************************************************* * * * The Definitive Guide To Wireless WarX'ing * * ----------------------------------------- * * v1.2.1 * * * * 09/04/02 * * * ************************************************* * * * by Slayer * * * * Slayer@Kraix.com * * * ************************************************* * * * www.KRAIX.com * * * *************************************************Contents:
II. Types of Wireless Networking
III. Wireless Hardware
2. Access Points
4. PCMCIA Cards
IV. Wireless Software (Tools)
1. NetStumbler and MiniStumbler
5. Fake AP
6. Wireless Security Auditor
18. AP Scanner
19. SSID Sniff
V. Wireless White Papers
1. Wireless LAN Security : 802.11b and Corporate Networks
2. Wireless HOWTO for Linux
3. Hacking the Invisible Network : Insecurities in 802.11x
4. Cracking WEP Keys : Applying Known Techniques to WEP Keys
5. The Need for a 802.11 Wireless Toolkit
6. Wireless LAN Security
7. Linksys BEFVP41 VPN...Wireless Mini HOWTO
8. SSID Defaults
9. What's Up With WEP
10. Default List of Passwords
VI. Wireless Web Sites
2. Milehigh Wireless
3. Wireless LAN 802.11x - Technical Information and Software
10. War Strolling and Cabbing
VII. WarX'ing (Why you're reading this :)
1. What is WarX'ing?
5. Example WarX'ing Setups
6. Something to Think About
VIII. Securing your WLAN
3. MAC Filtering
4. Fake AP
5. Disable SSID Broadcasting
X. Shameless Plug
This is my first _real_ documentation, so please...no flaming or anything. I put this together because I have been receiving a lot of emails and such regarding wireless networks. Everyone wants to know, what it is, how to do that, where to get this, is this legal...the list is huge. So instead of constantly sending out a bunch of small answers, I'm writing this paper to help you learn as much as possible. Side Note: Keep in mind that I am not an *expert* in this area. I did not design the 802.11x standard or anything. I've just done a lot with it :o).
Disclaimer: The purpose of this document in it's entirety is for educational purposes only. It is in no way meant for destructive or illegal purposes. Neither I (Slayer) or Kraix.com condone illegal activity, or anything that you may do with this information. I (Slayer) and Kraix.com feel that you are mature enough to make your own decisions, and not place blame on anyone else for your actions. By reading this, you are agreeing that you take full responsibility for your actions, and that they have nothing to do with Kraix.com or me (slayer).
II. Types of Wireless Networking
As you may have already figured out, there are a few different wireless types out there; 802.11a/b, BlueTooth, Radio Freq, and IrDA are to name a few. There really isn't a standard yet, because everyone thinks that their idea is the best, and they're pretty stubborn about it. Basically though, each type of wireless networking has it's ups and downs. I'll try to give you a brief overview of the ones that I know of.
1. 802.11a (that's an "A" after the numbers) - This is probably going to be the new standard for home and small office networking. I'm not too sure yet if it'll surpass 802.11b, but hey...time will tell. 802.11 was the first wireless protocol to come out, and i believe it would run at about 1-2Mbps (don't quote me on that). A little while later 802.11b came out, and it was faster, so people moved over to adopt that one. Now, .11a has been redone so that it's even faster than .11b. .11a now runs at 54Mbps in the 5Ghtz band and it uses what is called the "orthogonal frequency division multiplexing encoding scheme," (trust me, I couldn't make that up ;). If you want to learn more about OFDM, go run a Google on it, because I'm not going to go into it, all I'll mention is that it's more secure than WEP (Ha, "secure" and "WEP" shouldn't even be in the same sentence). Range on these devices will vary, but you should be able to get about 300ft. from an access point.
2. 802.11b (that's a "B" after the numbers) - .11b was the next revelation in wireless technology after .11 and before .11a. It is now commonly referred to as Wireless Fidelity or "WiFi" (pronounced like SciFi). .11b has a thoroughput of 11Mbps, and can fall back to 5.5Mbps, 2Mbps, and 1Mbps. All that means is that as the signal gets degraded (or farther away), your connection will drop to these levels. Right now, .11b is more-so the standard of wireless networking. There are more wireless LAN's and WAN's running .11b than any other architecture. Because of this, you will find more tools, and uses with this. When people are out there WarX'ing, this is the protocol that they're using. (WarX'ing is described later on.) It's primary security encryption is Wired Equivalent Privacy, or WEP for short. WEP can be used in 64bit or 128bit forms. All prism 1 cards can utilize WEP 64bit, but you'll need a Prism 2 card to use 128bit. But either way, I would strongly recommend that you do NOT rely solely on this, bad bad idea. Once again, I'm not going into how WEP works (or doesn't work). Google it if you're interested. Range on these devices will vary, but you should be able to get about 300ft. from an access point.
