Hello everyone, I'm by no means a wireless expert, but...

A honeypot is a well-known "trapping" method, used to lure and analyze malicious users/attackers. A service is deliberately left exposed with the sole purpose of attracting attack. Think of it as ... a poisoned honey pot used to catch mice, for example :-)

Evil Twin most definitely sounds like something not pleasant ;-)

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert
FREE CCIE training: http://bit.ly/vLecture
Mailto: [email protected]
Telephone: +1.810.326.1444
Web: http://www.ipexpert.com/

2010/10/17 Kelvin Dam <[email protected]>:
> Good points all.
>
> Scanning through CCO, there's various info about Evil Twins and Honeypots to be found.
> The two terms seem to be more or less pointing at the same thing.
>
> In one doc though, I came across this:
> (source: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_white_paper0900aecd8040f7b2_ns337_Networking_Solutions_White_Paper.html)
>
> <output emitted>
>
> honeypot*
> * An authorized access point deployed by a network administrator to detect and mitigate unauthorized network access.
> <snippet cut>
>
> So I think that Evil Twins are APs not owned or deployed by admins, using the same SSID as your Corp, and trying to lure people to use it. And Honeypots are the same, OR set up by admins, using a bogus SSID to lure hackers to try and hack that one instead.
>
> Kelvin
>
> 2010/10/17 Kristján Ólafur Eðvarðsson <[email protected]>
>>
>> Honey pot and Evil Twin.
>>
>> Good stuff Tor,
>>
>> But again they seem to mention those 2 in the same sentences. In your article they mention honeypots but sometimes it is written honey pot, so perhaps you didn't search for that one.
>>
>> here is something from your link:
>>
>> "Cisco couples these advanced detection and classification techniques with an extensive attack, vulnerability, and performance detection library. Examples of event classes detected include: rogue access points/clients, ad hoc connections, hacker access points such as honeypots and evil twins, network reconnaissance, authentication and encryption cracking, man-in-the-middle attacks such as address/identity spoofing and replay attacks, protocol attacks, denial-of-service (DoS) attacks, over-the-air and network security vulnerabilities, and performance issues such as co-channel interference and coverage holes."
>>
>> Does someone care to explain the difference?
>>
>> I am beginning to think that there is no major difference between the two.
>>
>> But the conversation is good. Makes you remember this forever :)
>>
>> So I stick with using both in OEQ format. That can't hurt.
>>
>> regards. Kristjan
>>
>> From: Tor A. L. Olsen [mailto:[email protected]]
>> Sent: 17 October 2010 17:48
>> To: Kelvin Dam
>> Cc: Kristján Ólafur Eðvarðsson; [email protected]
>> Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)
>>
>> I will go for Evil Twin as Kelvin advocates for.
>>
>> Rogues offering the same SSID are performing an "Impersonation and Spoofing Attack" and if we take a look at Cisco WIPS, "Impersonation and Spoofing Detection" is described as
>>
>> "Analyzes traffic behavior, performs pattern matching and authentication methods to detect tools and techniques such as MAC/IP spoofing, fake access points, evil-twin access points, Dynamic Host Configuration Protocol (DHCP) spoiling, and other methods, providing an alert of potential data theft or unauthorized network access".
>>
>> Herein is, in fact, mentioned the Evil Twin whereas there is nothing about "Honeypot AP".
>>
>> http://www.cisco.com/en/US/prod/collateral/wireless/ps9733/ps9817/data_sheet_c78-501388.html
>>
>> As a side note I would like to mention that, in the CCNP Wireless Course IAUWS, the definition of Evil Twin actually is stated as a Rogue advertising "our" SSID.
>>
>> Tor
>>
>> On 17/10/2010, at 17.19, Kelvin Dam wrote:
>>
>> I may very well be way off here, but I'm not convinced that the definition of "honeypot" you posted is correct.
>>
>> I believe that an Evil Twin is an AccessPoint, broadcasting the same SSID as a corporation for instance, trying to lure users to use it.
>>
>> A HoneyPot is more or less the same, but doesn't have to be the same SSID, and is also used by admins to lure attackers into a confined subnet to be monitored.
>>
>> I'm basing my assumptions on these:
>>
>> Evil Twin
>>
>> The attacker uses a bogus base station that someone connects to using Wi-Fi wireless technology. By imitating the name of another, legitimate wireless provider, they can fool people into trusting the internet services that they are providing. When the users log into bank or e-mail accounts, the phishers have access to the entire transaction, since it is sent through their equipment.
>>
>> Unwitting web users are invited to log into the attacker's server with bogus login prompts, tempting them to give away sensitive information such as usernames and passwords. Often users are unaware they have been duped until well after the incident has occurred.
>>
>> Users think they have logged on to a wireless hotspot connection when in fact they have been tricked into connecting to the attacker's base station. The hacker jams the connection to the legitimate base station by sending a stronger signal within proximity to the wireless client - thereby turning itself into an 'evil twin.'
>>
>> A rogue Wi-Fi connection can be set up on a laptop with a bit of simple programming and a wireless card that acts as an access point. The access points are hard to trace, since they can suddenly be shut off, and are easy to build. A hacker can make their own wireless networks that appear to be legitimate by simply giving their access point a similar name to the Wi-Fi network on the premises. Since the hacker may be physically closer to the victim than the real access point, their signal will be stronger, potentially drawing more victims. The hacker's computer can be configured to pass the person through to the legitimate access point while monitoring the traffic of the victim, or it can simply say the system is temporarily unavailable after obtaining a user id and password.[3]
>>
>> HoneyPots
>>
>> A honeypot is valuable as a surveillance and early-warning tool. While it is often a computer, a honeypot can take other forms, such as files or data records, or even unused IP address space. A honeypot that masquerades as an open proxy to monitor and record those using the system is a sugarcane. Honeypots should have no production value, and hence should not see any legitimate traffic or activity. Whatever they capture is therefore malicious or unauthorized. One practical application of this is a honeypot that thwarts spam by masquerading as a type of system abused by spammers. These honeypots categorize trapped material 100% accurately: it is all illicit.
>>
>> Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to break into a system.
>>
>> Victim hosts are an active network counter-intrusion tool. These computers run special software, designed to appear to an intruder as being important and worth looking into. In reality, these programs are dummies, and their patterns are constructed specifically to foster interest in attackers. The software installed on, and run by, victim hosts is dual purpose. First, these dummy programs keep a network intruder occupied looking for valuable information where none exists, effectively convincing him or her to isolate themselves in what is truly an unimportant part of the network. This decoy strategy is designed to keep an intruder from getting bored and heading into truly security-critical systems. The second part of the victim host strategy is intelligence gathering. Once an intruder has broken into the victim host, the machine or a network administrator can examine the intrusion methods used by the intruder. This intelligence can be used to build specific countermeasures to intrusion techniques, making truly important systems on the network less vulnerable to intrusion.
>>
>> Any takers on this? :)
>>
>> Kelvin
>>
>> 2010/10/15 Kristján Ólafur Eðvarðsson <[email protected]>
>>
>> Hi Kelvin,
>>
>> That OEQ was rather good. I gave it some thought and scrolled through the help of my WCS server. Which in fact is very good and explains a lot of things.
>>
>> It is a rogue AP so it can't be a friendly based on that fact. Malicious is basically the same thing as a rogue. So they are probably looking for a classification of that rogue.
>>
>> I first read through the classifications of rogues and didn't see a clear answer to that question, but for everyone I'd like to share this info.
>>
>> "Rogue Access Point Classification Types
>> Rogue access points classification types include:
>>
>> Malicious - Detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification. See "Malicious Rogue APs" for more information.
>> Friendly - Known, acknowledged, or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained. See "Friendly Rogue APs" for more information. For more information on configuring friendly access point rules, see "Configuring Friendly AP Controller Templates".
>> Unclassified - Rogue access points that are not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list. See for more information. See "Unclassified Rogue APs" for more information."
>>
>> However when I was reading this I just remembered that I have sometimes got this warning in WCS in real setups: "With Honey pot AP detected"
>>
>> And this seems to be the best answer to this question. Do you guys agree?
>>
>> "Honey Pot AP Detected
>> Alarm Description and Possible Causes
>> The addition of WLANs in the corporate environment introduces a whole new class of threats for network security. RF signals that penetrate walls and extend beyond intended boundaries can expose the network to unauthorized users. A rogue access point can put the entire corporate network at risk for outside penetration and attack. Not to understate the threat of the rogue access point, there are many other wireless security risks and intrusions such as mis-configured access points, unconfigured access points, and DoS (denial-of-service) attacks.
>>
>> One of the most effective attacks facing enterprise networks implementing wireless is the use of a "honey pot" access point. An intruder uses tools such as NetStumbler, Wellenreiter, and MiniStumbler to discover the SSID of the corporate access point. Then the intruder sets up an access point outside the building premises or, if possible, within the premises and broadcasts the discovered corporate SSID. An unsuspecting client then connects to this "honey pot" access point with a higher signal strength. When associated, the intruder performs attacks against the client station because traffic is diverted through the "honey pot" access point.
>>
>> wIPS Solution
>> When a "honey pot" access point is identified and reported by the Cisco Adaptive Wireless IPS, the WLAN administrator may use the integrated over-the-air physical location capabilities, or trace the device on the wired network using rogue location discovery protocol (RLDP) or switchport tracing to find the rogue device."
>>
>> regards. Kristjan
>>
>> Date: Fri, 15 Oct 2010 08:24:00 +0200
>> From: Kelvin Dam <[email protected]>
>> To: Stalder Dominic <[email protected]>, [email protected]
>> Subject: Re: [CCIE Wireless] OEQ Answers (second)
>>
>> First question in that doc:
>>
>> *A rogue access point broadcasting a trusted SSID is called what?
>>
>> They are called "Trusted APs" or "Friendly APs".*
>>
>> Is wrong I believe... A Rogue broadcasting a trusted SSID is an Evil Twin to the best of my knowledge?
>>
>> Kelvin
>>
>> 2010/10/13 Stalder Dominic <[email protected]>
>>
>> > And here with the small answer list ;-)
>> > _______________________________________________
>> > For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>> >
>>
>> --
>> Kelvin Dam
>>
>
> --
> Kelvin Dam
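The thread keeps circling one distinction: a rogue radio advertising the corporate SSID (what Tor, Kelvin and the WCS alarm text call an evil twin or "honey pot" AP) versus an admin-deployed decoy on authorized hardware. The following Python sketch is an added illustration written for this page, not Cisco WCS/wIPS logic and not code from any participant. It classifies constructed beacon observations into the Friendly / Malicious / Unclassified buckets quoted from the WCS help, raises a "Honey Pot AP Detected" style alarm when an unknown BSSID carries a corporate SSID, and notes whether that rogue is stronger than the real AP (the "higher signal strength" condition in the alarm description). All BSSIDs, SSIDs, RSSI values and the friendly-rule prefix are constructed; the choice to treat an authorized BSSID seen with an SSID it is not configured for as a possible spoofed address is this example's own policy.

```python
"""Rogue AP classification over constructed beacon observations.

Added example for this page; not Cisco WCS/wIPS code. Inventory, rules and
sample beacons below are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Beacon:
    """One beacon frame as reported by a monitoring sensor (constructed)."""
    ssid: str
    bssid: str
    rssi_dbm: int  # signal strength at the sensor, dBm
    channel: int


# Constructed inventory: BSSIDs our controllers manage, and the SSIDs each
# radio is configured to advertise.
AUTHORIZED_APS: Dict[str, Set[str]] = {
    "00:11:22:aa:00:01": {"CORP-WIFI", "CORP-GUEST"},
    "00:11:22:aa:00:02": {"CORP-WIFI"},
    # Admin-deployed decoy (the "authorized honeypot" sense from Kelvin's
    # Cisco quote): our hardware advertising a bogus SSID to attract probing.
    "00:11:22:aa:00:ff": {"Free-Corp-Backup"},
}
CORPORATE_SSIDS: Set[str] = {"CORP-WIFI", "CORP-GUEST"}

# Constructed user-defined friendly rule: a known neighbour tenant's OUI.
FRIENDLY_BSSID_PREFIXES = ("aa:bb:cc:",)


def classify(beacon: Beacon) -> str:
    """Return 'authorized', 'friendly', 'malicious' or 'unclassified'."""
    bssid = beacon.bssid.lower()
    if bssid in AUTHORIZED_APS:
        if beacon.ssid in AUTHORIZED_APS[bssid]:
            return "authorized"
        # Our BSSID seen with an SSID it is not configured for: do not trust
        # the address, treat it as a possible spoofed BSSID (example policy).
        return "malicious"
    if beacon.ssid in CORPORATE_SSIDS:
        # Unknown radio advertising a trusted SSID: evil twin / honey pot AP.
        return "malicious"
    if bssid.startswith(FRIENDLY_BSSID_PREFIXES):
        return "friendly"
    return "unclassified"


def honeypot_alarms(observations: List[Beacon]) -> List[dict]:
    """Alarm on every malicious beacon that carries a corporate SSID and
    record whether it outshines the strongest authorized radio for that SSID
    (clients tend to roam to the stronger signal)."""
    best_authorized: Dict[str, int] = {}
    for b in observations:
        if classify(b) == "authorized":
            best_authorized[b.ssid] = max(best_authorized.get(b.ssid, -120), b.rssi_dbm)
    alarms = []
    for b in observations:
        if classify(b) == "malicious" and b.ssid in CORPORATE_SSIDS:
            alarms.append({
                "alarm": "Honey Pot AP Detected",
                "ssid": b.ssid,
                "bssid": b.bssid,
                "channel": b.channel,
                "stronger_than_authorized": b.rssi_dbm > best_authorized.get(b.ssid, -120),
            })
    return alarms


def summarize(observations: List[Beacon]) -> Dict[str, int]:
    """Count beacons per classification bucket."""
    counts: Dict[str, int] = {}
    for b in observations:
        c = classify(b)
        counts[c] = counts.get(c, 0) + 1
    return counts


# Constructed sensor report: four legitimate radios, three rogue conditions,
# one neighbour, one unrelated hotspot.
SAMPLE_OBSERVATIONS = [
    Beacon("CORP-WIFI", "00:11:22:aa:00:01", -55, 1),
    Beacon("CORP-GUEST", "00:11:22:aa:00:01", -55, 1),
    Beacon("CORP-WIFI", "00:11:22:aa:00:02", -62, 6),
    Beacon("Free-Corp-Backup", "00:11:22:aa:00:ff", -70, 11),
    Beacon("CORP-WIFI", "de:ad:be:ef:00:01", -41, 1),    # evil twin, stronger
    Beacon("CORP-GUEST", "de:ad:be:ef:00:02", -83, 6),   # evil twin, weaker
    Beacon("CORP-GUEST", "00:11:22:aa:00:02", -50, 6),   # our BSSID, wrong SSID
    Beacon("NeighbourNet", "aa:bb:cc:00:00:01", -77, 11),
    Beacon("xfinitywifi", "12:34:56:78:9a:bc", -88, 1),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_OBSERVATIONS))
    for alarm in honeypot_alarms(SAMPLE_OBSERVATIONS):
        print(alarm)
```

Running it yields four authorized, three malicious, one friendly and one unclassified beacon, with three alarms; the decoy on 00:11:22:aa:00:ff is authorized rather than alarmed because the admin deployed it, which is exactly the split Kelvin draws between an evil twin and an admin-run honeypot. Locating the rogue afterwards (RLDP, switchport tracing) is outside what a beacon-level classifier can do.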
