War Driving

War Driving

SecureSD Fall 2004Tuesday, November 16th

2PM-3:30PM

©2004 Lee Barken

War DrivingTuesday 11/16, 2PM-3:30PM

Lee Barken, CISSP, MCP, CCNA, CPACo-Director, STAR Center, San Diego State University

http://starcenter.sdsu.edu

President, SoCalFreeNet.orghttp://www.SoCalFreeNet.org E-mail: [email protected]

©2004 Lee Barken





©2004 Lee Barken





©2004 Lee Barken

Why are we here?

You are here

©2004 Lee Barken

Why Do People War Drive?

Antenna Basics

Understanding the Protocol

Wardriving Tools & Techniques

Why are we here?

You are here

©2004 Lee Barken

Code of Ethics for Security Professionals Act with honesty, integrity and professionalism at all times.

Personal curiosity is not an excuse to break the law.

Respect the power of information and be willing to share your knowledge for the advancement of the security field and the protection of society.

Honor and maintain the confidentiality of all client information that may be discovered during the course of an engagement.

Remember that even the smallest appearance of impropriety may result in damage to your reputation and the credibility of our profession.

If a little voice in your head tells you that you might not be doing the right thing—listen to that voice.

©2004 Lee Barken

Because it’s fun

To learn about wireless technology

Looking for a place to check e-mail

Defending our network/Look for rogue APs

To gain unauthorized access / launch attacks / other criminal activity

Why Do People War Drive?“Good guys and not so good guys”

©2004 Lee Barken

Why Do People War Drive?World Wide War Drive 4

W W W D 4 June 12-19, 2004

Total APs found: 228,537

No WEP: 140,890 (61.6%)

Default SSID: 71,805 (31.4%)

©2004 Lee Barken

Why Do People War Drive?World Wide War Drive 4

In San Diego……. 2 people

Total APs found: 19,148

No WEP: 11,962 (62.47%)

Default SSID: 7,769 (40.57%)

©2004 Lee Barken

Antenna BasicsAntennas do not “amplify” the signal– they merely “focus” the energy in a particular direction.

Images courtesy:”Designing a Wireless Network”, Syngress Publishing.

©2004 Lee Barken

Antenna BasicsAntennas - Isotropic

Isotropic antenna: A hypothetical antenna that radiates or receives equally in all directions. Note: Isotropic antennas do not exist physically but represent convenient reference antennas for

expressing directional properties of physical antennas.

©2004 Lee Barken

Antenna BasicsAntennas - Omni

5 dBi“Magnetic

Mount”

9 dBi20 inches long

15.4 dBi70 inches long

©2004 Lee Barken

Antenna BasicsAntennas – Patch, Panel, Sector

16.5 dBiBeam Width:

95 Degrees (H),7 Degrees (V)

19 dBi15.5 inches

square, 1.25 inches thick, 18 degree beam

width

9.3 dBi4.5 inches square,60 degree beam

width

©2004 Lee Barken

Antenna BasicsAntennas – Parabolic Grid

24 dBi8 degree beam width,

42” X 24”

©2004 Lee Barken

Antenna BasicsAntennas – Yagi

12 dBi16 inches long

14 dBi

14.5 dBi18 inches long

©2004 Lee Barken

Antenna BasicsAntennas – Phased Array

©2004 Lee Barken

Antenna BasicsAntennas – Pringles Can

©2004 Lee Barken

Antenna BasicsAntennas – Pringles Can

©2004 Lee Barken

Understanding the ProtocolAssociation

“Open Network” “Closed Network”

(For simplification, I’m leaving out the “authentication” step in this presentation)

©2004 Lee Barken

Understanding the Protocol“Open Network”

Client Access PointManagement Beacon

Client Access PointAssociation Request

Client Access PointAssociation Response

©2004 Lee Barken

Understanding the Protocol“Closed Network”

Client Access PointProbe Response

Client Access PointAssociation Request

Client Access PointAssociation Response

Client Access PointProbe Request

©2004 Lee Barken

What’s the problem with RF? Wireless signals

don’t STOP at your walls.

Wi-Fi is like putting an Ethernet jack in your parking lot.

San Francisco – Peter Shipley

http://www.dis.org/filez/openlans.pdfImage courtesy: Computerworld

©2004 Lee Barken

What’s the problem with RF?

©2004 Lee Barken


http://www.dis.org/filez/openlans.pdf

©2004 Lee Barken


http://www.dis.org/filez/openlans.pdf

©2004 Lee Barken

Wardriving: Tools & Techniques

“Wardriving” “Access Point Discovery” “Lan Jacking” “WLAN Mapping” etc.

War Games, 1983 movie introduced “War Dialing”.

