Penetration Testing mailing list archives

Re: Honeypot detection and countermeasures
From: Þórhallur Hálfdánarson <tolli () tol li>
Date: Wed, 25 Jun 2003 00:39:58 +0000


Maybe I'm pointing out something said many times before, but I guess that comes with newcomers. :)

-*- Henry O. Farad <lrcrypto () red4est com> [ 2003-06-24 23:36 ]:
> 1) On pen-testing and honeypots:
>
> This is the question I asked, rather than the one that I meant to
> ask. In many cases, the customer will say "Don't bother attacking
> these systems, they are honeypots". In this case the pen tester will
> end up testing the security of the "production machines" without
> wasting time on the honeypots. However, this will not test the system
> as a whole, since the honeypots are part of the complete security
> scenario.

Some points on situations where you have little or no information up front on the target.

The client will probably want to know how easily identifiable his honeypots are, before access has been gained on the honeypot.  If a decoy is a part of the security measures, it should be working.

Then again, the client might have gotten the idea to disguise a production system as a honeypot to distract intruders... so I guess you'll have to perform the pentest anyway. ;)  Although, as most intruders would, save it 'til the end.

For different client requests (like Acl Proxy mentioned), this obviously does not apply.


On a side note, Michael Boman brought up an interesting point:
"There is a viable scenario for this. Let's say ACME Inc. wants to do their own pen-tests because they [...] want to steal their tools and techniques".

A question crossed my mind yesterday that's related to this -- "Do pentesters have clauses in their contracts regarding the client re-using the methods used by pentesters" -- that is for knowledge gained by the client from information not-in-the-report, but through devices tested.


-- 
Tolli
tolli () tol li
