Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > pen-test > 03 > 060882.html (Request Expert securityfocus.com Support)

RE: Honeypot detection and countermeasures

From: Rob Shein <shoten(at)starpower.net>
Date: Tue Jun 24 2003 - 09:48:28 EDT


Ok, I've gotten a lot of responses to my post, of varying sorts, so I'll respond to them all here. :)

First off, I still maintain that watching the attack will NOT tell you which tool was used. Watching the attack AND being familiar with the tool(s) will, but in of itself, you don't see a series of attacks on a web server and say "ah, that was Nessus, not just whisker, and you can download it from www.nessus.org!" If you see a buffer overflow against a real server, you don't automatically know what it's called, and where to get it (or how to use it). And you certainly wouldn't know the difference between a non-safe Nessus plugin that only crashes a system and the real overflow attack, but with an error so it doesn't gain root. You have to be familiar with the tools in general to begin with, and since the whole scenario started with a company who was going to observe a pen test to try and figure out how to do one, I would presume that they lack that knowledge.

And yes, I'm sure there are honeypots and honeynets out there beyond what's normally thought of by most people (including me)...but the whole point I was making is that one cannot learn how to do pen-tests by watching a single one directed at a honeypot or honeynet of ANY kind. Even if you see every attack, understand it with absolute clarity, and are able to replicate it, the fact is that the attack was against something that is fundamentally different from a production network. Furthermore, the "what ifs" of alternate choices that would have been made given a different target (say, the production network) will remain unknown, and may well make all the difference in the world. Putting exceptions aside, honey*s are called "honey" for a reason; they are, as a standard, made to appear more low-hanging than most fruit on the network that hosts them, and therefore make more attractive targets.


Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1 or call 617-399-6980

Received on Tue Jun 24 11:45:23 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:38 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library