Penetration Testing mailing list archives

RE: Honeypot detection and countermeasures

From: "Brass, Phil (ISS Atlanta)" <PBrass () iss net>
Date: Tue, 17 Jun 2003 21:52:08 -0400

I think most pentest clients are more concerned with the safety of their
production systems - why pay somebody to attack a decoy?  To see how
effective the decoy is?  I haven't seen that level of paranoia in any of
my clients.  

Pointing a pentester at a honeypot could easily result in them spending
all their time breaking into the honeypot network.  Since many clients
expect to see if their production systems are at risk during a pentest,
this would be counterproductive.

Phil

-----Original Message-----
From: Larry Colen [mailto:lrcrypto () red4est com] 
Sent: Tuesday, June 17, 2003 6:03 PM
To: pen-test () securityfocus com
Subject: Honeypot detection and countermeasures

I'm doing some research on honeypot detection, and preventing 
honeypots from being detected. I'd greatly appreciate some 
feedback from pen-testers on the following issues:

Do you worry about being detected by honeypots?

When you do a pen-test, do you already know of the existence 
of honeypots, and their location, so that it is an easy 
matter to avoid them?

If you are concerned about honeypots, how do you test to see 
if the system under attack is a honeypot or a production machine?

Thanks,
  Larry

--------------------------------------------------------------
-------------
Attend the Black Hat Briefings & Training, July 28 - 31 in 
Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 
training sessions, 
1,800 delegates from 30 nations including all of the top 
experts, from CSO's to 
"underground" security specialists.  See for yourself what 
the buzz is about!  
Early-bird registration ends July 3.  This event will sell 
out. www.blackhat.com
--------------------------------------------------------------
--------------


---------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Current thread:

Honeypot detection and countermeasures Larry Colen (Jun 17)
- Re: Honeypot detection and countermeasures Blake Matheny (Jun 18)
- Re: Honeypot detection and countermeasures Henry O. Farad (Jun 24)
  - Re: Honeypot detection and countermeasures Þórhallur Hálfdánarson (Jun 24)
- <Possible follow-ups>
- RE: Honeypot detection and countermeasures Brass, Phil (ISS Atlanta) (Jun 18)
  - Re: Honeypot detection and countermeasures Larry Colen (Jun 18)
    - Re: Honeypot detection and countermeasures Michael Boman (Jun 19)
    - RE: Honeypot detection and countermeasures Rob Shein (Jun 23)
    - Re: Honeypot detection and countermeasures Dragos Ruiu (Jun 24)
    - Re: Honeypot detection and countermeasures Lance Spitzner (Jun 24)
- Re: Honeypot detection and countermeasures miguel . dilaj (Jun 18)
- Re: Honeypot detection and countermeasures Acl Proxy (Jun 19)
- SV: Honeypot detection and countermeasures Trygve Aasheim (Jun 24)
  - Re: SV: Honeypot detection and countermeasures dave (Jun 24)
- RE: Honeypot detection and countermeasures Rob Shein (Jun 24)

(Thread continues...)