From: Rob Shein (shoten@starpower.net)
Date: Mon Jun 23 2003 - 09:58:14 EDT
This wouldn't work. Seeing the packets/traffic on the wire doesn't tell you
the tools that are used, and it also doesn't really give you much else.
Considering that a honeypot is either not really rootable (DTK) or is very
low hanging fruit (and very rootable, like a honeynet.org system), they
either won't see tools downloaded to the system or won't see anything more
than the bare minimum needed to exploit a system that is too vulnerable to
begin with.
> -----Original Message-----
> From: Michael Boman [mailto:michael.boman@securecirt.com]
> Sent: Wednesday, June 18, 2003 11:32 PM
> To: Larry Colen
> Cc: Brass, Phil (ISS Atlanta); pen-test@securityfocus.com
> Subject: Re: Honeypot detection and countermeasures
>
>
> On Wed, 2003-06-18 at 10:15, Larry Colen wrote:
> > Good point. I was more envisioning a scenario where the client was
> > testing the whole security system, including the honeypots. I.e.
> > hiring a pen-tester without giving the pen-tester any
> knowldege of the
> > system before hand.
> >
> > If I seem like a clueless newbie, I hope that I at least
> seem like a
> > polite clueless newbie. I'll crawl back into my hole and lurk a bit
> > more.
> >
> > Larry
> >
>
> There is a viable scenario for this. Let's say ACME Inc.
> wants to do their own pen-tests because they
> - Don't like to pay outsiders to do it
> - Want to compete with the company
> - They want to steal their tools and techniques
> - insert your own paranoid explanation for the "why" bit
>
> They hire a group of people to hack their systems and record
> everything so once the exercise is over ACME Inc. now knows
> the tools and techniques of that particular pen test group.
>
> It's unlikely, but possible. Haven't happen to me (yet).
>
> Best regards
> Michael Boman
>
> --
> Michael Boman
> Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com
>
---------------------------------------------------------------------------
Latest attack techniques.
You're a pen tester, but is google.com still your R&D team? Now you can get
trustworthy commercial-grade exploits and the latest techniques from a
world-class research group.
Visit us at: www.coresecurity.com/promos/sf_ept1
or call 617-399-6980
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT