Honeypots mailing list archives

Re: Is it one way to detect honeypot?


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Wed, 11 Feb 2004 18:05:03 +0100

Le mer 11/02/2004 à 16:54, wanfat wu a écrit :
  I am running honeyd with arpd. It can answer with unused IP.
However, when I use some programs to check the MAC address of virtual
hosts(unused IP),  it always answer with the MAC address of honeyd
host.
  By looking at the MAC address, all the MAC are the same!

That's just what it is supposed to do. Arpd just answers ARP requests
for unused IP with its own MAC address...

Is it one way to detect honeypot? Anything to hide my honeypot?

Hiding a honeypot from its own LAN is not an easy task to achieve. It
would mean the attacker is already on the Ethernet segment, which can be
the case on a Wi-Fi hotspot* as an example.

Maybe you should consider whether hacking arpd to have it answer IPs with
specified MAC addresses or using a box configured as an ARP server and
fill its ARP cache with desired associations. Then set a Linux bridge up
with ebtables and operate a layer 2 NAT to distinguish each IP and
affect it the correct MAC address.

Well, I have to think about this a bit more, and produce a short paper
about this kind of setup.


* It has been done during LSM 2003 in Metz, and was detected because of
  its MAC...

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread! 


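The fingerprint discussed in this thread (every virtual host answering ARP with the honeyd box's own MAC) is something a honeypot operator can audit for on their own segment before an intruder does. The following script is an added example, not code from the thread or from the honeyd/arpd projects: it parses an ARP table in the `arp -an` line format, groups IP addresses by the MAC that answered for them, and flags MACs that stand in for several IPs. The sample table is constructed; the addresses and MACs in it are placeholders, not captured output.

```python
"""Operator self-check for a honeyd/arpd segment: flag MAC addresses that
answer ARP for many IP addresses (the honeypot fingerprint discussed above).
Added example; the ARP table below is constructed, not real output."""
import re
from collections import defaultdict

# Constructed sample in the format `arp -an` prints on Linux.
# 00:0c:29:aa:bb:02 plays the role of the honeyd host's MAC, which arpd
# hands out for every unused IP it claims.
SAMPLE_ARP_TABLE = """\
? (192.168.1.1) at 00:0c:29:aa:bb:01 [ether] on eth0
? (192.168.1.10) at 00:50:56:11:22:33 [ether] on eth0
? (192.168.1.20) at 00:0c:29:aa:bb:02 [ether] on eth0
? (192.168.1.21) at 00:0c:29:aa:bb:02 [ether] on eth0
? (192.168.1.22) at 00:0c:29:aa:bb:02 [ether] on eth0
? (192.168.1.23) at 00:0c:29:aa:bb:02 [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0
"""

# One `arp -an` entry: "(ip) at mac"; incomplete entries have no MAC and are skipped.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def _ip_key(ip):
    """Sort key so 192.168.1.20 orders before 192.168.1.100."""
    return tuple(int(octet) for octet in ip.split("."))


def parse_arp_table(text):
    """Return {mac: [ip, ...]} from `arp -an` style lines, MACs lower-cased."""
    by_mac = defaultdict(set)
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            by_mac[match.group("mac").lower()].add(match.group("ip"))
    return {mac: sorted(ips, key=_ip_key) for mac, ips in by_mac.items()}


def shared_macs(by_mac, threshold=2):
    """MACs answering for at least `threshold` IPs, most-shared first.

    A router, a host with IP aliases or a NAT box also legitimately shows
    several IPs on one MAC, so this is a heuristic to review, not a verdict.
    """
    hits = [(mac, ips) for mac, ips in by_mac.items() if len(ips) >= threshold]
    return sorted(hits, key=lambda item: (-len(item[1]), item[0]))


def report(text, threshold=2):
    """Human-readable summary of which MACs look like an arpd-style responder."""
    lines = []
    for mac, ips in shared_macs(parse_arp_table(text), threshold):
        lines.append(f"{mac} answers for {len(ips)} IPs: {', '.join(ips)}")
    return "\n".join(lines) if lines else "no MAC shared by multiple IPs"


if __name__ == "__main__":
    # In practice feed it the real table: `arp -an | python3 arp_selfcheck.py`
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARP_TABLE
    print(report(data))
```

Run against the live table with `arp -an | python3 arp_selfcheck.py` (file name assumed) from a host on the same segment as the honeypot; a single MAC listed against a whole block of otherwise unused addresses is exactly the pattern the original poster observed, and the layer 2 NAT setup suggested above is one way to make that pattern disappear.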