Embed Size (px)
Citation preview
The dangers posed by wireless honey pots
July 31
2013What dangers do users face when using a public Wi-Fi network. The document also discusses what is required to configure a honey pot Wi-Fi access point and some information resulting from one being built.
Contents
The Dangers posed by wireless honey pots......................................................................................3
Introduction.....................................................................................................................................3
Wi-Fi Hotspots, some of the risks......................................................................................................3
Smartphone leaks...........................................................................................................................4
Sidejacking.....................................................................................................................................5
Defending against the threat..............................................................................................................6
Use a VPN..................................................................................................................................6
Don’t wireless wander.................................................................................................................6
Anti-Virus and Firewall................................................................................................................7
Be vigilant...................................................................................................................................7
Core requirements for creating a Honey pot Wi-Fi access point........................................................8
Wi-Fi Router...................................................................................................................................8
Honey pot control server................................................................................................................9
Honey pot final setup.......................................................................................................................12
Collection of sample data.............................................................................................................12
Conclusion.......................................................................................................................................16
Reflection on learning......................................................................................................................16
REFERENCES.................................................................................................................................18
The dangers posed by wireless honey pots Page | 2
The Dangers posed by wireless honey pots
Introduction
Access to the internet has become more available to mobile device users either via the mobile phone network, (3G or 4G), or the reliance on Wi-Fi hotspots. For example, Virgin Media now offer Wi-Fi access in excess of 120 stations on the London Underground network. With this increase in Wi-Fi services is it possible to tempt users to connect to what they may perceive as being a more attractive Wi-Fi network? The temptation of something free perhaps? However, are they connecting to something more sinister like a Honey pot Wi-Fi access point?
Honey pot networks are generally used to divert an attacker’s attention away from a production network to the honey pot network by making it a more attractive proposition. The honey pot network can then be used to gain intelligence on attack techniques which in turn can be studied and defensive mechanisms implemented to further enhance the security of the production network.
This report will look at Wi-Fi honey pots not as a tool to learn and defend against attack techniques but to see what potential risks the user may face with their data and how to protect against the interception of that data. It will also show the process that could be employed to create a Wi-Fi honey pot and the observations of an experiment in a controlled environment.
Wi-Fi Hotspots, some of the risks.
Wi-Fi hotspots can be found everywhere from Café’s and Train Stations to Airports and shopping centers. According to the Office for National Statistics the growth in use has been significant from 0.7 million users in 2007 to 4.9 million users in 2011 Figure 1 : Wireless hotspot use in GreatBritain.
2008 2009 2010 2011
0
1
2
3
4
5
6
The use of wireless hotspots in Great Britainmillions
Figure 1 : Wireless hotspot use in Great Britain
We almost take it for granted that if we can see a public Wi-Fi hotspot we can get connectivity to the internet. Service providers have made it very easy to use their access points by not providing
The dangers posed by wireless honey pots Page | 3
any requirement to use a password for initial connection to their routers providing the service. With the vast increase in available hotspots the opportunity to exploit users also increases. Clearly if no encryption is used for communications between the user’s device and the hotspot router the potential to eavesdrop on data transmitted and received is very high. After all, the data is being transmitted and received using standard radio waves. There are a number of devices available such as Riverbed’s AirPcap, which can capture data frames transmitted via the 802.11 WLAN protocol. How tempting can it be, when sat in a public area with time to spare, to check emails and browse the web. Scanning for hotspots on your device is very simple which one do you choose?
There is no sure way to know if you have connected to a rogue hotspot or a legitimate one, they may look identical and even serve the webpage or services you were looking for. If the requirement of the rogue access point was to capture all your web traffic then giving the hotspot internet connectivity is highly desirable but not essential. Desirable because not all web services use SSL, (Secure Socket Layer), encryption. Many have no requirement and it’s these that will yield the most data that could be useful by capturing the data in clear text. It is not essential as the access point could be used to serve customized Webpages that may contain embedded malicious code or identical copies of legitimate Webpages that may fool the user into giving required information such as login credentials for a web service.
