RE: How Would I Find the Actual Name of the Honeypot Software via a Pen Test?

---

• From: Jeremiah Brott <jeremiah@xxxxxxxxxxxxxxxxxxx>
• Date: Thu, 21 Jun 2007 15:14:00 -0400

---

There was a paper written awhile back about detecting honeyd via packet fragmentation. Link below:

http://www.merit.edu/networkresearch/papers/pdf/2006/MTR-2006-01.pdf

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of TStark
Sent: Tuesday, June 19, 2007 2:10 PM
To: pen-test
Subject: How Would I Find the Actual Name of the Honeypot Software via a Pen Test?

Good afternoon,

I'm doing a pen test a new IPS appliance from outside the network,
while working through the assessment I found that the server
designated as my target was a honeypot set up by our server team
rather than a normal server.

I've now been challenged to now tell them the actual name of the
honeypot software they are using.

So with that, I figure I'd ask the pros, hoping that someone has a
suggestion other than me low crawling under the raised floor in the
server room looking for the host server:P


Thanks for the help!

Tony

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------




------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

---

• Prev by Date: Re: Strange ports
• Next by Date: RE: Security and VPN
• Previous by thread: RE: How Would I Find the Actual Name of the Honeypot Software via a Pen Test?
• Next by thread: Pen testing / Vuln Assessment from Cable Modem - question on service provider selection
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? ... The blue ribbon here is to find a vuln in the honeypot itself and break out ... shot in the dark, and if it's imitating only IIS on Windows, well, then, ... Are you using SPI, Watchfire or WhiteHat? ... Consider getting clear vision with Cenzic ... (Pen-Test) Re: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? ... You may try and fingerprint the bios. ... How Would I Find the Actual Name of the Honeypot Software via a Pen Test? ... server, it could be sitting on a BSD or any linux/unix variant box. ... (Pen-Test) RE: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? ... In fact, if you can finger print the server as linux, it's ... I'm assuming that within the honeypot configs, ... honeypot software they are using. ... (Pen-Test) Re: Login Delay in /etc/login.defs not working? Debian ... Honeypot looks like exactly what I was thinking of. ... it looks like most are simply fake servers ... connection redirected to the fake server on failure. ... but in case of login failure the connection would be intersepted ... (alt.os.linux) Re: How Would I Find the Actual Name of the Honeypot Software via a Pen Test? ... honeypot should be able to "mimic" an IIS ... server, it could be sitting on a BSD or any linux/unix variant box. ... Are you using SPI, Watchfire or WhiteHat? ... Consider getting clear vision with Cenzic ... (Pen-Test)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > pen-test  > 2007-06