Honeypots mailing list archives
Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691
From: ader () ait edu gr
Date: Wed, 12 Jul 2006 23:46:44 +0300 (EEST)
Hi. On 06.07.2006 10:49, George wrote:How you will intercept the crypted traffic from ssh? Is sebek so powerful to decrypt ssh? There is a honeypot that act as a ssh server but also write somewhere decrypted? You will make a forensics analyse?
Ok guys The question that you bring about SEBEK is a very simple one, SEBEK works on the KERNEL level... Meaning it can manipulate operating system core functions that under normal circuimstances a user is not allowed to (even if u have root access). This is one of the great benefits of SEBEK it works hidden in the Operating system recording all types of data (Keystrokes, BUFFER reads from memory/NICS/HDD ) without the user knowing anything about it. What sebek does essentially, is to record the SYS_READ function of the operating system. Those of you that know a little about linux you understand how important and essential this function is. So When an attacker tries to Login through SSH, SEBEK will capture the data AFTER it has been decrypted by the SSHD, and the login request is made to the OS. Dont forget that SSH is designed in order to protect the data during transit through the Networks only. -- Andreas Derdemezis BEng IT - MSc ICT (e-Tech) - MSc ITT
Current thread:
- Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691 George (Jul 06)
- Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691 Yannis Corovesis (Jul 06)
- Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691 Siim Põder (Jul 12)
- Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691 ader (Jul 12)
- Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691 Mark J. Hufe (Jul 12)
- Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691 ader (Jul 12)
- Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691 ader (Jul 12)