Defining Virtual Honeynets

Discussion in 'other security issues & news' started by Paul Wilders, Aug 21, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Over the past several years Honeynets have demonstrated their value as a security mechanism, primarily to learn about the tools, tactics, and motives of the blackhat community. This information is critical for organizations to better understand and protect against the threats they face. One of the problems with Honeynets is they are resource intensive, difficult to build, and complex to maintain. Honeynets require a variety of both physical systems and security mechanisms to effectively deploy. However, the Honeynet Project has been researching a new possibility, virtual Honeynets. These systems share many of the values of traditional Honeynets, but have the advantages of running all the systems on a single system. This makes virtual Honeynets cheaper to build, easier to deploy, and simpler to maintain.

    more..
     
  2. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Hi Paul! If I understand this correctly, the honeypot is like a Policewoman posing as a hooker, and so the honeynet is like an organization of Policewomen posing as hookers? The purpose is entrapment? Hackers are therefore the hookers' customers? And so, a Virtual Honeynet would be like an organization of Policewomen posing as hookers who do business by telephone? Does this make sense? (Sorry for the examples, but I couldn't think of more pertinent human ones. I could use bears instead!) :D
     
  3. Tinribs

    Tinribs Registered Member

    Joined:
    Mar 14, 2002
    Posts:
    734
    Location:
    England
  4. virtual honeypot
    A software program that is designed to appear to be a real functioning network but is actually a decoy built specifically to be probed and attacked by malicious users. In contrast to a honeypot, which is typically a hardware device that lures users into its trap, a virtual honeypot uses software to emulate a network.

    honeynet
    A network of honeypots.
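    The two definitions above (a decoy that exists only to be probed, and a honeynet as a collection of such decoys) can be shown in a few dozen lines. The following is an added example, not code from this thread, from Tinribs, or from the Honeynet Project: a minimal virtual honeynet in Python, with several decoy TCP services running in one process on the loopback interface. Each decoy sends a plausible banner, records the peer's address and the first bytes it sent, and does nothing else. The service names, banners and the simulated scanner are constructed for the demonstration.

```python
# Added example: a minimal virtual honeynet, several decoy TCP services in one
# process.  Nothing real sits behind any port, so every connection is
# suspicious by definition.  Names, banners and the scanner are constructed.
import socket
import threading
import time


class DecoyService:
    """One fake service: banner out, one read in, optional canned reply, log."""

    def __init__(self, name, banner, reply, host, port, on_probe):
        self.name, self.banner, self.reply, self.on_probe = name, banner, reply, on_probe
        self._stop = False
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))      # port 0: let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.5)         # lets the accept loop notice _stop
        self.port = self._sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self._stop:
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()
        self._sock.close()

    def _handle(self, conn, addr):
        with conn:
            conn.settimeout(2.0)           # a silent peer is still recorded
            data = b""
            try:
                conn.sendall(self.banner)
                data = conn.recv(256)
                conn.sendall(self.reply)
            except OSError:
                pass
        self.on_probe({"service": self.name, "src_ip": addr[0], "src_port": addr[1],
                       "first_bytes": data.decode("latin-1")[:64], "ts": time.time()})

    def close(self):
        self._stop = True


class VirtualHoneynet:
    """A set of decoys on one host sharing one in-memory probe log."""

    def __init__(self, host="127.0.0.1"):
        self.host, self.decoys, self.records = host, [], []
        self._lock = threading.Lock()

    def add(self, name, banner=b"", reply=b"", port=0):
        decoy = DecoyService(name, banner, reply, self.host, port, self._log)
        self.decoys.append(decoy)
        return decoy

    def _log(self, record):
        with self._lock:
            self.records.append(record)

    def wait_for(self, count, timeout=3.0):
        # Return the log once it holds `count` probes, or after `timeout` seconds.
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self._lock:
                if len(self.records) >= count:
                    break
            time.sleep(0.02)
        with self._lock:
            return list(self.records)

    def close(self):
        for decoy in self.decoys:
            decoy.close()


def simulated_probe(net, port, payload):
    # Stand-in for a scanner: connect, send a payload, read what comes back.
    seen = len(net.records)
    with socket.create_connection((net.host, port), timeout=2.0) as s:
        s.sendall(payload)
        try:
            response = s.recv(256)
        except socket.timeout:
            response = b""
    net.wait_for(seen + 1)                 # give the decoy time to log the probe
    return response


def demo():
    # Two decoys, two probes; returns {service name: probe record}.
    net = VirtualHoneynet()
    ssh = net.add("fake-ssh", banner=b"SSH-2.0-OpenSSH_5.9\r\n")
    web = net.add("fake-http", reply=b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n")
    simulated_probe(net, ssh.port, b"SSH-2.0-scanner\r\n")
    simulated_probe(net, web.port, b"GET / HTTP/1.0\r\n\r\n")
    net.close()
    return {r["service"]: r for r in net.wait_for(2)}
```

    Calling `demo()` starts both decoys, hits each one with a probe from localhost, and returns the two records keyed by service name. In a real deployment the decoys would bind to the addresses the honeynet is meant to occupy, banners would be chosen to match what the surrounding network looks like, and the log would be shipped off the host rather than kept in memory, since a decoy that is probed may be compromised next.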
     
  5. http://project.honeynet.org/papers/

    Some of these FAQs will make a quick study of many of the issues I know hold your interest.
    http://project.honeynet.org/misc/faq.html
    This Organization is One of the best.
    http://project.honeynet.org/

    And these are but a few sites of some of the members.
    http://hogwash.sourceforge.net/
    http://www.monkey.org/~dugsong/
    http://www.wiretrip.net/

    You can find many more at the site and info on all the members. They have nothing to hide.

    I do not know what OS you have, but here is a link to another tool that you may be able to use.

    It is called Vision from Foundstone Inc and it is free.

    ___________________________________________________________

    http://www.foundstone.com/
    We at Foundstone have honed our security skills at the highest corporate and government levels, including three of the Big Five accounting firms, the United States Air Force, and contractors involved in classified Department of Defense projects. In total, the Foundstone team has several decades of combined security experience across a full range of network and Internet technologies.

    Vision
    by Foundstone
    System Requirements

    NT 4/ Win 2000
    NT 4 needs psapi.dll
    800x600 res. minimum
    256 colors min
    32MB

    Vision will not work on Windows 9x or Me. We are still in the process of testing Vision on Windows XP.

    http://www.foundstone.com/knowledge/proddesc/vision.html

    Vision is Foundstone's newest product. This forensic utility is an essential part of a computer security professional's tool-kit. Vision maps all of a host's executables to corresponding ports, allowing you to identify and investigate suspicious services. Vision enables you to interrogate suspect services to identify backdoors and Trojan applications. If a malicious service is identified, Vision allows you to immediately kill it.
    http://www.foundstone.com/knowledge/press_releases-display.html?press_id=282

    Other Free tools at Foundstone.
    http://www.foundstone.com/knowledge/free_tools.html
     
  6. Hacker Techniques, Exploits, and Incident Handling
    SANS Beyond Firewalls
    Greetings!
    SANS is coming back to Denver, Colorado, August 22 - 27, 2002, and we hope to see you there. Because of the overwhelming success of our previous three Denver training opportunities, this year's conference has been expanded to 6 full immersion training tracks including: SANS Security Essentials; Firewalls, Perimeter Protection, and VPNs; Intrusion Detection In-Depth; Hacker Techniques, Exploits, and Incident Handling; Securing Windows; and our popular entry-level offering, Information Security Officer.

    http://www.sans.org/BeyondFirewalls/

    Hacker Techniques, Exploits, and Incident Handling
    http://www.sans.org/BeyondFirewalls/track4.php

    Hacker Techniques, Exploits, and Incident Handling is a signature track of the GIAC training program. It seeks to prepare people to take a leadership role in incident handling in their organizations, their communities, their nations, and globally. This challenging program is for security professionals capable of installing dual boot operating systems on their laptops to study how "in-the-wild" exploits work. It also teaches the step-by-step process proven effective in hundreds of organizations by which they prepare for and respond to attacks on their systems. This track can be used to prepare for the GIAC Certified Incident Handler (GCIH) certification.

    Securing an infrastructure is a complex task of balancing business needs against security risks. With the discovery of new vulnerabilities almost on a daily basis, there is always the potential for an intrusion. In addition to intrusions, things like fires, floods, and crime all require a solid methodology for incident handling, allowing for the systems and services to get back online as quickly and securely as possible.
    The first part of this course is the result of a consensus process involving more than fifty practitioners of incident handling. It is designed to provide a complete introduction using the six steps (preparation, identification, containment, eradication, recovery and lessons learned) one needs to follow in the event of a computer incident.
    The second part of this course provides from-the-trenches case studies of what does and does not work in identifying computer attackers. This part provides valuable information on what system administrators can do to improve their chances of catching and prosecuting attackers.

    Seemingly innocuous data leaking from your network could be the clue needed by an attacker to bust your systems wide open. This day-long course covers the details associated with Reconnaissance and Scanning, the first two phases of many computer attacks.

    pre-paid networks reveal an enormous amount of information to potential attackers. In addition to looking for information leakage, attackers also conduct detailed scans of systems, looking for openings to get through your defenses. They look for targets of opportunity to break into your network, such as weak DMZ systems and firewalls, unsecured modems, or the increasingly popular wireless LAN attacks. Attackers are increasingly employing inverse scanning, blind scans, and bounce scans to obscure their source and intentions. They are also targeting firewalls, attempting to understand and manipulate rule sets to penetrate our networks. Another very hot area in computer attacks involves Intrusion Detection System evasion, techniques that allow an attacker to avoid detection by these computer burglar alarms.
    If you don't have the skills needed to understand these critical phases of an attack in detail, you won't be able to protect your network. Students who take this class and master the material will have real-world knowledge of these attacks and the associated defenses.

    Computer attackers are ripping our networks and systems apart in novel ways, while constantly improving their abilities. This day-long course covers the third step of many hacker attacks: Gaining Access.

    Attackers employ a variety of techniques to take over systems, from the network level up to the application level. This section covers the attacks in depth, from the details of buffer overflow and format string attack techniques to the latest in session hijacking of supposedly secure protocols. The course also covers the increasingly popular web application attacks. Because most organizations' homegrown web apps don't get the security scrutiny of commercial software, these targets are exploited using SQL Injection, Cross-Site Scripting, Session Cloning and a variety of other mechanisms discussed in detail. The course also presents a taxonomy of Denial of Service attacks, illustrating how attackers can stop services or exhaust resources.
    To really defend against these attacks, administrators need to get into the "meat" of how the attacks and their associated defenses work. For each attack, the course explains the vulnerability, how various tools exploit it, the signature of the attack, and how to harden the system or application against the attack. Students who sign an ethics and release form are issued a CD-ROM containing the attack tools examined in class.

    Once intruders have gained access into a system, they want to keep that access, preventing pesky system administrators and security personnel from detecting their presence. This day-long course covers the fourth and fifth steps of many hacker attacks: Maintaining Access and Covering the Tracks.

    To fool you, attackers install tools and manipulate existing software on a system to maintain access to the machine on their own terms. They install backdoors, apply RootKits, and sometimes even manipulate the underlying kernel itself to hide their nefarious deeds. Each of these categories of tools requires specialized defenses to protect the underlying system. Attackers also cover their tracks by hiding files, sniffers, network usage, and running processes. Sniffing backdoors are increasingly being used to thwart investigations. Finally, attackers often alter system logs, all in an attempt to make the compromised system appear normal.
    To defend against these attacks, you need to understand how attackers manipulate systems to discover the sometimes-subtle hints associated with system compromise. This course arms you with the understanding and tools you need to defend against attackers maintaining access and covering their tracks.

    Over the years, the security industry has become smarter and more effective in stopping hackers; unfortunately, hacker tools are becoming smarter and more complex. One of the most effective methods in stopping the enemy is actually testing the environment with the same tools and tactics an attacker might use.
    This workshop lets you put what you have learned into practice. pre-paid will be connected to one of the most hostile networks on planet Earth. This network simulates the Internet and allows students not only to try actual attacks against live machines but also to learn how to protect against these attacks. This will supplement the classroom training that the student has already received and give them flight time with the attack tools to better understand how they work. As students run the exploits and protect against them, instructors will be giving guidance on exactly what is happening. As students work on various exploits and master them, the environment will become increasingly difficult so that students will have to master additional skills in order to successfully complete the exercises. This course is available to Track 4 participants only.
     
  7. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Wanna play home honeypot? Then check out the LaBrea tarpit at

    http://www.hackbusters.net/LaBrea/lbathome.html
     