Printer Friendly

Study of Honeypots: analysis of WiFi_Honeypots and Honeypots tools.


A wireless local area network (WLAN) links two or more devices using some wireless distribution method (typically spread-spectrum or OFDM radio), and usually providing a connection through an access point to the wider Internet. An Evil Twin hotspot is a Wi-Fi access point set up by a hacker or cybercriminal. Such a hotspots provides free Wi-Fi access to its clients. Hackers and/or cybercriminals create Evil Twin hotspots to steal passwords or cookies. Example:- laptop battery charger of LG is not same as dell or some other companies. There may have some variations. Likewise, signal strengths of fake APs and Genuine APs may be different. The Evil Twin hotspot owner may attempt to boost his or her hotspot's signal strength so that it overpowers the legitimate one. Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Our work is to prevent session hijacking from fake access point. The session hijacking attack can be generally performed by using honey pots. Wireless IDS (WIDs) will sniff your surrounding air traffic for suspicious activities such as WEP/WPA/WPS attacking packets.

Honeypot can't prevent a particular intrusion or spread of virus or worm. It collect information and detect attack patterns. It is a tool to collect evidence or information and to gain as much as knowledge as possible especially on the attack patterns. In Fake_AP, hackers create a TRAP to steal or sniff secret information such as passwords and other valuable informations. Honeypot mimic web_server to TRAP hackers. Honeypot is a TRAP set to detect attempts at unauthorized access to a system. Honeypot would capture and collect all attempts of hacker. Honeypot catch hackers while they are in network and to redirect hackers to the honeypot system. It can be good chose for information gathering. Honeypots classified as two. They are production and research honeypot. Based on interaction level honeypots classified as three. They are high interaction level, medium interaction level, low interaction level. Gain network access, hackers can do two options. They are

Brute force and password guessing. Some of the hackers use honeypots to sniff the SSIDs in order to conduct a SSID_spoofing. Main aim of Rogue_AP is to conduct MiM attack and sniffing wireless network traffic. Instead of guessing the passwords, hackers use sniff passwords from the information exchange.

Session Hijacking Scenario:


User : Arun

Use web browser

"Hello server, this is my user name password".

Is this correct?

facebook server: if(user==valid)


printf("Valid user");

Send message with one session id:

valid user + unique session id

Intruder collected all data for future use within the session.

Sign of Honey-pots:

Unusual services and ports open meant to attract attackers and it may be a trap or honey-pot. If there is a lot of free space on the hard drive it may be honey pot. If you see directories with names such as "Credit_card_numbers", "admin_password", "social security number" etc. it may be a honeypot.

Related Work:

Hemanshu et al. (2013) proposed beacon frames generated by access point depends on the quality of the access point and beacon frames received by the legitimate user will also varies according to the climatic conditions. Authors fixed a threshold number of beacon frames received by the receiver according to the climatic conditions and on the basis of access points quality. If the number of received beacon signals in fixed time slot will be less than the threshold value. The received number of beacon signals also varies according to the climate conditions and quality of access point. The threshold value also varies accordingly. The fake access points act as honey pot and used to gather network information. If the fake access points are detected which will work like a honey pot then session hijacking could be prevented.

Taebeom et al. (2012) proposed a novel fake AP detection method to solve the aforementioned problems in the client-side. The method leverages received signal strengths (RSSs) and online detection algorithm. They analyzed based on fixed and optimal threshold values. In their assumption fixed threshold value was 2 and they identified the true positive was over than 99% and the false positive was less than 0.1% in three observations.

Hao Han et al. (2011) proposed a practical detection scheme based on the comparison of Receive Signal Strength (RSS) to prevent users from connecting to rogue APs. The basic idea of their solution is to force APs (both legitimate and fake) to report their GPS locations and transmission powers in beacons. Based on such information, users can validate whether the measured RSS matches the value estimated from the AP's location, transmission power, and its own GPS location. A rogue AP is a malicious AP that pretends to be a legitimate AP to induce users to connect. In a vehicular network, rogue APs can be classified into two categories are static and mobile. Vehicular rogue AP is assumed to be launched in a car with two wireless interfaces. The first interface pretends to be a valid AP, and the other interface is used to connect to Internet. The GPS location indicates the AP's coordinates in the form of a latitude-longitude pair.

Keijo Haataja et al. (2011) proposed two new Man-In-The-Middle (MITM) attacks on Bluetooth Secure Simple Pairing (SSP). Bluetooth is a technology for short range wireless data and realtime two-way audio/video transfer providing data rates up to 24 Mb/s. Bluetooth devices that communicate with each other form a piconet. The device that initiates a connection is the piconet master and all other devices within that piconet are slaves. Security levels classified are Silent (The device will never accept any connections), Private (The device cannot be discovered, i.e. it is a so-called non-discoverable device), Public(The device can be both discovered and connected to. It is therefore called a discoverable device). They provided a comparative analysis of the existing MITM attacks on Bluetooth.

