Re: SV: Honeypot detection and countermeasures

From: dave@immunitysec.com
Date: Tue Jun 24 2003 - 10:44:33 EDT


Well, that's a great way to think about it - as a test of your
countermeasures. In fact, there are MANY ways to both remotely and locally
detect various breeds of honeypots. VMWare, for example, uses a particular
range of MAC addresses, among other things. I always find it funny when
people use VMWare as a security measure.

But (imho) it's a truly RARE penetration test team that will notice some
of these subtle things, and basically no penetration test teams can
remotely discover a honeypot - the technology for doing so just isn't
public enough yet. (Well, I just gave away that MAC address trick, but
it's limited to the local net, and there are lots of other, better
tricks).

Dave Aitel
Immunity, Inc.
http://www.immunitysec.com/

>
> But...the last thing, since that was commented (but was removed from the
> thread I'm answering on). If you hire a company to do a pentest, of course
> you don't tell them about your countermeasures. The pentest is the exam
> for the system you have deployed, and the guys that test you are the
> examiners. The result from the pentest should/might include that, yes,
> they found the honeypots, and it distracted them for some time before they
> understood what they had hit (a honeypot is just another countermeasure),
> and then the rest of the report comes.
>
> If you want to pentest a new service, then of course point them at that
> service. If you want to pentest your company...then that's what you tell
> them.
>
> Regards,
> Trygve Aasheim
> Manager, Network Security
>
>
>
> -----Original Message-----
> From: Rob Shein [mailto:shoten@starpower.net]
> Sent: 23 June 2003 15:58
> To: 'Michael Boman'; 'Larry Colen'
> Cc: 'Brass, Phil (ISS Atlanta)'; pen-test@securityfocus.com
> Subject: RE: Honeypot detection and countermeasures
>
>
> This wouldn't work. Seeing the packets/traffic on the wire doesn't tell
> you the tools that are used, and it also doesn't really give you much else.
> Considering that a honeypot is either not really rootable (DTK) or is very
> low hanging fruit (and very rootable, like a honeynet.org system), they
> either won't see tools downloaded to the system or won't see anything more
> than the bare minimum needed to exploit a system that is too vulnerable to
> begin with.
>
>> -----Original Message-----
>> From: Michael Boman [mailto:michael.boman@securecirt.com]
>> Sent: Wednesday, June 18, 2003 11:32 PM
>> To: Larry Colen
>> Cc: Brass, Phil (ISS Atlanta); pen-test@securityfocus.com
>> Subject: Re: Honeypot detection and countermeasures
>>
>>
>> On Wed, 2003-06-18 at 10:15, Larry Colen wrote:
>> > Good point. I was more envisioning a scenario where the client was
>> > testing the whole security system, including the honeypots. I.e.
>> > hiring a pen-tester without giving the pen-tester any
>> knowledge of the
>> > system beforehand.
>> >
>> > If I seem like a clueless newbie, I hope that I at least
>> seem like a
>> > polite clueless newbie. I'll crawl back into my hole and lurk a bit
>> > more.
>> >
>> > Larry
>> >
>>
>> There is a viable scenario for this. Let's say ACME Inc.
>> wants to do their own pen-tests because they
>> - Don't like to pay outsiders to do it
>> - Want to compete with the company
>> - They want to steal their tools and techniques
>> - insert your own paranoid explanation for the "why" bit
>>
>> They hire a group of people to hack their systems and record
>> everything so once the exercise is over ACME Inc. now knows
>> the tools and techniques of that particular pen test group.
>>
>> It's unlikely, but possible. Hasn't happened to me (yet).
>>
>> Best regards
>> Michael Boman
>>
>> --
>> Michael Boman
>> Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com
>>
>
>
>
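Dave's remark above that VMware guests use a recognisable range of MAC addresses is the one concrete tell in this thread, and it cuts both ways: a honeypot operator can check their own deployment for it before a tester does. The following script is an added example, not code from anyone in the thread. It takes a constructed inventory of honeypot interfaces (name and MAC per line; the names and addresses are made up) and flags any interface whose OUI belongs to VMware, using the publicly registered VMware OUIs 00:05:69, 00:0C:29, 00:1C:14 and 00:50:56. It also reports whether an address has the locally-administered bit set, which is what you would expect to see if the vendor OUI had been overridden.

```python
"""Audit a honeypot inventory for MAC addresses that betray a VMware guest.

Added example for the pen-test thread on honeypot detection; not the
original poster's code.  The inventory below is constructed sample data.
"""
import re

# IEEE OUI prefixes registered to VMware (well-known, publicly listed).
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, any case.
_MAC_RE = re.compile(r"^([0-9a-f]{2})(?:[:-]([0-9a-f]{2})){5}$", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Return the MAC as lower-case, colon-separated; raise on bad input."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


def vendor_oui(mac: str) -> str:
    """First three octets, i.e. the vendor-assigned OUI."""
    return normalize_mac(mac)[:8]


def is_vmware_oui(mac: str) -> bool:
    """True if the OUI is one registered to VMware."""
    return vendor_oui(mac) in VMWARE_OUIS


def is_locally_administered(mac: str) -> bool:
    """True if bit 1 of the first octet is set (address was set by software,
    not burned in by the vendor), which suggests the OUI was overridden."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def audit_inventory(text: str) -> list:
    """Parse 'name mac' lines and return (name, mac, vmware, local_admin)
    tuples.  Blank lines and '#' comments are skipped; a malformed MAC is
    reported with None in place of the two flags rather than aborting."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, raw_mac = line.partition(" ")
        try:
            mac = normalize_mac(raw_mac)
        except ValueError:
            findings.append((name, raw_mac.strip(), None, None))
            continue
        findings.append((name, mac, is_vmware_oui(mac),
                         is_locally_administered(mac)))
    return findings


# Constructed sample inventory (hypothetical hosts and addresses).
SAMPLE_INVENTORY = """\
# name            mac
hp-web-01         00:0c:29:ab:cd:ef
hp-ssh-02         00-50-56-12-34-56
hp-smtp-03        3c:52:82:aa:bb:cc
hp-ftp-04         02:00:5e:00:00:01
hp-bad-05         not-a-mac
"""


if __name__ == "__main__":
    for name, mac, vmware, local_admin in audit_inventory(SAMPLE_INVENTORY):
        if vmware is None:
            print(f"{name:12} {mac:20} UNPARSEABLE")
            continue
        tag = "VMWARE-OUI" if vmware else "ok"
        if local_admin:
            tag += " (locally administered)"
        print(f"{name:12} {mac:20} {tag}")
```

The check is only meaningful on the local segment, exactly as Dave says: MAC addresses do not cross routers, so this is a self-audit for the operator rather than something a remote tester can see. A clean result here says nothing about the other, non-MAC tells the thread alludes to.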

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT