802.11b Honeypots Open for Business

11thangel writes "SecurityFocus is running a story about a wireless honeypot project, being run by the SAIC. The setup consists of 5 Cisco access points in the Washington D.C. area, with two extra antennas (high gain omni's) plugged in. The network itself has a bunch of comps with various vulnerabilities, similar to a traditional honeypot. At the present, the network doesn't have a net connection, but the administrator is considering hooking it through a web proxy that would add a consent-to-monitor banner, so he can watch who's doing what. Time to find a WiFi card that can MAC-hop."

Honeypots

[rustycage]

O' bother.

Re:Honeypots

[motardo]

good one!

obscure winnie the pooh refrence, on SLASHDOT of all places :)

Re:Honeypots

[SEWilco]

OK, I was just wondering how useful an announced honeypot is...and what people might do with a known honeypot.

I don't know why they'd do anything when they know it is a honeypot, but at least if they get it stuck on their head we know what they are. Pooh

(Yes, I'm wondering about after they know it is a honeypot. Before that point, they're either wardriving or cracking, depending upon what they're doing.)

Re:Honeypots

[rustycage]

Hey man, nerds have children too!

Useful?

[ipjohnson]

How useful can this be? it was just announced on slashdot .... hackers don't read slashdot?

Re:Useful?

[CaffeineAddict2001]

It's not being used to catch and prosecute hackers. It's being used to study what tools they use and probably thier habits. (Do they often return to the scene?)

Re:Useful?

[ipjohnson]

The problem with that theory is still who is going to access an open wi-fi network in the DC area .... knowing its a honey pot? I just can't believe that the data they obtain isn't tainted.

Re:Useful?

[rovingeyes]

Let me tell you one thing - hackers hack in to a network because they offer some challenge and most of these guys like challenge. What is he (or she) going to accomplish by hacking in to a weak network. Those are the work of kiddies if you want to find their techniques type "hacking tutorial" on google. You can collect far more info than these "honey pots".

I believe the goal of this project is to find out about latest techniques and tools. But I'm pretty sure they will find hardly anything constructive. Wait till they release their report :-)

Re:Useful?

[shftleft]

I agree that one can get useful information from google. But I think the purpose of this project was more to observe the real world environment in which people will try to attack WiFi systems. Also most people who would be war-driving arent simple script kiddies, and can come up with some nifty ideas. I know I would want to look at some of the logs from those networks.....

Re:Useful?

[cheese_wallet]

Ah, but this is an even greater challenge. Hacking your everyday network is like sneaking out of the house when you were a kid, or spying on your neighbor through the window.

Honeypots are a whole different story. It's more like a game of chess. You can see all the past moves your opponent has made, but you don't necessarily know where they are going to go next. You can lay traps for your opponent, but if they are good enough they can turn the trap around on you.

Honeypots are nearly irresistable to an ego and the desire for an adrenaline rush.

Re:Useful?

[anthony_dipierro]

It's being used to study what tools they use and probably thier habits.

"Furthermore, we have found that WiFi hackers tend to inundate the served webpages with messages such as 'First Hack!' and 'Hot Grits!' A secondary wave of hacks shortly follows discussing why 'First Hack!' should actually say 'First Crack'."

Why advertise 'em?

[gentlewizard]

I may be missing the point here, but what good is a honeypot if you TELL people it's one? Won't the crackers just avoid them?

Re:Why advertise 'em?

[Camulus]

Well, if he adds internet access and you just have to consent to him monitoring your access if you use it, it could be pretty nice. I could actually see a use for this for ISP's. Make a DMZ and stick and unsecured box on it that your users can see and audit/monitor the hell out of it to remove the "naughty" elements of your network if they try something. Lord knows it is better then getting a call from other ISP's/coporations because one of your users just cracked thier web site. However, I have to agree with you, in its current implementation, it is pretty much the suck.

Consider this before attempting.

[sup4hleet]

Pointing out a wireless security hole can land you in hot water. [theregister.co.uk]

Re:Consider this before attempting.

