RE: Honeypot detection and countermeasures

["Rob Shein" <shoten () starpower net>]

They have collections of tools, yes...but can you learn to pen-test from
that collection?  Absolutely not.  The point here is "can you learn to be a
pen-tester by having a single pen-test done against your honeypot?"  The
answer is still no.

> -----Original Message-----
> From: Michael Boman [mailto:michael.boman () securecirt com] 
> Sent: Tuesday, June 24, 2003 10:03 AM
> To: Rob Shein
> Cc: 'John Public'; 'Larry Colen'; 'Brass, Phil (ISS 
> Atlanta)'; pen-test () securityfocus com; 'Lance Spitzner'
> Subject: RE: Honeypot detection and countermeasures
>
>
> On Tue, 2003-06-24 at 21:48, Rob Shein wrote:
> > First off, I still maintain that watching the attack will 
> NOT tell you 
> > which tool was used.  Watching the attack AND being 
> familiar with the 
> > tool(s) will, but in of itself, you don't see a series of 
> attacks on a 
> > web server and say "ah, that was Nessus, not just whisker, 
> and you can 
> > download it from www.nessus.org!"  If you see a buffer overflow 
> > against a real server, you don't automatically know what 
> it's called, 
> > and where to get it (or how to use it).  And you certainly wouldn't 
> > know the difference between a non-safe Nessus plugin that 
> only crashes 
> > a system and the real overflow attack, but with an error so 
> it doesn't 
> > gain root.  You have to be familiar with the tools in 
> general to begin 
> > with, and since the whole scenario started with a company who was 
> > going to observe a pen test to try and figure out how to do one, I 
> > would presume that they lack that knowledge.
>
> Didn't expect my reply heating up the thread so much, but I 
> feel like I need to put more wood on the fire:
>
> If a honeypot / honeynet can't get the tools used, how come 
> every single "research" honeypot dump I've seen so far have a 
> collection of tools that has been used? Because the attacker 
> put them there of course! If you need a spring board into a 
> network (happens to me more often then you think) you need to 
> put at least a small collection of tools on the server. Now, 
> what if those tools were copied somewhere else?
>
> Of course, if you get yourself a talk-the-talk PT 
> guy/companies, all the tools can already be found on the net. 
> But there are PR guys/companies that has a collection of 
> lesser known/unknown tools. From my point of view the only 
> difference between a good guy/company (PT vendor) and a bad 
> guy (script kiddie, 'leet hacker) is the good guy asks for 
> permission and gives a report, while you will never hear form 
> the bad guy.
>
> When it comes to PT companies the in-house/limited exposure 
> tools would be counted as trade secrets and intellectual 
> properties (for a limited time, until they hit 
> pen-test/bugtraq). But never the less the tools are what 
> separate them from the rest.
>
> Seriously, would you pay big bucks for someone to run Nessus 
> against the systems when you can just DIY such test yourself?
>
> Best regards
>  Michael Boman
>
> -- 
> Michael Boman
> Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com


---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------