Honeypots mailing list archives

Re: Heisenberg in the honeypot


From: Valdis.Kletnieks () vt edu
Date: Tue, 22 Jun 2004 16:30:58 -0400

On Tue, 22 Jun 2004 10:38:57 EDT, Chuck Fullerton said:

> Without the inside info, how can the person be totally sure without a doubt
> that there is no honeypot there?

They *don't have to care* whether or not there's a honeypot there....

It's the rare organization indeed that you can't get yourself a beachhead
system without using a 0-day - there's always that one last unpatched box.

Once you have that, you can start collecting inside info.  Probably not enough
to be *totally* sure (for that matter, the sysadmin themselves may not know/
remember which boxes were honeypots without checking their cheat sheet ;) - but
enough info to convince yourself of the likelihood of *a specific box* being a
honeypot.

Remember - if there's 300 machines on the subnet, the black hat doesn't care
that one is a honeypot, as long as he can tell that none of the 10 machines
he's actually interested in is a honeypot.  So he has one box he 0wned already,
and 10 he wants to 0wn - and any one (or all) of the other 289 can be
honeypots, as far as he cares...

(The preceding assumes, of course, that we're dealing with a black hat with a
clue.  It is of course highly likely that a clueless black hat who can't figure
out which 10 of the 300 he should be interested in will accidentally stumble
into the honeypot while trying to hit some other system.  But since we started
off with the idea that the black hat is clued enough to know what a honeypot
*is*, we can exclude that scenario from the discussion - but not from the list
of what things will hit your honeypot in real life....)
