Wednesday, August 12, 2009

Honeypot .... What is this?

A lot of research has been done on the security of WiFi infrastructure. Many vulnerabilities, either in the protocols or in their implementations, have been discovered and used to launch different types of attacks on Access Points (APs). At the same time, wireless client security has not received nearly as much attention. I am more interested in finding vulnerable clients and, if possible, getting information from the client. In some cases an attacker can gain complete control over a wireless client; how that happens, we will see later.
Generally, APs in enterprises are configured with the best security possible, so getting access to the enterprise network through them is quite difficult. But clients keep moving: they connect to the secure AP within the enterprise, but who stops them from connecting to other APs when they are travelling? Everyone wants internet access on the move, and hotspots are easily available at coffee shops, airports etc. So my point is that finding a client which might be vulnerable is easier. Depending on what information can be obtained from the client, a misconfigured client can also give access to its enterprise network.

First of all, if a wireless client is connected to an open AP, all of its layer 2 data traffic is unencrypted. So if you are surfing the web, anyone in radio range can read your data. You don't need to worry about your usernames/passwords if you are using HTTPS (secure HTTP), as it provides application-layer security. So, if you are connected to a legitimate AP and accessing the internet over HTTPS, all an attacker can do is passively sniff your (encrypted) traffic, which in most cases is not at all useful to the attacker :) . Apart from this, the attacker can also launch a DoS attack, but again, the attacker wouldn't gain anything besides disrupting the client's connection.

This is where the concept of a honeypot comes into the picture. "HoneyPot is a type of WiFi attack, where a hacker sets its service set identifier (SSID) to be the same as an access point at the local hotspot or corporate wireless network. This results in the unassuming client connecting to hacker's access point instead of legitimate AP." If the attacker succeeds in getting the client to connect to his AP, at least the layer 2 traffic is now under the attacker's control. Now that we have a basic idea of what a honeypot is, the next posts will cover the evolution of the honeypot over the last few years and how it can be integrated with other tools to make it more potent.
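From the defender's side, the tell-tale sign of the honeypot described above is an SSID you manage being advertised by a BSSID you do not own, often with weaker security than your real APs. The following is an added example (not code from the original post or from any tool it mentions) of a small check over scanner output: it assumes a hypothetical one-line-per-beacon format `SSID=... BSSID=... CH=... SEC=...` and a constructed inventory of the BSSIDs and security mode the organisation actually operates per SSID. Both the scan lines and the inventory are made up for illustration.

```python
"""Flag candidate honeypot ("evil twin") access points in a wireless scan log.

Added example, not part of the original post. Assumptions (all constructed):
  - the scanner emits one line per observed beacon in the hypothetical format
        SSID=<name> BSSID=<mac> CH=<channel> SEC=<OPEN|WEP|WPA|WPA2>
  - KNOWN_APS is the defender's inventory of BSSIDs and expected security
    mode for each SSID they operate.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"SSID=(?P<ssid>\S+)\s+BSSID=(?P<bssid>[0-9a-fA-F:]{17})\s+"
    r"CH=(?P<ch>\d+)\s+SEC=(?P<sec>\w+)"
)

# Constructed sample scan output (hypothetical format and values).
SAMPLE_SCAN = """\
SSID=CorpWiFi BSSID=00:11:22:33:44:55 CH=6 SEC=WPA2
SSID=CorpWiFi BSSID=00:11:22:33:44:56 CH=11 SEC=WPA2
SSID=CorpWiFi BSSID=de:ad:be:ef:00:01 CH=1 SEC=OPEN
SSID=CoffeeHotspot BSSID=aa:bb:cc:dd:ee:ff CH=6 SEC=OPEN
SSID=CoffeeHotspot BSSID=aa:bb:cc:dd:ee:01 CH=6 SEC=OPEN
this line is deliberately unparseable
"""

# Constructed inventory: the BSSIDs and security mode the defender really runs.
KNOWN_APS = {
    "CorpWiFi": {
        "bssids": {"00:11:22:33:44:55", "00:11:22:33:44:56"},
        "sec": "WPA2",
    },
}


def parse_scan(text):
    """Parse scanner lines into dicts; silently skip lines that do not match."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        records.append({
            "ssid": m.group("ssid"),
            "bssid": m.group("bssid").lower(),
            "channel": int(m.group("ch")),
            "sec": m.group("sec").upper(),
        })
    return records


def find_suspect_aps(records, known):
    """Return (ssid, bssid, reasons) for every AP that looks like a honeypot.

    For a managed SSID: any BSSID outside the inventory, or a security mode
    other than the expected one, is suspect. For an SSID we do not manage we
    can only spot inconsistency: the same SSID advertised with mixed security.
    """
    by_ssid = defaultdict(list)
    for r in records:
        by_ssid[r["ssid"]].append(r)

    findings = []
    for ssid, aps in by_ssid.items():
        inventory = known.get(ssid)
        seen_secs = {a["sec"] for a in aps}
        for ap in aps:
            reasons = []
            if inventory is not None:
                if ap["bssid"] not in inventory["bssids"]:
                    reasons.append("BSSID not in inventory for managed SSID")
                if ap["sec"] != inventory["sec"]:
                    reasons.append(
                        f"security mismatch: expected {inventory['sec']}, saw {ap['sec']}"
                    )
            elif len(seen_secs) > 1:
                reasons.append("SSID advertised with inconsistent security modes")
            if reasons:
                findings.append((ssid, ap["bssid"], reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in find_suspect_aps(parse_scan(SAMPLE_SCAN), KNOWN_APS):
        print(f"SUSPECT {ssid} {bssid}: {'; '.join(reasons)}")
```

On the constructed sample the two inventoried CorpWiFi radios pass, the open CorpWiFi beacon from an unknown BSSID is reported with both reasons, and the two open CoffeeHotspot radios are not flagged because an unmanaged SSID advertised consistently gives the defender nothing to compare against. The inventory is what makes the check meaningful; without it, only the inconsistency heuristic applies.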

So if you are interested in getting hands-on, be ready with these items :)
1. Any Linux machine will do, but I would recommend using "BackTrack". It is freely available at www.remote-exploit.org/backtrack.html
2. Madwifi-ng wireless driver (BackTrack includes it)
3. Any Atheros-based wireless card (Cisco/Netgear etc.)
