Honeypots mailing list archives

Re: Re: Sebek detection


From: Guilhem <guilhem.m () wanadoo fr>
Date: Mon, 29 Mar 2004 16:33:06 +0200 (CEST)

I think his point was: if someone hacks into a honeypot, he can run a tcpdump and generate such a packet. If the tcpdump 
fails to notice the packet, there is something fishy.

I don't have the answer. I know Sebek generates (or asks for) an ID to find which packets are to be stored / analyzed 
and which are not. My guess is, only the specific ID is hidden, and the hacker, who doesn't know the ID, can't generate 
the packet.

As for the Phrack paper, I think that at least some of his points are right. Or maybe they are not anymore: some flaws 
are detected, some flaws are corrected... Hey, never trust anyone, try for yourself ^^

Guilhem

Message of 29/03/04 16:16
From: Ty Bodell 
To: gconnell () middlebury edu
Cc: honeypots () securityfocus com
Subject: Re: Sebek detection

Also in the KYE Sebek paper is the format for the Sebek packet and the Sebek communication protocol; I don't think it 
can be constructed with nemesis. And what would constructing a Sebek packet and putting it onto the network do for 
you anyway? How would this allow you to see if there is a honeypot on the network when the socket interface is taught 
to ignore Sebek packets? The risk of Sebek detection lies mostly on the local box itself, not the network interaction 
in the honeynet. Maybe I'm missing something.

Respectfully,
Ty Bodell

----- Original Message -----
From: 
Date: 29 Mar 2004 06:46:23 -0000
To: honeypots () securityfocus com
Subject: Sebek detection



In the Know Your Enemy: Sebek whitepaper from honeynet.org, under the heading "Client Packet Export", it is made 
clear that "[Sebek] modifies the kernel such that the system is unable to see Sebek Packets, not just the packets 
generated by the local host, but any appropriately configured Sebek Packet."

I'm sort of new at Sebek and haven't actually tested this idea out, but from the documentation, it seems there 
would be a pretty easy way to detect Sebek running on a honeypot. Why not just construct a Sebek packet with some 
sort of packet generation tool (maybe nemesis?) and send it onto the network, then see if it can be seen by a 
regular tcpdump or snort session?

--Cleverduck
