Slashdot Mirror

← Back to Stories (view on slashdot.org)

802.11b Honeypots Open for Business

Posted by CmdrTaco on from the are-you-secure dept.

11thangel writes "SecurityFocus is running a story about a wireless honeypot project, being run by the SAIC. The setup consists of 5 Cisco access points in the Washington D.C. area, with two extra antennas (high gain omni's) plugged in. The network itself has a bunch of comps with various vulnerabilities, similar to a traditional honeypot. At the present, the network doesn't have a net connection, but the administrator is considering hooking it through a web proxy that would add a consent-to-monitor banner, so he can watch who's doing what. Time to find a WiFi card that can MAC-hop."

33 of 103 comments (clear)

  1. Honeypots by rustycage · · Score: 5, Funny

    O' bother.

    --
    No Sig For You
  2. Useful? by ipjohnson · · Score: 4, Insightful

    How useful can this be? it was just announced on slashdot .... hackers don't read slashdot?

    1. Re:Useful? by CaffeineAddict2001 · · Score: 2

      It's not being used to catch and prosecute hackers. It's being used to study what tools they use and probably thier habits. (Do they often return to the scene?)

    2. Re:Useful? by cheese_wallet · · Score: 2

      Ah, but this is an even greater challenge. Hacking your everyday network is like sneaking out of the house when you were a kid, or spying on your neighbor through the window.

      Honeypots are a whole different story. It's more like a game of chess. You can see all the past moves your opponent has made, but you don't necessarily know where they are going to go next. You can lay traps for your opponent, but if they are good enough they can turn the trap around on you.

      Honeypots are nearly irresistable to an ego and the desire for an adrenaline rush.

    3. Re:Useful? by anthony_dipierro · · Score: 2

      It's being used to study what tools they use and probably thier habits.

      "Furthermore, we have found that WiFi hackers tend to inundate the served webpages with messages such as 'First Hack!' and 'Hot Grits!' A secondary wave of hacks shortly follows discussing why 'First Hack!' should actually say 'First Crack'."

  3. Our Nation's Capital by BDew · · Score: 2, Funny

    Washington has been described many ways in the past, but as a "hot spot for laptop-toting cyberpunks"??? I'm obviously hanging out in the wrong crowd...

    --
    "Fifty million Americans can't be wrong," said Rep. Billy Tauzin. Gore - 50,999,897 Bush - 50,456,002
    1. Re:Our Nation's Capital by Anonymous Coward · · Score: 4, Funny

      You need to hang out in "Cyberpunkia", it's a hidden area (cloaked) in DC, reachable only by a special hidden stop on the Metro (between Tenleytown and Van Ness). When the train reaches the half way point (where it turns a bit), you need to do an emergency train stop, open the door, and enter the hidden door (open it with your laptop). I know it sounds kinda complicated, but once you do it once, it's easy to do again.

  4. Warchalk by Malc · · Score: 4, Informative

    I guess the warchalkers should add another symbol to their icons to warn people about honeypots. Although I suppose this could be abused by the owners of the access points trying to dissuade from hooking up.

    1. Re:Warchalk by dattaway · · Score: 4, Interesting

      Using a honeypot for an access point by a casual user might be safer than other people's motives for setting up an open system. You don't know who is providing you with that signal and if they are sniffing for cookies and passwords. Is it just a clueless person who owns an access port? Or is it someone who is looking for interesting user habits that he hasn't learned to sniff directly from the cable?

      Common sense would dictate never to use an untrusted network for personal information, but I can see it now: people in the park with a laptop will connect to an unknown system and start chatting their personal problems on irc. The Senator's son doing this? Never happen! ;)

    2. Re:Warchalk by stere0 · · Score: 2

      What about a small sticker with Maya the Bee on it? :)

      --
      Trollem mirabilem hanc subnotationis exigiutas non caperet
    3. Re:Warchalk by Anonym1ty · · Score: 2, Funny

      I guess the warchalkers should add another symbol to their icons to warn people about honeypots.

