Sebek

Data capture tool used by a honeynet to track down an attacker.

Sebek: Presentation Transcript

  • Sebek: A kernel-based capture tool
    Prepared by Jaison Salu John
  • Sebek
    Sebek is a data capture tool used to accurately recreate the events on a honeypot:
    When an intruder broke in
    How they did it
    What they did after gaining access
    What their motivations are
    Who they may be working with
    Sebek captures data that reveals the intruder’s keystrokes and the impact of the attack.
  • Sebek Architecture (diagram)
    Honeypots, each running a Sebek Client module, send Sebek Packets to the Honeywall Gateway, which runs the Sebek Server module; captured data is viewed through the Sebek Web Interface.
  • How does Sebek capture data on the client? (diagram)
    In the honeypot, a user-space program issues a read() call through the Standard Library, which enters Kernel Space via the Syscall Table.
    The Sebek Kernel Module stores pointers to the Original Read and Original Write handlers and replaces the table entries with its own New_Read, which passes the data to the Data Logger before returning it to the caller.
  • How are Sebek packets kept hidden on the network? (diagram)
    General flow: Sebek packets bypass the Socket Interface, the TCP/IP Stack and Netfilter; the TCP/IP stack itself is not used at all!
    Inside the Linux Kernel, the Sebek Kernel Module’s Data Logger feeds a Packet Generator and Transmitter, which hand the packets directly to the Network Device Driver for the Local Ethernet.
  • Sebek Record Header
  • Sebek Functions
    Monitoring keystroke activity
    Command line
    Loading into a database
    Recovering files the attacker tried to copy using the scp command
    Identifying the point where the attacker gained root access
    Web Interface
  • Sebek Client Installation Variables
    Interface
    Destination IP
    Destination MAC
    Magic Value
    Destination UDP Port
    Source UDP Port
    Keystrokes only
    Testing
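As an added example (not part of the presentation and not the Sebek project's own code), the following Python sketch shows the server side of the Record Header, Sebek Functions and Installation Variables slides: it decodes UDP payloads using the 56-byte Sebek 3 record header layout described in the referenced Know Your Enemy paper (magic, version, type, counter, timestamp, parent pid, pid, uid, fd, inode, command name, data length; treat the exact field order as an assumption to check against that paper), discards datagrams whose destination port or Magic Value does not match the installation variables, rebuilds keystroke lines from read() records on fd 0, and reports the first record logged with uid 0 as the point where root access was gained. The MAGIC_VALUE, the UDP port and the sample session datagrams are constructed values, not from any real deployment.

```python
"""Server-side parser for Sebek-style keystroke records (added example).

Assumed record layout (Sebek 3 header as documented in the honeynet.org
paper; verify the field order against that PDF before relying on it):
  magic u32 | ver u16 | type u16 | counter u32 | time_sec u32 | time_usec u32 |
  parent_pid u32 | pid u32 | uid u32 | fd u32 | inode u32 | com[12] | length u32
All fields big-endian, followed by `length` bytes of captured data.
"""
import struct
from collections import defaultdict

HEADER = struct.Struct("!IHHIIIIIIII12sI")   # 56-byte header
SBK_READ, SBK_WRITE = 0, 1                    # record types for the hooked calls

# Installation variables the server must share with the client
# (constructed values, not from any real deployment).
MAGIC_VALUE = 0xD34DBEEF
DEST_UDP_PORT = 1101


def parse_record(payload, magic=MAGIC_VALUE):
    """Decode one UDP payload; return None if it is not a Sebek record."""
    if len(payload) < HEADER.size:
        return None
    (m, ver, rtype, counter, sec, usec, ppid, pid, uid, fd, inode,
     com, length) = HEADER.unpack_from(payload)
    if m != magic or ver != 3:
        return None            # unrelated datagram or a client we did not configure
    data = payload[HEADER.size:HEADER.size + length]
    if len(data) != length:
        return None            # truncated record
    return {"counter": counter, "type": rtype, "time": sec + usec / 1e6,
            "ppid": ppid, "pid": pid, "uid": uid, "fd": fd, "inode": inode,
            "com": com.rstrip(b"\x00").decode("ascii", "replace"),
            "data": data}


def collect(datagrams, port=DEST_UDP_PORT, magic=MAGIC_VALUE):
    """Keep only datagrams on the configured port that parse as Sebek records."""
    records = [parse_record(p, magic) for dport, p in datagrams if dport == port]
    return sorted((r for r in records if r), key=lambda r: r["counter"])


def keystroke_lines(records):
    """Rebuild command lines from read() records on stdin (fd 0), per process."""
    buffers = defaultdict(bytearray)
    lines = []
    for r in records:
        if r["type"] != SBK_READ or r["fd"] != 0:
            continue
        buffers[r["pid"]] += r["data"]
        while b"\n" in buffers[r["pid"]]:
            line, _, rest = bytes(buffers[r["pid"]]).partition(b"\n")
            lines.append((r["pid"], r["com"], line.decode("ascii", "replace")))
            buffers[r["pid"]] = bytearray(rest)
    return lines


def first_root_record(records):
    """Return the first record logged with uid 0, i.e. where root was gained."""
    for r in records:
        if r["uid"] == 0:
            return r
    return None


# --- constructed sample session: a shell as uid 1000, later a root shell -----
def make_record(counter, pid, uid, com, data, rtype=SBK_READ, fd=0,
                magic=MAGIC_VALUE):
    hdr = HEADER.pack(magic, 3, rtype, counter, 1069000000 + counter, 0,
                      1, pid, uid, fd, 0, com.encode().ljust(12, b"\x00"),
                      len(data))
    return hdr + data


SAMPLE_DATAGRAMS = [
    (DEST_UDP_PORT, make_record(1, 2001, 1000, "bash", b"id\n")),
    (DEST_UDP_PORT, make_record(2, 2001, 1000, "bash", b"ls -la /tm")),
    (DEST_UDP_PORT, make_record(3, 2001, 1000, "bash", b"p\n")),
    (DEST_UDP_PORT, make_record(4, 2001, 1000, "bash", b"./run\n")),
    (53, b"\x00\x01\x01\x00" * 4),                                  # unrelated DNS traffic
    (DEST_UDP_PORT, make_record(6, 2002, 1000, "bash", b"no\n", magic=0x1234)),  # wrong Magic Value
    (DEST_UDP_PORT, make_record(7, 2042, 0, "sh", b"whoami\n")),
]

if __name__ == "__main__":
    recs = collect(SAMPLE_DATAGRAMS)
    for pid, com, line in keystroke_lines(recs):
        print(f"pid={pid} {com}: {line}")
    root = first_root_record(recs)
    print("root gained at counter", root["counter"], "in", root["com"])
```

Because the client writes frames straight to the device driver, the server only ever sees the UDP payload; the Magic Value and port check is therefore the one filter that separates Sebek records from everything else arriving on the Honeywall, and a client installed with a different Magic Value is silently dropped, as the sixth sample datagram shows.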
  • Limitations
    Sebek modules can be detected with rootkit detection tools
  • References
    The Honeynet Project, “Know Your Enemy: Sebek”, 17 November 2003.
    http://old.honeynet.org/papers/sebek.pdf