Penetration Testing mailing list archives

RE: How to track down a wireless hacker


From: cwright () bdosyd com au
Date: 9 Nov 2007 12:37:12 -0000

CG,
Pen Testing is not forensics and incident response as much as you would like this. Forensics and Incident response are 
the other side of the argument. As for what I know on forensics, let's see. I am one of the 14 people with a GIAC GSE 
level accreditation, co-author of a forensic book and about 20 peer reviewed published papers. Oh, also post grad law 
and 15+ years experience in digital forensics (21 security).

As for Honeynets - I have run several.

You state:
"Once an ATTACKER steps past the authentication/authorization border he/she
loses all rights of expected privacy on that network. As well, entrapment
(4th amendment) applies to law enforcement etc..., which I'm not."

I find your lack of understanding of legal issues problematic. There is no relation to the 4th amendment and these 
actions. Neither did I mention entrapment. An attacker does not lose any rights. There is no legal recourse to attack 
back or retaliate. As much as you may not like it - this is how it works. Further, the attack may originate from an 
innocent 3rd party. The law does not work on the principle of an eye for an eye.

How do you propose to find these leads? You seem to be stating that placing data somewhere will lead to a capture. 
Please explain how.
I see this as a simple request. I ask you to explain how this will occur. Let us forget web cookies. You have stated a 
field in a database, username and password for instance. Please explain how this will lead back to the mystery attacker?

Or is it that you are proposing that you will sniff traffic and find them post the event. That you propose making 
environmental changes that are going to be noticed?

What if the attacker sniffed the network and did not insert anything? What if they played an inactive role in the 
attack gathering information and monitoring traffic flows as occurs in most of these cases? What then?  You have made 
it sound simple, please elaborate.

Craig Wright (GSE-Compliance)




--------------------------------------------------------------------------------
From: ep [mailto:captgoodnight () hotmail com]
Sent: Fri 9/11/2007 9:24 PM
To: Craig Wright
Cc: pen-test () securityfocus com
Subject: RE: How to track down a wireless hacker


"Ah, if only all pentesters were also honeynet admins, /sigh"
First, pen-testing is a function of testing, not forensic analysis and
incident response.

Pen-testing has all the flavors of forensic analysis and incident response.
It's just the other side of the coin that's usually amiss in practice.

How do you propose to track the cookie? Are you making the assumption that
all attacks will be to a web server? Adding a cookie to a web session is a
valid response, if it is not a web session (and I saw nothing to suggest
that this attack on an internal network was) then it may not be.

It's NOT a web cookie, though in another example it could be and in fact
it's the same functional idea. More specifically it's a username and
password that belongs to (for the sake of the argument) OUR NETWORK, be it
the network the attacker sniffed them from after breaking into or the one
he/she would log into later on. That action would be a lead, from there we
could add other ingredients to create more leads... But NEVER would any
piece of data be placed on the attacker's machine that he/she didn't
knowingly place there themselves. May I say dear Craig, that simple fact
pretty much negates your remaining 'reply'. But let's continue.

Once an ATTACKER steps past the authentication/authorization border he/she
loses all rights of expected privacy on that network. As well, entrapment
(4th amendment) applies to law enforcement etc..., which I'm not.

If you are curious about the legalities of honeynets in the US then may I
suggest you visit this site http://www.honeynet.org. Also, please kindly
trim your replies.


Have fun,
--cg
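
The decoy-credential idea discussed in this thread (a planted username and password whose later use on the defender's own network becomes a lead), shown as an added example that is not part of either poster's message. The account name `svc_backup_old` is hypothetical, and the OpenSSH-style log lines and addresses are constructed for the illustration.

```python
import re
from collections import defaultdict

# Hypothetical decoy account: planted in traffic or a database field,
# never handed to a real user, so any login attempt naming it is suspect.
DECOY_USERS = {"svc_backup_old"}

# Matches OpenSSH-style password auth lines (sample data below is constructed).
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

SAMPLE_LOG = """\
Nov  9 10:02:11 gw sshd[4121]: Accepted password for alice from 192.0.2.10 port 50122 ssh2
Nov  9 10:14:37 gw sshd[4188]: Failed password for svc_backup_old from 198.51.100.23 port 41870 ssh2
Nov  9 10:14:52 gw sshd[4190]: Failed password for svc_backup_old from 198.51.100.23 port 41872 ssh2
Nov  9 10:20:03 gw sshd[4201]: Failed password for bob from 192.0.2.44 port 39001 ssh2
Nov  9 11:05:40 gw sshd[4302]: Accepted password for svc_backup_old from 203.0.113.7 port 52210 ssh2
"""


def decoy_hits(log_text, decoys=DECOY_USERS):
    """Return {source: [(timestamp, result), ...]} for attempts naming a decoy."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m and m["user"] in decoys:
            # Success or failure is irrelevant: nobody legitimate knows this name.
            hits[m["src"]].append((m["ts"], m["result"]))
    return dict(hits)


if __name__ == "__main__":
    for src, events in decoy_hits(SAMPLE_LOG).items():
        # A source address is a lead to investigate, not an identity:
        # it may be a relay or an innocent third party.
        print(src, events)
```

The detector only fires when the planted credentials are actually replayed against the monitored service; traffic that is sniffed and never used produces no hits.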

