RE: Honeypot detection and countermeasures

From: Rob Shein (shotenat_private)
Date: Mon Jun 23 2003 - 06:58:14 PDT


    This wouldn't work.  Seeing the packets/traffic on the wire doesn't tell you
    the tools that are used, and it also doesn't really give you much else.
    Considering that a honeypot is either not really rootable (DTK) or is very
    low hanging fruit (and very rootable, like a honeynet.org system), they
    either won't see tools downloaded to the system or won't see anything more
    than the bare minimum needed to exploit a system that is too vulnerable to
    begin with.  
    
    > -----Original Message-----
    > From: Michael Boman [mailto:michael.bomanat_private] 
    > Sent: Wednesday, June 18, 2003 11:32 PM
    > To: Larry Colen
    > Cc: Brass, Phil (ISS Atlanta); pen-testat_private
    > Subject: Re: Honeypot detection and countermeasures
    > 
    > 
    > On Wed, 2003-06-18 at 10:15, Larry Colen wrote:
    > > Good point. I was more envisioning a scenario where the client was 
    > > testing the whole security system, including the honeypots. I.e. 
    > > hiring a pen-tester without giving the pen-tester any knowledge of the
    > > system beforehand.
    > > 
    > > If I seem like a clueless newbie, I hope that I at least seem like a
    > > polite clueless newbie. I'll crawl back into my hole and lurk a bit
    > > more.
    > > 
    > >    Larry
    > > 
    > 
    > There is a viable scenario for this. Let's say ACME Inc. 
    > wants to do their own pen-tests because they
    >  - Don't like to pay outsiders to do it
    >  - Want to compete with the company
    >  - They want to steal their tools and techniques
    >  - insert your own paranoid explanation for the "why" bit
    > 
    > They hire a group of people to hack their systems and record 
    > everything so once the exercise is over ACME Inc. now knows 
    > the tools and techniques of that particular pen test group.
    > 
    > It's unlikely, but possible. Hasn't happened to me (yet).
    > 
    > Best regards
    >  Michael Boman
    > 
    > -- 
    > Michael Boman
    > Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com
    > 
    
    
    



    This archive was generated by hypermail 2b30 : Mon Jun 23 2003 - 13:53:12 PDT