Honeypots mailing list archives
Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691
From: ader () ait edu gr
Date: Thu, 13 Jul 2006 02:17:06 +0300 (EEST)
SEBEK is a client-server program. The client resides on the honeypots, and the server on the Honeywall. In brief, I will try to explain how this system works: the client captures data and then transmits the captured data to an IP address that is OUTSIDE the Honeywall; as a result the packets travel through the Honeywall and get captured there as well. The SEBEK server residing on the Honeywall will recognise SEBEK packets, giving you the option to drop them at this point as well. The very interesting feature of SEBEK is that the user is oblivious to this transmission.

I would suggest to all of you to give it a try. It's robust and relatively easy to install and run.

As for the OpenSSH line change, it is used just to add a printf()-type statement so that the authentication function of the SSH server prints the login attempts to the honeypot screen/file.
> Does SEBEK run on the Honeywall or on each of the honeypots? One of the earlier responses to this thread referenced a simple code change to OpenSSH, in which a couple of lines of code are added to the authentication function. This would be on the honeypot side, no? If SEBEK is running on the Honeywall, how does it have access to kernel functions on the honeypots?
>
> - Mark
>
> ader () ait edu gr wrote:
> > Hi.
> >
> > On 06.07.2006 10:49, George wrote:
> > > How will you intercept the encrypted traffic from ssh? Is sebek so powerful that it decrypts ssh? Is there a honeypot that acts as an ssh server but also writes it somewhere decrypted? Will you do a forensic analysis?
> >
> > OK guys, the question that you bring up about SEBEK is a very simple one. SEBEK works at the KERNEL level, meaning it can manipulate operating system core functions that under normal circumstances a user is not allowed to (even if you have root access). This is one of the great benefits of SEBEK: it works hidden in the operating system, recording all types of data (keystrokes, BUFFER reads from memory/NICs/HDD) without the user knowing anything about it.
> >
> > What sebek does, essentially, is record the SYS_READ function of the operating system. Those of you that know a little about Linux understand how important and essential this function is. So when an attacker tries to log in through SSH, SEBEK will capture the data AFTER it has been decrypted by the SSHD and the login request is made to the OS. Don't forget that SSH is designed to protect the data during transit through the networks only.
-- Andreas Derdemezis BEng IT - MSc ICT (e-Tech) - MSc ITT
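As an added illustration of the Honeywall-side logic described in this thread (sensor records sent toward an outside address, recognised at the gateway, logged and dropped, then joined back into the typed input that the honeypot's read() calls saw after sshd had decrypted it). This is example code written for this archive page, not Sebek's own code: the header layout, the magic value, the record types and the sample datagrams are all constructed here and are not Sebek's real wire format.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical record header, constructed for this example; it is NOT Sebek's
# real wire format, only a stand-in with the same shape of problem:
#   magic (4) | version (2) | type (2) | pid (4) | fd (4) | length (4) | data
MAGIC = 0x5EBE0C0D                  # placeholder marker the gateway looks for
HEADER = struct.Struct("!IHHIII")   # network byte order, 20 bytes
TYPE_READ, TYPE_WRITE = 0, 1


@dataclass
class Record:
    version: int
    rtype: int
    pid: int
    fd: int
    data: bytes


def build_packet(rtype, pid, fd, data, version=1):
    """Emit what a sensor on the honeypot would send (used here only to build test input)."""
    return HEADER.pack(MAGIC, version, rtype, pid, fd, len(data)) + data


def parse_packet(payload):
    """Return a Record if payload starts with the sensor magic and is complete, else None."""
    if len(payload) < HEADER.size:
        return None
    magic, version, rtype, pid, fd, length = HEADER.unpack_from(payload)
    if magic != MAGIC:
        return None
    data = payload[HEADER.size:HEADER.size + length]
    if len(data) != length:          # truncated record: do not treat it as ours
        return None
    return Record(version, rtype, pid, fd, data)


def gateway_filter(datagrams):
    """Replay UDP payloads seen on the gateway.

    Sensor records are logged and dropped so they never reach the outside
    address they were sent to; everything else is forwarded untouched.
    Returns (forwarded payloads, captured records).
    """
    forwarded, captured = [], []
    for payload in datagrams:
        rec = parse_packet(payload)
        if rec is None:
            forwarded.append(payload)
        else:
            captured.append(rec)
    return forwarded, captured


def reconstruct_sessions(records):
    """Join read() records per (pid, fd): one-byte tty reads become lines of typed input."""
    streams = defaultdict(bytearray)
    for rec in records:
        if rec.rtype == TYPE_READ:
            streams[(rec.pid, rec.fd)] += rec.data
    return {key: bytes(buf).decode("utf-8", "replace") for key, buf in streams.items()}


# Constructed sample traffic: a shell (pid 4242) reading typed characters from
# fd 0 one byte per read(), plus unrelated datagrams that must pass through.
SAMPLE_DATAGRAMS = (
    [build_packet(TYPE_READ, 4242, 0, ch.encode()) for ch in "ls -la\n"]
    + [b"unrelated dns-like payload"]
    + [build_packet(TYPE_READ, 4242, 0, ch.encode()) for ch in "uname -a\n"]
    + [b"\x00\x01"]   # too short to be a record
)


def demo():
    """Run the sample traffic through the gateway; returns (forwarded, captured, sessions)."""
    forwarded, captured = gateway_filter(SAMPLE_DATAGRAMS)
    sessions = reconstruct_sessions(captured)
    return len(forwarded), len(captured), sessions


if __name__ == "__main__":
    fwd, cap, sessions = demo()
    print(f"forwarded={fwd} captured={cap}")
    for (pid, fd), text in sessions.items():
        print(f"pid={pid} fd={fd}: {text!r}")
```

The point of the split into parse, filter and reconstruct is the one made in the thread: the gateway only needs to recognise the sensor's marker to keep the records from leaving, while the per-(pid, fd) join is what turns a stream of single-byte read() results into readable input, with no dependence on the SSH session key because the data was already plaintext when the honeypot's kernel saw it.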