Chang-Lung Tsai et al. (2009) proposed novel intrusive behavior analysis scheme based on ant colony algorithm. The behavior of intrusion is detected by an intrusion detection module and analyzed based on Ant colony optimization algorithm. And developed honey pot for intrusive behavior analysis, misuse and some attacking such as probe, DoS, DDoS, R2L (remote to local), U2R (User to Root), evading IDS are performed. Authors worked on different capability of intruders.

Suman Jana et al. (2009) proposed clock skew of a wireless local area network access point (AP) to detect unauthorized APs quickly and accurately. The main goal behind using clock skews is to overcome one of the major limitations of existing solutions--the in ability to effectively detect Medium Access Control (MAC) address spoofing. Authors concluded that the use of clock skews appears to be an efficient and robust method for detecting fake APs in wireless local area networks. Setting up fake APs is not hard. Therefore, detecting unauthorized APs is a very important task of WLAN intrusion detection systems (WIDSs). Authors explored the possibility of using clock skews to uniquely identify different devices participating in a wireless ad hoc network. All nodes in an ad hoc network must broadcast beacon packets periodically containing time stamps according to their own clock. The time stamps in these beacon packets are meant for synchronizing the clocks of all nodes. Each participating device periodically synchronizes its clock using the beacon time stamps it receives, by applying a clock synchronization algorithm that ensures the monotonicity of each node's clock. Authors explained the detailed view about Beacon generation and Clock synchronization in IEEE 802.11 ad hoc networks. Authors mentioned one algorithm that used to detect fake APs based on clock skews.

Ionut Constandache et al. (2010) implemented CompAcc on Nokia N95 and 6210 phone models using Python as the programming platform. The main idea of CompAcc is to leverage the mobile phone's accelerometer and electronic compass to measure the walking speed and orientation of the mobile user. Updates are necessary because WiFi access points change over time as people shift in/out of apartments, homes and offices. Evaluation results demonstrated that CompAcc achieves average localization accuracy of around 11m, even in areas without WiFi. Operation of CompAcc clearly explained by authors.

Iyatiti Mokube et al. (2007) discussed about types and interaction levels briefly. They mentioned 'honeytokens' which is already defined by Spitzner. 'honeytoken' is a fake digital entity that can have many different applications. The use of a 'honeytoken' such as a fake login can help in tracking the activities, and determining the actions, capabilities and intentions of, a malicious intruder. And they discussed about factors, legal issues and challenges, advantages, privacy, entrapment, disadvantages, liability.

Konstantinos Pelechrinis et al. (2012) proposed and analysed a honeypot venue-based solution, enhanced with a challenge-response scheme, that flags users who are generating fake spatial information. Honeypot venues (HV), which are attractive to the cheaters. Authors proposed system for identifying possible cheating users. In brief, gamer cheaters are attracted by venues that can facilitate their goal for as many as possible virtual rewards. Monetary cheaters are clearly attracted by venues that offer special deals. Their work deals with the detection of cheating users with regards to the generated check-ins, it is also important for the location-based service provider to decide what measures it should take against them. Authors proposed a novel scheme for detecting fake check-ins in location-based services. Proposed system is based on the primitives of honeypots. As compared to other possible solutions (e.g., location proofs and secure localization) it possesses the advantage that it can be solely deployed by the location-based service provider without the need for trusted third party entities.

Thorsten Holz et al. (2005) presented several methods to detect suspicious environments. The term honeypot usually refers to an entity with certain features that make it especially attractive and can lure attackers into its vicinity. Authors discussed several ways to fingerprint current honeypot related technologies.

Nathalie Weiler, (2002) presented a system that helped in the defence in depth of a network from DDoS attacks. In addition to state-of-art active and passive security defences, they proposed a honeypot for such attacks. Author described a promising tool for luring attackers into the belief of a successful DDoS attack. Authors mentioned two different views of honeypots with diagram. Trinoo was the first widely known DDoS tool. It uses TCP to exchange control data between the attacker and the master attack host. The compromised slaves are controlled though UDP messages. These then operate an UDP flooding attack on the victim. And showed how such a system can be used in a defence in depth real-world network environment. And also identified different problems with the current realisation and provided first solutions to cope with the scalability of the honeypot.

Prajakta Shirbhate et al. (2012) presented a proactive defense scheme based on Honeypot security system (HPSS). They proposed an improved approach based on Intruder Detector System (IDS) which enhances the security of cyber. Their focused area is honeypot security for e-banking. Honeypots have been used to detect or capture the activity of outsider or perimeter threats. Honeypot security system (HPSS) keep the records of action performed by intruder i.e. which data he is downloading, sites he is visiting. And they described about the advantages of honeypot. Authors categorized some major activities involved are IP address tracing, Psychometric test and Captcha image. In IP address tracing, once person logins into the system first of all IP address is noted down. In this, both the IP tracing as well as Login test is performed. If he fails to login for couple of times he will be entered into the fake system. In security systems which are present currently there will be denial of service if a person fails to login for defined iterations. Psychometric test was performed to detect that is the person a regular and real customer or a hacker hacking other person's account. Captcha image is used to check whether the logged person is a person or machine.

Charles Bruno, (2006) evaluated wireless intrusion prevention systems. And the author described about Rogue AP detection and prevention. once a rogue is identified a WIPS should be able to disconnect clients from the rogue AP.A WIPS also should be able to detect and prevent multiple clients from accessing multiple rogue APs. Tolly group tested scenarios.

Collin Mulline et al., (2011) developed HoneyDroid, a smartphone honeypot for the Android operating system using the QEMU-based Android emulator. They employed virtualization to create system logs that are complete enough to replay an attack. In HoneyDroid, Android is not allowed to access hardware directly. This setup is similar to ReVirt, which is implemented by (G. W. Dunlap et al.). In difference to ReVirt which is based on a monolithic kernel, they built on a microkernel, which reduced the trusted computing base of the honeypot by orders of magnitude.

Radhika Goel et al., (2013) presented a general framework for wireless honeypot systems that encompasses a broad range of honeypot architectures, and categories previous systems according to that framework, highlighting the results of those projects. The results show that though an array of wireless honeypot models exists, none of them is able to provide full protection in real-time environment. The existing Wireless Honeypot Systems and Tools are WISE, KPMG's Wireless Honeypot, Proactive WIDS, Deceptive Wireless Honeypot, HoneySpot, Wireless Tools(Honeyd and Fake AP). Analysed based on 5 parameters. That are 'architecture', 'deception/detection system', 'depolyment technology', 'testing scanario', 'results of project'. And authors implemented honeypot framework. Online analysis is based on matching with existing rules. And authors described several architectures of different attacks.

A Technical Whitepaper AirMagnet, (2004) described about Rogue Devices and Business Risks with neat diagram. The term Rogue is used to refer to all unauthorized wireless devices. Rogue discovery plays an important role throughout this process. They mentioned to create a baseline list of untrusted APs and their characteristics, including MAC address, ESSID, channel, signal-to-noise ratio (SNR), and approximate location. Baseline is the main term used in IDS. To detect such malicious activities use their AirMagnet Enterprise Rogue Management Console.

N. Provos, (2004) presented Honeyd, a framework for virtual honeypots, that simulated a virtual computer systems at the network level. This paper provided a brief overview of the design and implementation of Honeyd, a daemon that simulated the TCP/IP stack of operating systems to create virtual honeypots. Honeyd supports TCP, UDP and ICMP. It listens to network requests destined for its configured virtual honeypots. Honeyd receives traffic for its virtual honeypots via a router or Proxy ARP. For each honeypot, Honeyd can simulate the network stack behavior of a different operating system. Honeyd mimics the network stack behavior of operating systems to fool fingerprinting tools like Nmap.

A. Galante et al., (2009) implemented a BlueBat: Towards Practical Bluetooth Honeypots. BlueBat is an effort to build and deploy a practical honeypot for capturing in the wild samples and empirically study malware prevalence. Described the design and implementation of a first prototype, focused on Bluetooth worms propagating over the OBEX Push service.

Kuo Fong Kao et al., (2014) implemented An Accurate Fake Access Point Detection Method Based on Deviation of Beacon Time Interval. Among various rogue APs, a fake AP with fully forging the SSID and MAC address of a legitimate AP is the hardest thing to detect and the highest probability of causing security breach. They proposed an algorithm that is based on the 'interval',' serial number', and 'timestamp of beacons'. And they proposed to synchronize the sequence numbers and timestamp of both legal and fake APs and able to identify whether a fake AP exists or not.

Xiaobo Long et al., (2010) proposed a mechanism for detecting session hijacking attacks in wireless networks. The proposed scheme is based on using a wavelet based analysis of the received signal strength. They developed a model to describe the changes in the received signal strength of a wireless station during a session hijack, while the received signal is embedded in colored noise caused by fading wireless channels. An optimal filter is then designed for the purpose of detection. The detection mechanism is validated using both simulation and experimental results.

Fake access point or wifi honeypots creation tools in kali linux:

First of all we need "Wireless antenna" for analysis work. Company: "Alpha"

Wifi Honeypots:

--> Trap

--> Which intentionally created exact the same as real.