Smartphone leaksMost Smartphones and tablets have the capability to connect to wireless services to supplement their connectivity. These devices expose themselves in much the same way as a netbook or laptop computer, however their reliance on app technology can leave them more exposed. Whereas a standard computer uses a web browser primarily as its main tool for internet communications a Smartphone, as well as a web browser, uses apps that have be sourced in most cases from their provider’s app store. Are these apps to be trusted and what methods if any do they implement to secure their communications? The focus for a Smartphone’s manufacturer is the platform security and not so much the third party applications security, this is left to the developer and according to Denim Groups Designing Secure Mobile Apps
“Most developers are not trained to develop secure applications”
Many Smartphone apps require access to personal data stored on the device therefore increasing the risk and exposure of this sensitive information. The app accesses the personal data and potentially delivers its content over insecure media such as an open Wi-Fi hotspot.
Smartphone devices can leak some information constantly if their Wi-Fi mode is left on. Using Wireshark and an AirPcap device, it can be seen that a Smartphone device will constantly send out a probe request attempting to connect to Wi-Fi networks that it has in the past successfully connected to.
In Figure 2 - Wireshark capture showing a probe request, a Blackberry device is sending out a probe request for a wireless network called Soyuz. Although this information does not really tell us much in terms of personal data, it could be used to create a spoof Wi-Fi hotspot using the same SSID and tricking the phone into connecting as a trusted network. This technique could be used more effectively in public areas where a Wi-Fi hotspot has a high volume of devices connecting to it.
The dangers posed by wireless honey pots Page | 4
Figure 2 - Wireshark capture showing a probe request
SidejackingSidejacking is another word for session hijacking and is the process of stealing another user’s web session. When logging into sites such as Amazon, Facebook and Twitter the user should notice a padlock icon in the address bar. This padlock icon is an indication that the webpage is been delivered using SSL Secure Sockets Layer. SSL in the majority of cases uses 128 bit encryption ensuring that the data transferring between the client and server is secure and not liable to interception.
Sidejacking can be performed on sites that use SSL for the initial logon, but drop down to a standard non encrypted session once the username and password exchange has been completed. At this point the cookie can be captured in plain text and used to steal the session.
In 2010 software developer Eric Butler designed a plug-in for Firefox called Firesheep. Firesheep made it easy to steal the session cookie with just the Firefox Browser and packet sniffer such as Riverbed’s AirPcap adapter. Eric Butler states
“Websites have a responsibility to protect the people who depend on their services. They've been ignoring this responsibility for too long, and it's time for everyone to demand a more secure web. My hope is that Firesheep will help the users win.” (Butler, 24th Oct 2010)
Delivering a web session completely in SSL was thought to use too much processing power at both the web server and client ends however the Online Trust Alliance (OTA) stated that Google found that SSL used less than one percent of their CPU’s on their production machines, less that 10KB of memory per connection and less than two percent of network overhead. (OTA, Protecting Your Website With Always On SSL, Page 6, 2012)
The dangers posed by wireless honey pots Page | 5
As a result of Sidejacking, major websites are now implementing full SSL communications for the duration of user’s sessions making it extremely difficult for any type of data interception to take place. To protect against the Sidejacking process the use of a VPN, (Virtual Private Network), will assist as well as ensuring that the web session continues in SSL throughout.
Defending against the threat
The only way a user can protect themselves completely from Wi-Fi honey pots would be to never use their Wireless at all but clearly this is impracticable. However there are a number of steps that can be taken to, at the very least, reduce the footprint.
Use a VPNUsing a VPN solution is going to provide an extremely effective conduit for data transmission. Once a wireless client has successfully connected to the access point, a VPN can be setup between the users’ device and a VPN server. Once a VPN is established it creates a tunnel where encapsulated and encrypted data is passed from point to point using the public internetwork. This essentially appears as single connection or tunnel from a device to a target network that actually transits via different types of connection media as show in Figure 3 - VPN Connectivity
Figure 3 - VPN Connectivity
There are many VPN clients available both free and subscription. BT customers accessing the BT WIFI service have the option to download a free Cisco VPN security software package which aims to keep the users data secure. However VPN’s themselves have potential vulnerabilities which can compromise their purpose. NTA-Monitor found that out of the vast majority of VPN systems they tested for vulnerabilities, about 90% had significant security issues. (Roy Hills, Common VPN Security Flaws 2005, Page 15). The majority of the security issues can be successfully dealt with by applying good security procedures such as not using the default settings, user documentation and regular security testing. VPN solutions however are still a very successful method for protecting data over insecure networks.
