Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: SV: Honeypot detection and countermeasures
From: "Lampe, John W." <JWLAMPE () GAPAC com>
Date: Tue, 24 Jun 2003 12:20:42 -0400

If you lump LaBrea in with these honeypots (and I don't see why you wouldn't), then the check is trivial (in fact, 
NESSUS can optionally check for the existence of LaBrea prior to launching nmap...that's nice)

some of the pricey honeypots (hi ManTrap) are trivial as well.  

And, when youve found some anomalous box on the network, it's always nifty to run a blackbox IP ID scanner against it 
(i.e. if the machine uses simple incrementing IP IDs, then record the ID every minute for a couple of days, then check 
back to see when the box traffic peaks...you might not find a honeypot, but you'll find lots of those reverse proxy / 
vpn thingees)



-----Original Message-----
From: dave () immunitysec com [mailto:dave () immunitysec com] 
Sent: Tuesday, June 24, 2003 10:45 AM
To: pen-test () securityfocus com
Subject: Re: SV: Honeypot detection and countermeasures


Well, that's a great way to think about it - as a test of 
your countermeasures. In fact, there are MANY ways to both 
remotely and locally detect various breeds of honeypots. 
VMWare, for example, uses a particular range of MAC 
addresses, among other things. I always find it funny when 
people use VMWare as a security measure.

But (imho) it's a truly RARE penetration test team that will 
notice some of these subtle things, and basically no 
pentration test teams can remotely discover a honeypot - the 
technology for doing so just isn't public enough yet. (Well, 
I just gave away that MAC address trick, but it's limited to 
the local net, and there are lots of other, better tricks).

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/






But...the last thing, since that was commented (but was 
removed from 
the thread I'm answering on). If you hire a company to do a 
pentest, 
of course you don't tell them about your countermessaures. 
The pentest 
is the exam for the system you have deployed, and the guys 
that tests 
you are the examiners. The result from the pentest should/might 
include that, yes, they found the honeypots, and it distracted them 
for some time before they understood what they had hit (a 
honeypot is 
just another countermeassure), and then the rest of the 
report comes.

If you want to pentest a new service, then of course point them at 
that service. If you want to pentest your company...then 
that's what 
you tell them.

Regards,
Trygve Aasheim
Manager, Network Security



-----Opprinnelig melding-----
Fra: Rob Shein [mailto:shoten () starpower net]
Sendt: 23. juni 2003 15:58
Til: 'Michael Boman'; 'Larry Colen'
Kopi: 'Brass, Phil (ISS Atlanta)'; pen-test () securityfocus com
Emne: RE: Honeypot detection and countermeasures


This wouldn't work.  Seeing the packets/traffic on the wire doesn't 
tell you the tools that are used, and it also doesn't 
really give you 
much else. Considering that a honeypot is either not really 
rootable 
(DTK) or is very low hanging fruit (and very rootable, like a 
honeynet.org system), they either won't see tools downloaded to the 
system or won't see anything more than the bare minimum needed to 
exploit a system that is too vulnerable to begin with.

-----Original Message-----
From: Michael Boman [mailto:michael.boman () securecirt com]
Sent: Wednesday, June 18, 2003 11:32 PM
To: Larry Colen
Cc: Brass, Phil (ISS Atlanta); pen-test () securityfocus com
Subject: Re: Honeypot detection and countermeasures


On Wed, 2003-06-18 at 10:15, Larry Colen wrote:
Good point. I was more envisioning a scenario where the 
client was 
testing the whole security system, including the honeypots. I.e. 
hiring a pen-tester without giving the pen-tester any
knowldege of the
system before hand.

If I seem like a clueless newbie, I hope that I at least
seem like a
polite clueless newbie. I'll crawl back into my hole and 
lurk a bit 
more.

   Larry


There is a viable scenario for this. Let's say ACME Inc. 
wants to do 
their own pen-tests because they
 - Don't like to pay outsiders to do it
 - Want to compete with the company
 - They want to steal their tools and techniques
 - insert your own paranoid explanation for the "why" bit

They hire a group of people to hack their systems and record 
everything so once the exercise is over ACME Inc. now 
knows the tools 
and techniques of that particular pen test group.

It's unlikely, but possible. Haven't happen to me (yet).

Best regards
 Michael Boman

--
Michael Boman
Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com





--------------------------------------------------------------
-------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? 
Now you can get 
trustworthy commercial-grade exploits and the latest 
techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
--------------------------------------------------------------
--------------


---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get 
trustworthy commercial-grade exploits and the latest techniques from a 
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 
or call 617-399-6980
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]