Low Interaction Honeypots
A low interaction Windows honeypot such as KFSensor or Specter emulates the operating systems and network services most likely to be attacked, rather than exposing real ones. Such honeypots are usually plug and play: install the software, select the operating systems and/or services to emulate, adjust the default settings as required, and the honeypot is live.
KFSensor, a popular low interaction honeypot for Windows, monitors TCP, UDP and ICMP traffic on all ports to detect attacks, and in doing so also identifies the nature of attacks on file shares and Windows administrative services. It has a rule based signature engine, to which users may add their own rules, scripts and database queries. To set it up, run the installer, accept the terms and conditions, select the drive to install to, and choose which of FTP, SMB, POP3, HTTP, Telnet, SMTP and SOCKS to emulate.
Specter, another popular low interaction honeypot for commercial Windows networks, touts ease of installation, configuration and deployment as its key strength. It uses a standard Windows installer, and launching it gives a simple GUI that guides the user through the options. Users can modify the built-in alerting function, enter the email addresses and cell phone numbers that receive real time alerts, and set the interval for “heartbeat” (regular status) emails. Specter monitors 14 TCP ports: seven traps and seven services. A trap only records the connection attempt, while a service interacts with the attacker by emulating the real protocol. Because it listens only on TCP ports, however, it cannot detect ICMP, UDP or any non-standard IP traffic.
Because a low interaction honeypot only emulates its services, an attacker who connects to it never reaches the real operating system: every response comes from the emulation, so the attacker’s activity is contained within it. Deployed inside the network, the honeypot also captures internal threats. No legitimate host has a reason to connect to it, so any connection from another internal computer indicates that the source is probing the network and may already be infected.
These advantages notwithstanding, low interaction honeypots are limited because they can only respond to what they have been scripted to emulate: an attack that relies on behaviour the emulation does not implement gets nothing more than a canned error, so in practice they identify only known threats. Moreover, a determined attacker can detect such a honeypot, for example by sending a legitimate but rarely used command and noticing that the reply is the same generic error the emulation gives to garbage. Finally, the honeypot software runs on a real host: installing it on an insecure or vulnerable operating system, one with file shares open for example, lets an attacker bypass the emulation, compromise the underlying system and use it to harm other systems.
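The mechanics described above, as an added Python example rather than code from KFSensor or Specter: table-driven service emulation on some ports (the dialogue never touches the real operating system, which is what contains the attacker), trap ports that only log the connection, a small rule-based signature engine, and an attacker-side fingerprint check that shows the weakness just discussed. Every banner, port assignment, signature rule and sample client line is constructed for illustration, and the heuristic in `looks_emulated` is a simplified stand-in for how real honeypot detection works.

```python
"""Minimal low interaction honeypot core: emulated TCP services, trap ports,
a rule-based signature engine and an attacker-side fingerprint check.
Added example, not KFSensor or Specter code; banners, ports and rules are
constructed for illustration."""
import re
import socket
import threading
from dataclasses import dataclass, field


@dataclass
class Event:
    """One logged observation: which port, which peer, what they sent."""
    port: int
    kind: str                                  # "trap" or "service"
    peer: str
    data: bytes
    tags: list = field(default_factory=list)   # signature names that matched


# Rule-based signature engine: (name, pattern over one client line). Constructed rules.
SIGNATURES = [
    ("ftp-anonymous-login", re.compile(rb"^USER\s+anonymous\b", re.I)),
    ("smtp-vrfy-enumeration", re.compile(rb"^VRFY\s", re.I)),
    ("http-path-traversal", re.compile(rb"\.\./")),
]


def classify(line: bytes) -> list:
    """Return the names of every signature the client line matches."""
    return [name for name, rx in SIGNATURES if rx.search(line)]


class EmulatedService:
    """Table-driven protocol emulation. respond() only indexes a dict: no command
    ever reaches a shell, a real daemon or the file system, which is what keeps
    the attacker contained inside the honeypot."""
    banner = b""
    canned = {}
    unknown = b""

    def respond(self, line: bytes) -> bytes:
        verb = line.strip().split(b" ", 1)[0].upper()
        return self.canned.get(verb, self.unknown)


class FakeFTP(EmulatedService):
    banner = b"220 FTP server ready.\r\n"
    canned = {b"USER": b"331 Password required.\r\n",
              b"PASS": b"530 Login incorrect.\r\n",
              b"QUIT": b"221 Goodbye.\r\n"}
    unknown = b"500 Unknown command.\r\n"


class FakeSMTP(EmulatedService):
    banner = b"220 mail.example.test ESMTP ready\r\n"
    canned = {b"HELO": b"250 mail.example.test\r\n",
              b"EHLO": b"250 mail.example.test\r\n",
              b"VRFY": b"252 Cannot VRFY user\r\n",
              b"QUIT": b"221 Bye\r\n"}
    unknown = b"500 Command unrecognized\r\n"


# Specter-style split: services hold a dialogue, traps only record the connect.
SERVICES = {21: FakeFTP(), 25: FakeSMTP()}
TRAP_PORTS = {23, 445}


class Session:
    """One client connection on one port. Pure logic (no I/O), so the socket
    loop below and an offline test drive exactly the same code."""

    def __init__(self, port: int, peer: str, log: list):
        if port not in SERVICES and port not in TRAP_PORTS:
            raise ValueError("port %d is not configured" % port)
        self.port, self.peer, self.log = port, peer, log
        self.open = True

    def start(self) -> bytes:
        """Bytes to send on connect: the banner, or nothing for a trap."""
        if self.port in TRAP_PORTS:
            self.log.append(Event(self.port, "trap", self.peer, b"", ["connect"]))
            self.open = False                  # trap: log and close, no dialogue
            return b""
        return SERVICES[self.port].banner

    def feed(self, line: bytes) -> bytes:
        """Log and classify one client line, then return the canned reply."""
        self.log.append(Event(self.port, "service", self.peer, line, classify(line)))
        if line.strip().upper().startswith(b"QUIT"):
            self.open = False
        return SERVICES[self.port].respond(line)


def looks_emulated(service: EmulatedService, rare_cmd: bytes) -> bool:
    """Attacker-side fingerprint heuristic (constructed): a real daemon answers a
    legitimate but rarely used command (FTP SYST, SMTP NOOP) differently from
    garbage; an emulation never scripted for it gives the same error to both."""
    return service.respond(rare_cmd) == service.respond(b"XYZZY\r\n")


def serve(host: str = "127.0.0.1") -> None:
    """Bind every configured port and run one thread per client (stand-alone use)."""
    log = []

    def handle(conn, addr, port):
        first = len(log)
        with conn:
            sess = Session(port, addr[0], log)
            conn.sendall(sess.start())
            buf = b""
            while sess.open:
                chunk = conn.recv(1024)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf and sess.open:
                    line, buf = buf.split(b"\n", 1)
                    conn.sendall(sess.feed(line + b"\n"))
        for event in log[first:]:
            print(event)

    def listen(port):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle, args=(conn, addr, port), daemon=True).start()

    for port in set(SERVICES) | TRAP_PORTS:
        threading.Thread(target=listen, args=(port,), daemon=True).start()
    threading.Event().wait()                   # keep the main thread alive


if __name__ == "__main__":
    serve()
```

Run it as a script and connect with a plain TCP client (for example `nc 127.0.0.1 21`): the emulated FTP port answers with its banner and canned replies, while port 23 closes immediately after logging the connect. Ports below 1024 need administrative privileges, so in a lab re-key `SERVICES` and `TRAP_PORTS` to high ports instead. `looks_emulated` is the other side of the coin: because `FakeFTP` was never scripted for `SYST`, it answers it exactly as it answers nonsense, which is the kind of inconsistency that gives a low interaction honeypot away; the only remedy is a richer emulation script per service.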