root@dafthack:~#‎ > ‎

Honeyspot v1.0

posted Apr 20, 2012, 7:46 AM by Beau Bullock   [ updated Oct 4, 2013, 1:35 PM ]

After taking the SANS Offensive Countermeasures course it really got me thinking about detecting the attacker, and being able to get details about who they are.  So I decided to mix my love for WIFI with a honeypot style approach.  I have started an experiment of sorts with the goal of finding out just how many hackers I have in my neighborhood.  There might not be any at all and if so I will move my little experiment and see if I get any hits elsewhere.  All of the hardware I'm using are old artifacts I had lying around.  It's nice when you can make use of things that are just collecting dust.  Here's the gear I'm using: D-Link DIR-601 wireless router running DD-WRT, a Dell Inspiron 1501 Laptop, and a 10 year old home built PC.  (Side note: This experiment is completely in no way touching my home network or the internet.  We wouldn't want there to be any way an attacker could leverage our honeypot against us)

First, the router itself is using open WEP encryption.  Making it easy to break.  We want the hacker to have to break in so when I look at logs later I can conclude that they did indeed "hack" into my network.  With DD-WRT it's probably a good idea to hide the info page or require a login before viewing first or someone can just navigate to 192.168.1.1 and see who is connected.  We want the attacker to have to search for targets on our network.  That way we can generate more logs with proof that they were there.  As you can see in the network diagram I'm actually using my desktop to connect wirelessly to my router and I'm connecting over ethernet with my laptop.  This may seem a little backwards.  I set it up this way because my desktop had more storage than my laptop at the time.  Making lemons out of lemonade right?... Or something like that.  The reason I'm not connecting my laptop over wifi is because I want there to only be one target for any hacker to try and deauthenticate to generate initialization vectors. This way I can hone in on where to watch and what to alert on for the actual WIFI attack itself.  Let's come back to monitoring the airwaves for attacks in a little bit.

Now that we have the hardware set up let's talk about the honeypot technology in use.  From this point on we are going to assume an attacker has cracked the WEP encryption on our router and has decided they want to steal some bandwidth or even try to attack other systems on the network.  What can we do to detect them?  Well for starters once they connect to our honeyspot the router itself will log their MAC and dish out an IP via DHCP for them.  The first and most important piece of honeypot software I implemented is a PHP script.  I wrote a two page website using PHP.  The first page is a welcome page with a warning banner letting the attacker know that this is a private computer system and anything they do here will be monitored.

This is extremely important for any honeypot.  You MUST tell the attacker they are being watched.  This splash page is doing a few other things besides just warning the attacker though.  With PHP you can do a few nifty tricks.  Every visit to my splash page the script is getting the visitors IP address, the time and date of their visit, what browser they are using to visit with, and their hostname.  These are all great for tracking the attacker.  Secondly, this page also presents the attacker with a login.  Below my warning banner is "To access so-and-so network resources login below:" followed by username and password boxes.  If the attacker decides to proceed in trying to access the network by brute force every login attempt they try will be logged. 

So for experimental purposes we can analyze the attackers attempts and get an idea of what might have worked for them in the past.   The second php page I created is very similar to the first. The main difference is that I added "Invalid username and/or password. Please try again." Of course their login attempts are futile as the login page will never actually let them access anything.  But they will keep on trying in hopes of pwning my network.  So you're probably wondering how do we get the attacker to visit our honeypage.  Well the DD-WRT has a nice DNSMasq service that can redirect pretty much anything you want.  I have it setup so anyone that opens a browser and tries to visit any .com, .net, .org, .us, .info, etc. get redirected straight to our honeypage.  So any bandwidth moochers will immediately be logged to our honeyserver the second they try to browse any webpage.

Let's say our attacker doesn't care about surfing the web.  This attacker is out to attack our clients.  Well the honeypage won't do too much good for this attacker.  So I'm using Honeyd to create 9 virtual servers for the attacker to attack.  If the attacker decides they want to enumerate my network they will see 12 IP's: 9 virtual Honeyd servers, the desktop with the honeypage, the laptop hosting Honeyd, and the router.  If they start to portscan these systems they will see a few Windows boxes, a couple Mac's, an Xbox, and a Commodore 64 all with various open ports!  When they scan the Windows boxes they
will notice a few have telnet and FTP open.  Using Honeyd and Python scripts we can make these virtual servers interactive.  The attacker can telnet in to the system and run what looks like to the attacker valid commands.  The whole time their input is being logged and the commands are useless to the attacker.  Once again this is great for research into what attackers are trying to do on our systems.

Lastly, It would be nice if we could implement some sort of WIDS (wireless intrusion detection system) to monitor the actual wireless attack itself.  Being able to monitor and detect when an attacker is trying to hack your WIFI router is pretty difficult to do.  Kismet has the ability to alert on wireless attacks but I need to do more research into setting it up right.  There are some commercial products that do WIDS pretty well but I'm looking to keep this project as cheap as possible so those are out of the picture.  If anyone knows of any open source or free WIDS please email me at beau {at} dafthack.com.  I would love to incorporate WIDS into Honeyspot v2.0.

That pretty much sums up version 1 of my Honeyspot.  There are a lot of features I still want to implement.  I will report back in a month or so to give you an update on if I actually got any hits.  Also, I plan on writing a how-to for this setup with the scripts I'm using too.

Disqus

The gadget spec URL could not be found