
Trapping Wireless Bad Guys

Simulating honeypot in a wireless environment

Zi Bin, Cheah
cheah@stud.ntnu.no
Paper for TTM4137
Department of Telematics
Norwegian University of Science and Technology

1. Introduction

In recent years, wireless Internet has become ubiquitous. These connections are available at home, at universities, in cafeterias and in many more places. The popularity of wireless Internet usage has, predictably, sparked security concerns. Data is now transferred over the air and could be prone to attack.

A malicious attacker can perform different ill-intentioned activities. One of them is driving around searching for wireless connections, commonly known as wardriving. After a vulnerable wireless access point has been found, attackers can use this wireless network to cause harm to the network itself or, worse, use it as a proxy to harm other networks.

Section 3 gives a general outline of how attackers work. Section 4 shows the steps in setting up a wireless honeypot network to trap attackers.

2. Honeypots

Honeypot is a concept proposed by the Honeynet Project[1]. The word honeypot means, in strict terms, hosts that are created to be probed and penetrated by hackers. As the name implies, they are the bee's pots in cyberspace, created to attract attackers to approach them. A honeypot can be a Linux host, Windows host, BSD host, network printer, PDA and so on. Apart from real physical hosts, virtual hosts can be set up using daemons.

The word Honeynet is the broad concept of deploying the honeypot network. This includes the honeypot, the honeywall and other relevant tools. However, people sometimes use honeypot to describe the whole notion of honeynet.

Honeywall is a host that is attached to the router, in our case the wireless router with access points (AP). Honeywall makes sure all incoming and outgoing packets are filtered.

Apart from introducing honeypots to trap wireless bad guys, this article also explores why honeypots are needed equally, or even more so, in a wireless environment.

3. What do bad guys do?

Not all crooks rob a bank the same way, and the same goes for cyber crooks. Discussed below are only the general steps they take.

3.1 Probe and crack Wireless Access Points

Firstly, attackers start off by probing for available wireless APs in the surroundings. This can be done by scanning the environment for available APs, using NetStumbler or Kismet. After NetStumbler or Kismet detects the wireless APs, these APs can be accessed freely if not protected, or cracked quite easily if protected with WEP. The cracking of the WEP key is done using the Aircrack-ng suite. The cracking time varies: it can take minutes to weeks depending on the traffic load of the network.

3.2 Analyze hosts and ports

After entering the network, attackers then use probing tools such as nmap or xprobe to probe the network's hosts. In a later stage of this essay, we will discuss how honeypots can be set up as hosts.

The snippet below is an example of an nmap ping scan to determine which hosts on the network are up. The command pings the IP addresses in the range 10.50.100.1-255. It manages to detect some hosts that are up.

    [usr-1@srv-1 ~]$ nmap -sP 10.50.100.1-255
    Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-06-13 15:50 PDT
    Host 10.50.100.1 appears to be up.
    Host 10.50.100.2 appears to be up.
    Host 10.50.100.22 appears to be up.
    Host mondo (10.50.100.72) appears to be up.
    Host 10.50.100.82 appears to be up.
    Nmap run completed -- 255 IP addresses (5 hosts up) scanned in 3.228 seconds

The attacker goes one step further to probe one of the hosts that is alive (up) and manages to find exposed ports.

    Starting Nmap 4.20 ( http://insecure.org ) at 2007-10-27 13:48 CEST
    Interesting ports on 10.50.100.1
    Not shown: 1695 closed ports
    PORT STATE SERVICE
    1033/tcp open netinfo
    3306/tcp open mysql

3.3 Starting Attacking

After discovering open ports and services, attackers may now start attacking the host. Attackers usually adjust their attack methods based on the services available. Those methods of attack are not discussed here.
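Seen from the honeywall, the ping sweep and port scan of Section 3.2 are easy to recognise, because honeypot hosts receive no legitimate traffic. The following added example (not part of the original paper) classifies sources in connection records; the log format, the thresholds, the addresses 10.50.100.200 and 10.50.100.150, and the use of 10.50.100.2 as a simulated-traffic generator are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed record format (not actual Honeywall output): "time SRC=.. DST=.. PROTO=.. [DPT=..]"
LINE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+)(?: DPT=(?P<dpt>\d+))?")

# Constructed sample: a sweep of five hosts, then five TCP ports on one of them.
SAMPLE_LOG = """\
13:48:01 SRC=10.50.100.200 DST=10.50.100.1 PROTO=ICMP
13:48:01 SRC=10.50.100.200 DST=10.50.100.2 PROTO=ICMP
13:48:01 SRC=10.50.100.200 DST=10.50.100.22 PROTO=ICMP
13:48:02 SRC=10.50.100.200 DST=10.50.100.72 PROTO=ICMP
13:48:02 SRC=10.50.100.200 DST=10.50.100.82 PROTO=ICMP
13:48:09 SRC=10.50.100.2 DST=10.50.100.22 PROTO=TCP DPT=25
13:49:10 SRC=10.50.100.200 DST=10.50.100.1 PROTO=TCP DPT=21
13:49:10 SRC=10.50.100.200 DST=10.50.100.1 PROTO=TCP DPT=22
13:49:10 SRC=10.50.100.200 DST=10.50.100.1 PROTO=TCP DPT=80
13:49:11 SRC=10.50.100.200 DST=10.50.100.1 PROTO=TCP DPT=1033
13:49:11 SRC=10.50.100.200 DST=10.50.100.1 PROTO=TCP DPT=3306
13:50:30 SRC=10.50.100.150 DST=10.50.100.72 PROTO=TCP DPT=80
13:50:31 truncated record without addresses
"""

def classify(log, simulated=frozenset(), host_min=4, port_min=5):
    """Map each source IP to labels: host-sweep, port-scan:<targets>, or contact."""
    hosts = defaultdict(set)   # src -> distinct destinations touched
    ports = defaultdict(set)   # (src, dst) -> distinct TCP ports touched
    for line in log.splitlines():
        m = LINE.search(line)
        if not m or m["src"] in simulated:   # skip junk and our own fake traffic
            continue
        hosts[m["src"]].add(m["dst"])
        if m["proto"] == "TCP" and m["dpt"]:
            ports[(m["src"], m["dst"])].add(int(m["dpt"]))
    findings = {}
    for src, dsts in hosts.items():
        labels = ["host-sweep"] if len(dsts) >= host_min else []
        scanned = sorted(d for (s, d), p in ports.items()
                         if s == src and len(p) >= port_min)
        if scanned:
            labels.append("port-scan:" + ",".join(scanned))
        # On a honeypot network even a single connection is worth recording.
        findings[src] = labels or ["contact"]
    return findings

if __name__ == "__main__":
    for src, labels in classify(SAMPLE_LOG, simulated={"10.50.100.2"}).items():
        print(src, labels)
```

Sources that generate the simulated traffic of Section 4.3 have to be listed in `simulated`, otherwise they show up as contacts and pollute the findings.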

4. Wireless Honeypots setup

Diagram 1 shows the setup of our wireless environment with honeypots and honeywall.

Diagram 1

4.1 Create Wireless Access Point

There are a few ways to create a wireless AP. We can set up a wireless router to act as the wireless AP, or turn a wireless card into Master mode to simulate an Access Point[2].

4.2 Setup Honeywall and Honeypot

Next we need to create a network (behind the AP). This network can either be real or virtual. The network can consist of one or more hosts. These hosts serve as honeypots. Some of the hosts are real physical hosts, while others can be virtual ones. Virtual hosts are installed as daemons. Well-known honeypot daemons include honeyd[3].

Thirdly, we need to create a honeywall between the wireless AP and the network. The honeywall sits in between the AP and the network so that it can analyze all packets passing through it. The honeywall has to be set up on the computer that has the wireless card set into Master mode. Of course, if we use a router instead of just the wireless card of the computer, then the honeywall sits between the wireless router and the network. All packets coming in and going out of the network will be screened by the honeywall.

4.3 Create Traffic

Simulating traffic can be an important issue on a wireless network dedicated to honeypot activity. Attackers need traffic packets and signal beacons to detect existing wireless APs. They also need data packets in order to capture the IVs they use to crack WEP keys[4].

This simulated traffic makes a honeynet appear to be a full-service network. Some honeynets have real physical hosts and can therefore react like a real host when probed by the attacker. Sites such as [5] provide a series of restricted service scripts, including SMTP and a simple web proxy. Another method is sending recorded packets using software such as tcpreplay. The concept of using a perl script to automate dialogs between clients and servers with random sessions and commands was first published here[6].

4.4 Enable Internet Access (optional)

Offering Internet access increases the realism of the honeypot network. However, we should limit outgoing connections to prevent attackers from launching attacks from our network after the network has been taken over. Honeywall also comes with snort-inline[5], an Intrusion Prevention System that limits connections.

4.5 Trap them!

After everything has been set up, it becomes a game of patience. If a wireless attacker does exist in the surroundings, we will be able to detect it. Diagram 2 is the web interface of honeywall, which allows us to probe in detail the packets that pass through the wireless network. We will not be discussing the data analysis in detail in this essay. However, it is important to know that the interface has a high level of data granularity.
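The outbound limit described in Section 4.4 can be modelled as a token bucket per honeypot. This is an added example, not part of the original paper and not the Honeywall's own rules; the cap of 3 connections per hour and the destination addresses are assumed values chosen so the behaviour is easy to follow.

```python
from dataclasses import dataclass, field

@dataclass
class OutboundLimiter:
    """Per-honeypot token bucket, counted in whole seconds of credit."""
    burst: int = 3        # assumed cap, not a Honeywall default
    window: int = 3600    # seconds in which `burst` connections refill
    _state: dict = field(default_factory=dict)  # honeypot IP -> (credit, last_ts)

    def decide(self, ts, honeypot_ip):
        cost = self.window // self.burst          # credit spent per connection
        credit, last = self._state.get(honeypot_ip, (self.window, ts))
        credit = min(self.window, credit + (ts - last))  # refill since last event
        allowed = credit >= cost
        self._state[honeypot_ip] = (credit - cost if allowed else credit, ts)
        return "ALLOW" if allowed else "DROP"

# Constructed outbound attempts: (seconds, honeypot source, destination, port).
SAMPLE_OUTBOUND = [
    (0,    "10.50.100.22", "192.0.2.10",   80),
    (5,    "10.50.100.22", "192.0.2.11",   80),
    (9,    "10.50.100.22", "192.0.2.12",   80),
    (12,   "10.50.100.22", "192.0.2.13",   80),
    (15,   "10.50.100.82", "198.51.100.7", 25),
    (20,   "10.50.100.22", "192.0.2.14",   80),
    (1300, "10.50.100.22", "192.0.2.15",   80),
]

def screen(events, limiter=None):
    """Return (per-event decisions, set of honeypots that hit the cap)."""
    if limiter is None:
        limiter = OutboundLimiter()
    decisions, capped = [], set()
    for ts, src, dst, dport in events:
        verdict = limiter.decide(ts, src)
        decisions.append((ts, src, dst, dport, verdict))
        if verdict == "DROP":
            # A honeypot that exhausts its budget is probably under attacker control.
            capped.add(src)
    return decisions, capped

if __name__ == "__main__":
    decisions, capped = screen(SAMPLE_OUTBOUND)
    for row in decisions:
        print(*row)
    print("investigate:", sorted(capped))
```

The first few connections still succeed, which keeps the network looking realistic, while a burst from a taken-over honeypot is cut off and flagged for analysis.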

Diagram 2

5. Conclusion

Wireless Internet will continue to flourish in the future. It is important to have defence mechanisms such as firewalls and Intrusion Detection Systems to thwart attackers. A wireless honeypot offers a new way of defence by trapping an attacker. A honeypot not only traps attackers, but also offers a way to observe and learn how attackers work by capturing all their activities.

Reference

[1] http://www.honeynet.org/
[2] http://palisade.plynt.com/issues/2007Feb/cracking-wep/
[3] http://www.honeyd.org/
[4] WLAN Analysis and Construction, TTM4137 Lab, http://zibin.tehais.com/wp-content/uploads/2007/10/Lab%20Report-TTM4137.pdf, http://palisade.plynt.com/issues/2007Feb/cracking-wep/
[5] www.citi.umich.edu/u/provos/honeyd/
[6] Hervieux and Meurisse, Symposium Sécurité des Technologies de l'Information et des Communications, SSTIC 2003, Rennes, France, UML as a Honeypot, http://www.sstic.org/SSTIC03/resumes03.shtml#UML, http://www.sstic.org/SSTIC03/presentations/Honeypots_UML___M._Hervieux_T._Meurisse/
[7] http://snort-inline.sourceforge.net/
