RE: Honeypot detection and countermeasures

From: Bojan Zdrnja (Bojan.Zdrnja@LSS.hr)
Date: Wed Jun 25 2003 - 00:54:49 EDT

• Next message: .:[ Death Star]:.: "RE: Honeypot detection and countermeasures"
• Previous message: Þórhallur Hálfdánarson: "Re: Honeypot detection and countermeasures"
• In reply to: Michael Boman: "RE: Honeypot detection and countermeasures"
• Next in thread: Gerardo Richarte: "Re: Honeypot detection and countermeasures"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> -----Original Message-----
> From: Michael Boman [mailto:michael.boman@securecirt.com]
> Sent: Wednesday, 25 June 2003 2:03 a.m.
> To: Rob Shein
> Cc: 'John Public'; 'Larry Colen'; 'Brass, Phil (ISS
> Atlanta)'; pen-test@securityfocus.com; 'Lance Spitzner'
> Subject: RE: Honeypot detection and countermeasures
>
> Seriously, would you pay big bucks for someone to run Nessus
> against the
> systems when you can just DIY such test yourself?

I had to comment on this ...

Keep in mind that tools aren't everything as well!

*Anyone* can probably run Nessus or ISS against your host, but can everyone
read it's results? Can everyone point possible weaknesses in your security?
_Of course not_, and that's why you hire external penetration testers who
have experts for those fields.

Regarding honeypots - as Lance said, there are many, many types of
honeypots. Some are really easy to get into, while the other aren't.

Regarding this thread, it's obvious that you can't get tools by only
watching network traffic, but there are million other possibilities to
deploy honeypots, which *can* get tools you need.

I had a honeypot which had 2 network cards. One was connected to the
Internet and the other one was connected to something what looked like a
hardened server in a special DMZ. Now, after honeypot was compromised,
attacker obviously wanted to get to that other server and he had to upload
his tools to honeypot.

This is just one example of possible deployment. YMMV.

Best regards,

Bojan Zdrnja

---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get
trustworthy commercial-grade exploits and the latest techniques from a
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1
or call 617-399-6980
----------------------------------------------------------------------------

• Next message: .:[ Death Star]:.: "RE: Honeypot detection and countermeasures"
• Previous message: Þórhallur Hálfdánarson: "Re: Honeypot detection and countermeasures"
• In reply to: Michael Boman: "RE: Honeypot detection and countermeasures"
• Next in thread: Gerardo Richarte: "Re: Honeypot detection and countermeasures"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT