*************************************************
* *
* The Definitive Guide To Wireless WarX'ing *
* ----------------------------------------- *
* v1.2.1 *
* *
* 09/04/02 *
* *
*************************************************
* *
* by Slayer *
* *
* Slayer@Kraix.com *
* *
*************************************************
* *
* www.KRAIX.com *
* *
*************************************************
Contents:
---------
I. Introduction
II. Types of Wireless Networking
1.802.11a
2.802.11b
3.BlueTooth
4.Radio Frequencies
5.IrDA
III. Wireless Hardware
1. Routers
2. Access Points
3. NIC's
4. PCMCIA Cards
5. Antennas
IV. Wireless Software (Tools)
1. NetStumbler and MiniStumbler
2. Kismit
3. WEPCrack
4. AirSnort
5. Fake AP
6. Wireless Security Auditor
7. THC-WarDrive
8. THC-RUT
9. MacStumbler
10. BSD-AirTools
11. PrismStumbler
12. Mognet
13. WarLinux
14. Wellenreiter
15. WaveStumbler
16. AiroPeek
17. Stumbverter
18. AP Scanner
19. SSID Sniff
20. Wavemon
21. AirTraf
22. AirJack
V. Wireless White Papers
1. Wireless LAN Security : 802.11b and Corporate Networks
2. Wireless HOWTO for Linux
3. Hacking the Invisible Network : Insecurities in 802.11x
4. Cracking WEP Keys : Applying Known Techniques to WEP Keys
5. The Need for a 802.11 Wireless Toolkit
6. Wireless LAN Security
7. Linksys BEFVP41 VPN...Wireless Mini HOWTO
8. SSID Defaults
9. What's Up With WEP
10. Default List of Passwords
VI. Wireless Web Sites
1. Netstumbler.com
2. Milehigh Wireless
3. Wireless LAN 802.11x - Technical Information and Software
4. PersonalTelCo
5. WarChalking.org
6. Wardriving.com
7. WirelessCloud
8. Sputnik
9. NYCWireless
10. War Strolling and Cabbing
VII. WarX'ing (Why you're reading this :)
1. What is WarX'ing?
2. WarDriving
3. WarChalking
4. WarStrolling
5. Example WarX'ing Setups
6. Something to Think About
VIII. Securing your WLAN
1. Configuration
2. WEP
3. MAC Filtering
4. Fake AP
5. Disable SSID Broadcasting
5. Power
IX. Conclusion
X. Shameless Plug
**************************************************************************************
**************************************************************************************
------------------------------------------------
I. Introduction
------------------------------------------------
This is my first _real_ documentation, so please...no flaming or anything.
I put this together because I have been receiving a lot of emails and such
regarding wireless networks. Everyone wants to know, what it is, how to do that,
where to get this, is this legal...the list is huge. So instead of constantly sending
out a bunch of small answers, I'm writing this paper to help you learn as much
as possible. Side Note: Keep in mind that I am not an *expert* in this area. I did
not design the 802.11x standard or anything. I've just done a lot with it :o).
Disclaimer: The purpose of this document in it's entirety is for educational purposes
only. It is in no way meant for destructive or illegal purposes. Neither I (Slayer)
or Kraix.com condone illegal activity, or anything that you may do with this
information. I (Slayer) and Kraix.com feel that you are mature enough to make your own
decisions, and not place blame on anyone else for your actions. By reading this, you
are agreeing that you take full responsibility for your actions, and that they have
nothing to do with Kraix.com or me (slayer).
------------------------------------------------
II. Types of Wireless Networking
------------------------------------------------
As you may have already figured out, there are a few different wireless types out
there; 802.11a/b, BlueTooth, Radio Freq, and IrDA are to name a few. There really isn't
a standard yet, because everyone thinks that their idea is the best, and they're pretty
stubborn about it. Basically though, each type of wireless networking has it's ups and
downs. I'll try to give you a brief overview of the ones that I know of.
1. 802.11a (that's an "A" after the numbers) - This is probably going to be the new
standard for home and small office networking. I'm not too sure yet if it'll surpass
802.11b, but hey...time will tell. 802.11 was the first wireless protocol to come out,
and i believe it would run at about 1-2Mbps (don't quote me on that). A little while later
802.11b came out, and it was faster, so people moved over to adopt that one. Now, .11a has
been redone so that it's even faster than .11b. .11a now runs at 54Mbps in the 5Ghtz band
and it uses what is called the "orthogonal frequency division multiplexing encoding
scheme," (trust me, I couldn't make that up ;). If you want to learn more about OFDM,
go run a Google on it, because I'm not going to go into it, all I'll mention is that it's
more secure than WEP (Ha, "secure" and "WEP" shouldn't even be in the same sentence).
Range on these devices will vary, but you should be able to get about 300ft. from an
access point.
2. 802.11b (that's a "B" after the numbers) - .11b was the next revelation in wireless
technology after .11 and before .11a. It is now commonly referred to as Wireless
Fidelity or "WiFi" (pronounced like SciFi). .11b has a thoroughput of 11Mbps, and can fall
back to 5.5Mbps, 2Mbps, and 1Mbps. All that means is that as the signal gets degraded (or farther away), your connection will drop to these levels. Right now, .11b is more-so the
standard of wireless networking. There are more wireless LAN's and WAN's running .11b than
any other architecture. Because of this, you will find more tools, and uses with this.
When people are out there WarX'ing, this is the protocol that they're using. (WarX'ing
is described later on.) It's primary security encryption is Wired Equivalent Privacy,
or WEP for short. WEP can be used in 64bit or 128bit forms. All prism 1 cards can utilize
WEP 64bit, but you'll need a Prism 2 card to use 128bit. But either way, I would
strongly recommend that you do NOT rely solely on this, bad bad idea. Once again, I'm not
going into how WEP works (or doesn't work). Google it if you're interested. Range on
these devices will vary, but you should be able to get about 300ft. from an access point.
3. BlueTooth - BlueTooth is a wireless type for short range devices. You can get about 10
meters (that's about 30ft) away before you lose connection. Of course, that's in lab
results. Real world, you can get about 25-ish, but hey who's counting ;). Anyways,
BlueTooth is being integrated into a lot of portable devices for use of Sync'ing things
together. Such devices are handhelds (Compaq's iPaq), phones (Sony-Ericsson), and
other little gadgets. It's really a way to replace IRDa, and in that way it's beneficial.
BlueTooth generally has a transfer rate of about 1Mbps. That's not too bad, considering
that it's only syncing, or passing streaming media. Leeching news groups with it...no.
Using this standard to sync devices, or to get rid of wires is a great idea, but I don't
see us buying a can of Jolt out of a machine with our phone anytime soon. So far, the best
ways that I've seen this protocol being used are in PDA's for syncing, and in the new
Sony-Ericsson T68i cell phone that uses a wireless (BlueTooth) handsfree headset.
I want one sooo bad. I'd even be willing to write s review about it if someone donated
one to me (hint, hint, :o).
4. Radio Frequencies - Cell Phones. This is how they work, by using alternating
encrypted radio frequencies. I could write an entire thesis on this alone, but I'm not.
All I'm going to tell you is that Cell Phones use them :). Phreaking is not my expertise
at all, and I'm not about to begin to talk about something that I don't know enough
about.
5. IrDA - Infrared Data Association. Basically, the stuff you're remote controls use.
It's using a beam of light that we can't see to send a signal. The restrictions on this
are enormous, but hey...it works. IrDA is used a lot in Cell Phones, PDA's (especially
Palm's, I think they were the first to use it, but I could be wrong), laptops, wireless
mice/keyboards; the list goes on and on. The major downfalls for IrDA are distance and
line-of-sight. IrDA can only go about 1-2 meters and doesn't work unless there is a direct
line-of-site. It's nice to sync your palm or your phone with your contact list on your
laptop without wires and all, but if your cat lays down between the two, end of connection.
BlueTooth is starting to replace the uses for IrDA, because it can go farther, more secure,
does not need line-of-site, and it's a lot faster. IrDA has a transfer rate of about
75Kbps (that's a "K", not an "M").
------------------------------------------------
III. Wireless Networking Hardware
------------------------------------------------
For IrDA, BlueTooth, and Radio Frequencies, the hardware is basically built into the
devices that's going to use it. There are a couple peripherals that you could buy, but
they're not worth going into. I'm basically going to cover 802.11a/b hardware. The same
type of hardware exists for both standards unless otherwise noted.
1. Wireless Routers - This is the most important piece of wireless technology that you
will but when setting up a LAN or WAN. You must make sure that it's of the right
archetecture, chipset (Prism 1 or 2), and that it has all the features that you need.
For home use, you shouldn't spend over $200, unless you want some high-end stuff, or
you're delving into the .11a world (.11a is a little more expensive). Pretty much
every manufacture and their brother are making wireless routers. Linksys, 3com, Belkin,
Intel, Cisco, Billy-Ray-Joe (just kidding). I personally use Belkin, and I haven't had any
problems, but I would recommend that you buy a name-brand router. Remember, you get what
you pay for. Remember that when you're looking at a Linksys $150 router on sale with 8
mail-in rebates from Best Buy.
2. Access Points - These are very useful in larger offices, or houses. They will relay
the signal to extend your coverage. It acts kind of like a wireless hub. These are also
made by all the same people that make the routers, and I suggest that if you purchase
an access point, that you get the same brand as your router. Less likely to have
compatibility issues.
3. Wireless NIC's - Um, it's a NIC (Network Interface Card) that's wireless. I think that
this one is pretty self-explanitory. One idea though, is that instead of buying a wireless
NIC, buy a PCI card that has a slot to insert a PCMCIA, or PC card, into it. These cards
shouldn't cost more than $20, and you can use the PC card for more stuff.
4. Wireless PCMCIA (PC Cards) cards - These are the cards that go into your laptops, or
other portable devices. There are two different architectures for these cards, Prism 1 and
2. 1 supports 64bit and 2 supports 128bit encryption. Almost all the cards are Type 2
cards (in relation to the thickness). In my opinion, the best cards out there right now
are the Orinoco Gold cards. You can get them online for about $80.
5. Antennas - You can purchase, or make, external antennas that will increase your signal
strength and distance. The most common form is called a Yagi (Like from Karate Kid, jk).
These are sold all over the place online, and there are plans out that that show you
how to build them from a scratch using a Pringles can and Radio Hack parts (Great way
to disguise it for WarX'ing). One piece of hardware that you'll most definitely need is
called a Pig Tail. This is a wire that will connect from your wireless card (on
the antenna) to a thick coaxial cable or cable connector. The little piggies cost about
$20.
------------------------------------------------
IV. Wireless Software (Tools)
------------------------------------------------
With the recent explosion of the wireless networking community, there has been a shadow
within the software field. Recently it seems like there is a new wireless tool that comes
out every day. I have tried to put together a list of tools, and their links, of what I
think are probably the most useful. If I've used it before, or I know about it, I'll try
to give a description about it also.
