[Question] Is it possible or has it been done, can a Honeypot be created with bash aliases that would use a very common command someone would run if they were in your system but it aliases to some
from whostosay@lemmy.world to linux@lemmy.ml on 10 Jul 07:10
https://lemmy.world/post/32743529

Sort of command that would pull a download that is self executed to the host machine?

That’s worded a bit fucky, if I need to elaborate, please chime in.

#linux


Strit@lemmy.linuxuserspace.show on 10 Jul 07:24

Sounds like you are trying to setup a keylogger of sorts…

whostosay@lemmy.world on 10 Jul 07:56

Not quite: the PC gets hacked; on the hacked machine someone does something like cd, but on that PC cd has been set up as an alias for some sort of command that downloads a malicious executable to the hacker's machine and executes it.

That executable very well could be a keylogger, but doesn't necessarily have to be. It could be rm -rf --no-preserve-root / or a reverse shell or whatever really.

I imagine cd would be a terrible choice to alias given how much it’s used, but maybe something else more obscure could be used that is frequently used when bots/attackers are rummaging through files for stuff to steal.

Strit@lemmy.linuxuserspace.show on 10 Jul 08:06

I mean, I’m sure it’s possible, it’s just a matter of how to get the honeypot/script on the system and give the downloaded file executable rights.

whostosay@lemmy.world on 10 Jul 08:23

Is there anything that is specific to ssh that would allow for this? Like a command that would allow something to execute back to the other machine, similar to downloading? I'm not well versed; it's just kind of a napkin idea I thought of.

sprite0@sh.itjust.works on 10 Jul 08:31

You can't know what system architecture is on the ssh client side. It could be a Mac, a Windows or Linux box, Android or iOS, BeOS, AmigaOS, etc.

So even if you could get ssh to pass malicious code how would you know what code to pass?

What you’re asking for is nigh impossible i think.

whostosay@lemmy.world on 10 Jul 08:36

I kind of figured it would be a shot in the dark, some scripting could definitely be done to assess that, and even run code per major OS depending on some automated recon.

Let’s say you’ve got that figured out, and the user is running putty on windows as an administrator. Is there anything that could take advantage of that fact?

I feel like this would be way easier/more feasible to run a script on your own machine as a defensive measure like OC mentioned earlier, but I'm just more asking out of curiosity. I'm not skilled enough to even imagine what to do with this or write it, but I am fascinated by security stuff.

whostosay@lemmy.world on 10 Jul 08:38

And when you say “can’t know” do you mean it would be impossible to tell strictly through SSH?

sprite0@sh.itjust.works on 10 Jul 08:44

The ssh protocol doesn't provide any mechanism for your server to identify the client host architecture, nor does it provide any mechanism I'm aware of to send any payloads back to the client host for arbitrary execution.

The thing is, ssh is a protocol, and its implementation is not going to be identical across clients.

So if you found a bug in an ssh client that allowed for this, your hypothetical attack vector would only work on intruders using that broken client. ssh is one of the most scrutinized protocols there are, and you'd be a hero if you found this bug. As for what you're asking for, if it were as easy as you might hope, well, ssh wouldn't be the ubiquitous secure connection protocol if it were simple like that, right?

whostosay@lemmy.world on 10 Jul 08:47

Very true. Thanks for the education. SSH to me is just magic portal that lets me talk to my server in my closet lmao

sprite0@sh.itjust.works on 10 Jul 08:59

It's a fun thought experiment, as it's a very complex protocol.

DeuxChevaux@lemmy.world on 10 Jul 08:11

Something like this?

alias ls="who am i >> /var/log/intruder.log && logout"   # log the utmp login entry for this tty, then end the session (straight quotes; curly quotes are not parsed by bash)
alias l="/usr/bin/ls"                                     # the real ls, kept under a name the intruder is unlikely to try
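A fuller version of the same tripwire idea, added here as a worked example (it is not DeuxChevaux's code and not from the thread). It keeps the defensive part only: a common command is replaced by a shell function that records what the server side actually knows about the peer (the SSH_CONNECTION variable sshd sets, the tty, and the `who am i` login entry), appends it to a log, and drops the session. Nothing is pushed back to the client; as the thread says, SSH gives the server no channel for that. The log path, the list of wrapped commands and the TRIPWIRE_ARM switch are all assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: a defensive "tripwire" wrapper
# for a honeypot or throwaway account. A common command is replaced by a
# shell function that records who ran it, from where, and with what
# arguments, then ends the session. It only logs and disconnects.

# Assumed log location. /var/log is normally root-only, so an unprivileged
# account logs under its own home directory unless TRIPWIRE_LOG is set.
TRIPWIRE_LOG="${TRIPWIRE_LOG:-$HOME/.tripwire.log}"

# Build one log record for a tripped command (printed, not written).
# Everything here is what the server side really knows about the peer:
#   SSH_CONNECTION  client ip, client port, server ip, server port (set by sshd)
#   tty             the controlling terminal, if any
#   who am i        the utmp login entry for that tty (user, tty, time, origin);
#                   unlike `whoami`, which only prints the effective user name
tripwire_record() {
    tw_cmd="$1"; shift
    tw_ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    if [ -t 0 ]; then tw_tty="$(tty)"; else tw_tty="notty"; fi
    tw_who="$(who am i 2>/dev/null || true)"
    printf '%s uid=%s conn=%s tty=%s who=%s cmd=%s args=%s\n' \
        "$tw_ts" "$(id -u)" "${SSH_CONNECTION:-local}" "$tw_tty" \
        "${tw_who:-unknown}" "$tw_cmd" "$*"
}

# The trap: append the record, then drop the whole login session.
# $$ is still the login shell's pid inside a subshell, so SIGHUP reaches it
# even if the wrapper ran inside $(...) or a pipeline.
tripwire_trip() {
    tripwire_record "$@" >> "$TRIPWIRE_LOG"
    kill -HUP "$$" 2>/dev/null || exit 1
}

# Install the wrappers. Shell functions are used instead of aliases because
# they receive their arguments and are not subject to the rule that aliases
# are only expanded in interactive shells. The command list is an assumption:
# pick what an intruder rummaging around is likely to type first.
tripwire_install() {
    ls()   { tripwire_trip ls   "$@"; }
    cat()  { tripwire_trip cat  "$@"; }
    find() { tripwire_trip find "$@"; }
    # Keep a real ls reachable for yourself under a name only you know;
    # `command` skips the function wrapper.
    l() { command ls "$@"; }
}

# Arm only when explicitly asked, e.g. from the trap account's ~/.profile:
#   TRIPWIRE_ARM=1 . /path/to/tripwire.sh
# Sourced unarmed (the default) it only defines the functions.
if [ "${TRIPWIRE_ARM:-0}" = 1 ]; then
    tripwire_install
fi
```

Each record ends up as one line like `2025-07-10T07:24:00Z uid=1001 conn=203.0.113.5 51234 192.0.2.10 22 tty=/dev/pts/0 who=trap pts/0 2025-07-10 07:23 (203.0.113.5) cmd=ls args=-la /root` (illustrative; the client address comes from SSH_CONNECTION, not from anything the intruder can influence apart from the port). Append the log somewhere the trap account cannot truncate it if you want it to survive the intruder noticing.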

whostosay@lemmy.world on 10 Jul 08:25

Partially for sure. Other part of this would be somehow executing a command on the attackers machine that originated as their own input, but they wouldn’t be privy to that due to the alias.

I’ve seen some videos where people will willingly let scammers into their machine, and Honeypot them with a file that they execute, typically named like credit card info or bank info or something. But they knowingly click that and open it, I don’t know what needs to be done on the “make this code execute on the attackers machine” part.

If someone is ssh’d into your machine, are there any escalated privileges you’d already have back to their machine because they’ve willingly come to yours?

DeuxChevaux@lemmy.world on 10 Jul 09:22

Sounds illegal, though…

MonkderVierte@lemmy.zip on 10 Jul 09:19

Should be whoami tho.

DeuxChevaux@lemmy.world on 10 Jul 09:21

‘whoami’ and ‘who am i’ are two different things. Try it out.

thanksforallthefish@literature.cafe on 10 Jul 12:59

Damn. TIL. Knew about the first of course, but who am i as three separate pieces is new to me.

Sxan@piefed.zip on 10 Jul 11:48

I've thought about how to do this myself. The best idea I've had is to build a virus, or simply something destructive, or a program that downloads CP and emails it to the FBI; and use Justine's APE to build an executable and call it "bitcoin_wallet.exe". Entice the hacker to download a malicious program and execute it on their computer.

Then I lose interest and spend the time instead doing something to further tighten security on my VMs.