Honeypots mailing list archives

Re: Is it one way to detect honeypot?


From: Olaf Gellert <og () pre-secure de>
Date: Thu, 12 Feb 2004 16:02:22 +0100

wanfat wu wrote:
> Hi Olaf Gellert,
>
> Thank you for your reply first!
> I get your point. From my point of view, honeypot can also be used to
> detect unauthorized user or to protect local network, for example, in
> university campus.
> I think it is quite easy to detect MAC by using Ettercap. If I am the
> attacker, I can see many hosts with same MAC. So, I can know that host
> with different MAC is the real host.
> What do you think?

Well, this works only if the attacker is in the same
ethernet segment. This would be true of a small network
with ~100 hosts, but of course not for a large university
campus. I am not sure, usually ARP requests should not
go over a switch to another segment (someone correct me
if I am wrong). So, yes, you can use this to detect
the kind of honeypots that use many IP-addresses on
one interface. There are some special settings, where
this would not work (for example SSL-servers serving many
domains (each one needs an IP-address), so they have
many IP-addresses but are using only one interface).

Cheers, Olaf

-- 
Dipl.Inform. Olaf Gellert                  PRESECURE (R)
Consultant,                              Consulting GmbH
Phone: (+49) 0700 / PRESECURE           og () pre-secure de
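
Added example, not part of the original message: a way to check how a honeypot deployment looks from its own Ethernet segment, by grouping neighbour-table entries by MAC as discussed in the thread. The sample table is constructed; the function names, the threshold, and the allowlist for hosts that legitimately hold many addresses (such as the SSL servers mentioned above) are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the format printed by `ip neigh show` (documentation
# address ranges, not real hosts).
SAMPLE_NEIGH = """\
192.0.2.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
192.0.2.20 dev eth0 lladdr 00:00:5e:00:53:20 STALE
192.0.2.50 dev eth0 lladdr 00:00:5e:00:53:aa REACHABLE
192.0.2.51 dev eth0 lladdr 00:00:5E:00:53:AA REACHABLE
192.0.2.52 dev eth0 lladdr 00:00:5e:00:53:aa STALE
192.0.2.53 dev eth0 lladdr 00:00:5e:00:53:aa STALE
192.0.2.80 dev eth0 lladdr 00:00:5e:00:53:bb REACHABLE
192.0.2.81 dev eth0 lladdr 00:00:5e:00:53:bb REACHABLE
192.0.2.99 dev eth0  FAILED
"""


def ips_by_mac(neigh_text):
    """Map (interface, MAC) to the sorted IPs that resolve to it."""
    table = defaultdict(set)
    for line in neigh_text.splitlines():
        fields = line.split()
        # FAILED/INCOMPLETE entries have no resolved MAC; skip them.
        if "dev" not in fields or "lladdr" not in fields:
            continue
        dev = fields[fields.index("dev") + 1]
        mac = fields[fields.index("lladdr") + 1].lower()
        table[(dev, mac)].add(fields[0])
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in table.items()}


def shared_mac_report(neigh_text, threshold=3, known_multi_ip=()):
    """List (dev, mac, ips) where one MAC answers for >= threshold IPs.

    known_multi_ip: MACs of hosts expected to hold many addresses on one
    interface (e.g. an SSL server with one IP per domain); these are skipped.
    """
    allow = {m.lower() for m in known_multi_ip}
    hits = [(dev, mac, ips) for (dev, mac), ips in ips_by_mac(neigh_text).items()
            if len(ips) >= threshold and mac not in allow]
    return sorted(hits, key=lambda h: (-len(h[2]), h[1]))


if __name__ == "__main__":
    for dev, mac, ips in shared_mac_report(SAMPLE_NEIGH):
        print(f"{dev} {mac} answers for {len(ips)} IPs: {', '.join(ips)}")
```

The neighbour table only covers hosts on the local segment, so the report is empty for addresses reached through a router, which matches the limitation described in the reply.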