Don’t wireless wanderOnce a client has successfully connected to a wireless access point various devices will give the option to connect when the access point is within range. Although this setting saves the hassle of manual connection it leaves the device open to roaming into what it may perceive as being a
The dangers posed by wireless honey pots Page | 6
preferred network. The user could be totally unaware that the device has connected to a rogue hotspot with the potential for data leakage or attack. A user would be strongly advised to only manually connect to hotspots that they are sure are legitimate.
Anti-Virus and FirewallHaving these products installed on devices and kept up to date is yet another barrier than can be introduced to protect the users.
Firstly the Anti-Virus (AV) package should stop any malicious code from being executed should this be the method on which the hotspot deliverers its attempted exploit. AV is not going to protect a device from every attack vector as exploits are written and rewritten all the time but it will however attempt to protect against the most well known.
Secondly, a firewall solution will help to protect the device from communication through ports that have not been authorized by the user. This may stop malicious code that may have bypassed the traditional AV mechanism by cutting off its communication path should it fall out of the range of authorized ports.
Some Microsoft operating systems will give the end user the choice of the type of network they are connecting to, this can be set on multiple connections and works by adjusting the firewall rule set. If for instance a Public profile is selected, the firewall set will be more restrictive. On the other hand if a Private profile is selected the service assumes the network is trusted more and the firewall rule set will be less restrictive, allowing for example the ability to share documents.
Be vigilantWhen using public Wi-Fi hotspots, whether they are open or encrypted, it always pays to keep a watch out for anything out of the ordinary. For instance a pop up window appears in a browser requiring personal details or logon account details. A web browser is redirecting to a site that wasn’t requested or even the request to install third party applications. If it doesn’t look or feel right then discontinue using the service, it would be better to terminate the connection than to find out later that the device really had been compromised or exploited.
The dangers posed by wireless honey pots Page | 7
Core requirements for creating a Honey pot Wi-Fi access point
There are many methods that can be employed to create a Wi-Fi hotspot, from utilizing a laptops wireless adapter and third party software to the purchase of such devices as the Wi-Fi Pineapple which is a professional all in one module favored by network penetration testers.
Here I will be explaining the requirements and setup for the test Honey pot utilizing a laptop to run most of the services required and a home broadband router to deliver the wireless network.
Wi-Fi RouterThis essential piece of hardware will deliver the radio element of the hotspot. Most types of home broadband wireless routers can form part of a hotspot as long as their wireless configuration settings can be customized. A standard home broadband wireless router will be used in the test Honey pot access point.
The following settings require some level of configuration:
SSIDThe Service Set Identifier (SSID) is a human readable string which identifies the wireless network to users when they scan to see what networks are available. This field can be customized as required, is case sensitive and can only be a maximum of 32bytes.
In Figure 4 - SSID identification with Airodump-ng, the SSID’s of multiple networks are found under the ESSID column. ESSID and SSID is the same thing however some network vendors choose to use either one or the other. According to Robert J. Bartz (2012) the term ESSID implies more than one access point using the same SSID and security settings.
Figure 4 - SSID identification with Airodump-ng
The dangers posed by wireless honey pots Page | 8
The SSID chosen for the test honey pot will be “Free WiFi”. The reason for this choice is to state that the hotspot is free to connect but doesn’t deliver access to the internet.
BSSIDIt is not essential to change the Basic service set identifier (BSSID) unless there is a requirement to exactly replicate a wireless access point. The BSSID is the MAC address of the interface that delivers the wireless signal. No spoofing of the BSSID is required on the test hotspot.
Wireless securityOn most home routers the level of security applied to the wireless network can be configured. Settings range from no security through Wired Equivalent Privacy (WEP) to Wireless Protected Access (WPA). As the wireless router will be used as a public hotspot, no wireless security will be implemented which replicates how the vast majority of public hotspots function.
Dynamic Host Configuration Protocol (DHCP)Dynamic Host Configuration Protocol (DHCP) can be configured to allocate a set range of Internet Protocol (IP) addresses and related network information such as Domain Name Server (DNS) information to the wireless clients. It is not essential that DHCP serves the clients from the router as a DHCP service can be set to run from the hotspot server. The DHCP service on the broadband router will be utilized on the test hotspot. The range that will be used will be the standard IANA private range of 192.168.0.0 – 192.168.255.255. From within that range the router will serve 192.168.1.10 – 192.168.1.254 and a subnet of 255.255.255.0
Honey pot control serverThe control server can be anything from a workstation to a netbook computer. The device can either connect via cable or wirelessly to the hotspot router. In the test equipment, this role will be served by a standard laptop running Microsoft Windows XP. The laptop will be connected via a standard cat5 network cable. From the IP range allocated the server will be allocated 192.168.1.5 which falls outside the range allocated to DHCP but within the network range.
The following services will be running on the control server.
WebserverAs wireless clients connect to the honey pot they are to be redirected to a landing page. A Webserver is required to serve that default web page and any other associated web pages. The server will be serving pages via the default port 80 and may also require the ability to serve pages via HTTPS port 443. If there is a requirement to serve HTTPS then secure certificate implementations will have to be considered. The controlled honey pot that will be used here will not be implementing any HTTPS functionality for ease of configuration and testing.
In Figure 5 - Hot spot landing page, is the customized page that is displayed when a user connects a device to the honey pot hot spot and requests a URL. As this is performed in a controlled environment, the page makes it clear why this page has been delivered and where to seek further information.
A custom form for user input has also been created and this form along with its role is discussed later.
The dangers posed by wireless honey pots Page | 9
Figure 5 - Hot spot landing page
Domain Name System (DNS)DNS is a naming system used to convert Internet Protocol (IP) addresses into computer names or services that are easy to understand. The process can also work backwards converting names into IP’s. A good example of this could be www.google.com, this easily understandable domain name is translated by DNS into 173.194.34.178. This result was easily obtained by sending a ping packet to www.google.com and allowing DNS to resolve it to an IP address of which a computer will use to route the data.
In Figure 6 - Ping resolving www.google.com to a computer IP address, the command window is displayed showing the output of that ping request and the DNS resolution that has taken place.
Figure 6 - Ping resolving www.google.com to a computer IP address
The dangers posed by wireless honey pots Page | 10
DNS on the honey control pot server will resolve all DNS queries to the Webserver IP address. The resolution is done in this manner to ensure a custom webpage can be served back to the client regardless of the address entered in the connecting client’s web browser.
The dangers posed by wireless honey pots Page | 11
Honey pot final setup
In Figure 7 - Final setup, the setup is complete and ready to capture details entered by the victim laptop using wireless.
Figure 7 - Final setup
Collection of sample data
The Victim client searches for and connects to a Wi-Fi network called Free WiFi. The Wi-Fi router will allocate the connecting computer with all the required network information using DHCP.
Using the Chrome web browser, the user enters www.google.co.uk and submits. The DNS service running on the Honey spot Wi-Fi control computer resolves this name query to 192.168.1.5 which is the IP address of the Webserver service. The successful resolution of this query can be seen in Figure 8 - DNS Resolution at honey pot
The dangers posed by wireless honey pots Page | 12
Figure 8 - DNS Resolution at honey pot
The DNS server configuration file contains a wildcard entry which resolves all DNS queries to the same IP address as show in Figure 9 - DNS configuration wildcard
Figure 9 - DNS configuration wildcard
The dangers posed by wireless honey pots Page | 13
The Webserver will now serve the default page back to the connected victim’s browser. As this is a controlled environment the victim is required to append the URL originally entered with /form.html, this request will now deliver a custom form back to the browser as show in Figure 10 - User entryform
Figure 10 - User entry form
On the Wireless packet capture computer, Wireshark is started and a capture of wireless traffic is selected using the PCAP adapter.
The form that is now displayed on the victim computer is completed with the entry of a Username and Password. Note when data is entered into the Password field as show in Figure 10 - Userentry form, asterisks replace the password text. Does this obscure the password from the network as well as the user entering the data? This will be revealed in the network capture file that is being produced on the Wireless packet capture computer running Wireshark. The details entered into the form are transferred back to the Webserver by using the Submit function.