[glesga_kiss]

While I don't like this, it makes sense. If they don't prosecute, it leaves the door open to use "I was merely looking for vulnerabilities to help you" as an excuse for a real malicious intrusion attempt. It won't be long until laws are passed against wardriving...

Our Nation's Capital

[BDew]

Washington has been described many ways in the past, but as a "hot spot for laptop-toting cyberpunks"??? I'm obviously hanging out in the wrong crowd...

Re:Our Nation's Capital

[kyoko21]

No kidding... I walk the streets of D.C. all the time and I don't see any 'cyberpunks' carrying laptops... mostly just weird tourists not knowing where the metro stations are.

Re:Our Nation's Capital

[Anonymous Coward]

You need to hang out in "Cyberpunkia", it's a hidden area (cloaked) in DC, reachable only by a special hidden stop on the Metro (between Tenleytown and Van Ness). When the train reaches the half way point (where it turns a bit), you need to do an emergency train stop, open the door, and enter the hidden door (open it with your laptop). I know it sounds kinda complicated, but once you do it once, it's easy to do again.

Re:Our Nation's Capital

[CaffeineAddict2001]

The troglodite council will have your head for this!

Re:Our Nation's Capital

[craw]

In SAIC's parlance, "Cyberpunkia" is the Metro stop on the blue line between Pentagon City and Arlington National Cemetary.

Another bit of trivia for those of you that visit DC. Prostitutes are easy to identify. They look just like well dressed business women except that they are wearing sneakers. Furthermore, there is free parking for Ryder rental vans on the 900 block of Pennsylvania Avenue, NW.

Warchalk

[Malc]

I guess the warchalkers should add another symbol to their icons to warn people about honeypots. Although I suppose this could be abused by the owners of the access points trying to dissuade from hooking up.

Re:Warchalk

[dattaway]

Using a honeypot for an access point by a casual user might be safer than other people's motives for setting up an open system. You don't know who is providing you with that signal and if they are sniffing for cookies and passwords. Is it just a clueless person who owns an access port? Or is it someone who is looking for interesting user habits that he hasn't learned to sniff directly from the cable?

Common sense would dictate never to use an untrusted network for personal information, but I can see it now: people in the park with a laptop will connect to an unknown system and start chatting their personal problems on irc. The Senator's son doing this? Never happen! ;)

Re:Warchalk

[jumpingfred]

So basically a private individual cannot use any network for personal information. I don't know if I can trust my ISP or my phone company.

Re:Warchalk

[spacefrog]

Three little letters...

VPN

When you are leaching off of someone else's access point, only use it to establish a VPN tunnel.

When you are trying to harden your own access point, set it so it only allows direct communication with one server on one port---the VPN (pptp or whatever you happen to use) port on your VPN gateway.

Re:Warchalk

[Neon Spiral Injector]

What are you going to tunnel to? You own slow dialed up machine at home? Most people use these open WiFi networks because of the bandwidth available, if you have the bandwidth at home, why go out? (I'm joking a little there.)

Re:Warchalk

[Jonny 290]

Something tells me that the people most likely to have the money for a laptop, wireless ethernet card and assorted accessories are also likely to spring for broadband at home.

alternative to vpn

[akb]

Freenet [freenetproject.org]. Maybe someday it'll be ready for that.

Re:Warchalk

[stere0]

What about a small sticker with Maya the Bee [www.ys.is] on it? :)

Re:Warchalk

[Anonym1ty]

I guess the warchalkers should add another symbol to their icons to warn people about honeypots.

Just draw your symbol and the quote Winne the Pooh... Write "Oh Bother" accross your pretty little symbol

Re:Warchalk

[sulli]

Winnie-the-Pooh fans may want to draw this [lavasurfer.com]

*sigh*

[PhysicsGenius]

On the one hand I applaud these geeks for making the world a much better place by weeding out hackers. On the other hand, I can't help but feel nervous that the geek community is headed down a slippery slope when it uses entrapment like this. What's next? Banning free speech (from Microsoft) or the right to bear cryptography (for pedophiles)?

