Re: unsuccessful hacking attempt at my machine
From: /dev/null (dev.null_at_BeginThread.com)
Date: 01/28/05
- Previous message: Gandalf Parker: "Re: unsuccessful hacking attempt at my machine"
- In reply to: Gandalf Parker: "Re: unsuccessful hacking attempt at my machine"
- Next in thread: Edward Buck: "Re: unsuccessful hacking attempt at my machine"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Jan 2005 03:28:14 GMT
>> I have an awesome opportunity to set up a number of honeypots using
>> vmware off of a fairly attractive connection. I'd like to pursue this
>> over the next year.
>
> You might ask around how much VMware is getting hit. Windows and RedHat
> are popular, which means many machines running them, which means many
> people trying to get into them. And all of that means that any rootkit
> site has far more exploits and scripts for those OS's. The same reason
> that some people use those OS's (lots of people and sites that can give
> you help with it) is the same reason that skiddies like them also.
VMware is the software you run on a box that allows you to set up virtual
machines and load whole new OSes and run them like an app on your desktop.
For example:
 ________   ___________   ___________   ______________
| W2K VM | | RH 9.0 VM | | Win XP VM | | Slack 9.1 VM |
 --------   -----------   -----------   --------------
|            VMware Workstation Application            |
 ------------------------------------------------------
|               Real OS - Linux/Windows                |
 ------------------------------------------------------
|                       HARDWARE                       |
 ------------------------------------------------------
The VM OSes are "tricked" into thinking that they own the box and they are
the only system running on the box. Now you can tell it's a VM because the
devices are VM devices (PCI probes show the devices aren't device names
you'd recognize, they are VM device names). And now some worms are checking
to see if the current box is a VM and if it is, they change their behavior,
preventing good testing of a virus/worm in a closed system.
You can completely back up a VM (called a snapshot) and later restore it
again. Thus it's ideal as a honeypot because while the cracker is trying to
get in they can't tell it's a VM. And most of them aren't smart enough once
they're in to figure it out. So they trash the system and you just turn it
off in the VMware app, restore from snapshot, and start the system back up.
Everything was completely restored back to the exact same as when the
snapshot was made. Imagine being able to back up your entire PC, not just
the data on the hard drive, but all the hardware itself and now you have a
good idea of how powerful a VM snapshot is.
> I'm not sure if it should ever be a question of how well written they are.
> If it's popular, then every tiny hole will get found and abused. I know
> that the subject of "security thru obscurity" is another area that I
> disagree with the status quo on, but it really seems that using a lesser
> known OS provides a bit of security all by itself.
VMware isn't an OS. It's a virtual machine.
>> One of the routers along the way is a linux box which can just open up
>> and log everything going on, so for the most part the logging would be
>> transparent to the cracker while allowing me to crack down when I need
>> to re-image or some other similar action.
>
> That's a good arrangement. A lot of people like that since they can run
> sniffers and such on the router box to watch the action.
Yep, and you can log all the packets and take your time to examine the
actual activity later at your leisure.
> It varied. Early on I was a bit of a grey hat (crossing the line for the
> powers of good). I logged into their machines and took files which showed
> all the boxes they had gotten into, then I logged into those boxes using
> their secret accounts. But that led to discussions about it being
> technically as wrong as their actions.
I can understand the ethical dilemma. I don't know that I'd want to log into
a system that I knew I really didn't have the authority to be on. What
would really be cool is if you could get a search warrant issued and work
with law enforcement to go back to their box and obtain such lists in a
twofold effort to have the authorities prosecute them as well as contact others
that were broken into and let them re-secure their systems.
You may unearth credit card fraud and other online cracker activity that is
becoming more frequent these days.
> If it's coming from outside of NATO then I put more effort into actually
> making contact. I love it when they tell me that my FBI can't touch them.
> I laugh at them and say "Why would I want to do that? It gains me
> nothing. I would much rather sue you, your parents, your ISP, and
> everyone else I can name. I will get everything you own even if it's just
> that computer you are using." In many of those countries lawsuits from
> the US gain major inertia. I learned that from an ISP I worked for that
> was owned/run by a law firm. Overseas? Don't threaten them with law,
> threaten them with lawsuits.
Know of a good firm that will take on such cases without any money up front
for a cut of the punitive damages? Then you can have some fun expense free.