--> Steps:

--> start wlan0 on monitor mon0

--> airmon-ng start wlan0

--> Creating wifi honeypots

--> /usr/bin/wifi-honey <essid> <channel> <interface>

--> /usr/bin/wifi-honey fake_ap 6 mon0

-->where essid --> name of fake access point


--> Download "Easy-creds" from source forge.

--> Set alpha wireless antenna card

--> tar -xvf <file_name.gz>

--> cd easy-creds/

--> ./


--> Do necessary steps.

--> 6 modules

* Airbase_NG: Multi-purpose tool aimed at attacking clients as opposed to the Access Point (AP) itself. It cracks WEP and WPA keys using dictionary attacks.

* SSL Strip: sslstrip is an SSL stripping proxy, designed to make unencrypted HTTP sessions look as much as possible like HTTPS sessions.

* Ettercap: Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN.

* Dsniff: Dsniff is a set of password sniffing and network traffic analysis tools.

* URL Snarf: Sniffs an interface for HTTP traffic and dumps any URLs, and their originating IP address.

* DMESG: dmesg (display message or driver message) is a command on most Linux- and Unix-based operating systems that prints the message buffer of the kernel.

--> If anyone established our Fake_AP, his/her plaintext passwords can be visible to the attacker.

PWN Star:

--> Download "Pwnstar.tgz"

--> tar -xvf <PwnStar.tgz>

--> ./PwnStar

-->We can see so many options .

--> But our analysis work mainly focused on "First_option".

-->Honey-pot: Get the victim onto your Access Point, then use nmap. And do necessary steps.


-->Kali_linux ->Wireless Attacks -->Wireless Tools -->fern-wifi-cracker

Wifi honeypots discovery tools:

Hotspot is the places where wireless network is available for public use. Access point is used to connect wireless devices to a wireless network. Access points are configured to broadcast SSIDs to authorized users. To verify authorized users, password is required. SSID broadcasting is a major problem that allows attackers to steal an SSID and have the AP assumes they are allowed to connect. Wired Equivalent Privacy (WEP) is a WLAN client authenticating and data encryption protocol. WiFi Protected access (WPA) is an advanced WLAN client authenticating and data encryption protocol using TKIP, MIC and AES encryption. Wireless access points are specially configured nodes on WLANs. SSID is a Service Set Identifier and is the name of WLAN. War Walking Attackers walk around with Wi-Fi enabled laptops to detect open wireless networks. WarChalking is used to draw symbols in public places to advertise open Wi-Fi networks. In WarDriving, attackers drive around with Wi-Fi enabled laptops to detect open wireless networks. In WarFlying, attackers fly around with Wi-Fi enabled laptops to detect open wireless networks.

Rogue access point is used for creating open backdoor into trusted network by installing an unsecured AP. A rogue access point is an unauthorized access point in a wireless network. Attackers typically deploy these access points to sniff important data on the network. Attackers can also use rogue access points to hijack user sessions on the wireless network. After identifying the access point in the network, the next step is to verify whether or not the identified access point is a rogue access point. Investigator has to check MAC_address, Vendor, SSID, Signal_strength.

Detecting Wireless Access Points:

Manual: To detect WAPs, the investigator has to physically visit the area. He or she can then use techniques to detect the Wireless Access Points.

Active Scanning: Broadcasting a message and waiting for a response from devices in the range.

Passive Scanning: Identifies the presence of any wireless communication.

Next option is to use vulnerability scanners. Excellent example is Nessus.

Tools for Detecting Wireless Lan:

Net Stumbler, Mini Stumbler, In SSIDer, Kismet, Kis MAC, I-Stumbler, Wifi explorer, Wifi Hopper, Retina WiFi Scanner, Wireless Mon, Wireless NetView, Wireless Network Watcher, Xirrus-Wi-Fi-monitor, OutSSIDer, Wireless Scanner, WiFi Channel Scanner, WiFi Hotspot Scanner, Portable WiFi Network Monitor, WiFi Guard, Wave Stumbler, SSID Sniff for Linux, Wi-Finder, WiFi Stumbler, Wellenreiter wireless penetration tool.

Packet Sniffing:

aircrack_ng, SSID Sniff for Linux.

Wireless Bandwidth Leakage:


Honeypots tools:


We had given brief idea about fake access point and we had mentioned some important tools in daily life of investigators in digital forensics. We mentioned about honey pots and wifi honeypots. Intruders create fake access points for session hijacking or password sniffing or cookie stealing or sniffing SSIDs. In this paper, we analysed '27-WiFi Honeypot discovery tools' and '13 Normal Honeypot tools'. Our analsysis work is based on parameters. In Wifi honeypot discovery, our analysis work is based on 5parameters ('Software_name', 'vendor', 'aim', 'uses', 'OSs'). In normal honeypot discovery, our analysis work is based on 5 parameters ('Software_name', 'vendor, Main package(s) & Port numbers', 'aim', 'uses', 'OSs'). Before analysis we categorized the wifi honeypot tools. We made a literature survey about 20 related papers. And we explained about fake access point creation and steps in Kali Linux (Forensics).


Article history:

Received 3 September 2014

Received in revised form 30 October 2014

Accepted 4 November 2014


A Technical Whitepaper Air Magnet, 2004."Best Practices for Rogue Detection and Annihilation",

Air Magnet and Tools", International Journal of Network Security.

Chang-Lung Tsai, Chun-Chi Tseng, Chin-Chuan Han, 2009. "Intrusive behavior analysis based on honey pot tracking and ant algorithm analysis", Security Technology International Carnahan Conference.

Charles Bruno, The tolly Group, 2006. "Evaluating wireless intrusion prevention systems", The Tolly Group.

Collin Mulliner, Steffen Liebergeld, and Matthias Lange, 2011."Poster: HoneyDroid--Creating a Smartphone Honeypot", IEEE.

Galante, A., A. Kokos, S. Zanero, "BlueBat: Towards Practical Bluetooth Honeypots", IEEE.

Hao Han, Fengyuan Xu, C.C. Tan, Yifan Zhang, Qun Li, 2011."Defending against vehicular rogue APs",

Hemashu Kamboj, Gurpreet Singh, 2013."Fake Access Point Detection and Prevention Techniques", Journal of P2P Network Trends and Technology (IJPTT). INFOCOM, IEEE.

Ionut Constandache, Romit Roy Choudhury, Injong Rhee, 2010. "Towards Mobile Phone Localization

Iyatiti Mokube and Michele Adams, 2007."Honeypots: Concepts, Approaches, and Challenges", ACM.

Keijo Haataja and Pekka Toivanen, 201L"Two practical man-in-the-middle attacks on Bluetooth

Konstantinos Pelechrinis, Prashant Krishnamurthy, Ke Zhang, 2012. "Gaming the Game: Honeypot Venues Against Cheaters in Location-based Social Networks", arXiv.

Kuo Fong Kao, Wen Ching Chen, Jui Chi Chang; Heng Te Chu, 2014, "An Accurate Fake Access Point Detection Method Based on Deviation of Beacon Time Interval", IEEE.

Nathalie Weiler, 2002. "Honeypots for Distributed Denial of Service Attacks", IEEE.

Prajakta Shirbhate, Vaishnavi Dhamankar, Purva Deshpande & Smita Kapse, 2012. "Honeypot Security System For E-Banking", Undergraduate Academic Research Journal (Uarj).

Provos, N., 2004. "a virtual honeypot framework", USENIX Security Symposium.

Radhika Goel, Anjali Sardana and R.C. Joshi, 2013. "Wireless Honeypot: Framework, Architectures secure simple pairing and countermeasures", Wireless Communications, IEEE.

Suman Jana and Sneha K. Kasera, 2009. "On Fast and Accurate Detection of Unauthorized Wireless Access Points Using Clock Skews", IEEE.

Taebeom Ki, Haemin Park, Hyunchul Jung, Heejo Lee, 2012. "Online Detection of Fake Access Points Using Received Signal Strengths", Vehicular Technology Conference (VTC Spring), IEEE.

Thorsten Holz and Frederic Raynal, 2005. "Detecting Honeypots and other suspicious environments", IEEE. without War-Driving", Technical Program at IEEE INFOCOM.

Xiaobo Long, B. Sikdar, 2010. "A mechanism for detecting session hijacks in wireless networks", IEEE.

(1) Poonkuntran. S and (2) Arun Anoop M

(1) Professor, Velammal College of Engineering and Technology, Madurai-09, Tamilnadu, India

(2) Assistant Professor, MES Engineering College, Kuttipuram, Malapuram (Dt.), Kerala, India

Corresponding Author: Dr. Poonkuntran, S., Professor, Velammal College of Engineering and Technology, Madurai-09, Tamilnadu, India, E-mail:

Table 1: Analysis of WiFi Honeypot/Fake AP discovery tools

Softwarename        Vendor                 Aim

[1] Net Stumbler     Is a tool for
                                           windows facilitates
                                           detection of
                                           wireless LAN.

                    Marius Milner

[2] Mini Stumbler     Is a tool for
                                           window's facilitates
                                           detection of
                                           wireless LAN.

[3] InSSIDer        Meta Geek, LLC         Is a tool for WiFi
                    Written in C.          network scanning.

[4] Kismet          www.kismetwireless.    Is a tool for
                    net                    Wireless monitoring.

                    Written in C++

                    Mike Kershaw

[5] Kis MAC      Is a tool for
                                           Wireless Network

[6] Aircrack-ng    Is a tool for Packet
                    Written in C           sniffing.
                    Christopher Devine
                    then Thomas

[7] I Stumbler       Is a tool for
                    AlfWatt                finding wireless
                                           network and devices.

[8] NetSpot     Is a tool for
                                           Wireless bandwidth

[9] Wifi     Is a tool for

Explorer            Adrian G.              Wireless network

[10] Wifi Hopper     Is a tool for
                                           network discovery.

[11] Retina      Is a tool for
WiFi Scanner                               checking the status
                                           of WiFi networks.

[12] Wireless      Is a tool for
Mon                                        network information.

[13] Wireless      Is a tool to show
NetView                                    all detected WiFi

[14] Wireless      It is designed to
Network Watcher                            display all
                                           connected computers
                                           to your wireless

[15] Xirrus      Displays the
Wi-Fi Monitor.                             surrounding Wi-Fi

[16] OutSSIDer      outSSIDer offers a
                                           simple software
                                           solution that still
                                           lend you a hand if
                                           you want to connect
                                           to a ttireless
                                           access point on the

[17] Wireless                              It is a commandline
Scanner                                    application that
                                           enables users to
                                           view all available
                                           connections in their

[18] WiFi      WiFi Channel Scanner
Channel                                    protides users with
Scanner                                    a simple means of
                                           detecting all
                                           available ttireless
                                           netsvork connections
                                           in their area.

[19] WiFi       Displays the nearest
Hotspot                                    WiFi networks that
Scanner                                    you can connect to.

[20] Portable    It can conduct an
WiFi Network                               extensive scan on a
Monitor                                    WiFi network in
                                           order to detect
                                           potential intruders.

[21] WiFi      Scans the network
Guard                                      for any nets'
                                           connected devices
                                           that could possible
                                           belong to an

[22] Wave     WaveStumble r is
Stumbler            tools08.html           used for gathering
                                           basic information
                                           from the access

[23] SSED           http:.wwtv.bastard.    [1] Discover access
Sniff for           net~kos.wifi           points and save the
Linux                                      captured traffic.

                                           [2] Sniffer

[24] Wi-Finder      http:wiki.             Boingo Wi-Finder
                  will help you find
                    index.php WiFin der    thousands of free
                                           and Boingo hotspots
                                           around the world.

[25] WiFi           http: download.        Meraki WiFi Smmbler
Smmbler                  is a web based
                                           wireless network
                                           scanner and
                                           monitoring tool.

[26] Wellenreiter   http: sourceforge.     Wellenreiter is a
wireless            net projects           GTK Perl program
penetration tool.   wellenreiter           that makes the

[27] AirCheck       http://www.            Wireless Network
Wi-Fi Tester.     Tester.

Softwarename        Uses                   Operating

[1] Net Stumbler    [1] Sniffing:          Window's
                    Listens for            9X,2000,XP
                    available data
                    transmission while
                    between users.

                    [2] Finding MAC
                    addresses of an AP.

                    [3] War driving.

                    [4] Option for
                    finding WEP
                    encryption status.

                    [5] Detecting rogue

[2] Mini Stumbler   [1] Sniffing:          Window's CE
                    Listens for
                    available data
                    transmission while
                    between users.

                    [2] Finding MAC
                    addresses of an AP.

                    [3] War driving.

                    [4] Option for
                    finding WEP
                    encryption status.

                    [5] Detecting rogue

[3] InSSIDer        [1] Gather             Window's,
                    information from       APPLE OS X
                    wireless card and

                    [2] GPS Support.

[4] Kismet          [1] Packet sniffer.    Linux, Free

                    [2]IDS.                BSD, Mac OS X.

                    [3] Network
                    detector.              Client can
                                           rim on windows.

[5] Kis MAC         [1] Reveals hidden     Mac OS X

                    [2] Show's MAC
                    addresses, IP
                    addresses, Signal
                    Strengths of

                    [3] GPS Support.

[6] Aircrack-ng     [1] WPA and WEP        Linux:windows.
                    cracker and analysis

                    [2] WEP encryption
                    key recovery.

[7] I Stumbler      [1] Find wireless      MAC OS X
                    network and devices
                    with Bluetooth
                    enabled Mac

                    [2] Detection of
                    open wireless

[8] NetSpot         [1] WiFi signal        Mac OS X
                    strength booster.

                    [2] Test wireless
                    network speed.

[9] Wifi            [1] Wireless           OSX
                    network analyser.

[10] Wifi Hopper    [1] Network            Window's,
                    discovery and site     Linux

                    [2] GPS Support.

[11] Retina         [1] Search for         Windows
WiFi Scanner        available ip

                    [2] Update discovery
                    timeout and retry'

[12] Wireless       [1] Gather detailed    Windows.
Mon                 information about
                    wireless network
                    detect in our area.

