Well, that's pretty much what I described :-). As I said, it's a well-known security concept. I know - I ran one in Lina.Net for fun and games ;-)

http://en.wikipedia.org/wiki/Honeypot_(computing)

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

FREE CCIE training: http://bit.ly/vLecture

Mailto: [email protected]
Telephone: +1.810.326.1444
Web: http://www.ipexpert.com/

2010/10/19 Kristján Ólafur Eðvarðsson <[email protected]>:
> You are out of your territory Marko :-)
> But a good photographic explanation :)
>
> But I find Kelvin Dam's explanation the best so far and probably
> the most accurate. He sent this on Sun. 17.10.2010, with permission Kelvin :)
>
> "Good points all.
>
> Scanning through CCO, there's various info about Evil Twins and Honeypots to be
> found.
> The two terms seem to be more or less pointing at the same thing.
>
> In one doc though, I came across this :
> (source :
> http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_white_paper0900aecd8040f7b2_ns337_Networking_Solutions_White_Paper.html)
> <output emitted>
>
> honeypot*
> * An authorized access point deployed by a network administrator to detect
> and mitigate unauthorized network access.
>
> <snippet cut>
>
> So I think that Evil twins are APs not owned or deployed by admins, using the
> same SSID as your Corp, and trying to lure people to use it. And Honeypots are
> the same, OR set up by admins, using a bogus SSID to lure hackers to try and
> hack that one instead.
>
> Kelvin"
>
>
> -----Original Message-----
> From: Marko Milivojevic [mailto:[email protected]]
> Sent: 19 October 2010 21:22
> To: Kelvin Dam
> Cc: Kristján Ólafur Eðvarðsson; Tor A. L. Olsen;
> [email protected]
> Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)
>
> Hello everyone,
>
> I'm by no means a wireless expert, but...
>
> Honeypot is a well-known "trapping" method, utilized to lure and analyze
> malicious users/attackers. Service is deliberately left exposed with
> the sole purpose of attracting attack. Think of it as ... a poisoned
> honey pot used to catch mice, for example :-)
>
> Evil Twin most definitely sounds like something not pleasant ;-)
>
> --
> Marko Milivojevic - CCIE #18427
> Senior Technical Instructor - IPexpert
>
> FREE CCIE training: http://bit.ly/vLecture
>
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Web: http://www.ipexpert.com/
>
> 2010/10/17 Kelvin Dam <[email protected]>:
>> Good points all.
>>
>> Scanning through CCO, there's various info about Evil Twins and Honeypots to
>> be found.
>> The two terms seem to be more or less pointing at the same thing.
>>
>> In one doc though, I came across this :
>> (source :
>> http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_white_paper0900aecd8040f7b2_ns337_Networking_Solutions_White_Paper.html)
>>
>> <output emitted>
>>
>> honeypot*
>> * An authorized access point deployed by a network administrator to detect
>> and mitigate unauthorized network access.
>> <snippet cut>
>>
>> So I think that Evil twins are APs not owned or deployed by admins, using
>> the same SSID as your Corp, and trying to lure people to use it. And
>> Honeypots are the same, OR set up by admins, using a bogus SSID to lure
>> hackers to try and hack that one instead.
>>
>> Kelvin
>>
>> 2010/10/17 Kristján Ólafur Eðvarðsson <[email protected]>
>>>
>>> Honey pot and Evil Twin.
>>>
>>> Good stuff Tor,
>>>
>>> But again they seem to mention those 2 in the same sentences. In your
>>> article they mention honeypots but sometimes it is written honey pot, so
>>> perhaps you didn't search for that one.
>>>
>>> Here is something from your link:
>>>
>>> „Cisco couples these advanced detection and classification techniques with
>>> an extensive attack, vulnerability, and performance detection library.
>>> Examples of event classes detected include: rogue access points/clients, ad
>>> hoc connections, hacker access points such as honeypots and evil twins,
>>> network reconnaissance, authentication and encryption cracking,
>>> man-in-the-middle attacks such as address/identity spoofing and replay
>>> attacks, protocol attacks, denial-of-service (DoS) attacks, over-the-air and
>>> network security vulnerabilities, and performance issues such as co-channel
>>> interference and coverage holes.“
>>>
>>> Does someone care to explain the difference ?
>>>
>>> I am beginning to think that there is no major difference between the two.
>>>
>>> But the conversation is good. Makes you remember this forever :)
>>>
>>> So I stick with using both in OEQ format. That can't hurt.
>>>
>>> regards. Kristjan
>>>
>>> From: Tor A. L. Olsen [mailto:[email protected]]
>>> Sent: 17 October 2010 17:48
>>> To: Kelvin Dam
>>> Cc: Kristján Ólafur Eðvarðsson; [email protected]
>>> Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)
>>>
>>> I will go for Evil Twin as Kelvin advocates for.
>>>
>>> Rogues offering the same SSID are performing an "Impersonation and Spoofing
>>> Attack" and if we take a look at Cisco WIPS, "Impersonation and Spoofing
>>> Detection" is described as
>>>
>>> "Analyzes traffic behavior, performs pattern matching and authentication
>>> methods to detect tools and techniques such as MAC/IP spoofing, fake access
>>> points, evil-twin access points, Dynamic Host Configuration Protocol (DHCP)
>>> spoiling, and other methods, providing an alert of potential data theft or
>>> unauthorized network access".
>>>
>>> Herein is, in fact, mentioned the Evil Twin whereas there is nothing about
>>> "Honeypot AP".
>>>
>>> http://www.cisco.com/en/US/prod/collateral/wireless/ps9733/ps9817/data_sheet_c78-501388.html
>>>
>>> As a side note I would like to mention that, in the CCNP Wireless Course
>>> IAUWS, the definition of Evil Twin actually is stated as a Rogue advertising
>>> "our" SSID.
>>>
>>> Tor
>>>
>>> On 17/10/2010, at 17.19, Kelvin Dam wrote:
>>>
>>> I may very well be way off here, but I'm not convinced that the definition
>>> of "honeypot" you posted is correct.
>>>
>>> I believe that an Evil Twin is an AccessPoint, broadcasting the same SSID
>>> as a corporation for instance, trying to lure users to use it.
>>>
>>> A HoneyPot is more or less the same, but doesn't have to be the same SSID,
>>> and is also used by admins to lure attackers into a confined subnet to
>>> be monitored.
>>>
>>> I'm basing my assumptions on these :
>>>
>>> Evil Twin
>>>
>>> The attacker uses a bogus base station that someone connects to using
>>> Wi-Fi wireless technology. By imitating the name of another, legitimate
>>> wireless provider, they can fool people into trusting the internet services
>>> that they are providing. When the users log into bank or e-mail accounts,
>>> the phishers have access to the entire transaction, since it is sent through
>>> their equipment.
>>>
>>> Unwitting web users are invited to log into the attacker's server with
>>> bogus login prompts, tempting them to give away sensitive information such
>>> as usernames and passwords. Often users are unaware they have been duped
>>> until well after the incident has occurred.
>>>
>>> Users think they have logged on to a wireless hotspot connection when in
>>> fact they have been tricked into connecting to the attacker's base station.
>>> The hacker jams the connection to the legitimate base station by sending a
>>> stronger signal within proximity to the wireless client - thereby turning
>>> itself into an 'evil twin.'
>>>
>>> A rogue Wi-Fi connection can be set up on a laptop with a bit of simple
>>> programming and a wireless card that acts as an access point. The access
>>> points are hard to trace, since they can suddenly be shut off, and are easy
>>> to build. A hacker can make their own wireless networks that appear to be
>>> legitimate by simply giving their access point a similar name to the Wi-Fi
>>> network on the premises. Since the hacker may be physically closer to the
>>> victim than the real access point, their signal will be stronger,
>>> potentially drawing more victims. The hacker's computer can be configured to
>>> pass the person through to the legitimate access point while monitoring the
>>> traffic of the victim, or it can simply say the system is temporarily
>>> unavailable after obtaining a user id and password.[3]
>>>
>>> HoneyPots
>>>
>>> A honeypot is valuable as a surveillance and early-warning tool. While it
>>> is often a computer, a honeypot can take other forms, such as files or data
>>> records, or even unused IP address space. A honeypot that masquerades as an
>>> open proxy to monitor and record those using the system is a sugarcane.
>>> Honeypots should have no production value, and hence should not see any
>>> legitimate traffic or activity. Whatever they capture is therefore malicious
>>> or unauthorized. One practical application of this is a honeypot that
>>> thwarts spam by masquerading as a type of system abused by spammers. These
>>> honeypots categorize trapped material 100% accurately: it is all illicit.
>>>
>>> Honeypots can carry risks to a network, and must be handled with care. If
>>> they are not properly walled off, an attacker can use them to break into a
>>> system.
>>>
>>> Victim hosts are an active network counter-intrusion tool. These computers
>>> run special software, designed to appear to an intruder as being important
>>> and worth looking into. In reality, these programs are dummies, and their
>>> patterns are constructed specifically to foster interest in attackers. The
>>> software installed on, and run by, victim hosts is dual purpose. First,
>>> these dummy programs keep a network intruder occupied looking for valuable
>>> information where none exists, effectively convincing him or her to isolate
>>> themselves in what is truly an unimportant part of the network. This decoy
>>> strategy is designed to keep an intruder from getting bored and heading into
>>> truly security-critical systems. The second part of the victim host strategy
>>> is intelligence gathering. Once an intruder has broken into the victim host,
>>> the machine or a network administrator can examine the intrusion methods
>>> used by the intruder. This intelligence can be used to build specific
>>> countermeasures to intrusion techniques, making truly important systems on
>>> the network less vulnerable to intrusion.
>>>
>>> Any takers on this? :)
>>>
>>> Kelvin
>>>
>>> 2010/10/15 Kristján Ólafur Eðvarðsson <[email protected]>
>>>
>>> Hi Kelvin,
>>>
>>> That OEQ was rather good. I gave it some thought and scrolled through
>>> the help of my WCS server. Which in fact is very good and explains a lot
>>> of things.
>>>
>>> It is a rogue AP so it can't be a friendly based on that fact. Malicious is
>>> basically the same thing as a rogue. So they are probably looking for a
>>> classification of that rogue.
>>>
>>> I first read through the classifications of rogues and didn't see a clear
>>> answer to that question, but for everyone I'd like to share this info.
>>>
>>> "Rogue Access Point Classification Types
>>> Rogue access point classification types include:
>>>
>>> Malicious - Detected but untrusted or unknown access points with a malicious
>>> intent within the system. They also refer to access points that fit the
>>> user-defined malicious rules or have been manually moved from the friendly
>>> access point classification. See "Malicious Rogue APs" for more information.
>>> Friendly - Known, acknowledged, or trusted access points. They also refer to
>>> access points that fit the user-defined friendly rogue access point rules.
>>> Friendly rogue access points cannot be contained. See "Friendly Rogue APs"
>>> for more information. For more information on configuring friendly access
>>> point rules, see "Configuring Friendly AP Controller Templates".
>>> Unclassified - Rogue access points that are not classified as either
>>> malicious or friendly. These access points can be contained and can be moved
>>> manually to the friendly rogue access point list.
>>> See "Unclassified Rogue APs" for more information."
>>>
>>> However, when I was reading this I just remembered that I have sometimes
>>> got this warning in WCS in real setups: "With Honey pot AP detected"
>>>
>>> And this seems to be the best answer to this question. Do you guys agree ?
>>>
>>> "Honey Pot AP Detected
>>> Alarm Description and Possible Causes
>>> The addition of WLANs in the corporate environment introduces a whole new
>>> class of threats for network security. RF signals that penetrate walls and
>>> extend beyond intended boundaries can expose the network to unauthorized
>>> users. A rogue access point can put the entire corporate network at risk for
>>> outside penetration and attack. Not to understate the threat of the rogue
>>> access point, there are many other wireless security risks and intrusions
>>> such as mis-configured access points, unconfigured access points, and DoS
>>> (denial-of-service) attacks.
>>>
>>> One of the most effective attacks facing enterprise networks implementing
>>> wireless is the use of a "honey pot" access point. An intruder uses tools
>>> such as NetStumbler, Wellenreiter, and MiniStumbler to discover the SSID of
>>> the corporate access point. Then the intruder sets up an access point
>>> outside the building premises or, if possible, within the premises and
>>> broadcasts the discovered corporate SSID. An unsuspecting client then
>>> connects to this "honey pot" access point with a higher signal strength.
>>> When associated, the intruder performs attacks against the client station
>>> because traffic is diverted through the "honey pot" access point.
>>>
>>> wIPS Solution
>>> When a "honey pot" access point is identified and reported by the Cisco
>>> Adaptive Wireless IPS, the WLAN administrator may use the integrated
>>> over-the-air physical location capabilities, or trace the device on the wired
>>> network using rogue location discovery protocol (RLDP) or switchport tracing
>>> to find the rogue device."
>>>
>>> regards. Kristjan
>>>
>>> Date: Fri, 15 Oct 2010 08:24:00 +0200
>>> From: Kelvin Dam <[email protected]>
>>> To: Stalder Dominic <[email protected]>, [email protected]
>>> Subject: Re: [CCIE Wireless] OEQ Answers (second)
>>>
>>> First question in that doc:
>>>
>>> *A rogue access point broadcasting a trusted SSID is called what?
>>>
>>> They are called "Trusted APs" or "Friendly APs".*
>>>
>>> Is wrong I believe... A Rogue broadcasting a trusted SSID is an Evil Twin to
>>> the best of my knowledge?
>>>
>>> Kelvin
>>>
>>> 2010/10/13 Stalder Dominic <[email protected]>
>>>
>>> > And here with the small answer list ;-)
>>> > _______________________________________________
>>> > For more information regarding industry leading CCIE Lab training, please
>>> > visit www.ipexpert.com
>>>
>>> --
>>> Kelvin Dam
>>
>> --
>> Kelvin Dam
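As an added illustration (not code from anyone in this thread or from Cisco WCS), here is a small Python model of the rogue classification the WCS help text above lists (Malicious / Friendly / Unclassified) together with the "Honey Pot AP Detected" condition, an unknown BSSID advertising a corporate SSID, optionally heard stronger than our own AP. All SSIDs, BSSIDs and RSSI values are constructed.

```python
from dataclasses import dataclass

# Constructed inventory and rules; none of these values come from a real network.
CORPORATE_SSIDS = {"CorpNet", "CorpNet-Guest"}                # SSIDs we advertise
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}  # our managed APs
FRIENDLY_SSIDS = {"NeighborCafe"}  # a user-defined "friendly rogue" rule


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    rssi: int  # dBm as heard by the detecting AP


def classify(b: Beacon) -> str:
    """WCS-style bucket for one observed beacon."""
    if b.bssid.lower() in AUTHORIZED_BSSIDS:
        return "Authorized"          # not a rogue at all
    if b.ssid in CORPORATE_SSIDS:
        return "Malicious"           # rogue broadcasting our SSID: honey pot / evil twin
    if b.ssid in FRIENDLY_SSIDS:
        return "Friendly"            # matched a friendly rule; must not be contained
    return "Unclassified"


def honeypot_alarms(beacons):
    """One alarm per rogue advertising a corporate SSID, noting if it outshines our AP."""
    strongest_ours = {}
    for b in beacons:
        if classify(b) == "Authorized":
            strongest_ours[b.ssid] = max(strongest_ours.get(b.ssid, -999), b.rssi)
    alarms = []
    for b in beacons:
        if classify(b) != "Malicious":
            continue
        alarms.append({
            "alarm": "Honey Pot AP Detected",
            "ssid": b.ssid,
            "bssid": b.bssid.lower(),
            "rssi": b.rssi,
            # the "higher signal strength" case from the WCS alarm text
            "stronger_than_authorized": b.rssi > strongest_ours.get(b.ssid, -999),
        })
    return alarms


SAMPLE_SCAN = [  # constructed scan results
    Beacon("CorpNet", "00:11:22:AA:BB:01", -45),
    Beacon("CorpNet", "de:ad:be:ef:00:01", -38),   # unknown BSSID, louder than ours
    Beacon("NeighborCafe", "66:77:88:99:aa:bb", -70),
    Beacon("linksys", "00:22:33:44:55:66", -80),
]
```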
