They have collections of tools, yes...but can you learn to pen-test from that collection? Absolutely not. The point here is "can you learn to be a pen-tester by having a single pen-test done against your honeypot?" The answer is still no.

> -----Original Message-----
> From: Michael Boman [mailto:michael.bomanat_private]
> Sent: Tuesday, June 24, 2003 10:03 AM
> To: Rob Shein
> Cc: 'John Public'; 'Larry Colen'; 'Brass, Phil (ISS Atlanta)'; pen-testat_private; 'Lance Spitzner'
> Subject: RE: Honeypot detection and countermeasures
>
>
> On Tue, 2003-06-24 at 21:48, Rob Shein wrote:
> > First off, I still maintain that watching the attack will NOT tell you
> > which tool was used. Watching the attack AND being familiar with the
> > tool(s) will, but in and of itself, you don't see a series of attacks on a
> > web server and say "ah, that was Nessus, not just whisker, and you can
> > download it from www.nessus.org!" If you see a buffer overflow
> > against a real server, you don't automatically know what it's called,
> > and where to get it (or how to use it). And you certainly wouldn't
> > know the difference between a non-safe Nessus plugin that only crashes
> > a system and the real overflow attack, but with an error so it doesn't
> > gain root. You have to be familiar with the tools in general to begin
> > with, and since the whole scenario started with a company who was
> > going to observe a pen test to try and figure out how to do one, I
> > would presume that they lack that knowledge.
>
> Didn't expect my reply heating up the thread so much, but I
> feel like I need to put more wood on the fire:
>
> If a honeypot / honeynet can't get the tools used, how come
> every single "research" honeypot dump I've seen so far has a
> collection of tools that have been used? Because the attacker
> put them there, of course! If you need a spring board into a
> network (happens to me more often than you think) you need to
> put at least a small collection of tools on the server. Now,
> what if those tools were copied somewhere else?
>
> Of course, if you get yourself a talk-the-talk PT
> guy/company, all the tools can already be found on the net.
> But there are PT guys/companies that have a collection of
> lesser known/unknown tools. From my point of view the only
> difference between a good guy/company (PT vendor) and a bad
> guy (script kiddie, 'leet hacker) is the good guy asks for
> permission and gives a report, while you will never hear from
> the bad guy.
>
> When it comes to PT companies the in-house/limited exposure
> tools would be counted as trade secrets and intellectual
> property (for a limited time, until they hit
> pen-test/bugtraq). But nevertheless the tools are what
> separate them from the rest.
>
> Seriously, would you pay big bucks for someone to run Nessus
> against the systems when you can just DIY such a test yourself?
>
> Best regards
> Michael Boman
>
> --
> Michael Boman
> Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 08:35:11 PDT