www.TASK.to © Toronto Area Security Klatch 2007
Adventures in Wireless Honeypots
Eldon Sprickerhoff
eSentire, Inc.
Wireless Honeypots
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
A wireless resource made available and monitored, just to see who connects and what they do.
Not quite an IDS; you're actively “offering” up a sacrificial lamb to the slaughter.
You've got to make it convincing.
Wireless Honeypots
DIY
Cheap!
OpenBSD 3.7 or higher
Pretty much any hardware will work (laptop, NIC)
Create an access point, choose a good SSID.
Add appropriate ARP entries and fake IPs.
Add some fake traffic to it (pings of different sizes).
WEP or no WEP?
Power?
Useful?
Wireless Honeypots
DIY Part Two
What's the largest open “mesh” community wireless network in the world?
Wireless Honeypots
linksys
channel 6
Wireless Honeypots
Follow all the original steps to build an access point.
DHCP Server
Null Configured DNS Server
POP3 Server
IMAP Server
FTP Server
Telnet Server
WWW Server (and set up some good pages)
tcpdump
snort
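The monitoring half of this setup, as an added example that is not from the talk: a sketch that reads `tcpdump -n` text output and tallies, per client, which of the honeypot's cleartext services were contacted. The honeypot address 192.168.1.1, the sample capture and the function name are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Cleartext services the slide lists for the honeypot, keyed by standard port.
HONEYPOT_SERVICES = {21: "FTP", 23: "Telnet", 80: "WWW", 110: "POP3", 143: "IMAP"}

# Matches the IPv4 TCP lines of `tcpdump -n` text output.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def summarize(lines, honeypot_ip):
    """Return {client_ip: {service: connection_attempts}} for SYNs to the honeypot."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["dst"] != honeypot_ip:
            continue  # non-TCP line (e.g. ARP) or traffic not aimed at the honeypot
        # Count only the initial SYN ("S"), not SYN-ACK ("S.") or later segments.
        if m["flags"] != "S":
            continue
        service = HONEYPOT_SERVICES.get(int(m["dport"]), "other:" + m["dport"])
        seen[m["src"]][service] += 1
    return {ip: dict(svcs) for ip, svcs in seen.items()}

# Constructed sample capture (not data from the talk); 192.168.1.1 is the assumed honeypot.
SAMPLE = """\
10:15:01.000100 IP 192.168.1.101.49152 > 192.168.1.1.110: Flags [S], seq 1000, win 65535, length 0
10:15:01.000300 IP 192.168.1.1.110 > 192.168.1.101.49152: Flags [S.], seq 2000, ack 1001, win 16384, length 0
10:15:01.000500 IP 192.168.1.101.49152 > 192.168.1.1.110: Flags [.], ack 1, win 65535, length 0
10:15:09.120000 IP 192.168.1.102.50211 > 192.168.1.1.80: Flags [S], seq 3000, win 65535, length 0
10:16:30.500000 IP 192.168.1.101.49153 > 192.168.1.1.110: Flags [S], seq 4000, win 65535, length 0
10:17:02.250000 IP 192.168.1.102.50212 > 192.168.1.1.21: Flags [S], seq 5000, win 65535, length 0
10:17:40.000000 IP 192.168.1.103.40000 > 192.168.1.1.22: Flags [S], seq 6000, win 65535, length 0
10:18:00.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.103, length 28
""".splitlines()

if __name__ == "__main__":
    for client, services in sorted(summarize(SAMPLE, "192.168.1.1").items()):
        print(client, services)
```

Connections to ports outside the advertised service list are reported as `other:<port>`, which separates clients that are probing the box from clients that simply trusted the SSID.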
Wireless Honeypots
Who would be so stupid<del><del><del><del><del><del>unwise to connect to this lame honeypot?
Wireless Honeypots
Infosecurity Canada 2006
“Protect Your Business”
100+ Vendors
2000+ Attendees (supposedly)
Arguably, some of the “best minds” in the corporate security arena.
Wireless Honeypots
Of course, this is bad, but I could have done much worse.
Google was the homepage (boring and benign).
Purely passive (didn't upload, no attacks).
Wireless Honeypots
Encrypt everything!
Firewall!
Don't blindly think that “linksys” is some grandpa with an open access point.
Hey, did I fool anyone today?
Wireless Honeypots
Questions?
I could clean and package it up, let me know if there's any interest among you lazy bastards.