Inasmuch as a spectrum of security solutions exists in contemporary society, limited knowledge about the exploitation methodologies used against wireless networks threatens the free and easy application of wireless technologies in the business world. Wireless honeypot technology is considered a contemporary solution for evaluating and assessing security in a wireless environment at different levels. The main objective of this research paper is to critically analyze the variety of wireless honeypot systems and tools that have been proposed and deployed. Furthermore, the paper presents a wireless framework that defines the wireless honeypot system and covers a broad range of honeypot architectures.
In the technological world, honeypots are systems designed to be broken into as a way of luring an intruder away from other valuable systems within a network. The system logs and monitors the activities of the intruder. The effectiveness of honeypots lies in their ability to emulate services or systems, such as web servers and firewalls, that are typical targets of a hacker. There are two types of honeypots: low interaction honeypots and high interaction honeypots. Low interaction honeypots are characterized by their minimal interaction with the hacker (Cracknell, 2010). These honeypots emulate specific systems and services such as HTTP. Their effectiveness in tracking hackers lies in the ease and simplicity of their deployment and maintenance (Oudot, 2004). An additional advantage of low interaction honeypots is that they reduce the probability that a hacker will compromise other systems downstream, since they only emulate limited services and systems. Despite these advantages, low interaction honeypots are relatively ineffective in tracking a hacker because they log only a limited amount of information about the hacker's activities (Spitzner, 2010).
High interaction honeypots are relatively complex since, in their operation, they provide a hacker with access to the operating system. For the hacker this is a platform for real interaction, enabling the system to capture more information about the hacker's activities (Cracknell, 2010). While low interaction honeypots often attempt to limit the hacker's activities in terms of accessing the services within a system, high interaction honeypots allow the hacker to log in freely to the different platforms that make up the system. A major limitation of the high interaction honeypot is that it provides the hacker with a platform for compromising the honeypot and using it to attack and hack other systems. In addition, high interaction honeypots are relatively complex in terms of deployment and maintenance (Spitzner, 2010).
Evolution of wireless honeypots
To maintain high security standards and keep a tracking eye on the hacker community, Kevin Poulsen introduced the concept of honeypots to the wireless domain in 2002 (Poulsen, 2005). Through this concept, Poulsen envisioned a new technique for trapping hackers (Poulsen, 2005). The first wireless honeypot, the Wireless Information Security Experiment (WISE), was launched in 2002 with the aim of curbing the inherent insecurity that characterized wireless networks at that time. Before this security solution was introduced, wireless technology was marked by unauthorized access, use and spying, which threatened the security of institutions, individuals, and organizations (Spitzner, 2010).
Honeypot technology is considered an innovation that helps in acquiring information about a hacker: his level of expertise, frequency of attacks, and the methodologies and goals used in attacking the security of devices, all obtained through deception. Honeypots operate through three defense mechanisms: deception, deterrence, and detection (Cracknell, 2010). In deception, honeypot technology allows systems to look as productive as possible while in reality they are not productive and hold no valuable information for the hacker (Spitzner, 2010). In this mechanism, honeypots may emulate virtual environments or, in some cases, real systems, but they do no real production work. In the deception mechanism, the objective of the wireless honeypot is to keep the hacker busy, consuming his resources while his activities are scrutinized and tracked. The resulting attack patterns are incorporated into Intrusion Detection Systems (IDS) as attack rules (Spitzner, 2010).
When used as a detection mechanism, honeypots are deployed alongside real production systems without the expectation of any legitimate activity. Through the detection mechanism, any activity within the system can be suspected as an attack, which, once logged, can be analyzed to identify the hacker, the type of information he seeks and any other information relevant to protecting the wireless system (Chen et al., 2005). When used as a deterrence mechanism, honeypots do not reveal their location but only indicate their presence in the network. The presence of such systems within the network instills fear in the attacker, deterring him from engaging in any illegal activity with regard to hacking the system (Yek, 2004).
For deterrence to be effective, the hacker must be able to fingerprint the presence of deception without being able to locate the honeypot within the network. The fact that a wireless honeypot is a deception technology means that it can be used for good or bad. Deception can be essential in luring and trapping hackers. However, recent technology has made it possible for hackers to use the SSIDs of legitimate hotspot APs in deceiving and luring legitimate clients and in launching denial of service and client mis-association attacks, among others (Spitzner, 2010).
Existing wireless honeypot systems and tools
WISE, the first wireless honeypot system, was launched in 2002 as an organized technique for gathering data about unwary Wi-Fi hackers and bandwidth borrowers: their techniques of operation, attack frequency and signatures, among other variables (Oudot, 2004). The technology was an 802.11b network deployed in Washington DC with the objective of being hacked from nearby; WISE closely monitored all the activities taking place within the network in which it was deployed (Spitzner, 2010). Five Cisco access points, some deliberately vulnerable computers as bait, and two omni-directional high-gain antennas for added reach into the nearby alleys and streets made up the network. On the back end of the system, a logging host gathered detailed connection data from the access points, while a passive 802.11b sniffer with a customized intrusion detection system served as a hypersensitive trip wire (Chen et al., 2005). The web proxy the system was hooked up to provided the internet connection; it intercepted all outgoing connection attempts while presenting a consent-to-monitor banner. This was aimed at providing information on how different persons within the network were using the internet. WISE, like conventional honeypots, had no legitimate users, which is why any suspicious activity that crossed it was scrutinized closely (Spitzner, 2010).
The success of the WISE technology in 2002 led the London-based consulting company KPMG to develop a wireless honeypot in 2003. The objective of this system was to lure wardriving commuters in London (KPMG, 2003). The wireless honeypot was a dummy network that used deception to appear as a legitimate corporate wireless network. To enable its functionality, three separate wireless access points were set up at different locations around London's Square Mile, and each was allowed to operate for seven days. The activities of all the users who attempted to access the network were tracked, recorded, and analyzed. The objective of the setup was to establish the prevalence of wireless hackers and wardrivers (KPMG, 2003).
In 2004, the concept of Proactive WIDS was introduced as a five-module system. The modules were the session analysis module, the packet capture module, intrusion detection, the alarm module, and the honeypot. The concept was operationalized by building an attack detection system on the packet capture module (Hsieh et al., 2004). Upon detection of an attack, Proactive WIDS used honeypots to redirect the attacker towards a fake AP and to provide useless information to the hacker as a way of keeping him attracted and highly involved in the system (Hsieh et al., 2004). Through this approach, the hacker's activities were shifted to nonproductive events. The success of this technological approach is that it allowed the honeypots to quarantine all attack events from the productive network. In addition, through Proactive WIDS, honeypots were also able to detect the jamming of management frames and to decrypt data frames on the fly, providing a platform for redirecting them onto other devices (Hsieh et al., 2004).
The deceptive wireless honeypot approach to wireless security was defined by the Deception in Depth (DiD) concept, a layered three-ring model. Each ring had its own deceptive strength. The ring defined as the central core was characterized by embracing the most effective deception. Ring three, the peripheral ring, was considered the most vulnerable, with its Fake AP layer (Spitzner, 2010). The role of this ring was to produce an AP gateway for attackers, allowing entry into ring two. Ring two used Fake AP software and its many fake access points to stimulate and confuse the attacker into entering Ring 1 (Yek, 2004). This was the innermost ring and the central logging structure, which encompassed the Snort IDS, acting together with Honeyd logs and packet sniffers that recorded traffic passively (Yek and Australia, 2003). The central ring was considered the most essential part of the model, since it held all the network data such as source and destination. The collected data were used to confirm the extent of network penetration by a hacker (Yek and Australia, 2003).
The HoneySpot project was used as a basis for attacks attempting to break into a secure wireless network. There are two types of HoneySpot: the private HoneySpot and the public HoneySpot. A public HoneySpot is defined by its ability to simulate public wireless data networks (Chen et al., 2005). These pure hotspot networks are provided in public spaces such as airports, libraries and hotels, where there is high interest in offering visitors and customers internet connectivity. HoneySpots that simulate public networks have no access control mechanism at the wireless level, and therefore the focus is often placed on the IP-layer wireless attacks that apply to open networks (Spitzner, 2010). A private HoneySpot simulates a private wireless data network of the kind provided in homes or corporations. The private network gives legitimate wireless clients access to a wired network without the physical barriers that define wired connections. HoneySpot provides a variety of levels for the public and private scenarios (Oudot, 2004). In the public HoneySpot only Level 0, an open wireless network, is available. In the private HoneySpot there are three levels: a WEP-based wireless network defines Level 0, a WPA-based wireless network characterizes Level 1, and a WPA2-based wireless network defines Level 2 (Yek, 2004). The private HoneySpot incorporates all the components of a wireless security measure: a Wireless Client module, a Wireless Access Point, a Wireless Data Analysis module, an optional Wired Infrastructure module and a Wireless Monitor module (Jacksch, 2005).
The deployment of real wireless infrastructure resources, as in high interaction honeypot technology, provides a platform for deceiving a hacker into believing he faces a real production network. The infrastructure resources include real access points and real administrative servers, which have no role in production except the interaction and monitoring conducted around or with them (Galante et al., 2009). It is also possible to deploy low interaction honeypots as devices that emulate the behavior of real resources with the objective of luring and deceiving a hacker. The decision of which tool to use in deceiving an attacker depends on the objective of the architect. The tools used in honeypots include Honeyd and Fake AP. Honeyd is a powerful and commonly used open-source honeypot (Jacksch, 2005). The honeypot toolkit allows the user to build and customize a solution according to his objective. It is possible to adjust and configure this toolkit so that it emulates basic WLAN components and services in a variety of ways (Oudot, 2004). Furthermore, the toolkit can emulate a fake network routing topology in a wireless environment. The effectiveness of this toolkit is also based on its ability to create fake IP stacks, which are essential in fooling remote OS fingerprinting with tools such as Xprobe, together with network routing emulation and network infrastructure (Spitzner, 2010). Through this emulation technique, Honeyd creates the appearance of an actual wireless network to a hacker. Honeyd can copy well-selected web pages and use them as access point management interfaces (Oudot, 2004). This is an effective security measure because it provides a platform for trapping hackers who use popular default passwords. Furthermore, Honeyd can monitor attackers who attempt to use open services such as DHCP through the creation of fake services (Galante et al., 2009).
Despite these benefits, one limitation of Honeyd is that it expects a specific type of behavior from an attacker, which is why it is programmed to function in a predetermined way. The danger of this approach is that if a hacker acts in a way the emulation does not expect, Honeyd will not know how to respond. This generates an error message, thereby breaking the deception (Spitzner, 2010).
Fake AP is a deception toolkit that generates thousands of fake 802.11b access points by manipulating the ESSID and BSSID fields. By providing thousands of access points, Fake AP can be used to confuse wardrivers and script kiddies (Jacksch, 2005). This tool is relatively ineffective because the idea defining its operation is relatively old. Contemporary technology can advise a hacker that a detected access point is fake and that the traffic it generates cannot be found on the network (Galante et al., 2009).
The framework of wireless honeypots
The main objective of a wireless honeypot from a design perspective is to provide real statistics about wireless attacks. This includes information on the frequency of attack, the type of attack, the expertise level of the attacker, and the goals and methodologies used by the attacker (Oudot, 2004). In addition, through the statistics provided by honeypots it is also possible to determine the attack tool used, in the process of securing and protecting a network (Jacksch, 2005). The design of the honeypot was directed towards providing answers to the following questions:
- Which types of attack methodologies are extensively used in breaking into and exploiting the weaknesses of WEP-based wireless technologies?
- Which attack methodologies are most extensively used in bypassing hotspot access controls?
- What kinds of attack methodologies are most extensively used in compromising wireless clients?
The use of wireless HoneySpots in identifying the most extensively used attack mechanisms allows for the evaluation of the skills of wireless attackers and facilitates the development of effective and realistic security measures to enhance the effectiveness of wireless networking in the future (Jacksch, 2005).
Having identified the principles that define the design and objectives of wireless honeypots, it is important to understand the main components and requirements of honeypots from an architectural approach. The modules considered mandatory in the architecture of wireless honeypots include the Wireless Access Point (WAP) module, which provides the wireless network infrastructure for connecting hackers and clients (Spitzner, 2010). The infrastructure often consists of one or multiple access points that provide a wireless connection.
In a HoneySpot, the wireless network is often considered the main target of hackers. The Wireless Client (WC) module is the component of the honeypot that represents the authorized and automated end-user devices that connect to the wireless honeypot network. Its role is to simulate actual wireless traffic and to provide the minimum traffic an attacker requires to launch some specific wireless attacks, such as the use of traffic replays to accelerate WEP key cracking (Spitzner, 2010). The Wireless Monitor (WMON) module is a wireless honeypot device charged with the responsibility of collecting all the wireless traffic on a honeypot for offline and real-time analysis. This is considered an essential device since it can capture all the wireless events happening in a honeypot (Oudot, 2004). The Wireless Data Analysis (WDA) module provides the capabilities required to analyze all the network traffic collected by the WMON module. Once the collected traffic is transferred from WMON to WDA, the objective of the latter is to identify all malicious activities and their details (Siles, 2007).
The Wired Infrastructure (WI) module is an optional component, since a wireless honeypot can be deployed without any wired networking infrastructure: it can provide wireless connectivity without additional networking capabilities (Oudot, 2004). Nevertheless, in attempting to simulate real-world scenarios accurately, a wireless honeypot can be integrated with a wired networking infrastructure that simulates a hotspot internet connection or an organization's internal network. While the WI component provides these extended capabilities, it remains optional, since honeypots, especially those of private businesses, can be composed of wireless components alone when a wired internet connection is not necessary for analyzing layer-2 wireless attacks (Spitzner, 2010).
Figure 1.0: Wireless Honeypot Architecture
The operation of wireless honeypots is divided into six phases. Phase 1 encompasses the addition and removal of vulnerabilities. The process of removing and deploying vulnerabilities is characterized by deploying and setting up the baits that will attract an attacker (Urbas et al., 2010). This includes deciding which production systems are to be duplicated, the network level of interaction, and the security policies, that is, the amount of activity and interaction that an attacker can have with the honeypot. This depends on the type of attack that is to be analyzed and the level of risk that the network can tolerate (Oudot, 2004). The quality of a honeypot is determined by its ability to lure an attacker and deceive him into believing it is a real production system. Incorporating too many vulnerabilities is considered disadvantageous because of the high probability of revealing the identity of the honeypot, which decreases the probability that a hacker will choose it. It is important to take a calculated approach, adding enough vulnerabilities to attract a hacker while removing some commonly used vulnerabilities to give the impression of a real system. Some of the attributes considered in this phase include the attack scenario, the 802.11 technology used in the wireless honeypot, the security policy of the target network, the infrastructure essentials that define the bait for attackers, and the level of interaction; the last is based on the understanding that networks often have varying levels of interaction at different modules (Urbas et al., 2010).
Phase 2 of operationalizing wireless honeypots is characterized by monitoring and logging activities. The process consists of monitoring the activities of the trapped hacker without his knowledge. Its success depends on logging the interactions at the different network modules, such as wireless access points, wireless clients, wired infrastructure and wireless device administrative servers (Urbas et al., 2010). In the monitoring and logging process, it is important to evaluate the record of file changes, services accessed and keystrokes, among other activities. During this phase, other monitoring apparatus such as wireless sniffers are deployed at different locations within the network to log on-air traffic before, during and after the attack (White et al., 2009). The process uses software such as Kismet together with packet analyzers such as Wireshark, which provide user interfaces for passive wireless network monitoring. The effectiveness of this software lies in its ability to operate in monitor mode (RFMON), which makes it easier to capture packets without being associated with the access points (Siles, 2007). The captured data, which is stored in PCAP format, provides essential information, including the techniques used by an attacker to break layer-2 security policies (White et al., 2009). It is possible to configure the software to listen on the same wireless channel the access point is configured for, or to use additional radios that constantly scan for events happening on other channels. This is an essential approach to monitoring the activities of attackers, since it gives information about any wardriving activity happening around the area (Urbas et al., 2010).
Phase three in the operation of wireless honeypots involves the creation of an integrated database. This involves fusing the data logged and sniffed at different locations in the network. The success of this phase depends on the availability of modules with data integration and fusion capabilities. Generally, these capacities are incorporated into the Data Analysis module, where all logged data are collected for analysis at an isolated location through wireless or wired connections (Urbas et al., 2010).
Phase four is characterized by online analysis, which applies the rules used in the analysis process. For instance, a MAC spoofing detection rule can check the initial three bytes of a MAC address, which identify its manufacturer. In the online analysis, it is possible to identify wardriving activities by checking for the presence of unique identifiers (IDs) using tools such as Kismet (White et al., 2009). Furthermore, it is possible to detect WEP decryption attacks based on packet replay mechanisms by monitoring the traffic level of the probe responses (Urbas & Krone, 2010). The success of this phase depends on the traffic level detected, since it is possible to generate real-time alerts that give the administrator knowledge of any suspicious activity happening within the network and the resulting behavior (Urbas & Krone, 2010).
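As an added example (not code from the paper or from any of the projects it cites), the following Python script applies three online-analysis rules of the kind Phase four describes to a constructed list of 802.11 frame summaries, as a WDA module might receive them from a Kismet log or a PCAP export: the manufacturer (OUI) check on the first three bytes of each source MAC, transient-prober detection for wardriving, and a per-source frame-rate rule for replayed traffic. The OUI table, MAC addresses, frames and rate thresholds are all constructed assumptions; the rate rule applied with subtype "probe_resp" covers the probe-response traffic level the paper mentions.

```python
"""Online-analysis rules (Phase four) for a wireless honeypot's WDA module.

Added example, not code from the paper or the projects it cites. The OUI
table, MAC addresses and frames below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed OUI table: vendors of the hardware the honeypot operator
# deployed (hypothetical names, not a real registry).
KNOWN_OUI = {
    "00:11:22": "HoneyAP-Vendor",   # the honeypot's own access points
    "a8:bb:cc": "Client-Vendor",    # the emulated wireless clients
}

@dataclass(frozen=True)
class Frame:
    ts: float        # capture time in seconds
    subtype: str     # "beacon", "probe_req", "probe_resp", "assoc_req", "data"
    src: str         # transmitter MAC address
    bssid: str
    ssid: str = ""
    rssi: int = -70

def oui(mac):
    """First three bytes of a MAC address, which identify the manufacturer."""
    return mac.lower()[:8]

def locally_administered(mac):
    """Bit 1 of the first octet marks a locally administered (often
    randomized or hand-set) address rather than a vendor-assigned one."""
    return int(mac.split(":")[0], 16) & 0x02 != 0

def check_mac_spoofing(frames):
    """Rule 1: flag each source whose OUI is unknown or locally administered."""
    alerts, seen = [], set()
    for f in frames:
        if f.src in seen:
            continue
        seen.add(f.src)
        if locally_administered(f.src):
            alerts.append((f.src, "locally-administered bit set"))
        elif oui(f.src) not in KNOWN_OUI:
            alerts.append((f.src, "unknown OUI " + oui(f.src)))
    return alerts

def detect_wardrivers(frames):
    """Rule 2: clients that probe for networks but never associate or send
    data, the footprint of a passing wardriver."""
    probers, associated = set(), set()
    for f in frames:
        if f.subtype == "probe_req":
            probers.add(f.src)
        elif f.subtype in ("assoc_req", "data"):
            associated.add(f.src)
    return sorted(probers - associated)

def detect_bursts(frames, subtype, window=1.0, threshold=50):
    """Rule 3: a source emitting more than `threshold` frames of `subtype`
    within any `window` seconds (replayed traffic or a flood). Returns
    (source, start-of-burst) pairs; window and threshold are assumed values."""
    by_src = defaultdict(list)
    for f in frames:
        if f.subtype == subtype:
            by_src[f.src].append(f.ts)
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 > threshold:
                alerts.append((src, times[start]))
                break               # one alert per source is enough
    return alerts

def sample_capture():
    """Constructed capture: honeypot beacons, one emulated client, a transient
    prober, a locally-administered prober, and a replay burst."""
    ap, client, bcast = "00:11:22:00:00:01", "a8:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff"
    frames = [Frame(i * 0.1, "beacon", ap, ap, "honeynet") for i in range(10)]
    frames += [Frame(0.05, "probe_req", client, bcast),
               Frame(0.20, "assoc_req", client, ap, "honeynet"),
               Frame(0.30, "data", client, ap)]
    frames.append(Frame(0.40, "probe_req", "00:de:ad:00:00:07", bcast, rssi=-88))
    frames.append(Frame(0.45, "probe_req", "02:00:00:00:00:09", bcast))
    # Replay reusing the legitimate client's MAC: 60 data frames in 0.3 s,
    # invisible to the OUI check but caught by the rate rule.
    frames += [Frame(2.0 + i * 0.005, "data", client, ap) for i in range(60)]
    return frames

def run_rules(frames):
    """Run all three rules and return their alerts keyed by rule name."""
    return {
        "mac_spoofing": check_mac_spoofing(frames),
        "wardrivers": detect_wardrivers(frames),
        "replay_bursts": detect_bursts(frames, "data"),
    }

if __name__ == "__main__":
    for rule, hits in run_rules(sample_capture()).items():
        print(rule, hits)
```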
Phase five in the operationalization of a wireless honeypot is the investigation phase. This is a post-event phase where the results of the online analysis, signal information (RSSI) and the integrated raw data are subjected to offline analysis (White et al., 2009). The phase incorporates Analysis Modules that use forensic tools to triangulate the hacker's position based on the signal level received, supported by advanced wireless incident handling tools. The essence of the investigation phase lies in its ability to find the location from which the wireless attack was performed and the threat to the wireless monitoring unit (Urbas & Krone, 2010). Furthermore, it helps identify the tools, such as the antenna and software, that were used by the attacker.
Phase 6 is the modification phase, which uses the results of the analysis from the various phases to modify the network architecture and to develop deceptive services that enhance the security of a wireless network (White et al., 2009). These modifications and alterations are made depending on the information acquired about the limitations and weaknesses of the existing security measures relative to the attackers and their methodologies (Siles, 2007). The modification process includes incorporating the new rules generated in the offline and online analysis processes, which recommend possible strategies for preventing and detecting attacks. In the modification phase the administrator can decide on an approach that increases the level of deception, from WEP to WPA, or incorporates stronger usernames and passwords designed to limit password guessing attacks (Urbas & Krone, 2010). During this stage, it is also possible to upgrade the firmware of the Access Points (APs) to the latest version to minimize the possibility of exploiting popular vulnerabilities. Furthermore, the administrator can automate a procedure that resets the WAP and restores it to its previously configured state, ensuring that no modification to its configuration persists (White et al., 2009).
Attack scenario and the architecture of wireless honeypots
Type A: wireless honeypots for layer 2 attacks
These honeypots seek Layer 2 attackers who attempt to enter open and secured wireless networks using the information broadcast by wireless APs. When a wireless attacker attempts to break Layer 2 security, the APs send beacons containing their Service Set Identifier (SSID) to announce their presence. Emulating the presence of too many access points in one area is the technique through which honeypots deceive the attackers (Spitzner, 2010).
Type B: Honeypots for attacks against wireless infrastructure devices
These honeypots are directed against attackers attempting to gain control of wireless infrastructure devices. During such an attack, the hacker alters the default security settings and configuration of an AP and gains access to the management network and administrative interface. To lure such an attacker, wireless honeypots deploy emulated access points for the attacker to connect to while hiding the real WAP-controlling administrative server (White et al., 2009).
Type C: Honeypots for attacks directed at wireless clients
The architecture of this honeypot is designed to lure attackers by deploying vulnerable wireless clients. Whenever a client is connected to a wireless network without effective security measures, an attacker can exploit the vulnerabilities of the network to attack the client (White et al., 2009). This is done by deploying a rogue access point, using tools such as KARMA, that sends a stronger signal to deceive the client into believing he is using the official AP, capturing the client's credentials and using them to launch an attack. When honeypots are deployed in the form of vulnerable clients, they generate automated client traffic that detects and deceives the rogue access points (Spitzner, 2010).
Type D: honeypots for attacks against wired infrastructure
The architecture of this honeypot is designed to seek attackers attempting to enter a wireless network in order to target the connected wired infrastructure. The honeypots are made of emulated access points plugged into a real wired network infrastructure. While providing an internet connection, the honeypots block outgoing network traffic using an intrusion prevention system (Urbas & Krone, 2010).
Type E: integrated architecture
This approach to the development of wireless honeypots covers all the possible attack scenarios on a wireless network. The design incorporates emulated access points, which are essential in confusing the attacker about the real target. There are fake web interfaces that allow the administrators to monitor all kinds of attackers (Spitzner, 2010).
Honeypot technology is considered an innovation that helps in acquiring information about a hacker: his level of expertise, frequency of attacks, and the methodologies and goals used in attacking the security of devices, obtained through deception, deterrence, and detection. The main objective of a wireless honeypot from a design perspective is to provide real statistics about wireless attacks. This includes information on the frequency of attack, the type of attack, the expertise level of the attacker, and the goals and methodologies used by the attacker. This is often accomplished through the integration of a Wireless Client module, a Wireless Access Point, a Wireless Data Analysis module, an optional Wired Infrastructure module and a Wireless Monitor module.
References
Chen, J., Jiang, M. & Liu, Y. (2005). Wireless LAN security and IEEE 802.11i. Wireless
Cracknell, P. (2010). The Wireless Honeypot Project: A Brief Look at How Wireless Networks Are Used and Misused in the City of London. Technical Report, RSA Security UK Limited (RSA SUL), CISSP.
Galante, A., Kokos, A. & Zanero, S. (2009). "BlueBat: Towards practical Bluetooth honeypots," Proceedings of the 2009 IEEE International Conference on Communications, pp. 1-6.
Hsieh, C., Lee, C. & Huang, L. (2004). "The implementation of a proactive wireless intrusion detection system," Proceedings of CIT '04, 2004.
Jacksch, E. (2005). Tenebris Wireless Honeypot Project: Assessing the Threat Against Wireless Access Points. CISSP, Tenebris Technologies Inc.
KPMG. (2003). Survey Reveals Hackers Hunt for Wireless Networks Whilst Commuting.
Oudot, L. (2004). Wireless Honeypot Countermeasures. SecurityFocus.
Poulsen, K. (2005). Wi-Fi Honeypots a New Hacker's Trap.
Siles, R. (2007). HoneySpot: The Wireless HoneyPot. The Spanish Honeynet Project, Spain.
Spitzner, L. (2010). Honeypots: Definitions and Value of Honeypots.
Urbas, G. & Krone, T. (2010). "Mobile and wireless technologies: security and risk factors," Trends & Issues in Crime and Criminal Justice, vol. 329.
White, J., Brown, S., Ramaswamy, S. & Itmi, M. (2009). "Securing P2P wireless communications by deploying honeytokens in a cooperative maritime network," Proceedings of CISSE '09, 2009.
Yek, S. (2004). "Implementing network defense using deception in a wireless honeypot," 2nd Australian Computer, Information and Network Forensics Conference, Fremantle, Western Australia.
Yek, S. & Australia, W. (2003). "Measuring the effectiveness of deception in a wireless honeypot," Proceedings of the 1st Australian Computer Network and Information Forensics Conference, pp. 1-10, 2003.