1. NetStumbler and MiniStumbler - Windows 2000, 9X, ME, XP, Pocket PC
I have to say that these are by far the most widely used
and proven wireless discovery tools on the net. Netstumbler will use your wireless card
to detect all the wireless networks in the area. It will return the WLAN's SSID, channel,
WEP or not, signal strength, and more! The GUI is insanely easy to use. Hell, even a
L337 H4X0R could use this :). Two features that I really like are it's ability to modify
the refresh rate of the scan, and that you can hook up a GPS unit to it to track your
exact coordinates. You can then save this to a file and upload it to their server to add
to their ever-expanding map of WLANs. MiniStumbler is the same as NetStumbler, except
that it's for the iPaq handheld (oh the possibilities!).
Homepage: http://www.netstumbler.com
Readme: http://www.stumbler.net/readme/readme_0_3_30.html
Download: http://www.netstumbler.com/download.php?op=getit&lid=22 (NetStumbler)
Download: http://www.netstumbler.com/download.php?op=getit&lid=21 (MiniStumbler)
2. Kismit - Linux
Kismet is a 802.11b wireless network sniffer. It is capable of sniffing using
almost any wireless card supported in Linux, including Prism2 based cards supported by the
Wlan-NG project (Linksys, Dlink, Rangelan, etc), cards which support standard packet
capture via libpcap (Cisco), and limited support for cards without RF Monitor support.
The latest stable release as of this writing is 2.4.6 on August 4th. You may want to go
to the page to download the latest stable version.
Homepage: http://www.kismetwireless.net
Download: http://www.kismetwireless.net/code/kismet-2.4.6.tar.gz
3. WEPCrack - Linux
WEPCrack is an open source tool for breaking 802.11 WEP secret keys. This tool is is an
implementation of the attack described by Fluhrer, Mantin, and Shamir in the paper
"Weaknesses in the Key Scheduling Algorithm of RC4". WEPCrack was the first publicly
available code that demonstrated the attack.
Homepage: http://wepcrack.sourceforge.net/
Download: http://sourceforge.net/project/showfiles.php?group_id=32993&release_id=49357
4. AirSnort - Linux
AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort operates by
passively monitoring transmissions, computing the encryption key when enough packets have
been gathered. AirSnort requires approximately 5-10 million encrypted packets to be
gathered. Once enough packets have been gathered, AirSnort can guess the encryption
password in under a second.
Homepage: http://airsnort.shmoo.com/
Download: http://prdownloads.sourceforge.net/airsnort/airsnort-0.2.1.tar.gz?download
5. Fake AP - Linux
Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access points. Hide in
plain sight amongst Fake AP's cacophony of beacon frames. As part of a honeypot or as an
instrument of your site security plan, Fake AP confuses Wardrivers, NetStumblers, Script
Kiddies, and other undesirables. Just so you know, some of the SSID's that are generated
by Fake AP aren't exactly the cleanest of words :).
Homepage: http://www.blackalchemy.to/Projects/fakeap/fake-ap.html
Download: http://www.blackalchemy.to/Projects/fakeap/fakeap-0.2.tar.gz
6. Wireless Security Auditor - Linux on an iPaq
WSA is an IBM research prototype of an 802.11 wireless LAN security auditor, running on
Linux on an iPAQ PDA. WSA automatically audits a wireless network for proper security
configuration, to help network administrators close any vulnerabilities before the hackers
try to break in. Short and sweet: IBM's Linux version of Ministumbler. Still in Beta.
Homepage: http://researchweb.watson.ibm.com/gsal/wsa/
Download: Can't get it :( . If you can, email me!
7. THC-WarDrive - Linux
THC-WarDrive is a tool for mapping your city for wavelan networks with a GPS device while
you are driving a car or walking through the streets. It is effective and flexible, a
"must-download" for all wavelan nerds.
Homepage: http://www.thehackerschoice.com
Download: http://www.thehackerschoice.com/download.php?t=r&d=wardrive-2.3.tar.gz
8. THC-RUT - Linux
THC-RUT (aRe yoU There) is a local network discovery tool developed to brute force its way
into wvlan access points. It offers arp-request on ip-ranges and identifies the vendor of
the NIC, spoofed DHCP, BOOTP and RARP requests, icmp-address mask request and router
discovery techniques. This tool should be 'your first knife' on a foreign network.
Homepage: http://www.thehackerschoice.com
Download: http://www.thehackerschoice.com/download.php?t=r&d=thcrut-0.1.tar.gz
9. MacStumbler - Mac OS X
MacStumbler is a little program that was written to emulate the workings of Netstumbler
and Kismet for the Mac. It will only work with Apple Airport cards and is in extreme
beta testing, so plan on you mac to crash a couple times trying to get this to run.
There are a number of people out there using this, so it does work. The source code is
also available if you're a fellow Mac coder and want to help out.
Homepage: http://homepage.mac.com/macstumbler/
Download: http://homepage.mac.com/macstumbler/MacStumbler-06b.tgz (binary)
Download: http://homepage.mac.com/macstumbler/06b-source.tgz (source)
10. BSD-AirTools - FreeBSD 4.4, OpenBSD 2.9/3.0, NetBSD 1.5.1+
bsd-airtools is a package that provides a complete toolset for wireless 802.11b auditing.
