Bravo
Comment on What are You Working on Wednesday
RedPhoenix@aussie.zone 1 year ago
A medium interaction SSH honeypot backed by a basic LLM that believes it’s bash.
I’m impressed at the ability to retain limited state, and respond ‘reasonably enough’ that it’ll probably allow first stage automated attacks to be captured… but at the moment, it’s way too easy to peer behind the curtain.
It’s quite jarring when your bash terminal starts telling you a story about a happy dragon in response to some weird command.
ComradeKhoumrag@infosec.pub 1 year ago
kabobglance@infosec.pub 1 year ago
This sounds fun
RedPhoenix@aussie.zone 1 year ago
Yep… sigh
mwguy@infosec.pub 1 year ago
Instead of giving it a LLVM based shell, can you give it an actual shell in a container? Maybe backed by AppArmor or SELinux to prevent breakouts
RedPhoenix@aussie.zone 1 year ago
Tempting, but in order to reduce the potential attack surface, I’m likely just to create a simple simulator instead now.
If it’s good enough to fool the first few interactions of an automated script, that’ll probably do. That’ll give me the curl/wget target they’re trying to insect me with, most likely.
It means I can potentially create a single binary docker instance that can be reset practically instantly by deleting/reimporting.