Once the form transaction has taken place, the running network packet capture can be terminated and the results saved.
The wireless packet capture data can be filtered using Wireshark to ease the burden of trawling through many thousands of captured frames in search of the HTTP transaction traffic. Once the traffic has been filtered to only display HTTP, the capture is scrutinized for the HTML command POST which will contain the data submitted by the victim via the form.
Figure 11 Filtered HTTP with selected HTML POST, shows the filtered packet capture file.
The dangers posed by wireless honey pots Page | 14
Figure 11 Filtered HTTP with selected HTML POST
By following the stream collected, it is easy to see the data that was transmitted in the form was transmitted with no encryption as none was provided by either the web browser or the network connection provided by the wireless router. Therefore the details entered were captured in clear text and show in the POST command sent by the victim. Figure 12 Username and Passwordcaptured
Figure 12 Username and Password captured
The dangers posed by wireless honey pots Page | 15
The test is now complete with a successful capture of the credentials the user has used in the form that was served by the Webserver.
ConclusionCreating a simple fake access point is quite achievable by using just a handful of free tools available to download from the Internet. As long as there is knowledge about core network services like DHCP and DNS and the ability to create a simple web page then it is clear to see how public Wi-Fi hotspots are an easy target. The custom webpage that is being delivered can be made to look like a legitimate hotspot login page or even a popular social media website. This in turn can fool users into thinking that their login details will be legitimately used to access Internet services.
Users don’t always check to ensure their web session is being encrypted and some may not understand the secure process at all? It would be possible with some more work to make the honey pot deliver a page via SSL / HTTPS and then have the custom form deliver its data to a file for extraction, therefore fully replicating a public access point that would be very difficult to differentiate between legitimate and fake.
As we have seen, there are a number of mechanisms that can be employed to ensure the transfer of data is as secure as it can be but these methods also have flaws. Employing methods such as a VPN will go a long way to safeguarding the transactions you make but nothing one hundred percent guarantees that your data is not been targeted.
As long as public Wi-Fi hotspots continue to operate with no encryption then the threat from eavesdropping will always be present.
Reflection on learning
Choosing this subject of research was easy as I had been exploring the possibilities of setting up a honey pot network. This report certainly helped me to understand the full workings of a honey pot Wi-Fi network and to successfully implement the requirements for one was very satisfying.
At first I was very concerned that I wouldn’t make the word count as this is essentially the first report that I have attempted in this manner. Once I started to build the report, the words came falling out which took me by surprise. I was wary of waffle and have attempted to keep to the facts, solid research makes it easier to stick to the subject.
Researching came quite easy to me as I do this frequently in my current role writing courseware. What wasn’t as easy was getting used to using the online book library. Having not used this method before, it took a little getting used to but eventually it became as essential as using the standard internet “Google” type of search. Researching some of the elements of this report really changed my opinion on what I thought was fact to the actual reality. For example, I was unaware that VPN solutions were vulnerable until I investigated it further.
Having not referenced work before was a little daunting, would I be laying out the references correctly, have I ensured that all the subject matter was actually captured in the referencing? Seeing the references build at the end of the document was satisfying as it was indicating a good level of research. There were a couple of online referencing tools that helped a great deal.
The dangers posed by wireless honey pots Page | 16
Having marked students BTEC work in the past, it was important to include some diagrams as I feel this balance of text and illustration make a document easier to interpret. All but one of the diagrams were self generated either using a screen capture or a software package to layout the network diagrams. I am particularly pleased with my network diagrams. I do however think that some of the screenshots are difficult to interpret easily and maybe cropping them would have been a good idea to enable the detail they contain to be enhanced.
Writing this report using various formatting techniques in Word was a good lesson in itself. Having never really used functions such as the header/footer and the use of subheadings made me see how much better a report can be laid out and of course how much easier it is to read.
Overall a very satisfying piece of work which I hope will convey my findings in a easy to read and well structured first report.
