Honeypot techniques for use in rogue APs.

[cmerkel at gmail.com (Chris Merkel)]

The recent discussions on honeypots got me thinking - has anyone modified a
wireless AP in a way to make it look like another device? A multi-function
printer perhaps? (If the answer is "It's in Paul's book" - I will go out and
purchase it right away ;-)

What if:

You could leave telnet open to allow logons to actually manage the AP (you
would have to pick a print server that requires a logon, so it would look
legit), from there, you would need to modify OpenWRT to run:
FTP/21 - allow anonymous logons, set up the folder structure, change the
banner
HTTP/80 - Mirror the status pages from a typical print server
TCP/515 - lpd
TCP/631 - ipp
TCP/9100 - lpd / jetdirect

You would also need to change the MAC address to the vendor ID of the device
you're emulating.

If you wanted to get really crafty, you could figure out a way to forward
packets sent to 515,631 and 9100 to forward to an actual network printer on
the same subnet.

Let's say you did all of those things - think you'd be able to fool nmap's
service fingerprinting? What if you found a match between a printer and AP,
so that they're running a similar embedded linux kernel - that would fool
nmap's TCP fingerprinting, right?

I don't have a WAP readily available, nor the time in the next few months to
hack something together, but if anyone else is headed down this road, I'd be
interested to know.

-- 
- Chris Merkel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090825/1d4c1f34/attachment.htm