War Driving
SecureSD Fall 2004
Tuesday, November 16th
2PM-3:30PM
©2004 Lee Barken
War Driving
Tuesday 11/16, 2PM-3:30PM
Lee Barken, CISSP, MCP, CCNA, CPA
Co-Director, STAR Center, San Diego State University
http://starcenter.sdsu.edu
President, SoCalFreeNet.org
http://www.SoCalFreeNet.org
E-mail: [email protected]
Why are we here?
Why Do People War Drive?
Antenna Basics
Understanding the Protocol
Wardriving Tools & Techniques
Code of Ethics for Security Professionals
Act with honesty, integrity and professionalism at all times.
Personal curiosity is not an excuse to break the law.
Respect the power of information and be willing to share your knowledge for the advancement of the security field and the protection of society.
Honor and maintain the confidentiality of all client information that may be discovered during the course of an engagement.
Remember that even the smallest appearance of impropriety may result in damage to your reputation and the credibility of our profession.
If a little voice in your head tells you that you might not be doing the right thing—listen to that voice.
Why Do People War Drive?
“Good guys and not so good guys”
Because it’s fun
To learn about wireless technology
Looking for a place to check e-mail
Defending our network/Look for rogue APs
To gain unauthorized access / launch attacks / other criminal activity
Why Do People War Drive?
World Wide War Drive 4
WWWD4: June 12-19, 2004
Total APs found: 228,537
No WEP: 140,890 (61.6%)
Default SSID: 71,805 (31.4%)
Why Do People War Drive?
World Wide War Drive 4
In San Diego… 2 people
Total APs found: 19,148
No WEP: 11,962 (62.47%)
Default SSID: 7,769 (40.57%)
Antenna Basics
Antennas do not “amplify” the signal – they merely “focus” the energy in a particular direction.
Images courtesy: “Designing a Wireless Network”, Syngress Publishing.
Antenna Basics
Antennas - Isotropic
Isotropic antenna: A hypothetical antenna that radiates or receives equally in all directions. Note: Isotropic antennas do not exist physically but represent convenient reference antennas for expressing directional properties of physical antennas.
Antenna Basics
Antennas - Omni
5 dBi, “Magnetic Mount”
9 dBi, 20 inches long
15.4 dBi, 70 inches long
Antenna Basics
Antennas – Patch, Panel, Sector
16.5 dBi, beam width: 95 degrees (H), 7 degrees (V)
19 dBi, 15.5 inches square, 1.25 inches thick, 18 degree beam width
9.3 dBi, 4.5 inches square, 60 degree beam width
Antenna Basics
Antennas – Parabolic Grid
24 dBi, 8 degree beam width, 42” X 24”
Antenna Basics
Antennas – Yagi
12 dBi, 16 inches long
14 dBi
14.5 dBi, 18 inches long
Antenna Basics
Antennas – Phased Array
Antenna Basics
Antennas – Pringles Can
Understanding the Protocol
Association
“Open Network”
“Closed Network”
(For simplification, I’m leaving out the “authentication” step in this presentation)
Understanding the Protocol
“Open Network”
1. Access Point -> Client: Management Beacon
2. Client -> Access Point: Association Request
3. Access Point -> Client: Association Response
Understanding the Protocol
“Closed Network”
1. Client -> Access Point: Probe Request
2. Access Point -> Client: Probe Response
3. Client -> Access Point: Association Request
4. Access Point -> Client: Association Response
What’s the problem with RF?
Wireless signals don’t STOP at your walls.
Wi-Fi is like putting an Ethernet jack in your parking lot.
San Francisco – Peter Shipley
http://www.dis.org/filez/openlans.pdf
Image courtesy: Computerworld
Wardriving: Tools & Techniques
Wardriving Trivia
“Wardriving”, “Access Point Discovery”, “LAN Jacking”, “WLAN Mapping”, etc.
War Games, the 1983 movie, introduced “War Dialing”.
Wardriving: Tools & Techniques
WarChalking
Images courtesy: http://www.warchalking.org
Wardriving: Tools & Techniques
WarFlying?
Images courtesy: http://www.arstechnica.com/wankerdesk/3q02/warflying-1.html
Wardriving: Tools & Techniques
WarStrollering?
Images courtesy: http://208.151.246.210/pictures/PersonalTelco/
Wardriving: Tools & Techniques
WarSailing?
Image courtesy: http://www.catalina42.org/war-sail/
Wardriving: Tools & Techniques
What’s next?
Discovering Wireless Networks
“Open Network”
Easy! Just listen for Management Beacons (or send probe requests with SSID set to the word “any”).
[Diagram: SSID = default; Attacker; Management Beacon]
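Added example (not from the original slides): a defender's audit of captured beacon frames, flagging the conditions this deck discusses: APs missing from your inventory (rogue), no WEP, and a default SSID. The frame builder, the sample BSSIDs and the DEFAULT_SSIDS list are constructed assumptions; frames are assumed to start at the 802.11 MAC header with no radiotap header or FCS.

```python
import struct

DEFAULT_SSIDS = {"default", "linksys"}   # assumed sample list of factory SSIDs

def parse_beacon(frame: bytes) -> dict:
    """Parse an 802.11 beacon that starts at the MAC header (no radiotap, no FCS)."""
    if len(frame) < 36:                  # 24-byte header + 12 bytes of fixed fields
        raise ValueError("too short for a beacon")
    fc, = struct.unpack_from("<H", frame, 0)
    if (fc >> 2) & 0x3 != 0 or (fc >> 4) & 0xF != 8:   # management type, beacon subtype
        raise ValueError("not a beacon")
    capab, = struct.unpack_from("<H", frame, 34)       # follows timestamp and interval
    ssid, pos = b"", 36
    while pos + 2 <= len(frame):                       # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        if pos + 2 + elen > len(frame):
            raise ValueError("truncated element")
        if eid == 0:                                   # element ID 0 carries the SSID
            ssid = frame[pos + 2:pos + 2 + elen]
            break
        pos += 2 + elen
    return {"bssid": frame[16:22].hex(":"),
            "ssid": ssid.decode("utf-8", "replace"),
            "hidden": not any(ssid),                   # empty or all-NUL: "closed" network
            "privacy": bool(capab & 0x0010)}           # capability bit set when WEP is on

def audit(frames, authorized_bssids):
    """Return {bssid: [findings]} for each beacon that needs attention."""
    report = {}
    for raw in frames:
        ap = parse_beacon(raw)
        checks = [("rogue", ap["bssid"] not in authorized_bssids),
                  ("no-wep", not ap["privacy"]),
                  ("default-ssid", ap["ssid"].lower() in DEFAULT_SSIDS)]
        findings = [name for name, hit in checks if hit]
        if findings:
            report[ap["bssid"]] = findings
    return report

def make_beacon(bssid: str, ssid: bytes, privacy: bool) -> bytes:
    """Build a constructed sample beacon so the audit runs offline."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0001 | (0x0010 if privacy else 0))
    return hdr + fixed + bytes([0, len(ssid)]) + ssid + bytes([3, 1, 6])

SAMPLE = [make_beacon("00:11:22:33:44:55", b"corp", True),      # known AP
          make_beacon("00:11:22:33:44:66", b"", True),          # known AP, closed
          make_beacon("aa:bb:cc:dd:ee:ff", b"default", False)]  # not in inventory
```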
Discovering Wireless Networks
“Closed Network”
You must get “lucky” and catch a legitimate association.
[Diagram: SSID = ???; Attacker; Wireless Client; Probe Request, Probe Response, Association Request, Association Response]
Discovering Wireless Networks
“Closed Network”
or… if you get impatient… spoof a disassociate frame
[Diagram: SSID = ???; Attacker; Wireless Client (Associated); Disassociate]
Discovering Wireless Networks
“Closed Network”
or… if you get impatient… spoof a disassociate frame
[Diagram: SSID = ???; Attacker; Wireless Client; Probe Request, Probe Response, Association Request, Association Response]
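Added example (not part of the original slides): one heuristic a wireless IDS can use to spot the spoofed disassociate frame described above, by checking that each disassociate continues the sender's 802.11 sequence counter. The tuple layout, addresses, sample capture and max_gap threshold are constructed assumptions.

```python
SEQ_MOD = 4096               # 802.11 sequence numbers are 12 bits wide
DISASSOC, DEAUTH = 10, 12    # management frame subtypes

def find_forged_disassoc(frames, max_gap=64):
    """frames: (time, transmitter, receiver, subtype, seq) tuples in capture order.

    A forged disassociate borrows the AP's address but not its sequence
    counter, so its sequence number lands far from the AP's last real frame.
    max_gap (an assumed tolerance) allows for frames the sensor missed.
    """
    last_seq, alerts = {}, []
    for t, ta, ra, subtype, seq in frames:
        prev = last_seq.get(ta)
        if prev is not None and subtype in (DISASSOC, DEAUTH):
            gap = (seq - prev) % SEQ_MOD          # forward distance, wrap-safe
            if gap > max_gap:
                alerts.append({"time": t, "claimed_from": ta, "victim": ra,
                               "seq": seq, "expected_after": prev})
                continue                          # keep the forgery out of the counter
        last_seq[ta] = seq
    return alerts

AP, CLIENT = "00:11:22:33:44:55", "00:aa:bb:cc:dd:01"   # constructed addresses
BCAST = "ff:ff:ff:ff:ff:ff"
# Constructed capture: beacons (subtype 8) wrap from 4095 to 0, one forged
# disassociate appears mid-stream, and a genuine one follows later.
SAMPLE = [
    (0.00, AP, BCAST, 8, 4094),
    (0.10, AP, BCAST, 8, 4095),
    (0.20, AP, BCAST, 8, 0),
    (0.25, AP, CLIENT, DISASSOC, 1207),   # forged: counter was at 0
    (0.30, AP, BCAST, 8, 1),
    (0.40, AP, CLIENT, DISASSOC, 2),      # genuine: continues the counter
]
```

The check is a heuristic: a sensor that misses more than max_gap consecutive frames from a sender will raise a false alert, so tune the threshold to the capture quality.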
Wardriving: Tools & Techniques
Hardware – Wireless NIC Chipsets
ADMtek: Abocom, Accton, Addtron, Belkin, D-Link, Hawking Tech, SMC, 3Com, Trendware, Xterasys
Aironet (Cisco): Cisco, Xircom
Atheros: Accton, Actiontec, D-Link, Enterasys, GemTek, IBM, Intel, Linksys, Netgear, Philips, Proxim, Senao/Engenius, SMC, 3Com, Z-com
Atmel: Accton, Actiontec, Dell, Belkin, Cnet, Compaq, D-Link, GemTek, Hawking Tech, Intel, Linksys, Netgear, SMC, 3Com, Trendware, Z-com
Broadcom: Apple, Belkin, Buffalo, Dell, GemTek, Linksys, Microsoft, Motorola, Trendware
Orinoco: Apple, Buffalo, Compaq, D-Link, Dell, Enterasys, HP, Lucent/Agere, Proxim, Sony, 2Wire
Prism: Abocom, Accton, Actiontec, Belkin, Buffalo, Compaq, D-Link, Dell, Gateway, GemTek, Hawking Tech, Intel, Linksys, Netgear, Proxim, Senao/Engenius, SMC, 3Com, Trendware, US Robotics, Z-com
Realtek: Abocom, Accton, Belkin, Bromax, D-Link, Linksys, Netgear, Zonet
A very complete list: http://www.linux-wlan.org/docs/wlan_adapters.html.gz
Wardriving: Tools & Techniques
Hardware – Wireless NIC Chipsets
Hermes (Lucent): Orinoco, Toshiba, Cabletron, Dell, Compaq WL110, IBM, Apple
Prism (Intersil): Dlink, Linksys, SMC, Addtron, Compaq WL100, Netgear, Gemtek, Zoom, Samsung, Senao
Airo (Cisco): Cisco, Xircom, Dell
Wardriving: Tools & Techniques
Hardware – Pigtails
Wardriving: Tools & Techniques
Hardware – Antennas
Wardriving: Tools & Techniques
Hardware – GPS
Wardriving: Tools & Techniques
Software – Netstumbler
http://www.netstumbler.com
FREE
Notebook & PDA Version
Windows 2000, XP
Orinoco, Prism Chipset
“Most” Cards Work w/XP (YMMV)
GPS Support
Wardriving: Tools & Techniques
Software – APSniff
http://www.bretmounet.com/apsniff
FREE
Notebook Version
Windows 2000 Only
Prism Chipset
Wardriving: Tools & Techniques
Software – Aerosol
http://www.stolenshoes.net/sniph/aerosol.html
FREE
Notebook Version
Windows
Prism & Hermes Chipset
Wardriving: Tools & Techniques
Software – Pocket Warrior
http://www.pocketwarrior.org
FREE
PDA Version
PocketPC 2002 (ARM, SH3, MIPS)
Prism Chipset
Wardriving: Tools & Techniques
Software – Wireless Security Auditor (IBM)
http://www.research.ibm.com/gsal/wsa
“Research Prototype” (not released)
Notebook & PDA Version
Linux
Cisco, Prism 2 Chipset
Wardriving: Tools & Techniques
Software – Kismet
http://www.kismetwireless.net
FREE
Notebook & PDA Version
Linux
Cisco, Prism, ADMTek, TI, Atheros, Orinoco Chipset
GPS Support
Wardriving: Tools & Techniques
Software – dStumbler
http://www.dachb0den.com/projects/bsd-airtools.html
FREE
Notebook Version
*BSD
Prism 2 Chipset
Wardriving: Tools & Techniques
Software – AirMagnet
http://www.airmagnet.com
$3,495 MSRP
Notebook & PDA Version
Windows, PocketPC
Only works with bundled WLAN card
Wardriving: Tools & Techniques
Software – Stumbverter
http://www.sonar-security.com
FREE
Imports Data from NetStumbler
Requires Microsoft MapPoint 2002
Windows
Wardriving: Tools & Techniques
All-in-one bootable CD’s
WarLinux (http://sourceforge.net/projects/warlinux)
WarBSD (http://digiflux.org/warbsd/)
Knoppix (http://www.knopper.net/knoppix/index-en.html)
Wardriving: Tools & Techniques
Wireless Packet Sniffers
Ethereal (http://www.ethereal.com)
Packetyzer (http://www.packetyzer.com)
WildPackets – Airopeek (http://www.wildpackets.com)
Finisar – Surveyor Wireless (http://www.finisar.com)
Network Associates – Sniffer Wireless (http://www.sniffer.com)
Wardriving: Tools & Techniques
Wireless Packet Sniffers
PDA Version: Airscanner (requires Pocket PC 2002)
http://airscanner.com/downloads/sniffer/sniffer.html
Wardriving: Tools & Techniques
Vehicles
Wardriving: Tools & Techniques
Wardriving “Built-In” to XP?
Source: http://www.infoworld.com/articles/op/xml/02/07/22/020722opcurve.xml
Snippet: For all his success at bringing Microsoft's warring constituencies together, there are still things beyond Bill and Steve's control. "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer.
"Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."
Stumbler Code of Ethics v0.1
1. Obey traffic laws. It's your community too, the traffic laws are there for everyone's safety, besides, doing doughnuts at 3am gets unwanted attention from the authorities.
2. Obey private property and no-trespassing signs. Don't trespass in order to scan an area. That's what the directional antenna is for :) You wouldn't want people trespassing on your property would you?
3. Don't connect. The vast majority of AP's out there were not intended by their owners to be accessed by you, even if they configured it so you could access it if you wanted to. There is much legal question as to the trouble you can get into for accessing a network through a misconfigured AP. Also it's a matter of respect, you wouldn't want people rooting through your computers just because you happened to make a mistake, so don't do it to them.
4. Don't use your data for personal gain. Share the data with like-minded people, show it to people who can change things for the better, but don't try and make any money or status off your data. It's just wrong to expect these people to reward you for pointing out their own stupidity.
5. Don't warchalk other people's networks. Only chalk your own if you want to indicate your willingness to share access. If you chalk some stranger's network, it dilutes the use of the symbols to indicate free access. If you’re a business and you have a public AP and a non-public one, indicate with the open one, but also indicate the closed one with the closed symbol, differentiating them so people know the difference.
6. Be like that hiker motto; 'Take only pictures, leave only footprints'. Stumblers should 'Take only SSID's, leave only tire marks'. Leaving tire marks by not loitering and moving on is better than leaving a log entry by doing something stupid.
These are by no means rules that must be followed, but they are a collection of suggestions for safe, ethical, and legal stumbling. I encourage you to follow them.
http://www.renderlab.net/projects/wardrive/ethics.html
By Renderman, [email protected]
Wardriving: Tools & Techniques
Disabling TCP/IP
http://www.worldwidewardrive.org/nodhcp.html
Summary
Wireless signals don’t stop at your walls
Use an omni antenna
When choosing a WLAN card:
– What chipset does it use?
– Is there an external antenna connector?
Use Netstumbler/Kismet/dStumbler
– Or, a protocol analyzer
Don’t forget to unbind your TCP/IP stack!!!
Questions?
Lee Barken, CISSP, MCP, CCNA, CPA
Co-Director, STAR Center, San Diego State University
http://starcenter.sdsu.edu
President, SoCalFreeNet.org
http://www.SoCalFreeNet.org
E-mail: [email protected]