According to my Exam Prep CEH study guide one way of detecting a Honeypot is by testing to see if all the services that appear to be open actually are. Services using SSL in particular should be checked like HTTPS or SMTPS etc.

Other ways of detecting Honeypots/Honeynets include checking the MAC addresses on the network, as has already been mentioned here. A badly configured Honeynet will have the same MAC on all the NIC's.

Many Honeypots have been set up as spam traps by BL's, and so a quick check to see if any mail has been sent from the mail account or if any legitimate-looking mail has arrived to the mail account, could also show if you're on a spam trap or not.


I must disagree with Oyle. A Honeypot with nothing more on it than the bare-bones system is just a pot with no honey. So where's the bait? Unless the hacker is intending to use the honeypot as a zombie or stepping stone, they'll be gone in minutes if there's nothing there to keep them there. OK so you may have the logs to analyse how they got on to your Honeypot, but you won't be able to learn anything else.

I found a whitepaper on the Honeynet website called Detecting Honeypots and other suspicious environments which may give some of you a more definative answer.

BTW, a quick perusal of the Honeynet projects Alumnii, shows a certain Edward Skoudis. A search for the word "Honeypot" on the SANS website comes up with the name Marcus J. Ranum numerous times. Both of these people are members/contribute either here at EH-Net or at CSP Mag. Perhaps Don can convince these experts to add some light on the matter.

What Michael Gregg (the author of the Exam Cram CEH study guide) says, is that by probing the services which appear to be open to see if they really are. If port 443 appears to be open you could attemp an SSL handshake to see how the system responds. The reason for this is that some protocols (such as SSL) go through a handshake procedure. A low interaction honeypot won't be able to complete the handshake process, and no exchange of credentials nor negotiation of the security parameters will take place between the client and the server. He then goes on to mention 3 tools; THC-Amap, Send-safe Honeypot Hunter and Nessus.
He says that while all 3 have the capability of probing targets to check their validity, Nessus in particular has the capability of checking for proper responses to SSL related services.