Penetration Testing mailing list archives
RE: How Would I Find the Actual Name of the Honeypot Software via a Pen Test?
From: "ep" <captgoodnight () hotmail com>
Date: Wed, 20 Jun 2007 17:34:52 -0800
This could be easier than you think. Goto http://honeyd.org/contrib.php and download the service scripts you might think they are using. Then look at the code, it's quite the simple code. Then diff the responses against the code. Now such a challenge is nothing more than a ego boost on their part, due to you being the "enemy"...This in of itself can be used for social engy work maybe :) Another thing I would look for is if arpd is being used, if you can monitor layer 2 traffic, see if arpd might be in use, this too will point to honeyd. In fact, if you can finger print the server as linux, it's a good bet it's honeyd. What about the coders they have, any linux experience, perl? Python? Linux in house? Have you compromised any of the linux servers? Looked for honeyd on those? Any webmin running :)? Tangents I'd start with..., --cg -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of StaticRez Sent: Wednesday, June 20, 2007 8:56 AM To: Pen-Tests Subject: Re: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? Well, here's a list: http://www.honeypots.net/honeypots/products If you can actually tell them the name of the software then you're THE MAN. I'm assuming that within the honeypot configs, you can pick which services you'd want to be open. With that in mind, I don't think there's any way of knowing what the actual software is. And even assuming you know the OS, unless you're analyzing packets, the honeypot should be able to "mimic" (to a certain extent) an IIS server, it could be sitting on a BSD or any linux/unix variant box. this one might require some social engineering... staticrez On 6/19/07, TStark <stark.ironman () gmail com> wrote:
Good afternoon, I'm doing a pen test a new IPS appliance from outside the network, while working through the assessment I found that the server designated as my target was a honeypot set up by our server team rather than a normal server. I've now been challenged to now tell them the actual name of the honeypot software they are using. So with that, I figure I'd ask the pros, hoping that someone has a suggestion other than me low crawling under the raised floor in the server room looking for the host server:P Thanks for the help! Tony ---------------------------------------------------------------------- -- This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ---------------------------------------------------------------------- --
------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------ ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- How Would I Find the Actual Name of the Honeypot Software via a Pen Test? TStark (Jun 19)
- RE: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? Paul Melson (Jun 20)
- Re: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? Dragos Ruiu (Jun 20)
- Re: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? StaticRez (Jun 20)
- RE: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? ep (Jun 20)
- <Possible follow-ups>
- Re: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? Jay (Jun 20)
- RE: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? Michael Scheidell (Jun 21)
- RE: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? Jeremiah Brott (Jun 21)
- RE: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? Paul Melson (Jun 20)