War Driving

1
(No Transcript)
2
War Driving
Tuesday 11/16, 2PM-330PM
Lee Barken, CISSP, MCP, CCNA, CPA Co-Director,
STAR Center, San Diego State University http//sta
rcenter.sdsu.edu
President, SoCalFreeNet.org http//www.SoCalFreeNe
t.org E-mail barken_at_mail.com
3
War Driving
Tuesday 11/16, 2PM-330PM
Lee Barken, CISSP, MCP, CCNA, CPA Co-Director,
STAR Center, San Diego State University http//sta
rcenter.sdsu.edu
President, SoCalFreeNet.org http//www.SoCalFreeNe
t.org E-mail barken_at_mail.com
4
War Driving
Tuesday 11/16, 2PM-330PM
Lee Barken, CISSP, MCP, CCNA, CPA Co-Director,
STAR Center, San Diego State University http//sta
rcenter.sdsu.edu
President, SoCalFreeNet.org http//www.SoCalFreeNe
t.org E-mail barken_at_mail.com
5
Why are we here?
You are here
6
Why are we here?

• Why Do People War Drive?
• Antenna Basics
• Understanding the Protocol
• Wardriving Tools Techniques

You are here
7
Code of Ethics for Security Professionals

• Act with honesty, integrity and professionalism
  at all times.
• Personal curiosity is not an excuse to break the
  law.
• Respect the power of information and be willing
  to share your knowledge for the advancement of
  the security field and the protection of society.
• Honor and maintain the confidentiality of all
  client information that may be discovered during
  the course of an engagement.
• Remember that even the smallest appearance of
  impropriety may result in damage to your
  reputation and the credibility of our profession.
• If a little voice in your head tells you that you
  might not be doing the right thinglisten to that
  voice.

8
Why Do People War Drive?
Good guys and not so good guys

• Because its fun
• To learn about wireless technology
• Looking for a place to check e-mail
• Defending our network/Look for rogue APs
• To gain unauthorized access / launch attacks /
  other criminal activity

9
Why Do People War Drive?
World Wide War Drive 4

• W W W D 4 June 12-19, 2004
• Total APs found 228,537
• No WEP 140,890 (61.6)
• Default SSID 71,805 (31.4)

10
Why Do People War Drive?
World Wide War Drive 4

• In San Diego. 2 people
• Total APs found 19,148
• No WEP 11,962 (62.47)
• Default SSID 7,769 (40.57)

11
Antenna Basics
Antennas do not amplify the signal they merely
focus the energy in a particular direction.
Images courtesyDesigning a Wireless Network,
Syngress Publishing.
12
Antenna Basics
Antennas - Isotropic
Isotropic antenna A hypothetical antenna that
radiates or receives equally in all directions.
Note Isotropic antennas do not exist physically
but represent convenient reference antennas for
expressing directional properties of physical
antennas.
13
Antenna Basics
Antennas - Omni
5 dBi Magnetic Mount
9 dBi 20 inches long
15.4 dBi 70 inches long
14
Antenna Basics
Antennas Patch, Panel, Sector
19 dBi 15.5 inches square, 1.25 inches thick,
18 degree beam width
9.3 dBi 4.5 inches square, 60 degree beam width
16.5 dBi Beam Width 95 Degrees (H), 7 Degrees
(V)
15
Antenna Basics
Antennas Parabolic Grid
24 dBi 8 degree beam width, 42 X 24
16
Antenna Basics
Antennas Yagi
14.5 dBi 18 inches long
12 dBi 16 inches long
14 dBi
17
Antenna Basics
Antennas Phased Array
18
Antenna Basics
Antennas Pringles Can
19
Antenna Basics
Antennas Pringles Can
20
Understanding the Protocol
Association

• Open Network
• Closed Network

(For simplification, Im leaving out the
authentication step in this presentation)
21
Understanding the Protocol
Open Network
22
Understanding the Protocol
Closed Network
23
Whats the problem with RF?

• Wireless signals dont STOP at your walls.
• Wi-Fi is like putting an Ethernet jack in your
  parking lot.
• San Francisco Peter Shipley
• http//www.dis.org/filez/openlans.pdf

Image courtesy Computerworld
24
Whats the problem with RF?
25
Whats the problem with RF?
http//www.dis.org/filez/openlans.pdf
26
Whats the problem with RF?
http//www.dis.org/filez/openlans.pdf
27
Wardriving Tools Techniques
Wardriving Trivia

• Wardriving
• Access Point Discovery
• Lan Jacking
• WLAN Mapping
• etc.
• War Games, 1983 movie introduced War Dialing.

28
Wardriving Tools Techniques
WarChalking
Images Courtesy http//www.warchalking.org
29
Wardriving Tools Techniques
WarFlying?
Images Courtesy http//www.arstechnica.com/wanker
desk/3q02/warflying-1.html
30
Wardriving Tools Techniques
WarStrollering?
Images Courtesy http//208.151.246.210/pictures/P
ersonalTelco/
31
Wardriving Tools Techniques
WarStrollering?
Images Courtesy http//208.151.246.210/pictures/P
ersonalTelco/
32
Wardriving Tools Techniques
WarSailing?
Image courtesy http//www.catalina42.org/war-sail
/
33
Wardriving Tools Techniques
Image courtesy http//www.catalina42.org/war-sail
/
34
Wardriving Tools Techniques
Image courtesy http//www.catalina42.org/war-sail
/
35
Wardriving Tools Techniques
Image courtesy http//www.catalina42.org/war-sail
/
36
Wardriving Tools Techniques
Whats next?
37
Discovering Wireless Networks
Open Network

• Easy! Just listen for Management Beacons.
• (or send probe requests with SSID set to the word
  any)

Management Beacon
38
Discovering Wireless Networks
Closed Network

• You must get lucky and catch a legitimate
  association.

Probe Request
Probe Response
Association Request
Association Response
39
Discovering Wireless Networks
Closed Network

• or if you get impatient spoof a disassociate
  frame

Associated
Disassociate
40
Discovering Wireless Networks
Closed Network

• or if you get impatient spoof a disassociate
  frame

Probe Request
Probe Response
Association Request
Association Response
41
Wardriving Tools Techniques
Hardware Wireless NIC Chipsets

• ADMtek
• Abocom
• Accton
• Addtron
• Belkin
• D-Link
• Hawking Tech
• SMC
• 3Com
• Trendware
• Xterasys
• Aironet (Cisco)
• Cisco
• Xircom
• Atheros
• Accton
• Actiontec
• D-Link
• Enterasys

• Atheros (cont.)
• Intel
• Linksys
• Netgear
• Philips
• Proxim
• Senao/Engenius
• SMC
• 3Com
• Z-com
• Atmel
• Accton
• Actiontec
• Dell
• Belkin
• Cnet
• Compaq
• D-Link
• GemTek

• Atmel (cont.)
• Intel
• Linksys
• Netgear
• SMC
• 3Com
• Trendware
• Z-com
• Broadcom
• Apple
• Belkin
• Buffalo
• Dell
• GemTek
• Linksys
• Microsoft
• Motorola
• Trendware
• Orinoco

• Orinoco (cont.)
• Compaq
• D-Link
• Dell
• Enterasys
• HP
• Lucent/Agere
• Proxim
• Sony
• 2Wire
• Prism
• Abocom
• Accton
• Actiontec
• Belkin
• Buffalo
• Compaq
• D-Link
• Dell

• Prism (cont.)
• Hawking Tech
• Intel
• Linksys
• Netgear
• Proxim
• Senao/Engenius
• SMC
• 3Com
• Trendware
• US Robotics
• Z-com
• Realtek
• Abocom
• Accton
• Belkin
• Bromax
• D-Link
• Linksys

A very complete list http//www.linux-wlan.org/do
cs/wlan_adapters.html.gz
42
Wardriving Tools Techniques
Hardware Wireless NIC Chipsets

• Hermes (Lucent)
• Orinoco
• Toshiba
• Cabletron
• Dell
• Compaq WL110
• IBM
• Apple

• Prism (Intersil)
• Dlink
• Linksys
• SMC
• Addtron
• Compaq WL100
• Netgear
• Gemtek
• Zoom
• Samsung
• Senao

• Airo (Cisco)
• Cisco
• Xircom
• Dell

43
Wardriving Tools Techniques
Hardware Pigtails
44
Wardriving Tools Techniques
Hardware Pigtails
45
Wardriving Tools Techniques
Hardware Pigtails
46
Wardriving Tools Techniques
Hardware Antennas
47
Wardriving Tools Techniques
Hardware GPS
48
Wardriving Tools Techniques
Software Netstumbler

• http//www.netstumbler.com
• FREE
• Notebook PDA Version
• Windows 2000, XP
• Orinoco, Prism Chipset
• Most Cards Work w/XP (YMMV)
• GPS Support

49
Wardriving Tools Techniques
Software APSniff

• http//www.bretmounet.com/apsniff
• FREE
• Notebook Version
• Windows 2000 Only
• Prism Chipset

50
Wardriving Tools Techniques
Software Aerosol

• http//www.stolenshoes.net/sniph/aerosol.html
• FREE
• Notebook Version
• Windows
• Prism Hermes Chipset

51
Wardriving Tools Techniques
Software Pocket Warrior

• http//www.pocketwarrior.org
• FREE
• PDA Version
• PocketPC 2002 (ARM, SH3, MIPS)
• Prism Chipset

52
Wardriving Tools Techniques
Software Wireless Security Auditor (IBM)

• http//www.research.ibm.com/gsal/wsa
• Research Prototype (not released)
• Notebook PDA Version
• Linux
• Cisco, Prism 2 Chipset

53
Wardriving Tools Techniques
Software Kismet

• http//www.kismetwireless.net
• FREE
• Notebook PDA Version
• Linux
• Cisco, Prism, ADMTek, TI, Atheros, Orinoco
  Chipset
• GPS Support

54
Wardriving Tools Techniques
Software dStumbler

• http//www.dachb0den.com/projects/bsd-airtools.htm
  l
• FREE
• Notebook Version
• BSD
• Prism 2 Chipset