Namely, it currently contains a BSD-based WEP cracking application, called dweputils (as
well as kernel patches for NetBSD, OpenBSD, and FreeBSD). It also contains a curses based
ap detection application similar to netstumbler (dstumbler) that can be used to detect
wireless access points and connected nodes, view signal to noise graphs, and interactively
scroll through scanned AP's and view statistics for each. It also includes a couple other
tools to provide a complete toolset for making use of all 14 of the prism2 debug modes as
well as do basic analysis of the hardware-based link-layer protocols provided by prism2's
monitor debug mode.
Homepage: http://www.dachb0den.com/projects/bsd-airtools.html
Download: http://www.dachb0den.com/projects/bsd-airtools/bsd-airtools-v0.2.tgz
Download: ftp://ftp.dachb0den.com/pub/projects/bsd-airtools/bsd-airtools-v0.2.tgz
11. PrismStumbler - Linux
Prismstumbler is a wireless LAN (WLAN) which scans for beaconframes from accesspoints.
Prismstumbler operates by constantly switching channels an monitors any frames received on
the currently selected channel.
Homepage: http://prismstumbler.sourceforge.net/
Download: http://www.monolith81.de/download/prismstumbler-0.5.0.tar.gz
12. Mognet - Linux
Mognet is a free, open source wireless ethernet sniffer/analyzer written in Java. It is
licensed under the GNU General Public License. It was designed with handheld devices like
the iPaq in mind, but will run just as well on a desktop or laptop.
Homepage: http://chocobospore.org/mognet/
Download: http://www.monolith81.de/download/Mognet-1.14.tar.gz
13. WarLinux - Um... It is the OS.
A new linux distribution for Wardrivers. It is available on disk and bootable CD. It's
mainly intended use is for systems administrators that want to audit and evaluate their
wireless network installations. Should be handy for wardriving also. I hope you have a lot
of CDs ready for this one. One guy took a pic of all the CDs he went through just to get
this thing to work, there had to been at least 20 of em! But hey, in the end he got it!
Homepage: https://sourceforge.net/projects/warlinux/
Download: http://prdownloads.sourceforge.net/warlinux/warLinux.iso?download
14. Wellenreiter - Linux
Wellenreiter is a GTK/Perl program that makes the discovery and auditing of 802.11b
wireless networks much easier. All three major wireless cards (Prism2 , Lucent, and Cisco)
are supported. It has an embedded statistics engine for the common parameters provided by
wireless drivers. Its scanner window can be used to discover access-points, networks, and
ad-hoc cards. It detects SSID broadcasting or non-broadcasting networks in every channel.
Non-broadcasting networks could be uncovered automatically. The manufacturer and WEP is
automatically detected. A flexible sound event configuration lets you work in unattended
environments. An ethereal / tcpdump-compatible dumpfile can be created for the whole
session, so detailed analysis at another location is easy. GPS support tracks the location
of the discovered networks immediately. Automatic associating is possible with randomly
generated MAC addresses, so you don't have to work with your real MAC address anymore.
Wellenreiter can reside on low-resolution devices that can run GTK/Perl and Linux/BSD (such
as iPaqs). A SSID bruteforcer is included now too.
Homepage: http://www.remote-exploit.org
Download: http://www.remote-exploit.org/modules.php?name=Downloads&d_op=getit&lid=25
15. WaveStumbler - Linux
WaveStumbler is console based 802.11 network mapper for Linux. It reports the basic AP
stuff like channel, WEP, ESSID, MAC etc. It has support for Hermes based cards (Compaq,
Lucent/Agere, ... ) It still in development but tends to be stable.
Homepage: http://www.cqure.net/tools08.html
Download: http://www.cqure.net/tools/wavestumbler-1.2.0.tar.gz
16. AiroPeek - Windows 98, ME, 2000, XP (COMMERCIAL $1495 for 1 year!)
AiroPeek is a comprehensive packet analyzer for IEEE 802.11b wireless LANs, supporting all
higher level network protocols such as TCP/IP, AppleTalk, NetBEUI and IPX. AiroPeek
contains all of the network troubleshooting features familiar to EtherPeek. In addition,
AiroPeek quickly isolates security problems, fully decodes 802.11b WLAN protocols, and
analyzes wireless network performance with accurate identification of signal strength, channel and data rates.
Homepage: http://www.wildpackets.com/products/airopeek
Download: http://www.wildpackets.com/demo_buy/demos/apw (DEMO)
17. Stumbverter - Windows 2000, 9X, ME, XP
StumbVerter is a standalone application which allows you to import NetStumbler's summary
files into Microsoft's MapPoint 2002 maps. The logged WAPs will be shown with small icons,
their color and shape relating to WEP mode and signal strength. As the AP icons are created
as MapPoint pushpins, the balloons contain other information, such as MAC address, signal
strength, mode, etc. This balloon can also be used to write down useful information about
the AP, notes, etc.
Homepage: http://www.sonar-security.com/
Download: http://www.sonar-security.com/files/StumbVerter_V010_full.zip
18. AP Scanner - Mac
AP Scanner is a small Macintosh-only application that will detect all in-range open 802.11
wireless network access points. It will show you a pretty little graph and show potential
channel conflicts.
Homepage: http://homepage.mac.com/typexi/Personal1.html
Download: http://homepage.mac.com/typexi/.cv/typexi/Public/AP%20Scanner%201.0%20Dist.sit-link.sit
19. SSID Sniff - Linux
A nifty tool to use when looking to discover access points and save captured traffic. Comes
with a configure script and supports Cisco Aironet and random prism2 based cards.
