Ooooooh, fascinating. The academic paper is interesting and covers the high points of the type of things you would want to look for. And some things you wouldn't think that you should, like connection sampling rather than binary "is sniffing" / "is not sniffing". (ha ha, n^2 fuckup)
Looking at the exitmap source, as I was curious what modules existed... the problem I see is that it does not have modules that are capable of the more difficult to pull off things like SSH honeypot detection. Should have called the damn thing "inverse-metasploit".

The idea is solid but the implementation has to keep up with the times. Specific attack vectors like CVE-2014-3566 (or any other sort of TLS/SSL downgrade attack) need to be tested for, and all that. Which makes the "inverse-metasploit" notion all the more compelling. Other things come to mind like testing for binary patching (e.g., ninja exe patching). Some of these things are easier to detect than others.

I'm going to put a pin in this and think about it.

On Wed, Jul 19, 2017 at 3:02 PM, Philipp Winter <p...@nymity.ch> wrote:
> On Wed, Jul 19, 2017 at 01:43:32PM -0500, eric gisse wrote:
>> Is there any notion of doing a sort of automated testing for things
>> like this that can be easily proven?
>
> Yes, the blog post I linked to contains some more information. We are
> using tools such as exitmap [1] to systematically scan the network for
> attacks such as DNS poisoning, SSL stripping, HTTPS MitM, and XMPP MitM,
> just to name a few. We are always looking for more ideas on what to
> scan for, so let us know if you have any!
>
> [1] <https://gitweb.torproject.org/user/phw/exitmap.git/>
> <https://nymity.ch/pdf/winter2014b.pdf>
> --
> tor-talk mailing list - tor-talk@lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
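As an added illustration of the two points raised in this thread (exitmap-style comparison of what a probe sees through an exit against a known-good answer, and the "connection sampling" problem, where an exit that tampers with only a fraction of connections will not be caught by a single probe), here is a small analyzer that is not part of exitmap or the original messages. The exit names, destination and certificate fingerprints are constructed sample values; `probes_needed` assumes independent, uniformly sampled probes.

```python
import math
from collections import defaultdict

# Constructed sample data (not real relays or certificates):
# the SHA-256 fingerprint a probe should see for each destination.
EXPECTED = {"example.com:443": "aa" * 32}

# One record per probe: (exit id, destination, observed cert fingerprint).
PROBES = [
    ("EXIT_A", "example.com:443", "aa" * 32),
    ("EXIT_A", "example.com:443", "aa" * 32),
    ("EXIT_B", "example.com:443", "aa" * 32),
    ("EXIT_B", "example.com:443", "bb" * 32),  # only some connections altered
    ("EXIT_C", "example.com:443", "bb" * 32),
]


def probes_needed(sampling_rate, confidence=0.99):
    """Probes required so an exit that tampers with a fraction
    `sampling_rate` of connections is caught at least once with the
    given confidence, solving 1 - (1 - q)**n >= confidence for n."""
    if not 0 < sampling_rate <= 1:
        raise ValueError("sampling_rate must be in (0, 1]")
    if sampling_rate == 1:
        return 1  # an always-on MitM is caught by the first probe
    return math.ceil(math.log(1 - confidence) / math.log(1 - sampling_rate))


def classify(probes, expected):
    """Per-exit (mismatched, total) counts instead of a yes/no verdict,
    so partial interference shows up as a rate rather than vanishing."""
    counts = defaultdict(lambda: [0, 0])
    for exit_id, dest, observed in probes:
        counts[exit_id][1] += 1
        if observed != expected[dest]:
            counts[exit_id][0] += 1
    return {exit_id: tuple(v) for exit_id, v in counts.items()}


def suspicious(probes, expected):
    """Exits with at least one mismatching answer, sorted for stable output."""
    return sorted(e for e, (bad, _) in classify(probes, expected).items() if bad)


if __name__ == "__main__":
    print(classify(PROBES, EXPECTED))
    print("flag for review:", suspicious(PROBES, EXPECTED))
    print("probes for a 10% sampler at 99%:", probes_needed(0.1))
```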