3. BlueTooth - BlueTooth is a wireless type for short range devices. You can get about 10 meters (that's about 30ft) away before you lose connection. Of course, that's in lab results. Real world, you can get about 25-ish, but hey who's counting ;). Anyways, BlueTooth is being integrated into a lot of portable devices for use of Sync'ing things together. Such devices are handhelds (Compaq's iPaq), phones (Sony-Ericsson), and other little gadgets. It's really a way to replace IRDa, and in that way it's beneficial. BlueTooth generally has a transfer rate of about 1Mbps. That's not too bad, considering that it's only syncing, or passing streaming media. Leeching news groups with it...no. Using this standard to sync devices, or to get rid of wires is a great idea, but I don't see us buying a can of Jolt out of a machine with our phone anytime soon. So far, the best ways that I've seen this protocol being used are in PDA's for syncing, and in the new Sony-Ericsson T68i cell phone that uses a wireless (BlueTooth) handsfree headset. I want one sooo bad. I'd even be willing to write s review about it if someone donated one to me (hint, hint, :o).
4. Radio Frequencies - Cell Phones. This is how they work, by using alternating encrypted radio frequencies. I could write an entire thesis on this alone, but I'm not. All I'm going to tell you is that Cell Phones use them :). Phreaking is not my expertise at all, and I'm not about to begin to talk about something that I don't know enough about.
5. IrDA - Infrared Data Association. Basically, the stuff you're remote controls use. It's using a beam of light that we can't see to send a signal. The restrictions on this are enormous, but hey...it works. IrDA is used a lot in Cell Phones, PDA's (especially Palm's, I think they were the first to use it, but I could be wrong), laptops, wireless mice/keyboards; the list goes on and on. The major downfalls for IrDA are distance and line-of-sight. IrDA can only go about 1-2 meters and doesn't work unless there is a direct line-of-site. It's nice to sync your palm or your phone with your contact list on your laptop without wires and all, but if your cat lays down between the two, end of connection. BlueTooth is starting to replace the uses for IrDA, because it can go farther, more secure, does not need line-of-site, and it's a lot faster. IrDA has a transfer rate of about 75Kbps (that's a "K", not an "M").
III. Wireless Networking Hardware
For IrDA, BlueTooth, and Radio Frequencies, the hardware is basically built into the devices that's going to use it. There are a couple peripherals that you could buy, but they're not worth going into. I'm basically going to cover 802.11a/b hardware. The same type of hardware exists for both standards unless otherwise noted.
1. Wireless Routers - This is the most important piece of wireless technology that you will but when setting up a LAN or WAN. You must make sure that it's of the right archetecture, chipset (Prism 1 or 2), and that it has all the features that you need. For home use, you shouldn't spend over $200, unless you want some high-end stuff, or you're delving into the .11a world (.11a is a little more expensive). Pretty much every manufacture and their brother are making wireless routers. Linksys, 3com, Belkin, Intel, Cisco, Billy-Ray-Joe (just kidding). I personally use Belkin, and I haven't had any problems, but I would recommend that you buy a name-brand router. Remember, you get what you pay for. Remember that when you're looking at a Linksys $150 router on sale with 8 mail-in rebates from Best Buy.
2. Access Points - These are very useful in larger offices, or houses. They will relay the signal to extend your coverage. It acts kind of like a wireless hub. These are also made by all the same people that make the routers, and I suggest that if you purchase an access point, that you get the same brand as your router. Less likely to have compatibility issues.
3. Wireless NIC's - Um, it's a NIC (Network Interface Card) that's wireless. I think that this one is pretty self-explanitory. One idea though, is that instead of buying a wireless NIC, buy a PCI card that has a slot to insert a PCMCIA, or PC card, into it. These cards shouldn't cost more than $20, and you can use the PC card for more stuff.
4. Wireless PCMCIA (PC Cards) cards - These are the cards that go into your laptops, or other portable devices. There are two different architectures for these cards, Prism 1 and 2. 1 supports 64bit and 2 supports 128bit encryption. Almost all the cards are Type 2 cards (in relation to the thickness). In my opinion, the best cards out there right now are the Orinoco Gold cards. You can get them online for about $80.
