RE: Honeypot detection and countermeasures

[".:[ Death Star]:." <deathstar () optonline net>]

First of all I would like to say that the net is filled with script
kiddies (almost anyone of them can run nessus). Running nessus is very
easy (my 16 years old brother knows how to do it), but how about writing
your own NASL scripts that's something not easily done because you need
to know the technique of the attack. 

I've seen many discussions going back and forth about honypots ... well
my dear friends I can tell you that no matter what you do it's very hard
and time consuming to discover if the node your penetrating is running a
honeypot. Unless you actually know that the company you're scanning is
told you that they are using a honeypot. Another thing to keep in mind
and that is many companies cannot use honeypots (because in some cases
it might be considered entrapment, and it's prosecuted by the law
enforcement agencies). 

As for using external entities to perform the pen-test it's considered a
very good idea for the reason being (in most cases) that you want to see
you networks/systems in the eyes of a hacker. Another good reason for
having an external auditor is to prove to the law enforcement agencies
that you're in compliance with the standards and regulations (diligence
/ due diligence).

As we all know that on of the first things you do when pen-testing is
fingerprinting and enumerating systems/networks, in most cases if you
find out that a system is open like a window then you need to have the
system placed on the suspicious list. An example is having a server with
port 23 open!!! One of the best ways to avoid getting detected while
fully scanning the system for open ports is to use IDLE scanning. Then
if it happened and you where able to exploit a system u can use a tool
like datapipe or fpipe to port forward the traffic into the system you
owned (This way the honeypot if exist cannot see you as an external node
...)

The bottom line here is that discovering honeypot is very time
consuming, unless you really want to spend all the time of the pen-test
attempting to exploit a system that shows vulnerability but doesn't
respond to your attack the way an exploited system would. 

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Tuesday, June 24, 2003 10:35 AM
To: 'Michael Boman'
Cc: 'John Public'; 'Larry Colen'; 'Brass, Phil (ISS Atlanta)';
pen-test () securityfocus com; 'Lance Spitzner'
Subject: RE: Honeypot detection and countermeasures

They have collections of tools, yes...but can you learn to pen-test from
that collection?  Absolutely not.  The point here is "can you learn to
be a
pen-tester by having a single pen-test done against your honeypot?"  The
answer is still no.

> -----Original Message-----
> From: Michael Boman [mailto:michael.boman () securecirt com] 
> Sent: Tuesday, June 24, 2003 10:03 AM
> To: Rob Shein
> Cc: 'John Public'; 'Larry Colen'; 'Brass, Phil (ISS 
> Atlanta)'; pen-test () securityfocus com; 'Lance Spitzner'
> Subject: RE: Honeypot detection and countermeasures
>
>
> On Tue, 2003-06-24 at 21:48, Rob Shein wrote:
> > First off, I still maintain that watching the attack will 
> NOT tell you 
> > which tool was used.  Watching the attack AND being 
> familiar with the 
> > tool(s) will, but in of itself, you don't see a series of 
> attacks on a 
> > web server and say "ah, that was Nessus, not just whisker, 
> and you can 
> > download it from www.nessus.org!"  If you see a buffer overflow 
> > against a real server, you don't automatically know what 
> it's called, 
> > and where to get it (or how to use it).  And you certainly wouldn't 
> > know the difference between a non-safe Nessus plugin that 
> only crashes 
> > a system and the real overflow attack, but with an error so 
> it doesn't 
> > gain root.  You have to be familiar with the tools in 
> general to begin 
> > with, and since the whole scenario started with a company who was 
> > going to observe a pen test to try and figure out how to do one, I 
> > would presume that they lack that knowledge.
>
> Didn't expect my reply heating up the thread so much, but I 
> feel like I need to put more wood on the fire:
>
> If a honeypot / honeynet can't get the tools used, how come 
> every single "research" honeypot dump I've seen so far have a 
> collection of tools that has been used? Because the attacker 
> put them there of course! If you need a spring board into a 
> network (happens to me more often then you think) you need to 
> put at least a small collection of tools on the server. Now, 
> what if those tools were copied somewhere else?
>
> Of course, if you get yourself a talk-the-talk PT 
> guy/companies, all the tools can already be found on the net. 
> But there are PR guys/companies that has a collection of 
> lesser known/unknown tools. From my point of view the only 
> difference between a good guy/company (PT vendor) and a bad 
> guy (script kiddie, 'leet hacker) is the good guy asks for 
> permission and gives a report, while you will never hear form 
> the bad guy.
>
> When it comes to PT companies the in-house/limited exposure 
> tools would be counted as trade secrets and intellectual 
> properties (for a limited time, until they hit 
> pen-test/bugtraq). But never the less the tools are what 
> separate them from the rest.
>
> Seriously, would you pay big bucks for someone to run Nessus 
> against the systems when you can just DIY such test yourself?
>
> Best regards
>  Michael Boman
>
> -- 
> Michael Boman
> Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com


------------------------------------------------------------------------
---
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can
get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
------------------------------------------------------------------------
----


---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------