Kristan...thanks...I thought you communicated very well. And you performed under pressure once I put you on the spot....good job.

This is great information below... exactly what we should be doing here. This is what I call "meat and potatoes" information. This is not "carrots and peas". This is the kind of stuff we need. If we spend too much time on "carrots and peas"... Cisco will punish us severely at the lab. "Carrots and peas" e-mails are good for one or two responses and then move on.... Meat and potatoes items like this one deserve many replies and a full understanding... you will then stand a better chance of passing the lab. On all 5 of the labs I have successfully completed as of 2008... I always concentrated on the meat and potatoes.
After this paragraph I am getting hungry (hee haw).
Good stuff, Thanks, Mike

On 10/19/2010 7:56 PM, Kristján Ólafur Eðvarðsson wrote:
Hey Mike and thanks for a good conference call yesterday.
I learned a lot.

I got to work on our configuration with the bridges and EAP-FAST.

First I would like to say that my suspicion was wrong regarding the encryption. "authentication key-management wpa" and "encryption mode ciphers aes-ccm" can co-exist and it will be WPAv2. I think (somebody correct me if I'm wrong) that if you use "authentication key-management cckm" it allows for WPAv2 and centralized key management, meant for things like fast secure roaming.

I also realized that the "EAP-FAST" log only shows up on the client side. It only shows "WPAv2" on the local RADIUS side. So keep that in mind when you want to see for sure which authentication method is being used by the root bridge.

I now realized where the "AP" user was coming from in our debug (debug radius authentication on the local RADIUS AP). It was the WDS AP username :) So I decided to skip the WDS configuration and make it simpler, just to get the EAP-FAST thing working. I managed to do so without disabling LEAP authentication (which you might have to do in the lab).

I just put the configuration as it is in the Dropbox folder. It's called:

18.10.Mike-Crane-webex-Autonomous-Root-bridge-local-radius-eap-fast-to-non-root-eap-fast-client.docx

My next thing would be to reproduce our problem with the WDS configuration and see if I get the AP user in my debug radius authentication while trying and failing like we experienced.

But somehow I am skeptical about WDS over bridges. I thought (until now, if somebody doesn't shut me off :)) WDS was only supported over the layer 2 wire between APs because of some multicasting being done and so on. But I might be wrong here. Under investigation! :)

I will add the WDS config later as I am too tired from being up until about 3 am Icelandic time on yesterday's conference call :-)

regards. Kristjan
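An added example to go with the key-management / cipher point above (this is editor-supplied code, not Kristján's Dropbox document and not a Cisco tool): a small Python check that reads an autonomous-AP configuration, pairs each SSID with the cipher suite of the radio it is bound to, and confirms the combination under discussion (authentication key-management wpa version 2, encryption mode ciphers aes-ccm, and EAP on the SSID) while flagging the weaker variants. The configuration text, SSID names and interface layout are constructed for the demonstration; the command spellings are the standard IOS access point syntax (dot11 ssid, authentication key-management, encryption mode ciphers, station-role).

```python
import re

# Constructed sample config for the demonstration (not the lab document).
# Dot11Radio0 carries the combination discussed above; Dot11Radio1 carries a
# deliberately weak SSID so the check has something to flag.
SAMPLE_CONFIG = """\
dot11 ssid BRIDGE-WPA2
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa version 2
 infrastructure-ssid
!
dot11 ssid LEGACY
 authentication open
 authentication key-management wpa
!
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid BRIDGE-WPA2
 station-role root bridge
!
interface Dot11Radio1
 encryption mode ciphers tkip
 ssid LEGACY
 station-role root
!
"""

STRONG_CIPHERS = {"aes-ccm"}
WEAK_CIPHERS = {"tkip", "wep40", "wep128", "ckip", "cmic", "ckip-cmic"}


def parse_blocks(config_text):
    """Group an IOS-style config into {top-level command: [indented sub-commands]}."""
    blocks = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' and blank lines end a block
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def _check_ssid(ssid_lines, ciphers):
    """Findings for one SSID, given the cipher set of the radio it is bound to."""
    findings = []
    key_mgmt = next((l for l in ssid_lines
                     if l.startswith("authentication key-management")), None)
    uses_eap = any(l.startswith("authentication open eap") or
                   l.startswith("authentication network-eap") for l in ssid_lines)
    if not ciphers:
        findings.append(("FAIL", "no 'encryption mode ciphers' on the radio: frames go in the clear"))
    weak = sorted(ciphers & WEAK_CIPHERS)
    if weak:
        findings.append(("FAIL", "weak ciphers enabled: " + ", ".join(weak)))
    if key_mgmt is None:
        findings.append(("FAIL", "no WPA key management: open or static WEP keys"))
    elif "version 2" in key_mgmt:
        findings.append(("OK", "WPA2 key management pinned with 'version 2'"))
    elif " wpa" in key_mgmt:
        # Plain 'key-management wpa' still negotiates WPA2 when aes-ccm is the
        # only cipher (what was observed on the bridges), but it also offers WPA1.
        findings.append(("WARN", "WPA key management without 'version 2': WPA1 is also offered"))
    else:
        findings.append(("WARN", "key management other than WPA: " + key_mgmt))
    if uses_eap:
        findings.append(("OK", "802.1X/EAP on the SSID (the method, e.g. EAP-FAST, is picked by the client)"))
    else:
        findings.append(("WARN", "no EAP on the SSID: relies on a PSK or static keys"))
    if ciphers == STRONG_CIPHERS and key_mgmt and "version 2" in key_mgmt and uses_eap:
        findings.append(("OK", "WPA2-Enterprise with AES-CCM only"))
    return findings


def audit_radio_security(config_text):
    """Return {(radio, ssid): [(severity, message), ...]} for each SSID bound to a radio."""
    blocks = parse_blocks(config_text)
    ssid_blocks = {name.split(" ", 2)[2]: lines
                   for name, lines in blocks.items() if name.startswith("dot11 ssid ")}
    report = {}
    for name, lines in blocks.items():
        if not name.startswith("interface Dot11Radio"):
            continue
        radio = name.split()[1]
        ciphers = set()
        for line in lines:
            m = re.match(r"encryption(?: vlan \d+)? mode ciphers (.+)$", line)
            if m:
                ciphers.update(m.group(1).split())
        for line in lines:
            if line.startswith("ssid "):
                ssid = line.split(" ", 1)[1]
                report[(radio, ssid)] = _check_ssid(ssid_blocks.get(ssid, []), ciphers)
    return report


if __name__ == "__main__":
    for (radio, ssid), findings in audit_radio_security(SAMPLE_CONFIG).items():
        for severity, message in findings:
            print(f"{radio} {ssid}: {severity} {message}")
```

The check is deliberately keyed on the radio rather than the SSID alone, because the cipher suite lives under the interface while key management lives under dot11 ssid; that split is exactly why an SSID can look fine on its own and still end up on a TKIP radio.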

-----Original Message-----
From: Marko Milivojevic [mailto:[email protected]]
Sent: 19. október 2010 22:19
To: Kristján Ólafur Eðvarðsson
Cc: Kelvin Dam; Tor A. L. Olsen; [email protected]
Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)

Nope, not at all a wireless thing. That's why I chimed in. I wouldn't
know anything if it were. :-)

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

FREE CCIE training: http://bit.ly/vLecture

Mailto: [email protected]
Telephone: +1.810.326.1444
Web: http://www.ipexpert.com/

2010/10/19 Kristján Ólafur Eðvarðsson<[email protected]>:
Good aspect. Not only a wireless thingy!
Good article, Marko!

regards. Kristjan

-----Original Message-----
From: Marko Milivojevic [mailto:[email protected]]
Sent: 19. október 2010 21:58
To: Kristján Ólafur Eðvarðsson
Cc: Kelvin Dam; Tor A. L. Olsen; [email protected]
Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)

Well, that's pretty much what I described :-). As I said, it's a
well-known security concept. I know - I ran one in Lina.Net for fun
and games ;-)

http://en.wikipedia.org/wiki/Honeypot_(computing)

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

FREE CCIE training: http://bit.ly/vLecture

Mailto: [email protected]
Telephone: +1.810.326.1444
Web: http://www.ipexpert.com/



2010/10/19 Kristján Ólafur Eðvarðsson<[email protected]>:
You are out of your territory Marko :-)
But a good photographic explanation :)

But I find Kelvin Dam's explanation the best so far and probably the most accurate. He sent this on Sun. 17.10.2010, with permission, Kelvin :)

"Good points all.

Scanning through CCO, there's various info about Evil Twins and Honeypots to be found.
The two terms seem to be more or less pointing at the same thing.

In one doc though, I came across this:
(source:
http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_white_paper0900aecd8040f7b2_ns337_Networking_Solutions_White_Paper.html)
<output emitted>

honeypot*
* An authorized access point deployed by a network administrator to detect and mitigate unauthorized network access.

<snippet cut>

So I think that Evil Twins are APs not owned or deployed by admins, using the same SSID as your corp, and trying to lure people to use it. And Honeypots are the same, OR set up by admins, using a bogus SSID to lure hackers to try and hack that one instead.

Kelvin"



-----Original Message-----
From: Marko Milivojevic [mailto:[email protected]]
Sent: 19. október 2010 21:22
To: Kelvin Dam
Cc: Kristján Ólafur Eðvarðsson; Tor A. L. Olsen; 
[email protected]
Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)

Hello everyone,

I'm by no means a wireless expert, but...

A honeypot is a well-known "trapping" method, used to lure and analyze malicious users/attackers. A service is deliberately left exposed with the sole purpose of attracting attack. Think of it as ... a poisoned honey pot used to catch mice, for example :-)

Evil Twin most definitely sounds like something not pleasant ;-)

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

FREE CCIE training: http://bit.ly/vLecture

Mailto: [email protected]
Telephone: +1.810.326.1444
Web: http://www.ipexpert.com/

2010/10/17 Kelvin Dam<[email protected]>:
Good points all.

Scanning through CCO, there's various info about Evil Twins and Honeypots to be found.
The two terms seem to be more or less pointing at the same thing.

In one doc though, I came across this:
(source:
http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_white_paper0900aecd8040f7b2_ns337_Networking_Solutions_White_Paper.html)

<output emitted>

honeypot*
* An authorized access point deployed by a network administrator to detect and mitigate unauthorized network access.
<snippet cut>

So I think that Evil Twins are APs not owned or deployed by admins, using the same SSID as your corp, and trying to lure people to use it. And Honeypots are the same, OR set up by admins, using a bogus SSID to lure hackers to try and hack that one instead.

Kelvin

2010/10/17 Kristján Ólafur Eðvarðsson<[email protected]>
Honey pot and Evil Twin.

Good stuff Tor,

But again they seem to mention those 2 in the same sentences. In your article they mention honeypots but sometimes it is written honey pot, so perhaps you didn't search for that one.

Here is something from your link:

"Cisco couples these advanced detection and classification techniques with an extensive attack, vulnerability, and performance detection library. Examples of event classes detected include: rogue access points/clients, ad hoc connections, hacker access points such as honeypots and evil twins, network reconnaissance, authentication and encryption cracking, man-in-the-middle attacks such as address/identity spoofing and replay attacks, protocol attacks, denial-of-service (DoS) attacks, over-the-air and network security vulnerabilities, and performance issues such as co-channel interference and coverage holes."

Does someone care to explain the difference?

I am beginning to think that there is no major difference between the two.

But the conversation is good. Makes you remember this forever :)

So I stick with using both in OEQ format. That can't hurt.

regards. Kristjan



From: Tor A. L. Olsen [mailto:[email protected]]
Sent: 17. október 2010 17:48
To: Kelvin Dam
Cc: Kristján Ólafur Eðvarðsson; [email protected]
Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)



I will go for Evil Twin as Kelvin advocates.

Rogues offering the same SSID are performing an "Impersonation and Spoofing Attack", and if we take a look at Cisco wIPS, "Impersonation and Spoofing Detection" is described as

"Analyzes traffic behavior, performs pattern matching and authentication methods to detect tools and techniques such as MAC/IP spoofing, fake access points, evil-twin access points, Dynamic Host Configuration Protocol (DHCP) spoiling, and other methods, providing an alert of potential data theft or unauthorized network access".

Herein is, in fact, mentioned the Evil Twin, whereas there is nothing about "Honeypot AP".

http://www.cisco.com/en/US/prod/collateral/wireless/ps9733/ps9817/data_sheet_c78-501388.html

As a side note I would like to mention that, in the CCNP Wireless course IAUWS, the definition of Evil Twin actually is stated as a rogue advertising "our" SSID.

Tor



On 17/10/2010, at 17.19, Kelvin Dam wrote:

I may very well be way off here, but I'm not convinced that the definition of "honeypot" you posted is correct.

I believe that an Evil Twin is an access point broadcasting the same SSID as a corporation, for instance, trying to lure users to use it.

A HoneyPot is more or less the same, but doesn't have to be the same SSID, and is also used by admins to lure attackers into a confined subnet to be monitored.

I'm basing my assumptions on these:

Evil Twin

The attacker uses a bogus base station that someone connects to using Wi-Fi wireless technology. By imitating the name of another, legitimate wireless provider, they can fool people into trusting the internet services that they are providing. When the users log into bank or e-mail accounts, the phishers have access to the entire transaction, since it is sent through their equipment.

Unwitting web users are invited to log into the attacker's server with bogus login prompts, tempting them to give away sensitive information such as usernames and passwords. Often users are unaware they have been duped until well after the incident has occurred.

Users think they have logged on to a wireless hotspot connection when in fact they have been tricked into connecting to the attacker's base station. The hacker jams the connection to the legitimate base station by sending a stronger signal within proximity to the wireless client - thereby turning itself into an 'evil twin.'

A rogue Wi-Fi connection can be set up on a laptop with a bit of simple programming and a wireless card that acts as an access point. The access points are hard to trace, since they can suddenly be shut off, and are easy to build. A hacker can make their own wireless networks that appear to be legitimate by simply giving their access point a similar name to the Wi-Fi network on the premises. Since the hacker may be physically closer to the victim than the real access point, their signal will be stronger, potentially drawing more victims. The hacker's computer can be configured to pass the person through to the legitimate access point while monitoring the traffic of the victim, or it can simply say the system is temporarily unavailable after obtaining a user id and password.[3]

HoneyPots

A honeypot is valuable as a surveillance and early-warning tool. While it is often a computer, a honeypot can take other forms, such as files or data records, or even unused IP address space. A honeypot that masquerades as an open proxy to monitor and record those using the system is a sugarcane. Honeypots should have no production value, and hence should not see any legitimate traffic or activity. Whatever they capture is therefore malicious or unauthorized. One practical application of this is a honeypot that thwarts spam by masquerading as a type of system abused by spammers. These honeypots categorize trapped material 100% accurately: it is all illicit.

Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to break into a system.

Victim hosts are an active network counter-intrusion tool. These computers run special software, designed to appear to an intruder as being important and worth looking into. In reality, these programs are dummies, and their patterns are constructed specifically to foster interest in attackers. The software installed on, and run by, victim hosts is dual purpose. First, these dummy programs keep a network intruder occupied looking for valuable information where none exists, effectively convincing him or her to isolate themselves in what is truly an unimportant part of the network. This decoy strategy is designed to keep an intruder from getting bored and heading into truly security-critical systems. The second part of the victim host strategy is intelligence gathering. Once an intruder has broken into the victim host, the machine or a network administrator can examine the intrusion methods used by the intruder. This intelligence can be used to build specific countermeasures to intrusion techniques, making truly important systems on the network less vulnerable to intrusion.

Any takers on this? :)

Kelvin

2010/10/15 Kristján Ólafur Eðvarðsson<[email protected]>

Hi Kelvin,

That OEQ was rather good. I gave it some thought and scrolled through the help of my WCS server, which in fact is very good and explains a lot of things.

It is a rogue AP so it can't be a friendly, based on that fact. Malicious is basically the same thing as a rogue. So they are probably looking for a classification of that rogue.

I first read through the classifications of rogues and didn't see a clear answer to that question, but for everyone I'd like to share this info.

"Rogue Access Point Classification Types
Rogue access point classification types include:

Malicious - Detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification. See "Malicious Rogue APs" for more information.
Friendly - Known, acknowledged, or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained. See "Friendly Rogue APs" for more information. For more information on configuring friendly access point rules, see "Configuring Friendly AP Controller Templates".
Unclassified - Rogue access points that are not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list. See "Unclassified Rogue APs" for more information."

However, when I was reading this I just remembered that I have sometimes got this warning in WCS in real setups: "Honey pot AP detected".

And this seems to be the best answer to this question. Do you guys agree?


"Honey Pot AP Detected
Alarm Description and Possible Causes
The addition of WLANs in the corporate environment introduces a whole new
class of threats for network security. RF signals that penetrate walls and
extend beyond intended boundaries can expose the network to unauthorized
users. A rogue access point can put the entire corporate network at risk for
outside penetration and attack. Not to understate the threat of the rogue
access point, there are many other wireless security risks and intrusions
such as mis-configured access points, unconfigured access points, and DoS
(denial-of-service) attacks.

One of the most effective attacks facing enterprise networks implementing
wireless is the use of a "honey pot" access point. An intruder uses tools
such as NetStumbler, Wellenreiter, and MiniStumbler to discover the SSID of
the corporate access point. Then the intruder sets up an access point
outside the building premises or, if possible, within the premises and
broadcasts the discovered corporate SSID. An unsuspecting client then
connects to this "honey pot" access point with a higher signal strength.
When associated, the intruder performs attacks against the client station
because traffic is diverted through the "honey pot" access point.

wIPS Solution
When a "honey pot" access point is identified and reported by the Cisco
Adaptive Wireless IPS, the WLAN administrator may use the integrated
over-the-air physical location capabilities, or trace device on the wired
network using rogue location discovery protocol (RLDP) or switchport tracing
to find the rogue device. "

regards. Kristjan
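An added example, written by the editor and not taken from WCS or wIPS, that turns the classification this thread converges on into code: an authorized BSSID is friendly (or, when it advertises an administrator-run decoy SSID, the "authorized access point deployed to detect unauthorized access" of the white paper quoted above); an unknown BSSID broadcasting a corporate SSID is the wIPS "honey pot AP" / evil twin and lands in the malicious class; anything else is unclassified unless a user-defined friendly rule matches. It also applies the "higher signal strength" observation from the alarm text by noting when a twin out-shouts the real AP. All BSSIDs, SSIDs and signal values are constructed for the demonstration, and the BSSID-spoofing check is an added rule, not one the page describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    """One observed beacon, as a monitoring radio would report it."""
    bssid: str
    ssid: str
    channel: int
    rssi: int  # dBm at the detecting radio


# Constructed inventory for the example (not real MACs or SSIDs).
AUTHORIZED = {                      # BSSID -> SSID the admin deployed it with
    "00:1a:a1:00:00:01": "CORP",
    "00:1a:a1:00:00:02": "CORP",
    "00:1a:a1:00:00:fe": "FREE-GUEST-WIFI",
}
CORPORATE_SSIDS = {"CORP"}
DECOY_SSIDS = {"FREE-GUEST-WIFI"}   # admin-run honeypot: no production users belong here
FRIENDLY_RULES = {"NEIGHBOR-NET"}   # a user-defined friendly rule, like a WCS friendly rule

# Constructed observations, including one twin louder than the real AP.
OBSERVED = [
    Beacon("00:1a:a1:00:00:01", "CORP", 6, -48),
    Beacon("00:1a:a1:00:00:fe", "FREE-GUEST-WIFI", 11, -55),
    Beacon("02:de:ad:be:ef:01", "CORP", 6, -35),
    Beacon("02:de:ad:be:ef:02", "NEIGHBOR-NET", 1, -70),
    Beacon("02:de:ad:be:ef:03", "linksys", 1, -80),
]


def classify(beacon, authorized=AUTHORIZED, corporate=CORPORATE_SSIDS,
             decoy=DECOY_SSIDS, friendly_rules=FRIENDLY_RULES):
    """Return (classification, reason) for one beacon.

    Classes follow the WCS vocabulary quoted above: friendly, malicious,
    unclassified, plus 'honeypot' for our own decoy AP.
    """
    bssid = beacon.bssid.lower()
    if bssid in authorized:
        if beacon.ssid != authorized[bssid]:
            # Added rule: our BSSID seen with a foreign SSID means the BSSID is being spoofed.
            return "malicious", "our BSSID seen with a foreign SSID: BSSID spoofing"
        if beacon.ssid in decoy:
            return "honeypot", "administrator decoy AP; any client here is a suspect"
        return "friendly", "authorized access point"
    if beacon.ssid in corporate:
        return "malicious", "unknown BSSID broadcasting a corporate SSID: honey pot / evil twin AP"
    if beacon.ssid in friendly_rules:
        return "friendly", "matches a user-defined friendly rule"
    return "unclassified", "unknown AP, neither friendly nor malicious"


def triage(beacons, authorized=AUTHORIZED):
    """Classify every beacon and flag twins that beat the real AP on signal strength.

    Returns a list of (beacon, classification, reason) in input order.
    """
    strongest_real = {}
    for b in beacons:
        bssid = b.bssid.lower()
        if bssid in authorized and authorized[bssid] == b.ssid:
            strongest_real[b.ssid] = max(strongest_real.get(b.ssid, -200), b.rssi)
    out = []
    for b in beacons:
        cls, why = classify(b, authorized=authorized)
        if cls == "malicious" and b.ssid in strongest_real and b.rssi > strongest_real[b.ssid]:
            why += f"; {b.rssi} dBm beats our strongest {b.ssid} AP at {strongest_real[b.ssid]} dBm"
        out.append((b, cls, why))
    return out


if __name__ == "__main__":
    for beacon, cls, why in triage(OBSERVED):
        print(f"{beacon.bssid}  {beacon.ssid:16} {cls:12} {why}")
```

The only inputs that distinguish the two readings of "honeypot" in the thread are the BSSID inventory and the decoy list: the same SSID on an authorized BSSID is our trap, on an unknown BSSID it is the attacker's, which is why the classification has to start from the BSSID rather than the SSID.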




----------------------------------------------------------------------

Message: 1
Date: Fri, 15 Oct 2010 08:24:00 +0200
From: Kelvin Dam<[email protected]>
To: Stalder Dominic<[email protected]>,
        [email protected]
Subject: Re: [CCIE Wireless] OEQ Answers (second)
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset="windows-1252"

First question in that doc:

*A rogue access point broadcasting a trusted SSID is called what?

They are called "Trusted APs" or "Friendly APs".*

is wrong, I believe... A rogue broadcasting a trusted SSID is an Evil Twin, to the best of my knowledge?

Kelvin


2010/10/13 Stalder Dominic<[email protected]>

And here with the small answer list ;-)
_______________________________________________
For more information regarding industry leading CCIE Lab training,
please
visit www.ipexpert.com



--
Kelvin Dam