5. Antennas - You can purchase, or make, external antennas that will increase your signal strength and distance. The most common form is called a Yagi (Like from Karate Kid, jk). These are sold all over the place online, and there are plans out that that show you how to build them from a scratch using a Pringles can and Radio Hack parts (Great way to disguise it for WarX'ing). One piece of hardware that you'll most definitely need is called a Pig Tail. This is a wire that will connect from your wireless card (on the antenna) to a thick coaxial cable or cable connector. The little piggies cost about $20.
IV. Wireless Software (Tools)
With the recent explosion of the wireless networking community, there has been a shadow within the software field. Recently it seems like there is a new wireless tool that comes out every day. I have tried to put together a list of tools, and their links, of what I think are probably the most useful. If I've used it before, or I know about it, I'll try to give a description about it also.
1. NetStumbler and MiniStumbler - Windows 2000, 9X, ME, XP, Pocket PC
I have to say that these are by far the most widely used
and proven wireless discovery tools on the net. Netstumbler will use your wireless card to detect all the wireless networks in the area. It will return the WLAN's SSID, channel, WEP or not, signal strength, and more! The GUI is insanely easy to use. Hell, even a L337 H4X0R could use this :). Two features that I really like are it's ability to modify the refresh rate of the scan, and that you can hook up a GPS unit to it to track your exact coordinates. You can then save this to a file and upload it to their server to add to their ever-expanding map of WLANs. MiniStumbler is the same as NetStumbler, except that it's for the iPaq handheld (oh the possibilities!).
Download: http://www.netstumbler.com/download.php?op=getit&lid=22 (NetStumbler) Download: http://www.netstumbler.com/download.php?op=getit&lid=21 (MiniStumbler)
2. Kismit - Linux
Kismet is a 802.11b wireless network sniffer. It is capable of sniffing using almost any wireless card supported in Linux, including Prism2 based cards supported by the Wlan-NG project (Linksys, Dlink, Rangelan, etc), cards which support standard packet capture via libpcap (Cisco), and limited support for cards without RF Monitor support. The latest stable release as of this writing is 2.4.6 on August 4th. You may want to go to the page to download the latest stable version.
3. WEPCrack - Linux
WEPCrack is an open source tool for breaking 802.11 WEP secret keys. This tool is is an implementation of the attack described by Fluhrer, Mantin, and Shamir in the paper "Weaknesses in the Key Scheduling Algorithm of RC4". WEPCrack was the first publicly available code that demonstrated the attack.
4. AirSnort - Linux
AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. AirSnort requires approximately 5-10 million encrypted packets to be gathered. Once enough packets have been gathered, AirSnort can guess the encryption password in under a second.
5. Fake AP - Linux
Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables. Just so you know, some of the SSID's that are generated by Fake AP aren't exactly the cleanest of words :).
6. Wireless Security Auditor - Linux on an iPaq
WSA is an IBM research prototype of an 802.11 wireless LAN security auditor, running on Linux on an iPAQ PDA. WSA automatically audits a wireless network for proper security configuration, to help network administrators close any vulnerabilities before the hackers try to break in. Short and sweet: IBM's Linux version of Ministumbler. Still in Beta.
Download: Can't get it :( . If you can, email me!
7. THC-WarDrive - Linux
THC-WarDrive is a tool for mapping your city for wavelan networks with a GPS device while you are driving a car or walking through the streets. It is effective and flexible, a "must-download" for all wavelan nerds.
8. THC-RUT - Linux
THC-RUT (aRe yoU There) is a local network discovery tool developed to brute force its way into wvlan access points. It offers arp-request on ip-ranges and identifies the vendor of the NIC, spoofed DHCP, BOOTP and RARP requests, icmp-address mask request and router discovery techniques. This tool should be 'your first knife' on a foreign network.
9. MacStumbler - Mac OS X
MacStumbler is a little program that was written to emulate the workings of Netstumbler and Kismet for the Mac. It will only work with Apple Airport cards and is in extreme beta testing, so plan on you mac to crash a couple times trying to get this to run. There are a number of people out there using this, so it does work. The source code is also available if you're a fellow Mac coder and want to help out.
Download: http://homepage.mac.com/macstumbler/MacStumbler-06b.tgz (binary) Download: http://homepage.mac.com/macstumbler/06b-source.tgz (source)
10. BSD-AirTools - FreeBSD 4.4, OpenBSD 2.9/3.0, NetBSD 1.5.1+
bsd-airtools is a package that provides a complete toolset for wireless 802.11b auditing. Namely, it currently contains a BSD-based WEP cracking application, called dweputils (as well as kernel patches for NetBSD, OpenBSD, and FreeBSD). It also contains a curses based ap detection application similar to netstumbler (dstumbler) that can be used to detect wireless access points and connected nodes, view signal to noise graphs, and interactively scroll through scanned AP's and view statistics for each. It also includes a couple other tools to provide a complete toolset for making use of all 14 of the prism2 debug modes as well as do basic analysis of the hardware-based link-layer protocols provided by prism2's monitor debug mode.
