Leading hackers down the garden path

Can a hacker be controlled by predetermined deception? Limiting the decision making capabilities of hackers is one technique of network countermeasure that a honeynet enables. By furnishing a honeynet with a realistic range of services but restricted vulnerabilities, a hacker may be forced to direct their attacks to the only available exploits. This research discusses the deployment of a honeynet configured with a deceptive TELNET and TFTP exploit. Four hackers were invited to attack the honeynet and the analysis of their compromise identified if they engaged in a guided pathway to the intended deception. Hand trace analysis was performed on network log files to determine their primary attack vector. Conceptual analysis and frequency analyses methods were adopted to verify the hacker’s compromise and subsequent deception. The results demonstrated how three out of four hackers were lead down a misguided pathway of network deception

A deception based framework for the application of deceptive countermeasures in 802.11b wireless networks

The advance of 802.11 b wireless networking has been beset by inherent and in-built security problems. Network security tools that are freely available may intercept network transmissions readily and stealthily, making organisations highly vulnerable to attack. Therefore, it is incumbent upon defending organisations to take initiative and implement proactive defences against common network attacks. Deception is an essential element of effective security that has been widely used in networks to understand attack methods and intrusions. However, little thought has been given to the type and the effectiveness of the deception. Deceptions deployed in nature, the military and in cyberspace were investigated to provide an understanding of how deception may be used in network security. Deceptive network countermeasures and attacks may then be tested on a wireless honeypot as an investigation into the effectiveness of deceptions used in network security. A structured framework, that describes the type of deception and its modus operandi, was utilised to deploy existing honeypot technologies for intrusion detection. Network countermeasures and attacks were mapped to deception types in the framework. This enabled the honeypot to appear as a realistic network and deceive targets in varying deceptive conditions. The investigation was to determine if particular deceptive countermeasures may reduce the effectiveness of particular attacks. The effectiveness of deceptions was measured, and determined by the honeypot\u27s ability to fool the attacking tools used. This was done using brute force network attacks on the wireless honeypot. The attack tools provided quantifiable forensic data from network sniffing, scans, and probes of the wireless honeypot. The aim was to deceive the attack tools into believing a wireless network existed, and contained vulnerabilities that may be further exploited by the naive attacker

Leading hackers down the garden path

Can a hacker be controlled by predetermined deception? Limiting the decision making capabilities of hackers is one technique of network countermeasure that a honeynet enables. By furnishing a honeynet with a realistic range of services but restricted vulnerabilities, a hacker may be forced to direct their attacks to the only available exploits. This research discusses the deployment of a honeynet configured with a deceptive TELNET and TFTP exploit. Four hackers were invited to attack the honeynet and the analysis of their compromise identified if they engaged in a guided pathway to the intended deception. Hand trace analysis was performed on network log files to determine their primary attack vector. Conceptual analysis and frequency analyses methods were adopted to verify the hacker’s compromise and subsequent deception. The results demonstrated how three out of four hackers were lead down a misguided pathway of network deception

How to build a faraday on the cheap for wireless security testing

The commonly known security weaknesses associated with the 802.11b wireless standard have introduced a variety of security measures to countermeasure attacks. Using a wireless honeypot, a fake wireless network may be configured through emulation of devices and the TCP/IP fingerprinting of OS network stacks. TCP/IP fingerprinting is one of the most popular methods employed to determine the type of OS running on a target and this information can then be used to determine the type of vulnerabilities to target on the host. Testing the effectiveness of this technique to ensure that a wireless honeypot using honeyd may deceive an attacker has been an ongoing study due to problems conducting TCP/IP fingerprinting in the wireless environment. Research conducted in a university laboratory showed that the results were ineffective and the time taken to conduct testing could be as long as 60 hours. The subsequent exploration of different testing methods and locations illuminated on an ideal research facility called a faraday cage. The design and construction of the faraday is discussed in this paper as an affordable solution for controlled and reliable testing of TCP/IP fingerprinting against the scanning tool Network Mapper (NMAP). The results are useful when looking to deploy a deceptive honeypot as a defence mechanism against wireless attackers

If You go Down the Internet Today - Deceptive Honeypots

This is preliminary research into the effectiveness of deceptive defensive measures in particular honeypots that use deceit as a primary defensive and offensive mechanism. Initial research has been conducted using the Deception Tool Kit and its ability to fool commonly available network scanning tools such as Nessus and Nmap The preliminary research indicates that these deceptive tools have a place in modern network defence architecture

The development of an attack vector using applied levels of deceptive strategy for directing attack in a honeynet

Deception has long been part of an effective strategy for the guileful and determined predator. Deceptive lessons learned from the animal kingdom have since been passed over to the realm of network security. Home users and organisations alike may adopt deceptive strategies as a proactive and preventative measure for monitoring and securing wired and wireless networks. Honeypots and honeynets are digital entities that are able to emulate the behaviours and functionality of genuine computerised systems. A honeypot\u27s ability to deceive network attack tools may alIow defenders to tailor network countermeasures according to predicted attack vectors. In this research, an exploratory study of honeynet architecture and deployment was undertaken to create a virtual network to deceive network attacks and direct an attack vector through a predetennined deception

Blackhat fingerprinting of the wired and wireless honeynet

TCP/IP fingerprinting is a common technique used to detect unique network stack characteristics of an Operating System (OS). Its usage for network compromise is renowned for performing host discovery and in aiding the blackhat to determine a tailored exploit of detected OSs. The honeyd honeynet is able to countermeasure blackhats utilising TCP/IP fingerprinting via host device emulation on a virtual network. Honeyd allows the creation of host personalities that respond to network stack fingerprinting as a real network would. The nature of this technique however, has shown to provide inconsistent and unreliable results when performed over wired and wireless network mediums. This paper presents ongoing research into the TCP/IP fingerprinting capabilities of the popular host discovery tool Network Mapper (NMAP) on the honeyd honeynet. The forensic analysis of raw packet-captures allowed the researcher to identify differences in the modus operandi and outcomes of fingerprinting over the two mediums. The results of this exploratory study show the process of discovery to uncover how TCP/IP fingerprinting with NMAP and honeyd needs to be tested for effective network countermeasure