LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 11-01-2005, 10:30 AM   #1
TotalDefiance
Member
 
Registered: Jan 2004
Distribution: Slackware, RH, WBEL
Posts: 65

Rep: Reputation: 15
*working* kernel based keylogger for honeypot?


I've searched a good bit on the topic, and tried compiling vlogger (2.1.1 i think) however I have not had much luck.

I have a vmware honeypot set up and would like to avoid using user-mode-linux on top of that if possible. I have not been able to find a clear-cut linux kernel based keylogger which works (aside from mentions of prepackaged rootkits and related). vlogger has many errors when compiling on a 2.4. kernel (does compile the control program however crashes when compiling the actual keylogger)....and when compiling on the 2.6.x series, even more errors are had.

I dont really 'program' aside from when I need to so 'diving right in' to using kernel hooks and kernel input buffers to make my own for this purpose would take a while.

Links, ideas anyone?
 
Old 11-03-2005, 08:32 AM   #2
TotalDefiance
Member
 
Registered: Jan 2004
Distribution: Slackware, RH, WBEL
Posts: 65

Original Poster
Rep: Reputation: 15
anyone?...
 
Old 11-03-2005, 02:48 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
I've searched a good bit on the topic
Just curious what you found then.


I have a vmware honeypot
You know Vmware can be detected? And you don't need to be root for it.


I have not been able to find a clear-cut linux kernel based keylogger which works (aside from mentions of prepackaged rootkits and related).
You got a job to be done, so whats wrong with rootkits if that would work? Anyway, tried Sebek?


vlogger (..) however crashes when compiling the actual keylogger
Did you drop a question about that in the Programming forum? Might help..
 
Old 11-03-2005, 09:07 PM   #4
TotalDefiance
Member
 
Registered: Jan 2004
Distribution: Slackware, RH, WBEL
Posts: 65

Original Poster
Rep: Reputation: 15
1) mainly found various references to vlogger and infinite references to
http://www.phrack.org/show.php?p=59&a=14

Nothing definite.

2) yes, i am aware of the ease it takes to identify vmware regarding looking at the devices, *especially*in regards to vga. however vmware is at least legitimtate software. However if there are other ways you're aware of of detecting a virtual instance, please share. i'm not oppsed to slapping togethor an old PII, just lazy I suppose.

No, I have no opposition to rootkits, they would even be preferable and convenient in this instance, they are just soemwhat foreign territory to me as far as what ones exist and such. Sebek's info looks very promising.


3) If Sebek falls through, I'll take the programming forum advice; just thought I'd see if i could grab some quick and dirty comments here.

Thanks.
 
Old 11-05-2005, 11:25 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
However if there are other ways you're aware of of detecting a virtual instance, please share.
VMware specific: BIOS values, magic number/segfault check, VMware backdoor (legitimate), IDT address, execution timing, dmesg, IP ID's, VMware's MAC address vendor range, TCP stack errors. General: execution timing (vs clean system), looking for shaping/limiting, payload changes. For me the most important thing to realise is that honeypots are (quoting Corey) "a modification to the structure of the system that can and will be found". Articles and discussions on various mailinglists are easy to find at either SecurityFocus, MARC or Phrack, but here's some docs:
- Phrack phake, p62-0x07: Local Honeypot Identification (txt)
- Phrack phake, p63-0x09: Advanced Honey Pot Identification And Exploitation (txt)
- CCC, Nosebreak: Attacking Honeynets (pdf)
- USMA, 2005 IEEE: Detecting Honeypots and other suspicious environments (pdf)
- VMware's back
- SecurityFocus.com, 4tphi: Detecting VMWare
- SecurityFocus.com, Defeating Honeypots: System Issues, Part 1 and Part 2, also note the "Network issues" and other docs in the reference table at the bottom)


BTW, changing all Makefile maligns to faligns was all I needed to do, so what exactly where those errors compiling Vlogger?

Last edited by unSpawn; 11-05-2005 at 11:26 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
keylogger? |2ainman Linux - Security 4 08-21-2013 03:48 AM
Advertising honeypot? Dark_Helmet LQ Suggestions & Feedback 17 09-16-2005 05:40 PM
keylogger in java? Laptop2250 Programming 2 01-08-2005 05:27 PM
explain honeypot and tarpit? servnov Linux - Networking 3 09-30-2004 07:53 PM
help with lkl keylogger br0k3n Linux - Software 0 07-22-2004 04:55 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:14 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration