The Digital Matrix Project Honeynet (or Honeypot as some would call it) was created to study the threat level of hackers and stumblers in the 802.11 environment. Another aspect of the project is to test various intrusion detection methods and to learn what tools, techniques and tactics the wireless trespassers are using against discovered networks.
Besides the standard tools shown in the demonstration, we also showed you two custom in-house applications used in the honeypot. NetStumbler SpyGlass and AirSnare are two custom applications written to help evaluate the above conditions.
NetStumbler SpyGlass: This program monitors the airwaves and alerts on NetStumbler, modified NetStumbler and some Site Monitor activity. A NetStumbler alert is someone running NetStumbler in its original condition. A modified NetStumbler alert is someone running a modified version in which the beacon text has been changed. A modified alert can help analyze the threat level of the stumbler, showing that this person MAY possess a couple of extra skills over those of the default stumbler (i.e., able to run a hex editor and/or talk a friend into giving him a copy of the modified NetStumbler). Last, the Site Monitor alert is an indication of someone running a site monitor application. This is not overly concerning; however, one coming from an unfriendly MAC address could be cause to heighten one's alertness. Currently the on-screen list and the voice prompts for each detection are the only alerts. As demonstrated, NetStumbler can be made "stealth" to NSSpyglass by turning off the querying of access point names. Stealth NetStumbler detection may still be possible by detecting layer 2 LLC activity, but that is outside the scope of this presentation.
Please note that NetStumbler SpyGlass is constantly under improvement and development, so screen shots may differ slightly from the version seen in the live demo.

AirSnare: This program monitors the airwaves for suspicious activity that doesn't match normal network activity. One task it performs is watching for unfriendly MAC addresses. When an unfriendly MAC address shows up on the network, AirSnare gives you the option of either tracking the MAC and its movements around the network with AirSnare or launching Ethereal and monitoring activity with the sniffer. AirSnare also checks for possible elite (leet, 31337, etc.) MAC addresses, that is, addresses containing words which suggest that network activity from that MAC address should be watched closely. Each alert condition is announced by voice prompt, displayed on the list, and turns the application background color red. AirSnare performs a few other tasks, possibly mentioned during the live demo, which won't be discussed on this web page.
Please note that AirSnare is constantly under improvement and development, so screen shots may differ slightly from the version seen in the live demo.
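
The two MAC checks described for AirSnare above (unfriendly addresses and "elite" addresses), shown as an added Python example that is not AirSnare's own code. The word list, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

# Assumed word list (hex-spellable strings); AirSnare's real list is not on the page.
# "31337" is listed before "1337" so the longer match is the one reported.
VANITY_WORDS = ("31337", "1337", "DEAD", "BEEF", "CAFE", "BABE", "FACE", "C0DE", "F00D")

def normalize_mac(raw):
    """Return the address as 12 uppercase hex digits; reject anything else."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def vanity_hits(mac):
    """Words spelled by the address digits (a match may span octet boundaries)."""
    digits, hits = normalize_mac(mac), []
    for word in VANITY_WORDS:
        if word in digits and not any(word in h for h in hits):
            hits.append(word)
    return hits

def classify(mac, friendly):
    """Alert labels for one observed source MAC; an empty list means no alert."""
    digits, alerts = normalize_mac(mac), []
    if digits not in friendly:
        alerts.append("unfriendly")
    words = vanity_hits(digits)
    if words:
        alerts.append("elite:" + ",".join(words))
    return alerts

def scan(observed, friendly):
    """Map each alerting MAC to its labels, in the order first seen."""
    report = {}
    for mac in observed:
        alerts = classify(mac, friendly)
        if alerts:
            report.setdefault(mac, alerts)
    return report

# Constructed sample data: two friendly stations and four observed source MACs.
FRIENDLY = {normalize_mac(m) for m in ("00:0C:41:12:34:56", "00-0c-41-ab-cd-ef")}
OBSERVED = ["00:0c:41:12:34:56", "00:02:2D:9A:10:7F",
            "DE:AD:BE:EF:00:01", "00:13:37:C0:DE:42"]

if __name__ == "__main__":
    for mac, alerts in scan(OBSERVED, FRIENDLY).items():
        print(mac, " ".join(alerts))
```

A word match on a factory-assigned address is possible by coincidence, so the "elite" label is a reason to watch the station, not proof of a hand-set MAC.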

Many applications used in the demo are available on the Net.
AirSnare - Intrusion Detection Software for Windows - MAC monitoring - AirSnare Web Site
NSSpyglass - NetStumbler Detection Software for Windows - NSSpyglass Web Site
Honeynet version 2
Version 2 of the Digital Matrix Honeynet now includes a couple of other programs.
Web Server: The Web server application responds to file requests and directory traversals with "200 OK" yet doesn't really allow the hacker to do anything. They can "deface" the website; however, all defacements are directed to a separate file and don't really change the web page.
Telnet Server: The telnet server can act as any type of telnet connection. Currently it is acting like a Cisco-ish type of router. The hacker can use common commands, including "rebooting" the router. All commands are logged to a file.
Access Point Remote Admin: The AP Remote Admin program looks and feels like a Linksys Access Point accessed through the Administrative Web Page. All actions by the hacker against the pseudo-Linksys AP are logged.
FTP Server: The FTP server gathers FTP'd files and logs access.
SMTP Server: The SMTP server can act as an SMTP server while logging all activity to a file, or it can act as an SMTP proxy and forward all SMTP communications to a real SMTP server while logging all activity.
We are also working on setting up a pcAnywhere machine to observe attacks towards remote access programs.