Have you tried using a trojaned binary of ps?
Hide the vmware process the way intruders hide their psybnc processes.
or say:
cat /bin/ps
#!/bin/sh
# pass every argument through to the real ps, then filter out the hidden names
/bin/.psreal "$@" | grep -v "vmware" | grep -v "psreal"
Hide some more processes. I'm not suggesting you use similar shell
scripts, just giving you an idea. You could code it in Perl
and compile it using perlcc, or could write it in C code,
using system();
Regards
--------
Muhammad Faisal Rauf Danka
Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B
784B 0202
--- "Bruno MAC Castro" <bcastro_at_dei.uc.pt> wrote:
>
>Thanks Bill,
>
>I agree with you in everything... But, it would improve the concept of a
>Honeypot if the trace of a virtual machine (VMWare) was hard (or
>impossible) to find. My goal is to reach a stage where there is no
>visible VMWare process in my honeypot. I also know that it is almost
>impossible to reach it, but we need high goals to keep us working...
>right?
>;-)
>
>For a start, I would be happy with a solution (maybe a tool) that hides
>or "camouflages" the VMWare process from the OS Process List.
>
>Any ideas?
>Regards
>Bruno
>
>-----Original Message-----
>From: Bill McCarty [mailto:bmccarty_at_apu.edu]
>Sent: segunda-feira, 4 de Novembro de 2002 16:32
>To: bcastro_at_dei.uc.pt; honeypots_at_securityfocus.com
>Subject: Re: Building an Honeypot using VMWare
>
>Hi Bruno and all,
>
>--On Monday, November 04, 2002 3:58 PM +0000 Bruno MAC Castro
><bcastro_at_dei.uc.pt> wrote:
>
>> 4. It would be important to hide the VMWare process on the Guest. I need
>> a tool (or a solution) to cover or hide the VMWare process in both
>> systems. Ideas?
>
>There are several other ways for an attacker to determine that the
>compromised host is a virtual host. For example, a virtual machine's
>virtual network adapters have distinctive MAC addresses. Similarly, the
>BIOS string and information from emulated PCI probes can give away the
>game.
>
>On the other hand, worms and script kiddies won't care much -- or possibly
>even notice -- that they've compromised a virtual machine. Yes, a skilled
>blackhat might notice and care. But, concealing the virtual nature of a
>honeypot from that species is probably beyond the state of the art --
>possibly a good topic for a master's thesis in itself <grin>.
>
Received on Nov 04 2002
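
Added example, not part of the original message: a wrapper that only filters ps output leaves /proc untouched, so comparing the two exposes whatever it hides, which is how such wrappers left by intruders are usually found. The function name, the sample PIDs and the saved-output file are constructed for illustration, and a Linux-style /proc layout with a per-PID `comm` file is assumed.

```shell
#!/bin/sh
# Cross-check a /proc-style directory against saved ps output and report
# PIDs the kernel knows about but ps did not list.

# hidden_pids PROC_DIR PS_FILE
#   PROC_DIR: directory with one numeric subdirectory per PID, each holding
#             a "comm" file (as Linux /proc does)
#   PS_FILE:  saved output of: ps -e -o pid= -o comm=
# Prints "PID COMMAND" for every PID in PROC_DIR that is absent from PS_FILE.
hidden_pids() {
    proc_dir=$1
    ps_file=$2
    for d in "$proc_dir"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        # skip entries that merely start with a digit
        case $pid in *[!0-9]*) continue ;; esac
        # is this PID in the first column of the ps output?
        if ! awk -v p="$pid" '$1 == p { found = 1 } END { exit !found }' "$ps_file"; then
            comm=$(cat "$d/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# Constructed sample data: a fake /proc tree with four processes, and the
# ps output a filtering wrapper would produce (vmware line removed).
demo() {
    tmp=$(mktemp -d) || return 1
    for entry in 1:init 412:sshd 977:vmware 1033:bash; do
        mkdir "$tmp/${entry%%:*}"
        echo "${entry#*:}" > "$tmp/${entry%%:*}/comm"
    done
    printf '%5s %s\n' 1 init 412 sshd 1033 bash > "$tmp/ps.out"
    hidden_pids "$tmp" "$tmp/ps.out"
    rm -rf "$tmp"
}
```

On a live host, save `ps -e -o pid= -o comm=` to a file and pass `/proc` as the first argument; processes that start between the two steps show up as false positives, so repeat the check before trusting a hit.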