Bravo
Comment on What are You Working on Wednesday
RedPhoenix@aussie.zone 2 years ago
A medium interaction SSH honeypot backed by a basic LLM that believes it’s bash.
I’m impressed at the ability to retain limited state, and respond ‘reasonably enough’ that it’ll probably allow first stage automated attacks to be captured… but at the moment, it’s way too easy to peer behind the curtain.
It’s quite jarring when your bash terminal starts telling you a story about a happy dragon in response to some weird command.
ComradeKhoumrag@infosec.pub 2 years ago
kabobglance@infosec.pub 2 years ago
This sounds fun
RedPhoenix@aussie.zone 2 years ago
Yep… sigh
mwguy@infosec.pub 2 years ago
Instead of giving it a LLVM based shell, can you give it an actual shell in a container? Maybe backed by AppArmor or SELinux to prevent breakouts
RedPhoenix@aussie.zone 2 years ago
Tempting, but in order to reduce the potential attack surface, I’m likely just to create a simple simulator instead now.
If it’s good enough to fool the first few interactions of an automated script, that’ll probably do. That’ll give me the curl/wget target they’re trying to insect me with, most likely.
It means I can potentially create a single binary docker instance that can be reset practically instantly by deleting/reimporting.