Configuring Windows networking for KFSensor

In order for KFSensor to act as a honeypot for Windows Networking it needs to listen to the standard ports used by the Windows system. It is not possible to run KFSensor on these ports and let Windows use them at the same time.
Windows Networking must be disabled. If KFSensor is running on a dedicated machine it is best to disable Windows Networking completely.

If Windows Networking is required then it is still possible to run KFSensor as well if your machine has more than one than one IP address. For example you may have a LAN IP address running Windows Networking and an ADSL IP address running KFSensor.
However this cannot be a perfect solution as one part of Windows Networking cannot be partialy disabled in the way. This is explained below.

Disabling NBT/SMB.

The following instructions are for Windows XP. Windows 2000 and 2003 are nearly identical.

Disable NBT

NBT can be disabled or enabled for each network connection or IP address.

  1. Go to the Control Panel and select Network Connections.
  2. Double click on a network icon.
  3. Select the Properties button on the General tab.
  4. Go to the Networking tab.
  5. Uncheck the following two items in the list box.
    File and Printer Sharing for Microsoft Networks

  6. Client For Microsoft Networks
  7. Click on the "Internet Protocol (TCP/IP)" item and select the Properties button.
  8. On the Properties sheet select the Advanced button.
  9. Select the WINS tab.
  10. In the "NetBIOS setting" box select "Disable NetBIOS over TCP/IP".
  11. Press OK three times.
  12. Repeat steps 2-10 for each network interface.
  13. The NetBIOS Helper Service will record an error in the event log when it attempts to start. This service can be disabled in the Services windows accessed from the Control Panel.

Disabling SMD Direct

SMD works in a different way to NBT.
It binds to all available IP addresses on TCP 445. There is no way of configuring it to work on some network adaptors and not others.
It is possible to leave it running while disabling NBT, however to run KFSensor on the complete set of Windows Networking port it must be disabled.
  1. From the Start menu select Run.
  2. Enter "regedt32" and click on OK.
  3. Expand the tree and select the key:
  4. Rename the value "TransportBindName" to "xTransportBindName"
  5. Exit regedt32 and re-boot the machine.

Next: KFSensor Windows networking emulation

Related Topics

KFSensor On-Line Manual Contents