Re: Honeypot detection and countermeasures
From: Þórhallur Hálfdánarson <tolli(at)tol.li>
Date: Tue Jun 24 2003 - 20:39:58 EDT

Maybe I'm pointing out something said many times before, but I guess that comes with newcomers. :)

-*- Henry O. Farad <lrcrypto@red4est.com> [ 2003-06-24 23:36 ]:

Some points on situations where you have little or no information up front on the target.

The client will probably want to know how easily identifiable his honeypots are, before access has been gained on the honeypot. If a decoy is a part of the security measures, it should be working. Then again, the client might have gotten the idea to disguise a production system as a honeypot to distract intruders... so I guess you'll have to perform the pentest anyway. ;) Although, as most intruders would, save it 'til the end.

For different client requests (like Acl Proxy mentioned), this obviously does not apply.

On a side note, Michael Boman brought up an interesting point: "There is a viable scenario for this. Let's say ACME Inc. wants to do their own pen-tests because they [...] want to steal their tools and techniques".

A question crossed my mind yesterday that's related to this -- "Do pentesters have clauses in their contracts regarding the client re-using the methods used by pentesters" -- that is for knowledge gained by the client from information not-in-the-report, but through devices tested.

--
Tolli
tolli@tol.li

Received on Tue Jun 24 22:31:07 2003