Wardriving Trivia

©2004 Lee Barken


Images Courtesy: http://www.warchalking.org

WarChalking

©2004 Lee Barken


Images Courtesy: http://www.arstechnica.com/wankerdesk/3q02/warflying-1.html

WarFlying?

©2004 Lee Barken


Images Courtesy: http://208.151.246.210/pictures/PersonalTelco/

WarStrollering?

©2004 Lee Barken


WarStrollering?

Images Courtesy: http://208.151.246.210/pictures/PersonalTelco/

©2004 Lee Barken


Image courtesy: http://www.catalina42.org/war-sail/

WarSailing?

©2004 Lee Barken



©2004 Lee Barken



©2004 Lee Barken



©2004 Lee Barken

Wardriving: Tools & TechniquesWhat’s next?

©2004 Lee Barken

Discovering Wireless Networks

Easy! Just listen for Management Beacons. (or send probe requests with SSID set to the word “any”)

“Open Network”

SSID = defaultAttacker

Management Beacon

©2004 Lee Barken


You must get “lucky” and catch a legitimate association.

“Closed Network”

SSID = ???

Attacker

Wireless Client Probe Response

Probe Request

Association Request

Association Response

©2004 Lee Barken

Discovering Wireless Networks“Closed Network”

SSID = ???

Attacker

Wireless Client

Associated

Disassociate

or… if you get impatient… spoof a disassociate frame

©2004 Lee Barken


or… if you get impatient… spoof a disassociate frame

“Closed Network”

SSID = ???

Attacker

Wireless Client Probe Response

Probe Request

Association Request

Association Response

©2004 Lee Barken

ADMtek Abocom Accton Addtron Belkin D-Link Hawking Tech SMC 3Com Trendware Xterasys

Aironet (Cisco) Cisco Xircom

Atheros Accton Actiontec D-Link Enterasys GemTek IBM

Wardriving: Tools & TechniquesHardware – Wireless NIC Chipsets

Atheros (cont.) Intel Linksys Netgear Philips Proxim Senao/Engenius SMC 3Com Z-com

Atmel Accton Actiontec Dell Belkin Cnet Compaq D-Link GemTek Hawking Tech Intel

Atmel (cont.) Intel Linksys Netgear SMC 3Com Trendware Z-com

Broadcom Apple Belkin Buffalo Dell GemTek Linksys Microsoft Motorola Trendware

Orinoco Apple Buffalo

A very complete list: http://www.linux-wlan.org/docs/wlan_adapters.html.gz

Orinoco (cont.) Compaq D-Link Dell Enterasys HP Lucent/Agere Proxim Sony 2Wire

Prism Abocom Accton Actiontec Belkin Buffalo Compaq D-Link Dell Gateway GemTek

Prism (cont.) Hawking Tech Intel Linksys Netgear Proxim Senao/Engenius SMC 3Com Trendware US Robotics Z-com

Realtek Abocom Accton Belkin Bromax D-Link Linksys Netgear Zonet

©2004 Lee Barken

Wardriving: Tools & TechniquesHardware – Wireless NIC Chipsets

Hermes (Lucent) Orinoco Toshiba Cabletron Dell Compaq WL110 IBM Apple

Prism (Intersil) Dlink Linksys SMC Addtron Compaq WL100 Netgear Gemtek Zoom Samsung Senao

Airo (Cisco) Cisco Xircom Dell

©2004 Lee Barken

Wardriving: Tools & TechniquesHardware – Pigtails

©2004 Lee Barken


©2004 Lee Barken


©2004 Lee Barken

Wardriving: Tools & TechniquesHardware – Antennas

©2004 Lee Barken

Wardriving: Tools & TechniquesHardware – GPS

©2004 Lee Barken

Wardriving: Tools & TechniquesSoftware – Netstumbler

http://www.netstumbler.com FREE Notebook & PDA Version Windows 2000, XP Orinoco, Prism Chipset “Most” Cards Work w/XP

(YMMV) GPS Support

©2004 Lee Barken

Wardriving: Tools & TechniquesSoftware – APSniff

http://www.bretmounet.com/apsniff

FREE Notebook Version Windows 2000 Only Prism Chipset

©2004 Lee Barken

Wardriving: Tools & TechniquesSoftware – Aerosol

http://www.stolenshoes.net/sniph/aerosol.html

FREE Notebook

Version Windows Prism &

Hermes Chipset

©2004 Lee Barken

Wardriving: Tools & TechniquesSoftware – Pocket Warrior

http://www.pocketwarrior.org FREE PDA Version PocketPC 2002 (ARM, SH3,

MIPS) Prism Chipset

©2004 Lee Barken

Wardriving: Tools & TechniquesSoftware – Wireless Security Auditor (IBM)

http://www.research.ibm.com/gsal/wsa

“Research Prototype” (not released)

