Penetration Testing mailing list archives

Re: Honeypot detection and countermeasures
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 23 Jun 2003 19:48:14 -0700

On June 23, 2003 06:58 am, Rob Shein wrote:
This wouldn't work.  Seeing the packets/traffic on the wire doesn't tell
you the tools that are used, and it also doesn't really give you much else.
Considering that a honeypot is either not really rootable (DTK) or is very
low hanging fruit (and very rootable, like a honeynet.org system), they
either won't see tools downloaded to the system or won't see anything more
than the bare minimum needed to exploit a system that is too vulnerable to
begin with.

Putting on my Honeynet Project hat...

I think you presume too much about honeypots.
There are _many_ varieties of honeypots.

Some more rootable than others, some more detectable than others.
And it's also possible to instrument them with many other monitoring 
systems besides just sniffing traffic in and out. I'll leave the specifics
as an exercise for the reader.... :-) but they range from running inside
VMware to instrumented OS loads and even special hardware in some 

Lately the Honeynet Alliance folks have been deploying
other systems besides your typical low hanging fruit. Different 
honeypots gather different data. It all depends on what you
are trying to catch.

Beware the Jabberwock...


pgpkey http://dragos.com/ kyxpgp
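One concrete instance of the "some more detectable than others" point above, added here as an example and not part of Dragos's post or any Honeynet Project code: a honeypot guest running inside VMware gets its NIC MAC addresses from VMware's own OUI ranges, so an attacker who lands a shell can read the interface list and compare. The OUI set below is what VMware has used for virtual NICs (00:05:69, 00:0C:29, 00:1C:14, 00:50:56); the ifconfig-style output is constructed for the example, and the function names are this example's own.

```python
# Added example, not from the original post: flag a VMware guest from its
# interface MAC addresses. OUI set is VMware's published virtual-NIC
# prefixes; sample outputs below are constructed, not captured from a host.
import re

VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Matches aa:bb:cc:dd:ee:ff as printed by ifconfig / ip link.
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")


def extract_macs(text):
    """Return every MAC address found in interface-listing output, lowercased."""
    return [m.lower() for m in MAC_RE.findall(text)]


def vmware_macs(text):
    """Return only the MACs whose OUI (first three octets) belongs to VMware."""
    return [mac for mac in extract_macs(text) if mac[:8] in VMWARE_OUIS]


def looks_like_vmware_guest(text):
    """True if at least one interface carries a VMware OUI."""
    return bool(vmware_macs(text))


# Constructed sample output: one VMware guest, one box with a vendor NIC.
SAMPLE_GUEST = """eth0      Link encap:Ethernet  HWaddr 00:0C:29:3A:7B:1C
          inet addr:10.0.0.5  Bcast:10.0.0.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
"""
SAMPLE_PHYSICAL = """eth0      Link encap:Ethernet  HWaddr 00:E0:81:22:9F:A0
          inet addr:10.0.0.6  Bcast:10.0.0.255  Mask:255.255.255.0
"""

if __name__ == "__main__":
    for name, out in (("guest", SAMPLE_GUEST), ("physical", SAMPLE_PHYSICAL)):
        print(name, vmware_macs(out), looks_like_vmware_guest(out))
```

The check cuts both ways, which is the thread's point: a VMware OUI is only a hint (plenty of production hosts are virtual too), and a honeypot operator who cares about detectability can set the guest's MAC to a hardware vendor's prefix, so a negative result says nothing either.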

