Slashdot Mirror


802.11b Honeypots Open for Business

11thangel writes "SecurityFocus is running a story about a wireless honeypot project, being run by the SAIC. The setup consists of 5 Cisco access points in the Washington D.C. area, with two extra antennas (high gain omnis) plugged in. The network itself has a bunch of comps with various vulnerabilities, similar to a traditional honeypot. At the present, the network doesn't have a net connection, but the administrator is considering hooking it through a web proxy that would add a consent-to-monitor banner, so he can watch who's doing what. Time to find a WiFi card that can MAC-hop."

9 of 103 comments

  1. Honeypots by rustycage · · Score: 5, Funny

    O' bother.

    --
    No Sig For You
  2. Useful? by ipjohnson · · Score: 4, Insightful

    How useful can this be? it was just announced on slashdot .... hackers don't read slashdot?

  3. Warchalk by Malc · · Score: 4, Informative

    I guess the warchalkers should add another symbol to their icons to warn people about honeypots. Although I suppose this could be abused by the owners of the access points trying to dissuade people from hooking up.

    1. Re:Warchalk by dattaway · · Score: 4, Interesting

      Using a honeypot for an access point by a casual user might be safer than other people's motives for setting up an open system. You don't know who is providing you with that signal and if they are sniffing for cookies and passwords. Is it just a clueless person who owns an access port? Or is it someone who is looking for interesting user habits that he hasn't learned to sniff directly from the cable?

      Common sense would dictate never to use an untrusted network for personal information, but I can see it now: people in the park with a laptop will connect to an unknown system and start chatting their personal problems on irc. The Senator's son doing this? Never happen! ;)

  4. Changing the MAC by stere0 · · Score: 5, Informative

    # ifconfig eth1 hw ether [mac], where eth1 is your interface and [mac] your MAC, should work

    --
    Trollem mirabilem hanc subnotationis exigiutas non caperet
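The comment above gives the client-side command for swapping a MAC address; the honeypot operator in the story is on the other side of that, wanting to notice when one radio keeps reappearing under fresh addresses. The following is an added example, not code from SAIC or from the SecurityFocus story, of how an operator could flag MAC churn in access-point association logs. It assumes a constructed log format (timestamp, ap=, event=, mac=, rssi=) and a constructed sample; real Cisco AP syslog lines look different and would need their own regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample association log (hypothetical format, not a real AP's output).
# ap3 sees three different MACs within about a minute at the same signal level;
# ap1 sees two MACs 45 minutes apart, which is ordinary traffic.
SAMPLE_LOG = """\
2002-10-01 14:02:11 ap=ap3 event=assoc mac=00:40:96:11:22:33 rssi=-61
2002-10-01 14:02:40 ap=ap3 event=disassoc mac=00:40:96:11:22:33 rssi=-61
2002-10-01 14:02:45 ap=ap3 event=assoc mac=00:02:2d:44:55:66 rssi=-61
2002-10-01 14:03:10 ap=ap3 event=disassoc mac=00:02:2d:44:55:66 rssi=-62
2002-10-01 14:03:14 ap=ap3 event=assoc mac=00:30:ab:77:88:99 rssi=-61
2002-10-01 14:20:00 ap=ap1 event=assoc mac=00:04:5a:de:ad:01 rssi=-75
2002-10-01 15:05:00 ap=ap1 event=assoc mac=00:04:5a:de:ad:02 rssi=-80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ap=(?P<ap>\S+) event=(?P<event>\S+) "
    r"mac=(?P<mac>[0-9a-fA-F:]{17}) rssi=(?P<rssi>-?\d+)$"
)


def parse(log_text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ap": m["ap"],
            "event": m["event"],
            "mac": m["mac"].lower(),
            "rssi": int(m["rssi"]),
        })
    return events


def find_mac_churn(events, window=timedelta(minutes=5), min_distinct=3, rssi_tolerance=3):
    """Return [(ap, [macs])] for APs where at least min_distinct different MACs
    associated within `window` at near-identical signal strength.  A stable RSSI
    across changing addresses is the hint that it is one radio, not many clients."""
    assocs = defaultdict(list)
    for e in events:
        if e["event"] == "assoc":
            assocs[e["ap"]].append(e)

    alerts = []
    for ap, evs in assocs.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            group = [first]
            for later in evs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break  # events are sorted, so nothing later fits the window
                if abs(later["rssi"] - first["rssi"]) <= rssi_tolerance:
                    group.append(later)
            macs = sorted({e["mac"] for e in group})
            if len(macs) >= min_distinct:
                alerts.append((ap, macs))
                break  # one alert per AP is enough for triage
    return alerts


if __name__ == "__main__":
    for ap, macs in find_mac_churn(parse(SAMPLE_LOG)):
        print(f"{ap}: {len(macs)} MACs in one window: {', '.join(macs)}")
```

The RSSI tolerance is the interesting knob: a tight tolerance keeps false positives down in a busy area like downtown D.C., while a looser one catches a client that is moving. Either way the alert is a triage hint for the operator, not proof that one person sat behind all the addresses.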
  5. Re:*sigh* by Delta-9 · · Score: 4, Informative

    I agree. I don't buy the statement that they are using it to figure out the "tricks of the trade." Anyone can figure out the tricks of the trade by browsing a couple websites. I found netstumbler after doing very little research into this matter.

    They are laying the groundwork for controlling and making precedent for what is "unauthorized access." Don't be surprised when someone is arrested for browsing /. from a public transportation bench in the near future. It's a shame that so many sysadmins can't do their job that people like this have to do it for them.

  6. Re:Our Nation's Capital by Anonymous Coward · · Score: 4, Funny

    You need to hang out in "Cyberpunkia", it's a hidden area (cloaked) in DC, reachable only by a special hidden stop on the Metro (between Tenleytown and Van Ness). When the train reaches the half way point (where it turns a bit), you need to do an emergency train stop, open the door, and enter the hidden door (open it with your laptop). I know it sounds kinda complicated, but once you do it once, it's easy to do again.

  7. Re:*sigh* by Oculus+Habent · · Score: 4, Funny
    Just one example of why 802.11 isn't really an ideal protocol for public networks.

    802.11 isn't a service or a communications protocol, it's a network layer. This is like complaining that 100Base-T doesn't have a MOTD.

    Brand new MOTD for cat5e! Just enter the message you want with this 1Hz binary input rocker switch, and in just minutes (depending on message length and encoding*) you can improperly interrupt network communications with a hardware-layer message.

    * Available in ISO 8859-1, ISO 8859-6, and Unicode. Check with local suppliers for availability. Comes with free hexadecimal-binary converter chart.

    --
    That what was all this school was for... to teach us how to solve our own problems. -- janeowit
  8. war-driving in D.C. by ZeroLogic7 · · Score: 3, Insightful

    Frankly, I can't imagine why SAIC would advertise the fact that they're setting up a WiFi honey pot. It's not net enabled, so for most war drivers, it probably won't be that interesting. Besides, if they were trying to incriminate, don't associate to any Cisco gear. Most companies who are savvy enough to buy the high end gear will most likely turn on WEP and VPN to a firewall anyway. (ah, the glory of cracking a key only to experience the agony of finding something ELSE in the way.) So if you find a Cisco AP that's not WEP enabled, it's a likely candidate.

    Maybe they're advertising because no one landed in their little pot so they're trying to stoke the flames a little. I found several hundred APs just driving a couple miles and back downtown. I would think it would be a little more interesting to situate your honey pot in a corporate area with low to medium RF traffic. Pinpointing a car in a relatively suburban area would be much easier than downtown. (and people wonder why I tinted my windows)

    If you want to attract a war driver, dump something interesting on the air. You'd be surprised how much internal crap dumps out onto wireless due to broadcast traffic. (oh, you say you're on a switch? hehe..)

    And how far can they track the "intruder"? I've been able to get line of sight at several miles to a few APs while driving downtown. (and as long as someone else is driving, once they get a fix on me, they won't have me at that point for very long.) ('course, LOS at a couple miles would be hard to keep associating while driving.)

    As for the MAC-hopping comment... What good is that? Or are you talking about channel hopping? Get a real NIC that monitors on all channels simultaneously. And war driving just isn't war driving unless you have external antennas for both your GPS and your WiFi cards. (In some cases, an amplifier can help...)

    --
    THIS SPACE FOR RENT