Penetration Testing mailing list archives
RE: honeypot in conjunction with pen test?
From: "Javier Fernandez-Sanguino Pena" <jfernandez () germinus com>
Date: Thu, 6 Jun 2002 10:26:47 +0200
NB: this is a question from the point of view of the customer of a pen-test; if that's off-topic for this list my apologies and I'll go away.
IMHO it's perfectly in topic.
I've had an interesting circumstance arise. I was a customer of a pen test, and had the happy outcome that the testers found absolutely nothing, despite the fact that they'd been provided with
(...) You were happy but I expect that the pen-testers were really dumped. (...)
But the thought occurred to me that a really nice approach to take the next time it comes around again on the guitar would be to position a honeypot in the facility, just to give the poor scuppers something to find, and of course to let us collect positive documentation of our own confirming what was done. Has anybody done this before? How did you choose what services to publish in your honeypot? How do you make it believable --- and how do you avoid making it so juicy that it blinds the testers to any real substance that might actually be there to find elsewhere in the tested plant?
Being a pen-tester myself, I have "suffered" the effects of a honeypot, even one as simple as a cgi pretending to be the old and vulnerable php-fi. In that pen-test the honeypot was really a waste of time for both the pen-testing team, the team coordinating the test and the systems administrators in charge (who probably laughed aloud when we stumbled into the honeypot).

It was a waste of time because in our pen-tests we follow a strict procedure to tell our customers when a high-risk vulnerability is detected: we do not wait until the end of the test to tell them of this but do so immediately. However, before doing so we had to re-evaluate whether it was really a vulnerability; the "honeypot" surely did not work as expected, but it did seem to be there, so, even if in doubt, we reported it anyway. Now, there was a lot of wasted time after detecting this exploitable vulnerability: reporting it properly, sending it to the person in charge and moving the report all the way towards the system administrators that had built the honeypot. Then doing this backwards again to tell the pen-testing team that it was really a honeypot.

IMHO honeypots and pen-tests don't go together nicely *unless* you want to test the pen-testing team and evaluate their methods/procedures/technical expertise with an environment you control directly. Surely I can see that it can be useful for customers that are not really sure of the pen-testing team they are hiring and want to supervise their work. However, I do not see how it might add anything to the pen-test itself.

Regards

Javi

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/