Download: http://www.dachb0den.com/projects/bsd-airtools/bsd-airtools-v0.2.tgz Download: ftp://ftp.dachb0den.com/pub/projects/bsd-airtools/bsd-airtools-v0.2.tgz
11. PrismStumbler - Linux
Prismstumbler is a wireless LAN (WLAN) which scans for beaconframes from accesspoints. Prismstumbler operates by constantly switching channels an monitors any frames received on the currently selected channel.
12. Mognet - Linux
Mognet is a free, open source wireless ethernet sniffer/analyzer written in Java. It is licensed under the GNU General Public License. It was designed with handheld devices like the iPaq in mind, but will run just as well on a desktop or laptop.
13. WarLinux - Um... It is the OS.
A new linux distribution for Wardrivers. It is available on disk and bootable CD. It's mainly intended use is for systems administrators that want to audit and evaluate their wireless network installations. Should be handy for wardriving also. I hope you have a lot of CDs ready for this one. One guy took a pic of all the CDs he went through just to get this thing to work, there had to been at least 20 of em! But hey, in the end he got it!
14. Wellenreiter - Linux
Wellenreiter is a GTK/Perl program that makes the discovery and auditing of 802.11b wireless networks much easier. All three major wireless cards (Prism2 , Lucent, and Cisco) are supported. It has an embedded statistics engine for the common parameters provided by wireless drivers. Its scanner window can be used to discover access-points, networks, and ad-hoc cards. It detects SSID broadcasting or non-broadcasting networks in every channel. Non-broadcasting networks could be uncovered automatically. The manufacturer and WEP is automatically detected. A flexible sound event configuration lets you work in unattended environments. An ethereal / tcpdump-compatible dumpfile can be created for the whole session, so detailed analysis at another location is easy. GPS support tracks the location of the discovered networks immediately. Automatic associating is possible with randomly generated MAC addresses, so you don't have to work with your real MAC address anymore. Wellenreiter can reside on low-resolution devices that can run GTK/Perl and Linux/BSD (such as iPaqs). A SSID bruteforcer is included now too.
15. WaveStumbler - Linux
WaveStumbler is console based 802.11 network mapper for Linux. It reports the basic AP stuff like channel, WEP, ESSID, MAC etc. It has support for Hermes based cards (Compaq, Lucent/Agere, ... ) It still in development but tends to be stable.
16. AiroPeek - Windows 98, ME, 2000, XP (COMMERCIAL $1495 for 1 year!)
AiroPeek is a comprehensive packet analyzer for IEEE 802.11b wireless LANs, supporting all higher level network protocols such as TCP/IP, AppleTalk, NetBEUI and IPX. AiroPeek contains all of the network troubleshooting features familiar to EtherPeek. In addition, AiroPeek quickly isolates security problems, fully decodes 802.11b WLAN protocols, and analyzes wireless network performance with accurate identification of signal strength, channel and data rates.
Download: http://www.wildpackets.com/demo_buy/demos/apw (DEMO)
17. Stumbverter - Windows 2000, 9X, ME, XP
StumbVerter is a standalone application which allows you to import NetStumbler's summary files into Microsoft's MapPoint 2002 maps. The logged WAPs will be shown with small icons, their color and shape relating to WEP mode and signal strength. As the AP icons are created as MapPoint pushpins, the balloons contain other information, such as MAC address, signal strength, mode, etc. This balloon can also be used to write down useful information about the AP, notes, etc.
18. AP Scanner - Mac
AP Scanner is a small Macintosh-only application that will detect all in-range open 802.11 wireless network access points. It will show you a pretty little graph and show potential channel conflicts.
19. SSID Sniff - Linux
A nifty tool to use when looking to discover access points and save captured traffic. Comes with a configure script and supports Cisco Aironet and random prism2 based cards.
20. Wavemon - Linux
wavemon is a ncurses-based monitoring application for wireless network devices. It currently works under Linux with the Lucent Orinoco cards.
