Honeypots mailing list archives

Re: Wireless honeypots


From: "Talisker" <offthecuff () lineone net>
Date: Mon, 27 Jan 2003 20:26:19 -0000

Hi Matt
I think it depends on what you wish to achieve: tracking the activities of
the wardriver or apprehending them.  If it's the former then just stick
Ethereal on the input, but this will be discovered with trivial ease.  Once
inside the network, is there much more to be learned from a wardriver that
you cannot learn from an Internet-based honeypot?  That brings us to
apprehending them. The joy of wardriving is the anonymity of it all; it is
difficult to physically locate the intruder.

I've been thinking about this for a while, even looking at the possibility
of three access points and triangulating the location of the wardriver.  I
suspect the carrot of free Internet access would be a better draw than
seemingly interesting data.

<humor>
Don't do this near a train line. I have a friend who has been wardriving
(passively) on a main line route.  At 125 MPH with a high-gain antenna you
only have enough time to get issued an IP address before you leave the
footprint of the AP.  He can't be the only one; anyone running a honeypot
will see loads of wardrivers for a few seconds each time.  Triangulation
would be a nightmare!!
</humor>

I have also been playing with a high-gain (+17dB) directional parabolic
dish, with the thought of homing in on a rogue AP or wardriver.  Another
alternative is wardriving yourself with a GPS attached and feeding the
output into MapPoint through StumbVerter.  Both these methods are active and
the attacker will see the variance in your signal as you travel around.

thoughts?
take care
-andy

Taliskers Network Security Tools
http://www.networkintrusion.co.uk
----- Original Message -----
From: "Matt Harris" <mdh () unix si edu>
To: <honeypots () securityfocus com>
Sent: Monday, January 27, 2003 7:06 PM
Subject: Wireless honeypots


Has anyone ever theorized the possibility of a wireless honeypot - that
is, a wireless ethernet with a wide-open access point (or a somewhat
more secured one if you want more interesting data...) with maybe one or
two honeypot hosts behind it (not connected to the internet, so no worry
of problems with being used as a launchpoint for attacks)?  Sounds like
a possibly fun idea - I'm thinking about doing this in various
geographic areas (my workplace in downtown DC, my home in Bowie MD, etc)
in order to gather statistical data about who/where is
sniffing/searching for open wireless ethernet access.  If anyone else
finds this idea interesting, let me know; maybe we could correlate
efforts, etc.

--
/*
 *
 * Matt Harris - Senior UNIX Systems Engineer
 * Smithsonian Institution, OCIO
 *
 */

