Wireless networking - Wardriving
Wardriving HOWTO (Un-official)
Fred fred@wardriving.com
$Revision: 1.0
$Date: 2002/04/09 01:51:14
This document functions as a starting guide to exploring wireless networks
from a legal, ethical and security point of view. I hereby claim absolutely
no responsibility for the manner in which this information is used.
Information is neither inherently good nor evil, but how people choose to use
that information makes them good or evil.
Table of Contents
1. Introduction & Background
1.1 Introduction
1.2 Copyright
1.3 Wardriving.com
1.4 Other Resources
2. What do I need to go Wardriving?
2.1 Computers
2.2 Wireless Cards
2.3 Antennas
2.4 Software
2.5 GPS: Why should I have a GPS unit?
3. Why are people wardriving?
3.1 Is it legal?
3.2 What can be done to stop it?
1. Introduction & Background
1.1 Introduction
The 802.11 networking standard, also known as "Wireless Ethernet", WiFi and
Wireless LAN, has become very popular with Internet users and corporations
looking for a cost-effective LAN extension that is easy to implement and
provides reliable service. The most popular implementation (as of April 2002)
is 802.11b, the 2.4 GHz, 11 Mbit/s wireless LAN variety. 802.11b encompasses
all of the aforementioned characteristics, yet poorly implements one of the
most fundamental aspects of networking: security. What is the point of
providing this type of service to your employees or even your family if you
cannot guarantee that their communications are secure? At least with a
wireless phone, someone cannot drive by your house and rack up your phone
bill. This is exactly the problem with Wireless Ethernet. People can drive,
walk or otherwise approach the area in which the wireless equipment can
transmit, and share your Internet access or connect to your computer. This
process is known as "wardriving", or "LAN jacking".
1.2 Copyright Wardriving.com 2002. All rights reserved.
Redistribution and use, with or without modification, are permitted provided
that the name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
The author disclaims all warranties with regard to this document, including
all implied warranties of merchantability and fitness for a certain purpose;
in no event shall the author be liable for any special, indirect or
consequential damages or any damages whatsoever resulting from loss of use,
data or profits, whether in an action of contract, negligence or other
tortious action, arising out of or in connection with the use of this
document.
Windows is a trademark of Microsoft Corp.
Linux is a trademark of Linus Torvalds.
All other trademarks are the property of their respective owners.
1.3 Wardriving.com
Wardriving.com was started in April of 2001 following the news report of
wardriving by Pete Shipley and its rise in popularity. The site is a one-man
operation; it exists to further spread knowledge about wireless security and
to relay news articles from various sources. It consists mainly of links and
short writings on the subject. This HOWTO shall serve as an introduction to
the activity known as "wardriving". For the beginner this will be a good
source of starting information, but many of the links listed in the next
section will also be very helpful.
1.4 Other Resources
Here are links to other HOWTOs and relevant documents.
The Linux Wireless LAN HOWTO
http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/
The Wireless HOWTO
http://www.ibiblio.org/pub/Linux/docs/HOWTO/Wireless-HOWTO
The Linux Laptop HOWTO
http://www.ibiblio.org/pub/Linux/docs/HOWTO/Laptop-HOWTO
The Linux PCMCIA HOWTO
http://www.ibiblio.org/pub/Linux/docs/HOWTO/PCMCIA-HOWTO
NetStumbler - Windows and Hermes based wireless cards
http://www.netstumbler.org/index.php
2. What do I need to go Wardriving?
2.1 Computers
The minimum requirement is an easily transported computer, 486 or faster,
with a PCMCIA slot for the wireless card.
The recommended configuration is a Pentium 233 or better laptop with one free
PCMCIA slot for the wireless card and a serial port for the GPS.
The super-stealth configuration is a laptop or sub-notebook concealed within
a backpack with antenna and GPS attached.
A laptop is not required: if you have the space and capacity to take a
full-sized computer with you, then as long as you have a wireless card it
will work.
2.2 Wireless Cards
Wireless cards let your computer talk to other computers, much like an
Ethernet card or a modem, just without the wires. Most 802.11b cards come in
the PCMCIA form factor. Some original 802.11 gear consisted of SSAs (Single
Station Adapters), which acted as media translators between wireless and an
Ethernet card. However, the PCMCIA form is most popular. There are adapters
to fit these cards into full-size computers through the PCI or ISA bus. Linux
does work with the ISA variety, Windows with both ISA and PCI.
2.3 Antennas
Antennas are optional, but if you want to remain at a relatively safe
distance, or you simply cannot approach the effective area of the wireless
access point, then they are a must. Many companies that sell cards will also
sell you an antenna, but many cards do not come equipped with a jack to plug
an antenna into. So many people have resorted to modifying cards to add
jacks, or soldering wires to the built-in antennas of their cards. Those same
people are building antennas from everything from Pringles cans to PVC pipe.
These are mainly directional designs, more commonly known as "yagi" style
antennas. They focus the 2.4 GHz wave, usually through a condenser, to an
element specifically placed in the antenna. These designs can be quite
complicated, so prior experience with HAM radio or antenna building would be
a good idea.
2.4 Software
While this HOWTO mainly focuses on Linux, there are wardriving tools
available for Macintosh, Linux, BSD and Windows. There are many programs;
these are just a few notable ones, check wardriving.com for others.
NetStumbler is the most popular program for Windows and Lucent/Orinoco and
other Hermes-based chipset wireless cards. (http://www.netstumbler.org)
AirSnort is a Linux program that breaks WEP encryption with Prism2-based
chipset cards. (http://airsnort.shmoo.com/)
Wellenreiter is a Linux sniffer that works with both Hermes and Prism2 cards.
(http://www.remote-exploit.org)
AP Scanner is a Macintosh program. (http://homepage.mac.com/typexi/Personal1.html)
Mognet is a Java-based program and is portable. (http://www.chocobospore.org/)
2.5 GPS:Why should I have a GPS unit?
A question that I hear often. The GPS unit is used to output GPS coordinates
to the computer's serial port. When you find a wireless LAN, many programs
will log the exact coordinates (down to a few feet) of the effective range of
that wireless LAN. The standard protocol is called NMEA, and the unit will
continuously dump sentences to a serial port, via a special cable, at
9600,8,N,1. This is an optional piece of equipment if you have a good memory
or street signs to look at, but if you want to cover a large area in a short
amount of time, or are doing this alone, it is essential. Most GPS units run
from $100 on up to the thousands. The Garmin eTrex is nice for its size and
the 12V + serial cable.
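As an added example (not part of the HOWTO), the following Python shows what the logging programs mentioned above do with the serial stream: it verifies the checksum that ends each NMEA 0183 sentence, converts the $GPGGA position fields from degrees-and-minutes to decimal degrees, and keeps only sentences that carry a real satellite fix. The sample sentences are constructed (one is deliberately corrupted), and the function names are my own. To read a real unit, feed it lines from the serial port opened at 9600 baud, 8N1, which are pyserial's defaults for `serial.Serial(port, 9600)`.

```python
# Constructed sample input: three $GPGGA sentences as a GPS unit would emit
# them over the serial cable at 9600,8,N,1.
SAMPLE_LINES = [
    # good fix: quality 1, 8 satellites, checksum 0x47 is correct
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",
    # corrupted in transit: fix fields changed but the checksum was not updated
    "$GPGGA,123519,4807.038,N,01131.000,E,0,00,0.9,545.4,M,46.9,M,,*47",
    # well-formed sentence with a correct checksum, but no satellite fix (quality 0)
    "$GPGGA,123519,4807.038,N,01131.000,E,0,00,0.9,545.4,M,46.9,M,,*4E",
]


def nmea_checksum(sentence):
    """XOR of every byte between the leading '$' and the '*' (NMEA 0183 checksum)."""
    body = sentence[1:sentence.rindex("*")]
    checksum = 0
    for byte in body.encode("ascii"):
        checksum ^= byte
    return checksum


def verify_nmea(sentence):
    """True when the two hex digits after '*' match the computed checksum."""
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    tail = sentence[sentence.rindex("*") + 1:].strip()
    if len(tail) != 2:
        return False
    try:
        return nmea_checksum(sentence) == int(tail, 16)
    except ValueError:
        return False


def dm_to_decimal(field, hemisphere):
    """Convert NMEA ddmm.mmmm (latitude) or dddmm.mmmm (longitude) to signed
    decimal degrees; S and W are negative."""
    value = float(field)
    degrees = int(value // 100)
    minutes = value - degrees * 100
    decimal = degrees + minutes / 60.0
    return -decimal if hemisphere in ("S", "W") else decimal


def parse_gga(sentence):
    """Parse a checksum-verified $GPGGA sentence into a dict, or return None."""
    if not verify_nmea(sentence):
        return None
    fields = sentence[1:sentence.rindex("*")].split(",")
    if fields[0] != "GPGGA" or len(fields) < 8:
        return None
    if not fields[2] or not fields[4]:
        return None  # receiver has no position to report yet
    return {
        "time_utc": fields[1],
        "lat": dm_to_decimal(fields[2], fields[3]),
        "lon": dm_to_decimal(fields[4], fields[5]),
        "fix_quality": int(fields[6]),  # 0 = no fix, 1 = GPS fix, 2 = DGPS fix
        "satellites": int(fields[7]),
    }


def log_valid_fixes(lines):
    """Return the fixes worth logging: checksum verified and fix quality > 0.
    Corrupted sentences and no-fix sentences are dropped rather than logged
    as bogus coordinates."""
    fixes = []
    for line in lines:
        fix = parse_gga(line.strip())
        if fix is not None and fix["fix_quality"] > 0:
            fixes.append(fix)
    return fixes


if __name__ == "__main__":
    for fix in log_valid_fixes(SAMPLE_LINES):
        print("%s  lat=%.5f lon=%.5f sats=%d" % (
            fix["time_utc"], fix["lat"], fix["lon"], fix["satellites"]))
```

Of the three constructed sentences only the first survives: the second fails the checksum and the third has no fix, which is exactly the filtering a logger needs so that a glitchy cable or a cold-starting receiver does not leave bad coordinates in the log.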
3. Why are people Wardriving?
3.1 Is it legal?
There is no cut-and-dried answer to this question, but simply driving around
a city searching for the existence of wireless networks, with no ulterior
motive, cannot be deemed illegal. However, if you are searching for a place
to steal Internet access, or to commit computer crimes, then the wardriving
you performed was done in a malicious manner and could be treated as such in
court. Don't forget that in the US, simply receiving radio transmissions on
the cellular telephone frequencies (895-925 MHz) is illegal; a similar law
could be written to discourage this, but that isn't likely.
As with any questionable activity, there are always two sides. Whether you
agree or disagree with the whole practice makes no difference to me, but in
the future, legal proceedings and violations may be related to wardriving.
Technology is not bound to ethics. It is the application and use (or abuse)
of that technology that brings ethics into it. To get back to the question:
this technology is not really new (802.11 IEEE Standard - 1997), but this is
the peak of its popularity. And at this peak it's good to get the kinks
worked out, and the security of wireless Ethernet is a pretty huge kink.
WEP (Wired Equivalent Privacy) uses up to 128-bit RC4 encryption, but it was
implemented wrong, so now it makes no difference whether or not you use it;
it's vulnerable. There are few built-in mechanisms that provide security. Not
broadcasting the ESSID is a start, but a sniffer can pick it up; anything
else is left to third-party devices.
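The paragraph above says WEP "was implemented wrong" without saying how. The example below is added here and is not from the HOWTO; it illustrates one of the documented design flaws, the reason key length does not rescue it. WEP forms each packet's RC4 key by prepending a 24-bit IV, sent in the clear, to the shared key. RC4 is a stream cipher, so two packets encrypted under the same IV and key use the same keystream, and XORing their ciphertexts cancels that keystream and leaves the XOR of the two plaintexts; with only 2^24 IVs, a repeat is expected after a few thousand packets. The RC4 implementation, the toy 40-bit key and the plaintexts are constructed for the demonstration, the CRC-32 integrity value that real WEP appends is omitted, and the function names are mine.

```python
import math


def rc4_keystream(key, length):
    """Generate `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv, shared_key, plaintext):
    """Toy WEP framing (constructed simplification): per-packet RC4 key is
    IV || shared key, and the 3-byte IV is transmitted in the clear ahead of
    the ciphertext. Real WEP also appends a CRC-32 ICV, omitted here."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def keystream_reuse_xor(frame1, frame2):
    """Show the consequence of an IV repeat: when two frames carry the same
    IV they were encrypted with the same keystream, so XORing their payloads
    cancels the keystream and yields plaintext1 XOR plaintext2. Returns None
    when the IVs differ, because the keystreams then differ as well."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def expected_frames_until_iv_repeat(iv_bits=24):
    """Birthday-bound estimate of how many frames with random IVs are sent
    before the first IV repeats: roughly sqrt(pi * N / 2) for N possible IVs."""
    n = 2 ** iv_bits
    return math.sqrt(math.pi * n / 2)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")      # constructed 40-bit shared key
    iv = bytes.fromhex("aabbcc")           # constructed IV that gets reused
    p1 = b"temperature=21.5"               # constructed plaintexts, equal length
    p2 = b"humidity=47.0%  "
    f1 = wep_encrypt(iv, key, p1)
    f2 = wep_encrypt(iv, key, p2)
    leak = keystream_reuse_xor(f1, f2)
    print("ciphertext XOR equals plaintext XOR:", leak == xor_bytes(p1, p2))
    print("frames until an IV repeats (approx): %d" % expected_frames_until_iv_repeat())
```

The 128-bit variant only lengthens the shared key; the IV stays 24 bits and the keystream-reuse problem is unchanged, which is why the countermeasures in the next section (tunneling and authentication layered over the link) are the right response rather than a longer WEP key.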
3.2 What can be done to stop it?
This is also not an easy question. There are some answers: don't use it, wait
for 802.11a, use tunneling or another authentication mechanism. If you have
determined that the information that will be transferred between your
computer and an access point will not contain any personal or confidential
data, then there's no problem in using the technology. Although, being blind
to the fact that anyone can share your network is no excuse when someone
pilfers your credit card number or cracks their way into your computers and
across the Internet. I haven't made that decision, but I will not set up an
access point on my internal network.
As far as third-party devices go, there are new technologies that are
hardware-based and permit only certain authenticated hosts to use that
connection, and provide separate encryption. There are also software
solutions, from RADIUS to PPPoE, PPTP and IPsec, and using a firewall in
connection with any of these technologies will help. Placing the access
point on a DMZ and using tunneling to encrypt and authenticate users is the
most secure solution, next to waiting for something better.