21. AirTraf - Linux
AirTraf is a package with many features. On a basic level, it performs packet capture/decode in the 802.11b wireless level. It gathers and organizes packets captured over the air based on the type of traffic (management, control, data), according to the dynamically detected access points (in case there are multiple in a given area), and performs bandwdith calculation as well as signal strength information on a per wireless node basis. It determines the SSID of access points, the channel it is operating under, the number of wireless nodes connected to the access point of interest, the overall load on the access point, as well as the bandwidth utilized by all connected wireless nodes. And as of AirTraf-0.3-1beta, AirTraf is database-aware, meaning that multiple sniffers can be polled via a central polling server periodically to gather up2date information, and saving the information for long-term load analysis over periods of days, weeks, months, and even years. The other feature of AirTraf includes tracking of access related activity generated in the area, it tracks all probe/authentication/association requests made to a given access point, and by observing access point's reaction, make a judgment as to the nature of activity, and determine whether the activity is hostile or friendly. (currently fairly unstable, and being worked on)
22. AirJack - Linux
AirJack is a nifty tool that will let you take over a connection to a WLAN. Short-short version: You DOS the AP filling it with forged ARP packets confusing the hell out of the AP causing it to dump. Then the clients start to look for a new AP, because they lost their connection. What the find is your box as the AP, and then when the real AP comes back, you're the middle man. Get it?
V. Wireless White Papers
After spending a couple days scouring the net for information on wireless networking and other such topics. I have come across a few white papers that I have found to be useful or interesting. White papers are documents that are instructional or informative. This document that I am writing can be considered a white paper. The following are links and brief descriptions of each white paper that I found. Some are HTML files, PDF documents, and even PowerPoint slides from different conventions.
1. Wireless LAN Security : 802.11b and Corporate Networks - A white paper written by the company Internet Security Systems.
2. Wireless HOWTO for Linux - This is a pretty informative guide on how to get your Linux box up and running for a wireless LAN. Remember that these are just guidelines, and that you'll have to make changes depending on your card, distro, and box.
3. Hacking the Invisible Network : Insecurities in 802.11x - A nice long white paper written by iDEFENSE. This document goes into great detail as to the vulnerabilities of wireless networking, I'm talking binary here.
4. Cracking WEP Keys : Applying Known Techniques to WEP Keys - This is a Power Point slide presentation from @Stake about how to go about cracking WEP keys, and the logistics behind it. If you're new to WEP, I recommend it for a quick overview.
5. The Need for a 802.11 Wireless Toolkit - This is a PDF white paper written by a guy from @Stake that was presented during the Black Hat Briefings in July of 2002.
6. Wireless LAN Security - Here is an excellent white paper in HTML format that describes everything that you need to know about wireless security, it's vulnerabilities, methods of attack, and much more.
7. Linksys BEFVP41 VPN Router to OpenBSD IPSec Server + Wireless Mini HOWTO - This document describes how to use the Linksys BEFVP41 VPN Router as a VPN Client to an OpenBSD IPSec Server.
8. SSID Defaults - Here is a TXT file that lists most of the manufactures default SSID's, default password login pairs, channels, and some other useful tidbits.
9. What's Up With WEP - Here's a quick read from IBM on how WEP works and other things WEP. There are some pictures that should help you out if you're reading impaired >:)
10. Default List of Passwords - I think this one is pretty self-explanatory. It's a huge list of default password and login settings for routers, firewalls, and everything else. If I were you, I would save this list, because who knows how long it'll stay here.
VI. Wireless Web Sites
I have compiled a list of my favorite 10 wireless web sites and list them here for you. Most of these sites all deal within a specific area of wireless, but there is some overlap. You'll just have to go there and check it out!
1. Netstumbler.com - The home of probably the most famous wireless tool on the net. Not only that, but they have current wireless news and events, a forum, geographical WLAN locations, and more. Definitely a must.
2. Milehigh Wireless - If you live in the Denver area, this is the perfect site for you. They talk about their free coverage ideas, and more.
3. Wireless LAN 802.11x - Technical Information and Software in German and English - Wow, what a long ass name. You will find a ton of links to software, sites, HOWTO's, and a ton of other stuff here. Hey and if your German, you're all set.
4. PersonalTelCo - Here's a nice page about WarDriving with some helpful links. There are some other sites in this page relating to wireless stuff, but they may be hard to find.
5. WarChalking.org - The official WarChalking homepage. The Blogging system here is pretty cool. It allows anyone to write stories relating to Warchalking, and then the story is rated among other warchalkers as to whether or not it gets published. You'll find some cool stories, pictures, and other misc. stuff here.
6. Wardriving.com - I think this one is pretty self-explanatory. This site is devoted entirely to Wardriving. Just go to it, I know you're going to.
