Penetration Testing mailing list archives
Re: Honeypot detection and countermeasures
From: miguel.dilaj () pharma novartis com
Date: Wed, 18 Jun 2003 09:53:39 +0200
Hi Larry,

As a general rule, if I've been hired for a pen-test, I don't worry too much about being detected by a honeypot (but on the personal side, perhaps I'll feel a little bad ;-)

Sometimes, when there's a honeypot (or even NIDS), I've been informed in advance, sometimes not... it's up to the company that's hiring me, but I think that this always came on the table when we discussed the results.

A honeypot can usually be seen as low hanging fruit (not a general rule), at least when compared with other systems on the same network. So you've to distrust such a system.

Other than distrusting the low hanging fruit, a honeypot could be seen as a "no-clear-purpose" machine. So this is another bit to add to your "distrust feeling".

There're some very clear cases, for example a host with DTK with default installation, that can be easily avoided upon detecting them.

Cheers,
Miguel aka Nekromancer

Larry Colen <lrcrypto () red4est com>
17/06/2003 23:03
To: pen-test () securityfocus com
cc:
Subject: Honeypot detection and countermeasures

Do you worry about being detected by honeypots?

When you do a pen-test, do you already know of the existence of honeypots, and their location, so that it is an easy matter to avoid them?

If you are concerned about honeypots, how do you test to see if the system under attack is a honeypot or a production machine?