ha.ckers sla.cking
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Check if you are in a honeypot?
Posted by: kevin85
Date: June 28, 2010 11:46AM

By akshell

Being trapped in a honeypot may be the worst thing that can happen during a penetration test. The script below will give you some hints to see if you are in this situation.

dmesg |egrep -i 'vmware|xen'

Besides, VMware's MAC address also starts with the fixed strings "00:50:56" or "00:0c:29". You can also use this feature as a cue.

ifconfig -a |egrep -i '00:50:56|00:0c:29'

The following C program also achieves the goal in a more accurate way.
Successfully tested on Xen & VMware.

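/*
 * gcc -Wall -o checkVM checkVM.c
 * (32-bit x86 only; on a 64-bit toolchain build with -m32)
 * check linux OS in VMware ?
 * by alert7
 */
#include <stdio.h>

/* Layout SIDT writes in 32-bit mode: 16-bit limit, then 32-bit base. */
struct idtr
{
    unsigned short limit;
    unsigned int base;
} __attribute__ ((packed));

/* Read the IDT base with the SIDT instruction. */
unsigned int get_addr_idt()
{
    struct idtr idtr;
    asm("sidt %0" : "=m" (idtr));
    return idtr.base;
}

int main()
{
    unsigned int ptr_idt;
    ptr_idt = get_addr_idt();
    printf("IDT Addr %p \n", (void *)(unsigned long)ptr_idt);
    /* On native 32-bit Linux the IDT lies in kernel space at 0xc0xxxxxx. */
    if ( (ptr_idt>>24)==0xc0)
        printf("Real Linux\n");
    else
        printf("Maybe in VMare\n");
    return 0;
}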

Any new methods are welcome.

Linux Pentest Sites
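
For whoever operates the decoy, the two grep checks in the post double as a self-audit of what the guest gives away. The script below is an added example, not part of the original post; the function names and the sample interface and kernel-log text are constructed for illustration.

```shell
#!/bin/sh
# Audit a decoy host for the two indicators the post greps for:
# VMware OUI prefixes on a NIC and hypervisor names in the kernel log.
# All names and sample data here are constructed, not from the post.

# stdin: `ifconfig -a` style text. Prints each MAC (lower-cased, unique)
# whose first three octets are 00:50:56 or 00:0c:29.
vmware_macs() {
    grep -Eio '([0-9a-f]{2}:){5}[0-9a-f]{2}' |
        tr 'A-F' 'a-f' |
        grep -E '^(00:50:56|00:0c:29):' |
        sort -u
}

# stdin: kernel log text. Prints lines naming a hypervisor
# (same pattern as the post's dmesg check).
hypervisor_lines() {
    grep -Ei 'vmware|xen'
}

# $1 = interface listing, $2 = kernel log.
# Prints one finding per line; returns 1 if anything leaks, 0 if clean.
audit_decoy() {
    findings=$(
        printf '%s\n' "$1" | vmware_macs | sed 's/^/mac-oui: /'
        printf '%s\n' "$2" | hypervisor_lines | sed 's/^/dmesg: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input so the script runs offline.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0C:29:3A:1B:2C
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
lo        Link encap:Local Loopback'
SAMPLE_DMESG='[    0.000000] DMI: VMware, Inc. VMware Virtual Platform
[    1.204511] e1000: eth0 NIC Link is Up 1000 Mbps'

audit_decoy "$SAMPLE_IFCONFIG" "$SAMPLE_DMESG" ||
    echo "decoy exposes virtualization indicators"
```

On a live guest, pass `"$(ifconfig -a)"` and `"$(dmesg)"` instead of the samples; each `mac-oui` finding is a NIC whose address should be changed to a non-VMware prefix.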
