Honeypots mailing list archives

RE: Building an Honeypot using VMWare


From: Dennis Rand <DER () cowi dk>
Date: Tue, 5 Nov 2002 08:01:13 +0100

I'm currently running a Honeypot on a VMWare platform with Windows 2000 Pro as
the host system, and the VMWare installation is a Windows 2000 Server with IIS,
but there is nothing that shows that this is a VMWare system.

http://warlab.infowarfare.dk for the main site

The Host system is running with firewall protection and NAV and Ethereal 



-----Original Message-----
From: Bruno MAC Castro [mailto:bcastro () dei uc pt] 
Sent: Monday, November 04, 2002 6:31 PM
To: 'Bill McCarty'
Cc: honeypots () securityfocus com
Subject: RE: Building an Honeypot using VMWare



Thanks Bill,

I agree with you in everything... But it would improve the concept of a
Honeypot if the trace of a virtual machine (VMWare) were hard (or
impossible) to find. My goal is to reach a stage where there is no visible
VMWare process in my honeypot. I also know that it is almost impossible to
reach it, but we need high goals to keep us working... right? ;-)

For a start, I would be happy with a solution (maybe a tool) that hides or
"camouflages" the VMWare process from the OS Process List.

Any ideas?
Regards
Bruno
______________________________________
Bruno Miguel Abrantes de Campos e Castro
Mail To:
bcastro () portugalmail pt
bcastro () dei uc pt
______________________________________

-----Original Message-----
From: Bill McCarty [mailto:bmccarty () apu edu] 
Sent: Monday, 4 November 2002 16:32
To: bcastro () dei uc pt; honeypots () securityfocus com
Subject: Re: Building an Honeypot using VMWare

Hi Bruno and all,

--On Monday, November 04, 2002 3:58 PM +0000 Bruno MAC Castro 
<bcastro () dei uc pt> wrote:

4. It would be important to hide the VMWare process on the Guest. I need
a tool (or a solution) to cover or hide the VMWare process in both
systems. Ideas?

There are several other ways for an attacker to determine that the 
compromised host is a virtual host. For example, a virtual machine's 
virtual network adapters have distinctive MAC addresses. Similarly, the 
BIOS string and information from emulated PCI probes can give away the game.

On the other hand, worms and script kiddies won't care much -- or possibly
even notice -- that they've compromised a virtual machine. Yes, a skilled
blackhat might notice and care. But concealing the virtual nature of a
honeypot from that species is probably beyond the state of the art --
possibly a good topic for a master's thesis in itself <grin>.

Cheers,

---------------------------------------------------
Bill McCarty
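Bill's point above is that even with the VMWare process hidden, the guest still leaks its nature through the virtual NIC's MAC address and through BIOS and emulated-PCI strings. The script below is an added example, not code from any participant in this thread, showing how little an attacker needs to fingerprint a VMWare guest from that kind of inventory. The OUI prefixes are the ones registered to VMware, Inc. (00:05:69, 00:0C:29, 00:1C:14, 00:50:56); the string markers and the two inventory samples are constructed for the example and are not real captures.

```python
"""Fingerprint a suspected VMWare guest from its MAC addresses and hardware strings."""
import re

# MAC OUI prefixes (first three octets) assigned to VMware, Inc.
# Any adapter in this range was almost certainly created by VMWare.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Case-insensitive markers typical of VMWare's virtual BIOS/SMBIOS tables and
# of the PCI devices it emulates. This marker list is the example's own choice.
VMWARE_STRING_MARKERS = (
    "vmware",            # "VMware, Inc.", "VMware Virtual Platform", "VMware SVGA II"
    "virtual platform",
    "amd pcnet",         # the PCnet NIC VMWare emulated for Windows 2000 guests
)

# Matches 00:0c:29:3a:7f:12 or the Windows ipconfig form 00-0C-29-3A-7F-12.
MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5})\b")


def normalize_mac(mac):
    """Lower-case, colon-separated form so OUI lookups are exact."""
    return mac.lower().replace("-", ":")


def vmware_macs(inventory):
    """Return every MAC address in the text whose OUI belongs to VMware."""
    return [
        m for m in (normalize_mac(x) for x in MAC_RE.findall(inventory))
        if m[:8] in VMWARE_OUIS
    ]


def marker_hits(inventory):
    """Return the lines of the text that carry a VMWare hardware/BIOS marker."""
    return [
        line.strip() for line in inventory.splitlines()
        if any(marker in line.lower() for marker in VMWARE_STRING_MARKERS)
    ]


def fingerprint(inventory):
    """Combine both checks; either one alone is enough to give the game away."""
    macs = vmware_macs(inventory)
    hits = marker_hits(inventory)
    return {
        "vmware_macs": macs,
        "marker_hits": hits,
        "looks_like_vmware": bool(macs or hits),
    }


# Constructed sample of what an intruder might gather on a Windows 2000 guest
# (ipconfig /all plus a few device and BIOS strings). Not real output.
GUEST_INVENTORY = """
Ethernet adapter Local Area Connection:
        Description . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
        Physical Address. . . . . . : 00-0C-29-3A-7F-12
System BIOS Vendor: Phoenix Technologies LTD
System Manufacturer: VMware, Inc.
Display adapter: VMware SVGA II
"""

# Constructed sample of a physical machine, for comparison. Not real output.
PHYSICAL_INVENTORY = """
Ethernet adapter Local Area Connection:
        Description . . . . . . . . : 3Com EtherLink XL 10/100 PCI
        Physical Address. . . . . . : 00-11-22-33-44-55
System Manufacturer: Example Computer Corp
"""

if __name__ == "__main__":
    for name, inventory in (("guest", GUEST_INVENTORY), ("physical", PHYSICAL_INVENTORY)):
        print(name, fingerprint(inventory))
```

Note the caveat that goes with this: the MAC check only catches the default, auto-generated addresses. VMWare lets the operator pin a static MAC in the VM configuration, so a honeypot builder can move the NIC out of these OUI ranges; the BIOS vendor string and the emulated device names are much harder to change from outside the guest, which is why Bill calls full concealment beyond the state of the art.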