Homepage: http://www.bastard.net/~kos/wifi/
Download: http://www.bastard.net/~kos/wifi/ssidsniff-0.36.tar.gz
20. Wavemon - Linux
wavemon is a ncurses-based monitoring application for wireless network devices. It currently works under Linux with the Lucent Orinoco cards.
Homepage: http://www.jm-music.de/projects.html
Download: http://www.jm-music.de/wavemon-current.tar.gz
21. AirTraf - Linux
AirTraf is a package with many features. On a basic level, it performs packet
capture/decode in the 802.11b wireless level. It gathers and organizes packets captured
over the air based on the type of traffic (management, control, data), according to the
dynamically detected access points (in case there are multiple in a given area), and
performs bandwdith calculation as well as signal strength information on a per wireless
node basis. It determines the SSID of access points, the channel it is operating under, the
number of wireless nodes connected to the access point of interest, the overall load on the
access point, as well as the bandwidth utilized by all connected wireless nodes. And as of
AirTraf-0.3-1beta, AirTraf is database-aware, meaning that multiple sniffers can be polled
via a central polling server periodically to gather up2date information, and saving the
information for long-term load analysis over periods of days, weeks, months, and even
years. The other feature of AirTraf includes tracking of access related activity generated
in the area, it tracks all probe/authentication/association requests made to a given access
point, and by observing access point's reaction, make a judgment as to the nature of
activity, and determine whether the activity is hostile or friendly. (currently fairly
unstable, and being worked on)
Homepage: http://airtraf.sourceforge.net/index.php
Download: http://prdownloads.sourceforge.net/airtraf/airtraf-0.5.0.tar.gz
22. AirJack - Linux
AirJack is a nifty tool that will let you take over a connection to a WLAN. Short-short
version: You DOS the AP filling it with forged ARP packets confusing the hell out of
the AP causing it to dump. Then the clients start to look for a new AP, because they lost
their connection. What the find is your box as the AP, and then when the real AP comes
back, you're the middle man. Get it?
Homepage: http://802.11ninja.net/
Download: http://802.11ninja.net/airjack-v0.6.2-alpha.tar.bz2
------------------------------------------------
V. Wireless White Papers
------------------------------------------------
After spending a couple days scouring the net for information on wireless networking
and other such topics. I have come across a few white papers that I have found to be
useful or interesting. White papers are documents that are instructional or
informative. This document that I am writing can be considered a white paper. The following
are links and brief descriptions of each white paper that I found. Some are HTML files,
PDF documents, and even PowerPoint slides from different conventions.
1. Wireless LAN Security : 802.11b and Corporate Networks - A white paper written by the
company Internet Security Systems.
Link: http://documents.iss.net/whitepapers/wireless_LAN_security.pdf
2. Wireless HOWTO for Linux - This is a pretty informative guide on how to get your
Linux box up and running for a wireless LAN. Remember that these are just guidelines,
and that you'll have to make changes depending on your card, distro, and box.
Link: http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Wireless-HOWTO.html
3. Hacking the Invisible Network : Insecurities in 802.11x - A nice long white paper
written by iDEFENSE. This document goes into great detail as to the vulnerabilities
of wireless networking, I'm talking binary here.
Link: http://www.net-security.org/dl/articles/Wireless.pdf
4. Cracking WEP Keys : Applying Known Techniques to WEP Keys - This is a Power Point
slide presentation from @Stake about how to go about cracking WEP keys, and the
logistics behind it. If you're new to WEP, I recommend it for a quick overview.
Link: http://www.lava.net/~newsham/wlan/WEP_password_cracker.ppt
5. The Need for a 802.11 Wireless Toolkit - This is a PDF white paper written by a guy
from @Stake that was presented during the Black Hat Briefings in July of 2002.
Link: http://www.packetfactory.net/projects/radiate/802.11_toolkit-2.0.pdf
6. Wireless LAN Security - Here is an excellent white paper in HTML format that
describes everything that you need to know about wireless security, it's vulnerabilities,
methods of attack, and much more.
Link: http://www.packetninja.ca/starrrt.html
7. Linksys BEFVP41 VPN Router to OpenBSD IPSec Server + Wireless Mini HOWTO - This document
describes how to use the Linksys BEFVP41 VPN Router as a VPN Client to an OpenBSD IPSec
Server.
Link: http://ruff.cs.jmu.edu/~beetle/download/befvp41.html
8. SSID Defaults - Here is a TXT file that lists most of the manufactures default SSID's,
default password login pairs, channels, and some other useful tidbits.
Link: http://www.wi2600.org/mediawhore/nf0/wireless/ssid_defaults/ssid_defaults-1.0.5.txt
9. What's Up With WEP - Here's a quick read from IBM on how WEP works and other things
WEP. There are some pictures that should help you out if you're reading impaired >:)
Link: http://www-106.ibm.com/developerworks/library/s-wep/?article=wir
10. Default List of Passwords - I think this one is pretty self-explanatory. It's a huge
list of default password and login settings for routers, firewalls, and everything else.
If I were you, I would save this list, because who knows how long it'll stay here.
Link: http://www.aaws25.hemscott.net/Default%20password%20list.htm
------------------------------------------------
VI. Wireless Web Sites
------------------------------------------------
I have compiled a list of my favorite 10 wireless web sites and list them here for you.
Most of these sites all deal within a specific area of wireless, but there is some
overlap. You'll just have to go there and check it out!
