Wi-Fi Mini Honeypot

Remember, you don't have to connect your honeypot to the Internet. In fact, you shouldn't, as you have no control over what potential users might do with that Internet access. After configuring it as described above, test whether it logs your connections. DD-WRT writes the log to /var/log/messages by default. You can check it over SSH. Here's an example fragment of such a log:


Jan  1 00:43:03 orange user.warn kernel: ACCEPT IN=br0 
 ↪OUT= MAC=00:26:5a:a1:bc:86:00:0c:f1:11:43:0e:08:00 
 ↪SRC=192.168.2.2 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 
 ↪TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22535 SEQ=1 
Jan  1 00:43:04 orange user.warn kernel: ACCEPT IN=br0 
 ↪OUT= MAC=00:26:5a:a1:bc:86:00:0c:f1:11:43:0e:08:00 
 ↪SRC=192.168.2.2 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 
 ↪TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22535 SEQ=2 

If you can see your packet info logged, just leave the router and wait, looking at the log from time to time.

Unfortunately, with such small resources, you can't do much more, at least not within a few hours. This basic honeypot logs only packet headers: IP and MAC addresses. You can see how a ping is logged in the previous example. In general, all you learn is that somebody with a given MAC and IP tried to use your network, which isn't much.

Logging Associations to USB Storage with OpenWrt

You can build a little more advanced wireless honeypot with OpenWrt. Using it, you'll be able to log not only packets, MAC addresses and IP addresses, but also wireless associations, authentications, disassociations, deauthentications and their timestamps. With a little effort, you also can expand your honeypot's logging to USB storage, which gives you a lot more space for logs than the router's own flash.

My second router has 32MB of RAM, 8MB of Flash memory and USB support. On such hardware, you can easily install OpenWrt in much the same way as DD-WRT. Detailed instructions are available on the OpenWrt site. After installing it, setting up a wireless access point and logging in via SSH as root, you need to install a few more packages.

First, you'll need USB storage support:


opkg update
# host-controller drivers (OHCI for USB 1.1, EHCI for USB 2.0)
opkg install kmod-usb-ohci
opkg install kmod-usb2
# the mass-storage driver is what makes a pendrive appear as /dev/sda
opkg install kmod-usb-storage
# opkg normally loads these at boot; load them by hand now, usbcore first
insmod usbcore
insmod usb-ohci
insmod ehci-hcd
insmod usb-storage

Now, after connecting a pendrive, dmesg should show it to you, for example, as /dev/sda. The kernel also needs a driver for the pendrive's filesystem (kmod-fs-vfat for a FAT-formatted stick, kmod-fs-ext4 for ext4); without it the mount below fails with an "unknown filesystem" error. Make a directory for mounting your storage: mkdir /storage. Then mount it: mount /dev/sda1 /storage. You'll use it later for gathered data. A mount done by hand does not survive a reboot, so add it to the router's fstab configuration once you are happy with it.

Next, you must decide what traffic to log. Let's assume you want to log all traffic forwarded by the router. To do this, use netfilter and iptables, just as you would on a typical Linux distribution: iptables -I FORWARD -j LOG. Two things are worth knowing before you leave it running: LOG emits one line per packet, so on an 8MB-flash router you want the log on the pendrive rather than in RAM, and adding --log-prefix to the rule (for example --log-prefix "honeypot: ") lets you tell these lines apart from anything else the kernel logs.

Listing 1 shows an example fragment of a log stored on the pendrive. It was generated by a user authenticating, associating, requesting an IP address through DHCP and connecting to google.pl:80.

Listing 1. Example Log Generated with OpenWrt and Stored on a Pendrive


Oct 15 10:17:01 white daemon.info hostapd: wlan0: 
 ↪STA 00:0c:f1:11:43:0e IEEE 802.11: authenticated
Oct 15 10:17:01 white daemon.info hostapd: wlan0: 
 ↪STA 00:0c:f1:11:43:0e IEEE 802.11: associated (aid 1)
Oct 15 10:17:01 white daemon.info hostapd: wlan0: 
 ↪STA 00:0c:f1:11:43:0e WPA: pairwise key handshake completed (RSN)
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: 
 ↪DHCPDISCOVER(br-lan) 192.168.1.99 00:0c:f1:11:43:0e
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: 
 ↪DHCPOFFER(br-lan) 192.168.1.99 00:0c:f1:11:43:0e
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: 
 ↪DHCPREQUEST(br-lan) 192.168.1.99 00:0c:f1:11:43:0e
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: 
 ↪DHCPACK(br-lan) 192.168.1.99 00:0c:f1:11:43:0e red
Oct 15 10:17:14 white user.warn kernel: IN=br-lan OUT=eth0.2 
 ↪SRC=192.168.1.99 DST=209.85.148.105 LEN=60 TOS=0x00 
 ↪PREC=0x00 TTL=63 ID=59445 DF PROTO=TCP
 ↪SPT=49958 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 15 10:17:14 white user.warn kernel: IN=eth0.2 OUT=br-lan 
 ↪SRC=209.85.148.105 DST=192.168.1.99 LEN=60 TOS=0x00 
 ↪PREC=0x00 TTL=51 ID=6488 PROTO=TCP SPT=80 DPT=49958 
 ↪WINDOW=5672 RES=0x00 ACK SYN URGP=0
Oct 15 10:17:14 white user.warn kernel: IN=br-lan 
 ↪OUT=eth0.2 SRC=192.168.1.99 DST=209.85.148.105 LEN=52 
 ↪TOS=0x00 PREC=0x00 TTL=63 ID=59446 DF PROTO=TCP
 ↪SPT=49958 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Oct 15 10:17:14 white user.warn kernel: IN=br-lan 
 ↪OUT=eth0.2 SRC=192.168.1.99 DST=209.85.148.105 
 ↪LEN=200 TOS=0x00 PREC=0x00 TTL=63 ID=59447 DF PROTO=TCP
 ↪SPT=49958 DPT=80 WINDOW=229 RES=0x00 ACK PSH URGP=0
Oct 15 10:17:15 white user.warn kernel: IN=eth0.2 OUT=br-lan 
 ↪SRC=209.85.148.105 DST=192.168.1.99 LEN=52 TOS=0x00 
 ↪PREC=0x00 TTL=51 ID=6489 PROTO=TCP SPT=80
 ↪DPT=49958 WINDOW=106 RES=0x00 ACK URGP=0
Oct 15 10:17:15 white user.warn kernel: IN=eth0.2 OUT=br-lan 
 ↪SRC=209.85.148.105 DST=192.168.1.99 LEN=561 TOS=0x00 
 ↪PREC=0x00 TTL=51 ID=6490 PROTO=TCP SPT=80
 ↪DPT=49958 WINDOW=106 RES=0x00 ACK PSH URGP=0
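
The two log formats shown so far (the DD-WRT ACCEPT lines in the first example and the hostapd, dnsmasq and netfilter lines of Listing 1) can be turned into a per-station summary with nothing more than busybox awk, so the analysis can run on the router itself. The script below is an added example and is not part of the original article. The sample log it reads is constructed here: the listing's lines unwrapped onto single lines, plus a later connection attempt to port 443 and a hostapd deauthentication that the article does not show. It prints one CONN line per new outbound TCP connection (SYN without ACK), one PING line per ICMP echo request, and at the end one STA line per wireless client with its 802.11 event counts and the address dnsmasq handed out.

```sh
#!/bin/sh
# Added example (not from the article): summarize a honeypot syslog with awk.
# Runs on busybox awk on the router or on any POSIX system.

# Constructed sample log: Listing 1 unwrapped, the DD-WRT ping lines, and two
# extra events (a 443 SYN and a deauthentication) made up for this example.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jan  1 00:43:03 orange user.warn kernel: ACCEPT IN=br0 OUT= MAC=00:26:5a:a1:bc:86:00:0c:f1:11:43:0e:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22535 SEQ=1
Jan  1 00:43:04 orange user.warn kernel: ACCEPT IN=br0 OUT= MAC=00:26:5a:a1:bc:86:00:0c:f1:11:43:0e:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=22535 SEQ=2
Oct 15 10:17:01 white daemon.info hostapd: wlan0: STA 00:0c:f1:11:43:0e IEEE 802.11: authenticated
Oct 15 10:17:01 white daemon.info hostapd: wlan0: STA 00:0c:f1:11:43:0e IEEE 802.11: associated (aid 1)
Oct 15 10:17:01 white daemon.info hostapd: wlan0: STA 00:0c:f1:11:43:0e WPA: pairwise key handshake completed (RSN)
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: DHCPDISCOVER(br-lan) 192.168.1.99 00:0c:f1:11:43:0e
Oct 15 10:17:03 white daemon.info dnsmasq-dhcp[1106]: DHCPACK(br-lan) 192.168.1.99 00:0c:f1:11:43:0e red
Oct 15 10:17:14 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.99 DST=209.85.148.105 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59445 DF PROTO=TCP SPT=49958 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 15 10:17:14 white user.warn kernel: IN=eth0.2 OUT=br-lan SRC=209.85.148.105 DST=192.168.1.99 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=6488 PROTO=TCP SPT=80 DPT=49958 WINDOW=5672 RES=0x00 ACK SYN URGP=0
Oct 15 10:17:14 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.99 DST=209.85.148.105 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59446 DF PROTO=TCP SPT=49958 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
Oct 15 10:18:02 white user.warn kernel: IN=br-lan OUT=eth0.2 SRC=192.168.1.99 DST=209.85.148.105 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=59510 DF PROTO=TCP SPT=49961 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 15 10:25:40 white daemon.info hostapd: wlan0: STA 00:0c:f1:11:43:0e IEEE 802.11: deauthenticated due to inactivity
EOF

# summarize_log FILE: print CONN/PING lines as they occur, then one STA line
# per wireless client. Works with or without a --log-prefix on the LOG rule,
# because only key=value tokens and bare TCP flags are interpreted.
summarize_log() {
    awk '
    # hostapd station events: the MAC is the token right after "STA"
    /hostapd:/ {
        mac = ""
        for (i = 1; i <= NF; i++) if ($i == "STA") mac = $(i + 1)
        if (mac == "") next
        seen[mac] = 1
        if ($0 ~ /: authenticated/)          auth[mac]++
        else if ($0 ~ /: deauthenticated/)   deauth[mac]++
        else if ($0 ~ /: associated/)        assoc[mac]++
        else if ($0 ~ /: disassociated/)     disassoc[mac]++
        else if ($0 ~ /handshake completed/) hs[mac]++
        next
    }
    # DHCPACK binds an IP to a MAC: "DHCPACK(br-lan) 192.168.1.99 00:0c:..."
    /DHCPACK\(/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^DHCPACK\(/) { ip[$(i + 2)] = $(i + 1); seen[$(i + 2)] = 1 }
        next
    }
    # netfilter LOG lines: collect key=value tokens and the bare TCP flags
    /kernel:/ && /SRC=/ {
        split("", kv); syn = 0; ack = 0
        for (i = 1; i <= NF; i++) {
            if (index($i, "=")) { split($i, p, "="); kv[p[1]] = p[2] }
            else if ($i == "SYN") syn = 1
            else if ($i == "ACK") ack = 1
        }
        # a SYN without ACK is a new connection attempt by the client
        if (kv["PROTO"] == "TCP" && syn && !ack)
            printf "CONN %s -> %s:%s tcp at %s %s %s\n", kv["SRC"], kv["DST"], kv["DPT"], $1, $2, $3
        else if (kv["PROTO"] == "ICMP" && kv["TYPE"] == "8")
            printf "PING %s -> %s at %s %s %s\n", kv["SRC"], kv["DST"], $1, $2, $3
    }
    END {
        for (m in seen) {
            addr = (m in ip) ? ip[m] : "-"
            printf "STA %s: auth=%d assoc=%d handshake=%d disassoc=%d deauth=%d ip=%s\n",
                   m, auth[m], assoc[m], hs[m], disassoc[m], deauth[m], addr
        }
    }' "$1"
}

# Convenience views over the same summary
new_connections() { summarize_log "$1" | grep '^CONN '; }
stations()        { summarize_log "$1" | grep '^STA '; }

summarize_log "$SAMPLE_LOG"
```

On the router, point it at the file you keep on the pendrive (summarize_log /storage/messages); the ↪ marks in the listings above are only magazine line wrapping, real log lines are unbroken. The SYN-only filter is what you want for a honeypot: the reply lines (ACK SYN) and the data lines say nothing new about the visitor, and if you never connect the router to the Internet, the SYN lines are all you will ever see.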

This honeypot is a little more advanced, although you still don't have much control over what users do on the Internet. Either don't connect the router to the Internet at all, or filter the traffic with iptables and/or put a proxy between your router and the Internet. Or set up a proxy on the router itself!
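
The logging step of the procedure above and the filtering this paragraph asks for fit in one short firewall script: guests get a lease and DNS answers from the router, so the network looks alive, but nothing they send is forwarded, every attempt is logged with a recognisable prefix, and the log itself goes to the pendrive instead of the RAM ring buffer. The script below is an added example, not the article's own configuration. It assumes the interface names of Listing 1 (br-lan towards the guests, eth0.2 upstream), the /storage mount point from the procedure above, a made-up wired admin host at 192.168.1.2 that must keep SSH access, and OpenWrt's uci-managed syslog, which takes its output file from option log_file in /etc/config/system (check this against your release; the name of the init script that has to be restarted has changed over the years).

```sh
#!/bin/sh
# Added example (not from the article): quarantine the OpenWrt honeypot and
# keep its log on the pendrive. Run once by hand to try it, then put the
# iptables lines in /etc/firewall.user so a firewall reload keeps them.
#
# Assumptions, none taken from the article: br-lan is the guest-facing
# bridge and eth0.2 the upstream port (the names in Listing 1), the pendrive
# is mounted at /storage, and 192.168.1.2 is a made-up wired admin host.
LAN=br-lan
WAN=eth0.2
ADMIN=192.168.1.2
LOGDIR=/storage/log

# 1. Persistent log. The default syslog target is a RAM ring buffer (what
#    logread shows); a reboot or one busy night empties it.
mkdir -p "$LOGDIR"
uci set system.@system[0].log_file="$LOGDIR/messages"
uci commit system
/etc/init.d/log restart 2>/dev/null \
    || echo "no /etc/init.d/log on this release: reboot to apply log_file"

# 2. One chain that logs (tagged and rate-limited) and then drops. The prefix
#    is what you grep for later; the limit keeps a packet flood from filling
#    the pendrive or starving the router's CPU.
iptables -N HONEYPOT
iptables -A HONEYPOT -m limit --limit 20/second --limit-burst 100 \
    -j LOG --log-prefix "honeypot: "
iptables -A HONEYPOT -j DROP

# 3. Quarantine. Nothing arriving from the guest side is forwarded, so the
#    Internet (and anything behind $WAN) is out of reach. You still see every
#    attempt as a logged SYN; you just never see a reply.
iptables -I FORWARD 1 -i "$LAN" -j HONEYPOT

# 4. The router itself. Guests may get a lease (DHCP) and resolve names (DNS),
#    which is what makes them believe the network works. Everything else they
#    try against the router (web UI, SSH, port scans) is logged and dropped,
#    except SSH from the admin host. Rules are inserted at position 1, so the
#    last line below ends up first in the chain.
iptables -I INPUT 1 -i "$LAN" -j HONEYPOT
iptables -I INPUT 1 -i "$LAN" -p udp --dport 67 -j ACCEPT
iptables -I INPUT 1 -i "$LAN" -p udp --dport 53 -j ACCEPT
iptables -I INPUT 1 -i "$LAN" -p tcp --dport 53 -j ACCEPT
iptables -I INPUT 1 -i "$LAN" -s "$ADMIN" -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 1 -i "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
```

With this in place the "honeypot: IN=br-lan OUT=eth0.2 ... SYN" lines tell you which hosts and ports each visitor tried, and the hostapd and dnsmasq lines still tell you who they were; what you give up is the reply traffic, which is exactly the part you could not control anyway. If you do decide to let guests out through a proxy instead, keep the DROP in step 3 and open only the proxy's own port in step 4.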

______________________

Marcin Teodorczyk is a GNU/Linux user with more than 12 years of experience. For the past four years, he's been using Arch Linux exclusively on his personal computers.

Comments



Why use a honeypot anyway?

ΕΠΙΠΛΑ

If you secure your router with something better than WEP, e.g. WPA, why bother to know who is attacking? They can't break it.

Cheers,

ΕΠΙΠΛΑ

It's better to know the devils

Anonymous

It's better to know the devils there than to hide and hope they go away, no?

Default SSID or using a dictionary word

Anonymous

A default SSID, or a dictionary word under 10 characters used as the SSID: the use of rainbow tables can crack WPA/WPA2. WPA2 Enterprise, as a starting point, should be the only thing considered "secure".

WPA(2)-PSK with AES cipher

Anonymous

WPA(2)-PSK with the AES cipher and a 63-character random passphrase cannot be beaten by any rainbow table in finite time. That is how I secure my WLANs and, trust me, no one can beat that.

What about WAPs?

Ant

I have an old Linksys WAP11 (not a router). Will this work too?

Thank you in advance. :)

Live connection needed...

Joejoejoejoe

As far as I know, a live connection to the router/honeypot is mandatory in order to crack WEP and WPA... So if you don't have one, nobody will ever get into your honeypot...


English only please.

Anonymous

English only please.
