Well, that's a great way to think about it - as a test of your countermeasures. In fact, there are MANY ways to both remotely and locally detect various breeds of honeypots. VMWare, for example, uses a particular range of MAC addresses, among other things. I always find it funny when people use VMWare as a security measure. But (imho) it's a truly RARE penetration test team that will notice some of these subtle things, and basically no penetration test teams can remotely discover a honeypot - the technology for doing so just isn't public enough yet. (Well, I just gave away that MAC address trick, but it's limited to the local net, and there are lots of other, better tricks).

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/

> But...the last thing, since that was commented (but was removed from the
> thread I'm answering on). If you hire a company to do a pentest, of course
> you don't tell them about your countermeasures. The pentest is the exam
> for the system you have deployed, and the guys that test you are the
> examiners. The result from the pentest should/might include that, yes,
> they found the honeypots, and it distracted them for some time before they
> understood what they had hit (a honeypot is just another countermeasure),
> and then the rest of the report comes.
>
> If you want to pentest a new service, then of course point them at that
> service. If you want to pentest your company...then that's what you tell
> them.
>
> Regards,
> Trygve Aasheim
> Manager, Network Security
>
>
> -----Original message-----
> From: Rob Shein [mailto:shotenat_private]
> Sent: 23 June 2003 15:58
> To: 'Michael Boman'; 'Larry Colen'
> Cc: 'Brass, Phil (ISS Atlanta)'; pen-testat_private
> Subject: RE: Honeypot detection and countermeasures
>
>
> This wouldn't work. Seeing the packets/traffic on the wire doesn't tell
> you the tools that are used, and it also doesn't really give you much else.
> Considering that a honeypot is either not really rootable (DTK) or is very
> low hanging fruit (and very rootable, like a honeynet.org system), they
> either won't see tools downloaded to the system or won't see anything more
> than the bare minimum needed to exploit a system that is too vulnerable to
> begin with.
>
>> -----Original Message-----
>> From: Michael Boman [mailto:michael.bomanat_private]
>> Sent: Wednesday, June 18, 2003 11:32 PM
>> To: Larry Colen
>> Cc: Brass, Phil (ISS Atlanta); pen-testat_private
>> Subject: Re: Honeypot detection and countermeasures
>>
>>
>> On Wed, 2003-06-18 at 10:15, Larry Colen wrote:
>> > Good point. I was more envisioning a scenario where the client was
>> > testing the whole security system, including the honeypots. I.e.
>> > hiring a pen-tester without giving the pen-tester any knowledge of the
>> > system beforehand.
>> >
>> > If I seem like a clueless newbie, I hope that I at least seem like a
>> > polite clueless newbie. I'll crawl back into my hole and lurk a bit
>> > more.
>> >
>> > Larry
>> >
>>
>> There is a viable scenario for this. Let's say ACME Inc.
>> wants to do their own pen-tests because they
>> - Don't like to pay outsiders to do it
>> - Want to compete with the company
>> - They want to steal their tools and techniques
>> - insert your own paranoid explanation for the "why" bit
>>
>> They hire a group of people to hack their systems and record
>> everything so once the exercise is over ACME Inc. now knows
>> the tools and techniques of that particular pen test group.
>>
>> It's unlikely, but possible. Hasn't happened to me (yet).
>>
>> Best regards
>> Michael Boman
>>
>> --
>> Michael Boman
>> Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com
>>
>
>
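Dave's MAC-address point, turned into the check a honeypot operator would run against their own ARP table to see whether a decoy advertises a VMware vendor prefix. This is an added example, not code from anyone in the thread; the OUI set is the well-known VMware assignment (assumed current, extend as needed) and the ARP lines are constructed.

```python
import re

# Well-known VMware OUI prefixes (assumed from the IEEE registry; extend as needed).
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# One "arp -an" style line: "? (192.0.2.10) at 00:0c:29:ab:cd:ef [ether] on eth0"
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9A-Fa-f:.-]{12,17})")


def normalize_mac(raw):
    """Return a MAC as lower-case colon-separated octets, or raise ValueError."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui(mac):
    """Vendor prefix: the first three octets of the normalized MAC."""
    return normalize_mac(mac)[:8]


def is_vmware_mac(mac):
    """True if the OUI is VMware's, i.e. the address reveals a VM guest."""
    return oui(mac) in VMWARE_OUIS


def parse_arp_table(text):
    """Return (ip, mac) pairs from arp -an output; entries without a valid MAC are skipped."""
    pairs = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # e.g. "<incomplete>" entries carry no hardware address
        try:
            pairs.append((m.group("ip"), normalize_mac(m.group("mac"))))
        except ValueError:
            pass  # malformed address: skip rather than misclassify
    return pairs


def audit(text):
    """IPs in the ARP table whose MAC advertises a VMware guest."""
    return [ip for ip, mac in parse_arp_table(text) if is_vmware_mac(mac)]


# Constructed sample: two VMware guests, one physical host, one unresolved entry.
SAMPLE_ARP = """\
? (192.0.2.10) at 00:0c:29:ab:cd:ef [ether] on eth0
? (192.0.2.11) at 00-50-56-12-34-56 [ether] on eth0
? (192.0.2.12) at 3c:22:fb:aa:bb:cc [ether] on eth0
? (192.0.2.13) at <incomplete> on eth0
"""
```

Run `audit(SAMPLE_ARP)` against real `arp -an` output to list the hosts on the segment whose vendor prefix gives the virtualization layer away; a decoy that appears there needs its MAC changed.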
This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 08:48:18 PDT