Penetration Testing mailing list archives
RE: Honeypot detection and countermeasures
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 24 Jun 2003 10:34:38 -0400
They have collections of tools, yes...but can you learn to pen-test from that collection? Absolutely not. The point here is "can you learn to be a pen-tester by having a single pen-test done against your honeypot?" The answer is still no.
-----Original Message-----
From: Michael Boman [mailto:michael.boman () securecirt com]
Sent: Tuesday, June 24, 2003 10:03 AM
To: Rob Shein
Cc: 'John Public'; 'Larry Colen'; 'Brass, Phil (ISS Atlanta)'; pen-test () securityfocus com; 'Lance Spitzner'
Subject: RE: Honeypot detection and countermeasures

On Tue, 2003-06-24 at 21:48, Rob Shein wrote:

> First off, I still maintain that watching the attack will NOT tell you which tool was used. Watching the attack AND being familiar with the tool(s) will, but in and of itself, you don't see a series of attacks on a web server and say "ah, that was Nessus, not just whisker, and you can download it from www.nessus.org!" If you see a buffer overflow against a real server, you don't automatically know what it's called, and where to get it (or how to use it). And you certainly wouldn't know the difference between a non-safe Nessus plugin that only crashes a system and the real overflow attack, but with an error so it doesn't gain root. You have to be familiar with the tools in general to begin with, and since the whole scenario started with a company who was going to observe a pen test to try and figure out how to do one, I would presume that they lack that knowledge.

Didn't expect my reply to heat up the thread so much, but I feel like I need to put more wood on the fire:

If a honeypot / honeynet can't get the tools used, how come every single "research" honeypot dump I've seen so far has a collection of tools that have been used? Because the attacker put them there, of course! If you need a springboard into a network (happens to me more often than you think) you need to put at least a small collection of tools on the server. Now, what if those tools were copied somewhere else?

Of course, if you get yourself a talk-the-talk PT guy/company, all the tools can already be found on the net. But there are PR guys/companies that have a collection of lesser known/unknown tools.

From my point of view the only difference between a good guy/company (PT vendor) and a bad guy (script kiddie, 'leet hacker) is that the good guy asks for permission and gives a report, while you will never hear from the bad guy. When it comes to PT companies the in-house/limited exposure tools would be counted as trade secrets and intellectual property (for a limited time, until they hit pen-test/bugtraq). But nevertheless the tools are what separate them from the rest. Seriously, would you pay big bucks for someone to run Nessus against the systems when you can just DIY such a test yourself?

Best regards
Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com