www.en.hakin9.org hakin9 3/2007
Attack
Hacking in the wireless sphere is more independent, original and wide-ranging than, for example, web hacking. You will understand why after reading this article. Imagine! We will go to the Kremlin, Red Square (Russia) and take a warchalking tour under the President's towers.

Everything required to begin the practical side is: a notebook with a Wi-Fi card, some software for penetration tests, a GPS module for navigation and, of course, a comfortable backpack. After reading this article you will be able to make maps of APs, to analyze the security level of wireless networks and even to make jokes.
My equipment
The GPS receiver is a GlobalSat BU-303 USB on the SiRF StarIIe/LP chipset, providing high quality and speed of coordinate determination. It has an almost minimal cold start of 45 seconds. The problem is that at startup the device does not know where it is on the planet. In order to orient itself, it starts to scan a range of frequencies, analyze signals and calculate your coordinates.

The notebook is an Alienware NP9860 – the ideal tool for wardriving, and ideal for its compactness.
Wi- positioning and GPS
With the development of Wi-Fi (Wireless Fidel-ity) and the actively growing number of WLANnetworks. Such decisions are very real and thewidespread availability literally everywhere,from small ofces to huge corporate sort net-works.It is not necessary to hide, today the safetyof such networks (standard 802.11 x) leavesmuch to be desired.
Analysing and Mapping Wireless Networks
Andrej Komarov (ITdefence Ltd/Russia)
Difficulty
Wireless technologies are entering our daily lives more and more each day. For some they are a craze of convenience or the solution to various technological problems, and for others – fighting, the jumping-off place where real cyberfights unfold.

What you will learn...
• Wi-Fi positioning,
• how to make a wardriver's map,
• common attacks in the wireless infrastructure.

What you should know...
• Some knowledge of wireless technology,
• basic knowledge of network analysis.
 
In the center of Moscow, Wi-Fi services are available at almost every corner; according to official public information, there are currently over five hundred public access points in the capital.

To simplify and present the work, we shall use Wi-Fi positioning, a method of drawing APs (Access Points) on a special map that can be converted into one of the most popular graphic formats.

We shall also use NetStumbler (netstumbler.com) as our scanner. But you should remember that the use of this tool can easily be detected by a wireless IDS or by special triangulation systems. First of all, there is a special Easter egg in NetStumbler, hidden in LLC frames:

• 0.3.2 Flurble gronk bloopit, bnip Frundletrune,
• 0.3.2 All your 802.11b are belong to us,
• 0.3.3 intentionally blank.

Secondly, some IDS systems, like Wireless Snort, have special preprocessors which can detect NetStumbler in about one second. For more information about this, see the paper Analysis of WLAN discovery applications for Intrusion Detection (Joshua Wright).

As the object of study we have chosen Ohotniy Riad, where we will try to analyze the geographic distribution of wireless activity and to visually trace hotspots, finding the distance between them.
Wi- hotspot'smapping software
Products that can be used for navi-gation and Wi-Fi mapping.
Microsoft Mappoint Europe
Is a commercial cartographicalproduct supporting integration withmost of the GPS-devices and isabsolutely compatible with Nets-tambler.Compatibility occupies an impor-tant role, as the report after the scancannot be imported to all mappingsoftware that is suitable for GPSnavigation. At worst special scriptsmay be required of you to transformbroad gullies. A concrete example of this is MapSource MPS, for compat-ibility with which it is required to use
http://terenin.com/nets2mps.zip.
In real time by using a wire-less network and a computer andthe mechanism of Microsoft Loca-tion Finder, which uses a data-base of known points of accessfor Wi-Fi to create the denitionof coordinates of the user. (
http:// wireless.gayamerican.org/microsoft-mappoint-wi.html 
)
Microsoft Streets And Trips
An analogue of Microsoft AutoRoute. This software is ideal for automobile fans (including wardrivers), as it is geared to show, in a visually convenient way, where you are at any given moment.

There is also an option of voice support. For successful import of the scanner's report, use StreetStumbler 2004 RC4.6 (http://home.adelphia.net/~kg4ixs/ss2004).

This program will transform the received NS file, and all of the information from it will be visually displayed on a map. (http://www.microsoft.com/streets/ProductDetails.aspx?pid=001)

Figure 1. Kreml
Figure 2. Wiimap
AVTOGIS
This tool is absolutely compatible with NetStumbler; it is necessary to start the scanner together with Stumbverter and to connect the GPS module. With its help you can find the necessary street, house or any city object. (http://www.kiberso.com/)

Of course you will note that all of these products are commercial, but there are absolutely free-of-charge implementations of such ideas. Wardrivers are self-educated people who have written a huge number of scripts that convert NS reports into a suitable format. One of them is PHP Stumbler Parser v1.1 (http://kb3ipd.com/phpStumblerParser/index.php).

All received information will contain the latitude, longitude, MAC address of the remote point, SSID, the channel information and the type of authorization. Personally I prefer to use the .kml format.

This is what the Google Earth service supports, and you can use it for Wi-Fi mapping. Download Google Earth Desktop (http://desktop.google.com/download/earth/GoogleEarth.exe), then File > Open.

We import the report that we find on the Internet. Near us is a hotspot, therefore we have found ourselves on the map, having connected to it. But what to do if it had not appeared, and there is only the GPS module? Well, let's take advantage of our favourite service and the program GPS TrackMaker 13 (http://www.ruslapland.ru/gps.htm).

If you do not want to spend your own money on GPRS to download maps onto a laptop, do all of this at home. Load GE/GPS and load the maps from the Internet, browsing the districts planned for warwalking.

The program will bring the received structures into (temporary) memory and the files will be saved in C:\Documents and Settings\PCname\Application Data\Google\GoogleEarth.

Because we are not connected to the Internet, you can start Google Earth and ignore all the prompts about connecting to a network – the data is preloaded – and on the screen you will see the cached images of the square prepared in advance. For a clearer picture I recommend KNSGEM (http://www.rjpi.com/knsgem.htm).

This program will help to paint a habitual map over the present map of the warwalker – to illuminate the found points in various colors, to paint over zones of radio coverage of a certain area or to draw remote lines.
Figure 3. map
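As an added example (not from the original article), the following JavaScript covers two steps the text describes: writing scan records to the .kml format for Google Earth and finding the distance between hotspots. The record fields, function names and sample access points are assumptions constructed for illustration.

```javascript
// Added example: turn scan records into KML for Google Earth and measure the
// distance between hotspots. Record fields and sample values are constructed.

// Numeric character references keep SSID text from being read as XML markup.
const xmlEscape = (s) => String(s).replace(/[<>&"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Great-circle distance in metres between two {lat, lng} points (haversine).
function distanceMeters(a, b) {
  const R = 6371000; // mean Earth radius, metres
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLng = rad(b.lng - a.lng);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLng / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// One <Placemark> per access point. KML wants "longitude,latitude,altitude",
// the reverse of the lat/lng order most scanner reports use.
function toKml(aps) {
  const placemarks = aps.map((ap) =>
    '  <Placemark>\n' +
    `    <name>${xmlEscape(ap.ssid)}</name>\n` +
    `    <description>${xmlEscape(`${ap.bssid} ch ${ap.channel} ${ap.auth}`)}</description>\n` +
    `    <Point><coordinates>${ap.lng},${ap.lat},0</coordinates></Point>\n` +
    '  </Placemark>');
  return '<?xml version="1.0" encoding="UTF-8"?>\n' +
    '<kml xmlns="http://www.opengis.net/kml/2.2">\n<Document>\n' +
    placemarks.join('\n') + '\n</Document>\n</kml>\n';
}

// Constructed sample: two access points about 200 m apart.
const APS = [
  { ssid: 'hotspot-A', bssid: '00:11:22:33:44:55', channel: 6, auth: 'Open', lat: 55.7575, lng: 37.6160 },
  { ssid: 'R&D <guest>', bssid: '00:11:22:33:44:66', channel: 11, auth: 'WEP', lat: 55.7593, lng: 37.6160 },
];

console.log(toKml(APS));
console.log(Math.round(distanceMeters(APS[0], APS[1])), 'm between the two APs');
```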
Listing 1. A special script with which you can inject your report into the map

GDownloadUrl("WARDRIVING_REPORT.xml", function (data) {
  // Parse the report and take every <marker> element from it
  var xml = GXml.parse(data);
  var markers = xml.documentElement.getElementsByTagName("marker");
  for (var i = 0; i < markers.length; i++) {
    var point = new GLatLng(parseFloat(markers[i].getAttribute("lat")),
                            parseFloat(markers[i].getAttribute("lng")));
    // Info-window text: SSID, MAC and time go into the HTML exactly as they appear in the report
    var marker = createMarker(point, '<small> <B> SSID </B>:' + markers[i].getAttribute("ssid") +
      '<br> <B> MAC: </B> ' + markers[i].getAttribute("bssid") +
      '<br> <B> Time: </B>' + markers[i].getAttribute("time_gmt") + '</small>');
    map.addOverlay(marker);
    // map.addOverlay (new GMarker (point, icon));
  }
});
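Listing 1 places the SSID, MAC and time values from the report directly into the marker HTML; the SSID is chosen by whoever operates the access point, so a report can carry markup into the map page. The following added example (not part of the original listing; safeMarker and the sample records are hypothetical) validates each record and escapes its fields before the HTML is built.

```javascript
// Added example: hardened marker construction for a scan report like the one
// Listing 1 loads. Field names (lat, lng, ssid, bssid, time_gmt) follow the
// listing; safeMarker() and the sample records are hypothetical.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

const BSSID_RE = /^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$/;

// Returns {lat, lng, html} for a valid record, or null if it must be dropped.
function safeMarker(rec) {
  const lat = parseFloat(rec.lat);
  const lng = parseFloat(rec.lng);
  if (!Number.isFinite(lat) || !Number.isFinite(lng)) return null;
  if (Math.abs(lat) > 90 || Math.abs(lng) > 180) return null;
  if (!BSSID_RE.test(rec.bssid || '')) return null;
  // Cap the SSID length before escaping so one record cannot flood the page.
  const ssid = String(rec.ssid || '').slice(0, 32);
  const html = '<small><b>SSID:</b> ' + escapeHtml(ssid) +
    '<br><b>MAC:</b> ' + escapeHtml(rec.bssid) +
    '<br><b>Time:</b> ' + escapeHtml(rec.time_gmt || '') + '</small>';
  return { lat, lng, html };
}

// Constructed sample records: benign, markup in the SSID, impossible latitude.
const SAMPLE = [
  { lat: '55.7558', lng: '37.6176', ssid: 'cafe-free', bssid: '00:11:22:33:44:55', time_gmt: '12:00:01' },
  { lat: '55.7570', lng: '37.6150', ssid: '<script>alert(1)</script>', bssid: '00:11:22:33:44:66', time_gmt: '12:03:10' },
  { lat: '955.0', lng: '37.6', ssid: 'broken', bssid: '00:11:22:33:44:77', time_gmt: '12:04:00' },
];

const safeMarkers = SAMPLE.map(safeMarker).filter((m) => m !== null);
console.log(safeMarkers.length, safeMarkers[1].html);
```

In the page itself, each returned object would be passed to the listing's createMarker(new GLatLng(lat, lng), html) in place of the raw concatenation.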
