Penetration Testing mailing list archives
Re: Honeypot detection and countermeasures
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 23 Jun 2003 19:48:14 -0700
On June 23, 2003 06:58 am, Rob Shein wrote:
This wouldn't work. Seeing the packets/traffic on the wire doesn't tell you the tools that are used, and it also doesn't really give you much else. Considering that a honeypot is either not really rootable (DTK) or is very low hanging fruit (and very rootable, like a honeynet.org system), they either won't see tools downloaded to the system or won't see anything more than the bare minimum needed to exploit a system that is too vulnerable to begin with.
Putting on my Honeynet Project hat... I think you presume too much about honeypots. There are _many_ varieties of honeypots. Some more rootable than others, some more detectable than others. And it's also possible to instrument them with many other monitoring systems besides just sniffing traffic in and out. I'll leave the specifics as an exercise for the reader.... :-) but they range from running inside vmware to instrumented os loads and even special hardware in some cases.

Lately the Honeynet Alliance folks have been deploying other systems besides your typical low hanging fruit. Different honeypots gather different data. It all depends on what you are trying to catch.

Beware the Jabberwock...

cheers,
--dr

--
pgpkey http://dragos.com/ kyxpgp
Current thread:
- Honeypot detection and countermeasures Larry Colen (Jun 17)
- Re: Honeypot detection and countermeasures Blake Matheny (Jun 18)
- Re: Honeypot detection and countermeasures Henry O. Farad (Jun 24)
- Re: Honeypot detection and countermeasures Þórhallur Hálfdánarson (Jun 24)
- <Possible follow-ups>
- RE: Honeypot detection and countermeasures Brass, Phil (ISS Atlanta) (Jun 18)
- Re: Honeypot detection and countermeasures Larry Colen (Jun 18)
- Re: Honeypot detection and countermeasures Michael Boman (Jun 19)
- RE: Honeypot detection and countermeasures Rob Shein (Jun 23)
- Re: Honeypot detection and countermeasures Dragos Ruiu (Jun 24)
- Re: Honeypot detection and countermeasures Lance Spitzner (Jun 24)
- Re: Honeypot detection and countermeasures Larry Colen (Jun 18)
- Re: SV: Honeypot detection and countermeasures dave (Jun 24)
- RE: Honeypot detection and countermeasures Michael Boman (Jun 24)
- RE: Honeypot detection and countermeasures Rob Shein (Jun 24)
- RE: Honeypot detection and countermeasures .:[ Death Star]:. (Jun 25)
- RE: Honeypot detection and countermeasures Bojan Zdrnja (Jun 25)