The dangers posed by wireless honey pots Page | 17
REFERENCES
Honey pot (computing). URL: http://en.wikipedia.org/wiki/Honeypot_(computing) [21st March 2013]
Virgin Media Wi-Fi on the Tube. URL: http://my.virginmedia.com/wifi/index.html [21st March 2013]
Internet Access - Households and Individuals, 2011. 2013. Internet Access - Households and Individuals, 2011. URL: http://www.ons.gov.uk/ons/rel/rdit2/internet-access---households-and-individuals/2011/stb-internet-access-2011.html#tab-Wireless-Hotspots. [Accessed 24 June 2013].
Riverbed | Wireshark Enhancement Products - Wireless Traffic Packet Capture. 2013. Riverbed | Wireshark Enhancement Products - Wireless Traffic Packet Capture. URL: http://www.riverbed.com/products-solutions/products/performance-management/wireshark-enhancement-products/Wireless-Traffic-Packet-Capture.html#tab3. [Accessed 24 June 2013].
Designing Secure Mobile Apps. 2013. Designing Secure Mobile Apps. URL: http://www.slideshare.net/denimgroup/designing-secure-mobile-apps. [Accessed 24 June 2013].
Gerald Combs. Wireshark (Version 1.8.6) [Computer Program] http://www.wireshark.org
WinPcap (Version 4.1.3) [Computer Program] http://www.winpcap.org
Virtual Private Networking: An Overview. 2013. Virtual Private Networking: An Overview. URL: http://technet.microsoft.com/en-us/library/bb742566.aspx. [Accessed 24 June 2013].
Get a secure VPN software with BT Wi-fi | BT Wi-fi. 2013. Get a secure VPN software with BT Wi-fi | BT Wi-fi. URL:http://www.btwifi.co.uk/help/security/vpn-software.jsp. [Accessed 24 June 2013].
NTA Monitor | Common VPN Security Flaws. 2013. NTA Monitor | Common VPN Security Flaws. URL: http://www.nta-monitor.com/whitepapers/common-vpn-security-flaws. [Accessed 24 June 2013].
Firesheep - codebutler. 2013. Firesheep - codebutler. URL:http://codebutler.com/firesheep/. [Accessed 24 June 2013].
TechNet Blogs 2013. TechNetBlogs URL:http://blogs.technet.com/b/networking/archive/2010/09/08/network-location-awareness-nla-and-how-it-relates-to-windows-firewall-profiles.aspx. [Accessed 25 June 2013].
IEEE Standard Association - IEEE Get Program. 2013. IEEE Standard Association - IEEE Get Program. [ONLINE] Available at:http://standards.ieee.org/getieee802/download/802.11-2007.pdf. [Accessed 27 June 2013].
Robert J Bartz (2012). CWTS: Certified Wireless Technology Specialist Official Study Guide 2nd
Edition (PW0-071) (Google eBook)
HakShop — WiFi Pineapple Mark IV. 2013. HakShop — WiFi Pineapple Mark IV. URL: http://hakshop.myshopify.com/products/wifi-pineapple. [Accessed 27 June 2013].
Oracle VirtualBox (Version 4.2.14) [Computer Program] https://www.virtualbox.org/
Backtrack R3 (Version R3) [Operating System] http://www.backtrack-linux.org
The dangers posed by wireless honey pots Page | 18
Airodump-ng (Version 1.2) [Computer Program] http://www.aircrack-ng.org/
Service Name and Transport Protocol Port Number Registry. 2013. Service Name and Transport Protocol Port Number Registry. URL:http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml. [Accessed 27 June 2013].
cmd.exe (Version 5.1.2600.5512) [Computer Program] Microsoft Corporation embedded in Microsoft Windows XP
Microsoft Windows XP (130503-1418 SP 3) [Operating System] http://www.microsoft.com/en-gb/download/windows-xp.aspx
Google Chrome (Version 27.0.1453.116 m) [Computer Program] https://www.google.com/intl/en/chrome/browser/
Online Form Builder with Cloud Storage Database | Wufoo . 2013. Online Form Builder with Cloud Storage Database | Wufoo . URL:http://www.wufoo.com/. [Accessed 02 July 2013].
Achal Dhir Dual DHCP DNS Server (Version 7.03) [Computer Program] http://sourceforge.net/projects/dhcp-dns-server/?source=navbar
USBWebserver8 (Version 8.5) [Computer Program] http://www.usbwebserver.net/en/index.php
The dangers posed by wireless honey pots Page | 19