1. Netstumbler.com - The home of probably the most famous wireless tool on the net. Not
only that, but they have current wireless news and events, a forum, geographical WLAN
locations, and more. Definitely a must.
Link: http://www.netstumbler.com
2. Milehigh Wireless - If you live in the Denver area, this is the perfect site for you.
They talk about their free coverage ideas, and more.
Link: http://www.milehighwireless.net/wiki-moinmoin/moin.cgi
3. Wireless LAN 802.11x - Technical Information and Software in German and English -
Wow, what a long ass name. You will find a ton of links to software, sites, HOWTO's, and
a ton of other stuff here. Hey and if your German, you're all set.
Link: http://www.monolith81.de/software_linux.htm
4. PersonalTelCo - Here's a nice page about WarDriving with some helpful links. There are
some other sites in this page relating to wireless stuff, but they may be hard to find.
Link: http://www.personaltelco.net/index.cgi/WarDriving
5. WarChalking.org - The official WarChalking homepage. The Blogging system here is pretty
cool. It allows anyone to write stories relating to Warchalking, and then the story is
rated among other warchalkers as to whether or not it gets published. You'll find
some cool stories, pictures, and other misc. stuff here.
Link: http://www.warchalking.org/
6. Wardriving.com - I think this one is pretty self-explanatory. This site is devoted
entirely to Wardriving. Just go to it, I know you're going to.
Link: http://www.wardriving.com
7. WirelessCloud - WirelessCloud is a southern California based organization that is set
out to provide free 802.11 access. I wish them luck!
Link: http://www.wirelesscloud.net/wirelesscloud/index.htm
8. Sputnik - These guys have made a couple different products that are very useful in the
wireless industry. They also have some news articles relating to wireless, but they don't
get updated too frequently.
Link: http://www.sputnik.com/
9. NYCWireless - Ah, my hometown organization. These guys rule. They are another org out
there that's trying to get free 802.11 access through-out New York City. They have already
done a lot in the city, covering a lot of areas, and parks in the city. They've been
featured on TechTV for a game they invented, and they also hold monthly meetings to go
over new stuff. Everyone's invited and it's always free. Even if you don't live in NYC,
you need to check these guys out.
Link http://www.nycwireless.net/
10. War Strolling and Cabbing - Here's another NYC based guy that's going around
Manhattan and mapping out the wireless networks. Using MacStumbler, it looks like
he's getting a large area pretty covered. Doesn't look like he's doing any chalking
though, so you'll have to check out the site to find the networks.
Link: http://www.joemaller.com/wifi/
------------------------------------------------
VII. WarX'ing (Why you're reading this :)
------------------------------------------------
1. The first question that's probably in your head is, "What the hell is 'WarX'ing'". Well
it's pretty simple. Right now there are many different types of Wireless scanning going
about. You have WarDriving, WarChalking, WarStrolling, WarBoating, WarFlying, the list
is endless. Because of this, I've adopted the term WarX'ing; the "X" is the variable
for the different kinds. No matter what mode of transportation you use, you're doing the
same thing...scanning. So instead of all these terms, I've decided on one simple term that
covers them all. Judging by the context of the document, story, or whatever; I think you'll
be able to figure out if they were on foot, or in a car.
The prefix "War" originally came from the good-ole days of BBS'ing. To find a modem on the
other end of a phone line, you would do what is called WarDialing. Think of this as a
primitive IP scan. You'd enter in a set of phone numbers to dial (ex. 555-1000 - 555-1100 )
and then the WarDialing program calls each number in the list to see if there's a modem
at the other end, and then either makes a note of it, or tries to connect. I think you
can see the connection here. For those of you that have no clue what WarX'ing
(WarDriving/chalking/strolling/etc) is, I will go into more detail about each area below.
2. WarDriving - WarDriving is the act of scanning for wireless networks with a mobile
device while driving around in a car. The most common form is when you take a laptop
into a car and then turn on a stumbler to detect the networks. As the open networks appear
you can either continue on, and make a list or a map, or pause to look around their
network.
3. WarChalking - WarChaliking is the act of labeling a discovered network so that other
WarX'ers can easily notice an open network and the details about it. The idea most likely
originated from the old-school hobo chalking symbols. It's just a guess. If you go to
Warchalking.org, they have a little cheat-sheet to help you out on how to draw out
everything (CheatSheet: http://www.blackbeltjones.com/warchalking/warchalking0_9.pdf). I
will attempt to draw out what the symbols are with my wonderful ASCII art skills. :)
---------------------------------------
Open Node: SSID
)(
BW
Closed Node: SSID
()
WEP Node: SSID AC
(W)
BW
BW = Bandwidth and AC = Access Contact.
---------------------------------------
These three symbols are the ones from the little cheat-sheet. These are very adequate, but
I propose a more detailed symbol for open nodes, because there's just more to know.
Proposed Symbol For Open Nodes:
SSID This will show (1) an open node, (2) the SSID, (3) CHannel, (4) BandWidth,
CH )( ST (5) signal STrength, 1-3 depending, (5) and that the defaults have been
BW changed. Signal strength: 1 = Not Good, 2=Good, 3=Excellent.
SSID This will relay the same info as the one above, but the colons (:) will
CH:)(:ST signify that the router is using default settings.
BW
With the use of these more enhanced symbols, fellow WarX'ers will know a lot more about
the Node at hand, and whether or not it's worth it to stop and connect. After running
into many )('s that have poor quality, or non-default settings, I feel that this could
really help out everyone in the community, if we just took an extra 2 seconds.
