Bravo
Comment on What are You Working on Wednesday
RedPhoenix@aussie.zone 10 months ago
A medium interaction SSH honeypot backed by a basic LLM that believes it’s bash.
I’m impressed at the ability to retain limited state, and respond ‘reasonably enough’ that it’ll probably allow first stage automated attacks to be captured… but at the moment, it’s way too easy to peer behind the curtain.
It’s quite jarring when your bash terminal starts telling you a story about a happy dragon in response to some weird command.
ComradeKhoumrag@infosec.pub 10 months ago
kabobglance@infosec.pub 10 months ago
This sounds fun
RedPhoenix@aussie.zone 10 months ago
Yep… sigh
mwguy@infosec.pub 10 months ago
Instead of giving it a LLVM based shell, can you give it an actual shell in a container? Maybe backed by AppArmor or SELinux to prevent breakouts
RedPhoenix@aussie.zone 10 months ago
Tempting, but in order to reduce the potential attack surface, I’m likely just to create a simple simulator instead now.
If it’s good enough to fool the first few interactions of an automated script, that’ll probably do. That’ll give me the curl/wget target they’re trying to insect me with, most likely.
It means I can potentially create a single binary docker instance that can be reset practically instantly by deleting/reimporting.