing the honeypot deployment.

For more details, please read the technical report on the vulnerability. The Honeyd security advisory can be found here. The patch to fix the issue can be found here and is included in Honeyd >= 1.5.
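The difference between the two fragment lookups described above can be modeled in a few lines. This is an added example, not code from Honeyd or winnie: the `struct frag` layout, the function names and the sample fragments are assumptions constructed for illustration. It compares the RFC 791 match (source, destination, protocol, identification) with a match that omits the protocol, and counts fragment pairs that only the second would merge, which is the pattern a honeypot operator can alert on in captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical minimal view of an IPv4 fragment header (not Honeyd's struct). */
struct frag {
    uint32_t src, dst;  /* source and destination address */
    uint16_t id;        /* IP identification field */
    uint8_t  proto;     /* IP protocol number */
};

/* RFC 791 match: source, destination, protocol and identification. */
static int same_datagram_rfc791(const struct frag *a, const struct frag *b) {
    return a->src == b->src && a->dst == b->dst &&
           a->id == b->id && a->proto == b->proto;
}

/* Match with the protocol number omitted, as the page describes the flaw. */
static int same_datagram_no_proto(const struct frag *a, const struct frag *b) {
    return a->src == b->src && a->dst == b->dst && a->id == b->id;
}

/* Count fragment pairs that share src/dst/id but differ in protocol.
 * A compliant stack never joins these; each hit is worth an alert. */
int count_mixed_proto_pairs(const struct frag *f, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (same_datagram_no_proto(&f[i], &f[j]) &&
                !same_datagram_rfc791(&f[i], &f[j]))
                hits++;
    return hits;
}

/* Constructed sample: one mixed-protocol pair, one ordinary fragment pair. */
static const struct frag sample[] = {
    { 0x0a000001, 0x0a000002, 0x1234, 6  },
    { 0x0a000001, 0x0a000002, 0x1234, 17 },
    { 0x0a000003, 0x0a000002, 0x2222, 6  },
    { 0x0a000003, 0x0a000002, 0x2222, 6  },
};

int main(void) {
    printf("mixed-protocol fragment pairs: %d\n",
           count_mixed_proto_pairs(sample, sizeof sample / sizeof sample[0]));
    return 0;
}
```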


  • libpcap
  • libdnet


winnie can be downloaded here

Copyright © 2018 - Jon Oberheide