                    [2] Check 'signal
                    coverage area'.

[13] Wireless       [1] Show' previous     Window's
NetView             'signal
                    frequency', ' chann
                    el number' etc.

[14] Wireless       [1] Scan ip            Windows.
Network Watcher     addresses also.

                    [2] Display all
                    connected computers

[15] Xirrus         [1] Displays data      Window's.
Wi-Fi Monitor.      such as 'connection
                    status', 'IP
                    address' and '
                    MAC',' adapter' and
                    even current and
                    past signal

                    [2] Reveals the
                    security level.

[16] OutSSIDer      outSSIDer              Windows.
                    attempts to connect
                    to any open access
                    point that comes
                    within range as you
                    walk down the
                    streets hunting for

[17] Wireless       Wireless Scanner       Windows.
Scanner             does not require
                    installation, so you
                    can drop the
                    executable file in
                    any location on the
                    hard drive and call
                    its process from a
                    Command Prompt

[18] WiFi           show's the 'name',     Windows.
Channel             channel', 'signal'
Scanner             'quality','
                    authentication' and
                    cipher algorithms',
                    along with the 'MAC
                    address' for each
                    network found

[19] WiFi           Display the found      Window's.
Hotspot             connections, along
Scanner             with their name,
                    'Security Type',
                    'Physical Type',
                    'MAC Address' and
                    'Last Detected'

[20] Portable       It is a network        Windows.
WiFi Network        scanner.

[21] WiFi           shows the 'name',      Linux.
Guard               'channel', '
                    signal quality',
                    'authentication' and
                    algorithms', along
                    with the 'MAC
                    address' for each
                    network found

[22] Wave           [1] Console based      Linux
Stumbler            802.11 network
                    mapper for Linux.

                    [2] Gathering
                    information from the
                    access point like
                    'channel', 'WEP                    'ESSID (Extended
                    Sendee Set
                    Identifier)', 'MAC'

[23] SSED           [1] Access points      Linux
Sniff for           discovery.
                    [2] SSID Sniffing

[24] Wi-Finder      Actively searches      windows
                    for Wi-Fi hotspot
                    signals and alerts
                    you when one is

[25] WiFi           Uses your computer's   windows
Smmbler             Wi-Fi antenna to
                    scan local access

[26] Wellenreiter   uses for penetration   Windows.
wireless            and auditing.
penetration tool.

[27] AirCheck       It is a handheld       Windows.
Wi-Fi Tester.       device to test your
                    current WLAN
                    security settings.

Table 2: Analysis of Honeypot tools

Software Name      Vendor, Main           Aim
                   package(s) & port_

1) Honeyd          ->       Real time
                   ->Require              activities
                   WinPcap (free packet
                   capture architecture
                   for windows)

2) KFSensor        ->     Real time
                   ->77 preconfigured     activities
                   ports (58 TCP ports
                   & 19 UDP ports)

3) SPECTER         ->      Real time
                   ->Emulate 14 Oss.      activities

                   ->Emulate 11 non
                   malicious network

                   ->Emulate Trojan
                   horse ports.

4) ARGOS           ->       Real time
                   argos/                 logging

5) BACK OFFICER    ->www.guardiansof      Real time
                   Frames/Fileutil.htm    activities

                   services (eg:
                   -smtp, telnet..)

6) GHH (Google     ->www.ghh.             Real time
Hack Honeypot)        logging

                   ->Emulate vulnerable
                   web application by
                   allowing itself to
                   be indexed by
                   search engines.

7) HIHAT (High     ->www.hihat.           Real time
Interaction        logging
Honeypot                                  activities

8) HoneyBot        ->Open over 1000       Real time
(Medium            UDP & TCP ports.       logging
Interaction                               activities
level)             ->Sockets mimic
                   vulnerable services.
                   When an attacker
                   connects to these
                   services they are
                   fooled into thinking
                   they are attacking
                   real services.


9) KIPPO           ->         SSH Honeypot
(Medium            com/kippo

10) Glastopf       ->          Collect
                   glastopf               information
                                          about web
                   ->Emulate 1000s of     application.
                   vulnerabilities to
                   gather data from
                   attacks targeting
                   web application.

11) Omnivora       ->     Collect
(Low Interaction   projects/omnivore      malwares
                   ->Written in
                   Borland Delphia

12) Honey Bow      ->     Honeypot
Sensor (High       projects/honeybow
level)             ->Released under
                   the name of
         , can
                   be integrated with
                   nepenthes sensor.

