Penetration Testing mailing list archives

Re: SV: Honeypot detection and countermeasures


From: dave () immunitysec com
Date: Tue, 24 Jun 2003 10:44:33 -0400 (EDT)

Well, that's a great way to think about it - as a test of your
countermeasures. In fact, there are MANY ways to both remotely and locally
detect various breeds of honeypots. VMWare, for example, uses a particular
range of MAC addresses, among other things. I always find it funny when
people use VMWare as a security measure.

But (imho) it's a truly RARE penetration test team that will notice some
of these subtle things, and basically no penetration test teams can
remotely discover a honeypot - the technology for doing so just isn't
public enough yet. (Well, I just gave away that MAC address trick, but
it's limited to the local net, and there are lots of other, better
tricks).

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/
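As an added self-check for the MAC-address fingerprint Dave mentions (example code written for this archive page, not from the original post or from Immunity): it normalizes MAC addresses in the usual notations, matches the OUI against VMware's publicly registered prefixes, and scans constructed `arp -a`-style lines so a honeypot operator can see which of their own hosts would give the hypervisor away on the local net. The hostnames and addresses in the sample are constructed.

```python
"""Flag hosts whose MAC address carries a VMware OUI (the local-net
fingerprint mentioned above). Added example; the OUIs are VMware's public
IEEE registrations, the sample hosts below are constructed."""
import re
from typing import List, Optional, Tuple

# First three octets VMware assigns to virtual NICs (lower-case, colon form).
VMWARE_OUIS = {
    "00:05:69": "VMware (legacy ESX)",
    "00:0c:29": "VMware (auto-generated)",
    "00:1c:14": "VMware",
    "00:50:56": "VMware (vCenter / manually assigned)",
}

def normalize_mac(mac: str) -> str:
    """Accept 00:0C:29:AB:CD:EF, 00-0c-29-ab-cd-ef or 000c.29ab.cdef and
    return the canonical lower-case colon form; raise on malformed input."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def vm_vendor(mac: str) -> Optional[str]:
    """Return the VMware label for the MAC's OUI, or None if it is not VMware's."""
    return VMWARE_OUIS.get(normalize_mac(mac)[:8])

# Linux 'arp -a' layout: host (ip) at mac [ether] on ifname.  Only colon or
# dash separated MACs match, so '<incomplete>' entries are skipped naturally.
ARP_LINE = re.compile(r"^(\S+)\s+\((\S+)\)\s+at\s+([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})")

def audit_arp_table(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, canonical mac, vendor) for every ARP entry whose OUI
    fingerprints as VMware; unparseable lines are ignored."""
    flagged = []
    for line in lines:
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        host, _ip, mac = m.groups()
        vendor = vm_vendor(mac)
        if vendor:
            flagged.append((host, normalize_mac(mac), vendor))
    return flagged

# Constructed sample: one physical host, one incomplete entry, two VMware guests.
SAMPLE_ARP = [
    "web1.example.test (10.0.0.5) at 00:0c:29:ab:cd:ef [ether] on eth0",
    "db1.example.test (10.0.0.6) at 00:11:22:33:44:55 [ether] on eth0",
    "? (10.0.0.9) at <incomplete> on eth0",
    "trap.example.test (10.0.0.42) at 00-50-56-9A-BC-DE [ether] on eth0",
]
```

Run `audit_arp_table` over real `arp -a` output (or any list of MACs through `vm_vendor`) to see which hosts on the segment advertise a VMware NIC; a honeypot that shows up here is one a local attacker can pick out without touching it.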






But...the last thing, since that was commented (but was removed from the
thread I'm answering on). If you hire a company to do a pentest, of course
you don't tell them about your countermeasures. The pentest is the exam
for the system you have deployed, and the guys that test you are the
examiners. The result from the pentest should/might include that, yes,
they found the honeypots, and it distracted them for some time before they
understood what they had hit (a honeypot is just another countermeasure),
and then the rest of the report comes.

If you want to pentest a new service, then of course point them at that
service. If you want to pentest your company...then that's what you tell
them.

Regards,
Trygve Aasheim
Manager, Network Security



-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: 23 June 2003 15:58
To: 'Michael Boman'; 'Larry Colen'
Cc: 'Brass, Phil (ISS Atlanta)'; pen-test () securityfocus com
Subject: RE: Honeypot detection and countermeasures


This wouldn't work.  Seeing the packets/traffic on the wire doesn't tell you
the tools that are used, and it also doesn't really give you much else.
Considering that a honeypot is either not really rootable (DTK) or is very
low hanging fruit (and very rootable, like a honeynet.org system), they
either won't see tools downloaded to the system or won't see anything more
than the bare minimum needed to exploit a system that is too vulnerable to
begin with.

-----Original Message-----
From: Michael Boman [mailto:michael.boman () securecirt com]
Sent: Wednesday, June 18, 2003 11:32 PM
To: Larry Colen
Cc: Brass, Phil (ISS Atlanta); pen-test () securityfocus com
Subject: Re: Honeypot detection and countermeasures


On Wed, 2003-06-18 at 10:15, Larry Colen wrote:
Good point. I was more envisioning a scenario where the client was
testing the whole security system, including the honeypots. I.e.
hiring a pen-tester without giving the pen-tester any knowledge of the
system beforehand.

If I seem like a clueless newbie, I hope that I at least seem like a
polite clueless newbie. I'll crawl back into my hole and lurk a bit
more.

   Larry


There is a viable scenario for this. Let's say ACME Inc.
wants to do their own pen-tests because they
 - Don't like to pay outsiders to do it
 - Want to compete with the company
 - They want to steal their tools and techniques
 - insert your own paranoid explanation for the "why" bit

They hire a group of people to hack their systems and record
everything so once the exercise is over ACME Inc. now knows
the tools and techniques of that particular pen test group.

It's unlikely, but possible. Hasn't happened to me (yet).

Best regards
 Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com




