Honeypots mailing list archives
Re: Heisenberg in the honeypot
From: Valdis.Kletnieks () vt edu
Date: Tue, 22 Jun 2004 12:54:16 -0400
On Tue, 22 Jun 2004 03:44:15 PDT, Harlan Carvey said:
> Perhaps another way of putting it...say I have a brand spanking new exploit (not blocked by firewalls, and no IDS rules exist for it), something no one has ever even considered. Let's say that I'm particularly nefarious, and intend to use this exploit for malicious purposes. Now, do you think I would run this exploit against arbitrary targets, knowing that somewhere out there, a honeypot would collect the data and someone might figure out what I was doing? Or do you think I would do a little recon (even of a physical nature) first, to ensure that I've got a really juicy, easy to access target...with NO honeypots?
You missed the most obvious case. :) You attack a juicy easy access target, and you *don't* bother worrying about honeypots because you're conducting a *targeted* attack. You gain a *first* foothold inside the target network via some means - e-mail spam that installs a trojan, mass scan for a *known* vulnerability, hoping that *one* person didn't patch their desktop box, etc...

Now work from that box. Watch the ARP traffic, learn machine names on the local subnet. See if the local DNS will let you do an AXFR to get all the names in one shot (remember - they *may* have AXFR denied and they actually read the logs, but it's a pretty safe bet that the machine that's configured as your primary DNS isn't a honeypot - with one exception discussed later). From there, start working it - the desktop box probably has pointers to the organization's web server, mail server, and database machines... Start reading the e-mail on the box - is there announced downtime of a server? If it's important enough to announce the outage, it might be interesting.. and so on.

It isn't a question of "blindly shoot and worry about hitting a honeypot" versus "select a target known not to have honeypots". If you're clued enough to be doing a targeted attack, you're clued enough to realize the following:

1) Real production machines will have lots of references to them (mentioned in e-mails, config files, and so on).

2) Honeypots will *not* have any/many references to them, because otherwise they'll false-positive like crazy.

3) As a result, as your recon work finds new machines, the fact that you *found* the machines means that the box is probably *not* a honeypot (modulo the method of discovery, of course - finding it via an nmap scan of the subnet doesn't give much confidence - the fact that the current box has 3 open shares on the file server, and the files you can see indicate that 25 or 30 *other* boxes also have shares there.. well, it's probably not a honeypot... :)

The one exception is if the site is *so* clued that they can set up a fake desktop box, with *all* of this stuff faked too - a bogus router, bogus ARP traffic - with realistic replies from boxes you ping/nmap after learning their IP address via ARP, bogus DNS/mail/DB machines, bogus e-mail folders, and so on. Remember that a production network leaves a *LOT* of traces of itself on the boxes (poke around your own machine if you don't believe me ;). This was sort of what "An Evening with Berferd" was about - and notice that it didn't take very long at all before keeping up the charade got difficult.

The other alternative is to sprinkle your network with red herrings - send out mass e-mails saying that "Server <codename-for-honeypot> will be down from 3:15 to 5PM Thursday after next for a security upgrade" - generally a bad idea, as users will deluge your support desk with calls of "Why did I get this e-mail about a server I never heard of?" - and you can be sure that 10% of your users will try to log in to said server after the "upgrade" to make sure their files are still there. ;)

It's that sort of issue why I honestly don't think that a honeypot will catch many black hats, unless you (a) have a *really* nice "real" target and lots of resources to build a very elaborate facade, or (b) the black hat is a real novice and/or not paying close attention....

Another way to look at it - consider the end of Indiana Jones and the Last Crusade. All those letters on the floor are systems. However, your honeypot at J won't get hit unless this happens:

Professor Henry Jones: The Word of God.
Marcus Brody: No, Henry. Try not to talk.
Professor Henry Jones: The Name of God.
Indiana Jones: The Name of God. Jehovah.
Professor Henry Jones: But in the Latin alphabet, "Jehovah" begins with an "I".
Indiana Jones: J-...
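Points 1) through 3) above give a honeypot operator a concrete self-check before deployment: if nothing on the network refers to the decoy, it stands out for exactly the reason Valdis describes. The script below is an added example, not part of the original post or any honeypot project; it counts, for each host in a constructed inventory, how many distinct artifact sources (a DNS zone, an inbox, a config file, an access log, all made up here) mention it, and flags hosts that fall below a reference threshold so the operator knows which decoys need believable traces seeded around them. Host names, artifact contents and the threshold are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed sample artifacts (not real data): the kinds of traces the post
# says a production network leaves on an ordinary desktop box.
ARTIFACTS = {
    "dns_zone": """
        www     IN A 10.0.1.10
        mail    IN A 10.0.1.20
        db1     IN A 10.0.1.30
        fs      IN A 10.0.1.40
        hp-01   IN A 10.0.1.99
    """,
    "inbox": """
        Subject: db1 maintenance window Thursday
        Subject: new shares on fs, please migrate your files
        Subject: mail outage resolved
    """,
    "config": """
        smtp_server=mail
        db_host=db1
        file_server=fs
    """,
    "access_log": """
        GET http://www/index.html 200
    """,
}

# Constructed inventory: four production hosts and one decoy ("hp-01").
HOSTS = ["www", "mail", "db1", "fs", "hp-01"]


def reference_counts(artifacts, hosts):
    """Count, per host, how many distinct artifact *sources* mention it.

    Counting sources rather than raw hits keeps one chatty log file from
    making a host look well-referenced when nothing else knows about it.
    """
    counts = Counter()
    for host in hosts:
        # Match the hostname as a whole token; "-" is part of a hostname,
        # so it must not act as a word boundary (hp-01 vs. hp).
        pattern = re.compile(r"(?<![\w-])" + re.escape(host) + r"(?![\w-])")
        for text in artifacts.values():
            if pattern.search(text):
                counts[host] += 1
    return counts


def conspicuous_hosts(artifacts, hosts, min_sources=2):
    """Return hosts mentioned in fewer than min_sources artifact sources.

    These are the boxes that, per the post's point 2), an attacker doing
    recon from a foothold would notice as unreferenced. Threshold is an
    assumption; tune it to how many artifact sources you actually collect.
    """
    counts = reference_counts(artifacts, hosts)
    return sorted(h for h in hosts if counts[h] < min_sources)


if __name__ == "__main__":
    for host, n in sorted(reference_counts(ARTIFACTS, HOSTS).items()):
        print(f"{host:8s} referenced by {n} source(s)")
    print("needs seeded references:", conspicuous_hosts(ARTIFACTS, HOSTS))
```

Run against a real inventory, the artifact dictionary would be filled from copies of the zone file, a sample mailbox, shared config repositories and service logs; a decoy that lands in the flagged list is one the post argues will not be found by anyone doing careful recon, so either accept that it only catches the novice case or give it the kind of references the rest of the network already has.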