7. WirelessCloud - WirelessCloud is a southern California based organization that is set out to provide free 802.11 access. I wish them luck!
8. Sputnik - These guys have made a couple different products that are very useful in the wireless industry. They also have some news articles relating to wireless, but they don't get updated too frequently.
9. NYCWireless - Ah, my hometown organization. These guys rule. They are another org out there that's trying to get free 802.11 access through-out New York City. They have already done a lot in the city, covering a lot of areas, and parks in the city. They've been featured on TechTV for a game they invented, and they also hold monthly meetings to go over new stuff. Everyone's invited and it's always free. Even if you don't live in NYC, you need to check these guys out.
10. War Strolling and Cabbing - Here's another NYC based guy that's going around Manhattan and mapping out the wireless networks. Using MacStumbler, it looks like he's getting a large area pretty covered. Doesn't look like he's doing any chalking though, so you'll have to check out the site to find the networks.
VII. WarX'ing (Why you're reading this :)
1. The first question that's probably in your head is, "What the hell is 'WarX'ing'". Well it's pretty simple. Right now there are many different types of Wireless scanning going about. You have WarDriving, WarChalking, WarStrolling, WarBoating, WarFlying, the list is endless. Because of this, I've adopted the term WarX'ing; the "X" is the variable for the different kinds. No matter what mode of transportation you use, you're doing the same thing...scanning. So instead of all these terms, I've decided on one simple term that covers them all. Judging by the context of the document, story, or whatever; I think you'll be able to figure out if they were on foot, or in a car.
The prefix "War" originally came from the good-ole days of BBS'ing. To find a modem on the other end of a phone line, you would do what is called WarDialing. Think of this as a primitive IP scan. You'd enter in a set of phone numbers to dial (ex. 555-1000 - 555-1100 ) and then the WarDialing program calls each number in the list to see if there's a modem at the other end, and then either makes a note of it, or tries to connect. I think you can see the connection here. For those of you that have no clue what WarX'ing (WarDriving/chalking/strolling/etc) is, I will go into more detail about each area below.
2. WarDriving - WarDriving is the act of scanning for wireless networks with a mobile device while driving around in a car. The most common form is when you take a laptop into a car and then turn on a stumbler to detect the networks. As the open networks appear you can either continue on, and make a list or a map, or pause to look around their network.
3. WarChalking - WarChaliking is the act of labeling a discovered network so that other WarX'ers can easily notice an open network and the details about it. The idea most likely originated from the old-school hobo chalking symbols. It's just a guess. If you go to Warchalking.org, they have a little cheat-sheet to help you out on how to draw out everything (CheatSheet: http://www.blackbeltjones.com/warchalking/warchalking0_9.pdf). I will attempt to draw out what the symbols are with my wonderful ASCII art skills. :)
Open Node: SSID
Closed Node: SSID
WEP Node: SSID AC
BW = Bandwidth and AC = Access Contact.
These three symbols are the ones from the little cheat-sheet. These are very adequate, but I propose a more detailed symbol for open nodes, because there's just more to know.
Proposed Symbol For Open Nodes:
SSID This will show (1) an open node, (2) the SSID, (3) CHannel, (4) BandWidth, CH )( ST (5) signal STrength, 1-3 depending, (5) and that the defaults have been BW changed. Signal strength: 1 = Not Good, 2=Good, 3=Excellent.
SSID This will relay the same info as the one above, but the colons (:) will CH:)(:ST signify that the router is using default settings.
With the use of these more enhanced symbols, fellow WarX'ers will know a lot more about the Node at hand, and whether or not it's worth it to stop and connect. After running into many )('s that have poor quality, or non-default settings, I feel that this could really help out everyone in the community, if we just took an extra 2 seconds.
4. WarStrolling - WarStrolling is just like WarDriving and all the other one's expect that you do your scanning on foot. You can either carry around a laptop or a handheld to detect the networks. By WarStrolling, you will have more time to delve into the networks that you stumble into, but you are also a lot more noticeable carrying around a laptop. If you have a handheld (like an iPaq) on the other hand, you will go unnoticed, but you can't do as much. If you're going WarStrolling, I would suggest that you use MiniStumbler from www.netstumbler.com. See the tools section in this white paper.
5. Examples on WarX'ing - I'm going to go over two different scenarios on how you can begin WarX'ing today. The first one is the most common, WarDriving.
