SANS ISC: Sensor Ideas for DEFCON

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Chris D wrote in to ask: "I'll be attending the DEFCON conference in Vegas next week which we all know will be ripe with practitioners practitioning and think this would be a good opportunity to catch and observe new exploits or techniques. Is there any application or VM image that you would recommend that can run on a laptop or Pi that poses an attractive target but is purposeful in collecting security info like PCAP data and logs that I can monitor after the fact?  My thought is to have something I can carry with me while I travel and then put up on the public wifi and just see what kind of magnificent beasts I capture."

I know that DEFCON has this reputation of being "the worlds most hostile network," but I wouldn't expect to see the latest and greatest zero-days being deployed there.  The only thing I've actually seen hacked on the DEFCON network were WiFi Pineapples. It is however, and interesting opportunity to collect traffic from various protocols and media.

I've done my share of "go somewhere interesting, set up a sensor, collect traffic to play with later."  In my case, not a lot of post-game analysis ever went into what I captured, but it's a good exercise for when you get that phonecall sending you out on a real incident and you need to "go somewhere less-interesting, set up a sensor, and collect traffic."

Personally, I would add extra instrumentation to whatever laptop you take with you to use there.  Collecting firewall logs, or setting up honeypot listeners to capture traffic and trend to compare to other networks might be insightful and not require any extra hardware.

Wi-fi specific equipment to join and monitor the public wi-fi might be of interest to you, either simply join with a hardrened and instrumented system and collect what comes at you, or going a more passive approach with sniffing via kismet.  You're millage will vary depending on how they've secured it.

There will be more going on there than just Wi-fi:

• Bluetooth, which you can see what is advertising without much special hardware, or set up your own advertised service to see what comes knocking.
• Zigbee/Zwave which is somewhat popular in the IoT space.
• Sofware Defined Radio (SDR) the mind boggles at what might be available here, there's probably a lot of noise and activity on the ISM bands during some of the demonstrations and in the villages.

What portable hardware whould you suggest for a sensor, and what sort of traffic would you want to target with it?