Sebek

Data capture tool used by honeynets to track down attackers

Published in Technology
Transcript

  • 1. Sebek
    A kernel-based capture tool
    Prepared by Jaison Salu John
  • 2. Sebek
    Sebek is a data capture tool.
    Its purpose is to accurately recreate the events on a honeypot:
    When an intruder broke in
    How they did it
    What they did after gaining access
    What their motivations are
    Who they may be working with
    Sebek captures data that reveals the intruder's keystrokes and the impact of the attack.
  • 3. Sebek Architecture
    Architecture diagram (components as labelled on the slide): each Honeypot runs a Sebek Client Module; the Sebek Packets they emit are received by the Sebek Server Module on the Honeywall Gateway, which feeds the Sebek Web Interface.
  • 4. How does Sebek capture data on the client?
    Diagram (honeypot, user space vs. kernel space): a user-space program calls read() through the standard library; the call goes through the syscall table, where the Sebek Kernel Module has replaced the read entry with its own New_Read routine, which passes the data to the Data Logger and then calls the original read. Pointers to the original read and original write handlers are stored by the module.
  • 5. How are Sebek packets kept hidden on the network?
    General flow: the Sebek Kernel Module (Data Logger, Packet Generator, Transmitter) hands its packets straight to the network device driver, onto the local Ethernet.
    Sebek packets bypass the socket interface, the TCP/IP stack and Netfilter; the Linux kernel's TCP/IP stack itself is not being used, so the packets are not visible to the honeypot's own networking tools.
  • 6. Sebek Record Header
  • 7. Sebek Functions
    Monitoring keystroke activity
    Recovering the command line
    Loading records into a database
    Recovering files the attacker tried to copy using the scp command
    Identifying the point at which the attacker gained root access
    Web interface for browsing the captured data
  • 8. Sebek Client Installation Variables
    Interface
    Destination IP
    Destination MAC
    Magic Value
    Destination UDP Port
    Source UDP Port
    Keystrokes only
    Testing
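The following is an added example, not code from the presentation or from the Honeynet Project. It shows, for slides 6 through 8, what the server side does with the records the client module sends: it parses the Sebek record header, filters on the magic value (one of the installation variables from slide 8), rebuilds keystrokes per process from the read() data, and locates the first record reporting uid 0 (slide 7). The 48-byte version 2 header layout (magic, version, type, counter, time, pid, uid, fd, 12-byte command name, length) follows the "Know Your Enemy: Sebek" paper in the references; the magic value, UDP port and sample records are constructed here and are not from the page.

```python
"""Parse Sebek v2 records as delivered in UDP payloads and rebuild the
intruder's keystrokes per process.

Added example; not the Honeynet Project's code. The header layout follows the
"Know Your Enemy: Sebek" paper, while MAGIC_VALUE, DEST_UDP_PORT and the
sample records are constructed for this example.
"""
import struct
from collections import defaultdict

# Header: all integers in network byte order (big-endian), 48 bytes total.
# magic, version, type, counter, time_sec, time_usec, pid, uid, fd, com[12], length
SEBEK_HDR = struct.Struct("!IHHIIIIII12sI")
SEBEK_HDR_LEN = SEBEK_HDR.size
TYPE_READ = 0   # data returned by the hooked read() (keystrokes)
TYPE_WRITE = 1  # data passed to write()

# Installation variables from slide 8; both values are constructed here.
MAGIC_VALUE = 0xD1CE6A1B
DEST_UDP_PORT = 1101


def parse_record(payload):
    """Return one Sebek record as a dict, or None if the payload is not ours.

    The magic value is the filter the server uses to ignore unrelated UDP
    traffic that happens to arrive on the same port."""
    if len(payload) < SEBEK_HDR_LEN:
        return None
    (magic, ver, rtype, counter, t_sec, t_usec,
     pid, uid, fd, com, length) = SEBEK_HDR.unpack_from(payload)
    if magic != MAGIC_VALUE or ver != 2:
        return None
    data = payload[SEBEK_HDR_LEN:SEBEK_HDR_LEN + length]
    if len(data) != length:  # truncated on the wire: drop rather than guess
        return None
    return {
        "type": rtype, "counter": counter,
        "time": t_sec + t_usec / 1e6,
        "pid": pid, "uid": uid, "fd": fd,
        "com": com.split(b"\0", 1)[0].decode("ascii", "replace"),
        "data": data,
    }


def build_record(rtype, counter, pid, uid, fd, com, data, magic=MAGIC_VALUE):
    """Pack a record the way the client module would; used only to build
    the constructed sample input below."""
    name = com.encode()[:12].ljust(12, b"\0")
    hdr = SEBEK_HDR.pack(magic, 2, rtype, counter, 0, 0, pid, uid, fd, name, len(data))
    return hdr + data


def reconstruct_keystrokes(packets):
    """Concatenate read() data per (pid, fd, command) in counter order.

    An interactive shell reads keystrokes a few bytes at a time, so joining
    the reads in counter order reproduces the typed command line."""
    records = [r for r in map(parse_record, packets) if r and r["type"] == TYPE_READ]
    records.sort(key=lambda r: r["counter"])
    sessions = defaultdict(bytes)
    for r in records:
        sessions[(r["pid"], r["fd"], r["com"])] += r["data"]
    return dict(sessions)


def first_root_record(packets):
    """Return the earliest record (by counter) reporting uid 0, or None."""
    roots = [r for r in map(parse_record, packets) if r and r["uid"] == 0]
    return min(roots, key=lambda r: r["counter"]) if roots else None


# Constructed sample traffic, deliberately out of order and with two packets
# that must be rejected: plain junk and a record carrying the wrong magic.
SAMPLE_PACKETS = [
    build_record(TYPE_READ, 2, 1234, 1000, 0, "bash", b" -la\n"),
    build_record(TYPE_READ, 1, 1234, 1000, 0, "bash", b"ls"),
    b"not a sebek record at all",
    build_record(TYPE_WRITE, 3, 1234, 1000, 1, "ls", b"total 0\n"),
    build_record(TYPE_READ, 9, 4321, 1000, 0, "bash", b"whoami\n", magic=0x11111111),
    build_record(TYPE_READ, 4, 1300, 0, 0, "bash", b"id\n"),
]

if __name__ == "__main__":
    for key, keys in reconstruct_keystrokes(SAMPLE_PACKETS).items():
        print(key, keys)
    print("first uid 0 record:", first_root_record(SAMPLE_PACKETS))
```

Only type 0 (read) records feed the keystroke view; write records are kept for the database but not merged into command lines, because they carry program output rather than what the intruder typed. Sorting on the counter rather than on arrival order matters because the packets are transmitted without the TCP/IP stack and can arrive reordered.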
  • 9. Limitations
    Sebek modules can be detected with rootkit detection tools
  • 10. References
    Know your Enemy – Sebek
    The Honeynet Project (17 November 2003)
    http://old.honeynet.org/papers/sebek.pdf