Wardriving: Tools & Techniques


War Driving
SecureSD Fall 2004
Tuesday, November 16th
2PM-3:30PM
Lee Barken, CISSP, MCP, CCNA, CPA
Co-Director, STAR Center, San Diego State University
http://starcenter.sdsu.edu
President, SoCalFreeNet.org
©2004 Lee Barken
http://www.SoCalFreeNet.org
Why are we here?
• Why Do People War Drive?
• Antenna Basics
• Understanding the Protocol
• Wardriving Tools & Techniques

Code of Ethics for Security Professionals

Act with honesty, integrity and professionalism at all times.

Personal curiosity is not an excuse to break the law.

Respect the power of information and be willing to share your
knowledge for the advancement of the security field and the
protection of society.

Honor and maintain the confidentiality of all client information that
may be discovered during the course of an engagement.

Remember that even the smallest appearance of impropriety may
result in damage to your reputation and the credibility of our
profession.

If a little voice in your head tells you that you might not be doing
the right thing—listen to that voice.
Why Do People War Drive?
“Good guys and not so good guys”
• Because it’s fun
• To learn about wireless technology
• Looking for a place to check e-mail
• Defending our network/Look for rogue APs
• To gain unauthorized access / launch attacks / other criminal activity

World Wide War Drive 4
• WWWD4: June 12-19, 2004
• Total APs found: 228,537
• No WEP: 140,890 (61.6%)
• Default SSID: 71,805 (31.4%)

World Wide War Drive 4
• In San Diego: 2 people
• Total APs found: 19,148
• No WEP: 11,962 (62.47%)
• Default SSID: 7,769 (40.57%)

Antenna Basics
Antennas do not “amplify” the signal; they merely “focus” the energy in a particular direction.
Images courtesy: “Designing a Wireless Network”, Syngress Publishing.

Antennas - Isotropic
Isotropic antenna: A hypothetical antenna that radiates or receives equally in all directions. Note: Isotropic antennas do not exist physically but represent convenient reference antennas for expressing directional properties of physical antennas.

Antennas - Omni
• 5 dBi, “Magnetic Mount”
• 9 dBi, 20 inches long
• 15.4 dBi, 70 inches long

Antennas – Patch, Panel, Sector
• 19 dBi; 15.5 inches square, 1.25 inches thick, 18 degree beam width
• 16.5 dBi; Beam Width: 95 Degrees (H), 7 Degrees (V)
• 9.3 dBi; 4.5 inches square, 60 degree beam width

Antennas – Parabolic Grid
• 24 dBi; 8 degree beam width, 42” X 24”

Antennas – Yagi
• 14.5 dBi, 18 inches long
• 12 dBi, 16 inches long
• 14 dBi

Antennas – Phased Array
Antennas – Pringles Can

Understanding the Protocol
Association
• “Open Network”
• “Closed Network”
(For simplification, I’m leaving out the “authentication” step in this presentation)

“Open Network”
Access Point → Client: Management Beacon
Client → Access Point: Association Request
Access Point → Client: Association Response

“Closed Network”
Client → Access Point: Probe Request
Access Point → Client: Probe Response
Client → Access Point: Association Request
Access Point → Client: Association Response

What’s the problem with RF?
• Wireless signals don’t STOP at your walls.
• Wi-Fi is like putting an Ethernet jack in your parking lot.
San Francisco – Peter Shipley
http://www.dis.org/filez/openlans.pdf
Image courtesy: Computerworld

Wardriving: Tools & Techniques
Wardriving Trivia
• “Wardriving”
• “Access Point Discovery”
• “Lan Jacking”
• “WLAN Mapping”
• etc.
• War Games, 1983 movie introduced “War Dialing”.

WarChalking
Images Courtesy: http://www.warchalking.org

WarFlying?
Images Courtesy: http://www.arstechnica.com/wankerdesk/3q02/warflying-1.html

WarStrollering?
Images Courtesy: http://208.151.246.210/pictures/PersonalTelco/

WarSailing?
Image courtesy: http://www.catalina42.org/war-sail/

What’s next?

Discovering Wireless Networks
“Open Network”
• Easy! Just listen for Management Beacons.
• (or send probe requests with SSID set to the word “any”)
[Diagram: Management Beacon, SSID = default]

“Closed Network”
• You must get “lucky” and catch a legitimate association.
[Diagram: Wireless Client, SSID = ???; Probe Request, Probe Response, Association Request, Association Response]

“Closed Network”
• or… if you get impatient… spoof a disassociate frame
[Diagram: Associated Wireless Client, SSID = ???; then Probe Request, Probe Response, Association Request, Association Response]

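An added example (not from the original slides): a minimal Python parser for the beacon, probe response and association request frames named above, run over constructed sample frames. It shows that a “closed” network’s beacon omits the SSID while the other frames carry it in cleartext, so SSID cloaking is not an access control. The BSSIDs, the SSID `corp-wlan` and the helper names are assumptions; frames are assumed to start at the 802.11 header (no radiotap header, no FCS).

```python
import struct

# subtype -> (name, fixed-field length, offset of the capability field)
SUBTYPES = {0: ("assoc-req", 4, 0), 5: ("probe-resp", 12, 10), 8: ("beacon", 12, 10)}
HDR_LEN = 24      # frame control, duration, three addresses, sequence control
PRIVACY = 0x0010  # capability bit: WEP required

def parse_mgmt(frame):
    """Return (subtype name, BSSID, SSID or None if cloaked/absent, WEP flag)."""
    if len(frame) < HDR_LEN or (frame[0] >> 2) & 3 or frame[0] >> 4 not in SUBTYPES:
        raise ValueError("not a handled 802.11 management frame")
    name, fixed, cap_off = SUBTYPES[frame[0] >> 4]
    body = frame[HDR_LEN:]
    if len(body) < fixed:
        raise ValueError("truncated fixed fields")
    wep = bool(struct.unpack_from("<H", body, cap_off)[0] & PRIVACY)
    ssid, pos = None, fixed
    while pos + 2 <= len(body):              # walk tag/length/value elements
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                            # truncated element: stop here
        if tag == 0:                         # element 0 is the SSID
            if value.strip(b"\x00"):         # empty or all-NUL means cloaked
                ssid = value.decode("utf-8", "replace")
            break
        pos += 2 + length
    return name, frame[16:22].hex(":"), ssid, wep

def survey(frames):
    """Fold frames into {bssid: {"ssid", "cloaked", "wep"}}."""
    seen = {}
    for f in frames:
        name, bssid, ssid, wep = parse_mgmt(f)
        ap = seen.setdefault(bssid, {"ssid": None, "cloaked": False, "wep": None})
        if name == "beacon":
            ap["cloaked"], ap["wep"] = ssid is None, wep
        if ssid is not None:
            ap["ssid"] = ssid                # learned from any frame that names it
    return seen

def sample(subtype, bssid, ssid, cap=0x0001):
    """Build a constructed frame (hypothetical helper, not captured traffic)."""
    hdr = bytes([subtype << 4, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\0\0"
    fixed = struct.pack("<HH", cap, 10) if subtype == 0 else bytes(8) + struct.pack("<HH", 100, cap)
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

OPEN_AP, CLOSED_AP = bytes.fromhex("001122334455"), bytes.fromhex("0011223344aa")
FRAMES = [sample(8, OPEN_AP, b"default"), sample(8, CLOSED_AP, b"", 0x0011),
          sample(0, CLOSED_AP, b"corp-wlan", 0x0011), sample(5, CLOSED_AP, b"corp-wlan", 0x0011)]
```

`survey(FRAMES)` reports the second access point as cloaked and WEP-enabled, yet with its SSID filled in from the association request.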
Hardware – Wireless NIC Chipsets
ADMtek: Abocom, Accton, Addtron, Belkin, D-Link, Hawking Tech, SMC, 3Com, Trendware, Xterasys
Aironet (Cisco): Cisco, Xircom
Atheros: Accton, Actiontec, D-Link, Enterasys, GemTek, IBM, Intel, Linksys, Netgear, Philips, Proxim, Senao/Engenius, SMC, 3Com, Z-com
Atmel: Accton, Actiontec, Dell, Belkin, Cnet, Compaq, D-Link, GemTek, Hawking Tech, Intel, Linksys, Netgear, SMC, 3Com, Trendware, Z-com
Broadcom: Apple, Belkin, Buffalo, Dell, GemTek, Linksys, Microsoft, Motorola, Trendware
Orinoco: Apple, Buffalo, Compaq, D-Link, Dell, Enterasys, HP, Lucent/Agere, Proxim, Sony, 2Wire
Prism: Abocom, Accton, Actiontec, Belkin, Buffalo, Compaq, D-Link, Dell, Gateway, GemTek, Hawking Tech, Intel, Linksys, Netgear, Proxim, Senao/Engenius, SMC, 3Com, Trendware, US Robotics, Z-com
Realtek: Abocom, Accton, Belkin, Bromax, D-Link, Linksys, Netgear, Zonet
A very complete list: http://www.linux-wlan.org/docs/wlan_adapters.html.gz

Hermes (Lucent): Orinoco, Toshiba, Cabletron, Dell, Compaq WL110, IBM, Apple
Prism (Intersil): Dlink, Linksys, SMC, Addtron, Compaq WL100, Netgear, Gemtek, Zoom, Samsung, Senao
Airo (Cisco): Cisco, Xircom, Dell

Hardware – Pigtails
Hardware – Antennas
Hardware – GPS

Software – Netstumbler
• http://www.netstumbler.com
• FREE
• Notebook & PDA Version
• Windows 2000, XP
• Orinoco, Prism Chipset
• “Most” Cards Work w/XP (YMMV)
• GPS Support

Software – APSniff
• http://www.bretmounet.com/apsniff
• FREE
• Notebook Version
• Windows 2000 Only
• Prism Chipset

Software – Aerosol
• http://www.stolenshoes.net/sniph/aerosol.html
• FREE
• Notebook Version
• Windows
• Prism & Hermes Chipset

Software – Pocket Warrior
• http://www.pocketwarrior.org
• FREE
• PDA Version
• PocketPC 2002 (ARM, SH3, MIPS)
• Prism Chipset

Software – Wireless Security Auditor (IBM)
• http://www.research.ibm.com/gsal/wsa
• “Research Prototype” (not released)
• Notebook & PDA Version
• Linux
• Cisco, Prism 2 Chipset

Software – Kismet
• http://www.kismetwireless.net
• FREE
• Notebook & PDA Version
• Linux
• Cisco, Prism, ADMTek, TI, Atheros, Orinoco Chipset
• GPS Support

Software – dStumbler
• http://www.dachb0den.com/projects/bsd-airtools.html
• FREE
• Notebook Version
• *BSD
• Prism 2 Chipset

Software – AirMagnet
• http://www.airmagnet.com
• $3,495 MSRP
• Notebook & PDA Version
• Windows, PocketPC
• Only works with bundled WLAN card

Software – Stumbverter
• http://www.sonarsecurity.com
• FREE
• Imports Data from NetStumbler
• Requires Microsoft MapPoint 2002
• Windows

All-in-one bootable CDs
• WarLinux (http://sourceforge.net/projects/warlinux)
• WarBSD (http://digiflux.org/warbsd/)
• Knoppix (http://www.knopper.net/knoppix/index-en.html)

Wireless Packet Sniffers
• Ethereal (http://www.ethereal.com)
• Packetyzer (http://www.packetyzer.com)
• WildPackets – Airopeek (http://www.wildpackets.com)
• Finisar – Surveyor Wireless (http://www.finisar.com)
• Network Associates – Sniffer Wireless (http://www.sniffer.com)
• PDA Version: Airscanner (requires Pocket PC 2002), http://airscanner.com/downloads/sniffer/sniffer.html

Vehicles

Wardriving “Built-In” to XP?
Source:
http://www.infoworld.com/articles/op/xml/02/07/22/020722opcurve.xml
Snippet:
For all his success at bringing Microsoft's warring constituencies together, there
are still things beyond Bill and Steve's control. "I was in a hotel in Sun Valley last
week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells
me there is a wireless network available. So I connect to something called
Mountaineer.
"Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know
whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him
up and said, 'Hey, come over to my room.' So soon everyone is there and
connecting to the Internet through my room."
Stumbler Code of Ethics v0.1
http://www.renderlab.net/projects/wardrive/ethics.html
By Renderman
These are by no means rules that must be followed, but they are a collection of suggestions for safe, ethical, and legal stumbling. I encourage you to follow them.
1. Obey traffic laws. It's your community too, the traffic laws are there for everyone's safety, besides, doing doughnuts at 3am gets unwanted attention from the authorities.
2. Obey private property and no-trespassing signs. Don't trespass in order to scan an area. That's what the directional antenna is for :) You wouldn't want people trespassing on your property would you?
3. Don't connect. The vast majority of AP's out there were not intended by their owners to be accessed by you, even if they configured it so you could access it if you wanted to. There is much legal question as to the trouble you can get into for accessing a network through a misconfigured AP. Also it's a matter of respect, you wouldn't want people rooting through your computers just because you happened to make a mistake, so don't do it to them.
4. Don't use your data for personal gain. Share the data with like-minded people, show it to people who can change things for the better, but don't try and make any money or status off your data. It's just wrong to expect these people to reward you for pointing out their own stupidity.
5. Don't warchalk other people's networks. Only chalk your own if you want to indicate your willingness to share access. If you chalk some stranger's network, it dilutes the use of the symbols to indicate free access. If you’re a business and you have a public AP and a non-public one, indicate with the open one, but also indicate the closed one with the closed symbol, differentiating them so people know the difference.
6. Be like that hiker motto; 'Take only pictures, leave only footprints'. Stumblers should 'Take only SSID's, leave only tire marks'. Leaving tire marks by not loitering and moving on is better than leaving a log entry by doing something stupid.

Disabling TCP/IP
http://www.worldwidewardrive.org/nodhcp.html
Summary
• Wireless signals don’t stop at your walls
• Use an omni antenna
• When choosing a WLAN card:
  – What chipset does it use?
  – Is there an external antenna connector?
• Use Netstumbler/Kismet/dStumbler
  – Or, a protocol analyzer
• Don’t forget to unbind your TCP/IP stack!!!

Questions?