nerdexam
EC-Council

312-50V11 · Question #976

Dayn, an attacker, wanted to detect if any honeypots are installed in a target network. For this purpose, he used a time-based TCP fingerprinting method to validate the response to a normal computer a

The correct answer is B. Detecting the presence of Honeyd honeypots. Dayn uses time-based TCP fingerprinting to compare response timing between real systems and honeypots, a technique specifically effective against Honeyd honeypots.

Evading IDS, Firewalls, and Honeypots

Question

Dayn, an attacker, wanted to detect if any honeypots are installed in a target network. For this purpose, he used a time-based TCP fingerprinting method to validate the response to a normal computer and the response of a honeypot to a manual SYN request. Which of the following techniques is employed by Dayn to detect honeypots?

Options

  • ADetecting honeypots running on VMware
  • BDetecting the presence of Honeyd honeypots
  • CA Detecting the presence of Snort_inline honeypots
  • DDetecting the presence of Sebek-based honeypots

How the community answered

(41 responses)
  • A
    17% (7)
  • B
    71% (29)
  • C
    10% (4)
  • D
    2% (1)

Why each option

Dayn uses time-based TCP fingerprinting to compare response timing between real systems and honeypots, a technique specifically effective against Honeyd honeypots.

ADetecting honeypots running on VMware

Detecting VMware-based honeypots relies on identifying VMware-specific artifacts such as registry keys, driver files, or MAC address prefixes - not TCP response timing.

BDetecting the presence of Honeyd honeypotsCorrect

Honeyd is an open-source honeypot daemon that emulates TCP/IP stacks, but its emulated responses have detectable timing discrepancies compared to real systems. Time-based TCP fingerprinting exploits these latency differences by sending manual SYN requests and comparing response patterns, which reliably identifies Honeyd-based deployments. This method is a documented passive honeypot identification technique that does not trigger alerts on the monitored system.

CA Detecting the presence of Snort_inline honeypots

Snort_inline honeypot detection involves identifying inline IPS/IDS behavioral patterns or traffic manipulation artifacts, not time-based TCP fingerprinting.

DDetecting the presence of Sebek-based honeypots

Sebek-based honeypot detection focuses on identifying kernel-level keystroke capture activity or Sebek communication artifacts, not TCP timing analysis.

Concept tested: Honeyd honeypot detection via TCP timing

Source: https://csrc.nist.gov/glossary/term/honeypot

Topics

#honeypot detection#Honeyd#TCP fingerprinting#time-based analysis

Community Discussion

No community discussion yet for this question.

Full 312-50V11 Practice