Build a wireless intrusion honeypot to uncover stealthy intruders on enterprise networks (1)

Source: Internet
Author: User

As we all know, wireless networks bring flexible access but have always been a weak point for security. Enterprise and home wireless networks alike easily attract "tourists". On the one hand, WEP, WPA and other encryption measures have been cracked, making wireless encryption useless. On the other hand, the automatic network search and automatic connection features of wireless clients let many "unintentional" users connect to your wireless network. So how can we prevent attacks and intrusions against wireless networks? Can we take measures to counter intruders? Today I invite readers to turn the tables and build a wireless intrusion honeypot that exposes intruders for what they are.

I. What is a wireless intrusion honeypot?

First, we need to clarify what a honeypot is. Network management and network security use this definition: a honeypot is a security resource whose value lies in being scanned, attacked, and compromised. The definition implies that a honeypot has no other practical function, so all inbound and outbound network traffic may indicate scanning, attack, or compromise. The core value of a honeypot lies in monitoring, detecting and analyzing these attack activities. To put it bluntly, a honeypot is a fake system that attracts intruders and then traps them: a deliberately vulnerable system that can be used to detect intruders and quickly locate them.

 

A wireless intrusion honeypot works the same way, except that it is a wireless network with deliberate vulnerabilities that attracts intruders and then traps them. Their network parameters are recorded to collect basic information about the intruders, so that they can be kept out more effectively. For example, you can use MAC address filtering or IP address blocking to disable hosts that may intrude into the system and revoke their permission to connect to the wireless network.

II. How to build a wireless intrusion honeypot system

So how do ordinary users and enterprise network users build a wireless intrusion honeypot system? Two things are required.

The first is to establish a vulnerable wireless network. We can choose an SSID to broadcast as needed and encrypt the network with WEP using a simple key. All settings are made on the wireless router: the wireless network and the related parameters are enabled on its wireless parameter settings page. (Figure 1)

 

After the vulnerable wireless network is enabled, we can scan it with a wireless scanning tool to confirm that the vulnerable network exists and runs stably. (Figure 2)

 

Second, we need to be able to monitor intruders properly. Generally this is done with monitoring tools or network management programs, and sniffer tools are a good choice. It is even better if the wireless device is enterprise-grade and supports port mirroring: we can then mirror the port the attacker connects through, or the main egress port, to the sniffer. All data traffic is forwarded to the sniffer host, so that we can carefully analyze the intruder's network traffic and related data.

However, most devices and home users do not have wireless equipment that supports port mirroring. How can we still monitor properly? In my personal experience, it can be done with a hub. In ordinary network use a hub is prone to broadcast flooding and repeated packet forwarding, but this disadvantage is exactly what a wireless intrusion honeypot needs. Connect a hub to the uplink port of the wireless device, connect one hub port to the upper-layer device or the Internet, and connect another port directly to the monitoring host where the sniffer software is installed. When an intruder connects to the wireless device, the related packets are forwarded to the hub, and because the hub copies the same data to every port, the monitoring host sees the corresponding network traffic. This traffic is generated by the intruder, so the attacker can be monitored properly.
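What the monitoring host can do with the traffic the hub copies to it, as an added example that is not part of the original article: because the honeypot network has no legitimate users, every source MAC other than the known devices is a candidate intruder, and its MAC and IP addresses are the "basic information" used for filtering or blocking. Assumptions: the sniffer saved a classic pcap file with Ethernet framing, the wireless device bridges client frames so client MACs are visible on the wire, and all function names, MAC addresses and IP addresses below are constructed.

```python
import struct
from collections import defaultdict

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def read_pcap(data):
    """Yield raw Ethernet frames from a classic libpcap capture."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("need a classic pcap file with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:
            break  # truncated final record
        yield frame
        off += 16 + incl

def honeypot_clients(data, known_macs):
    """Return {source MAC: {"ips": set, "frames": int}} for every unknown sender."""
    seen = defaultdict(lambda: {"ips": set(), "frames": 0})
    for f in read_pcap(data):
        if len(f) < 14 or mac(f[6:12]) in known_macs:
            continue  # runt frame, or the router / monitoring host itself
        entry = seen[mac(f[6:12])]
        entry["frames"] += 1
        etype = struct.unpack("!H", f[12:14])[0]
        if etype == 0x0800 and len(f) >= 34:    # IPv4: source address
            entry["ips"].add(".".join(map(str, f[26:30])))
        elif etype == 0x0806 and len(f) >= 42:  # ARP: sender protocol address
            entry["ips"].add(".".join(map(str, f[28:32])))
    return dict(seen)

def build_sample():
    """Constructed capture: one unknown client talking to the honeypot router."""
    router, client = "020000000001", "02000000beef"
    a, b = bytes([192, 168, 1, 57]), bytes([192, 168, 1, 1])
    eth = lambda dst, src, t, p: bytes.fromhex(dst + src) + struct.pack("!H", t) + p
    frames = [eth(router, client, 0x0800, bytes(12) + a + b),
              eth("ff" * 6, client, 0x0806, bytes(8) + bytes.fromhex(client) + a + bytes(10)),
              eth(client, router, 0x0800, bytes(12) + b + a)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for m, info in honeypot_clients(build_sample(), {"02:00:00:00:00:01"}).items():
        print(m, sorted(info["ips"]), info["frames"])
```

If the wireless device routes with NAT instead of bridging, every frame on the hub carries the router's own MAC and address, so the client list has to come from the router's association or DHCP records instead.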

