RE: Honeypot detection and countermeasures
From: .:[ Death Star]:. <deathstar(at)optonline.net>
Date: Wed Jun 25 2003 - 02:44:27 EDT
I've seen many discussions going back and forth about honeypots ... well my dear friends I can tell you that no matter what you do it's very hard and time consuming to discover if the node you're penetrating is running a honeypot. Unless you actually know that the company you're scanning has told you that they are using a honeypot. Another thing to keep in mind is that many companies cannot use honeypots (because in some cases it might be considered entrapment, and it's prosecuted by the law enforcement agencies).

As for using external entities to perform the pen-test, it's considered a very good idea, the reason being (in most cases) that you want to see your networks/systems through the eyes of a hacker. Another good reason for having an external auditor is to prove to the law enforcement agencies that you're in compliance with the standards and regulations (diligence / due diligence).

As we all know, one of the first things you do when pen-testing is fingerprinting and enumerating systems/networks; in most cases if you find out that a system is open like a window then you need to have the system placed on the suspicious list. An example is having a server with port 23 open!!!

One of the best ways to avoid getting detected while fully scanning the system for open ports is to use IDLE scanning. Then if it happened and you were able to exploit a system you can use a tool like datapipe or fpipe to port forward the traffic into the system you owned (this way the honeypot, if it exists, cannot see you as an external node ...).

The bottom line here is that discovering a honeypot is very time consuming, unless you really want to spend all the time of the pen-test attempting to exploit a system that shows vulnerability but doesn't respond to your attack the way an exploited system would.

-----Original Message-----
They have collections of tools, yes...but can you learn to pen-test from
that collection? Absolutely not. The point here is "can you learn to
be a
Received on Wed Jun 25 12:49:15 2003