Honeypots mailing list archives

Re: Commercial anti-honeypot tool
From: "KeyFocus" <support () keyfocus net>
Date: Tue, 13 Jan 2004 01:10:21 -0000

Wouldn't it be easy for a honeypot to detect "Hon.eypot Hun.ter"
simply by looking for SOCKS clients that make connection requests
back to their own IP on port 25? For these connections, the
honeypot could provide full SOCKS functionality.

You're making the assumption that the injecting IP address and the
destination IP address are in the same address range.  There's nothing
that says that the thing can't at least in theory come from 66.112.34.98
or someplace, and ask to connect to 12.34.98.64, which is running a
packet forwarder back to the 66. address.

Well, that's the way it works in the current version of H.H.
Once they smarten up and do what you say they will be much harder to detect.

- Tom
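
The check discussed in this message, as an added example that is not part of the original post or of any honeypot product: it parses a client's SOCKS4 or SOCKS5 CONNECT request and flags one that asks to be connected back to the client's own source IP on port 25. Function names and sample requests are constructed for illustration; the last sample is the forwarder case raised in the reply, which this check does not catch.

```python
import ipaddress
import struct

SMTP_PORT = 25

def parse_connect(request: bytes):
    """Return (dest_host, dest_port) for a SOCKS4/SOCKS5 CONNECT request, else None."""
    if len(request) < 2 or request[1] != 1:    # only CONNECT (command 1) matters here
        return None
    if request[0] == 4 and len(request) >= 9:  # SOCKS4: VN CD DSTPORT(2) DSTIP(4) USERID NUL
        (port,) = struct.unpack("!H", request[2:4])
        return str(ipaddress.IPv4Address(request[4:8])), port
    if request[0] == 5 and len(request) >= 7:  # SOCKS5: VER CMD RSV ATYP ADDR PORT(2)
        atyp = request[3]
        if atyp == 1 and len(request) >= 10:                # IPv4 address
            host, end = str(ipaddress.IPv4Address(request[4:8])), 8
        elif atyp == 4 and len(request) >= 22:              # IPv6 address
            host, end = str(ipaddress.IPv6Address(request[4:20])), 20
        elif atyp == 3 and len(request) >= 7 + request[4]:  # length-prefixed domain name
            n = request[4]
            host, end = request[5:5 + n].decode("ascii", "replace"), 5 + n
        else:
            return None
        (port,) = struct.unpack("!H", request[end:end + 2])
        return host, port
    return None

def is_self_test(client_ip: str, request: bytes) -> bool:
    """True when the client asks the proxy to connect back to its own IP on port 25."""
    parsed = parse_connect(request)
    if parsed is None:
        return False
    host, port = parsed
    try:
        same = ipaddress.ip_address(host) == ipaddress.ip_address(client_ip)
    except ValueError:  # domain-name destination: not comparable without resolving it
        same = False
    return same and port == SMTP_PORT

# Constructed sample requests (RFC 5737 documentation addresses, not real hosts).
CLIENT = "192.0.2.10"
SOCKS4_SELF = b"\x04\x01\x00\x19" + bytes([192, 0, 2, 10]) + b"\x00"
SOCKS5_SELF = b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + b"\x00\x19"
# Forwarder case from the reply: destination differs from the client, so no match.
SOCKS5_RELAY = b"\x05\x01\x00\x01" + bytes([198, 51, 100, 7]) + b"\x00\x19"
```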