55
Wardriving Tools Techniques
Software AirMagnet

• http//www.airmagnet.com
• 3,495 MSRP
• Notebook PDA Version
• Windows, PocketPC
• Only works with bundled WLAN card

56
Wardriving Tools Techniques
Software Stumbverter

• http//www.sonar-security.com
• FREE
• Imports Data from NetStumbler
• Requires Microsoft MapPoint 2002
• Windows

57
Wardriving Tools Techniques
All-in-one bootable CDs

• WarLinux
• (http//sourceforge.net/projects/warlinux)
• WarBSD
• (http//digiflux.org/warbsd/)
• Knoppix
• (http//www.knopper.net/knoppix/index-en.html)

.iso
58
Wardriving Tools Techniques
Wireless Packet Sniffers

• Ethereal (http//www.ethereal.com)
• Packetyzer (http//www.packetyzer.com)
• WildPackets Airopeek (http//www.wildpackets.com
  )
• Finisar Surveyor Wireless (http//www.finisar.co
  m)
• Network Associates Sniffer Wireless
  (http//www.sniffer.com)

59
Wardriving Tools Techniques
Wireless Packet Sniffers
PDA Version Airscanner (requires Pocket PC
2002) http//airscanner.com/downloads/sniffer/snif
fer.html
60
Wardriving Tools Techniques
Vehicles
-
61
Wardriving Tools Techniques
Vehicles
-
62
Wardriving Tools Techniques
Vehicles
-
63
Wardriving Tools Techniques
Vehicles
-
64
Wardriving Tools Techniques
Vehicles
-
65
Wardriving Tools Techniques
Vehicles
-
66
Wardriving Tools Techniques
Vehicles
-
67
Wardriving Tools Techniques
Vehicles
-
68
Wardriving Tools Techniques
Wardriving Built-In to XP?
Source http//www.infoworld.com/articles/op/xml/0
2/07/22/020722opcurve.xml Snippet For all his
success at bringing Microsoft's warring
constituencies together, there are still things
beyond Bill and Steve's control. "I was in a
hotel in Sun Valley last week that was not
wired," Ballmer recalls. "So I turned on my PC,
and XP tells me there is a wireless network
available. So I connect to something called
Mountaineer. "Well, I don't know what that is.
But I VPN into Microsoft. It worked! I don't know
whose broadband I used," he chuckles. "I didn't
see it in Bill's room. I called him up and said,
'Hey, come over to my room.' So soon everyone is
there and connecting to the Internet through my
room."
69
Stumbler Code of Ethics v0.1
http//www.renderlab.net/projects/wardrive/ethics
.html By Renderman,
Render_at_Renderlab.net
These are by no means rules that must be
followed, but they are a collection of
suggestions for safe, ethical, and legal
stumbling. I encourage you to follow them.
1. Obey traffic laws. It's your community too,
the traffic laws are there for everyone's safety,
besides, doing doughnuts at 3am gets unwanted
attention from the authorities. 2. Obey private
property and no-trespassing signs. Don't trespass
in order to scan an area. That's what the
directional antenna is for ) You wouldn't want
people trespassing on your property would you? 3.
Don't connect. The vast majority of AP's out
there were not intended by their owners to be
accessed by you, even if they configured it so
you could access it if you wanted to. There is
much legal question as to the trouble you can get
into for accessing a network through a
misconfigured AP. Also it's a matter of respect,
you wouldn't want people rooting through your
computers just because you happened to make a
mistake, so don't do it to them. 4. Don't use
your data for personal gain. Share the data with
like-minded people, show it to people who can
change things for the better, but don't try and
make any money or status off your data. It's just
wrong to expect these people to reward you for
pointing out their own stupidity. 5. Don't
warchalk Other peoples networks. Only chalk your
own if you want to indicate your willingness to
share access. If you chalk some strangers
network, it dilutes the use of the symbols to
indicate free access. If youre a business and
you have a public AP and a non-public one,
indicate with the open one, but also indicate the
closed one with the closed symbol,
differentiating them so people know the
difference. 6. Be like that hiker motto 'Take
only pictures, leave only footprints'. Stumblers
should 'Take only SSID's, leave only tire marks'.
Leaving tire marks by not loitering and moving
on is better than leaving a log entry by doing
something stupid.
70
Wardriving Tools Techniques
Disabling TCP/IP
http//www.worldwidewardrive.org/nodhcp.html
71
Summary

• Wireless signals dont stop at your walls
• Use an omni antenna
• When choosing a WLAN card
• What chipset does it use?
• Is there an external antenna connector?
• Use Netstumbler/Kismet/dStumbler
• Or, a protocol analyzer
• Dont forget to unbind your TCP/IP stack!!!

72
Questions?
Lee Barken, CISSP, MCP, CCNA, CPA Co-Director,
STAR Center, San Diego State University http//sta
rcenter.sdsu.edu
President, SoCalFreeNet.org http//www.SoCalFreeNe
t.org E-mail barken_at_mail.com