Honeypots mailing list archives
Re: Is it one way to detect honeypot?
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Wed, 11 Feb 2004 18:05:03 +0100
On Wed 11/02/2004 at 16:54, wanfat wu wrote:
> I am running honeyd with arpd. It can answer with unused IP. However, when I use some programs to check the MAC address of virtual hosts (unused IP), it always answers with the MAC address of honeyd host. By looking at the MAC address, all the MAC are the same!

That's just what it is supposed to do. Arpd just answers ARP requests for unused IP with its own MAC address...

> Is it one way to detect honeypot? Anything to hide my honeypot?

Hiding a honeypot from its own LAN is not an easy task to achieve. It would mean the attacker is already on the Ethernet segment, which can be the case on a Wi-Fi hotspot* as an example. Maybe you should consider either hacking arpd to have it answer IPs with specified MAC addresses or using a box configured as an ARP server and fill its ARP cache with desired associations. Then set a Linux bridge up with ebtables and operate a layer 2 NAT to distinguish each IP and assign it the correct MAC address.

Well, I have to think about this a bit more, and produce a short paper about this kind of setup.

* It has been done during LSM 2003 in Metz, and was detected because of its MAC...

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus. Copy me to your signature file and help me spread!
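
An added example, not part of the original message: a honeyd operator can check how the arpd behaviour described above looks from another host on the same segment by grouping that host's neighbour table by MAC. The `ip neigh show` sample, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ip neigh show` output from a host on the honeypot's LAN.
# 192.168.1.200-202 stand for unused IPs claimed by arpd (assumed addresses).
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.10 dev eth0 lladdr 00:11:22:33:44:0a STALE
192.168.1.200 dev eth0 lladdr 00:0C:29:AA:BB:CC REACHABLE
192.168.1.201 dev eth0 lladdr 00:0c:29:aa:bb:cc STALE
192.168.1.202 dev eth0 lladdr 00:0c:29:aa:bb:cc DELAY
192.168.1.77 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b"
)

def parse_neigh(text):
    """Yield (ip, dev, mac) for IPv4 entries with a resolved link-layer address."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # FAILED/INCOMPLETE entries carry no lladdr
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))  # ARP is IPv4 only
        except ValueError:
            continue
        yield ip, m.group("dev"), m.group("mac").lower()

def shared_macs(text, min_ips=2):
    """Map (dev, mac) -> sorted IPs for every MAC answering for >= min_ips IPs."""
    by_mac = defaultdict(set)
    for ip, dev, mac in parse_neigh(text):
        by_mac[(dev, mac)].add(ip)
    return {
        key: [str(ip) for ip in sorted(ips)]
        for key, ips in by_mac.items()
        if len(ips) >= min_ips
    }

if __name__ == "__main__":
    # A router doing proxy ARP or a host with IP aliases shows up the same way,
    # so treat the output as a list to review, not as proof of a honeypot.
    for (dev, mac), ips in shared_macs(SAMPLE_NEIGH).items():
        print(f"{dev} {mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```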