Re: Honeypot detection and countermeasures

From: Blake Matheny (bmatheny@mkfifo.net)
Date: Wed Jun 18 2003 - 09:23:59 EDT

• Next message: exon: "Re: Noisy port scans"
• Previous message: vruy@chez.com: "SMB "sniffer""
• In reply to: Larry Colen: "Honeypot detection and countermeasures"
• Next in thread: Acl Proxy: "Re: Honeypot detection and countermeasures"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

There are several techniques to detect honeypots. 4tphi had released this
(http://lists.insecure.org/lists/honeypots/2002/Oct-Dec/0029.html) in late
2002 for determining whether you are in a VMWare session. There are several
attacks against honeynet (looking for rate limiting, checking known exploits,
etc.). I'd suggest looking at the honeynet site. As Lance says, "... we are
not perfect", which I think can be used to an advantage.

-Blake

Whatchu talkin' 'bout, Willis?
> I'm doing some research on honeypot detection, and preventing
> honeypots from being detected. I'd greatly appreciate some feedback
> from pen-testers on the following issues:
>
> Do you worry about being detected by honeypots?
>
> When you do a pen-test, do you already know of the existence of
> honeypots, and their location, so that it is an easy matter to avoid
> them?
>
> If you are concerned about honeypots, how do you test to see if the
> system under attack is a honeypot or a production machine?
>
> Thanks,
> Larry
>
>
>
> ---------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
> world's premier technical IT security event! 10 tracks, 15 training sessions,
> 1,800 delegates from 30 nations including all of the top experts, from CSO's to
> "underground" security specialists. See for yourself what the buzz is about!
> Early-bird registration ends July 3. This event will sell out. www.blackhat.com
> ----------------------------------------------------------------------------
>

-- 
Blake Matheny           "... one of the main causes of the fall of the
bmatheny@mkfifo.net      Roman Empire was that, lacking zero, they had
http://www.mkfifo.net    no way to indicate successful termination of
http://ovmj.org/GNUnet/  their C programs." --Robert Firth
---------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

• Next message: exon: "Re: Noisy port scans"
• Previous message: vruy@chez.com: "SMB "sniffer""
• In reply to: Larry Colen: "Honeypot detection and countermeasures"
• Next in thread: Acl Proxy: "Re: Honeypot detection and countermeasures"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:34 EDT