4. WarStrolling - WarStrolling is just like WarDriving and all the other one's expect that
you do your scanning on foot. You can either carry around a laptop or a handheld to detect
the networks. By WarStrolling, you will have more time to delve into the networks that
you stumble into, but you are also a lot more noticeable carrying around a laptop. If you
have a handheld (like an iPaq) on the other hand, you will go unnoticed, but you can't do
as much. If you're going WarStrolling, I would suggest that you use MiniStumbler from
www.netstumbler.com. See the tools section in this white paper.
5. Examples on WarX'ing - I'm going to go over two different scenarios on how you can begin
WarX'ing today. The first one is the most common, WarDriving.
If you are a beginner WarX'er you might have to do a little research on the net about
certain things, but I'll try to go into as much detail as possible. The first thing that
you are going to need is a laptop. Nothing fancy really. If you are going to run a
Windows OS, I would recommend Windows 2000. XP will really piss you off once you find out
that it doesn't like to let go of an AP after it finds one! If you're going to run a
flavor of Linux, make sure that it's a current kernel and that you will have the drivers
ready to get it to use your wireless card, it can be a real pain in the ass at first, but
well worth it in the long run. This brings us to our next piece of hardware, a wireless
PCMCIA (or PC Card) card. Prism II if possible, but not required. Make sure that it
802.11b (That's a "B"). If you use an "A" card, you won't pick up shit because the tools
are for "B". Another thing that I would recommend (but is not necessary) is a DC to AC
converter. This is a little box that will convert your car's cigarette lighter socket into
an AC socket, so you can get juice for your laptop from your car. Just make sure that it
will supply enough wattage to power it. Now load up your laptop with your favorite tools,
and hit the road! I will once again empower my ASCII art skills to make a little diagram:
Windows WarX'ing Box Linux WarX'ing Box
-------------------- ------------------
OS - Windows 2000 (NO XP*) OS - Favorite Compatible Flavor (Debian)
Wireless PCMCIA Card (Prism II*) Wireless PCMCIA Card (Prism II*)
AC/DC Power Converter* AC/DC Power Converter*
NetStumbler Kismet
Favorite Port Scanner* Favorite Port Scanner*
Windows Share Exploiter* Favorite Exploits*
GPS Unit* GPS Unit*
White Lightning Jolt Cola :) WEPCrack*
AirSnort*
FakeAP*
* optional THC-RUT*
SSIDSniff*
AirJack*
Cherry Bomb Jolt Cola >:)
My Setup
--------------------
Dell Inspiron 4000 Laptop
Debian Linux
Orinoco Gold Hermes PCMCIA Card
40 watt AC/DC converter
Kismet
nmap
Exploits to test my *own* network >:)
No GPS (i don't care)
WEPCrack
AirSnort
FakeAP (for home use really)
THC-RUT
THC-Wardrive
SSIDSniff
AirJack
AirMonkey
Cherry Bomb & White Lightning Jolt Cola :)
I'm also currently building my own portable yagi.
The GPS device is used to map out the coordinates of the located WLAN's. You can then
upload them to a central server (like netstumbler.com) and add them to the ever growing
map, or you can download a program like Stumbverter and make your own maps.
You are obviously going to be able to do a lot more with a linux box, but not everyone
is leet (i just wanted to use that word) enough to do so. I would also like to point
out that there is not an * after Jolt. This is a necessity because the best time to go
strolling around is at 3 in the morning when Joe Shmoe is asleep with is router and
cable modem on :).
Once you are on a network, there is an endless possibility of the things you can do.
I'm not even going to go into them, but from the list above, and with some common sense,
I think you can figure it out.
A little side note (this should be obvious), make sure that your box is set to DHCP,
because if it's not, you'll never connect to the network, unless you're lucky enough to be
set to the same class and subnet. If you need help setting up your Linux box with a
wireless card, go to the white papers section of this doc, there's a couple links there
that should help you out.
The other area that you could dive into is WarStrolling. In this example, I'll tell you
how to do the equivalent of above, but with a handheld. Pop this badboy in your pocket
and start walking around! You will need 4 things to WarStrole, (1) Handheld PDA that either
has a built in 802.11b device, or one that is capable of adding one to it, (2) a PCMCIA
card adapter for your handheld (if needed), (3) a PCMCIA Wireless 802.11b card, (4) and
stumbling software. I've heard of a couple people porting a version of linux to their
iPaq's and then running linux programs on it, but I don't have any experience in this.
I'll show you the setup which I use:
My WarStrolling Setup
---------------------
Compaq iPaq 3950
Compaq iPaq PC Card Expansion Paq Plus (includes an extra battery!)
Orinoco Gold Hermes PCMCIA Card (Same one from my laptop)
MiniStumbler
Original Jolt Cola (It's hot out :)
That's it. I just turn it on and drop it into my pocket. While walking around NYC, catching
open WiFi networks is like finding Ford in Detroit. You could also port over some network
tools to play with while looking for networks, but I generally don't add anything fancy.
There is an alternative to the PC cards though. For the handhelds, you could buy a compact
flash adapter (if you need it), and then purchase a compact flash 802.11b card. They're
not as strong as the PC cards, and some won't be recognized, but it is possible. The
two major benefits to these cards over PC cards is that they are a lot smaller, and they
take less power to use.
