
Nepenthes: building a honeypot by emulating vulnerabilities


Downloads:

  • libemu-0.1.0.tar.gz (21/11/2007 15:25, 549.31 Kb)
  • nepenthes-0.2.0.tar.gz (21/11/2007 15:25, 891.87 Kb)

1. What is Nepenthes?

    Nepenthes is a low interaction honeypot like honeyd or mwcollect. Low interaction honeypots emulate _known_ vulnerabilities to collect information about potential attacks. Nepenthes is designed to emulate the vulnerabilities worms use to spread, and to capture these worms. As there are many possible ways for worms to spread, Nepenthes is modular. There are module interfaces to

  • resolve DNS asynchronously
  • emulate vulnerabilities
  • download files
  • submit the downloaded files
  • trigger events (this sounds abstract, and it is abstract, but it is still quite useful)
  • handle shellcode

2. How does Nepenthes work?

  Nepenthes vulnerability modules require knowledge about the weakness, so that one can draft a Dialogue describing how the worm will exploit it, gain the information needed to download the file, and send the attacker just enough that he does not notice he is being fooled.
On the other hand, Nepenthes is quite useful for capturing new exploits for old vulnerabilities.
As Nepenthes does not know these exploits, they will appear in the logfiles.
By running these captures against a real vulnerable machine one can gain new information about the exploit and start writing a Nepenthes Dialogue.
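The pipeline described above (Dialogue, shellcode handler, download and submit modules, logging of unknown payloads), illustrated as an added example; this is not code from the Nepenthes project, and the protocol strings, the regular expression and the sample payload are constructed for the illustration.

```python
import re
from dataclasses import dataclass, field

# Added illustration of the Nepenthes pipeline, not Nepenthes code: a
# vulnerability-module "Dialogue" keeps the sender talking and records its
# bytes, a shellcode handler looks for a download location, and anything
# it cannot interpret is logged for later analysis on a real test host.

# Constructed pattern for the locations a download module would fetch.
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\w.\-]+(?::\d+)?(?:/[\w./\-]*)?")


@dataclass
class Dialogue:
    captured: bytearray = field(default_factory=bytearray)

    def banner(self) -> bytes:
        # Whatever the emulated service would say first (constructed value).
        return b"220 emulated-service ready\r\n"

    def feed(self, data: bytes) -> bytes:
        # Accept anything and answer "OK": the sender should not notice
        # that no real service is behind the socket.
        self.captured.extend(data)
        return b"200 OK\r\n" if data.endswith(b"\r\n") else b""


def shellcode_handler(payload: bytes) -> list[str]:
    # Stand-in for the shellcode handler: return the download locations the
    # download module would fetch, deduplicated and in stable order.
    return sorted({m.decode("ascii", "replace") for m in URL_RE.findall(payload)})


def process_capture(dialogue: Dialogue) -> dict:
    # Hand the captured bytes to the handler; a payload with no known
    # download location is kept as hex so an analyst can replay it later.
    payload = bytes(dialogue.captured)
    urls = shellcode_handler(payload)
    record = {"bytes": len(payload), "urls": urls}
    if not urls:
        record["unknown_hex"] = payload.hex()
    return record


if __name__ == "__main__":
    d = Dialogue()
    print(d.banner())
    # Constructed sample: filler bytes followed by an embedded fetch location.
    d.feed(b"\x90" * 8 + b"GET http://example.invalid/files/update.exe\r\n")
    print(process_capture(d))
```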

2.1 Why would one want to run Nepenthes?

The first argument is that it's free. The software is free, and the viruses you can capture are free. You can collect this annoying stuff like stamps without paying a dime. The rest of the arguments are security related and debatable. Setting up a host running Nepenthes can improve network security drastically, as you can see who scans for which known vulnerabilities.

Nepenthes homepage