Notebook & PDA Version Linux Cisco, Prism 2 Chipset

©2004 Lee Barken

Wardriving: Tools & TechniquesSoftware – Kismet

http://www.kismetwireless.net FREE Notebook & PDA Version Linux Cisco, Prism, ADMTek, TI,

Atheros, Orinoco Chipset GPS Support

©2004 Lee Barken

Wardriving: Tools & TechniquesSoftware – dStumbler

http://www.dachb0den.com/projects/bsd-airtools.html FREE Notebook Version *BSD Prism 2 Chipset

©2004 Lee Barken

Wardriving: Tools & TechniquesSoftware – AirMagnet

http://www.airmagnet.com $3,495 MSRP Notebook & PDA Version Windows, PocketPC Only works with bundled

WLAN card

©2004 Lee Barken

Wardriving: Tools & TechniquesSoftware – Stumbverter

http://www.sonar-security.com

FREE Imports Data from

NetStumbler Requires Microsoft

MapPoint 2002 Windows

©2004 Lee Barken

Wardriving: Tools & TechniquesAll-in-one bootable CD’s

WarLinux

(http://sourceforge.net/projects/warlinux) WarBSD

(http://digiflux.org/warbsd/) Knoppix

(http://www.knopper.net/knoppix/index-en.html)

©2004 Lee Barken

Wardriving: Tools & TechniquesWireless Packet Sniffers

Ethereal (http://www.ethereal.com) Packetyzer (http://www.packetyzer.com) WildPackets – Airopeek (http://www.wildpackets.com) Finisar – Surveyor Wireless (http://www.finisar.com) Network Associates – Sniffer Wireless (http://www.sniffer.com)

©2004 Lee Barken

Wardriving: Tools & TechniquesWireless Packet Sniffers

PDA Version: Airscanner (requires Pocket PC 2002)

http://airscanner.com/downloads/sniffer/sniffer.html

©2004 Lee Barken

Wardriving: Tools & TechniquesVehicles

-

©2004 Lee Barken


-

©2004 Lee Barken


-

©2004 Lee Barken


-

©2004 Lee Barken


-

©2004 Lee Barken


-

©2004 Lee Barken


-

©2004 Lee Barken


-

©2004 Lee Barken

Wardriving: Tools & TechniquesWardriving “Built-In” to XP?

Source:http://www.infoworld.com/articles/op/xml/02/07/22/020722opcurve.xml

Snippet:For all his success at bringing Microsoft's warring constituencies together, there are still things beyond Bill and Steve's control. "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer.

"Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."

©2004 Lee Barken

1. Obey traffic laws. It's your community too, the traffic laws are there for everyone's safety, besides, doing doughnuts at 3am gets unwanted attention from the authorities.

2. Obey private property and no-trespassing signs. Don't trespass in order to scan an area. That's what the directional antenna is for :) You wouldn't want people trespassing on your property would you?

3. Don't connect. The vast majority of AP's out there were not intended by their owners to be accessed by you, even if they configured it so you could access it if you wanted to. There is much legal question as to the trouble you can get into for accessing a network through a misconfigured AP. Also it's a matter of respect, you wouldn't want people rooting through your computers just because you happened to make a mistake, so don't do it to them.

4. Don't use your data for personal gain. Share the data with like-minded people, show it to people who can change things for the better, but don't try and make any money or status off your data. It's just wrong to expect these people to reward you for pointing out their own stupidity.

5. Don't warchalk Other peoples networks. Only chalk your own if you want to indicate your willingness to share access. If you chalk some strangers network, it dilutes the use of the symbols to indicate free access. If you’re a business and you have a public AP and a non-public one, indicate with the open one, but also indicate the closed one with the closed symbol, differentiating them so people know the difference.

6. Be like that hiker motto; 'Take only pictures, leave only footprints'. Stumblers should 'Take only SSID's, leave only tire marks'. Leaving tire marks by not loitering and moving on is better than leaving a log entry by doing something stupid.

Stumbler Code of Ethics v0.1

These are by no means rules that must be followed, but they are a collection of suggestions for safe, ethical, and legal stumbling. I encourage you to follow them.http://www.renderlab.net/projects/wardrive/ethics.html By Renderman, [email protected]

©2004 Lee Barken


Disabling TCP/IPhttp://www.worldwidewardrive.org/nodhcp.html

©2004 Lee Barken

Wireless signals don’t stop at your walls Use an omni antenna When choosing a WLAN card:

– What chipset does it use?– Is there an external antenna connector?

Use Netstumbler/Kismet/dStumbler– Or, a protocol analyzer

Don’t forget to unbind your TCP/IP stack!!!

Summary

©2004 Lee Barken

Questions?Lee Barken, CISSP, MCP, CCNA, CPA

Co-Director, STAR Center, San Diego State Universityhttp://starcenter.sdsu.edu


Documents

War Driving