Is internet safe now? Or do I misunderstand VMware?
October 28th, 2006, 06:42 PM
I am doing a layman honeypot in VMware.
I have set up a Windows XP original in VMware (i.e. no service packs or hotfixes at all).
I am connected to the internet without a firewall or other anti-malware apps. VMware has its own IP number.
I have no router, just fiber LAN to the net.
A check at GRC.com shows ports from 0 to 1024 are closed, except 135-139 and 445, which are stealthed. 1025 and 5000 are open.
I have been online with it for three hours without anything happening.
I have read somewhere that you only have to be online for 15-30 minutes before you get infected with something.
Is that just a myth, or is it VMware that somehow prevents the worms 'n' stuff? Or maybe I am just impatient?
The only things I use to check if any activity is going on are Port Explorer and Process Explorer. Perhaps those are not enough?
October 28th, 2006, 06:50 PM
If you connect via NAT through your original machine, you will see no effect. GRC will scan your gateway. Just like with any LAN machine.
You say it has its own IP. Interesting. How did you achieve that? Your ISP lets you have multiple IPs? Do elaborate on that one.
But then, don't believe everything they tell ya (about malware).
VMware offers a solid testing environment, but it can be possibly breached.
If you want a really safe testing ground, you should use VMware in Linux. And then in it, install Windows. Or do a recursive install until you run out of memory.
Seriously though, your test has no real impact. It's effectively isolated from the net.
If you want to see how "safe" it is, browse the Internet with it: try FF, try IE, compare the results (infections and so forth). Just be careful that you keep malware from propagating to your own host.
You can also try Truman in Linux, which runs on native hardware.
And as I said, VMware in Linux running Windows guest.
October 28th, 2006, 06:51 PM
Yea, I have heard those freaky comments. Even 3 minutes somewhere. I have surfed with no firewall or security apps apart from Adblock for a few hours and never been infected. However, I didn't go to the other side, so to speak. My ports were closed.
October 28th, 2006, 06:53 PM
Maybe I wasn't clear in the first post. Check your host name when scanned in GRC. Compare with your real machine. Are they the same?
October 28th, 2006, 07:01 PM
Thanks for your reply.
Now I will probably show my ignorance, but what the heck :)
GRC said it was scanning the IP number that I got from my ISP.
I got one IP for my host machine (Windows XP Pro, fully patched) and one IP for the guest machine, I mean two real IP addresses assigned from my ISP.
Maybe I will try VMware from Linux some day, but for now I just wanted an unsecured connection to the net, but I reckon, after reading your post, I can't get that :(
But I will try to find some bad sites with my unpatched IE.
November 28th, 2006, 06:11 PM
ISPs block the ports through which a hacker or program can easily infiltrate your system and hose you down real good.
November 28th, 2006, 08:47 PM
There are two things:
1. If port 445 is closed (or "stealthed") then most worms will not be able to get to the box.
2. Many of them now specifically detect VMware and will not infect it, mainly because VMware is frequently used by malware analysts. It's harder for them to analyze the malware if it won't run.
Once you figure out the ports issue, you might look at something like http://nepenthes.mwcollect.org/, if you're just wanting to get malware.
November 28th, 2006, 09:54 PM
There's some stuff at Bugtraq about setting up honeypots, I think. There's also honeypot.org too, I suppose.
Here are some links which might help.