What's New!

Chat with
Hackers

How to Defend
Your Computer 

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests (old stuff) 

Hacker Links 

Hacker
Wargames 

Meet the 
Happy Hacksters 

Help for 
Beginners 

Hacker 
Bookstore 

Humor 

It Sucks 
to Be Me!

How to Commit
Computer Crime (not)! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

... more Überhacker II, Chapter 18: Ethernet Hacking: Wireless and Wired LANs

Following are examples from a wardriving session by William Marchand of UnixHQ (http://www.unixhq.org) using a Windows 2000 Professional laptop and Netstumbler.

Figure 1: Not connected yet.

He isn’t connected to anything yet, as shown in Figure 1. However, he fires up Netstumbler and lo and behold, he sees Fig. 2.

Figure 2: Bill is within range of a Wi-Fi access point on Channel 6. Details are in the right hand panel.

Figure 3: It looks like a strong signal.

Figure 4: Time to get online!

Figure 5: The deed is done.

If you want to locate vulnerable WLANs in wholesale lots, there is an even more interesting tool. At http://www.kismetwireless.net/ you can download Kismet, a WLAN sniffer that also separates and identifies many wireless networks in the area you are testing. A version of Kismet for Linux, Kismet also supports FreeBSD, OpenBSD and MacOSX in on the Überhacker CD-ROM.

Kismet works with any 802.11b wireless card that is capable of reporting raw packets (rfmonsupport). These include any Prism2 based card (Linksys, D-Link, Rangelan, etc), Cisco Aironet cards, and Orinoco based cards. Kismet also supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards using the Ar5k chipset. Here’s where it gets interesting. There is a version that allows you to deploy many Kismet sensors for distributed sniffing. Each "drone" sensor sends packets over a TCP connection to a Kismet server. Its output can be piped into Snort (http://www.snort.org) and some other Intrusion Detection Systems (IDS).

You can get an idea of where easy-access Wi-Fi access points exist in abundance at http://www.WiFiMaps.com/ and http://www.wigle.net/ maps. If you hunt on foot, keep an eye out for chalk marks on sidewalks or walls. These often denote Wi-Fi access points.

If you would rather hunt while sitting in your hacker lab, you can get into WLANs that are tens of kilometers away by using a directional antenna. While a dog food can antenna as described above is free, you can reach much further with an antenna designed for the job. http://www.fab-corp.com/ is an example of a place where you can buy these.

There are many commercial products for detecting WLANs. They are often used in companies that have problems with employees setting up unauthorized access points. For example, AirMagnet (http://www.airmagnet.com/) can run on the iPAQ PDA, and detects problems such as a Wi-Fi access point advertising its SSID.

It is legal to detect WLANs, but not to use some of the wireless systems you may access. It is best to make sure a WLAN is open to the public before using it. However, unless it requires some sort of authentication to log on, law enforcement won’t waste time pursuing casual visitors to WLANs. If you do this and get busted anyhow, well, that’s the risk you take in any unauthorized computer access.

Now we come to the slightly hard part. How do you break in if the WLAN asks for some sort of authentication? Wired Equivalent Privacy (WEP) is a common way to authenticate, and can be broken in minutes if you have a computer with a reasonably fast CPU. Since some Wi-Fi hardware is incompatible with better ways than WEP to authenticate, chances are you can find a lot of WEP nets floating around.

Airsnort is an example of a program that cracks WEP keys. Once it has captured enough packets it can usually crack WEP in a second or so, if running on Linux with a reasonably fast CPU. Airsnort has varieties that run on BSD, Linux, OS X and Windows, and can be downloaded at http://airsnort.shmoo.com/. One version, for Unix-type operating systems, is on the Überhacker CD-ROM.

Now we come to the super hard part: WiFi Protected Access (WPA). It’s the latest, greatest way to keep intruders from abusing Wi-Fi. It can work, for example, with Windows Remote Authentication Dial-In Services to authenticate users – and keep the uninvited out. At this writing no technique has been publicized to break it. However, if by the time you read this, a way has been discovered, here are some web sites that are likely to offer downloads of the tools that do it, and instructions for their use.

http://www.worldwidewardrive.org/

http://www.wardriving.com/

http://www.churchofwifi.com

http://www.nakedwireless.ca/

https://mailsrv.dis.org/mailman/listinfo/wardriving

More --->>


Carolyn's most
popular book,
in 4th edition now!
For advanced
hacker studies,
read Carolyn's
Google Groups
Subscribe to Happy Hacker
Email:
Visit this group

© 2013 Happy Hacker All rights reserved.