Know Your Enemy: Sebek A Kernel Based Data Capture Tool
1
Know Your Enemy Sebek - A Kernel Based Data
Capture Tool
  • The Honeynet Project
  • Last Modified 17 November 2003

2
Outline
  • Motivation
  • Sebek overview
  • Sebek architecture
  • Client data capture
  • Client module hiding
  • Data collection
  • Sebek protocol specification
  • Limitations
  • The Sebek web interface

3
Motivation
  • To observe intruders who use session encryption,
    Sebek uses kernel based rootkit techniques to
    circumvent, rather than break, the encryption.
  • Recall from Scott McLean's talk that there are
    three important aspects to honeypot technology:
  • Data control: the containment of the attacker's
    activity to limit collateral damage.
  • Data capture: the monitoring and logging of the
    attacker's activities.
  • Data collection: the requirement to collect data
    from distributed honeypots and store it in a safe
    and convenient location.
  • Sebek is mostly a data capture tool, but it has
    interesting data collection functionality.

4
Sebek Overview
  • Stream analysis is very useful when the session
    is not encrypted.
  • To circumvent encryption, a trojaned binary can
    be used, but attackers upload their own trusted
    versions. The most robust capture method is from
    within the OS kernel.

5
Sebek Versions
  • Sebek v1 used a trojaned sys_read call (from the
    adore rootkit) to capture keystrokes from the kernel.
  • Sebek v2 captures all sys_read data.
  • This captures keystrokes, but also file copies,
    IRC, mail.
  • It also makes Sebek harder to detect by hiding
    its logging traffic, to protect against the
    attacker's sniffers.
  • Sebek v2 allows one to look at the honeypot as a
    glass box, instead of the traditional network
    black box.

6
Sebek Architecture
  • The client collects the data from the honeypot
    and exports it to the network.
  • The server collects from one of two sources: live
    packet capture from the network, or a packet capture
    archive stored as a tcpdump formatted file.
  • The client resides entirely in the honeypot's
    kernel space and records all user data accessed
    via the read() system call.

7
Client Data Capture
8
Client Module Hiding
  • Because Sebek is entirely in kernel space, most
    rootkit techniques (?) do not apply.
  • Hiding the existence of the module is a direct
    benefit.
  • A second module, the cleaner, is installed.
  • It manipulates the linked list of installed modules
    to remove Sebek. This is not completely robust;
    see the Linenoise section of Phrack 61 (?).
  • Users can no longer see that Sebek is installed.
  • Users are unable to rmmod the Sebek module.

9
Data Collection
  • Sent on the LAN. Not the most secure option, but
    widely used.
  • Sent by UDP, but outside the normal flow.
  • Kernel modified.
  • All Sebek packet detection is disabled.
  • The system cannot block transmission or count the
    number of packets.
  • The Sebek server sees all packets.
  • Keystroke activity can be monitored from the
    command line, or saved to a database.

10
Client Packet Generation
  • Every read() generates one or more log packets.
  • They carry information on the context of the call
    made and the data accessed.
  • Sebek record fields: the process making the call,
    the time, the length of the data recorded, and the
    data itself.
  • The packets are generated entirely within Sebek,
    without using the TCP/IP stack.
  • The system is unable to see or block packets
    generated by the resident client.
  • The packets are sent directly to the device
    driver, bypassing the raw socket code path (?).

11
Sebek Packet Obfuscation
  • IPTABLES is useless, since Sebek packets are sent
    directly to the device driver.
  • LAN sniffers cannot detect Sebek packets.
  • To prevent a sniffer on Honeypot A from detecting
    the Sebek packets from Honeypot B, Sebek installs
    its own implementation of the raw socket
    interface (!). This implementation silently
    ignores Sebek packets: it simply drops them on the
    floor and moves on.
  • Sebek packets are defined as those that have a
    predetermined destination UDP port and the proper
    magic number set in the Sebek header.

12
The Client Packet Hiding Decision
(flowchart: check the packet type to decide whether to hide it)
13
Sebek Versions
  • Sebek was originally developed on Linux.
  • It has been ported to other operating systems:
  • Win32.
  • Solaris.
  • OpenBSD.
  • The Sebek protocol was specified to ensure
    interoperability.

14
Sebek Protocol Specification
Sebek splits the read data into multiple fragments
if the data is longer than the LAN MTU. Each
fragment is a proper Sebek packet.
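The packet hiding decision (destination UDP port plus magic number) and the per-read() fragmentation described above, as an added Python example that is not Sebek's own code. The record layout, port and magic are constructed placeholders, not the real Sebek v2 wire format; the same classifier serves the client's hiding decision and the server's collection filter.

```python
import struct
from collections import defaultdict

# Assumed, simplified record layout (constructed for this example, not Sebek's
# real header): magic(4) pid(4) time_sec(4) length(4), then `length` data bytes.
SEBEK_MAGIC = 0xD0D0D0D0   # placeholder magic, assumed
SEBEK_PORT = 1101          # placeholder destination UDP port, assumed
HDR = struct.Struct("!IIII")
MTU_PAYLOAD = 8            # artificially small MTU so the sample fragments

def is_sebek_packet(frame, port=SEBEK_PORT, magic=SEBEK_MAGIC):
    """The hiding decision: an IPv4/UDP datagram is a Sebek packet iff its
    destination port and the magic at the start of its payload both match."""
    if len(frame) < 20 or frame[0] >> 4 != 4 or frame[9] != 17:
        return False                          # not IPv4, or not UDP
    ihl = (frame[0] & 0x0F) * 4
    udp = frame[ihl:]
    if len(udp) < 8 + HDR.size:
        return False                          # too short to carry a header
    dport = struct.unpack("!H", udp[2:4])[0]
    return dport == port and struct.unpack("!I", udp[8:12])[0] == magic

def fragment(pid, t, data):
    """Client side: split one read() into MTU-sized chunks, each a full record."""
    chunks = (data[i:i + MTU_PAYLOAD] for i in range(0, len(data), MTU_PAYLOAD))
    return [HDR.pack(SEBEK_MAGIC, pid, t, len(c)) + c for c in chunks]

def wrap_udp(payload, dport=SEBEK_PORT):
    """Minimal IPv4+UDP framing (checksums left zero) around one record."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return ip + udp

def collect(frames):
    """Server side: keep only Sebek packets and reassemble read() data per pid,
    concatenating fragments in arrival order (an assumption of this example)."""
    out = defaultdict(bytes)
    for f in frames:
        if not is_sebek_packet(f):
            continue
        off = (f[0] & 0x0F) * 4 + 8           # start of the Sebek record
        _magic, pid, _t, n = HDR.unpack_from(f, off)
        out[pid] += f[off + HDR.size: off + HDR.size + n]
    return dict(out)
```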
15
Sebek Limitations
  • It is possible to detect Sebek by using common
    rootkit detection techniques (?).
  • The /dev/kmem feature in Linux, an interface to
    the physical memory, can be used to detect or
    disable Sebek.
  • Data control is an issue: Sebek would be powerful
    in the hands of attackers.
  • Sebek export data is no longer encrypted.
  • Packet headers are no longer spoofed.
  • Only Sebek enabled honeypots are blind to Sebek
    packets; other systems on the network can detect
    them.
  • Standard rootkit features have been removed from
    Sebek.

16
The Sebek Web Interface
The web interface works on the server
database. It has three main functions:
  • The keystroke summary view provides a summary of
    all keystroke activity.
  • The search view allows users to query for
    specific information.
  • The browse view provides a summary of all
    activity, including non-keystroke activity.

17
Example 1/6
18
Example 2/6
19
Example 3/6
20
Example 4/6
21
Example 5/6
22
Example 6/6
23
References
  • Know Your Enemy: Sebek - A kernel based data
    capture tool. The Honeynet Project. 21 April
    2004 <www.honeynet.org/papers/sebek.pdf>
  • C5 1.0 Man Pages, Jaluna. 21 April 2004
    <www.jaluna.com/doc/c5/html/ManPages/hman7s/kmem.7s.html>
  • Madsys. Finding Hidden Kernel Modules (the extreme
    way). Phrack Inc. 21 April 2004
    <www.phrack.org/show.php?p=61&a=3>