Penetration Testing mailing list archives
Re: Honeypot detection and countermeasures
From: Blake Matheny <bmatheny () mkfifo net>
Date: Wed, 18 Jun 2003 09:23:59 -0400
There are several techniques to detect honeypots. 4tphi had released this (http://lists.insecure.org/lists/honeypots/2002/Oct-Dec/0029.html) in late 2002 for determining whether you are in a VMWare session. There are several attacks against honeynet (looking for rate limiting, checking known exploits, etc.). I'd suggest looking at the honeynet site. As Lance says, "... we are not perfect", which I think can be used to an advantage.

-Blake

Whatchu talkin' 'bout, Willis?
I'm doing some research on honeypot detection, and preventing honeypots from being detected. I'd greatly appreciate some feedback from pen-testers on the following issues:

Do you worry about being detected by honeypots?

When you do a pen-test, do you already know of the existence of honeypots, and their location, so that it is an easy matter to avoid them?

If you are concerned about honeypots, how do you test to see if the system under attack is a honeypot or a production machine?

Thanks,
Larry

---------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com
----------------------------------------------------------------------------
--
Blake Matheny
bmatheny () mkfifo net
http://www.mkfifo.net
http://ovmj.org/GNUnet/

"... one of the main causes of the fall of the Roman Empire was that, lacking zero, they had no way to indicate successful termination of their C programs." --Robert Firth