PaulDotCom mailing list archives
Honeypot techniques for use in rogue APs.
From: bytesabit at gmail.com (bytes abit)
Date: Wed, 26 Aug 2009 09:51:03 -0300
I think this may help: http://msdn.microsoft.com/en-us/library/dd162722%28VS.85%29.aspx

"""
The FindFirstPrinterChangeNotification call specifies the type of changes to be monitored. You can specify a set of conditions to monitor for changes, a set of printer information fields to monitor, or both. A wait operation on the change notification handle succeeds when one of the specified changes occurs in the specified printer or print server. You then call the FindNextPrinterChangeNotification <http://msdn.microsoft.com/en-us/library/dd162723%28VS.85%29.aspx> function to retrieve information about the change, and to reset the change notification object for use in the next wait operation.
"""

On Wed, Aug 26, 2009 at 1:48 AM, Nathan Sweaney <NSweaney at tulsacash.com> wrote:
Rather than try to emulate all of that, what if you just skipped ahead to your really crafty idea and forward all incoming traffic to an actual device on the network? If your goal is just to hide on the network, then at that point you're not limited to just being a printer, you can become any device, specific or random. If I'm scanning my network & see a new printer that I wasn't aware of, then I may get suspicious. But if instead I just have Bob's laptop or a Dell Switch listed twice, I may not notice. And if you do want to allow specific incoming traffic, you could either allow it by IP or get fancy with some sort of port-knocking implementation.

------------------------------
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of bytes abit
Sent: Tuesday, August 25, 2009 8:14 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Honeypot techniques for use in rogue APs.

Sounds interesting, well thought out. As for your redirects, a few IPTABLES commands would take care of that one, easy as pie... er, well, the crust is rather hard to make.. so I hesitate to use that expression ;P Enabling logging on the port activity would be wise/useful as well.

BTW: Watch Wolverine Origin, it's freaking great! HAHAHA

Just got a message:
Back of the shirt: www.thepiratebay.org ....
Front of the shirt: http://tracker.btarena.org/

Jay

On Tue, Aug 25, 2009 at 10:45 AM, Chris Merkel <cmerkel at gmail.com> wrote:

The recent discussions on honeypots got me thinking - has anyone modified a wireless AP in a way to make it look like another device? A multi-function printer perhaps?
(If the answer is "It's in Paul's book" - I will go out and purchase it right away ;-)

What if: You could leave telnet open to allow logons to actually manage the AP (you would have to pick a print server that requires a logon, so it would look legit). From there, you would need to modify OpenWRT to run:
FTP/21 - allow anonymous logons, set up the folder structure, change the banner
HTTP/80 - Mirror the status pages from a typical print server
TCP/515 - lpd
TCP/631 - ipp
TCP/9100 - lpd / jetdirect

You would also need to change the MAC address to the vendor ID of the device you're emulating. If you wanted to get really crafty, you could figure out a way to forward packets sent to 515, 631 and 9100 to an actual network printer on the same subnet.

Let's say you did all of those things - think you'd be able to fool nmap's service fingerprinting? What if you found a match between a printer and AP, so that they're running a similar embedded linux kernel - that would fool nmap's TCP fingerprinting, right?

I don't have a WAP readily available, nor the time in the next few months to hack something together, but if anyone else is headed down this road, I'd be interested to know.

--
- Chris Merkel
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
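The redirect-and-log idea that runs through the thread (spoof the MAC, answer on 515/631/9100, hand the connections to a real printer, log each hit) is sketched below as a POSIX sh script for an OpenWrt-style box. This is an added example, not code posted by anyone on the list. The printer address 192.168.1.50, the bridge interface br-lan and the MAC 00:11:22:33:44:55 are placeholders, not values from the thread; the script prints the iptables/ip commands by default so they can be reviewed (and tested without root) before being applied with --apply.

```shell
#!/bin/sh
# Added example (not from the thread): emit the commands that make an OpenWrt
# AP answer on the printer ports, log each new connection and hand it to a real
# printer on the same subnet. By default the commands are only printed; review
# them, then run with --apply as root on the AP.
#
# Assumed, hypothetical values: printer at 192.168.1.50, LAN bridge br-lan,
# placeholder MAC 00:11:22:33:44:55 (use the OUI of the vendor you emulate).
PRINTER_PORTS="515 631 9100"   # lpd, ipp, jetdirect raw

# valid_mac <mac>: six colon-separated hex pairs and nothing else.
valid_mac() {
    case $1 in
        [0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]:[0-9A-Fa-f][0-9A-Fa-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# gen_rules <printer_ip> <lan_if> <fake_mac>: print one command per line.
gen_rules() {
    printer_ip=$1; lan_if=$2; fake_mac=$3
    valid_mac "$fake_mac" || { echo "gen_rules: bad MAC '$fake_mac'" >&2; return 1; }
    ports_csv=$(echo "$PRINTER_PORTS" | tr ' ' ',')

    # 1. Make the OUI match the emulated vendor before the AP is seen on the LAN.
    echo "ip link set dev $lan_if down"
    echo "ip link set dev $lan_if address $fake_mac"
    echo "ip link set dev $lan_if up"

    # 2. The AP has to route between client and printer (same interface in and out).
    echo "sysctl -w net.ipv4.ip_forward=1"

    # 3. Log, then DNAT, every connection to a printer port. The nat table only
    #    sees the first packet of a connection, so this yields one log line per hit.
    for p in $PRINTER_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport $p -j LOG --log-prefix 'FAKEPRN:$p '"
        echo "iptables -t nat -A PREROUTING -i $lan_if -p tcp --dport $p -j DNAT --to-destination $printer_ip:$p"
    done

    # 4. Allow the forwarded flows and masquerade them. Without SNAT the printer
    #    would answer the client directly from its own address, and the client,
    #    which believes it is talking to the AP, would drop the reply.
    echo "iptables -A FORWARD -i $lan_if -o $lan_if -d $printer_ip -p tcp -m multiport --dports $ports_csv -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $lan_if -d $printer_ip -p tcp -m multiport --dports $ports_csv -j MASQUERADE"
}

# Usage: ./fakeprn.sh --print [printer_ip] [lan_if] [mac]
#        ./fakeprn.sh --apply [printer_ip] [lan_if] [mac]   (as root, on the AP)
case ${1-} in
    --apply) gen_rules "${2:-192.168.1.50}" "${3:-br-lan}" "${4:-00:11:22:33:44:55}" | sh -e ;;
    --print) gen_rules "${2:-192.168.1.50}" "${3:-br-lan}" "${4:-00:11:22:33:44:55}" ;;
esac
```

The MASQUERADE rule is the part that is easy to forget in a hairpin setup like this: client and printer share a subnet, so the reply has to come back through the AP or the client's TCP stack sees a SYN/ACK from the wrong address and the connection never completes. On the fingerprinting question, note that connections to the three redirected ports are completed by the printer's stack, while anything else the AP listens on (telnet, HTTP) is answered by the AP itself, so a scanner that probes both can end up with a mixed picture.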
Current thread:
- Honeypot techniques for use in rogue APs. Chris Merkel (Aug 25)
- Honeypot techniques for use in rogue APs. bytes abit (Aug 25)
- Honeypot techniques for use in rogue APs. Nathan Sweaney (Aug 25)
- Honeypot techniques for use in rogue APs. bytes abit (Aug 26)
- Honeypot techniques for use in rogue APs. Nathan Sweaney (Aug 25)
- Honeypot techniques for use in rogue APs. bytes abit (Aug 25)