Re:*sigh*

[grimiore1]

entrapment? I thought honeypots weren't put out there for entrapping and prosecuting crackers. Where they not made for watching crackers and other hackers in the wild, to analyize new tools, techniques, or common methods? Kinda of a catch-and-release for crackers...but no bother to stick your hand in their mouth and take out germ-infested hooks.

Re:*sigh*

[Anonymous Coward]

the right to bear cryptography

A grizzly future for crypto, indeed.

Re:*sigh*

[Anonymous Coward]

This isn't entrapment man. Entrapment is when they would say (and if they were a police agency) "come hack this system, it'll be fun." Then when you do, they prosecute you for it. This is just throwing some vulnerable systems onto the net and seeing what happens. Grandma's and PHB's do that everyday. Get a clue. It's the furthest thing from entrapment out there.

Re:*sigh*

[ericman31]

Of course if you connect to and access a network that displays banners saying it's a private network then you were breaking the law after being warned. That's not really entrapment as far as I understand it. For example, if an access banner says something like:

WARNING: Use of the network is restricted to users authorized by XXXX only. User activity is monitored and recorded by system personnel. Anyone using the network expressly consents to such monitoring and recording. BE ADVISED: If possible criminal activity is detected, system records, along with certain personal information, may be provided to law enforcement officials.

Nobody enticed you to do anything. In fact, they did just the opposite and told you not to do it, and you did it anyway.

Re:*sigh*

[funky womble]

IEEE 802.11b doesn't have support for banners (unless maybe you write a really long SSID and even then it wouldn't always be seen)...

There are ways of grafting them on (using http redirection and so on), but those won't be seen by everyone and there are no standards, so it's not possible to connect using a script (for example). Just one example of why 802.11 isn't really an ideal protocol for public networks.

It's probably about time there were standards for things like: displaying network AUPs, privacy policies, registration/authentication. Ideally machine-readable so they could be used automatically where desired (would be quite easy to have third parties validate and sign these, done on a regular basis it would make it easier to block any networks discovered to be rogue by refusing to sign a renewal).

I think DHCP might be a reasonably good place for something like that to go (there are plenty of occasions it would be useful on a wired network too) but this type of thing is rarely useful without fairly widespread support.

Re:*sigh*

[Oculus Habent]

Just one example of why 802.11 isn't really an ideal protocol for public networks.

802.11 isn't a service or a communications protocol, it's a network layer. This is like complaining that 100 base-T doesn't have a MOTD

Brand new MOTD for cat5e! Just enter the message you want with this 1Hz binary input rocker switch, and in just minutes (depending on message length and encoding*) you can improperly interrupt network communications with a hardware-layer message.

* Available in ISO 8859-1, ISO 8859-6, and Unicode. Check with local suppliers for availability. Comes with free hexadecimalbinary convertor chart.

Re:*sigh*

[funky womble]

802.11 isn't a service or a communications protocol, it's a network layer. This is like complaining that 100 base-T doesn't have a MOTD

True, but the way it's commonly used, it's being treated as if it was. Would be a nice feature for a host configuration protocol though...

Brand new MOTD for cat5e!

$ ping -p7072697661746520676f2061776179 255.255.255.255

As used [qsl.net] by radio amateurs to satisfy the identification requirements of their license. (Amateurs using 802.11b kit can still use part 15 [lns.com] [or local equivalent in other countries] but in many cases they can also transmit at higher power if they comply with various conditions, including broadcasting their callsign).

AUPAP://

[Oculus Habent]

It would be reasonable to create an AUP/Authentication Protocol. This could have quite a substantial level of function to it.

If the user doesn't support AUPAP and doesn't successfully authenticate with the network's "domain controller" or somesuch authority, the user would be limited to the most basic access (or none at all). If the user successfully authenticates, they have their appropriate access.

