Honeypot and Mitm detection?

**charly13** · 02-25-2009, 12:03 PM

Hi i am new to this forums and i have a question

How we can detect honeypots and mitm attacks?
I think that all hacking and cracking your network to find vulnerabilities is good but a tutorial in detection is more important in my opinion.

thanx

**imported_blackfoot** · 02-25-2009, 01:46 PM

A useful question though might be better rounded.

I would hope it is difficult to detect a honeypot though their unresponsiveness can sometimes give things away. Really you might like to make your own honeypot and learn from hands-on experience. bt has a daemon ready for you to utilise:

man honeyd

A (surprisingly) useful entry appears here:

http://en.wikipedia.org/wiki/Honeypot_(computing)

Quite a good place to launch your research.

Also look at:

http://www.honeynet.org/

As for detecting mitm attacks perhaps utilise a sniffer ids and watch for temporal delays in network traffic particularly in certificate transfer/validation.

Write back for further guidance

**KMDave** · 02-25-2009, 02:06 PM

blackfoot's advice is really good. You should start to learn how honeypots work. Learn about the difference which possibilities are out there to set up a honeypot/honeynet. Use google to search on how to detect high interaction honeypots since they give themself away mostly by specific hardware/software footprinting which is not hidden most of the time.

For low interaction honeypots it is dependend on how they are configured.

As for MITM, you could create a script which regularly checks the arp entries and see if something changes. Not sure how big your network is though, other options could be more practical depending on the size of it.

**charly13** · 02-25-2009, 02:39 PM

Thank a lot for your replys.My network is small router -> pc->laptop all wireless for that reason i want to learn more about detection to be 100% bulletproof.do you know any book on that subject?

**Abraxas** · 02-26-2009, 03:43 PM

An IDS like snort is a good option. If you're in a coffee shop type location and you want to detect arp poisoning you can with ettercap. If I have to use a hotspot with unknown security I always run a scan with kismet first and then connect and scan with ettercap.

**imported_wyze** · 03-20-2009, 08:19 AM

Not quite sure what the OP is trying to do, but this is worth a look http://www.bothunter.net/

**Barry** · 03-20-2009, 12:38 PM

Originally Posted by wyze

Not quite sure what the OP is trying to do, but this is worth a look http://www.bothunter.net/

Neat! !!!

**streaker69** · 03-20-2009, 03:12 PM

Originally Posted by Barry

Neat! !!!

I just downloaded the liveCD from the torrent. I'm gonna see how well it works as a VM.

**Barry** · 03-20-2009, 03:45 PM

Originally Posted by streaker69

I just downloaded the liveCD from the torrent. I'm gonna see how well it works as a VM.

I'm having java issues with it under windows, but it is windows.

I'll download it at home, much faster connection.

BackTrack Linux - Penetration Testing Distribution

Thread: Honeypot and Mitm detection?

Thread Tools

Search Thread

Display

Honeypot and Mitm detection?

useful

Posting Permissions