Exam 312-50v11 topic 1 question 306 discussion

C indeed is the answer: CEH book page 1600 - Evading IDS, Firewalls, and Honeypots. And oh, this question was present in the actual exam.

C is the answer. An attacker can identify the presence of a honeyd honeypot by performing time-based TCP fingerprinting method (SYN proxy behavior)

Detecting Honeypots Detecting and Defeating Honeypots - Detecting the presence of Honeyd Honeypot Honeyd is a widely used honeypot daemon.This honeyd honeypot can respond to a remote attacker who tries to contact the SMTP service with fake responses. An attacker can identify the presence of honeyd honeypot by performing time-based TCP fingerprinting methods (SYN proxy behavior). (P.1601/5885)

Detecting Honeypots running on VMware: Observe the IEEE standards for the current range of MAC addresses assigned to VMWare Inc Detecting the presence of Snort_inline Honeypot: Analyze the outgoing packets by capturing the Snort_inline modified packets through another host system and identifying the packet modification Detecting the presence of Honeyd Honeypot: Perform time-based TCP Finger printing methods (SYN Proxy behavior) Detecting the presence of Sebek-based Honeypots: Sebek logs everything that is accessed via read() before transferring it to the network, causing the congestion effect. Analyze the congestion in the network layer

See https://www.linkedin.com/pulse/honeypots-types-technologies-detection-techniques-tools-ahmed-eissa

An attacker can identify the presence of honeyd honeypot by performing time-based TCP fingerprinting methods (SYN proxy behavior).

Is Honeyd as it says TCP fingerprinting

An attacker can identify the presence of a honeyd honeypot by performing time-based TCP fingerprinting method (S

C indeed is the answer: CEH book page 1600

C indeed is the answer: CEH book page 1600

C is the correct answer.

B is unlikely the answer. B- Attackers can identify these honeypots by analyzing the outgoing packets. If an outgoing packet is dropped, it might look like a black hole to an attacker, and when the snort_inline modifies an outgoing packet, the attacker can capture the modified packet through another host system and identify the packet modification.