If the the user supports AUPAP, they could then choose to agree to different areas/levels of access, monitoring, etc. This would allow a publicly-accessible network to provide users with Internet Access (with permission to monitor/block), SMTP-send capabilities (with message/MAC Addr/system info logging), etc without users becoming upset that they weren't aware it was happening.

Of course, there will be plenty of "Click-through" users, but an AUP is more to cover the provider than the user.

--
1.3 You acknowledge that you are aware that some areas of MSN and the Internet may contain material that is unsuitable for minors, and you agree to supervise usage by minors whom you permit to use your MSN account. -- MSN [msn.com]

Re:*sigh*

[funky womble]

Seems there is an extension to DHCP to provide a URL: rfc2485 [isi.edu] (thanks Matt). The actual authentication in that case is by UAP [opengroup.org]. (Now we just need some client support)...

Re:*sigh*

[Delta-9]

I agree. I don't buy the statement that they are using it to figure out the "tricks of the trade." Anyone can figure out the tricks of the trade by browsing a couple websites. I found netstumbler [netstumbler.com] after doing very little research into this matter.

They are laying the groundwork for controlling and making precedent for what is "unauthorized access." Don't be suprised when someone is arrested for browsing /. from a public transportation bench in the near future. Its a shame that so many sysadmins can't do their job that people like this have to do it for them.

Re:*sigh*

[numatrix]

Not at all true. Honepots have gathered a number of very interesting exploits long before they become publically accessible on common hacking webpages. Check out the honeynet [honeynet.org] project if you don't believe me. It stands to reason that a wireless honeynet would be just as useful for the same reasons, maybe even more since I would expect the odds of getting someone more sophisticated on a wireless intrusion are higher than random internet ip scans.

Here is why WiFi Honeynets are necessary.

[Nonesuch]

I agree. I don't buy the statement that they are using it to figure out the "tricks of the trade." Anyone can figure out the tricks of the trade by browsing a couple websites. I found netstumbler after doing very little research into this matter.

However, the real 'black hats' are not going to be using Windows-based laptops with Netstumbler.

If I were after a specific target, I would use less-publicized software that supports a true 'passive' mode, sniff traffic (need several megabytes of captured traffic to crack WEP), then clone the MAC from a valid but not-currently-active client node to use for active probing. Attackers with criminal intent most likely have this whole process automated and scripted.

One purpose of honeypots is to detect new, unpublished exploits and tools 'in the wild'. This goal includes new WiFi intrusion tools.

They are laying the groundwork for controlling and making precedent for what is "unauthorized access." Don't be suprised when someone is arrested for browsing /. from a public transportation bench in the near future. Its a shame that so many sysadmins can't do their job that people like this have to do it for them.

Disclaimer: IANAL.

That a network was not adequately secured is no excuse for connecting and using their bandwidth without permission. Criminal "trespass to chattel" is not excusable by virtue of the victim not having taken extreme measures to protect their assets.

Changing the MAC

[stere0]

# ifconfig eth1 hw ether [mac] , where eth1 is your interface and [mac] your MAC, should work

Re:Changing the MAC

[DustMagnet]

That only works if your card supports it. Mine (prism2) doesn't, according to this page [remote-exploit.org]. I think that's why 11thangel wrote, "Time to find a WiFi card that can MAC-hop."

Re:Changing the MAC -- Prism2 / WLAN

[Uzmo]

If you have a prism2 chipset and are using the wlan-ng drivers on linux, then you can change the MAC on your wireless card. Change the MAC on the wireless card using the wlanctl-ng command similar to this: /sbin/wlanctl-ng wlan0 dot11req_mibset mibattribute=dot11StationID=[mac] Then change to the same MAC using the ifconfig command as mentioned by stere0. Cheers!

PLEASE MOD PARENT UP

[stere0]

What I said in my comment isn't complete for Prism cards without Uzmo's parent comment. Thanks in advance.

