After taking the SANS Offensive Countermeasures course it really got me thinking about detecting the attacker, and being able to get details about who they are.  So I decided to mix my love for WIFI with a honeypot style approach.  I have started an experiment of sorts with the goal of finding out just how many hackers I have in my neighborhood.  There might not be any at all and if so I will move my little experiment and see if I get any hits elsewhere.  All of the hardware I'm using are old artifacts I had lying around.  It's nice when you can make use of things that are just collecting dust.  Here's the gear I'm using: D-Link DIR-601 wireless router running DD-WRT, a Dell Inspiron 1501 Laptop, and a 10 year old home built PC.  (Side note: This experiment is completely in no way touching my home network or the internet.  We wouldn't want there to be any way an attacker could leverage our honeypot against us)

First, the router itself is using open WEP encryption.  Making it easy to break.  We want the hacker to have to break in so when I look at logs later I can conclude that they did indeed "hack" into my network.  With DD-WRT it's probably a good idea to hide the info page or require a login before viewing first or someone can just navigate to 192.168.1.1 and see who is connected.  We want the attacker to have to search for targets on our network.  That way we can generate more logs with proof that they were there.  As you can see in the network diagram I'm actually using my desktop to connect wirelessly to my router and I'm connecting over ethernet with my laptop.  This may seem a little backwards.  I set it up this way because my desktop had more storage than my laptop at the time.  Making lemons out of lemonade right?... Or something like that.  The reason I'm not connecting my laptop over wifi is because I want there to only be one target for any hacker to try and deauthenticate to generate initialization vectors. This way I can hone in on where to watch and what to alert on for the actual WIFI attack itself.  Let's come back to monitoring the airwaves for attacks in a little bit.

Now that we have the hardware set up let's talk about the honeypot technology in use.  From this point on we are going to assume an attacker has cracked the WEP encryption on our router and has decided they want to steal some bandwidth or even try to attack other systems on the network.  What can we do to detect them?  Well for starters once they connect to our honeyspot the router itself will log their MAC and dish out an IP via DHCP for them.  The first and most important piece of honeypot software I implemented is a PHP script.  I wrote a two page website using PHP.  The first page is a welcome page with a warning banner letting the attacker know that this is a private computer system and anything they do here will be monitored.

This is extremely important for any honeypot.  You MUST tell the attacker they are being watched.  This splash page is doing a few other things besides just warning the attacker though.  With PHP you can do a few nifty tricks.  Every visit to my splash page the script is getting the visitors IP address, the time and date of their visit, what browser they are using to visit with, and their hostname.  These are all great for tracking the attacker.  Secondly, this page also presents the attacker with a login.  Below my warning banner is "To access so-and-so network resources login below:" followed by username and password boxes.  If the attacker decides to proceed in trying to access the network by brute force every login attempt they try will be logged. 

Let's say our attacker doesn't care about surfing the web.  This attacker is out to attack our clients.  Well the honeypage won't do too much good for this attacker.  So I'm using Honeyd to create 9 virtual servers for the attacker to attack.  If the attacker decides they want to enumerate my network they will see 12 IP's: 9 virtual Honeyd servers, the desktop with the honeypage, the laptop hosting Honeyd, and the router.  If they start to portscan these systems they will see a few Windows boxes, a couple Mac's, an Xbox, and a Commodore 64 all with various open ports!  When they scan the Windows boxes they
will notice a few have telnet and FTP open.  Using Honeyd and Python scripts we can make these virtual servers interactive.  The attacker can telnet in to the system and run what looks like to the attacker valid commands.  The whole time their input is being logged and the commands are useless to the attacker.  Once again this is great for research into what attackers are trying to do on our systems.