Hey guys, I thought I had laid this to rest. But when looking for something else I stumbled into this braindump for a Cisco wireless security exam. It takes away all doubt about what Cisco wants out of that answer :-)
http://www.braindumps.org/Cisco/642-736/642-736-1.htm

QUESTION NO: 4
Which option best describes an evil twin attack?
A. A rogue access point broadcasting a trusted SSID
B. A rogue access point broadcasting any SSID
C. A rogue ad-hoc with the SSID "Free WiFi"
D. A rogue access point spreading malware upon client connection
ANS: A

The honeypot term was confusing me because I see every now and then a WCS alert about possible honeypots. So I guess that the programmers of WCS have different opinions, or perhaps this is a matter of taste. At least if some written exam uses Evil Twin, then I guess that is what they would like to have.

Just for fun; obviously this question won't kill anybody if, however unlikely, it comes up in the OEQ :)

regards. kristjan

-----Original Message-----
From: Marko Milivojevic [mailto:[email protected]]
Sent: 19 October 2010 22:19
To: Kristján Ólafur Eðvarðsson
Cc: Kelvin Dam; Tor A. L. Olsen; [email protected]
Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)

Nope, not at all a wireless thing. That's why I chimed in. I wouldn't know anything if it were. :-)

--
Marko Milivojevic - CCIE #18427
Senior Technical Instructor - IPexpert

FREE CCIE training: http://bit.ly/vLecture
Mailto: [email protected]
Telephone: +1.810.326.1444
Web: http://www.ipexpert.com/

2010/10/19 Kristján Ólafur Eðvarðsson <[email protected]>:
> Good aspect. Not only a wireless thingy!
> Good article Marko!
>
> regards. Kristjan
>
> -----Original Message-----
> From: Marko Milivojevic [mailto:[email protected]]
> Sent: 19 October 2010 21:58
> To: Kristján Ólafur Eðvarðsson
> Cc: Kelvin Dam; Tor A. L. Olsen; [email protected]
> Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)
>
> Well, that's pretty much what I described :-). As I said, it's a well-known security concept.
> I know - I ran one in Lina.Net for fun and games ;-)
>
> http://en.wikipedia.org/wiki/Honeypot_(computing)
>
> --
> Marko Milivojevic - CCIE #18427
> Senior Technical Instructor - IPexpert
>
> FREE CCIE training: http://bit.ly/vLecture
>
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Web: http://www.ipexpert.com/
>
> 2010/10/19 Kristján Ólafur Eðvarðsson <[email protected]>:
>> You are out of your territory Marko :-)
>> But a good photographic explanation :)
>>
>> But I find Kelvin Dam's explanation the best so far and probably the most accurate. He sent this on Sun. 17.10.2010 with permission, Kelvin :)
>>
>> "Good points all.
>>
>> Scanning through CCO, there's various info about Evil Twins and Honeypots to be found. The two terms seem to be more or less pointing at the same thing.
>>
>> In one doc though, I came across this:
>> (source: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_white_paper0900aecd8040f7b2_ns337_Networking_Solutions_White_Paper.html)
>> <output emitted>
>>
>> honeypot*
>> * An authorized access point deployed by a network administrator to detect and mitigate unauthorized network access.
>>
>> <snippet cut>
>>
>> So I think that Evil twins are APs not owned or deployed by admins, using the same SSID as your Corp, and trying to lure people to use it. And Honeypots are the same, OR set up by admins, using a bogus SSID to lure hackers to try and hack that one instead.
>>
>> Kelvin"
>>
>> -----Original Message-----
>> From: Marko Milivojevic [mailto:[email protected]]
>> Sent: 19 October 2010 21:22
>> To: Kelvin Dam
>> Cc: Kristján Ólafur Eðvarðsson; Tor A. L. Olsen; [email protected]
>> Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)
>>
>> Hello everyone,
>>
>> I'm by no means a wireless expert, but...
>>
>> Honeypot is a well-known "trapping" method, utilized to lure and analyze malicious users/attackers.
>> A service is deliberately left exposed with the sole purpose of attracting attack. Think of it as ... a poisoned honey pot used to catch mice, for example :-)
>>
>> Evil Twin most definitely sounds like something not pleasant ;-)
>>
>> --
>> Marko Milivojevic - CCIE #18427
>> Senior Technical Instructor - IPexpert
>>
>> FREE CCIE training: http://bit.ly/vLecture
>>
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444
>> Web: http://www.ipexpert.com/
>>
>> 2010/10/17 Kelvin Dam <[email protected]>:
>>> Good points all.
>>>
>>> Scanning through CCO, there's various info about Evil Twins and Honeypots to be found. The two terms seem to be more or less pointing at the same thing.
>>>
>>> In one doc though, I came across this:
>>> (source: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6521/prod_white_paper0900aecd8040f7b2_ns337_Networking_Solutions_White_Paper.html)
>>>
>>> <output emitted>
>>>
>>> honeypot*
>>> * An authorized access point deployed by a network administrator to detect and mitigate unauthorized network access.
>>> <snippet cut>
>>>
>>> So I think that Evil twins are APs not owned or deployed by admins, using the same SSID as your Corp, and trying to lure people to use it. And Honeypots are the same, OR set up by admins, using a bogus SSID to lure hackers to try and hack that one instead.
>>>
>>> Kelvin
>>>
>>> 2010/10/17 Kristján Ólafur Eðvarðsson <[email protected]>
>>>>
>>>> Honey pot and Evil Twin.
>>>>
>>>> Good stuff Tor,
>>>>
>>>> But again they seem to mention those 2 in the same sentences. In your article they mention honeypots, but sometimes it is written honey pot, so perhaps you didn't search for that one.
>>>>
>>>> Here is something from your link:
>>>>
>>>> „Cisco couples these advanced detection and classification techniques with an extensive attack, vulnerability, and performance detection library.
>>>> Examples of event classes detected include: rogue access points/clients, ad hoc connections, hacker access points such as honeypots and evil twins, network reconnaissance, authentication and encryption cracking, man-in-the-middle attacks such as address/identity spoofing and replay attacks, protocol attacks, denial-of-service (DoS) attacks, over-the-air and network security vulnerabilities, and performance issues such as co-channel interference and coverage holes.“
>>>>
>>>> Does someone care to explain the difference?
>>>>
>>>> I am beginning to think that there is no major difference between the two.
>>>>
>>>> But the conversation is good. Makes you remember this forever :)
>>>>
>>>> So I stick with using both in OEQ format. That can't hurt.
>>>>
>>>> regards. Kristjan
>>>>
>>>> From: Tor A. L. Olsen [mailto:[email protected]]
>>>> Sent: 17 October 2010 17:48
>>>> To: Kelvin Dam
>>>> Cc: Kristján Ólafur Eðvarðsson; [email protected]
>>>> Subject: Re: [CCIE Wireless] 1. OEQ Answers (second)
>>>>
>>>> I will go for Evil Twin as Kelvin advocates for.
>>>>
>>>> Rogues offering the same SSID are performing an "Impersonation and Spoofing Attack", and if we take a look at Cisco WIPS, "Impersonation and Spoofing Detection" is described as
>>>>
>>>> "Analyzes traffic behavior, performs pattern matching and authentication methods to detect tools and techniques such as MAC/IP spoofing, fake access points, evil-twin access points, Dynamic Host Configuration Protocol (DHCP) spoofing, and other methods, providing an alert of potential data theft or unauthorized network access".
>>>>
>>>> Herein is, in fact, mentioned the Evil Twin, whereas there is nothing about "Honeypot AP".
>>>>
>>>> http://www.cisco.com/en/US/prod/collateral/wireless/ps9733/ps9817/data_sheet_c78-501388.html
>>>>
>>>> As a side note I would like to mention that, in the CCNP Wireless course IAUWS, the definition of Evil Twin actually is stated as a Rogue advertising "our" SSID.
>>>>
>>>> Tor
>>>>
>>>> On 17/10/2010, at 17.19, Kelvin Dam wrote:
>>>>
>>>> I may very well be way off here, but I'm not convinced that the definition of "honeypot" you posted is correct.
>>>>
>>>> I believe that an Evil Twin is an access point broadcasting the same SSID as a corporation, for instance, trying to lure users to use it.
>>>>
>>>> A HoneyPot is more or less the same, but doesn't have to be the same SSID, and is also used by admins to lure attackers into a confined subnet to be monitored.
>>>>
>>>> I'm basing my assumptions on these:
>>>>
>>>> Evil Twin
>>>>
>>>> The attacker uses a bogus base station that someone connects to using Wi-Fi wireless technology. By imitating the name of another, legitimate wireless provider, they can fool people into trusting the internet services that they are providing. When the users log into bank or e-mail accounts, the phishers have access to the entire transaction, since it is sent through their equipment.
>>>>
>>>> Unwitting web users are invited to log into the attacker's server with bogus login prompts, tempting them to give away sensitive information such as usernames and passwords. Often users are unaware they have been duped until well after the incident has occurred.
>>>>
>>>> Users think they have logged on to a wireless hotspot connection when in fact they have been tricked into connecting to the attacker's base station.
>>>> The hacker jams the connection to the legitimate base station by sending a stronger signal within proximity to the wireless client - thereby turning itself into an 'evil twin.'
>>>>
>>>> A rogue Wi-Fi connection can be set up on a laptop with a bit of simple programming and a wireless card that acts as an access point. The access points are hard to trace, since they can suddenly be shut off, and are easy to build. A hacker can make their own wireless networks that appear to be legitimate by simply giving their access point a similar name to the Wi-Fi network on the premises. Since the hacker may be physically closer to the victim than the real access point, their signal will be stronger, potentially drawing more victims. The hacker's computer can be configured to pass the person through to the legitimate access point while monitoring the traffic of the victim, or it can simply say the system is temporarily unavailable after obtaining a user id and password.[3]
>>>>
>>>> HoneyPots
>>>>
>>>> A honeypot is valuable as a surveillance and early-warning tool. While it is often a computer, a honeypot can take other forms, such as files or data records, or even unused IP address space. A honeypot that masquerades as an open proxy to monitor and record those using the system is a sugarcane. Honeypots should have no production value, and hence should not see any legitimate traffic or activity. Whatever they capture is therefore malicious or unauthorized. One practical application of this is a honeypot that thwarts spam by masquerading as a type of system abused by spammers. These honeypots categorize trapped material 100% accurately: it is all illicit.
>>>>
>>>> Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to break into a system.
>>>>
>>>> Victim hosts are an active network counter-intrusion tool. These computers run special software, designed to appear to an intruder as being important and worth looking into. In reality, these programs are dummies, and their patterns are constructed specifically to foster interest in attackers. The software installed on, and run by, victim hosts is dual purpose. First, these dummy programs keep a network intruder occupied looking for valuable information where none exists, effectively convincing him or her to isolate themselves in what is truly an unimportant part of the network. This decoy strategy is designed to keep an intruder from getting bored and heading into truly security-critical systems. The second part of the victim host strategy is intelligence gathering. Once an intruder has broken into the victim host, the machine or a network administrator can examine the intrusion methods used by the intruder. This intelligence can be used to build specific countermeasures to intrusion techniques, making truly important systems on the network less vulnerable to intrusion.
>>>>
>>>> Any takers on this? :)
>>>>
>>>> Kelvin
>>>>
>>>> 2010/10/15 Kristján Ólafur Eðvarðsson <[email protected]>
>>>>
>>>> Hi Kelvin,
>>>>
>>>> That OEQ was rather good. I gave it some thought and scrolled through the help of my WCS server, which in fact is very good and explains a lot of things.
>>>>
>>>> It is a rogue AP, so it can't be a friendly based on that fact. Malicious is basically the same thing as a rogue. So they are probably looking for a classification of that rogue.
>>>>
>>>> I first read through the classifications of rogues and didn't see a clear answer to that question, but for everyone I'd like to share this info.
>>>>
>>>> "Rogue Access Point Classification Types
>>>> Rogue access point classification types include:
>>>>
>>>> Malicious - Detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification. See "Malicious Rogue APs" for more information.
>>>> Friendly - Known, acknowledged, or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained. See "Friendly Rogue APs" for more information. For more information on configuring friendly access point rules, see "Configuring Friendly AP Controller Templates".
>>>> Unclassified - Rogue access points that are not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list. See for more information. See "Unclassified Rogue APs" for more information."
>>>>
>>>> However, when I was reading this I just remembered that I have sometimes got this warning in WCS in real setups: "Honey pot AP detected".
>>>>
>>>> And this seems to be the best answer to this question. Do you guys agree?
>>>>
>>>> "Honey Pot AP Detected
>>>> Alarm Description and Possible Causes
>>>> The addition of WLANs in the corporate environment introduces a whole new class of threats for network security. RF signals that penetrate walls and extend beyond intended boundaries can expose the network to unauthorized users. A rogue access point can put the entire corporate network at risk for outside penetration and attack.
>>>> Not to understate the threat of the rogue access point, there are many other wireless security risks and intrusions such as mis-configured access points, unconfigured access points, and DoS (denial-of-service) attacks.
>>>>
>>>> One of the most effective attacks facing enterprise networks implementing wireless is the use of a "honey pot" access point. An intruder uses tools such as NetStumbler, Wellenreiter, and MiniStumbler to discover the SSID of the corporate access point. Then the intruder sets up an access point outside the building premises or, if possible, within the premises and broadcasts the discovered corporate SSID. An unsuspecting client then connects to this "honey pot" access point with a higher signal strength. When associated, the intruder performs attacks against the client station because traffic is diverted through the "honey pot" access point.
>>>>
>>>> wIPS Solution
>>>> When a "honey pot" access point is identified and reported by the Cisco Adaptive Wireless IPS, the WLAN administrator may use the integrated over-the-air physical location capabilities, or trace the device on the wired network using rogue location discovery protocol (RLDP) or switchport tracing to find the rogue device."
>>>>
>>>> regards. Kristjan
>>>>
>>>> ----------------------------------------------------------------------
>>>>
>>>> Message: 1
>>>> Date: Fri, 15 Oct 2010 08:24:00 +0200
>>>> From: Kelvin Dam <[email protected]>
>>>> To: Stalder Dominic <[email protected]>, [email protected]
>>>> Subject: Re: [CCIE Wireless] OEQ Answers (second)
>>>> Message-ID: <[email protected]>
>>>> Content-Type: text/plain; charset="windows-1252"
>>>>
>>>> First question in that doc:
>>>>
>>>> *A rogue access point broadcasting a trusted SSID is called what?
>>>>
>>>> They are called "Trusted APs" or "Friendly APs".*
>>>>
>>>> Is wrong, I believe... A Rogue broadcasting a trusted SSID is an Evil Twin to the best of my knowledge?
>>>>
>>>> Kelvin
>>>>
>>>> 2010/10/13 Stalder Dominic <[email protected]>
>>>>
>>>> > And here with the small answer list ;-)
>>>> > _______________________________________________
>>>> > For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>>>
>>>> --
>>>> Kelvin Dam
>>>
>>> --
>>> Kelvin Dam
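The thread converges on two points: a rogue AP that advertises one of "our" SSIDs is the evil twin, and WCS sorts rogues into Malicious, Friendly and Unclassified, with friendly rogues exempt from containment. The script below is an added example of that triage logic on the defender's side; it is not code from the thread, from Cisco WCS/wIPS, or from any list member. The authorized inventory, SSIDs, BSSIDs and scan results are constructed sample data, and the friendly-rogue pattern rule and the signal-strength comparison against our own APs are assumptions of this example, loosely modelled on the "Honey pot AP detected" alarm text quoted above, which notes the rogue wins clients by being the stronger signal.

```python
"""Rogue AP triage in the spirit of the WCS classification types quoted
in the thread (Malicious / Friendly / Unclassified), plus an evil-twin
report for rogues that impersonate one of our trusted SSIDs.

Everything here (inventory, rules, scan results) is constructed for the
example; a real deployment would pull the inventory from the controller
and the scan results from monitor-mode radios.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ScanResult:
    bssid: str   # MAC address of the beaconing radio
    ssid: str    # SSID carried in the beacon
    rssi: int    # signal strength in dBm as seen by the sensor


# Constructed inventory: managed BSSID -> SSIDs it is configured to advertise.
AUTHORIZED = {
    "00:11:22:33:44:01": {"CorpWiFi", "CorpGuest"},
    "00:11:22:33:44:02": {"CorpWiFi"},
}

# Constructed "friendly rogue" rules, standing in for the user-defined
# friendly AP rules WCS mentions (e.g. an acknowledged neighbour network).
FRIENDLY_SSID_PATTERNS = [re.compile(r"^Neighbour-Cafe$")]

# Any SSID a managed AP is allowed to advertise counts as trusted.
TRUSTED_SSIDS = set().union(*AUTHORIZED.values())


def classify(result: ScanResult) -> str:
    """Return 'managed', 'malicious', 'friendly' or 'unclassified'.

    'managed' is our own hardware and not a rogue at all.  'malicious' is
    reserved for the evil-twin case: an unknown BSSID broadcasting a
    trusted SSID.  Unknown APs that match a friendly rule are 'friendly';
    everything else is 'unclassified' and left for a human to move.
    """
    bssid = result.bssid.lower()
    if bssid in AUTHORIZED:
        return "managed"
    if result.ssid in TRUSTED_SSIDS:
        return "malicious"
    if any(p.match(result.ssid) for p in FRIENDLY_SSID_PATTERNS):
        return "friendly"
    return "unclassified"


def can_contain(result: ScanResult) -> bool:
    """Mirror the quoted WCS rule: friendly rogues cannot be contained,
    malicious and unclassified rogues can, and managed APs are never
    containment targets."""
    return classify(result) in {"malicious", "unclassified"}


def evil_twin_alerts(results):
    """Report evil twins, strongest first, noting whether each one is
    louder than any managed AP seen advertising the same SSID in this
    scan (the condition under which clients will prefer the rogue)."""
    strongest_managed = {}
    for r in results:
        if classify(r) == "managed":
            strongest_managed[r.ssid] = max(strongest_managed.get(r.ssid, -200), r.rssi)
    alerts = []
    for r in sorted(results, key=lambda x: x.rssi, reverse=True):
        if classify(r) != "malicious":
            continue
        alerts.append({
            "bssid": r.bssid.lower(),
            "ssid": r.ssid,
            "rssi": r.rssi,
            "louder_than_managed": r.rssi > strongest_managed.get(r.ssid, -200),
        })
    return alerts


# Constructed scan: one managed AP, one evil twin, one neighbour, one unknown.
SAMPLE_SCAN = [
    ScanResult("00:11:22:33:44:01", "CorpWiFi", -55),
    ScanResult("DE:AD:BE:EF:00:01", "CorpWiFi", -40),        # evil twin, louder than ours
    ScanResult("de:ad:be:ef:00:02", "Neighbour-Cafe", -70),  # acknowledged neighbour
    ScanResult("de:ad:be:ef:00:03", "Free WiFi", -65),       # unknown, needs a human
]

if __name__ == "__main__":
    for r in SAMPLE_SCAN:
        print(f"{r.bssid:18} {r.ssid:15} {r.rssi:4} dBm  {classify(r):12} contain={can_contain(r)}")
    for a in evil_twin_alerts(SAMPLE_SCAN):
        print("EVIL TWIN:", a)
```

Note that the classifier keys on BSSID, not SSID: an SSID is free text anyone can beacon, so "broadcasting our SSID" only becomes a finding once the radio doing it is not in the managed inventory. That is also why a managed AP seen with an SSID it is not configured for is left as "managed" here rather than flagged; it is a misconfiguration to chase, not a rogue.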
