Honeypots: Re: honeypots Digest 5 Jul 2006 18:33:45 -0000 Issue 691

From: Mark J. Hufe <mark.j.hufe_at_wilmcoll.edu>
Date: Wed, 12 Jul 2006 17:18:45 -0400

Does SEBEK run on the honeywall or each of the honeypots? One of the
earlier responses to this thread referenced a simple code change to
openssh, in which a couple of lines of code are added to the
authentication function. This would be on the honeypot side, no?

If SEBEK is running on the honeywall, how does it have access to kernel
functions on the honeypots?

- Mark

ader_at_ait.edu.gr wrote:
>>Hi.
>>
>>On 06.07.2006 10:49, George wrote:
>>
>>>How will you intercept the encrypted traffic from ssh? Is sebek so
>>>powerful that it can decrypt ssh? Is there a honeypot that acts as an ssh server
>>>but also writes the decrypted data somewhere? Will you do a forensic analysis?
>>
>
> Ok guys, the question that you bring up about SEBEK is a very simple one.
> SEBEK works on the KERNEL level... Meaning it can manipulate operating
> system core functions that under normal circumstances a user is not
> allowed to (even if you have root access). This is one of the great benefits
> of SEBEK: it works hidden in the Operating system, recording all types of
> data (Keystrokes, BUFFER reads from memory/NICs/HDD) without the user
> knowing anything about it. What sebek does essentially is record the
> SYS_READ function of the operating system. Those of you who know a little
> about linux understand how important and essential this function is.
> So when an attacker tries to Login through SSH, SEBEK will capture the
> data AFTER it has been decrypted by the SSHD, and the login request is
> made to the OS. Don't forget that SSH is designed to protect the
> data during transit through the Networks only.
>
Received on Jul 12 2006
