Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691

[ader () ait edu gr]

SEBEK is a Client-Server program. The Client resides on the honeypots, and
the server on the Honeywall.
In brief i will try to explain how this system works:
The client Captures Data, and then transmits the captured data to an IP
address that is OUTSIDE the honeywall, as a result the packets travel
through the Honeywall and get captured there as well. The SEBEK server
residing on the honeywall will recognise SEBEK packets giving you the
option to drop them at this point as well.
The Very interesting feature of SEBEK is that the user is oblivius to this
transmission.
I would suggest to all of you to give it a try. Its robust and relatively
easy to install and run.

As far as the open SSH line change, it is used just to add a printf() type
statement in order to have the authentication fucntion of the SSH server,
print you the login attemps in the honeypot screen/file.

> Does SEBEK run on the honeywall or each of the honeypots? One of the
> earlier responses to this thread referenced a simple code change to
> openssh, in which a couple of lines of code are added to the
> authentication function. This would be on the honeypot side, no?
>
> If SEBEK is running on the honeywall, how does it have access to kernel
> functions on the honeypots?
>
> - Mark
>
> ader () ait edu gr wrote:
> > > Hi.
> > >
> > > On 06.07.2006 10:49, George wrote:
> > >
> > > > How you will intercept  the crypted traffic from ssh? Is sebek so
> > > > powerful to decrypt ssh? There is a honeypot that act as a ssh server
> > > > but also write somewhere decrypted? You will make a forensics analyse?
> >
> > Ok guys The question that you bring about SEBEK is a very simple one,
> > SEBEK  works on the KERNEL level... Meaning it can manipulate operating
> > system core functions that under normal circuimstances a user is not
> > allowed to (even if u have root access). This is one of the great
> > benefits
> > of SEBEK it works hidden in the Operating system recording all types of
> > data (Keystrokes, BUFFER reads from memory/NICS/HDD ) without the user
> > knowing anything about it. What sebek does essentially, is to record the
> > SYS_READ function of the operating system. Those of you that know a
> > little
> > about linux you understand how important and essential this function is.
> > So When an attacker tries to Login through SSH, SEBEK will capture the
> > data AFTER it has been decrypted by the SSHD, and the login request is
> > made to the OS. Dont forget that SSH is designed in order to protect the
> > data during transit through the Networks only.


-- 
Andreas Derdemezis
BEng IT  -  MSc ICT (e-Tech)  - MSc ITT