Penetration Testing mailing list archives
Re: Honeypot detection and countermeasures
From: Gerardo Richarte <gera () corest com>
Date: Tue, 24 Jun 2003 18:00:33 -0300
Larry Colen wrote:
> I'm doing some research on honeypot detection, and preventing
> honeypots from being detected. I'd greatly appreciate some feedback
> from pen-testers on the following issues:

I find this an interesting subject. IMHO, when somebody is paying you/me to do a pen-test he's not only trying to find what hosts can be hacked into, but instead he's willing to test the security of the complete organization, and here I'm being, I think, a little more open than most people. The whole system includes not only servers and networks, but also (oh well... this is not new) people, established trust relationships, etc.

If there is a honeypot in place, or NIDS or firewall or whatever security appliance or policy, I would expect my client to try to find how useful these tools are for securing the organization. If I hack into a honeypot, I would report it back, and I would expect somebody from the security team to realize I'm hacking into the honeypot (or looking at NIDS or firewall alerts). If nobody reacts to the alerts, well... although I hacked into a honeypot, I could say I found a security flaw in the organization, because one of the countermeasures was not effective.

So, to wrap up this too-long mail, if there is a honeypot in the net, I would try to avoid hacking into it, and do everything a hacker would do to detect it, because I'm being paid to tell my client how vulnerable the organization would be to a real attack, and well... I tend to think attackers are as smart as I can be when emulating them as part of a pen-test.

All this said, of course the client can choose to ask you not to target honeypots, or can just tell you what IPs are honeypots, but this would be changing the attacker profile, either to a "script kiddie", who will not be careful with honeypots, or to an advanced attacker, who will not target honeypots at all... for example...
erm... yeah

gera