RE: Honeypot detection and countermeasures

From: Michael Boman (michael.boman@securecirt.com)
Date: Tue Jun 24 2003 - 10:02:51 EDT

• Next message: Rob Shein: "RE: Honeypot detection and countermeasures"
• Previous message: Rob Shein: "RE: Honeypot detection and countermeasures"
• In reply to: Rob Shein: "RE: Honeypot detection and countermeasures"
• Next in thread: Rob Shein: "RE: Honeypot detection and countermeasures"
• Reply: Rob Shein: "RE: Honeypot detection and countermeasures"
• Reply: Bojan Zdrnja: "RE: Honeypot detection and countermeasures"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Tue, 2003-06-24 at 21:48, Rob Shein wrote:
> First off, I still maintain that watching the attack will NOT tell you which
> tool was used. Watching the attack AND being familiar with the tool(s)
> will, but in of itself, you don't see a series of attacks on a web server
> and say "ah, that was Nessus, not just whisker, and you can download it from
> www.nessus.org!" If you see a buffer overflow against a real server, you
> don't automatically know what it's called, and where to get it (or how to
> use it). And you certainly wouldn't know the difference between a non-safe
> Nessus plugin that only crashes a system and the real overflow attack, but
> with an error so it doesn't gain root. You have to be familiar with the
> tools in general to begin with, and since the whole scenario started with a
> company who was going to observe a pen test to try and figure out how to do
> one, I would presume that they lack that knowledge.

Didn't expect my reply heating up the thread so much, but I feel like I
need to put more wood on the fire:

If a honeypot / honeynet can't get the tools used, how come every single
"research" honeypot dump I've seen so far have a collection of tools
that has been used? Because the attacker put them there of course! If
you need a spring board into a network (happens to me more often then
you think) you need to put at least a small collection of tools on the
server. Now, what if those tools were copied somewhere else?

Of course, if you get yourself a talk-the-talk PT guy/companies, all the
tools can already be found on the net. But there are PR guys/companies
that has a collection of lesser known/unknown tools. From my point of
view the only difference between a good guy/company (PT vendor) and a
bad guy (script kiddie, 'leet hacker) is the good guy asks for
permission and gives a report, while you will never hear form the bad
guy.

When it comes to PT companies the in-house/limited exposure tools would
be counted as trade secrets and intellectual properties (for a limited
time, until they hit pen-test/bugtraq). But never the less the tools are
what separate them from the rest.

Seriously, would you pay big bucks for someone to run Nessus against the
systems when you can just DIY such test yourself?

Best regards
 Michael Boman

-- 
Michael Boman
Security Architect, SecureCiRT Pte Ltd
http://www.securecirt.com

• application/pgp-signature attachment: This is a digitally signed message part

• Next message: Rob Shein: "RE: Honeypot detection and countermeasures"
• Previous message: Rob Shein: "RE: Honeypot detection and countermeasures"
• In reply to: Rob Shein: "RE: Honeypot detection and countermeasures"
• Next in thread: Rob Shein: "RE: Honeypot detection and countermeasures"
• Reply: Rob Shein: "RE: Honeypot detection and countermeasures"
• Reply: Bojan Zdrnja: "RE: Honeypot detection and countermeasures"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT