Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Honeypot detection and countermeasures
From: "Rob Shein" <shoten () starpower net>
Date: Mon, 23 Jun 2003 09:58:14 -0400

This wouldn't work.  Seeing the packets/traffic on the wire doesn't tell you
the tools that are used, and it also doesn't really give you much else.
Considering that a honeypot is either not really rootable (DTK) or is very
low hanging fruit (and very rootable, like a honeynet.org system), they
either won't see tools downloaded to the system or won't see anything more
than the bare minimum needed to exploit a system that is too vulnerable to
begin with.  

-----Original Message-----
From: Michael Boman [mailto:michael.boman () securecirt com] 
Sent: Wednesday, June 18, 2003 11:32 PM
To: Larry Colen
Cc: Brass, Phil (ISS Atlanta); pen-test () securityfocus com
Subject: Re: Honeypot detection and countermeasures

On Wed, 2003-06-18 at 10:15, Larry Colen wrote:
Good point. I was more envisioning a scenario where the client was 
testing the whole security system, including the honeypots. I.e. 
hiring a pen-tester without giving the pen-tester any 
knowldege of the 
system before hand.

If I seem like a clueless newbie, I hope that I at least 
seem like a 
polite clueless newbie. I'll crawl back into my hole and lurk a bit 


There is a viable scenario for this. Let's say ACME Inc. 
wants to do their own pen-tests because they
 - Don't like to pay outsiders to do it
 - Want to compete with the company
 - They want to steal their tools and techniques
 - insert your own paranoid explanation for the "why" bit

They hire a group of people to hack their systems and record 
everything so once the exercise is over ACME Inc. now knows 
the tools and techniques of that particular pen test group.

It's unlikely, but possible. Haven't happen to me (yet).

Best regards
 Michael Boman

Michael Boman
Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com

Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]