Re:Changing the MAC

[Pow]

It works on my orinoco but needs a bit kernel/orinoco driver tweaking. By default this _does not_ work on orinoco cards i.e. mac is not changed. Yes I verified that.
Basically

hermes_write_ltv(hw,
USER_BAP,
HERMES_RID_CNFOWNMACADDR,
HERMES_BYTES_TO_RECLEN(ETH_ALEN),
dev->dev_addr);

when resetting card does the trick. (i'm using orinoco_cs drivers).
If you are lazy to add this code where appropriate, use these patches [shmoo.com]. They support mac changing plus monitoring mode for orinoco/wavelan cards.

Sabotage their efforts

[Anonymous Coward]

They claim they want to find out how much real life hacking use wireless networks are getting... but then they tell people where these are (roughly, DC is not really a huge city). It seems to me that this will just lead to more people looking for them just for fun, and not for any real use.

Anyway, the real wireless hotspot in DC is going to be American University [american.edu] since they're going all wireless [wired.com] this year. Nothing says wide open like a campus network! ;-)

Honeypots

[ivrcti]

Wireless and honeypots.... Isn't that redundant?

Honeypot

[omegakidd]

Everyone remember my experience with a honeypot? http://www.msnbc.com/news/786016.asp

Re:Honeypot

[omegakidd]

hmm. I put the wrong link there. http://bsd.slashdot.org/article.pl?sid=02/06/22/18 31224&mode=nested&tid=172

After finding the WLAN honeypot

[greensquare]

Someone should put up a dual NIC router host that is on local broadband internet, and can get on the honey pot WLAN too. Then hack the AP's to make them point to that dual NIC machine as an internet gateway.
It would be nice having a small WLAN with 5 AP's available for anyone to use for surfing the internet. ( And the FEDS can even have their fun analyzing the logs.. )

Re:After finding the WLAN honeypot

[omegakidd]

Sounds like a great idea.

Help for Orinoco owners

[Anonymous Coward]

The new airsnort page [shmoo.com] has links to nifty stuff like a patch for "monitor mode" - now all those Prism2 owners will have nothing to hold over you.

The newer versions of this patch also let you change the MAC address with ifconfig as seen in another post on this story. Stock versions of the driver (as found in the pcmcia-cs distribution) don't.

Driving around with one of these things and a standard Lucent range extender popsicle antenna is almost boring now. LOTS of ISPs are getting into the business, and you get hits just about anywhere you go. You can even pick up a good signal while being chased by alligators at Brazos Bend state park outside Houston. It's everywhere.

MAC hopping with 802.11b cards

[undie]

The trusty Lucent/Agere Orinoco card, under Linux, can set MAC address with the standard 'ifconfig hw ether xx:xx:xx:xx:xx:xx' command - note, this only works with newer versions of the orinoco driver.

A MAC hopper wouldn't work too well, considering you must take the interface down to set MAC (this would obviously de-associate you from the AP).

I recommend using Snax's patches [shmoo.com] to enable RF Monitor mode as well, for use with Kismet [kismetwireless.net], an excellent passive 802.11b scanner.

Re:MAC hopping with 802.11b cards

[funky womble]

The win32 Orinoco driver even has a handy box where you can type in the MAC address.

O'Bother?

[Mr Guy]

O'bother being Winnie's Irish cousin. McBother is Winnie's scottish cousin of course. The exclamation being Oh bother, of course. I know, I know, off topic flamebait. It's my type A talking, not me!

Dumb question.

[Crusty Oldman]

Just what is a "high gain omni" antenna? Inquiring minds want to know!

Re:Dumb question.

[questionlp]

"high gain omni" is short for High gain omnidirectional antenna used by WiFi access points/bridges to help extend the range of an access point or a bridge... say if you are in a large warehouse using WiFi, you can setup an AP or a bridge with that type of antenna to reduce the number of "hops" necessary to send data from one end of the warehouse to the other.

At least, that's my understanding of it... feel free to correct me as I'm also learning the terminology and the equipment used in WiFi setups.

squished donut

[mks113]

Something like a J-pole. Compressed vertical pattern, omnidirectional horizontal pattern.

There is logic to it, but it doesn't necessicarily apply to the moniker!

