These classnotes are deprecated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes.

UNIX03/Introduction To Thp


From thp's READTHIS file:

CONCEPT
The concept is simple: listen and record. The only problem is that the badguys can't speak until after a connection comes up. So we give them one. On any port they want. Period. Upon connecting, they are presented with a greeting (I use fortune) and a root prompt. W00p! They are leet. If you prefer a silent listener (no greeting or prompt), that's cool, too. See the section xinetd.d/inetd, below. Script kiddeez are your best entertainment value!

In a nutshell:

  1. New connections to a given port are handed off to a Perl script.
  2. That Perl script builds two files: a running connection tracker, and a unique session file, into which we merely capture all data.
  3. iptables REDIRECT is used to pass all incoming connection requests, regardless of destination port, to that listener.
  4. In order for the intruder-to-be to know what port a service is listening on, they need to ask the target system's portmapper. So we fire up a portmapper, and feed it bogus mappings for every service we can.
  5. Capture, and repeat.

thp is not an extensive Honeypot. It is not as full-featured as HoneyD or LaBrea. It is very simple. But it will give you a rough idea of the potential of such a program.
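The nutshell steps above (hand each connection to a script, keep a running connection tracker, capture everything into a unique session file, optionally greet and prompt) can be demonstrated in a few dozen lines. The listener below is an added illustration written for these notes in Python; it is not thp's own Perl script, and the hostname, greeting text (standing in for fortune output), prompt string and log file names are constructed for the example. The iptables REDIRECT step from the nutshell is outside the script: it would steer traffic for other ports to whatever port this listener binds.

```python
"""thp-style listener: greet, show a fake root prompt, record everything sent."""
import socket
import socketserver
import threading
import time
from pathlib import Path

# Constructed stand-ins for the greeting (thp uses fortune) and the fake root prompt.
GREETING = b"Linux fakehost 2.4.20 #1 SMP\n\nYou have new mail.\n"
PROMPT = b"[root@fakehost root]# "


def record_session(conn, peer, logdir, silent=False, max_bytes=65536):
    """Serve one accepted connection: append it to the running connection
    tracker, optionally greet and prompt, then capture every byte the client
    sends into a unique session file. Returns the session file's Path.

    conn   -- a connected socket
    peer   -- (ip, port) of the client, as returned by accept()
    logdir -- directory receiving connections.log and the session files
    silent -- True gives the 'silent listener' variant: no greeting, no prompt
    """
    logdir = Path(logdir)
    logdir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime())
    session = logdir / f"session-{stamp}-{peer[0]}-{peer[1]}.log"

    # Running connection tracker: one line per connection, written on arrival.
    with (logdir / "connections.log").open("a") as tracker:
        tracker.write(f"{stamp} {peer[0]}:{peer[1]} -> {session.name}\n")

    conn.settimeout(30)  # idle clients are dropped rather than held forever
    captured = 0
    with session.open("wb") as out:
        try:
            if not silent:
                conn.sendall(GREETING + PROMPT)
            while captured < max_bytes:  # cap the capture so a flood cannot fill the disk
                data = conn.recv(4096)
                if not data:
                    break
                out.write(data)
                captured += len(data)
                # Re-issue the prompt after each line so the session looks like a shell.
                if not silent and data.endswith(b"\n"):
                    conn.sendall(PROMPT)
        except OSError:
            pass  # timeout, reset or broken pipe: keep what was captured so far
    conn.close()
    return session


class ThpHandler(socketserver.BaseRequestHandler):
    """socketserver glue: every new connection is handed to record_session()."""

    def handle(self):
        record_session(self.request, self.client_address,
                       self.server.logdir, silent=self.server.silent)


def start_listener(logdir, host="127.0.0.1", port=0, silent=False):
    """Start a threaded listener; returns (server, bound_port). port=0 picks a free port."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    server = socketserver.ThreadingTCPServer((host, port), ThpHandler)
    server.logdir = logdir
    server.silent = silent
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Stand-alone use: one port is bound here; an iptables REDIRECT rule would
    # send connections for every other port to it. Stop with Ctrl-C.
    srv, bound = start_listener("thp-logs", port=2222)
    print(f"thp-style listener on port {bound}; logging to thp-logs/")
    try:
        threading.Event().wait()
    except KeyboardInterrupt:
        srv.shutdown()
```

Each session file holds only what the client sent, so it is the honest record of the interaction; the tracker line maps it back to source address and time. Bind the listener to a high port as an unprivileged user and let the redirect rule do the port collapsing, rather than running the capture script itself as root.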



Last edited June 28, 2003 2:15 am (diff)
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.