Middler on a Wireless Honeypot – Securing My Wireless
Thu, Jun 25, 2009When most of us think of running a wireless network at home we starting thinking of all the buzzwords and acronyms we can use to secure them. But not me. I like to take a different approach to my wireless. Instead of thinking of it like “No one but me should be able to surf porn on my wireless” or “Those hackers are going to drive by and send spam”. None of that.
I like to think of my wireless as more of a honeypot. I know everyone gets on “free”, open wireless networks. If not because they don’t know it’s illegal but because it’s easy and, well, free. Almost an evil twin setup but it’s not pretending to be anything. It’s also an interesting challenge to keep a network functioning and protect my somewhat important things in a somewhat hostile environment. I don’t know if anyone that is connecting to my network is malicious or infected with confliker. But most importantly it gives me a reason to practice some offensive security.
I wouldn’t say I currently monitor my network, hopefully I can post more on this another time. Sure I take a look at logs from time to time but I don’t run an IDS or any automated system to notify me of unusual behavior or otherwise track how things are running. I have about 3 devices and a couple of laptops that are usually on and need access to the Internet so I can tell when something isn’t quite right, really it’s just not enough to miss anything big.
One day when I felt like looking at logs in my free time I noticed a few things. Someone was borrowing my wireless! What for, I wondered. A few tcpdumps later I found they were checking email and news, no big deal. So, I start to think. Who is this? What OS are they running? How often do they use to my wireless? How long do they stay? And how can I screw with them…
The first thing that always comes to mind is upsidedownternet. But it’s been done. Last time I found someone on my wireless I rick rolled them by redirecting all web traffic to my web server which conveniently had a copy of Rick on it . The next idea I had was Metasploit.
This is a really interesting idea, but by itself just doesn’t work. Sure I can run autopwn but it’s not entirely automated and requires that you be able to port scan and make connections to the device. Vista, which I have found by watching network traffic, has the firewall turned on by default. So I have to be a bit more creative. That’s when I remember a presentation I saw at Shmoocon about a new tool called the Middler.
The Middler is still in alpha and doesn’t quite work yet but I don’t need all of the functionality anyway, I already own all the devices between my leeching neighbors and the Internet. Middler uses ARP spoofing to redirect all traffic through your computer and then allows for proxy plugins that can do all sorts of interesting things. So far it only supports HTTP but what it does with HTTP is very cool. Once someone connects to the proxy it gathers information from the client: user agent, browser, version, cookies etc. Then makes a connection to the requested server. Once the page has been downloaded a couple of extra items are added. One iframe goes to Metasploit’s browser autopwn. A java script is added that acts as a key logger and BeEF is used to also send exploits to the client. Because Middler is in alpha it doesn’t really work and I’ve been trying to add some support for OpenBSD.
Up until recently having someone borrow my Internet access hasn’t been a problem. After all, a little web browsing doesn’t bother anything. But now I have a new leecher and they aren’t interested in surfing the web much from what I can tell. They are using bittorrent or some other crappy P2P software… or they have a virus. Either way when they get on the Internet they pretty much bring my wireless to a halt. And that is not OK. So now I have to actually lock down my network. How does someone go about “securing” a wireless network? No crypto allowed by the way.