
Installing, Configuring, and Deploying BOF

BOF is the easiest honeypot, and one of the easiest Windows applications, I have ever installed and configured. You simply download the zipped package, unzip it, and double-click on the BOF icon (see Figure 6-4). Once you double-click on the bof.exe icon, the honeypot is installed and running, and its icon appears in the system tray in the lower right-hand corner of the screen. The only step remaining is to configure the honeypot.

Notice that the actual program is only 92KB, extremely small and simple. The rest of the package is HTML-based documentation, which is actually very good. To configure the honeypot, you double-click on the icon in the system tray in the lower right-hand corner. You will then get the BOF console, as you can see in Figure 6-5. This is BOF's only menu. All configuration, maintenance, logging, and alerting happens through this single interface, which makes BOF a simple solution for anyone to use.

Figure 6-5. Menu for BackOfficer Friendly. This is the only GUI to the honeypot, making configuration very simple.

Next you want to configure the honeypot. What do you want it to do? Do you want it to start automatically? Which services do you want it to listen on? Do you want it to emulate those services? You configure all of this from the Options menu on the interface, which presents the options shown in Figure 6-6.

The first option is Run at Startup. It is highly recommended that you configure BOF to start when your systems start. Remember, the honeypot cannot detect attacks if it is not running. If you are anything like me, you will forget to start BOF manually every time you reboot.

You have seven services to select from; these are the seven services BOF will listen on and detect attacks against. There is no option to create your own services or port listeners. Here are the seven services.

Back Orifice. A Windows-based Trojan released in 1998. This service is of limited value since this Trojan is not often used. Listens on port UDP 31337.

FTP. File Transfer Protocol. A cleartext protocol used to transfer files. Listens on port TCP 21. This is an extremely common service that attackers will target. You will most likely see a great deal of activity on this port.

Telnet. A cleartext protocol used to remotely administer systems. Listens on port TCP 23.

SMTP. Simple Mail Transfer Protocol. A cleartext protocol used to send and receive e-mail. Listens on port TCP 25.

HTTP. Hyper-Text Transfer Protocol. The cleartext protocol of the World Wide Web. Listens on port TCP 80. Of all the services offered by BOF, this is the service most likely to be probed or attacked. There is no option to listen on port TCP 443, the HTTPS port used for Web connections encrypted with Secure Socket Layer (SSL).

POP3. Post Office Protocol version 3. Cleartext protocol used by clients to retrieve e-mail. Listens on port TCP 110.

IMAP. Internet Message Access Protocol. Cleartext protocol used by clients to retrieve e-mail. Listens on port TCP 143.

Finally, you are given the opportunity to select the Fake Replies option. By default, BOF only listens on the selected ports and records any connections. It makes no response to emulate any of the services. BOF accomplishes this by first completing the TCP three-way handshake and then closing the connection with a RST packet, tearing it down. An attacker connecting to one of these ports therefore finds the port open but receives no banner or data from it before the connection is reset. In Figure 6-7, you see a Snort trace of a Telnet connection to a BOF honeypot (IP address 192.168.1.100) with Fake Replies disabled. Notice how the BOF honeypot first establishes a TCP connection and then closes it with a RST packet.

Figure 6-7. Snort trace of a Telnet connection to BOF honeypot with Fake Replies disabled. The last packet (highlighted) is an RST packet tearing the connection down.

However, if you select Fake Replies, BOF enables its emulation capabilities. It will not only detect connections but also attempt to respond to them. BOF emulates the services and responds as the applications would, but this capability is extremely limited. For example, with Telnet emulation the attacker can only attempt to enter a login and password. There are no banners to emulate specific operating systems, nor any specific responses you can select. The HTTP service does not emulate any particular type of Web server; it only captures the command sent by the attacker. The advantage of Fake Replies is that more information can be captured, such as the login and password the attacker tries. The disadvantage is that the attacker most likely realizes his activity has been logged: having interacted with what appears to be an application, he can assume some type of logging occurred.
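The two behaviours just described, listen-and-reset versus minimal emulation, written out as a small Python listener. This is an added example for illustration, not BOF's own code (BOF is a closed Windows binary): the banner strings, the honeypot.log file name, the 15-second idle timeout and the use of SO_LINGER to produce the RST are assumptions, and the UDP Back Orifice listener is left out. The per-connection logic in serve_client takes plain recv()/send() callables, so it can be exercised offline with constructed input as well as driven by a live socket.

```python
"""BOF-style listener, added here as an illustration; not BackOfficer Friendly's
own code.  Fake Replies off: accept, log, reset (an open port that says nothing).
Fake Replies on: send a generic prompt, record what the client types, then drop it."""
import json
import socket
import struct
import threading
from datetime import datetime, timezone

# BOF's seven services, name -> port.  Back Orifice is UDP 31337 and is left
# out of this TCP-only example; the other six are fixed TCP ports.
SERVICES = {"FTP": 21, "Telnet": 23, "SMTP": 25, "HTTP": 80, "POP3": 110, "IMAP": 143}

# Greetings for Fake Replies mode (assumed strings): vendor-free, since BOF
# imitates no particular product or operating system.
BANNERS = {
    "FTP": b"220 FTP server ready\r\n", "Telnet": b"login: ",
    "SMTP": b"220 ESMTP ready\r\n", "POP3": b"+OK ready\r\n",
    "IMAP": b"* OK IMAP4rev1 ready\r\n",
    "HTTP": b"",  # the server speaks second in HTTP: wait for the request
}


def _first_line(data):
    """First line of client input, decoded for the log (latin-1 never fails)."""
    lines = data.decode("latin-1").splitlines()
    return lines[0] if lines else ""


def serve_client(service, peer, recv, send, fake_replies):
    """One session over recv()/send() callables (socket-free, so testable); returns the log record."""
    record = {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
              "service": service, "port": SERVICES[service], "peer": peer,
              "captured": []}
    if not fake_replies:
        return record  # listen-only: read and write nothing; the caller resets
    if BANNERS[service]:
        send(BANNERS[service])
    first = recv()
    if first:
        record["captured"].append(_first_line(first))
    if service == "Telnet":
        # As in BOF, the emulation ends after one login/password pair.
        send(b"Password: ")
        second = recv()
        if second:
            record["captured"].append(_first_line(second))
    elif service == "HTTP":
        # Keep only the request line; the bare 404 names no server software.
        send(b"HTTP/1.0 404 Not Found\r\nContent-Length: 0\r\n\r\n")
    return record


def _quiet(fn, *args, default=None):
    """Call a socket method, swallowing errors and timeouts caused by the peer."""
    try:
        return fn(*args)
    except OSError:
        return default


def _reset(conn):
    """Close with SO_LINGER {on, 0 s} so the kernel sends RST rather than FIN,
    reproducing the reset seen in the Snort trace (struct layout is Linux's)."""
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()


def _listener(service, port, fake_replies, log):
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(5)
    while True:
        conn, (ip, _) = srv.accept()
        conn.settimeout(15)  # an idle attacker must not pin the thread
        recv = lambda: _quiet(conn.recv, 1024, default=b"")
        send = lambda data: _quiet(conn.sendall, data)
        log(serve_client(service, ip, recv, send, fake_replies))
        _reset(conn)


def run(fake_replies=True, logfile="honeypot.log"):
    """One thread per service; every session is appended as a JSON line."""
    lock = threading.Lock()

    def log(record):
        with lock, open(logfile, "a") as fh:
            fh.write(json.dumps(record) + "\n")

    for name, port in SERVICES.items():
        threading.Thread(target=_listener, args=(name, port, fake_replies, log),
                         daemon=True).start()
    threading.Event().wait()  # serve until killed


if __name__ == "__main__":
    run()  # binding ports below 1024 needs root/Administrator
```

Run with fake_replies=False to reproduce the accept-then-RST pattern of Figure 6-7; with it on, a Telnet client gets the login and password prompts and nothing more, which is all the emulation BOF offers.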

Once you select the options from the Options menu, they immediately take effect. There is no rebooting or any restarting of any services or emulation engines. BOF is extremely straightforward: Select what you want, and it immediately happens.

Once BOF is installed, you are ready to go. No patches or updates have been released since 1998, so you most likely do not have to worry about updating the honeypots. A disadvantage of BOF is that there is no capability to remotely manage BOF honeypots. Once installed and deployed, all management and configuration must happen locally on the system. As such, this is not an enterprise solution. BOF was not designed to be deployed throughout a large corporation. There is no centralized mechanism for configuration and maintenance; everything has to happen on the system on which it is locally installed. Its primary use is as a desktop honeypot run on individual systems, such as those of security or network administrators.