This wouldn't work.  Seeing the packets/traffic on the wire doesn't tell you
the tools that are used, and it also doesn't really give you much else.
Considering that a honeypot is either not really rootable (DTK) or is very
low hanging fruit (and very rootable, like a honeynet.org system), they
either won't see tools downloaded to the system or won't see anything more
than the bare minimum needed to exploit a system that is too vulnerable to
begin with.  

> -----Original Message-----
> From: Michael Boman [mailto:[EMAIL PROTECTED] 
> Sent: Wednesday, June 18, 2003 11:32 PM
> To: Larry Colen
> Cc: Brass, Phil (ISS Atlanta); [EMAIL PROTECTED]
> Subject: Re: Honeypot detection and countermeasures
> 
> 
> On Wed, 2003-06-18 at 10:15, Larry Colen wrote:
> > Good point. I was more envisioning a scenario where the client was
> > testing the whole security system, including the honeypots. I.e.
> > hiring a pen-tester without giving the pen-tester any knowledge of the
> > system beforehand.
> > 
> > If I seem like a clueless newbie, I hope that I at least seem like a
> > polite clueless newbie. I'll crawl back into my hole and lurk a bit
> > more.
> > 
> >    Larry
> > 
> 
> There is a viable scenario for this. Let's say ACME Inc. 
> wants to do their own pen-tests because they
>  - Don't like to pay outsiders to do it
>  - Want to compete with the company
>  - They want to steal their tools and techniques
>  - insert your own paranoid explanation for the "why" bit
> 
> They hire a group of people to hack their systems and record 
> everything so once the exercise is over ACME Inc. now knows 
> the tools and techniques of that particular pen test group.
> 
> It's unlikely, but possible. Hasn't happened to me (yet).
> 
> Best regards
>  Michael Boman
> 
> -- 
> Michael Boman
> Security Architect, SecureCiRT Pte Ltd http://www.securecirt.com
> 

