Mobile Honeypots
How to Catch a Laptop Thief
Chris Clymer/Omal
Ohio 2600/Cleveland LUG
A hypothetical situation...
- You've encrypted your /home, use 26-character alphanumeric passwords for your BIOS, user, and root logins
- Someone steals your laptop
- You're screwed
[any material that should appear in print but not on the slide]
How to recover the laptop?
- Keep the thief from immediately wiping and ebaying the laptop
- Find a way to track the laptop
- Find a way to make the thief _use_ the laptop long enough so that we can track him
[any material that should appear in print but not on the slide]
Lets make an attractive target
- No BIOS, HDD, or any other security measures
- Install a Windows OS with no authentication
- Fill it up with (fake) finanical records, expensive software, and anything else tasty we can come up with.
[any material that should appear in print but not on the slide]
Why don't we care?
- This isn't really our OS
- Windows is running in emulation
- Our real OS is running underneath, invisible to the attacker
- Our real OS only runs if an attacker knows to make a keypress at a precise time
[any material that should appear in print but not on the slide]
Visual Representation
[any material that should appear in print but not on the slide]
Technologies we're using
- GRUB bootloader http://www.gnu.org/software/grub
- Linux Bootsplash http://www.bootsplash.org
- Qemu hardware emulation http://fabrice.bellard.free.fr/qemu
- basic unix shellscripting
[any material that should appear in print but not on the slide]
Building your base
- Create a small second partition...it will need to be just large enough for a slim Linux install, and the Windows OS and data you'll be using as your honeypot
- Do a slim Linux install...all it needs are some basic utilities, and qemu.
- To do this right, you'll probably want some nice sniffing tools as well
[any material that should appear in print but not on the slide]
What should grub do?
- We want to hide the the selection menu entirely
- this means using a GRUB splash image. More info: http://ruslug.rutgers.edu/~mcgrof/grub-images/
- Create a 640x480 image that is solid black. Convert it to 14-color indexed, and save as an xpm file. Gzip the resulting file
- Set grub to use this background, and set the menu to use the color black.
splashimage=(hd0,0)/GRUB/myfile.xpm.gz
foreground = 000000
background = 000000
[any material that should appear in print but not on the slide]
GRUB's boot order
- The 1st entry will boot your slim Linux install
- The second entry will boot your real Linux install
- Set the timer long enough that you can jump to the right kernel, but quick enough that an attacker does not get suspicious
[any material that should appear in print but not on the slide]
Now to hide the boot messages
- patch your kernel to support Linux bootsplash
- wget ftp://ftp.openbios.org/pub/bootsplash/kernel/bootsplash-3.1.6-2.6.15.diff
- yourbox:/usr/src/linux # patch -p1 < /path/to/bootsplash-3.1.6-2.6.15.diff
- "Console drivers" -> "Frame-Buffer support" -> "VESA VGA graphics console" -> "Use splash screen instead of boot logo". & "Initial Ramdisk support" in "Block Devices"
[any material that should appear in print but not on the slide]
Adding the userspace utilities
- wget ftp://ftp.openbios.org/pub/bootsplash/rpm-sources/bootsplash/bootsplash-3.0.7.tar.bz2
- tar -xvjf bootsplash-3.0.7.tar.bz2; cd bootsplash-3.0.7; make splash; cp splash /sbin/
- /sbin/splash -s -f /etc/bootsplash/themes/yourtheme/config/bootsplash-1024x768.cfg >> /boot/initrd.splash
[any material that should appear in print but not on the slide]
Hardware emulation with Qemu
- Install qemu(your distro should have it)
- Create an image: qemu-img create win.raw 4G
- Boot up a Windows installer: qemu -cdrom /dev/cdrom -boot d win.raw
- Do a standard Windows install
- Make sure to load it with tempting goodies
[any material that should appear in print but not on the slide]
Hardware emulation with Qemu
- Install qemu(your distro should have it)
- Create an image within the new Linux partition: qemu-img create win.raw 4G
- Boot up a Windows installer: qemu -cdrom /dev/cdrom -boot d win.raw
- Do a standard Windows install
- Make sure to load it with tempting goodies
[any material that should appear in print but not on the slide]
Scripting the bootup
- within your new, slim partition, add an entry to your startup scripts to boot the windows image early in the startup process
- The command is simply qemu win.raw
[any material that should appear in print but not on the slide]
Watching our attacker
- Our honeypot is now booted
- Add entries to your startup scripts to watch the activity on the machine
- Things like snort, ettercap, etc. are your friends. The idea is to log the network traffic, and send back interesting things like his IP, user/password, websites hes visiting, etc.
[any material that should appear in print but not on the slide]
Downsides?
- This is all a lot of work
- This is pretty inconvienent for us
- This still isn't all that realistic...attackers probably arne't going to boot the machine, or put it on the internet.
- We are basically crossing our fingers and hoping to get lucky
[any material that should appear in print but not on the slide]
Upsides?
- You _might_ get your laptop back
[any material that should appear in print but not on the slide]
Conclusion
- You might want to try this. Mor likely, its a step towards thinking about mobile device security in a new direction. I am actively working on improving what is admittedly a cumbersome and far from perfect procedure on http://chrisclymer.com
[any material that should appear in print but not on the slide]