Re: Honeypot detection and countermeasures

[Acl Proxy <aclproxy () yahoo com>]

In-Reply-To: <20030617150317.F11919 () red4est com>

So far in every pen test I've conducted most of the
addressing information was known up front. So if I ran
into a honeypot or honeynet, it was just part of the
overall equation. The clients were interested in what I
could hack into and what vulnerabilities were present
and needed to be closed. They weren't interested in
paying me or my company $$ to waste time on whether I
could evade a honeypot or not. It wasn't a test of my
abilities, but of their security posture at that moment
in time.

And always remember, the only dumb question is the one
you don't ask. How are you ever going to learn without
reading, trying and asking questions.

> Received: (qmail 30138 invoked from network); 17 Jun
2003 21:20:34 -0000
> Received: from outgoing2.securityfocus.com
(205.206.231.26)
>  by mail.securityfocus.com with SMTP; 17 Jun 2003
21:20:34 -0000
> Received: from lists.securityfocus.com
(lists.securityfocus.com [205.206.231.19])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 30AB08F284; Tue, 17 Jun 2003 15:21:30 -0600 (MDT)
> Mailing-List: contact pen-test-help () securityfocus com;
run by ezmlm
> Precedence: bulk
> List-Id: <pen-test.list-id.securityfocus.com>
> List-Post: <mailto:pen-test () securityfocus com>
> List-Help: <mailto:pen-test-help () securityfocus com>
> List-Unsubscribe:
<mailto:pen-test-unsubscribe () securityfocus com>
> List-Subscribe:
<mailto:pen-test-subscribe () securityfocus com>
> Delivered-To: mailing list pen-test () securityfocus com
> Delivered-To: moderator for pen-test () securityfocus com
> Received: (qmail 31148 invoked by uid 0); 17 Jun 2003
19:52:04 -0000
> Date: Tue, 17 Jun 2003 15:03:17 -0700
> From: Larry Colen <lrcrypto () red4est com>
> To: pen-test () securityfocus com
> Subject: Honeypot detection and countermeasures
> Message-ID: <20030617150317.F11919 () red4est com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=us-ascii
> Content-Disposition: inline
> User-Agent: Mutt/1.2.5i
>
> I'm doing some research on honeypot detection, and
preventing
> honeypots from being detected. I'd greatly appreciate
some feedback
> from pen-testers on the following issues:
>
> Do you worry about being detected by honeypots?
>
> When you do a pen-test, do you already know of the
existence of
> honeypots, and their location, so that it is an easy
matter to avoid
> them?
>
> If you are concerned about honeypots, how do you test
to see if the
> system under attack is a honeypot or a production machine?
>
> Thanks,
>  Larry
>
>
>
> ---------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 -
31 in Las Vegas, the 
> world's premier technical IT security event! 10
tracks, 15 training sessions, 
> 1,800 delegates from 30 nations including all of the
top experts, from CSO's to 
> "underground" security specialists.  See for yourself
what the buzz is about!  
> Early-bird registration ends July 3.  This event will
sell out. www.blackhat.com
> ----------------------------------------------------------------------------

---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------