RE: Honeypot detection and countermeasures

From: Rob Shein (shoten@starpower.net)
Date: Mon Jun 23 2003 - 09:58:14 EDT


This wouldn't work. Seeing the packets/traffic on the wire doesn't tell you
the tools that are used, and it also doesn't really give you much else.
Considering that a honeypot is either not really rootable (DTK) or is very
low hanging fruit (and very rootable, like a honeynet.org system), they
either won't see tools downloaded to the system or won't see anything more
than the bare minimum needed to exploit a system that is too vulnerable to
begin with.

> -----Original Message-----
> From: Michael Boman [mailto:michael.boman@securecirt.com]
> Sent: Wednesday, June 18, 2003 11:32 PM
> To: Larry Colen
> Cc: Brass, Phil (ISS Atlanta); pen-test@securityfocus.com
> Subject: Re: Honeypot detection and countermeasures
>
>
> On Wed, 2003-06-18 at 10:15, Larry Colen wrote:
> > Good point. I was more envisioning a scenario where the client was
> > testing the whole security system, including the honeypots. I.e.
> > hiring a pen-tester without giving the pen-tester any
> > knowledge of the system beforehand.
> >
> > If I seem like a clueless newbie, I hope that I at least seem like a
> > polite clueless newbie. I'll crawl back into my hole and lurk a bit
> > more.
> >
> > Larry
> >
>
> There is a viable scenario for this. Let's say ACME Inc.
> wants to do their own pen-tests because they
> - Don't like to pay outsiders to do it
> - Want to compete with the company
> - They want to steal their tools and techniques
> - insert your own paranoid explanation for the "why" bit
>
> They hire a group of people to hack their systems and record
> everything so once the exercise is over ACME Inc. now knows
> the tools and techniques of that particular pen test group.
>
> It's unlikely, but possible. Hasn't happened to me (yet).
>
> Best regards
> Michael Boman
>
> --
> Michael Boman
> Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com
>


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT