Honeypots mailing list archives

Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691


From: ader () ait edu gr
Date: Wed, 12 Jul 2006 23:46:44 +0300 (EEST)


Hi.

On 06.07.2006 10:49, George wrote:
How will you intercept the encrypted traffic from SSH? Is Sebek so
powerful that it can decrypt SSH? Is there a honeypot that acts as an SSH
server but also writes the decrypted data somewhere? Will you do a
forensic analysis?


Ok guys, the question that you bring up about Sebek is a very simple one.
Sebek works on the KERNEL level, meaning it can manipulate operating
system core functions that under normal circumstances a user is not
allowed to (even if you have root access). This is one of the great
benefits of Sebek: it works hidden in the operating system, recording all
types of data (keystrokes, buffer reads from memory/NICs/HDD) without the
user knowing anything about it. What Sebek essentially does is record the
SYS_READ function of the operating system. Those of you that know a little
about Linux understand how important and essential this function is.
So when an attacker tries to log in through SSH, Sebek will capture the
data AFTER it has been decrypted by the SSHD and the login request is
made to the OS. Don't forget that SSH is designed to protect the data
during transit through the network only.

-- 
Andreas Derdemezis
BEng IT  -  MSc ICT (e-Tech)  - MSc ITT
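A small model of the point made in the reply above, added here as an illustration and not code from the original message or from Sebek itself: a toy keystream cipher stands in for the SSH transport, and NetworkTap / SyscallTap are hypothetical names for a packet sniffer on the wire and a hook on sys_read on the host, showing which of the two ever sees the keystrokes.

```python
"""Where a kernel-level sensor sits relative to SSH (added example, not
Sebek code). The cipher is a toy SHA-256 counter-mode keystream standing
in for the SSH transport cipher; NetworkTap and SyscallTap are
hypothetical names for a sniffer and a hooked sys_read respectively."""
import hashlib


def keystream(key: bytes, nbytes: int) -> bytes:
    # Toy counter-mode keystream; plays the role of the SSH session cipher.
    out, ctr = b"", 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:nbytes]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class NetworkTap:
    """What a sniffer between client and server records: ciphertext only."""
    def __init__(self):
        self.packets = []

    def observe(self, wire_bytes: bytes):
        self.packets.append(wire_bytes)


class SyscallTap:
    """What a hook on sys_read records: the buffer the process actually reads."""
    def __init__(self):
        self.reads = []

    def observe(self, buf: bytes):
        self.reads.append(buf)


def ssh_session(keystrokes: bytes, key: bytes, net: NetworkTap, tap: SyscallTap) -> bytes:
    ks = keystream(key, len(keystrokes))
    wire = xor(keystrokes, ks)   # client encrypts for transit
    net.observe(wire)            # the sniffer only ever sees this
    plaintext = xor(wire, ks)    # sshd decrypts on the honeypot host
    tap.observe(plaintext)       # the shell's read() returns plaintext: the hook sees it
    return plaintext


def run_demo():
    net, tap = NetworkTap(), SyscallTap()
    typed = b"uname -a\n"                 # constructed sample keystrokes
    key = b"constructed-session-key"      # constructed sample session key
    got = ssh_session(typed, key, net, tap)
    return {"wire_contains_plaintext": any(typed in p for p in net.packets),
            "syscall_saw": tap.reads, "shell_got": got}
```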