iPhone Honeypot Project

June 24, 2010

Routers, NAT and Packets, Oh My!

The last couple of days have been spent destroying my home network, much to the anger of my family for lack of interwebs. From the last post, it was suggested to try out OpenWRT on my router which is essentially a minimalistic version of Linux designed for use with a variety of routers. From their documentation, users and IRC channel, I was told I could record all packet data using tcpdump and pass-through all connections to the iPhone to save on having to build a home-made bridge to do the work. Unfortunately, I tried this several times which almost bricked my router and took several hours to get back online. In the end, I had to revert to the previous configuration but I have decided to upgrade the firmware on both the router (Zyxel Prestige – 3.0) and the Wireless AP (Linksys WAP54G).

As it stands, this was a positive move. The upgraded firmware gave me SUA configuration options in the NAT configuration. This allowed me to configure a pass-through forwarding all connections from the WAN to the LAN to a specific IP address. I tested this without the bridge and ran tcpdump on the iPhone itself, NOT’ing the IP address I was sshing from to avoid heaps of packets showing up from the SSH connection.

tcpdump -w ~/Media/test.pcap host not 192.168.1.33

This was tested to ensure that the NAT on the router wasn’t translating ALL addresses and connection attempts as they were being passed-through. The last thing I’d need is a heap of addresses originating from within the network. The test was conducted and the test.pcap file was transferred and examined using Wireshark. This proved successful. I also attempted opening an SSH connection from redbrick.dcu.ie via their proxy server and threw a few bad passwords at it to see what the login attempts would look like. This looked promising.
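The same check, as an added example that is not code from the original post: a small parser for a constructed libpcap file applies the post's exclusion of the SSH management host (192.168.1.33), counts inbound SYNs to port 22 per source address, and flags the failure mode the test above was looking for, namely every attempt appearing to originate inside the LAN because the router's NAT rewrote the WAN source. The honeypot address 192.168.1.50 and the sample frames are assumptions.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network
HONEYPOT = "192.168.1.50"   # assumed LAN address of the iPhone (not given in the post)
MGMT_HOST = "192.168.1.33"  # the address the post's tcpdump filter excludes
LAN = ip_network("192.168.1.0/24")
def _frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    return eth + ip + tcp

def _pcap(frames):
    """Constructed libpcap file: little-endian global header plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1277337600 + i, 0, len(f), len(f)) + f
    return out

SAMPLE_PCAP = _pcap([  # constructed sample traffic
    _frame("203.0.113.7", HONEYPOT, 40001, 22, 0x02),   # SYN: inbound SSH attempt
    _frame("203.0.113.7", HONEYPOT, 40002, 22, 0x02),
    _frame("198.51.100.9", HONEYPOT, 51000, 22, 0x02),
    _frame(MGMT_HOST, HONEYPOT, 52000, 22, 0x02),       # the author's own ssh session
    _frame(HONEYPOT, "203.0.113.7", 22, 40001, 0x12),   # SYN/ACK reply, not an attempt
])
def ssh_attempts(pcap, honeypot, exclude):
    """Count TCP SYNs to honeypot:22 per source address, skipping 'exclude'."""
    counts, pos = Counter(), 24          # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        caplen = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 carrying TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        src, dst = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
        tcp = frame[14 + ihl:]
        dport = struct.unpack("!H", tcp[2:4])[0]
        syn_only = (tcp[13] & 0x12) == 0x02  # SYN set, ACK clear
        if dst == honeypot and dport == 22 and syn_only and src != exclude:
            counts[src] += 1
    return dict(counts)

def nat_hides_sources(counts, lan):
    """True if every attempt appears to come from inside the LAN, meaning the
    router's NAT rewrote the WAN source addresses and the real origins are lost."""
    return bool(counts) and all(ip_address(s) in lan for s in counts)
```

On a real capture, read the file bytes and pass them in place of SAMPLE_PCAP; a True result from nat_hides_sources means the capture is recording the router rather than the attackers.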

The following is a screenshot of the analysis with some of the packet info:

.. and some of the packets extracted via tcpdump:

This all looks good. The next step is to set up a unix box, forward all traffic to it and bridge two interfaces together. I can then begin to sniff on the bridged interface (br0) and record the data. This may be ideal to store into a MySQL db for easier extraction/analysis.