      Just draw your symbol and the quote Winne the Pooh... Write "Oh Bother" accross your pretty little symbol

      --
      See the Pictures of the Flood of '08
    4. Re:Warchalk by spacefrog · · Score: 2

      Three little letters...

      VPN

      When you are leaching off of someone else's access point, only use it to establish a VPN tunnel.

      When you are trying to harden your own access point, set it so it only allows direct communication with one server on one port---the VPN (pptp or whatever you happen to use) port on your VPN gateway.

    5. Re:Warchalk by Neon+Spiral+Injector · · Score: 2

      What are you going to tunnel to? You own slow dialed up machine at home? Most people use these open WiFi networks because of the bandwidth available, if you have the bandwidth at home, why go out? (I'm joking a little there.)

    6. Re:Warchalk by Jonny+290 · · Score: 2

      Something tells me that the people most likely to have the money for a laptop, wireless ethernet card and assorted accessories are also likely to spring for broadband at home.

      --
      Hey Taco! Looks like you're using the "infinite monkeys and typewriters" scheme to generate Ask Slashdots again...
  5. Changing the MAC by stere0 · · Score: 5, Informative

    # ifconfig eth1 hw ether [mac] , where eth1 is your interface and [mac] your MAC, should work

    --
    Trollem mirabilem hanc subnotationis exigiutas non caperet
    1. Re:Changing the MAC by DustMagnet · · Score: 2

      That only works if your card supports it. Mine (prism2) doesn't, according to this page. I think that's why 11thangel wrote, "Time to find a WiFi card that can MAC-hop."

      --
      'SBEMAIL!' is better than a goat!!
    2. Re:Changing the MAC by Pow · · Score: 2, Informative

      It works on my orinoco but needs a bit kernel/orinoco driver tweaking. By default this _does not_ work on orinoco cards i.e. mac is not changed. Yes I verified that.
      Basically

      hermes_write_ltv(hw,
      USER_BAP,
      HERMES_RID_CNFOWNMACADDR,
      HERMES_BYTES_TO_RECLEN(ETH_ALEN),
      dev->dev_addr);
      when resetting card does the trick. (i'm using orinoco_cs drivers).
      If you are lazy to add this code where appropriate, use these patches. They support mac changing plus monitoring mode for orinoco/wavelan cards.

  6. Honeypots by ivrcti · · Score: 2, Funny

    Wireless and honeypots.... Isn't that redundant?

  7. Re:*sigh* by ericman31 · · Score: 2, Insightful
    Of course if you connect to and access a network that displays banners saying it's a private network then you were breaking the law after being warned. That's not really entrapment as far as I understand it. For example, if an access banner says something like:


    WARNING: Use of the network is restricted to users authorized by XXXX only. User activity is monitored and recorded by system personnel. Anyone using the network expressly consents to such monitoring and recording. BE ADVISED: If possible criminal activity is detected, system records, along with certain personal information, may be provided to law enforcement officials.

    Nobody enticed you to do anything. In fact, they did just the opposite and told you not to do it, and you did it anyway.

    --
    In my universe I'm perfectly normal, it's not my fault you don't live in my universe.
  8. Re:*sigh* by Delta-9 · · Score: 4, Informative

    I agree. I don't buy the statement that they are using it to figure out the "tricks of the trade." Anyone can figure out the tricks of the trade by browsing a couple websites. I found netstumbler after doing very little research into this matter.

    They are laying the groundwork for controlling and making precedent for what is "unauthorized access." Don't be suprised when someone is arrested for browsing /. from a public transportation bench in the near future. Its a shame that so many sysadmins can't do their job that people like this have to do it for them.

  9. Help for Orinoco owners by Anonymous Coward · · Score: 2, Informative

    The new airsnort page has links to nifty stuff like a patch for "monitor mode" - now all those Prism2 owners will have nothing to hold over you.

    The newer versions of this patch also let you change the MAC address with ifconfig as seen in another post on this story. Stock versions of the driver (as found in the pcmcia-cs distribution) don't.