If you are a beginner WarX'er you might have to do a little research on the net about certain things, but I'll try to go into as much detail as possible. The first thing that you are going to need is a laptop. Nothing fancy really. If you are going to run a Windows OS, I would recommend Windows 2000. XP will really piss you off once you find out that it doesn't like to let go of an AP after it finds one! If you're going to run a flavor of Linux, make sure that it's a current kernel and that you will have the drivers ready to get it to use your wireless card, it can be a real pain in the ass at first, but well worth it in the long run. This brings us to our next piece of hardware, a wireless PCMCIA (or PC Card) card. Prism II if possible, but not required. Make sure that it 802.11b (That's a "B"). If you use an "A" card, you won't pick up shit because the tools are for "B". Another thing that I would recommend (but is not necessary) is a DC to AC converter. This is a little box that will convert your car's cigarette lighter socket into an AC socket, so you can get juice for your laptop from your car. Just make sure that it will supply enough wattage to power it. Now load up your laptop with your favorite tools, and hit the road! I will once again empower my ASCII art skills to make a little diagram:
Windows WarX'ing Box Linux WarX'ing Box
OS - Windows 2000 (NO XP*) OS - Favorite Compatible Flavor (Debian) Wireless PCMCIA Card (Prism II*) Wireless PCMCIA Card (Prism II*) AC/DC Power Converter* AC/DC Power Converter*
Favorite Port Scanner* Favorite Port Scanner*
Windows Share Exploiter* Favorite Exploits*
GPS Unit* GPS Unit*
White Lightning Jolt Cola :) WEPCrack*
* optional THC-RUT*
Cherry Bomb Jolt Cola >:)
Dell Inspiron 4000 Laptop
Orinoco Gold Hermes PCMCIA Card
40 watt AC/DC converter
Exploits to test my *own* network >:)
No GPS (i don't care)
FakeAP (for home use really)
Cherry Bomb & White Lightning Jolt Cola :)
I'm also currently building my own portable yagi.
The GPS device is used to map out the coordinates of the located WLAN's. You can then upload them to a central server (like netstumbler.com) and add them to the ever growing map, or you can download a program like Stumbverter and make your own maps. You are obviously going to be able to do a lot more with a linux box, but not everyone is leet (i just wanted to use that word) enough to do so. I would also like to point out that there is not an * after Jolt. This is a necessity because the best time to go strolling around is at 3 in the morning when Joe Shmoe is asleep with is router and cable modem on :).
Once you are on a network, there is an endless possibility of the things you can do. I'm not even going to go into them, but from the list above, and with some common sense, I think you can figure it out.
A little side note (this should be obvious), make sure that your box is set to DHCP, because if it's not, you'll never connect to the network, unless you're lucky enough to be set to the same class and subnet. If you need help setting up your Linux box with a wireless card, go to the white papers section of this doc, there's a couple links there that should help you out.
The other area that you could dive into is WarStrolling. In this example, I'll tell you how to do the equivalent of above, but with a handheld. Pop this badboy in your pocket and start walking around! You will need 4 things to WarStrole, (1) Handheld PDA that either has a built in 802.11b device, or one that is capable of adding one to it, (2) a PCMCIA card adapter for your handheld (if needed), (3) a PCMCIA Wireless 802.11b card, (4) and stumbling software. I've heard of a couple people porting a version of linux to their iPaq's and then running linux programs on it, but I don't have any experience in this. I'll show you the setup which I use:
My WarStrolling Setup
Compaq iPaq 3950
Compaq iPaq PC Card Expansion Paq Plus (includes an extra battery!)
Orinoco Gold Hermes PCMCIA Card (Same one from my laptop)
Original Jolt Cola (It's hot out :)
That's it. I just turn it on and drop it into my pocket. While walking around NYC, catching open WiFi networks is like finding Ford in Detroit. You could also port over some network tools to play with while looking for networks, but I generally don't add anything fancy. There is an alternative to the PC cards though. For the handhelds, you could buy a compact flash adapter (if you need it), and then purchase a compact flash 802.11b card. They're not as strong as the PC cards, and some won't be recognized, but it is possible. The two major benefits to these cards over PC cards is that they are a lot smaller, and they take less power to use.
6. Something to Think About - When I first started, I was thinking, wow...I'm virtually undetectable, and even if they do notice I'm on their network, they could never find me. Well, after breaking into my own network, I found out that is very, very wrong. So I'm here to give you a couple pointers that should help you out.
- Change your computer name to something like "IISMonitor", "WorkStation5", or something else that's inconspicuous. If a net admin sees a box on his network labeled "Ul7R4 L337 H4X0R", he's going to wonder.
- If you're running a Linux box, spoof your MAC address. When you connect to a WiFi LAN, you will broadcast your MAC address to the router, so don't give them your real one. If you're running Windows, I'm sorry but I currently don't know how to spoof MAC addresses on a Windows box...I don't know if it's even possible.
