Honeypots mailing list archives

Re: AW: Honey VS Vinegar


From: the rxmr <the.rxmr () gmail com>
Date: 2 Nov 2004 15:49:05 -0000

In-Reply-To: <1099405102.8972.6.camel@JohnnyQuest>

"but don't forget to check your honeypot webserver logs for all those referers from Google (thanks Johnny for google hacking)...."

I have also tested the Google Hacking Database from the johnny.ihackstuff.com website and noticed that most of the results (usually text, no graphics, no loading from the original website) are also available in the Google cache.  Therefore, by using the info from the cache one could avoid an entry in the webserver's logs.

Thanks to all those that took the time to read my rather long post.  It wasn't quite finished, but since the question was raised, I decided to go ahead and post it.  Anyway, it is interesting to read some of the tactics currently being used by others.  With regard to the question that someone else asked of "how far should we go?", I think it is OK to start off small and gradually work one's way through the different, more complex and time consuming methods.  Keep it simple and don't make your efforts obvious.

The people we are trying to get a response from can sometimes tell if something is amiss.  They can also exhibit self-control and may ignore such provocations, therefore allowing them to pick their potential victims for their own reasons.

When I first started running a honeypot, I became bored with it after a few months and began thinking of ways to draw 
in more activity.  Sometimes it works, sometimes it doesn't.  If such methods are already being used, I understand the 
reluctance in disclosing them and the results in a public forum. Good luck to you all!


I have been provoking attacks (usually in IRC) for years... when I
mentioned this in another security related list a few years ago I got
flamed so bad I still feel toasty... I have noticed (using a bit of
psychology from the aid of my wife who is a psychologist and closet geek
girl) that you can easily tell if you are going to get your basic 13 or
14 yr old script kiddie or someone a bit more skillful... but don't
forget to check your honeypot webserver logs for all those referers from
Google (thanks Johnny for google hacking)....


sorry if it was a rant... but it's my 2 cents worth... 


On Tue, 2004-11-02 at 05:29, Stephan Riebach wrote:
Reading all your posts I wondered if aggressive tactics do really provoke
new/interesting attacks. More precisely I wondered how far we should go?!

I tested some tactic earlier by installing a P2P client on a honeypot and
provoking attacks by "annoying" users. I created random data files with "dd"
and converted them to the mp3 format using lame
(http://lame.sourceforge.net/). I gave those fake files the names of famous
Top20 songs and provided the files with my KazaaLite client. I also provided
some really large faked files which I simply renamed as zip or rar archives,
e.g. "Windows2000Prof.zip" . The honeypot was online for 6 weeks and many
files were downloaded but really no new/unusual/special attack could be
detected in this time. Just the well-known port 135 and 445 signatures. I
also ran a web server on this honeypot and I hoped to increase attacks with
this "annoying" tactic.  Maybe you can compare this with fishing and my lure
was bad or I simply had no luck. :-)

Or maybe I proved that P2P users are harmless and never attack anybody. :-)


Cheers!
Stephan
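
The referer check suggested in the thread, as an added example that is not part of the original posts: it scans Apache combined-format access log lines for Google search referers whose query uses advanced search operators. The log lines, addresses and paths are constructed sample data, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/NCSA "combined" format: ... "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ '
    r'"(?P<ref>[^"]*)" "[^"]*"')
# Approximate match for Google hosts (google.com, www.google.de, www.google.co.uk).
GOOGLE_HOST = re.compile(r'^(?:[a-z0-9-]+\.)*google\.[a-z]{2,3}(?:\.[a-z]{2})?$')
# Advanced operators typical of Google Hacking Database style queries.
OPERATORS = re.compile(
    r'\b(?:inurl|intitle|allinurl|allintitle|intext|filetype|ext|site):', re.I)

def google_query(referer):
    """Return the decoded search terms if the referer is a Google results URL."""
    try:
        parts = urlsplit(referer)
    except ValueError:          # malformed URL in a client-supplied header
        return None
    if not GOOGLE_HOST.match((parts.hostname or "").lower()):
        return None
    terms = parse_qs(parts.query).get("q")
    return terms[0] if terms else None

def find_dork_referers(lines):
    """Return (client ip, requested path, search query) for flagged requests."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        query = google_query(m["ref"])
        if query and OPERATORS.search(query):
            req = m["req"].split()
            hits.append((m["ip"], req[1] if len(req) > 1 else m["req"], query))
    return hits

# Constructed sample log lines (documentation address ranges, made-up paths).
SAMPLE_LOG = (
    '192.0.2.10 - - [02/Nov/2004:15:40:01 +0000] "GET /admin/login.php HTTP/1.1" 200 1432 "http://www.google.com/search?q=inurl%3Aadmin+intitle%3Alogin&hl=en" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [02/Nov/2004:15:41:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "http://www.google.de/search?q=honeypot+mailing+list" "Mozilla/5.0 (X11; U; Linux i686)"',
    '203.0.113.5 - - [02/Nov/2004:15:42:30 +0000] "GET /backup/ HTTP/1.0" 200 812 "-" "Wget/1.9.1"',
    '192.0.2.44 - - [02/Nov/2004:15:43:55 +0000] "GET /backup/db.sql HTTP/1.1" 404 210 "http://www.google.co.uk/search?hl=en&q=filetype%3Asql+%22insert+into%22" "Mozilla/4.0 (compatible; MSIE 6.0)"',
)

if __name__ == "__main__":
    for ip, path, query in find_dork_referers(SAMPLE_LOG):
        print(f"{ip} requested {path} via search: {query}")
```

The Referer header is supplied by the client and can be absent or forged, so a hit is a lead for further review rather than proof of how the visitor found the honeypot.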