13) Honey Drive    ->sourceforge.         Honeypot

                   ->Contains over 10
                   pre-installed and
                   honeypot software

Software Name      Vendor, Main           Uses

1) Honeyd          ->       Useful for
                                          capturing an
                   ->Require WinPcap      intruders
                   (free packet           initial
                   capture architecture   investigations.
                   for windows)

2) KFSensor        ->     Understand the
                                          importance of
                   ->77 preconfigured     alerts and
                   ports (58 TCP ports    logging.
                   & 19 UDP ports)

3) SPECTER         ->      Can enable/
                                          disable ports
                   ->Emulate 14 Oss.      or services.

                   ->Emulate 11 non
                   malicious network

                   ->Emulate Trojan
                   horse ports.

4) ARGOS           ->       Identify and
                   argos/                 produce remedies
                                          for worms &

5) BACK OFFICER    ->www.guardiansof      Ability to alarm
             when attacker is
                   Frames/Fileutil.htm    at our doorknob.

                   services (eg:
                   -smtp, telnet..)

6) GHH (Google     ->www.ghh.             Allowing itself
Hack Honeypot)        to be indexed by
                                          search engines.

                   ->Emulate vulnerable
                   web application by
                   allowing itself to
                   be indexed by
                   search engines.

7) HIHAT (High     ->www.hihat.           Automatically
Interaction        scans for known
Honeypot                                  attacks.

8) HoneyBot        ->Open over 1000       Safely capture
(Medium            UDP & TCP ports.       all communication
Interaction                               With the attacker
level)             ->Sockets mimic        and logs for
                   vulnerable services.   future analysis
                   When an attacker
                   connects to these
                   services they are
                   fooled into thinking
                   they are attacking
                   real services.


9) KIPPO           ->         Designed to log
(Medium            com/kippo              brute force
Interaction                               attacks.

10) Glastopf       ->          Collect
                   glastopf               information about
                                          web application
                   ->Emulate 1000s of     based attacks
                   vulnerabilities to     like SQL injection,
                   gather data from       Local and remote
                   attacks targeting      file inclusion
                   web application.       attacks.

11) Omnivora       ->     Collect autonomous
(Low Interaction   projects/omnivore      spreading malwares.
                   ->Written in
                   Borland Delphia

12) Honey Bow      ->     Honeypot
Sensor (High       projects/honeybow
level)             ->Released under
                   the name of
         , can
                   be integrated with
                   nepenthes sensor.

13) Honey Drive    ->sourceforge.         Honeydrive also
                   net/projects/          includes a suite
                   honeydrive             of tools for
                   ->Contains over 10     forensics,
                   pre-installed and      monitoring.
                   honeypot software

Software Name      Vendor, Main           OSs

1) Honeyd          ->       Windows & Linux

                   ->Require              Niels Provos
                   WinPcap(free packet    (Unix/Linux
                   capture architecture   Version)
                   for windows)
                                          Michael Davis

2) KFSensor        ->     Windows based
                                          honey pot IDS
                   ->77 preconfigured
                   ports(58 TCP ports &
                   19 UDP ports)

3) SPECTER         ->      windows

                   ->Emulate 14 Oss.

                   ->Emulate 11 non
                   malicious network

                   ->Emulate Trojan
                   horse ports.

4) ARGOS           ->       windows

5) BACK OFFICER    ->www.guardiansof      windows

                   services (eg:
                   -smtp, telnet..)

6) GHH (Google     ->www.ghh.             windows
Hack Honeypot)

                   ->Emulate vulnerable
                   web application by
                   allowing itself to
                   be indexed by
                   search engines.

7) HIHAT (High     ->www.hihat.           windows

8) HoneyBot        ->Open over 1000       windows
(Medium            UDP & TCP ports.
level)             ->Sockets mimic
                   vulnerable services.
                   When an attacker
                   connects to these
                   services they are
                   fooled into thinking
                   they are attacking
                   real services.


9) KIPPO           ->         Linux
(Medium            com/kippo

10) Glastopf       ->          windows

                   ->Emulate 1000s of
                   vulnerabilities to
                   gather data from
                   attacks targeting
                   web application.

11) Omnivora       ->     Windows
(Low Interaction   projects/omnivore
                   ->Written in
                   Borland Delphia

12) Honey Bow      ->     Linux
Sensor (High       projects/honeybow
level)             ->Released under
                   the name of
         , can
                   be integrated with
                   nepenthes sensor.

13) Honey Drive    ->sourceforge.         Linux

                   ->Contains over 10
                   pre-installed and
                   honeypot software
COPYRIGHT 2014 American-Eurasian Network for Scientific Information
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2014 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Author:Poonkuntran, S.; Arun, Anoop, M.
Publication:Advances in Natural and Applied Sciences
Article Type:Report
Date:Oct 1, 2014
Previous Article:Hybrid genetic algorithm approach for mobile robot path planning.
Next Article:Detection and mitigation system for routing attacks in BGP.

Terms of use | Privacy policy | Copyright © 2020 Farlex, Inc. | Feedback | For webmasters