Sla.ckers.org
Script obfuscation, filter evasion, IDS/IPS/WAF bypassing... this is where it should live. Because this topic is too big to live anywhere else. Phj33r! 
Check if you are in a honeypot?
Posted by: kevin85
Date: June 28, 2010 11:46AM

By akshell
Site:http://www.linuxpentest.com

Being trapped in a honeypot may be the worst thing that happens during a penetration test. The script below will give you some hints to see if you are in this situation.

dmesg |egrep -i 'vmware|xen'

Besides, VMware's MAC address also starts with the fixed strings "00:50:56" or "00:0c:29". You can also use this feature as a cue.

ifconfig -a |egrep -i '00:50:56|00:0c:29'

The following C program also achieves the goal in a more accurate way.
Successfully tested on Xen & VMware.

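/*
 * gcc -Wall -o checkVM checkVM.c
 * check linux OS in VMware ?
 * by alert7
 *
 * 32-bit x86 only (on a 64-bit host, build with -m32): in 32-bit mode
 * SIDT stores a 6-byte operand, which is what struct idtr describes.
 */
#include <stdio.h>

/* Operand written by SIDT: 16-bit limit followed by 32-bit base. */
struct idtr
{
    unsigned short limit;
    unsigned int base;
} __attribute__ ((packed));

/* Read the IDT base address with the SIDT instruction. */
unsigned int get_addr_idt(void)
{
    struct idtr idtr;
    asm volatile("sidt %0" : "=m" (idtr));
    return idtr.base;
}

int main(void)
{
    unsigned int ptr_idt;

    ptr_idt = get_addr_idt();
    printf("IDT Addr 0x%08x\n", ptr_idt);
    /* A base in 0xc0xxxxxx is treated as the native case. */
    if ((ptr_idt >> 24) == 0xc0)
        printf("Real Linux\n");
    else
        printf("Maybe in VMware\n");
    return 0;
}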

Any new methods are welcome.

Linux Pentest Sites
http://www.linuxpentest.com
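For someone auditing which of the post's indicators their own honeypot or analysis VM exposes, the MAC-prefix check can be made stricter than a substring match. This is an added example, not part of the original post: it parses each address and compares only the first three octets against the two prefixes the post names, so a line where "00:50:56" appears mid-address is not counted. The function names and the sample interface lines are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The two VMware prefixes named in the post. */
static const unsigned char VMWARE_OUI[][3] = { {0x00, 0x50, 0x56}, {0x00, 0x0c, 0x29} };

/* Constructed sample of `ifconfig -a` lines; eth2 has the prefix mid-address. */
static const char SAMPLE_IFCONFIG[] =
    "eth0  Link encap:Ethernet  HWaddr 00:50:56:C0:00:08\n"
    "eth1  Link encap:Ethernet  HWaddr 00:0c:29:3e:1a:7f\n"
    "eth2  Link encap:Ethernet  HWaddr 52:00:50:56:aa:01\n"
    "eth3  Link encap:Ethernet  HWaddr 3c:97:0e:12:34:56\n";

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Return 1 and fill mac if the 17 chars at p read xx:xx:xx:xx:xx:xx. */
static int mac_at(const char *p, unsigned char mac[6])
{
    for (int i = 0; i < 17; i++) {
        unsigned char c = (unsigned char)p[i];
        if (i % 3 == 2 ? c != ':' : !isxdigit(c))
            return 0;                       /* also stops at the NUL */
    }
    for (int i = 0; i < 6; i++)
        mac[i] = (unsigned char)(hexval(p[3 * i]) << 4 | hexval(p[3 * i + 1]));
    return 1;
}

/* Count whole MAC tokens whose first three octets are a VMware OUI. */
int count_vmware_macs(const char *text)
{
    int hits = 0;
    unsigned char mac[6];
    for (const char *p = text; *p; p++) {
        int start_ok = p == text || !(isxdigit((unsigned char)p[-1]) || p[-1] == ':');
        if (!start_ok || !mac_at(p, mac))
            continue;
        int tail = (unsigned char)p[17];
        if (!isxdigit(tail) && tail != ':')  /* not part of a longer address */
            for (size_t i = 0; i < sizeof VMWARE_OUI / sizeof VMWARE_OUI[0]; i++)
                hits += memcmp(mac, VMWARE_OUI[i], 3) == 0;
        p += 16;                             /* skip the token just parsed */
    }
    return hits;
}

int main(void)
{
    printf("VMware-prefixed MACs: %d\n", count_vmware_macs(SAMPLE_IFCONFIG));
    return 0;
}
```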
