312-50V11 · Question #976
Dayn, an attacker, wanted to detect if any honeypots are installed in a target network. For this purpose, he used a time-based TCP fingerprinting method to validate the response to a normal computer a
The correct answer is B. Detecting the presence of Honeyd honeypots. Dayn uses time-based TCP fingerprinting to compare response timing between real systems and honeypots, a technique specifically effective against Honeyd honeypots.
Question
Options
- ADetecting honeypots running on VMware
- BDetecting the presence of Honeyd honeypots
- CA Detecting the presence of Snort_inline honeypots
- DDetecting the presence of Sebek-based honeypots
How the community answered
(41 responses)- A17% (7)
- B71% (29)
- C10% (4)
- D2% (1)
Why each option
Dayn uses time-based TCP fingerprinting to compare response timing between real systems and honeypots, a technique specifically effective against Honeyd honeypots.
Detecting VMware-based honeypots relies on identifying VMware-specific artifacts such as registry keys, driver files, or MAC address prefixes - not TCP response timing.
Honeyd is an open-source honeypot daemon that emulates TCP/IP stacks, but its emulated responses have detectable timing discrepancies compared to real systems. Time-based TCP fingerprinting exploits these latency differences by sending manual SYN requests and comparing response patterns, which reliably identifies Honeyd-based deployments. This method is a documented passive honeypot identification technique that does not trigger alerts on the monitored system.
Snort_inline honeypot detection involves identifying inline IPS/IDS behavioral patterns or traffic manipulation artifacts, not time-based TCP fingerprinting.
Sebek-based honeypot detection focuses on identifying kernel-level keystroke capture activity or Sebek communication artifacts, not TCP timing analysis.
Concept tested: Honeyd honeypot detection via TCP timing
Source: https://csrc.nist.gov/glossary/term/honeypot
Topics
Community Discussion
No community discussion yet for this question.