Edit Sim Std Server - HTTP
Use the Edit Sim Std Server - HTTP dialog box to add or edit an HTTP definition.
A description of what Sim Std Servers are can be found here.
An HTTP server is another name for a web server.
Emulation Features
The HTTP Sim Server is the most complex and fully featured of all the sim servers.
It is a fully working web server that correctly emulates Microsoft's IIS web server.
Great effort has been made to return the exact response messages that IIS returns in all circumstances, to provide the
best possible emulation and reduce the chance of the visitor detecting that they are not visiting a real web server.
This sim server can be used to host a web site. A basic set of files is included with KFSensor that make the
server appear to be a default Microsoft IIS configuration. You can replace these files with your own HTML and
image files to make the honeypot more realistic.
The ability to host files is disabled completely in the High Integrity Version of KFSensor.
Microsoft IIS can be configured in many different ways.
KFSensor emulates the following restrictive IIS configuration:
| IIS Setting | Notes |
| Disable HTTP Keep-Alives | Limits the visitor to one request per connection |
| No Execute permission | Scripts and CGI cannot be executed |
| No ISAPI filters | These are extensions to IIS which have often been prone to vulnerabilities in the past |
| No directory browsing | The server will not produce an index page if a directory is requested. Index files are supported |
| No write permission | Visitors are not allowed to change the website contents |
| Default Error messages | IIS can return a custom error page for each type of error. Only default errors are emulated |
Here are some of the features KFSensor implements to provide an accurate emulation of IIS:
| Emulated Feature | Notes |
| Error messages | IIS returns different error descriptions depending on the error, even for the same response code |
| Response headers | Correct values are returned for the headers contained in the server's response. As well as the common ones, like "Content-Length", the more complex ones are also supported, such as "Content-Location", "Last-Modified", "Content-Range" and "ETag" |
| Header Order | Each web server is free to return the response headers in any order. IIS is inconsistent in the way that it orders these headers. For example, sometimes it returns "Content-Length" as the first header and sometimes as the last header. KFSensor matches these different header orders |
| If-Modified | KFSensor supports browser side caching |
| Range Requests | By using the Range header a visitor can request specified parts of a file |
| HTTP Verbs | OPTIONS, TRACE, GET, HEAD, POST are all handled correctly |
| Fragmentation | A request can be split into many packets as a way of avoiding detection by signature based IDS. KFSensor correctly handles fragmentation |
The following are some of the checks and restrictions that KFSensor implements to provide a secure emulation of IIS:
| Feature | Notes |
| Restricted Extensions | Only files with certain common extensions will be returned. For example .xls, .doc and .exe will never be returned even if they are in the web document directory |
| No CGI | KFSensor does not attempt to run an external executable or DLL |
| Buffer over-flows | Dynamic buffers are used throughout to prevent buffer overflows, and many additional checks are made |
| Unicode attacks | CodeRed-style double encoding is checked for |
| Directory walking | Tricks like /../ and /.../ are checked for |
HTTP Proxy Server
This sim server also supports HTTP proxy server requests: CONNECT and proxy URLs.
Incorrectly configured HTTP proxy servers are used by people to surf anonymously and to access other non-HTTP services.
For more information on this aspect of the server and how to configure it see the
KFSensor Proxy Server emulation section
in the KFSensor Administration Guide.
Configuration
Title
- Name
Each Sim Std Server requires a unique name, which is used to identify it.
- Description
A piece of text for notes on what the Sim Std Server aims to support
- Default Port
Most services have standard ports on which visitors expect to find them.
The default port for HTTP is 80.
This is only used as a prompt during configuration of a Listen; a Sim Std Server can be set on
any or many different ports.
- Severity
The severity level that events generated by this Sim Std Server will be given.
This can be changed or overridden as part of the Listen configuration.
Options
These settings control how this Sim Std Server responds to a visitor.
- Emulation
The real server that is emulated.
N.B. At present only the Microsoft IIS server is emulated.
- Version
A web server returns a header called "Server", as part of its response, that identifies the make and
version number of the HTTP server.
Setting this value allows you to control the value that is returned to the visitor in this header.
- Document Root
This is the path on the local machine of the web server's root directory.
Files in this directory and any sub directories will be available for visitors to download.
If this value is blank then the downloading of files will be disabled.
Take care when changing this setting as it could expose private files on your system to a visitor if not properly configured.
The path can be either relative or absolute. A relative path is considered to be relative to the KFSensor's installation directory.
e.g. "files\iis\wwwroot" will be considered "C:\Program Files\KeyFocus\KFSensor\files\iis\wwwroot".
This option is disabled in the High Integrity Version of KFSensor.
- Index Files
If a visitor requests a directory instead of a file then the server will attempt to locate a suitable index
file to be automatically returned instead of a not found error. This value contains a list of files that
should be selected as an index file. Each file name should be separated by a single space.
This option is disabled in the High Integrity Version of KFSensor.
- Require Basic Authorization
If this option is checked then the visitor will receive an Unauthorized response.
If they are using a browser they will be prompted for a user name and password. All attempts
to log on will be rejected and the sim server will not allow any files to be returned to the user.
This option is always set in the High Integrity Version of KFSensor.
- Time out
The time in seconds that the KFSensor server allows the session to continue for before closing the connection.
- Idle Time out
The time in seconds that the KFSensor server will wait for traffic on a connection before closing the connection.
- Receive limit
The maximum number of bytes that will be accepted from the visitor before the connection is closed.
- Log response lines
If set to a value greater than zero then a response will be truncated to the specified number of lines when
it is recorded in the log.
- Log response size
If set to a value greater than zero then a response will be truncated to the specified number of bytes when
it is recorded in the log.
- Log receive size
If set to a value greater than zero then received data will be truncated to the specified number of bytes when
it is recorded in the log.
Proxy emulation
See the KFSensor Proxy Server emulation section
in the KFSensor Administration Guide for more details.
Buttons
Example Attacks
The following are real life examples of attacks on an HTTP Sim Std Server.
Request:
GET /_mem_bin/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0

Response:
HTTP/1.1 404 Not Found
Content-Length: 103
Content-Type: text/html
Server: Microsoft-IIS/6.0
Date: Sat, 10 May 2003 12:00:02 GMT
Connection: close

<html><head><title>Error</title></head><body>The system cannot find the path specified.
</body></html>

Request:
GET /scripts/root.exe?/c+dir+c:\ HTTP/1.0
Host: www

Response:
HTTP/1.1 404 Not Found
Content-Length: 103
Content-Type: text/html
Server: Microsoft-IIS/6.0
Date: Sat, 10 May 2003 12:05:01 GMT
Connection: close

<html><head><title>Error</title></head><body>The system cannot find the path specified.
</body></html>

Request:
GET /_vti_bin/check.bat/..%c1%1c..%c1%1c..%c1%1cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0

Response:
HTTP/1.1 400 Bad Request
Content-Type: text/html
Server: Microsoft-IIS/6.0
Date: Sat, 10 May 2003 12:05:00 GMT
Connection: close
Content-Length: 34

<h1>Bad Request (Invalid URL)</h1>
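As an added illustration (not part of the KFSensor manual or product), the following Python script applies the checks from the restrictions table above (overlong UTF-8 decoding, double encoding, directory walking and restricted extensions) to the request lines of the three example attacks plus two constructed samples. The blocked-extension list and the %255c probe are assumptions made for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Assumed illustrative subset of the extensions never served (not KFSensor's real list).
BLOCKED_EXTENSIONS = {".exe", ".dll", ".bat", ".xls", ".doc"}
PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")

def lenient_decode(raw: bytes) -> str:
    """Decode as the lenient decoder targeted by these probes did: a 0xC0/0xC1 lead
    byte plus any following byte is taken as an overlong two-byte sequence, so
    %c0%2f becomes '/' and %c1%1c becomes '\\'. Other bytes pass through as Latin-1."""
    out, i = bytearray(), 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return out.decode("latin-1")

def analyse_request_line(line: str) -> dict:
    """Return the decoded path and the names of the checks a request line trips."""
    method, target, _version = line.split(" ", 2)
    raw_path = target.split("?", 1)[0]          # ignore the query string for path checks
    once = unquote_to_bytes(raw_path)
    findings = []
    if any(b in (0xC0, 0xC1) for b in once):
        findings.append("overlong-utf8")
    if PERCENT_ESCAPE.search(once.decode("latin-1")):
        findings.append("double-encoding")
        once = unquote_to_bytes(once)           # second pass, as a double-decoding server would do
    path = lenient_decode(once).replace("\\", "/")
    segments = path.split("/")
    if any(len(seg) >= 2 and set(seg) == {"."} for seg in segments):
        findings.append("directory-walking")    # catches /../ and /.../ alike
    _stem, dot, ext = segments[-1].rpartition(".")
    if dot and "." + ext.lower() in BLOCKED_EXTENSIONS:
        findings.append("blocked-extension")
    return {"method": method, "path": path, "findings": findings}

# The three request lines from the example attacks above, plus two constructed samples:
# a double-encoded traversal probe and a benign image request.
SAMPLE_REQUESTS = [
    r"GET /_mem_bin/..%c0%2f../..%c0%2f../..%c0%2f../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0",
    r"GET /scripts/root.exe?/c+dir+c:\ HTTP/1.0",
    r"GET /_vti_bin/check.bat/..%c1%1c..%c1%1c..%c1%1cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0",
    "GET /scripts/..%255c../default.htm HTTP/1.0",
    "GET /images/logo.gif HTTP/1.1",
]
```

Running `analyse_request_line` over `SAMPLE_REQUESTS` flags the first and third probes for overlong UTF-8, directory walking and a blocked extension, the second for the blocked extension only, the constructed probe for double encoding plus directory walking, and the image request for nothing.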