PaulDotCom mailing list archives
Honeypot techniques for use in rogue APs.
From: bytesabit at gmail.com (bytes abit)
Date: Tue, 25 Aug 2009 22:14:19 -0300
Sounds interesting, well thought out. As for your redirects, a few IPTABLES commands would take care of that one, easy as pie... er well the crust is rather hard to make.. so I hesitate to use that expression ;P

Enabling logging on the port activity would be wise/useful as well.

BTW: Watch Wolverine Origin, it's freaking great! HAHAHA

Just got a message: Back of the shirt: www.thepiratebay.org .... Front of the shirt: http://tracker.btarena.org/

Jay

On Tue, Aug 25, 2009 at 10:45 AM, Chris Merkel <cmerkel at gmail.com> wrote:
> The recent discussions on honeypots got me thinking - has anyone modified a wireless AP in a way to make it look like another device? A multi-function printer perhaps? (If the answer is "It's in Paul's book" - I will go out and purchase it right away ;-)
>
> What if: You could leave telnet open to allow logons to actually manage the AP (you would have to pick a print server that requires a logon, so it would look legit), from there, you would need to modify OpenWRT to run:
>
> FTP/21 - allow anonymous logons, set up the folder structure, change the banner
> HTTP/80 - Mirror the status pages from a typical print server
> TCP/515 - lpd
> TCP/631 - ipp
> TCP/9100 - lpd / jetdirect
>
> You would also need to change the MAC address to the vendor ID of the device you're emulating.
>
> If you wanted to get really crafty, you could figure out a way to forward packets sent to 515,631 and 9100 to forward to an actual network printer on the same subnet.
>
> Let's say you did all of those things - think you'd be able to fool nmap's service fingerprinting? What if you found a match between a printer and AP, so that they're running a similar embedded linux kernel - that would fool nmap's TCP fingerprinting, right?
>
> I don't have a WAP readily available, nor the time in the next few months to hack something together, but if anyone else is headed down this road, I'd be interested to know.
>
> --
> - Chris Merkel