- Don't sit in one place for too long. Just like cell phones, it is possible to triangulate your position. I was talking to a guy out in California that's working on a Stumbler detector. Basically it consists of three Honeypot WiFi routers set up in a triangle. When you walk inside the boundary...BAM, he's got ya.
- Use your head, don't sit outside a large corporate office at 3 in the morning with a custom spray-painted laptop that says "H4X0r" all over it. These places do have security, and you'll stick out like a soar thumb.
- Don't do anything destructive. There's no point in formatting a poor guys machine just because he doesn't know as much about computers as you do. Just think about if you formatted a Doctors machine with some really important shit on it. You talking about real peoples lives here. Changing an SSID to "SpreadEgl", or leaving a note on his desktop telling him how to secure his stuff...eh, that's borderline.
VIII. Securing your WLAN
There are some real simple steps to securing your WLAN, but most people don't follow them. The most common reason for a security hole in a WLAN is laziness. People somehow feel that whatever they're buying, it comes already secured. This is a BIG problem. When you purchase a new router, or firewall, they come with default settings and passwords. If you've read everything up to here, you would have seen a couple links to places that publish huge lists of default settings. This takes us to our first step.
1. Configuration - Like I just said, when you purchase a new wireless router, is comes with a default username/password, channel, and SSID. When an experienced WarX'er is tooling around, the first thing that (s)he'll notice is the SSID. If it's se to Linksys (Linksys's default SSID) or tsunami (Cisco's default SSID), they know that there's a real good chance of breaking into that router. So rule number one is CHAGE YOUR SSID. Keep in mind that if you make it something like "Don't Even Try", you're just beggin to get hacked. Just use common sense. Next, change your username and password. make your password a non-dictionary word, more than 8 characters, alphanumeric and non-alphanumeric symbols, and don't match it to your SSID, that would defeat the purpose. You may say, "Well no one ever come in my apt but me, so I don't need a fancy password." Most wireless routers have a Web Administration menu. Once a hacker or WarX'er is on your network, all they have to do is type in your routers IP into a browser, and BAM, they have control of your network.
2. WEP - Enable WEP, 128-bit if possible. I know that WEP can be cracked, and that it's not a magic answer to WiFi security, but it's just not worth the time and effort of cracking a network with WEP enabled when there are two others in the same area without it. Think of it like The Club for your car. It's just a deterrent to tell the thief to take the car next to your instead :).
3. MAC Filtering - Most WiFi routers will allow you to filter access to your WLAN by MAC address. You can add in the specific MAC addresses that you wish to allow, and if a requesting computer with an invalid MAC address wants it, it says "No". Yes, there is a way around this too (MAC Spoofing/MAC Brute Forcing), but once again...it's a deterrent.
4. Fake AP - Go download the program called Fake AP. It's an excellent little program written by a couple drunk blackhats from DefCon last summer. This will flood the air waves with a ton of fake AP SSID's. This way a WarX'er will have a list of all these bogus AP's with yours hiding in there somewhere. It's like looking for Joe-Bob in Iowa, and then dropping Times Square around him.
5. Disable SSID Broadcasting - Some of the higher-end WiFi routers will allow you to disable the broadcasting of the SSID. This will help out a lot, because if a WarX'er can't connect to what it can't see. Of course there are ways to passively monitor the traffic to determine an SSID, but again...this is a deterrent. Are we catching the pattern here?
6. Power - This is by far the most secure way to keep WarX'ers out from your network, WiFi or not...turn the power off. Pretty simple huh? If you're not using your WLAN, turn it off. Not only will you save on power costs, but it's a sure bet on keeping people out while you're asleep or out getting drunk :).
It's not really a conclusion, but more of me just saying good-bye. I really hope that this helps a lot of you out there and that maybe you even learned something. I just feel that after all these years of reading these white papers, I needed to return something. So, this is my contribution. If you would like to make any comments or suggestions, please email me at firstname.lastname@example.org . I will try to respond, but no guarantees.
X. Shameless Plug
If you're into photoshop, hacking, piercings, tattoos, or just misc cool stuff, go to Kraix.com. There's a ton of stuff there for you, and I promise you'll love it. There's no other site out there on the net like it. All PS tutorials are one of a kind, not ripped from other sites, or ideas taken from other people, 100% originality.
The Definitive Guide To Wireless WarX'ing is Copyright 2002 by Kraix.com. All Rights Reserved. Please email Slayer@Kraix.com for permission to publish.