Lance Spitzner, the leader of the Honeynet Project, the definition of a honeypot is: A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
A wireless honeypot, used properly, could reveal pertinent and accurate statistics about attacks on your infrastructure, including:
– The frequency of attacks
– The attacker’s skill level
– Goals and methods
Wireless honeypots, similar to their wired counterparts, can help protect your networks by diverting the attacker’s time and resources on fake targets. In the black hat community, hackers enjoy penetrating wireless networks for the following reasons:
– They are somewhat safe, because the attacker isn’t directly connected to the network.
– They are easy to hack, because there are a huge number of open or unsecured access points (APs) around.
– They are fun to attack, because the wireless network is still considered relatively new.
– They allow for a great deal of anonymity.
– There are a couple of wireless honeypots openly available. These are considered in the following subsections.
This honeypot can be configured to simulate a large network in a wireless environment. With such an architecture, an intruder will be led to believe that he has stumbled onto a big network and could lose hours of time before realization dawns. Another interesting feature of Honeyd is the ability to simulate an AP. By creating fake TCP/IP stacks to fool remote fingerprinting tools, you can easily create your own fake services. For example, by copying wellchosen
Web pages used to manage an AP, you could simulate an AP. This technique could then be used to monitor attackers who would try to connect to the management interface using well-known default passwords, or who would try other opened services, such as attacks over SNMP, DNS, DHCP, TFTP, etc.
FakeAP can send specific wireless network traffic to fool basic attackers. This tool is specifically for dealing with war drivers and is designed to create multiple targets for your wireless network to hide among. The theory is that targeting one network is an easy task, whereas dealing with a cloud of targets could be more difficult.
As a war-driving countermeasure, FakeAP generates 802.11b beacon frames as fast as possible, by playing with fields like MAC, ESSID, channel assignments, and so on. To quote from the Web site of the authors: “If one access point is good, 53,000 must be better.” FakeAP was a good idea when it was first released, but now most updated tools can advise the attacker that the detected APs are unusual; for example, no traffic may be generated on the discovered networks.
How and Where It’s Used
If you are going to deploy a wireless honeypot, remember that it will have to perfectly simulate reality. Wireless honeypots are affected by the same problems as wired ones, as well as other problems specific to the wireless environment. Also, a skilled attacker may be afraid of a network that appears too open. So when deploying a wireless honeypot:
– The better you simulate reality, the better the chances that you’ll catch skilled attackers — but expect fewer intrusions.
– The less you deal with stealth, the more you’ll see successful attacks but expect script kiddies rather than skilled attackers.
Next» Wireless Attack Steps