Re: Honeypot detection and countermeasures

From: Gerardo Richarte (geraat_private)
Date: Tue Jun 24 2003 - 14:00:33 PDT

Next message: Henry O. Farad: "Re: Honeypot detection and countermeasures"

Previous message: Lampe, John W.: "RE: SV: Honeypot detection and countermeasures"
Maybe in reply to: Larry Colen: "Honeypot detection and countermeasures"
Next in thread: Henry O. Farad: "Re: Honeypot detection and countermeasures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Larry Colen wrote:

 > I'm doing some research on honeypot detection, and preventing
 > honeypots from being detected. I'd greatly appreciate some feedback
 > from pen-testers on the following issues:

    I find this an interesting subject.

    IMHO, when somebody is paying you/me to do a pen-test he's not
only trying to find what hosts can be hacked into, but instead he's willing
to test the security of the complete organization, and here I'm being, I 
think, a
little more open than most people. The whole system includes not only
servers and networks, but also (oh well... this is not new) people, 
stablished
trust relationships, etc.

    If there is a honeypot in place, or NIDS or firewall or whatever 
security
appliance or policy. I would expect my client to try to find how usefull 
this
tools are for securing the organization. If I hack into a honeypot, I would
report it back, and I would expect somebody from the security team to
realize I'm hacking into the honeypot (or looking at NIDS or firewalls 
alerts).
If nobody reacts to the alerts, well... although I hacked into a honeypot,
I could say I found a security flaw in the organization, because one of the
countermeassures was not effective.

    So, to wrap up this too-long mail, if there is a honeypot in the 
net, I would
try to avoid hacking into it, and do everything a hacker would do to 
detect it,
because I'm being paid to tell my client how vulnerable the organization 
would
be to a real attack, and well... I tend to think attackers are as smart 
as I can
be when emulating them as part of a pen-test.

    All this said, of course the client an choose to ask you not to 
target honeypots,
or can just tell you what IPs are honeypots, but this would be changing 
the attacker
profile, either to a "script kiddie", who will not be carefull with 
honeypots, or to
an advanced attacker, who will not target honeypots at all... for 
example...

    erm... yeah


    gera


---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------

Next message: Henry O. Farad: "Re: Honeypot detection and countermeasures"
Previous message: Lampe, John W.: "RE: SV: Honeypot detection and countermeasures"
Maybe in reply to: Larry Colen: "Honeypot detection and countermeasures"
Next in thread: Henry O. Farad: "Re: Honeypot detection and countermeasures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jun 24 2003 - 16:23:02 PDT