Filename | Fake Access Point (AP) |
Permission | rw-r--r-- |
Author | WhySoSeriousssssssssssss |
Date and Time | 22:50 |
Label | hack |
Fake AP
Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.
A Fake AP can refer to:
- A honeypot, which is a fake access point made to attract hackers and other wireless intruders in order to collect information about them.
- A rogue access point physically installed on a (wired) network that an attacker is targeting from the outside.
A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
Honeypots can be classified based on their deployment and based on their level of involvement. Based on the deployment, honeypots may be classified as:
- Production Honeypots
- Research Honeypots
Based on their design criteria (the level of interaction offered to the attacker), honeypots fall into three categories:
- Pure honeypots
- High interaction honeypots
- Low interaction honeypots
A pure honeypot is a full-fledged production system. The attacker's activities are monitored through a tap installed on the honeypot's link to the network; no other software needs to be installed. Even though a pure honeypot is useful, the stealthiness of the defence mechanism is better assured by a more controlled setup.
High-interaction honeypots imitate the activities of real systems that host a variety of services, so an attacker can be offered many services on which to waste time. According to recent research in high-interaction honeypot technology, multiple honeypots can be hosted on a single physical machine by employing virtual machines, so even if a honeypot is compromised there is a chance of quicker recovery. In general, high-interaction honeypots provide more security by being difficult to detect but, on the negative side, are very expensive to maintain. If virtual machines are not available, each honeypot needs its own physical computer, which can be exorbitantly expensive.
Low-interaction honeypots simulate only the services that attackers normally request. Because only a few services are needed, this design has several advantages: multiple virtual honeypots can be hosted on one physical system since each consumes relatively few resources, the virtual systems respond quickly, and the shorter code reduces the complexity of securing them.
Spam versions
Spammers abuse vulnerable resources such as open mail relays and open proxies. Some system administrators have created honeypot programs that masquerade as these abusable resources to discover spammer activity. There are several capabilities such honeypots provide to these administrators and the existence of such fake abusable systems makes abuse more difficult or risky. Honeypots can be a powerful countermeasure to abuse from those who rely on very high volume abuse.
E-mail trap
An e-mail address that is not used for any other purpose than to receive spam can also be considered a spam honeypot. Compared with the term spamtrap, the term "honeypot" might better be reserved for systems and techniques used to detect or counter attacks and probes. Spam arrives at its destination "legitimately"—exactly as non-spam e-mail would arrive.
An amalgam of these techniques is Project Honey Pot. The distributed, open-source project uses honeypot pages installed on websites around the world. These honeypot pages hand out uniquely tagged spamtrap e-mail addresses. E-mail address harvesters and spammers can then be tracked as they gather, and subsequently send to, these spamtrap e-mail addresses.
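The tracking described above depends on two things: every handed-out address must be unique to the page and moment that served it, and a received address must be verifiable as one the trap really issued, so that mail to a guessed or mistyped address is not attributed to anyone. The following is an added example, not code from the post or from Project Honey Pot. It tags each address with a keyed MAC (HMAC-SHA256 truncated to 12 hex characters), keeps a handout log of which requesting IP was served each address, and attributes an inbound message back to that IP. The secret, the trap domain, the handout log and the sample message are all constructed for the example.

```python
import hashlib
import hmac
from email import message_from_string
from email.utils import getaddresses

# Constructed values for the example: the secret is held only by the trap
# operator, and the domain is where the tagged addresses are delivered.
TRAP_SECRET = b"constructed-example-secret"
TRAP_DOMAIN = "trap.example"
MAC_LEN = 12  # hex characters of the keyed MAC kept in the address


def _tag_mac(page_id, handout_ts):
    """Keyed MAC over (page, time) so a trap address cannot be forged or guessed."""
    msg = f"{page_id}.{handout_ts}".encode()
    return hmac.new(TRAP_SECRET, msg, hashlib.sha256).hexdigest()[:MAC_LEN]


def make_trap_address(page_id, handout_ts):
    """Address handed out by one honeypot page at one point in time."""
    return f"{page_id}.{handout_ts}.{_tag_mac(page_id, handout_ts)}@{TRAP_DOMAIN}"


def parse_trap_address(addr):
    """Return (page_id, handout_ts) if addr carries a valid tag, else None."""
    local, sep, domain = addr.rpartition("@")
    if not sep or domain.lower() != TRAP_DOMAIN:
        return None
    parts = local.rsplit(".", 2)          # the page id may itself contain dots
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    page_id, handout_ts, mac = parts
    expected = _tag_mac(page_id, handout_ts)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                        # forged or mistyped address
    return page_id, handout_ts


# Constructed handout log: what the honeypot page recorded when it served
# each address (the requesting IP is the suspected harvester).
HANDOUT_LOG = [
    {"page": "blog-contact", "ts": "1700000000", "harvester_ip": "203.0.113.7"},
    {"page": "blog-contact", "ts": "1700000300", "harvester_ip": "198.51.100.22"},
]


def attribute_spam(raw_message, handout_log):
    """Map each trap recipient of an inbound message back to the harvester."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    hits = []
    for _, rcpt in getaddresses(headers):
        tag = parse_trap_address(rcpt)
        if tag is None:
            continue                       # not ours, or the tag does not verify
        page_id, handout_ts = tag
        for entry in handout_log:
            if entry["page"] == page_id and entry["ts"] == handout_ts:
                hits.append({
                    "recipient": rcpt,
                    "page": page_id,
                    "handout_ts": int(handout_ts),
                    "harvester_ip": entry["harvester_ip"],
                    "sender": msg.get("From", ""),
                })
    return hits


# Constructed sample: one genuine trap address and one with a forged tag.
GENUINE = make_trap_address("blog-contact", "1700000000")
FORGED = f"blog-contact.1700000000.{'0' * MAC_LEN}@{TRAP_DOMAIN}"
SAMPLE_SPAM = (
    "From: promo@example.net\n"
    f"To: {GENUINE}, {FORGED}\n"
    "Subject: constructed sample message\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for hit in attribute_spam(SAMPLE_SPAM, HANDOUT_LOG):
        print(hit)
```

Only the genuine recipient is attributed; the forged one fails the MAC check and is ignored, which is what keeps a trap operator from blacklisting an IP on the strength of an address nobody ever served.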
Database honeypot
Databases are often attacked by intruders using SQL injection. Because such activity is not recognised by basic firewalls, companies often use database firewalls. Some of the available SQL database firewalls provide or support honeypot architectures that let the intruder run against a trap database while the web application continues to run as usual.
Fake AP using Airbase-NG
This section covers creating a Fake AP and passing internet traffic through it. The steps involved are basically:
- Configure dhcpd.conf
- Start the Fake AP with Airbase-NG
- Configure iptables to pass traffic through to the host's internet connection
- Capture / Monitor network traffic with tool of choice
In this case the test setup is as follows:
- Using BackTrack4 pre final
- Using a WiFi dongle to create a connection to internet on wlan1 (through gateway 192.168.1.1)
- Using my netbook wireless card (Atheros) to create the Fake AP
First, create/configure the dhcpd.conf file for later use:
nano /etc/dhcp3/dhcpd.conf
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 4.2.2.2;
range 192.168.2.130 192.168.2.140;
}
Ctrl X - Y(es) - Enter to save the file.
Then, to start the fake AP with airbase-ng, the interface needs to be in monitor mode:
airmon-ng
airmon-ng start wlan0
airbase-ng -e "TEST_AP" -c 9 mon0
This creates a simple tap interface, at0, with no encryption, on channel 9 and with the ESSID TEST_AP.
In this case there was already an internet connection up and running on wlan1, hence the warning messages; however, this was of no further consequence. Then bring the interface up and assign the subnet and gateway:
ifconfig at0 up
ifconfig at0 192.168.2.129 netmask 255.255.255.128
route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129
Further privileges needed to be given to dhcpd (a run directory it can write its PID file to):
mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd
Then point the command at the alternative dhcpd.conf file and the alternative .pid file:
dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0
Then set up the iptables rules to route the traffic from the tap interface to the internet connection (the one wlan1 is connected to over my 192.168.1.1 gateway):
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1
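Most failures with a setup like this are not in airbase-ng but in the addressing: a broadcast address that does not match the /25, a lease range that overlaps the gateway, or the tap interface configured with an address other than the one clients are told to use as their router. The following is an added example, not part of the post, that parses the subnet declaration from the dhcpd.conf shown above and checks it for those inconsistencies, including against the address given to at0 by the ifconfig line (192.168.2.129). The regular expressions cover only the subset of dhcpd.conf syntax used in the post; the "broken" variant is constructed for the example.

```python
import ipaddress
import re

# The dhcpd.conf from this post, embedded so the check runs offline.
PAGE_DHCPD_CONF = """\
ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 4.2.2.2;
range 192.168.2.130 192.168.2.140;
}
"""

# Constructed variant with two common mistakes: a broadcast address from the
# wrong half of the /24, and a range that overlaps the gateway address.
BROKEN_CONF = PAGE_DHCPD_CONF.replace(
    "broadcast-address 192.168.2.255", "broadcast-address 192.168.2.127"
).replace("range 192.168.2.130", "range 192.168.2.129")

# Subset of dhcpd.conf syntax used in the post (one subnet block, no nesting).
_SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
_OPTION_RE = re.compile(r"option\s+([\w-]+)\s+([^;]+);")
_RANGE_RE = re.compile(r"range\s+(\S+)\s+(\S+)\s*;")


def parse_scope(conf):
    """Extract the first subnet declaration as (network, options, (lo, hi))."""
    m = _SUBNET_RE.search(conf)
    if m is None:
        raise ValueError("no subnet declaration found")
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    body = m.group(3)
    options = {k: v.strip() for k, v in _OPTION_RE.findall(body)}
    r = _RANGE_RE.search(body)
    pool = (ipaddress.ip_address(r.group(1)), ipaddress.ip_address(r.group(2))) if r else None
    return net, options, pool


def check_scope(conf, tap_address):
    """Return a list of problems; an empty list means the scope is
    self-consistent and matches the address configured on the tap interface."""
    net, opt, pool = parse_scope(conf)
    problems = []
    if "subnet-mask" in opt and ipaddress.ip_address(opt["subnet-mask"]) != net.netmask:
        problems.append(f"subnet-mask {opt['subnet-mask']} does not match netmask {net.netmask}")
    if "broadcast-address" in opt and ipaddress.ip_address(opt["broadcast-address"]) != net.broadcast_address:
        problems.append(f"broadcast-address {opt['broadcast-address']} should be {net.broadcast_address}")
    router = ipaddress.ip_address(opt["routers"]) if "routers" in opt else None
    if router is None:
        problems.append("no routers option: clients get no default gateway")
    elif router not in net or router in (net.network_address, net.broadcast_address):
        problems.append(f"router {router} is not a usable host address in {net}")
    elif ipaddress.ip_address(tap_address) != router:
        problems.append(f"tap interface has {tap_address} but clients are told to use {router}")
    if pool is None:
        problems.append("no range: no addresses to lease")
    else:
        lo, hi = pool
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"range {lo}-{hi} is not inside {net}")
        elif router is not None and lo <= router <= hi:
            problems.append(f"range {lo}-{hi} would hand out the router address {router}")
    return problems


if __name__ == "__main__":
    print("post's config:", check_scope(PAGE_DHCPD_CONF, "192.168.2.129") or "OK")
    print("broken config:", check_scope(BROKEN_CONF, "192.168.2.129"))
```

The post's configuration passes cleanly: 192.168.2.128/25 does have broadcast 192.168.2.255, the router .129 is the first usable host and is outside the .130-.140 pool, and it matches the address assigned to at0.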
Now you basically have a Fake AP which people can connect to and browse the internet, all through your connection. Obviously this can be abused in any number of ways: all traffic can be captured and analysed, dsniff could be run on it together with urlsnarf or driftnet, and sessions could be hijacked in real time.
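From the defender's side, an AP like the one built above is visible in exactly the beacons it sends: an open network on a channel where the site runs nothing, or worse, the site's own ESSID from a radio the site does not own. The following is an added example, not code from the post or from aircrack-ng. It runs a simple rogue-AP check over a constructed, simplified scan export (one row per beaconing BSSID; not the real airodump-ng CSV layout) against a constructed inventory of authorised APs, flagging unknown BSSIDs that advertise an inventoried ESSID, weaker security than the inventory records, and a beacon flood of the kind the Fake AP tool at the top of this post produces. The inventory, threshold and scan rows are all assumptions for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed, simplified scan export (not a real airodump-ng file): one row
# per beaconing BSSID as seen by a monitoring sensor during one sweep.
SCAN_CSV = (
    "bssid,channel,privacy,essid\n"
    "00:11:22:33:44:55,6,WPA2,CorpNet\n"
    "00:11:22:33:44:56,11,WPA2,CorpNet\n"
    "de:ad:be:ef:00:01,9,OPN,CorpNet\n"      # our name, unknown radio, no encryption
    "de:ad:be:ef:00:02,9,OPN,TEST_AP\n"      # an open AP like the one built above
    + "".join(f"02:aa:00:00:00:{i:02x},9,OPN,free-wifi-{i:03d}\n" for i in range(40))
)

# Constructed inventory of the APs the site actually operates.
AUTHORIZED = {
    "CorpNet": {"bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"}, "privacy": "WPA2"},
}

FLOOD_THRESHOLD = 20   # distinct BSSIDs on one channel in a single sweep (assumed)


def parse_scan(scan_csv):
    """Normalise the scan rows: lower-case BSSIDs, integer channels, upper-case privacy."""
    return [
        {"bssid": r["bssid"].lower(), "channel": int(r["channel"]),
         "privacy": r["privacy"].upper(), "essid": r["essid"]}
        for r in csv.DictReader(io.StringIO(scan_csv))
    ]


def detect_rogue_aps(scan_csv, authorized, flood_threshold=FLOOD_THRESHOLD):
    """Return {'rogue': [findings], 'floods': {channel: distinct BSSID count}}."""
    records = parse_scan(scan_csv)
    rogue = []
    per_channel = defaultdict(set)
    for rec in records:
        per_channel[rec["channel"]].add(rec["bssid"])
        inv = authorized.get(rec["essid"])
        if inv is None:
            continue   # a name we do not operate; it only counts toward the flood check
        reasons = []
        if rec["bssid"] not in inv["bssids"]:
            reasons.append("unknown BSSID advertising our ESSID")
        if rec["privacy"] != inv["privacy"]:
            reasons.append(f"advertises {rec['privacy']} but we run {inv['privacy']}")
        if reasons:
            rogue.append({"bssid": rec["bssid"], "essid": rec["essid"],
                          "channel": rec["channel"], "reasons": reasons})
    floods = {ch: len(b) for ch, b in per_channel.items() if len(b) >= flood_threshold}
    return {"rogue": rogue, "floods": floods}


if __name__ == "__main__":
    result = detect_rogue_aps(SCAN_CSV, AUTHORIZED)
    for finding in result["rogue"]:
        print("rogue:", finding)
    for channel, count in result["floods"].items():
        print(f"beacon flood on channel {channel}: {count} distinct BSSIDs")
```

On the sample sweep the CorpNet twin on channel 9 is reported twice over (unknown radio, and open where the site runs WPA2), TEST_AP is not reported by name because the site never claimed it, and channel 9 trips the flood threshold with 42 distinct BSSIDs; in practice the inventory would come from the controller's AP list and the sweep from a sensor in monitor mode.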