Re: A kind of Honeypot

From: Lance Spitzner (lanceat_private)
Date: Thu Jun 21 2001 - 07:45:49 PDT

  • Next message: ExpLiciT: "pen testing iis 5"

    On Wed, 20 Jun 2001, Nicolas Gregoire wrote:
    
    > I plan to make a website just for my pen-tests.
    >
    > This website grabs as much as possible info from the visitors (IP,
    > browser, proxy, etc ..), tries to exploit some common vulns of browsers
    > (Guninski's page is a good start for this) and hosts a passive
    > fingerprinting app.
    > The victims are "spammed" with some misc. content (p0rn, free CD/DVD,
    > jokes) linking (or redirecting) to the site.
    >
    > Has anybody ever do that ?
    
    Hmm, I have done this before, but for different reasons.  When I do
    assessments, I like to run a simple honeypot on my laptop.  Consider
    this a passive assessment, while you are out looking for issues, things
    might come looking for you (viruses, trojans, scanners, etc).  Good way
    to find is someone is being naughty.  For example, one time I was conducting
    an assessment of a organization in Asia.  Thirty minutes prior to a
    presentation I was to give to the board of directors, my laptop was attacked,
    as an attacker was scanning the company's network.  The honeypot software was
    attacked, and recorded the entire session.
    
    This was great evidence to give to the board of directors, as it validated
    to them why I was conducting the assessment.  I had proof that the bad
    guys were hitting their network, and the attackers were not friendly.
    
    At the time I was using BOF by NFR, but this is no longer available.
    One commercial honeypot solution that may work for you laptop is Specter
    (www.specter.com).
    
    lance
    



    This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 13:27:50 PDT