Penetration Testing mailing list archives
RE: Honeypot detection and countermeasures
From: "Rob Shein" <shoten () starpower net>
Date: Mon, 23 Jun 2003 09:58:14 -0400
This wouldn't work. Seeing the packets/traffic on the wire doesn't tell you the tools that are used, and it also doesn't really give you much else. Considering that a honeypot is either not really rootable (DTK) or is very low hanging fruit (and very rootable, like a honeynet.org system), they either won't see tools downloaded to the system or won't see anything more than the bare minimum needed to exploit a system that is too vulnerable to begin with.
-----Original Message-----
From: Michael Boman [mailto:michael.boman () securecirt com]
Sent: Wednesday, June 18, 2003 11:32 PM
To: Larry Colen
Cc: Brass, Phil (ISS Atlanta); pen-test () securityfocus com
Subject: Re: Honeypot detection and countermeasures

On Wed, 2003-06-18 at 10:15, Larry Colen wrote:
> Good point. I was more envisioning a scenario where the client was testing the whole security system, including the honeypots. I.e. hiring a pen-tester without giving the pen-tester any knowledge of the system beforehand.
>
> If I seem like a clueless newbie, I hope that I at least seem like a polite clueless newbie. I'll crawl back into my hole and lurk a bit more.
>
> Larry

There is a viable scenario for this. Let's say ACME Inc. wants to do their own pen-tests because they
- Don't like to pay outsiders to do it
- Want to compete with the company
- They want to steal their tools and techniques
- insert your own paranoid explanation for the "why" bit

They hire a group of people to hack their systems and record everything, so once the exercise is over ACME Inc. now knows the tools and techniques of that particular pen test group.

It's unlikely, but possible. Hasn't happened to me (yet).

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com