Rather than try to emulate all of that, what if you just skipped ahead to your really crafty idea and forwarded all incoming traffic to an actual device on the network? If your goal is just to hide on the network, then at that point you're not limited to just being a printer; you can become any device, specific or random.

If I'm scanning my network and see a new printer that I wasn't aware of, then I may get suspicious. But if instead I just have Bob's laptop or a Dell Switch listed twice, I may not notice. And if you do want to allow specific incoming traffic, you could either allow it by IP or get fancy with some sort of port-knocking implementation.

________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of bytes abit
Sent: Tuesday, August 25, 2009 8:14 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Honeypot techniques for use in rogue APs.

Sounds interesting, well thought out. As for your redirects, a few IPTABLES commands would take care of that one, easy as pie... er, well, the crust is rather hard to make, so I hesitate to use that expression ;P

Enabling logging on the port activity would be wise/useful as well.

BTW: Watch Wolverine Origin, it's freaking great! HAHAHA

Just got a message:
Back of the shirt: www.thepiratebay.org ....
Front of the shirt: http://tracker.btarena.org/

Jay

On Tue, Aug 25, 2009 at 10:45 AM, Chris Merkel <[email protected]> wrote:

The recent discussions on honeypots got me thinking - has anyone modified a wireless AP in a way to make it look like another device? A multi-function printer perhaps? (If the answer is "It's in Paul's book" - I will go out and purchase it right away ;-)

What if: You could leave telnet open to allow logons to actually manage the AP (you would have to pick a print server that requires a logon, so it would look legit). From there, you would need to modify OpenWRT to run:

FTP/21 - allow anonymous logons, set up the folder structure, change the banner
HTTP/80 - Mirror the status pages from a typical print server
TCP/515 - lpd
TCP/631 - ipp
TCP/9100 - lpd / jetdirect

You would also need to change the MAC address to the vendor ID of the device you're emulating.

If you wanted to get really crafty, you could figure out a way to forward packets sent to 515, 631 and 9100 to an actual network printer on the same subnet.

Let's say you did all of those things - think you'd be able to fool nmap's service fingerprinting? What if you found a match between a printer and AP, so that they're running a similar embedded Linux kernel - that would fool nmap's TCP fingerprinting, right?

I don't have a WAP readily available, nor the time in the next few months to hack something together, but if anyone else is headed down this road, I'd be interested to know.

--
- Chris Merkel

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
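The thread's two detection tells are worth turning into a concrete check from the network owner's side: a device that speaks lpd/ipp/jetdirect (515, 631, 9100) but is missing from the asset inventory, and a hostname or MAC that appears twice in a scan, the situation the first reply describes ("Bob's laptop listed twice"). The script below is an added example written for this thread; it is not code from any of the list members. The scan records, the asset list and the OUI-to-vendor table are all constructed for the example, and the MAC prefixes are hypothetical, not real IEEE assignments.

```python
"""Audit a network scan for the rogue-device tells discussed in the thread.

Constructed example: the inventory, OUI table and scan output below are
made up so the script runs offline. In practice the SCAN list would be
built from nmap/arp-scan output and KNOWN_ASSETS from the CMDB.
"""
from collections import defaultdict

# Printer service ports named in the thread: lpd, ipp, jetdirect
PRINTER_PORTS = {515, 631, 9100}

# Hypothetical OUI -> vendor table (prefixes are constructed, not real)
OUI_VENDORS = {"00:11:22": "ExamplePrinterCo", "aa:bb:cc": "ExampleLaptopCo"}

# Known assets as the administrator's inventory lists them (constructed)
KNOWN_ASSETS = {
    "00:11:22:33:44:55": "hp-printer-3f",
    "aa:bb:cc:dd:ee:01": "bob-laptop",
}

# Constructed scan output: (ip, mac, hostname, open TCP ports).
# 10.0.0.11 mimics the real printer; 10.0.0.21 reuses Bob's MAC.
SCAN = [
    ("10.0.0.10", "00:11:22:33:44:55", "hp-printer-3f", {21, 23, 80, 515, 631, 9100}),
    ("10.0.0.11", "00:11:22:99:99:99", "hp-printer-3f", {21, 23, 80, 515, 631, 9100}),
    ("10.0.0.20", "aa:bb:cc:dd:ee:01", "bob-laptop", {22, 445}),
    ("10.0.0.21", "aa:bb:cc:dd:ee:01", "bob-laptop", {22, 445}),
]


def vendor(mac):
    """Look up the vendor for the first three octets of a MAC address."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")


def audit(scan, known=KNOWN_ASSETS):
    """Return a list of findings; an empty list means nothing looked odd."""
    findings = []
    macs_by_host = defaultdict(set)
    ips_by_mac = defaultdict(set)

    for ip, mac, host, ports in scan:
        macs_by_host[host].add(mac)
        ips_by_mac[mac].add(ip)
        # Tell 1: printer protocols exposed by a device not in the inventory.
        # The vendor string is reported for context only; a copied OUI
        # will look right, which is why inventory membership is the test.
        if ports & PRINTER_PORTS and mac not in known:
            findings.append(("unknown-printer", ip, mac, host, vendor(mac)))

    # Tell 2: one hostname answering from two different MAC addresses
    for host, macs in macs_by_host.items():
        if len(macs) > 1:
            findings.append(("hostname-duplicated", host, sorted(macs)))

    # Tell 3: one MAC address seen on more than one IP
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("mac-on-multiple-ips", mac, sorted(ips)))

    return findings


if __name__ == "__main__":
    for finding in audit(SCAN):
        print(*finding)
```

The inventory comparison is the one check in this set that a copied MAC prefix does not defeat, which is why the printer-port test keys on whether the MAC is a known asset rather than on the OUI alone. Run against periodic scans and diffed over time, the hostname and MAC duplication checks catch the "listed twice" case the reply above predicts would otherwise go unnoticed.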