    Driving around with one of these things and a standard Lucent range extender popsicle antenna is almost boring now. LOTS of ISPs are getting into the business, and you get hits just about anywhere you go. You can even pick up a good signal while being chased by alligators at Brazos Bend state park outside Houston. It's everywhere.

  10. Re:*sigh* by funky+womble · · Score: 2, Interesting
    IEEE 802.11b doesn't have support for banners (unless maybe you write a really long SSID and even then it wouldn't always be seen)...

    There are ways of grafting them on (using http redirection and so on), but those won't be seen by everyone and there are no standards, so it's not possible to connect using a script (for example). Just one example of why 802.11 isn't really an ideal protocol for public networks.

    It's probably about time there were standards for things like: displaying network AUPs, privacy policies, registration/authentication. Ideally machine-readable so they could be used automatically where desired (would be quite easy to have third parties validate and sign these, done on a regular basis it would make it easier to block any networks discovered to be rogue by refusing to sign a renewal).

    I think DHCP might be a reasonably good place for something like that to go (there are plenty of occasions it would be useful on a wired network too) but this type of thing is rarely useful without fairly widespread support.

  11. Re:*sigh* by numatrix · · Score: 2, Insightful

    Not at all true. Honepots have gathered a number of very interesting exploits long before they become publically accessible on common hacking webpages. Check out the honeynet project if you don't believe me. It stands to reason that a wireless honeynet would be just as useful for the same reasons, maybe even more since I would expect the odds of getting someone more sophisticated on a wireless intrusion are higher than random internet ip scans.

  12. O'Bother? by Mr+Guy · · Score: 2

    O'bother being Winnie's Irish cousin. McBother is Winnie's scottish cousin of course. The exclamation being Oh bother, of course. I know, I know, off topic flamebait. It's my type A talking, not me!

    --
    Never confuse volume with power.
  13. That's easy to find the hacker by Jonny+Ringo · · Score: 2

    Once they are in your system just look out the window at the teenagers in their parents mini van with a a light glow on there pimply face from their laptop.

    please remember to proceed with caution when confronting the nerd.

  14. It's probably bogus... by Pig+Hogger · · Score: 2

    Since it's been "advertised" on Slashdot, most crackers know it, and they won't bother with it. So, nobody will know if the honeypot is genuinely bogus...

  15. Re:*sigh* by Oculus+Habent · · Score: 4, Funny
    Just one example of why 802.11 isn't really an ideal protocol for public networks.

    802.11 isn't a service or a communications protocol, it's a network layer. This is like complaining that 100 base-T doesn't have a MOTD

    Brand new MOTD for cat5e! Just enter the message you want with this 1Hz binary input rocker switch, and in just minutes (depending on message length and encoding*) you can improperly interrupt network communications with a hardware-layer message.

    * Available in ISO 8859-1, ISO 8859-6, and Unicode. Check with local suppliers for availability. Comes with free hexadecimalbinary convertor chart.

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
  16. AUPAP:// by Oculus+Habent · · Score: 2

    It would be reasonable to create an AUP/Authentication Protocol. This could have quite a substantial level of function to it.

    If the user doesn't support AUPAP and doesn't successfully authenticate with the network's "domain controller" or somesuch authority, the user would be limited to the most basic access (or none at all). If the user successfully authenticates, they have their appropriate access.

    If the the user supports AUPAP, they could then choose to agree to different areas/levels of access, monitoring, etc. This would allow a publicly-accessible network to provide users with Internet Access (with permission to monitor/block), SMTP-send capabilities (with message/MAC Addr/system info logging), etc without users becoming upset that they weren't aware it was happening.

    Of course, there will be plenty of "Click-through" users, but an AUP is more to cover the provider than the user.

    --
    1.3 You acknowledge that you are aware that some areas of MSN and the Internet may contain material that is unsuitable for minors, and you agree to supervise usage by minors whom you permit to use your MSN account. -- MSN

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
  17. alternative to vpn by akb · · Score: 2

    Freenet. Maybe someday it'll be ready for that.

