Sebek


Data capture tool used in a honeynet to track down attackers

Transcript

  • 1. Sebek: a kernel-based capture tool
    Prepared by Jaison Salu John
  • 2. Sebek
    Sebek is a data capture tool. Its purpose is to accurately recreate the events on a honeypot:
    - when an intruder broke in
    - how they did it
    - what they did after gaining access
    - what their motivations are
    - who they may be working with
    Sebek captures data that reveals the intruder's keystrokes and the impact of the attack.
  • 3. Sebek Architecture
    [Diagram: Sebek Client Modules on each Honeypot send Sebek Packets to the Honeywall Gateway, which runs the Sebek Server Module and the Sebek Web Interface.]
  • 4. How does Sebek capture data on the client?
    [Diagram: inside the honeypot, a read() call from the standard library in user space enters kernel space through the syscall table. The Sebek kernel module has stored pointers to the original read and write handlers and replaced the table's read entry with its own New_Read, which hands the data to its Data Logger.]
  • 5. How are Sebek packets kept hidden on the network?
    General flow: Sebek packets bypass the socket interface, the TCP/IP stack and Netfilter; the TCP/IP stack itself is not used at all.
    [Diagram: normal Linux kernel path: Socket Interface -> TCP/IP Stack -> Netfilter -> Network Device Driver -> Local Ethernet Network. Sebek Kernel Module path: Data Logger -> Packet Generator -> Transmitter, handing frames directly to the Network Device Driver.]
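What the module has to do once it skips the stack, as an added example (not Sebek's own code): with no socket layer underneath it, the client must assemble the Ethernet, IPv4 and UDP headers itself, including the IP header checksum and the UDP checksum over the pseudo-header, before handing the frame to the driver. The user-space function below does exactly that, and a receiver-side check confirms the result. MAC addresses, IP addresses, ports and the payload are constructed sample values; the function and constant names are mine, not Sebek's.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Header sizes and protocol constants (hypothetical names, standard values). */
#define ETH_HDR_LEN   14
#define IP_HDR_LEN    20
#define UDP_HDR_LEN   8
#define ETHERTYPE_IP  0x0800
#define PROTO_UDP     17

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement sum. 'sum' carries a partial result across buffers,
 * so only the last buffer summed may have odd length. */
static uint32_t csum_add(uint32_t sum, const uint8_t *d, size_t len) {
    while (len > 1) { sum += ((uint32_t)d[0] << 8) | d[1]; d += 2; len -= 2; }
    if (len) sum += (uint32_t)d[0] << 8;
    return sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* UDP checksum over the IPv4 pseudo-header plus UDP header and payload.
 * Returns 0 when the checksum field already holds a valid value. */
static uint16_t udp_csum(const uint8_t *ip, const uint8_t *udp, size_t ulen) {
    uint8_t pseudo[12];
    memcpy(pseudo, ip + 12, 8);                 /* source and destination address */
    pseudo[8] = 0; pseudo[9] = PROTO_UDP; put16(pseudo + 10, (uint16_t)ulen);
    return csum_fold(csum_add(csum_add(0, pseudo, sizeof pseudo), udp, ulen));
}

/* Build Ethernet + IPv4 + UDP + payload into out. Returns the frame length, or 0 if
 * it does not fit. dst_mac is the install-time Destination MAC, so no ARP is needed. */
size_t build_udp_frame(uint8_t *out, size_t cap,
                       const uint8_t dst_mac[6], const uint8_t src_mac[6],
                       uint32_t src_ip, uint32_t dst_ip,
                       uint16_t src_port, uint16_t dst_port,
                       const uint8_t *payload, size_t plen) {
    size_t ulen = UDP_HDR_LEN + plen, total = ETH_HDR_LEN + IP_HDR_LEN + ulen;
    if (total > cap || IP_HDR_LEN + ulen > 0xffff) return 0;
    uint8_t *eth = out, *ip = out + ETH_HDR_LEN, *udp = ip + IP_HDR_LEN;

    memcpy(eth, dst_mac, 6); memcpy(eth + 6, src_mac, 6); put16(eth + 12, ETHERTYPE_IP);

    memset(ip, 0, IP_HDR_LEN);
    ip[0] = 0x45;                                      /* IPv4, 20-byte header, no options */
    put16(ip + 2, (uint16_t)(IP_HDR_LEN + ulen));      /* total length */
    ip[8] = 64; ip[9] = PROTO_UDP;                     /* TTL, protocol */
    put32(ip + 12, src_ip); put32(ip + 16, dst_ip);
    put16(ip + 10, csum_fold(csum_add(0, ip, IP_HDR_LEN)));  /* field is zero while summing */

    put16(udp, src_port); put16(udp + 2, dst_port);
    put16(udp + 4, (uint16_t)ulen); put16(udp + 6, 0);
    memcpy(udp + UDP_HDR_LEN, payload, plen);
    uint16_t c = udp_csum(ip, udp, ulen);
    put16(udp + 6, c ? c : 0xffff);                    /* 0 would mean "no checksum" */
    return total;
}

/* Receiver-side check: 1 if the frame is well-formed and both checksums verify. */
int verify_udp_frame(const uint8_t *f, size_t len) {
    if (len < ETH_HDR_LEN + IP_HDR_LEN + UDP_HDR_LEN || get16(f + 12) != ETHERTYPE_IP) return 0;
    const uint8_t *ip = f + ETH_HDR_LEN, *udp = ip + IP_HDR_LEN;
    if (ip[0] != 0x45 || ip[9] != PROTO_UDP || get16(ip + 2) != len - ETH_HDR_LEN) return 0;
    if (csum_fold(csum_add(0, ip, IP_HDR_LEN)) != 0) return 0;
    size_t ulen = get16(udp + 4);
    if (ulen != len - ETH_HDR_LEN - IP_HDR_LEN) return 0;
    return udp_csum(ip, udp, ulen) == 0;
}

int main(void) {
    /* Constructed sample: honeypot 10.0.0.2 -> collector 10.0.0.1, UDP port 1101 both ends. */
    const uint8_t dmac[6] = {0x00,0x11,0x22,0x33,0x44,0x55}, smac[6] = {0x00,0xaa,0xbb,0xcc,0xdd,0xee};
    const uint8_t payload[] = "sebek";
    uint8_t frame[256];
    size_t n = build_udp_frame(frame, sizeof frame, dmac, smac, 0x0a000002u, 0x0a000001u,
                               1101, 1101, payload, sizeof payload - 1);
    printf("frame %zu bytes, verify=%d\n", n, verify_udp_frame(frame, n));
    return 0;
}
```

Because the frame never passes through the socket layer, Netfilter hooks and the host's own packet capture never see it; that is also why a detector has to look for the module in the kernel rather than for its traffic on the honeypot.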
  • 6. Sebek Record Header
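The slide itself lists no fields. As an added example (not Sebek's code), the parser and serialiser below use the version 2 record layout described in the referenced Know Your Enemy: Sebek paper: 32-bit magic, 16-bit version and type, then 32-bit counter, seconds, microseconds, PID, UID and file descriptor, a 12-byte command name and a 32-bit data length, all big-endian, 48 bytes in total, followed by the data. Treat that layout as an assumption taken from the paper rather than from this page. The parser rejects short buffers, records whose magic differs from the install-time Magic Value, and records whose declared length overruns the buffer, which is the check a collector needs before trusting a datagram. The magic value, command name and payload used here are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SBK_HDR_LEN 48   /* 4+2+2+4+4+4+4+4+4+12+4 */

/* Sebek v2 record header, host representation (layout assumed from the KYE paper). */
struct sebek_hdr {
    uint32_t magic;              /* must equal the Magic Value set at install time */
    uint16_t version;
    uint16_t type;
    uint32_t counter;            /* per-record sequence number */
    uint32_t time_sec, time_usec;
    uint32_t pid, uid, fd;
    char     com[13];            /* 12-byte command name, NUL-terminated here */
    uint32_t length;             /* bytes of data following the header */
};

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Parse one record from buf. Returns 0 and sets *data on success;
 * -1 if buf is too short for a header, -2 if the magic does not match
 * (not our record, drop it), -3 if the declared length overruns buf. */
int sebek_parse(const uint8_t *buf, size_t len, uint32_t magic,
                struct sebek_hdr *h, const uint8_t **data) {
    if (len < SBK_HDR_LEN) return -1;
    h->magic = rd32(buf);
    if (h->magic != magic) return -2;
    h->version   = rd16(buf + 4);  h->type     = rd16(buf + 6);
    h->counter   = rd32(buf + 8);  h->time_sec = rd32(buf + 12); h->time_usec = rd32(buf + 16);
    h->pid       = rd32(buf + 20); h->uid      = rd32(buf + 24); h->fd        = rd32(buf + 28);
    memcpy(h->com, buf + 32, 12);  h->com[12] = '\0';
    h->length    = rd32(buf + 44);
    if (h->length > len - SBK_HDR_LEN) return -3;
    *data = buf + SBK_HDR_LEN;
    return 0;
}

/* Serialise a record the way a client would before sending it.
 * Returns bytes written, or 0 if out is too small. */
size_t sebek_build(uint8_t *out, size_t cap, const struct sebek_hdr *h, const uint8_t *data) {
    if (cap < SBK_HDR_LEN + (size_t)h->length) return 0;
    size_t cl = 0;
    while (cl < 12 && h->com[cl]) cl++;            /* command is not NUL-terminated on the wire */
    wr32(out, h->magic);       wr16(out + 4, h->version); wr16(out + 6, h->type);
    wr32(out + 8, h->counter); wr32(out + 12, h->time_sec); wr32(out + 16, h->time_usec);
    wr32(out + 20, h->pid);    wr32(out + 24, h->uid);      wr32(out + 28, h->fd);
    memset(out + 32, 0, 12);   memcpy(out + 32, h->com, cl);
    wr32(out + 44, h->length);
    memcpy(out + SBK_HDR_LEN, data, h->length);
    return SBK_HDR_LEN + h->length;
}

int main(void) {
    /* Constructed sample: one keystroke-style read record from a shell. */
    struct sebek_hdr h = {0}, parsed;
    const uint8_t *data;
    uint8_t buf[128];
    h.magic = 0xd00d1e55u; h.version = 2; h.type = 0; h.counter = 7;
    h.time_sec = 1069027200u; h.time_usec = 42; h.pid = 1234; h.uid = 0; h.fd = 0;
    strcpy(h.com, "bash"); h.length = 7;
    size_t n = sebek_build(buf, sizeof buf, &h, (const uint8_t *)"ls -la\n");
    int rc = sebek_parse(buf, n, 0xd00d1e55u, &parsed, &data);
    printf("built %zu bytes, parse rc=%d, pid=%u com=%s len=%u\n",
           n, rc, parsed.pid, parsed.com, parsed.length);
    return 0;
}
```

The magic check is the collector's only filter for stray datagrams arriving on the same port, so a collector should treat a mismatch as "drop silently" rather than as an error worth logging from the honeynet's own address.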
  • 7. Sebek Functions
    - Monitoring keystroke activity
    - Command line reconstruction
    - Loading captured data into a database
    - Recovering files the attacker tried to copy with the scp command
    - Identifying the point where the attacker gained root access
    - Web interface
  • 8. Sebek Client Installation Variables
    - Interface
    - Destination IP
    - Destination MAC
    - Magic Value
    - Destination UDP Port
    - Source UDP Port
    - Keystrokes only
    - Testing
  • 9. Limitations
    Sebek modules can be detected with rootkit detection tools.
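Slides 4 and 9 together, as an added user-space model (not Sebek's kernel module code): sebek_install does what the slide 4 diagram shows, saving the original read handler and pointing the table's read entry at a logger that calls the saved original so the caller sees no change, and detect_hooks does what the rootkit detectors of slide 9 do, comparing the live table with a known-good copy in the way checkers that compare sys_call_table against System.map do. The two-entry table, both handlers and the "terminal input" are constructed stand-ins; every name here is hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef long (*syscall_fn)(int fd, char *buf, size_t count);
enum { NR_READ = 0, NR_WRITE = 1, NR_COUNT = 2 };

/* Constructed "terminal input" that the original read() hands to user space. */
static const char *tty_input = "ls -la\n";
static size_t tty_off = 0;

static long orig_sys_read(int fd, char *buf, size_t count) {
    size_t left = strlen(tty_input) - tty_off;
    size_t n = count < left ? count : left;
    memcpy(buf, tty_input + tty_off, n);
    tty_off += n;
    (void)fd;
    return (long)n;
}
static long orig_sys_write(int fd, char *buf, size_t count) { (void)fd; (void)buf; return (long)count; }

/* The live table the dispatcher uses, and the copy a detector holds (System.map style). */
static syscall_fn sys_call_table[NR_COUNT] = { orig_sys_read, orig_sys_write };
static const syscall_fn known_good_table[NR_COUNT] = { orig_sys_read, orig_sys_write };

static syscall_fn saved_read;      /* pointer the module stores before patching */

/* Captured data: what the module would ship off-host as records. */
struct log_entry { int fd; size_t len; char data[64]; };
static struct log_entry capture_log[16];
static size_t capture_count = 0;

static long hooked_sys_read(int fd, char *buf, size_t count) {
    long ret = saved_read(fd, buf, count);      /* behaviour unchanged for the caller */
    if (ret > 0 && capture_count < 16) {
        struct log_entry *e = &capture_log[capture_count++];
        e->fd = fd;
        e->len = (size_t)ret < sizeof e->data ? (size_t)ret : sizeof e->data;
        memcpy(e->data, buf, e->len);
    }
    return ret;
}

/* Slide 4: swap the read entry, keeping the original pointer. */
void sebek_install(void) { saved_read = sys_call_table[NR_READ]; sys_call_table[NR_READ] = hooked_sys_read; }
void sebek_remove(void)  { sys_call_table[NR_READ] = saved_read; }

/* User-space entry point: dispatch through the table as the kernel does. */
long do_syscall(int nr, int fd, char *buf, size_t count) {
    if (nr < 0 || nr >= NR_COUNT) return -1;
    return sys_call_table[nr](fd, buf, count);
}

/* Slide 9: a detector's check. Counts entries that no longer point where they should. */
int detect_hooks(void) {
    int hooked = 0;
    for (int i = 0; i < NR_COUNT; i++)
        if (sys_call_table[i] != known_good_table[i]) hooked++;
    return hooked;
}

size_t captured_records(void) { return capture_count; }
const struct log_entry *captured_record(size_t i) { return i < capture_count ? &capture_log[i] : NULL; }

int main(void) {
    char buf[32];
    sebek_install();
    long n = do_syscall(NR_READ, 0, buf, sizeof buf);
    printf("read returned %ld, captured %zu record(s), hooked entries: %d\n",
           n, captured_records(), detect_hooks());
    sebek_remove();
    printf("after removal, hooked entries: %d\n", detect_hooks());
    return 0;
}
```

The same comparison is why the slide 9 limitation exists: the patched entry is visible to anything that can read the table and knows the original addresses, regardless of how well the module hides its network traffic.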
  • 10. References
    Know Your Enemy: Sebek. The Honeynet Project, 17 November 2003. http://old.honeynet.org/papers/sebek.pdf
