Configuring Windows networking for KFSensor
In order for KFSensor to act as a honeypot for Windows Networking it needs to listen on the standard ports
used by the Windows system. It is not possible to run KFSensor on these ports and let Windows use
them at the same time.
Windows Networking must be disabled. If KFSensor is running on a dedicated machine
it is best to disable Windows Networking completely.
If Windows Networking is required then it is still possible to run KFSensor as well if your
machine has more than one IP address. For example, you may have a LAN IP address running Windows
Networking and an ADSL IP address running KFSensor.
However, this cannot be a perfect solution, as one part of Windows Networking cannot be partially disabled in this way. This is explained below.
The following instructions are for Windows XP. Windows 2000 and 2003 are nearly identical.
NBT can be disabled or enabled for each network connection or IP address.
1. Go to the Control Panel and select Network Connections.
2. Double click on a network icon.
3. Select the Properties button on the General tab.
4. Go to the Networking tab.
5. Uncheck the following two items in the list box:
   - File and Printer Sharing for Microsoft Networks
   - Client For Microsoft Networks
6. Click on the "Internet Protocol (TCP/IP)" item and select the Properties button.
7. On the Properties sheet select the Advanced button.
8. Select the WINS tab.
9. In the "NetBIOS setting" box select "Disable NetBIOS over TCP/IP".
10. Press OK three times.
11. Repeat steps 2-10 for each network interface.
12. The NetBIOS Helper Service will record an error in the event log when it attempts to start.
    This service can be disabled in the Services window accessed from the Control Panel.
Disabling SMB Direct
SMB works in a different way to NBT.
It binds to all available IP addresses on TCP 445. There is no way of configuring it to work on some network adaptors and not others.
It is possible to leave it running while disabling NBT; however, to run KFSensor on the complete set of Windows Networking ports it must be disabled.
- From the Start menu select Run.
- Enter "regedt32" and click on OK.
- Expand the tree and select the key:
- Rename the value "TransportBindName" to "xTransportBindName"
- Exit regedt32 and re-boot the machine.
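A way to check the result after the reboot, as an added example that is not part of the KFSensor manual: it parses `netstat -an` output and lists which Windows Networking ports are still bound on the address the sensor will use. The sample output, IP addresses and function names are constructed for illustration, and the NBT port numbers (UDP 137/138, TCP 139) are the standard ones rather than values stated on this page.

```python
# Ports used by Windows Networking. TCP 445 is named on the page; the NBT
# ports are the standard NetBIOS over TCP/IP ports (assumption, not from the page).
WATCHED = {
    ("UDP", 137): "NBT name service",
    ("UDP", 138): "NBT datagram service",
    ("TCP", 139): "NBT session service",
    ("TCP", 445): "SMB direct",
}
WILDCARDS = ("0.0.0.0", "[::]")  # a socket bound to every local address

# Constructed `netstat -an` sample: NBT still enabled on a LAN address
# (192.168.1.10), disabled on the sensor address (203.0.113.5), SMB untouched.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1046      ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

def windows_networking_listeners(netstat_text):
    """Return sorted (proto, address, port, service) tuples still bound."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue  # an established session is not a listener
        addr, _, port = local.rpartition(":")
        if port.isdigit() and (proto, int(port)) in WATCHED:
            found.append((proto, addr, int(port), WATCHED[(proto, int(port))]))
    return sorted(found)

def conflicts_for(sensor_ip, netstat_text):
    """Listeners that hold a watched port on sensor_ip or on all addresses."""
    return [entry for entry in windows_networking_listeners(netstat_text)
            if entry[1] == sensor_ip or entry[1] in WILDCARDS]

if __name__ == "__main__":
    for proto, addr, port, service in conflicts_for("203.0.113.5", SAMPLE):
        print(f"{proto} {port} ({service}) is still bound on {addr}")
```

On the sample, the sensor address is clear of NBT but TCP 445 is still reported, because it is bound on 0.0.0.0.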