RE: Honeypot detection and countermeasures

From: Rob Shein (shoten@starpower.net)
Date: Tue Jun 24 2003 - 09:48:28 EDT


Ok, I've gotten a lot of responses to my post, of varying sorts, so I'll
respond to them all here. :)

First off, I still maintain that watching the attack will NOT tell you which
tool was used. Watching the attack AND being familiar with the tool(s)
will, but in and of itself, you don't see a series of attacks on a web server
and say "ah, that was Nessus, not just whisker, and you can download it from
www.nessus.org!" If you see a buffer overflow against a real server, you
don't automatically know what it's called, and where to get it (or how to
use it). And you certainly wouldn't know the difference between a non-safe
Nessus plugin that only crashes a system and the real overflow attack, but
with an error so it doesn't gain root. You have to be familiar with the
tools in general to begin with, and since the whole scenario started with a
company that was going to observe a pen test to try to figure out how to do
one, I would presume that they lack that knowledge.

And yes, I'm sure there are honeypots and honeynets out there beyond what's
normally thought of by most people (including me)...but the whole point I
was making is that one cannot learn how to do pen-tests by watching a single
one directed at a honeypot or honeynet of ANY kind. Even if you see every
attack, understand it with absolute clarity, and are able to replicate it,
the fact is that the attack was against something that is fundamentally
different from a production network. Furthermore, the "what ifs" of
alternate choices that would have been made given a different target (say,
the production network) will remain unknown, and may well make all the
difference in the world. Putting exceptions aside, honey*s are called
"honey" for a reason; they are, as a standard, made to appear more
low-hanging than most fruit on the network that hosts them, and therefore
make more attractive targets.
