The Art of casual WiFi hacking
Jeremy Martin, CISSP-ISSAP, NSA-IAM/IEM, CEH
It is a cloudy Friday night and I am listening to another episode of 2600's "Off the Hook" radio when the interruption of the phone catches my attention. I had been expecting the call from my colleague, because I needed help with some new proof-of-concept ideas for a penetration test I have the following week. During the conversation, we eagerly decided to head out for the night to Wardrive the area. Wardriving is always a good excuse to test new programs and ideas. We position both laptops for optimal WiFi signal and easy access to the GPS devices, and secure them for the least amount of movement while driving. Right before we leave, we make sure the power converter is turned on and the systems are plugged in. To cover all our bases, one laptop runs Windows XP Pro, NetStumbler, and Cain & Abel, while the second system has Suse 9.2 Linux with Kismet, AirSnort, Aircrack, and Void11. Using two devices with such different environments improves success while surveying, or "footprinting", the WiFi in an area.
Here is where the fun begins. After driving for a few miles, we enter a well-lit street in the business section of town, and hear the ping of live access points every few seconds. Even though we have been doing this for years, we are both amazed at the percentage of companies that employ WiFi without implementing any sort of encryption. This allows us to park and let Kismet do what it does best... passively listen to network traffic running over the 802.11 signal. We are able to map several subnets and gather other interesting information being broadcast to the public. At the end of the night, we were able to gather over 127 WiFi hotspots after only driving seventeen miles round trip. With this type of information gathered, playtime for hackers begins.

Wardriving
Also referred to as "Geek's catch and release fishing", this is the act of driving around and scanning for open WiFi hotspots. It is considered a sport in many circles and is growing in popularity across the globe.

Warwalking
Similar to Wardriving, but on foot. There are many PDA devices that will allow you to install wireless and network auditing tools.
Wardriving is done for many reasons. Some do it as a social activity with friends. Others Wardrive as a community service to increase awareness, as a business model to secure networks for profit, or even to commit the dreaded criminal acts of spreading viruses, hacking, or fraud.
The Gear

Windows system:
♦ Acer Aspire 1520 laptop
♦ Riklen GPS
♦ FM Modulator
♦ Windows XP Pro
♦ NetStumbler
♦ Cain & Abel
♦ MS Streets & Trips

Linux system:
♦ Acer Travelmate
♦ Microsoft MN-520
♦ Suse Linux 9.2
♦ Kismet
♦ AirSnort
♦ Void11
Wardriving does not take a long list of special tools and equipment. Above is a list of equipment I use and have found to work; it is not a requirements list. Almost any WiFi-enabled Windows machine can scan for hotspots right out of the box by installing either Cain or NetStumbler. Linux is another story. Since the Linux environment allows for more direct access to the hardware, there are more items to consider. These include Linux compatibility, correct drivers, and knowledge of iwconfig or a similar configuration utility for putting the card in promiscuous mode. Many "Live Linux" distributions take care of most of the work for you if the WiFi card has a compatible chipset. The most common and well-known WiFi chipset for Linux use is the PRISM 2. The Orinoco Gold card became very popular because of its ease of use and its ability to work with most Linux environments out of the box. You can use most Windows-based cards in a Linux environment by using an NDIS driver, but they will not work for scanning purposes because of the inability to access the hardware directly.
The problem you may come across is that most Windows-based scanning utilities use a method called "active scanning" because of their limited access to the hardware. When scanning for WiFi using an active scanning method, your device sends out a request on every channel and logs all replies. The traffic produced can be immense and is also noisy. Anyone set up to listen for incoming connections will instantly know you are scanning because of this.
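The noise of active scanning is exactly what gives it away to a listener. The following added example (not from the article or any of the tools it lists) parses the frame control field of raw 802.11 management frames, separates probe requests from beacons, and flags any transmitter sending an unusual number of probe requests; the frames and MAC addresses are constructed here for illustration.

```python
"""Spot active 802.11 scanners by probe-request volume (added example, constructed data)."""
from collections import Counter

PROBE_REQUEST = (0, 4)   # type 0 = management, subtype 4
BEACON = (0, 8)          # type 0 = management, subtype 8


def parse_mgmt_frame(frame: bytes) -> dict:
    """Decode type/subtype, transmitter MAC and the SSID element of a management frame."""
    fc = frame[0]
    ftype = (fc >> 2) & 0x3          # bits 2-3 of the first frame-control byte
    subtype = (fc >> 4) & 0xF        # bits 4-7
    src = ":".join(f"{b:02x}" for b in frame[10:16])   # Address 2 = transmitter
    ssid = None
    if (ftype, subtype) in (PROBE_REQUEST, BEACON):
        # Probe request body is tagged IEs from byte 24; a beacon carries 12 fixed bytes first.
        body = 24 if (ftype, subtype) == PROBE_REQUEST else 36
        if len(frame) >= body + 2 and frame[body] == 0:     # element ID 0 = SSID
            ssid_len = frame[body + 1]
            ssid = frame[body + 2: body + 2 + ssid_len].decode("utf-8", "replace")
    return {"type": ftype, "subtype": subtype, "src": src, "ssid": ssid}


def flag_active_scanners(frames, threshold=5) -> dict:
    """Return {transmitter MAC: probe-request count} for stations at or above the threshold."""
    counts = Counter()
    for f in frames:
        p = parse_mgmt_frame(f)
        if (p["type"], p["subtype"]) == PROBE_REQUEST:
            counts[p["src"]] += 1
    return {mac: n for mac, n in counts.items() if n >= threshold}


def build_mgmt(subtype: int, src: bytes, ssid: bytes = b"") -> bytes:
    """Build a minimal constructed management frame: 24-byte header, fixed fields, SSID IE."""
    fc = bytes([subtype << 4, 0])                       # management type, given subtype
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + src + b"\xff" * 6 + b"\x00\x00"
    fixed = b"\x00" * 12 if subtype == 8 else b""       # beacon: timestamp, interval, caps
    return hdr + fixed + bytes([0, len(ssid)]) + ssid


# Constructed sample capture: one chatty scanner (wildcard SSID, 8 probes), one normal
# client (1 probe), and an access point beaconing its SSID.
SCANNER, CLIENT, AP = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", b"\xaa\xbb\xcc\xdd\xee\xff"
SAMPLE_FRAMES = ([build_mgmt(4, SCANNER)] * 8
                 + [build_mgmt(4, CLIENT, b"HomeNet")]
                 + [build_mgmt(8, AP, b"CorpNet")] * 3)

if __name__ == "__main__":
    print(flag_active_scanners(SAMPLE_FRAMES))   # {'00:11:22:33:44:55': 8}
```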
NetStumbler is an active Windows-based scanner that produces the information you need for mapping WiFi hotspots, including SSID, encryption, and GPS coordinates. Since the program constantly screams out "ARE THERE ANY ACCESS POINTS OUT THERE", the responses are more abundant. One of the issues you may come across is that the traffic is so chatty that other devices scanning nearby may get spammed by fake access points. NetStumbler is not self-contained; it uses Windows drivers to access the WiFi card, causing Wireless Zero Configuration to shut down when run. Wireless Zero Configuration in WinXP allows the operating system to find available WiFi networks, so this is a problem for connecting to an access point while Wardriving. The easiest way to resolve this is to save the NetStumbler data, close the program, and refresh the available networks.