Re:Dumb question.

[craw]

Go to [yahoo.com]
this address in DC (2650 Wisconsin Ave NW). Knock on the door. Point to the roof and asked the occupants what is a "high gain omni" antenna.

That's easy to find the hacker

[Jonny Ringo]

Once they are in your system just look out the window at the teenagers in their parents mini van with a a light glow on there pimply face from their laptop.

please remember to proceed with caution when confronting the nerd.

After you find the cracker...

[Nonesuch]

please remember to proceed with caution when confronting the nerd.

Depending on the response time in your neighborhood, you might just want to call the cops and let them deal with the script kiddie.

Just remember to keep your low-light camcorder running, you might get some footage worthy of sale to CNN, or at least a good item for a "bloopers reel" (Or is that 8100P3R5 R331 in leet speak?) at the DEFCON film festival.

Or if you live in Brooklyn, just call on the Hasidim with shotguns [nandotimes.com].

It's probably bogus...

[Pig Hogger]

Since it's been "advertised" on Slashdot, most crackers know it, and they won't bother with it. So, nobody will know if the honeypot is genuinely bogus...

Honey, I'm Home

[Anonymous Coward]

Would someone please explain to me exactly what crime is committed if my wifi enabled pc alerts me to an open port. And I "walk in" to see if I'm welcome.
And if the net is available and I surf what have I taken?
Bandwidth?
Well I receive 10's of millions of unwanted bytes daily of unrequested/unwelcome advertisements which are "taking" my bandwidth. Whats the difference?
And furthermore couldn't an open wifi port be called an "attractive nuisance" in legal parlance. Like a swimming pool without a fence.

BTW I have an open to the net wifi port operating as I type. Am I a victim or a perpetrator.

war-driving in D.C.

[ZeroLogic7]

Frankly, I can't imagine why SAIC would advertise the fact that they're setting up a WiFi honey pot. It's not net enabled, so for most war drivers, it probably won't be that interesting. Besides, if they were trying to incriminate, don't associate to any cisco gear. Most companies who are savy enough to buy the high end gear will most likely turn on WEP and VPN to a firewall anyway. (ah, the glory of cracking a key only to experience the agony of finding something ELSE in the way.) So if you find a cisco AP that's not WEP enabled, it's a likely candidate.

Maybe they're advertising because no one landed in their little pot so they're trying stoke the flames a little. I found several hundred AP's just driving a couple miles and back downtown. I would think it would be a little more interesting to situate your honey pot in a corporate area with low to medium RF traffic. Pinpointing a car in a relatively suburban area would be much easier than downtown. (and people wonder why I tinted my windows)

If you want to attract a war driver, dump something interesting on the air. You'd be surprised how much internal crap dumps out onto wireless due to broadcast traffic. (oh, you say you're on a switch? hehe..)

And how far can they track the "intruder?" I've been able to get line of sight at several miles to a few AP's while driving downtown. (and as long as someone else is driving, once they get a fix on me, they won't have me at that point for very long.) (course, LOS at a couple miles would be hard to keep associating while driving.)

As for the Mac-hopping comment... What good is that? Or are you talking about channel hopping? Get a real nic that monitors on all channels simultaneously. And war driving just isn't war driving unless you have a external antennas for both your GPS and your WiFi cards. (In some cases, an amplifier can help...)

Re:war-driving in D.C.

[funky womble]

Get a real nic that monitors on all channels simultaneously.

Such as...?

Re:war-driving in D.C.

[ZeroLogic7]

cisco lmc-352... or pcm-352 if you don't use external antennas

Re:High-Gain Omnidirectional Antenna

[funky womble]

Omnidirectional usually refers to 360 degrees around the antenna (H-plane). The higher the gain, the narrower the vertical beamwidth (E-plane).

So in order to cover more people it probably would be better to use a couple of sector antennas with a down-tilt (as often seen on cellular base stations).

An alternative would be an amplified lower gain omni (but in many situations that wouldn't work as well since it will pick up more noise).