From: Michael Boman [mailto:michael.boman () securecirt com]
Sent: Tuesday, June 24, 2003 10:03 AM
To: Rob Shein
Cc: 'John Public'; 'Larry Colen'; 'Brass, Phil (ISS Atlanta)'; pen-test () securityfocus com; 'Lance Spitzner'
Subject: RE: Honeypot detection and countermeasures
On Tue, 2003-06-24 at 21:48, Rob Shein wrote:
First off, I still maintain that watching the attack will NOT tell you which tool was used. Watching the attack AND being familiar with the tool(s) will, but in and of itself, you don't see a series of attacks on a web server and say "ah, that was Nessus, not just whisker, and you can download it from www.nessus.org!" If you see a buffer overflow against a real server, you don't automatically know what and where to get it (or how to use it). And you certainly wouldn't know the difference between a non-safe Nessus plugin that a system and the real overflow attack, but with an error so gain root. You have to be familiar with the tools in general to begin with, and since the whole scenario started with a company who was going to observe a pen test to try and figure out how to do one, I would presume that they lack that knowledge.
Didn't expect my reply to heat up the thread so much, but I feel like I need to put more wood on the fire:
If a honeypot / honeynet can't get the tools used, how come every single "research" honeypot dump I've seen so far has a collection of tools that have been used? Because the attacker put them there, of course! If you need a springboard into a network (happens to me more often than you think), you need to put at least a small collection of tools on the server. Now, what if those tools were copied somewhere else?
Of course, if you get yourself a talk-the-talk PT guy/company, all the tools can already be found on the net. But there are PT guys/companies that have a collection of lesser known/unknown tools. From my point of view the only difference between a good guy/company (PT vendor) and a bad guy (script kiddie, 'leet hacker) is that the good guy asks for permission and gives a report, while you will never hear from the bad guy.
When it comes to PT companies, the in-house/limited-exposure tools would be counted as trade secrets and intellectual property (for a limited time, until they hit pen-test/bugtraq). But nevertheless the tools are what separate them from the rest.
Seriously, would you pay big bucks for someone to run Nessus against the systems when you can just DIY such a test yourself?
Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com