Re: A kind of Honeypot

[Lance Spitzner <lance () honeynet org>]

On Wed, 20 Jun 2001, Nicolas Gregoire wrote:

> I plan to make a website just for my pen-tests.
>
> This website grabs as much as possible info from the visitors (IP,
> browser, proxy, etc ..), tries to exploit some common vulns of browsers
> (Guninski's page is a good start for this) and hosts a passive
> fingerprinting app.
> The victims are "spammed" with some misc. content (p0rn, free CD/DVD,
> jokes) linking (or redirecting) to the site.
>
> Has anybody ever do that ?

Hmm, I have done this before, but for different reasons.  When I do
assessments, I like to run a simple honeypot on my laptop.  Consider
this a passive assessment, while you are out looking for issues, things
might come looking for you (viruses, trojans, scanners, etc).  Good way
to find is someone is being naughty.  For example, one time I was conducting
an assessment of a organization in Asia.  Thirty minutes prior to a
presentation I was to give to the board of directors, my laptop was attacked,
as an attacker was scanning the company's network.  The honeypot software was
attacked, and recorded the entire session.

This was great evidence to give to the board of directors, as it validated
to them why I was conducting the assessment.  I had proof that the bad
guys were hitting their network, and the attackers were not friendly.

At the time I was using BOF by NFR, but this is no longer available.
One commercial honeypot solution that may work for you laptop is Specter
(www.specter.com).

lance