6. Something to Think About - When I first started, I was thinking, wow...I'm virtually
undetectable, and even if they do notice I'm on their network, they could never find
me. Well, after breaking into my own network, I found out that is very, very wrong. So
I'm here to give you a couple pointers that should help you out.
- Change your computer name to something like "IISMonitor", "WorkStation5", or something
else that's inconspicuous. If a net admin sees a box on his network labeled
"Ul7R4 L337 H4X0R", he's going to wonder.
- If you're running a Linux box, spoof your MAC address. When you connect to a WiFi LAN,
you will broadcast your MAC address to the router, so don't give them your real one.
If you're running Windows, I'm sorry but I currently don't know how to spoof MAC
addresses on a Windows box...I don't know if it's even possible.
- Don't sit in one place for too long. Just like cell phones, it is possible to
triangulate your position. I was talking to a guy out in California that's working
on a Stumbler detector. Basically it consists of three Honeypot WiFi routers set
up in a triangle. When you walk inside the boundary...BAM, he's got ya.
- Use your head, don't sit outside a large corporate office at 3 in the morning with
a custom spray-painted laptop that says "H4X0r" all over it. These places do have
security, and you'll stick out like a soar thumb.
- Don't do anything destructive. There's no point in formatting a poor guys machine
just because he doesn't know as much about computers as you do. Just think about if
you formatted a Doctors machine with some really important shit on it. You talking
about real peoples lives here. Changing an SSID to "SpreadEgl", or leaving a note on
his desktop telling him how to secure his stuff...eh, that's borderline.
------------------------------------------------
VIII. Securing your WLAN
------------------------------------------------
There are some real simple steps to securing your WLAN, but most people don't follow them.
The most common reason for a security hole in a WLAN is laziness. People somehow feel
that whatever they're buying, it comes already secured. This is a BIG problem. When you
purchase a new router, or firewall, they come with default settings and passwords. If
you've read everything up to here, you would have seen a couple links to places that
publish huge lists of default settings. This takes us to our first step.
1. Configuration - Like I just said, when you purchase a new wireless router, is comes
with a default username/password, channel, and SSID. When an experienced WarX'er is
tooling around, the first thing that (s)he'll notice is the SSID. If it's se to Linksys
(Linksys's default SSID) or tsunami (Cisco's default SSID), they know that there's a real
good chance of breaking into that router. So rule number one is CHAGE YOUR SSID. Keep
in mind that if you make it something like "Don't Even Try", you're just beggin to get
hacked. Just use common sense. Next, change your username and password. make your password
a non-dictionary word, more than 8 characters, alphanumeric and non-alphanumeric symbols,
and don't match it to your SSID, that would defeat the purpose. You may say, "Well no one
ever come in my apt but me, so I don't need a fancy password." Most wireless routers have
a Web Administration menu. Once a hacker or WarX'er is on your network, all they have to
do is type in your routers IP into a browser, and BAM, they have control of your network.
2. WEP - Enable WEP, 128-bit if possible. I know that WEP can be cracked, and that it's
not a magic answer to WiFi security, but it's just not worth the time and effort of
cracking a network with WEP enabled when there are two others in the same area without it.
Think of it like The Club for your car. It's just a deterrent to tell the thief to take
the car next to your instead :).
3. MAC Filtering - Most WiFi routers will allow you to filter access to your WLAN by
MAC address. You can add in the specific MAC addresses that you wish to allow, and if a
requesting computer with an invalid MAC address wants it, it says "No". Yes, there is a
way around this too (MAC Spoofing/MAC Brute Forcing), but once again...it's a deterrent.
4. Fake AP - Go download the program called Fake AP. It's an excellent little program
written by a couple drunk blackhats from DefCon last summer. This will flood the air waves
with a ton of fake AP SSID's. This way a WarX'er will have a list of all these bogus AP's
with yours hiding in there somewhere. It's like looking for Joe-Bob in Iowa, and then
dropping Times Square around him.
5. Disable SSID Broadcasting - Some of the higher-end WiFi routers will allow you to
disable the broadcasting of the SSID. This will help out a lot, because if a WarX'er
can't connect to what it can't see. Of course there are ways to passively monitor the
traffic to determine an SSID, but again...this is a deterrent. Are we catching the pattern
here?
6. Power - This is by far the most secure way to keep WarX'ers out from your network, WiFi
or not...turn the power off. Pretty simple huh? If you're not using your WLAN, turn it off.
Not only will you save on power costs, but it's a sure bet on keeping people out while
you're asleep or out getting drunk :).
------------------------------------------------
IX. Conclusion
------------------------------------------------
It's not really a conclusion, but more of me just saying good-bye. I really hope that this
helps a lot of you out there and that maybe you even learned something. I just feel that
after all these years of reading these white papers, I needed to return something. So,
this is my contribution. If you would like to make any comments or suggestions, please
email me at slayer@kraix.com . I will try to respond, but no guarantees.
------------------------------------------------
X. Shameless Plug
------------------------------------------------
If you're into photoshop, hacking, piercings, tattoos, or just misc cool stuff,
go to Kraix.com. There's a ton of stuff there for you, and I promise you'll love it.
There's no other site out there on the net like it. All PS tutorials are one of a kind,
not ripped from other sites, or ideas taken from other people, 100% originality.
www.KRAIX.com
The Definitive Guide To Wireless WarX'ing is Copyright 2002 by Kraix.com.
All Rights Reserved. Please email Slayer@Kraix.com for permission to publish.
This article is free to distribute in its current format, and unchanged.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