  18. Here is why WiFi Honeynets are necessary. by Nonesuch · · Score: 2
    I agree. I don't buy the statement that they are using it to figure out the "tricks of the trade." Anyone can figure out the tricks of the trade by browsing a couple websites. I found netstumbler after doing very little research into this matter.
    However, the real 'black hats' are not going to be using Windows-based laptops with Netstumbler.

    If I were after a specific target, I would use less-publicized software that supports a true 'passive' mode, sniff traffic (need several megabytes of captured traffic to crack WEP), then clone the MAC from a valid but not-currently-active client node to use for active probing. Attackers with criminal intent most likely have this whole process automated and scripted.

    One purpose of honeypots is to detect new, unpublished exploits and tools 'in the wild'. This goal includes new WiFi intrusion tools.

    They are laying the groundwork for controlling and making precedent for what is "unauthorized access." Don't be suprised when someone is arrested for browsing /. from a public transportation bench in the near future. Its a shame that so many sysadmins can't do their job that people like this have to do it for them.
    Disclaimer: IANAL.

    That a network was not adequately secured is no excuse for connecting and using their bandwidth without permission. Criminal "trespass to chattel" is not excusable by virtue of the victim not having taken extreme measures to protect their assets.

    --

    I do not deploy Linux. Ever.
  19. war-driving in D.C. by ZeroLogic7 · · Score: 3, Insightful

    Frankly, I can't imagine why SAIC would advertise the fact that they're setting up a WiFi honey pot. It's not net enabled, so for most war drivers, it probably won't be that interesting. Besides, if they were trying to incriminate, don't associate to any cisco gear. Most companies who are savy enough to buy the high end gear will most likely turn on WEP and VPN to a firewall anyway. (ah, the glory of cracking a key only to experience the agony of finding something ELSE in the way.) So if you find a cisco AP that's not WEP enabled, it's a likely candidate.

    Maybe they're advertising because no one landed in their little pot so they're trying stoke the flames a little. I found several hundred AP's just driving a couple miles and back downtown. I would think it would be a little more interesting to situate your honey pot in a corporate area with low to medium RF traffic. Pinpointing a car in a relatively suburban area would be much easier than downtown. (and people wonder why I tinted my windows)

    If you want to attract a war driver, dump something interesting on the air. You'd be surprised how much internal crap dumps out onto wireless due to broadcast traffic. (oh, you say you're on a switch? hehe..)

    And how far can they track the "intruder?" I've been able to get line of sight at several miles to a few AP's while driving downtown. (and as long as someone else is driving, once they get a fix on me, they won't have me at that point for very long.) (course, LOS at a couple miles would be hard to keep associating while driving.)

    As for the Mac-hopping comment... What good is that? Or are you talking about channel hopping? Get a real nic that monitors on all channels simultaneously. And war driving just isn't war driving unless you have a external antennas for both your GPS and your WiFi cards. (In some cases, an amplifier can help...)

    --
    THIS SPACE FOR RENT
  20. Re:High-Gain Omnidirectional Antenna by funky+womble · · Score: 2, Insightful
    Omnidirectional usually refers to 360 degrees around the antenna (H-plane). The higher the gain, the narrower the vertical beamwidth (E-plane).

    So in order to cover more people it probably would be better to use a couple of sector antennas with a down-tilt (as often seen on cellular base stations).

    An alternative would be an amplified lower gain omni (but in many situations that wouldn't work as well since it will pick up more noise).

  21. Re:Changing the MAC -- Prism2 / WLAN by Uzmo · · Score: 2, Informative

    If you have a prism2 chipset and are using the wlan-ng drivers on linux, then you can change the MAC on your wireless card. Change the MAC on the wireless card using the wlanctl-ng command similar to this: /sbin/wlanctl-ng wlan0 dot11req_mibset mibattribute=dot11StationID=[mac] Then change to the same MAC using the ifconfig command as mentioned by stere0. Cheers!