Reference Manual


honeypot - The NAT32 Honeypot


The NAT32 Honeypot consists of two threads that run on startup: one thread that listens at the standard HTTP port (80) and (optionally) another that listens at the standard HTTPS port (443).
The honeypot threads listen at ports visible only to NAT32's own TCP/IP stack at the (default) address, thus ensuring that conflicts with Windows servers using those ports cannot occur.

Web traffic to the honeypot is analysed and responses are returned based on the type of information a Web client is requesting. For example, if a client is requesting a JavaScript file, the honeypot returns a small placeholder file called honeypot.js.

The following types (and associated files or headers) are presently implemented:

Web clients do DNS lookups when requesting Internet content, and it is the NAT32 DNS Resolver Daemon that intercepts those lookups and reports the honeypot address rather than the real address for undesirable sites.

This mechanism ensures that no communication with such sites ever takes place, resulting in greatly reduced traffic volumes, greatly enhanced privacy and protection from malicious content.

The DNS Resolver determines the desirability of a site by consulting black-lists, grey-lists and white-lists. Further details can be found here.

HTTPS requests to the honeypot are always blocked and the target server name is printed in the Monitor window. Prudent users will block HTTPS requests to all sites not listed in the white-list to prevent information leakage and privacy infringements. This is done by adding the wild-card entry * to the grey-list and the permitted names to the white-list.

The honeypot can also redirect requests to black-listed sites to the same URL but with an IP address substituted for the host name. This feature is called Redirect to IP and can be carried out for a name appearing in the variable 'exception' or if the URL contains the string 'redirect'.


set exception google                 # Redirect all URLs containing 'google' to an IP URL
                                     # Redirect to an IP URL
                                     # View the current exception
                                     # Clear the exception
                                     # Temporarily allow Google access

Interestingly, if Google sites are accessed via URLs containing an IP address instead of a name, no redirection to HTTPS occurs.
As of NAT32 Build 22346, a Honeypot Port 443 daemon is no longer started in file startup.txt. In addition, command setns e5 is used to instruct the DNSRD to report NXDOMAIN for blocked names. This means that clients attempting to resolve blocked names will receive a "Name does not exist" response.
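
The decisions described on this page, modelled as an added Python sketch (not NAT32 code): the DNS answer for a black-listed name in both the honeypot-address and NXDOMAIN modes, and the honeypot's choice between Redirect to IP and a placeholder file. The addresses, list contents, status codes, placeholder body and fallback response are assumptions made for illustration; grey-lists and white-lists are left out.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample data; none of these values come from NAT32.
HONEYPOT_ADDR = "192.0.2.1"                      # placeholder honeypot address
BLACKLIST = {"www.google.com", "ads.example.net"}
REAL_ADDRS = {"www.google.com": "203.0.113.10"}  # stand-in for a real lookup


def dns_answer(name, nxdomain_mode=False):
    """What the resolver model reports for a lookup (black-list only)."""
    name = name.lower().rstrip(".")
    if name not in BLACKLIST:
        return "forward"                         # resolved normally
    return "NXDOMAIN" if nxdomain_mode else HONEYPOT_ADDR


def honeypot_response(url, exception=""):
    """(status, headers, body) the honeypot model returns for an HTTP request."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    lowered = url.lower()
    wants_ip = bool(exception and exception.lower() in lowered) or "redirect" in lowered
    real = REAL_ADDRS.get(host)
    if wants_ip and real:
        # Redirect to IP: same URL, host name replaced by the address.
        netloc = real if parts.port is None else f"{real}:{parts.port}"
        target = urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))
        return 302, {"Location": target}, b""    # status code is an assumption
    if parts.path.lower().endswith(".js"):
        # Placeholder for script requests (body is constructed, not the real file).
        return 200, {"Content-Type": "application/javascript"}, b"/* honeypot.js */"
    return 204, {}, b""                          # assumed fallback for other types


if __name__ == "__main__":
    print(dns_answer("www.google.com"), dns_answer("www.google.com", True))
    print(honeypot_response("http://www.google.com/search?q=x", exception="google"))
    print(honeypot_response("http://ads.example.net/track.js"))
```
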
dnsmap, dnsrd, dstat, setns, setnsi, setnss, setnsx, setwns