*************************************************

* *
* The Definitive Guide To Wireless WarX'ing *
* ----------------------------------------- *
* v1.2.1 *
* *
* 09/04/02 *
* *
*************************************************
* *
* by Slayer *
* *
* Slayer@Kraix.com *
* *
*************************************************
* *
* www.KRAIX.com *
* *
*************************************************

Contents:
---------

I. Introduction

II. Types of Wireless Networking


1.802.11a
2.802.11b
3.BlueTooth
4.Radio Frequencies
5.IrDA

III. Wireless Hardware


1. Routers
2. Access Points
3. NIC's
4. PCMCIA Cards
5. Antennas

IV. Wireless Software (Tools)


1. NetStumbler and MiniStumbler
2. Kismet
3. WEPCrack
4. AirSnort
5. Fake AP
6. Wireless Security Auditor
7. THC-WarDrive
8. THC-RUT
9. MacStumbler
10. BSD-AirTools
11. PrismStumbler
12. Mognet
13. WarLinux
14. Wellenreiter
15. WaveStumbler
16. AiroPeek
17. StumbVerter
18. AP Scanner
19. SSID Sniff
20. Wavemon
21. AirTraf
22. AirJack

V. Wireless White Papers


1. Wireless LAN Security : 802.11b and Corporate Networks
2. Wireless HOWTO for Linux
3. Hacking the Invisible Network : Insecurities in 802.11x
4. Cracking WEP Keys : Applying Known Techniques to WEP Keys
5. The Need for a 802.11 Wireless Toolkit
6. Wireless LAN Security
7. Linksys BEFVP41 VPN...Wireless Mini HOWTO
8. SSID Defaults
9. What's Up With WEP
10. Default List of Passwords

VI. Wireless Web Sites


1. Netstumbler.com
2. Milehigh Wireless
3. Wireless LAN 802.11x - Technical Information and Software
4. PersonalTelCo
5. WarChalking.org
6. Wardriving.com
7. WirelessCloud
8. Sputnik
9. NYCWireless
10. War Strolling and Cabbing

VII. WarX'ing (Why you're reading this :)


1. What is WarX'ing?
2. WarDriving
3. WarChalking
4. WarStrolling
5. Example WarX'ing Setups
6. Something to Think About

VIII. Securing your WLAN


1. Configuration
2. WEP
3. MAC Filtering
4. Fake AP
5. Disable SSID Broadcasting
6. Power

IX. Conclusion

X. Shameless Plug

**************************************************************************************
**************************************************************************************

------------------------------------------------
I. Introduction
------------------------------------------------
This is my first _real_ documentation, so please...no flaming or anything.
I put this together because I have been receiving a lot of emails and such
regarding wireless networks. Everyone wants to know what it is, how to do that,
where to get this, is this legal...the list is huge. So instead of constantly
sending out a bunch of small answers, I'm writing this paper to help you learn
as much as possible. Side Note: Keep in mind that I am not an *expert* in this
area. I did not design the 802.11x standard or anything. I've just done a lot
with it :o).

Disclaimer: The purpose of this document in its entirety is for educational
purposes only. It is in no way meant for destructive or illegal purposes.
Neither I (Slayer) nor Kraix.com condone illegal activity, or anything that you
may do with this information. I (Slayer) and Kraix.com feel that you are mature
enough to make your own decisions, and not place blame on anyone else for your
actions. By reading this, you are agreeing that you take full responsibility
for your actions, and that they have nothing to do with Kraix.com or me
(Slayer).

------------------------------------------------
II. Types of Wireless Networking
------------------------------------------------
As you may have already figured out, there are a few different wireless types
out there; 802.11a/b, BlueTooth, Radio Freq, and IrDA to name a few. There
really isn't a standard yet, because everyone thinks that their idea is the
best, and they're pretty stubborn about it. Basically though, each type of
wireless networking has its ups and downs. I'll try to give you a brief
overview of the ones that I know of.

1. 802.11a (that's an "A" after the numbers) - This is probably going to be the
new standard for home and small office networking. I'm not too sure yet if
it'll surpass 802.11b, but hey...time will tell. 802.11 was the first wireless
protocol to come out, and I believe it would run at about 1-2Mbps (don't quote
me on that). A little while later 802.11b came out, and it was faster, so
people moved over to adopt that one. Now, .11a has been redone so that it's
even faster than .11b. .11a now runs at 54Mbps in the 5GHz band and it uses
what is called the "orthogonal frequency division multiplexing encoding
scheme" (trust me, I couldn't make that up ;). If you want to learn more about
OFDM, go run a Google on it, because I'm not going to go into it; all I'll
mention is that it's more secure than WEP (Ha, "secure" and "WEP" shouldn't
even be in the same sentence). Range on these devices will vary, but you should
be able to get about 300ft. from an access point.

2. 802.11b (that's a "B" after the numbers) - .11b was the next revelation in
wireless technology after .11 and before .11a. It is now commonly referred to
as Wireless Fidelity or "WiFi" (pronounced like SciFi). .11b has a throughput
of 11Mbps, and can fall back to 5.5Mbps, 2Mbps, and 1Mbps. All that means is
that as the signal gets degraded (or farther away), your connection will drop
to these levels. Right now, .11b is more so the standard of wireless
networking. There are more wireless LANs and WANs running .11b than any other
architecture. Because of this, you will find more tools and uses with this.
When people are out there WarX'ing, this is the protocol that they're using
(WarX'ing is described later on). Its primary security encryption is Wired
Equivalent Privacy, or WEP for short. WEP can be used in 64bit or 128bit forms.
All Prism 1 cards can utilize WEP 64bit, but you'll need a Prism 2 card to use
128bit. But either way, I would strongly recommend that you do NOT rely solely
on this; bad bad idea. Once again, I'm not going into how WEP works (or doesn't
work). Google it if you're interested. Range on these devices will vary, but
you should be able to get about 300ft. from an access point.

3. BlueTooth - BlueTooth is a wireless type for short range devices. You can
get about 10 meters (that's about 30ft) away before you lose connection. Of
course, that's in lab results. Real world, you can get about 25-ish, but hey,
who's counting ;). Anyways, BlueTooth is being integrated into a lot of
portable devices for use in sync'ing things together. Such devices are
handhelds (Compaq's iPaq), phones (Sony-Ericsson), and other little gadgets.
It's really a way to replace IrDA, and in that way it's beneficial. BlueTooth
generally has a transfer rate of about 1Mbps. That's not too bad, considering
that it's only syncing, or passing streaming media. Leeching news groups with
it...no. Using this standard to sync devices, or to get rid of wires, is a
great idea, but I don't see us buying a can of Jolt out of a machine with our
phone anytime soon. So far, the best ways that I've seen this protocol being
used are in PDAs for syncing, and in the new Sony-Ericsson T68i cell phone
that uses a wireless (BlueTooth) handsfree headset. I want one sooo bad. I'd
even be willing to write a review about it if someone donated one to me (hint,
hint, :o).

4. Radio Frequencies - Cell Phones. This is how they work, by using alternating
encrypted radio frequencies. I could write an entire thesis on this alone, but
I'm not. All I'm going to tell you is that Cell Phones use them :). Phreaking
is not my expertise at all, and I'm not about to begin to talk about something
that I don't know enough about.

5. IrDA - Infrared Data Association. Basically, the stuff your remote controls
use. It's using a beam of light that we can't see to send a signal. The
restrictions on this are enormous, but hey...it works. IrDA is used a lot in
Cell Phones, PDAs (especially Palms, I think they were the first to use it,
but I could be wrong), laptops, wireless mice/keyboards; the list goes on and
on. The major downfalls for IrDA are distance and line-of-sight. IrDA can only
go about 1-2 meters and doesn't work unless there is a direct line-of-sight.
It's nice to sync your Palm or your phone with your contact list on your
laptop without wires and all, but if your cat lays down between the two, end
of connection. BlueTooth is starting to replace the uses for IrDA, because it
can go farther, is more secure, does not need line-of-sight, and it's a lot
faster. IrDA has a transfer rate of about 75Kbps (that's a "K", not an "M").

------------------------------------------------
III. Wireless Networking Hardware
------------------------------------------------
For IrDA, BlueTooth, and Radio Frequencies, the hardware is basically built
into the devices that are going to use it. There are a couple of peripherals
that you could buy, but they're not worth going into. I'm basically going to
cover 802.11a/b hardware. The same type of hardware exists for both standards
unless otherwise noted.

1. Wireless Routers - This is the most important piece of wireless technology
that you will buy when setting up a LAN or WAN. You must make sure that it's
of the right architecture, chipset (Prism 1 or 2), and that it has all the
features that you need. For home use, you shouldn't spend over $200, unless
you want some high-end stuff, or you're delving into the .11a world (.11a is a
little more expensive). Pretty much every manufacturer and their brother are
making wireless routers. Linksys, 3com, Belkin, Intel, Cisco, Billy-Ray-Joe
(just kidding). I personally use Belkin, and I haven't had any problems, but I
would recommend that you buy a name-brand router. Remember, you get what you
pay for. Remember that when you're looking at a Linksys $150 router on sale
with 8 mail-in rebates from Best Buy.

2. Access Points - These are very useful in larger offices, or houses. They
will relay the signal to extend your coverage. It acts kind of like a wireless
hub. These are also made by all the same people that make the routers, and I
suggest that if you purchase an access point, you get the same brand as your
router. Less likely to have compatibility issues.

3. Wireless NICs - Um, it's a NIC (Network Interface Card) that's wireless. I
think that this one is pretty self-explanatory. One idea though, is that
instead of buying a wireless NIC, buy a PCI card that has a slot to insert a
PCMCIA, or PC card, into it. These cards shouldn't cost more than $20, and you
can use the PC card for more stuff.

4. Wireless PCMCIA (PC Cards) cards - These are the cards that go into your
laptops, or other portable devices. There are two different architectures for
these cards, Prism 1 and 2. 1 supports 64bit and 2 supports 128bit encryption.
Almost all the cards are Type 2 cards (in relation to the thickness). In my
opinion, the best cards out there right now are the Orinoco Gold cards. You
can get them online for about $80.

5. Antennas - You can purchase, or make, external antennas that will increase
your signal strength and distance. The most common form is called a Yagi (like
from Karate Kid, jk). These are sold all over the place online, and there are
plans out there that show you how to build them from scratch using a Pringles
can and Radio Hack parts (great way to disguise it for WarX'ing). One piece of
hardware that you'll most definitely need is called a Pig Tail. This is a wire
that will connect from your wireless card (on the antenna) to a thick coaxial
cable or cable connector. The little piggies cost about $20.

------------------------------------------------
IV. Wireless Software (Tools)
------------------------------------------------
With the recent explosion of the wireless networking community, there has been
a shadow within the software field. Recently it seems like there is a new
wireless tool that comes out every day. I have tried to put together a list of
tools, and their links, of what I think are probably the most useful. If I've
used it before, or I know about it, I'll try to give a description about it
also.

1. NetStumbler and MiniStumbler - Windows 2000, 9X, ME, XP, Pocket PC

I have to say that these are by far the most widely used and proven wireless
discovery tools on the net. NetStumbler will use your wireless card to detect
all the wireless networks in the area. It will return the WLAN's SSID,
channel, WEP or not, signal strength, and more! The GUI is insanely easy to
use. Hell, even a L337 H4X0R could use this :). Two features that I really
like are its ability to modify the refresh rate of the scan, and that you can
hook up a GPS unit to it to track your exact coordinates. You can then save
this to a file and upload it to their server to add to their ever-expanding
map of WLANs. MiniStumbler is the same as NetStumbler, except that it's for
the iPaq handheld (oh the possibilities!).

Homepage: http://www.netstumbler.com
Readme: http://www.stumbler.net/readme/readme_0_3_30.html
Download: http://www.netstumbler.com/download.php?op=getit&lid=22 (NetStumbler)
Download: http://www.netstumbler.com/download.php?op=getit&lid=21 (MiniStumbler)
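Where the SSID, channel and WEP flag that a stumbler reports actually come from: they are fields of the 802.11 beacon (or probe-response) management frame. The Python parser below is an added example, not NetStumbler's code or code from any tool listed here; the frames it decodes are constructed inline, and the authorised-BSSID list is a hypothetical inventory a WLAN owner would keep.

```python
"""Decode the fields a stumbler reports from a raw 802.11 beacon frame.

Added example (not NetStumbler's or any listed tool's code).  The frames it
runs on are constructed below, not captured, and the authorised BSSID list is
a hypothetical value a WLAN owner would maintain."""
import struct

# 802.11 management header: Frame Control(2) Duration(2) DA(6) SA(6) BSSID(6)
# Sequence Control(2) = 24 bytes.  Beacon / probe-response body starts with
# Timestamp(8) Beacon Interval(2) Capability Info(2), then tagged elements
# (IEs), each encoded as: tag(1) length(1) value(length).
MGMT_HDR_LEN = 24
FIXED_BODY_LEN = 12
CAP_PRIVACY = 0x0010     # capability "Privacy" bit: WEP required to associate
IE_SSID = 0              # SSID element
IE_DS_PARAMS = 3         # DS Parameter Set: one byte, the channel number
SUBTYPE_BEACON = 8
SUBTYPE_PROBE_RESP = 5


def parse_beacon(frame: bytes) -> dict:
    """Return bssid, ssid, channel and the WEP flag from a beacon or probe
    response, or raise ValueError for anything else (or a truncated frame)."""
    if len(frame) < MGMT_HDR_LEN + FIXED_BODY_LEN:
        raise ValueError("frame too short for a beacon")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        raise ValueError("not a beacon or probe response")
    bssid = frame[16:22]
    cap = struct.unpack_from("<H", frame, MGMT_HDR_LEN + 10)[0]
    info = {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "wep": bool(cap & CAP_PRIVACY),
        "ssid": None,
        "ssid_hidden": False,
        "channel": None,
    }
    pos = MGMT_HDR_LEN + FIXED_BODY_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if tag == IE_SSID:
            # An empty or all-NUL SSID is a "cloaked" (non-broadcasting) AP:
            # the network exists, it just isn't telling you its name.
            if not value.strip(b"\x00"):
                info["ssid"], info["ssid_hidden"] = "", True
            else:
                info["ssid"] = value.decode("utf-8", errors="replace")
        elif tag == IE_DS_PARAMS and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info


def build_beacon(bssid: bytes, ssid: bytes, channel: int, wep: bool) -> bytes:
    """Construct a minimal beacon frame for testing (sample data, not real)."""
    fc = SUBTYPE_BEACON << 4                          # type 0 (mgmt), subtype 8
    hdr = struct.pack("<HH6s6s6sH", fc, 0, b"\xff" * 6, bssid, bssid, 0)
    cap = 0x0001 | (CAP_PRIVACY if wep else 0)       # ESS bit, optional Privacy
    fixed = struct.pack("<QHH", 0, 100, cap)         # timestamp, interval, cap
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_DS_PARAMS, 1, channel])
    return hdr + fixed + ies


# Constructed sample frames: a default-named open AP, a WEP AP, a cloaked AP.
SAMPLE_FRAMES = [
    build_beacon(b"\x00\x04\x5a\x01\x02\x03", b"linksys", 6, False),
    build_beacon(b"\x00\x02\x2d\x0a\x0b\x0c", b"kraix-lan", 11, True),
    build_beacon(b"\x00\x40\x96\x10\x20\x30", b"", 1, True),
]
# Hypothetical list of the APs the WLAN owner actually installed.
AUTHORISED_BSSIDS = {"00:02:2d:0a:0b:0c"}


def audit(frames, authorised):
    """Parse each frame and report what a WLAN owner wants to know: APs with
    no WEP and APs that are not on the authorised list (possible rogues)."""
    findings = []
    for frame in frames:
        ap = parse_beacon(frame)
        name = ap["ssid"] if not ap["ssid_hidden"] else "<cloaked>"
        if not ap["wep"]:
            findings.append((ap["bssid"], name, "open: no WEP"))
        if ap["bssid"] not in authorised:
            findings.append((ap["bssid"], name, "unknown AP: not in inventory"))
    return findings


if __name__ == "__main__":
    for bssid, name, problem in audit(SAMPLE_FRAMES, AUTHORISED_BSSIDS):
        print(f"{bssid}  {name:<12} {problem}")
```

Run as a script it lists the open and the unknown APs among the samples, which is the same data a WLAN owner compares against their own AP inventory to spot a rogue.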

2. Kismet - Linux

Kismet is an 802.11b wireless network sniffer. It is capable of sniffing using
almost any wireless card supported in Linux, including Prism2 based cards
supported by the Wlan-NG project (Linksys, Dlink, Rangelan, etc), cards which
support standard packet capture via libpcap (Cisco), and limited support for
cards without RF Monitor support. The latest stable release as of this writing
is 2.4.6 on August 4th. You may want to go to the page to download the latest
stable version.

Homepage: http://www.kismetwireless.net
Download: http://www.kismetwireless.net/code/kismet-2.4.6.tar.gz

3. WEPCrack - Linux

WEPCrack is an open source tool for breaking 802.11 WEP secret keys. This tool
is an implementation of the attack described by Fluhrer, Mantin, and Shamir in
the paper "Weaknesses in the Key Scheduling Algorithm of RC4". WEPCrack was
the first publicly available code that demonstrated the attack.

Homepage: http://wepcrack.sourceforge.net/
Download:
http://sourceforge.net/project/showfiles.php?group_id=32993&release_id=49357

4. AirSnort - Linux

AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort
operates by passively monitoring transmissions, computing the encryption key
when enough packets have been gathered. AirSnort requires approximately 5-10
million encrypted packets to be gathered. Once enough packets have been
gathered, AirSnort can guess the encryption password in under a second.

Homepage: http://airsnort.shmoo.com/
Download: http://prdownloads.sourceforge.net/airsnort/airsnort-0.2.1.tar.gz?download

5. Fake AP - Linux

Black Alchemy's Fake AP generates thousands of counterfeit 802.11b access
points. Hide in plain sight amongst Fake AP's cacophony of beacon frames. As
part of a honeypot or as an instrument of your site security plan, Fake AP
confuses Wardrivers, NetStumblers, Script Kiddies, and other undesirables.
Just so you know, some of the SSIDs that are generated by Fake AP aren't
exactly the cleanest of words :).

Homepage: http://www.blackalchemy.to/Projects/fakeap/fake-ap.html
Download: http://www.blackalchemy.to/Projects/fakeap/fakeap-0.2.tar.gz

6. Wireless Security Auditor - Linux on an iPaq

WSA is an IBM research prototype of an 802.11 wireless LAN security auditor,
running on Linux on an iPAQ PDA. WSA automatically audits a wireless network
for proper security configuration, to help network administrators close any
vulnerabilities before the hackers try to break in. Short and sweet: IBM's
Linux version of MiniStumbler. Still in Beta.

Homepage: http://researchweb.watson.ibm.com/gsal/wsa/
Download: Can't get it :( . If you can, email me!

7. THC-WarDrive - Linux

THC-WarDrive is a tool for mapping your city for wavelan networks with a GPS
device while you are driving a car or walking through the streets. It is
effective and flexible, a "must-download" for all wavelan nerds.

Homepage: http://www.thehackerschoice.com
Download: http://www.thehackerschoice.com/download.php?t=r&d=wardrive-2.3.tar.gz

8. THC-RUT - Linux

THC-RUT (aRe yoU There) is a local network discovery tool developed to brute
force its way into wvlan access points. It offers arp-request on ip-ranges and
identifies the vendor of the NIC, spoofed DHCP, BOOTP and RARP requests,
icmp-address mask request and router discovery techniques. This tool should be
'your first knife' on a foreign network.

Homepage: http://www.thehackerschoice.com
Download: http://www.thehackerschoice.com/download.php?t=r&d=thcrut-0.1.tar.gz

9. MacStumbler - Mac OS X

MacStumbler is a little program that was written to emulate the workings of
NetStumbler and Kismet for the Mac. It will only work with Apple Airport cards
and is in extreme beta testing, so plan on your Mac crashing a couple of times
trying to get this to run. There are a number of people out there using this,
so it does work. The source code is also available if you're a fellow Mac
coder and want to help out.

Homepage: http://homepage.mac.com/macstumbler/
Download: http://homepage.mac.com/macstumbler/MacStumbler-06b.tgz
(binary)
Download: http://homepage.mac.com/macstumbler/06b-source.tgz (source)

10. BSD-AirTools - FreeBSD 4.4, OpenBSD 2.9/3.0, NetBSD 1.5.1+

bsd-airtools is a package that provides a complete toolset for wireless 802.11b
auditing. Namely, it currently contains a BSD-based WEP cracking application,
called dweputils (as well as kernel patches for NetBSD, OpenBSD, and FreeBSD).
It also contains a curses based AP detection application similar to
NetStumbler (dstumbler) that can be used to detect wireless access points and
connected nodes, view signal to noise graphs, and interactively scroll through
scanned APs and view statistics for each. It also includes a couple of other
tools to provide a complete toolset for making use of all 14 of the prism2
debug modes as well as doing basic analysis of the hardware-based link-layer
protocols provided by prism2's monitor debug mode.

Homepage: http://www.dachb0den.com/projects/bsd-airtools.html
Download: http://www.dachb0den.com/projects/bsd-airtools/bsd-airtools-v0.2.tgz
Download: ftp://ftp.dachb0den.com/pub/projects/bsd-airtools/bsd-airtools-v0.2.tgz

11. PrismStumbler - Linux

Prismstumbler is a wireless LAN (WLAN) scanner which scans for beacon frames
from access points. Prismstumbler operates by constantly switching channels
and monitors any frames received on the currently selected channel.

Homepage: http://prismstumbler.sourceforge.net/
Download: http://www.monolith81.de/download/prismstumbler-0.5.0.tar.gz

12. Mognet - Linux

Mognet is a free, open source wireless ethernet sniffer/analyzer written in
Java. It is licensed under the GNU General Public License. It was designed
with handheld devices like the iPaq in mind, but will run just as well on a
desktop or laptop.

Homepage: http://chocobospore.org/mognet/
Download: http://www.monolith81.de/download/Mognet-1.14.tar.gz

13. WarLinux - Um... It is the OS.

A new Linux distribution for Wardrivers. It is available on disk and bootable
CD. Its main intended use is for systems administrators that want to audit
and evaluate their wireless network installations. Should be handy for
wardriving also. I hope you have a lot of CDs ready for this one. One guy took
a pic of all the CDs he went through just to get this thing to work; there had
to have been at least 20 of 'em! But hey, in the end he got it!

Homepage: https://sourceforge.net/projects/warlinux/
Download: http://prdownloads.sourceforge.net/warlinux/warLinux.iso?download

14. Wellenreiter - Linux

Wellenreiter is a GTK/Perl program that makes the discovery and auditing of
802.11b wireless networks much easier. All three major wireless cards (Prism2,
Lucent, and Cisco) are supported. It has an embedded statistics engine for the
common parameters provided by wireless drivers. Its scanner window can be used
to discover access points, networks, and ad-hoc cards. It detects SSID
broadcasting or non-broadcasting networks in every channel. Non-broadcasting
networks can be uncovered automatically. The manufacturer and WEP status are
automatically detected. A flexible sound event configuration lets you work in
unattended environments. An ethereal / tcpdump-compatible dumpfile can be
created for the whole session, so detailed analysis at another location is
easy. GPS support tracks the location of the discovered networks immediately.
Automatic associating is possible with randomly generated MAC addresses, so
you don't have to work with your real MAC address anymore. Wellenreiter can
reside on low-resolution devices that can run GTK/Perl and Linux/BSD (such as
iPaqs). An SSID bruteforcer is included now too.

Homepage: http://www.remote-exploit.org
Download: http://www.remote-exploit.org/modules.php?name=Downloads&d_op=getit&lid=25

15. WaveStumbler - Linux

WaveStumbler is a console based 802.11 network mapper for Linux. It reports
the basic AP stuff like channel, WEP, ESSID, MAC etc. It has support for
Hermes based cards (Compaq, Lucent/Agere, ...). It's still in development but
tends to be stable.

Homepage: http://www.cqure.net/tools08.html
Download: http://www.cqure.net/tools/wavestumbler-1.2.0.tar.gz

16. AiroPeek - Windows 98, ME, 2000, XP (COMMERCIAL $1495 for 1 year!)

AiroPeek is a comprehensive packet analyzer for IEEE 802.11b wireless LANs,
supporting all higher level network protocols such as TCP/IP, AppleTalk,
NetBEUI and IPX. AiroPeek contains all of the network troubleshooting features
familiar to EtherPeek. In addition, AiroPeek quickly isolates security
problems, fully decodes 802.11b WLAN protocols, and analyzes wireless network
performance with accurate identification of signal strength, channel and data
rates.

Homepage: http://www.wildpackets.com/products/airopeek
Download: http://www.wildpackets.com/demo_buy/demos/apw (DEMO)

17. StumbVerter - Windows 2000, 9X, ME, XP

StumbVerter is a standalone application which allows you to import
NetStumbler's summary files into Microsoft's MapPoint 2002 maps. The logged
WAPs will be shown with small icons, their color and shape relating to WEP
mode and signal strength. As the AP icons are created as MapPoint pushpins,
the balloons contain other information, such as MAC address, signal strength,
mode, etc. This balloon can also be used to write down useful information
about the AP, notes, etc.

Homepage: http://www.sonar-security.com/
Download: http://www.sonar-security.com/files/StumbVerter_V010_full.zip

18. AP Scanner - Mac

AP Scanner is a small Macintosh-only application that will detect all in-range
open 802.11 wireless network access points. It will show you a pretty little
graph and show potential channel conflicts.

Homepage: http://homepage.mac.com/typexi/Personal1.html
Download: http://homepage.mac.com/typexi/.cv/typexi/Public/AP%20Scanner%201.0%20Dist.sit-link.sit

19. SSID Sniff - Linux

A nifty tool to use when looking to discover access points and save captured
traffic. Comes with a configure script and supports Cisco Aironet and random
prism2 based cards.

Homepage: http://www.bastard.net/~kos/wifi/
Download: http://www.bastard.net/~kos/wifi/ssidsniff-0.36.tar.gz

20. Wavemon - Linux

wavemon is an ncurses-based monitoring application for wireless network
devices. It currently works under Linux with the Lucent Orinoco cards.

Homepage: http://www.jm-music.de/projects.html
Download: http://www.jm-music.de/wavemon-current.tar.gz

21. AirTraf - Linux

AirTraf is a package with many features. On a basic level, it performs packet
capture/decode at the 802.11b wireless level. It gathers and organizes packets
captured over the air based on the type of traffic (management, control,
data), according to the dynamically detected access points (in case there are
multiple in a given area), and performs bandwidth calculation as well as
signal strength information on a per wireless node basis. It determines the
SSID of access points, the channel each is operating under, the number of
wireless nodes connected to the access point of interest, the overall load on
the access point, as well as the bandwidth utilized by all connected wireless
nodes. And as of AirTraf-0.3-1beta, AirTraf is database-aware, meaning that
multiple sniffers can be polled via a central polling server periodically to
gather up-to-date information, saving the information for long-term load
analysis over periods of days, weeks, months, and even years. The other
feature of AirTraf is tracking of access related activity generated in the
area: it tracks all probe/authentication/association requests made to a given
access point, and by observing the access point's reaction, makes a judgment
as to the nature of the activity, and determines whether the activity is
hostile or friendly. (Currently fairly unstable, and being worked on.)

Homepage: http://airtraf.sourceforge.net/index.php
Download: http://prdownloads.sourceforge.net/airtraf/airtraf-0.5.0.tar.gz

22. AirJack - Linux

AirJack is a nifty tool that will let you take over a connection to a WLAN.
Short-short version: You DoS the AP, filling it with forged ARP packets,
confusing the hell out of the AP and causing it to dump. Then the clients
start to look for a new AP, because they lost their connection. What they find
is your box as the AP, and then when the real AP comes back, you're the middle
man. Get it?

Homepage: http://802.11ninja.net/
Download: http://802.11ninja.net/airjack-v0.6.2-alpha.tar.bz2

------------------------------------------------
V. Wireless White Papers
------------------------------------------------
After spending a couple of days scouring the net for information on wireless
networking and other such topics, I have come across a few white papers that I
have found to be useful or interesting. White papers are documents that are
instructional or informative. This document that I am writing can be
considered a white paper. The following are links and brief descriptions of
each white paper that I found. Some are HTML files, PDF documents, and even
PowerPoint slides from different conventions.

1. Wireless LAN Security : 802.11b and Corporate Networks - A white paper
written by the company Internet Security Systems.

Link: http://documents.iss.net/whitepapers/wireless_LAN_security.pdf

2. Wireless HOWTO for Linux - This is a pretty informative guide on how to get
your Linux box up and running for a wireless LAN. Remember that these are just
guidelines, and that you'll have to make changes depending on your card,
distro, and box.

Link: http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-formats/html_single/Wireless-HOWTO.html

3. Hacking the Invisible Network : Insecurities in 802.11x - A nice long white
paper written by iDEFENSE. This document goes into great detail as to the
vulnerabilities of wireless networking, I'm talking binary here.

Link: http://www.net-security.org/dl/articles/Wireless.pdf

4. Cracking WEP Keys : Applying Known Techniques to WEP Keys - This is a
PowerPoint slide presentation from @Stake about how to go about cracking WEP
keys, and the logistics behind it. If you're new to WEP, I recommend it for a
quick overview.

Link: http://www.lava.net/~newsham/wlan/WEP_password_cracker.ppt

5. The Need for a 802.11 Wireless Toolkit - This is a PDF white paper written
by a guy from @Stake that was presented during the Black Hat Briefings in July
of 2002.

Link: http://www.packetfactory.net/projects/radiate/802.11_toolkit-2.0.pdf

6. Wireless LAN Security - Here is an excellent white paper in HTML format that
describes everything that you need to know about wireless security, its
vulnerabilities, methods of attack, and much more.

Link: http://www.packetninja.ca/starrrt.html

7. Linksys BEFVP41 VPN Router to OpenBSD IPSec Server + Wireless Mini HOWTO -
This document describes how to use the Linksys BEFVP41 VPN Router as a VPN
Client to an OpenBSD IPSec Server.

Link: http://ruff.cs.jmu.edu/~beetle/download/befvp41.html

8. SSID Defaults - Here is a TXT file that lists most of the manufacturers'
default SSIDs, default password/login pairs, channels, and some other useful
tidbits.

Link: http://www.wi2600.org/mediawhore/nf0/wireless/ssid_defaults/ssid_defaults-1.0.5.txt

9. What's Up With WEP - Here's a quick read from IBM on how WEP works and other
things WEP. There are some pictures that should help you out if you're reading
impaired >:)

Link: http://www-106.ibm.com/developerworks/library/s-wep/?article=wir

10. Default List of Passwords - I think this one is pretty self-explanatory.
It's a huge list of default password and login settings for routers, firewalls,
and everything else. If I were you, I would save this list, because who knows
how long it'll stay here.

Link: http://www.aaws25.hemscott.net/Default%20password%20list.htm

------------------------------------------------
VI. Wireless Web Sites
------------------------------------------------
I have compiled a list of my favorite 10 wireless web sites and list them here
for you. Most of these sites deal with a specific area of wireless, but there
is some overlap. You'll just have to go there and check it out!

1. Netstumbler.com - The home of probably the most famous wireless tool on the
net. Not only that, but they have current wireless news and events, a forum,
geographical WLAN locations, and more. Definitely a must.

Link: http://www.netstumbler.com

2. Milehigh Wireless - If you live in the Denver area, this is the perfect site
for you. They talk about their free coverage ideas, and more.

Link: http://www.milehighwireless.net/wiki-moinmoin/moin.cgi

3. Wireless LAN 802.11x - Technical Information and Software in German and
English - Wow, what a long ass name. You will find a ton of links to software,
sites, HOWTOs, and a ton of other stuff here. Hey, and if you're German, you're
all set.

Link: http://www.monolith81.de/software_linux.htm

4. PersonalTelCo - Here's a nice page about WarDriving with some helpful links.
There are some other sites in this page relating to wireless stuff, but they
may be hard to find.

Link: http://www.personaltelco.net/index.cgi/WarDriving

5. WarChalking.org - The official WarChalking homepage. The Blogging system
here is pretty cool. It allows anyone to write stories relating to
Warchalking, and then the story is rated among other warchalkers as to whether
or not it gets published. You'll find some cool stories, pictures, and other
misc. stuff here.

Link: http://www.warchalking.org/

6. Wardriving.com - I think this one is pretty self-explanatory. This site is
devoted entirely to Wardriving. Just go to it, I know you're going to.

Link: http://www.wardriving.com

7. WirelessCloud - WirelessCloud is a southern California based organization
that is set out to provide free 802.11 access. I wish them luck!

Link: http://www.wirelesscloud.net/wirelesscloud/index.htm

8. Sputnik - These guys have made a couple of different products that are very
useful in the wireless industry. They also have some news articles relating to
wireless, but they don't get updated too frequently.

Link: http://www.sputnik.com/

9. NYCWireless - Ah, my hometown organization. These guys rule. They are
another org out there that's trying to get free 802.11 access throughout New
York City. They have already done a lot in the city, covering a lot of areas
and parks in the city. They've been featured on TechTV for a game they
invented, and they also hold monthly meetings to go over new stuff. Everyone's
invited and it's always free. Even if you don't live in NYC, you need to check
these guys out.

Link: http://www.nycwireless.net/

10. War Strolling and Cabbing - Here's another NYC based guy that's going
around Manhattan and mapping out the wireless networks. Using MacStumbler, it
looks like he's getting a large area pretty well covered. Doesn't look like
he's doing any chalking though, so you'll have to check out the site to find
the networks.

Link: http://www.joemaller.com/wifi/

------------------------------------------------
VII. WarX'ing (Why you're reading this :)
------------------------------------------------
1. The first question that's probably in your head is, "What the hell is 'WarX'ing'?"
Well, it's pretty simple. Right now there are many different types of wireless scanning
going on. You have WarDriving, WarChalking, WarStrolling, WarBoating, WarFlying; the
list is endless. Because of this, I've adopted the term WarX'ing; the "X" is the
variable for the different kinds. No matter what mode of transportation you use, you're
doing the same thing...scanning. So instead of all these terms, I've decided on one
simple term that covers them all. Judging by the context of the document, story, or
whatever, I think you'll be able to figure out if they were on foot or in a car.

The prefix "War" originally came from the good-ole days of BBS'ing. To find a modem on
the other end of a phone line, you would do what is called WarDialing. Think of this as
a primitive IP scan: you'd enter a range of phone numbers to dial (ex. 555-1000 -
555-1100) and the WarDialing program calls each number in the list to see if there's a
modem at the other end, and then either makes a note of it or tries to connect. I think
you can see the connection here. For those of you that have no clue what WarX'ing
(WarDriving/chalking/strolling/etc) is, I will go into more detail about each area
below.

2. WarDriving - WarDriving is the act of scanning for wireless networks with a mobile
device while driving around in a car. The most common form is when you take a laptop
into a car and then turn on a stumbler to detect the networks. As the open networks
appear, you can either continue on and make a list or a map, or pause to look around
their network.

3. WarChalking - WarChalking is the act of labeling a discovered network so that other
WarX'ers can easily notice an open network and the details about it. The idea most
likely originated from the old-school hobo chalking symbols. It's just a guess. If you
go to Warchalking.org, they have a little cheat-sheet to help you out on how to draw
out everything (CheatSheet:
http://www.blackbeltjones.com/warchalking/warchalking0_9.pdf). I will attempt to draw
out what the symbols are with my wonderful ASCII art skills. :)

---------------------------------------
Open Node:      SSID
                 )(
                 BW

Closed Node:    SSID
                 ()

WEP Node:       SSID  AC
                 (W)
                 BW

BW = Bandwidth and AC = Access Contact.
---------------------------------------

These three symbols are the ones from the little cheat-sheet. These are very adequate,
but I propose a more detailed symbol for open nodes, because there's just more to know.

Proposed Symbol For Open Nodes:

   SSID      This will show (1) an open node, (2) the SSID, (3) CHannel, (4) BandWidth,
 CH )( ST    (5) signal STrength, 1-3 depending, and (6) that the defaults have been
   BW        changed. Signal strength: 1 = Not Good, 2 = Good, 3 = Excellent.

   SSID      This will relay the same info as the one above, but the colons (:) will
 CH:)(:ST    signify that the router is using default settings.
   BW

With the use of these more enhanced symbols, fellow WarX'ers will know a lot more about
the Node at hand, and whether or not it's worth it to stop and connect. After running
into many )('s that have poor quality, or non-default settings, I feel that this could
really help out everyone in the community, if we just took an extra 2 seconds.
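To make the notation above concrete, here is an added example (mine, not part of the
original guide or of the warchalking cheat-sheet) that renders the three cheat-sheet
symbols and the proposed extended open-node form from a node record. The Node fields,
the chalk() function and the sample SSIDs are my own, the observations are constructed,
and the text layout follows the ASCII drawings above.

```python
"""Render a warchalking symbol from a discovered-node record.

Covers the three cheat-sheet symbols (open, closed, WEP) and the extended
open-node form proposed above (channel, signal strength 1-3, and colons
when the router is still on its default settings).
"""

from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    ssid: str
    kind: str                       # "open", "closed" or "wep"
    bandwidth: str = ""             # chalked under the glyph, e.g. "1.5" or "11"
    contact: str = ""               # access contact, WEP nodes only
    channel: Optional[int] = None   # extended open-node form only
    strength: Optional[int] = None  # 1 = Not Good, 2 = Good, 3 = Excellent
    defaults: bool = False          # True if the router still has factory settings


GLYPHS = {"open": ")(", "closed": "()", "wep": "(W)"}


def chalk(node: Node, extended: bool = False) -> str:
    """Return the symbol as text: SSID on top, glyph in the middle, BW below."""
    if node.kind not in GLYPHS:
        raise ValueError(f"unknown node kind: {node.kind!r}")

    if node.kind == "open" and extended:
        # CH )( ST, or CH:)(:ST when the defaults were never changed
        if node.channel is None or node.strength not in (1, 2, 3):
            raise ValueError("extended open symbol needs a channel and strength 1-3")
        sep = ":" if node.defaults else " "
        glyph = f"{node.channel}{sep}{GLYPHS['open']}{sep}{node.strength}"
    else:
        glyph = GLYPHS[node.kind]

    header = node.ssid
    if node.kind == "wep" and node.contact:
        header = f"{node.ssid}  {node.contact}"   # "SSID  AC" as on the cheat-sheet

    lines = [header, glyph]
    if node.kind != "closed" and node.bandwidth:
        lines.append(node.bandwidth)    # closed nodes get no bandwidth line

    width = max(len(line) for line in lines)
    # centre each line over the widest one, with no trailing whitespace
    return "\n".join(" " * ((width - len(line)) // 2) + line for line in lines)


if __name__ == "__main__":
    # constructed sample observations, not real networks
    print(chalk(Node("kraix", "open", bandwidth="11")))
    print()
    print(chalk(Node("corpnet", "closed")))
    print()
    print(chalk(Node("linksys", "open", bandwidth="1.5", channel=6, strength=2,
                     defaults=True), extended=True))
```

The extended form is what you would chalk after a stumbler has given you channel and
signal level; the basic form needs nothing beyond the SSID and whether WEP is on.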

4. WarStrolling - WarStrolling is just like WarDriving and all the other ones except
that you do your scanning on foot. You can either carry around a laptop or a handheld
to detect the networks. By WarStrolling, you will have more time to delve into the
networks that you stumble into, but you are also a lot more noticeable carrying around
a laptop. If you have a handheld (like an iPaq) on the other hand, you will go
unnoticed, but you can't do as much. If you're going WarStrolling, I would suggest that
you use MiniStumbler from www.netstumbler.com. See the tools section in this white
paper.

5. Examples on WarX'ing - I'm going to go over two different scenarios on how you can
begin WarX'ing today. The first one is the most common, WarDriving.

If you are a beginner WarX'er you might have to do a little research on the net about
certain things, but I'll try to go into as much detail as possible. The first thing
that you are going to need is a laptop. Nothing fancy really. If you are going to run a
Windows OS, I would recommend Windows 2000. XP will really piss you off once you find
out that its built-in wireless client grabs the first AP it sees and doesn't like to
let go of it! If you're going to run a flavor of Linux, make sure that it's a current
kernel and that you have the drivers ready to get it to use your wireless card; it can
be a real pain in the ass at first, but well worth it in the long run. This brings us
to our next piece of hardware, a wireless PCMCIA (or PC Card) card. Prism II if
possible, but not required. Make sure that it's 802.11b (that's a "B"). If you use an
"A" card, you won't pick up shit: 802.11a lives in the 5 GHz band and can't hear
802.11b networks in 2.4 GHz, and the tools are for "B" anyway. Another thing that I
would recommend (but is not necessary) is a DC to AC converter (sold as a "power
inverter"). This is a little box that will convert your car's cigarette lighter socket
into an AC socket, so you can get juice for your laptop from your car. Just make sure
that it will supply enough wattage to power it. Now load up your laptop with your
favorite tools, and hit the road! I will once again empower my ASCII art skills to make
a little diagram:

Windows WarX'ing Box                     Linux WarX'ing Box
--------------------                     ------------------
OS - Windows 2000 (NO XP*)               OS - Favorite Compatible Flavor (Debian)
Wireless PCMCIA Card (Prism II*)         Wireless PCMCIA Card (Prism II*)
AC/DC Power Converter*                   AC/DC Power Converter*
NetStumbler                              Kismet
Favorite Port Scanner*                   Favorite Port Scanner*
Windows Share Exploiter*                 Favorite Exploits*
GPS Unit*                                GPS Unit*
White Lightning Jolt Cola :)             WEPCrack*
                                         AirSnort*
                                         FakeAP*
* optional                               THC-RUT*
                                         SSIDSniff*
                                         AirJack*
                                         Cherry Bomb Jolt Cola >:)

My Setup
--------------------
Dell Inspiron 4000 Laptop
Debian Linux
Orinoco Gold Hermes PCMCIA Card
40 watt AC/DC converter
Kismet
nmap
Exploits to test my *own* network >:)
No GPS (i don't care)
WEPCrack
AirSnort
FakeAP (for home use really)
THC-RUT
THC-Wardrive
SSIDSniff
AirJack
AirMonkey
Cherry Bomb & White Lightning Jolt Cola :)
I'm also currently building my own portable yagi.

The GPS device is used to map out the coordinates of the located WLANs. You can then
upload them to a central server (like netstumbler.com) and add them to the ever growing
map, or you can download a program like Stumbverter and make your own maps.

You are obviously going to be able to do a lot more with a Linux box, but not everyone
is leet (I just wanted to use that word) enough to do so. I would also like to point
out that there is not an * after Jolt. This is a necessity because the best time to go
strolling around is at 3 in the morning when Joe Shmoe is asleep with his router and
cable modem on :).

Once you are on a network, there is an endless possibility of the things you can do.
I'm not even going to go into them, but from the list above, and with some common
sense, I think you can figure it out.

A little side note (this should be obvious): make sure that your box is set to DHCP,
because if it's not, you'll never connect to the network, unless you're lucky enough to
have a static address already in the same subnet as theirs. If you need help setting up
your Linux box with a wireless card, go to the white papers section of this doc; there
are a couple of links there that should help you out.

The other area that you could dive into is WarStrolling. In this example, I'll tell you
how to do the equivalent of the above, but with a handheld. Pop this badboy in your
pocket and start walking around! You will need 4 things to WarStroll: (1) a handheld
PDA that either has a built-in 802.11b device, or one that is capable of adding one to
it, (2) a PCMCIA card adapter for your handheld (if needed), (3) a PCMCIA wireless
802.11b card, and (4) stumbling software. I've heard of a couple of people porting a
version of Linux to their iPaqs and then running Linux programs on it, but I don't have
any experience in this. I'll show you the setup which I use:

My WarStrolling Setup
---------------------
Compaq iPaq 3950
Compaq iPaq PC Card Expansion Paq Plus (includes an extra battery!)
Orinoco Gold Hermes PCMCIA Card (Same one from my laptop)
MiniStumbler
Original Jolt Cola (It's hot out :)

That's it. I just turn it on and drop it into my pocket. While walking around NYC,
catching open WiFi networks is like finding a Ford in Detroit. You could also port over
some network tools to play with while looking for networks, but I generally don't add
anything fancy.

There is an alternative to the PC cards though. For the handhelds, you could buy a
compact flash adapter (if you need it), and then purchase a compact flash 802.11b card.
They don't get the range the PC cards do, and some won't be recognized, but it is
possible. The two major benefits to these cards over PC cards are that they are a lot
smaller, and they take less power to use.

6. Something to Think About - When I first started, I was thinking, wow...I'm virtually
undetectable, and even if they do notice I'm on their network, they could never find
me. Well, after breaking into my own network, I found out that is very, very wrong. So
I'm here to give you a couple of pointers that should help you out.

- Change your computer name to something like "IISMonitor", "WorkStation5", or
something else that's inconspicuous. Your hostname goes out in your DHCP request and
ends up in the router's client table, and if a net admin sees a box on his network
labeled "Ul7R4 L337 H4X0R", he's going to wonder.

- If you're running a Linux box, spoof your MAC address. When you connect to a WiFi
LAN, every frame you send carries your card's MAC address, and the router keeps it in
its client/DHCP table, so don't give them your real one. If you're running Windows,
I'm sorry but I currently don't know how to spoof MAC addresses on a Windows box...I
don't know if it's even possible.

- Don't sit in one place for too long. Just like cell phones, it is possible to
triangulate your position. I was talking to a guy out in California that's working
on a Stumbler detector. Basically it consists of three Honeypot WiFi routers set
up in a triangle. When you walk inside the boundary...BAM, he's got ya.

- Use your head, don't sit outside a large corporate office at 3 in the morning with a
custom spray-painted laptop that says "H4X0r" all over it. These places do have
security, and you'll stick out like a sore thumb.

- Don't do anything destructive. There's no point in formatting a poor guy's machine
just because he doesn't know as much about computers as you do. Just think about if
you formatted a doctor's machine with some really important shit on it. You're talking
about real people's lives here. Changing an SSID to "SpreadEgl", or leaving a note on
his desktop telling him how to secure his stuff...eh, that's borderline.
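The MAC-spoofing pointer above, as an added example (mine, not from the original
guide): it picks a unicast MAC address, checks the I/G (multicast) and U/L
(locally-administered) bits, and builds the `ip link` (iproute2) or `ifconfig`
(net-tools) commands that set it on the card. The interface name wlan0 and the sample
vendor prefix 00:11:22 are assumptions, and the commands only execute when you pass
--apply as root.

```python
"""Pick a fresh MAC address for a WarX'ing box and build the commands that set it.

The address goes out in every frame and ends up in the target router's client
table, so it should not be the card's burned-in one. Added example; the interface
name wlan0 and the OUI used in the usage below are assumptions.
"""

import os
import random
import re
import subprocess
import sys
from typing import List, Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def random_mac(oui: Optional[str] = None) -> str:
    """Return a random unicast MAC address.

    With no OUI the first octet gets the locally-administered bit (0x02) set and
    the multicast bit (0x01) cleared, the honest way to make one up. With an OUI
    ("00:11:22") the vendor prefix is kept and only the low three octets are
    randomised, so the address blends in with real cards of that make.
    """
    if oui:
        prefix = [int(x, 16) for x in oui.lower().split(":")]
        if len(prefix) != 3:
            raise ValueError("OUI must be three octets, e.g. 00:11:22")
    else:
        first = (random.randrange(256) | 0x02) & 0xFE
        prefix = [first, random.randrange(256), random.randrange(256)]
    tail = [random.randrange(256) for _ in range(3)]
    return ":".join(f"{b:02x}" for b in prefix + tail)


def is_valid_unicast(mac: str) -> bool:
    """True for a well-formed MAC whose multicast (I/G) bit is clear."""
    mac = mac.lower()
    return bool(MAC_RE.match(mac)) and not int(mac[:2], 16) & 0x01


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit is set, i.e. the address was made up, not burned in."""
    return bool(int(mac[:2], 16) & 0x02)


def spoof_commands(iface: str, mac: str, tool: str = "ip") -> List[List[str]]:
    """Commands that change the address; the interface must be down while it is set."""
    if not is_valid_unicast(mac):
        raise ValueError(f"not a usable unicast MAC: {mac}")
    if tool == "ip":          # iproute2
        return [["ip", "link", "set", "dev", iface, "down"],
                ["ip", "link", "set", "dev", iface, "address", mac],
                ["ip", "link", "set", "dev", iface, "up"]]
    if tool == "ifconfig":    # net-tools, the 2002-era way
        return [["ifconfig", iface, "down"],
                ["ifconfig", iface, "hw", "ether", mac],
                ["ifconfig", iface, "up"]]
    raise ValueError("tool must be 'ip' or 'ifconfig'")


if __name__ == "__main__":
    iface = "wlan0"           # assumed interface name; use iwconfig to find yours
    mac = random_mac()
    cmds = spoof_commands(iface, mac)
    for cmd in cmds:
        print(" ".join(cmd))
    if "--apply" in sys.argv:
        if os.geteuid() != 0:
            sys.exit("need root to change the MAC")
        for cmd in cmds:
            subprocess.run(cmd, check=True)
```

An address with the locally-administered bit set is itself a small tell, since
burned-in addresses never have it; if blending in matters more than honesty, pass a
real vendor prefix as oui and only the low three octets get randomised. Either way,
change it before the card associates, not after.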

------------------------------------------------
VIII. Securing your WLAN
------------------------------------------------
There are some real simple steps to securing your WLAN, but most people don't follow
them. The most common reason for a security hole in a WLAN is laziness. People somehow
feel that whatever they're buying, it comes already secured. This is a BIG problem.
When you purchase a new router or firewall, it comes with default settings and
passwords. If you've read everything up to here, you will have seen a couple of links
to places that publish huge lists of default settings. This takes us to our first step.

1. Configuration - Like I just said, when you purchase a new wireless router, it comes
with a default username/password, channel, and SSID. When an experienced WarX'er is
tooling around, the first thing that (s)he'll notice is the SSID. If it's set to
linksys (Linksys's default SSID) or tsunami (Cisco's default SSID), they know that
there's a real good chance of breaking into that router. So rule number one is CHANGE
YOUR SSID. Keep in mind that if you make it something like "Don't Even Try", you're
just begging to get hacked. Just use common sense. Next, change your username and
password. Make your password a non-dictionary word, more than 8 characters, a mix of
alphanumeric and non-alphanumeric symbols, and don't match it to your SSID; that would
defeat the purpose. You may say, "Well no one ever comes in my apt but me, so I don't
need a fancy password." Most wireless routers have a web administration menu. Once a
hacker or WarX'er is on your network, all they have to do is type your router's IP into
a browser, and BAM, they have control of your network.

2. WEP - Enable WEP, 128-bit if possible. I know that WEP can be cracked (the tools
section above lists WEPCrack and AirSnort, which recover the key from captured
traffic), and that it's not a magic answer to WiFi security, but it's just not worth
the time and effort of cracking a network with WEP enabled when there are two others in
the same area without it. Think of it like The Club for your car. It's just a deterrent
to tell the thief to take the car next to yours instead :).

3. MAC Filtering - Most WiFi routers will allow you to filter access to your WLAN by
MAC address. You add the specific MAC addresses that you wish to allow, and a client
whose MAC isn't on the list is refused. Yes, there is a way around this too (MAC
Spoofing/MAC Brute Forcing): MAC addresses go over the air in the clear even with WEP
on, so anyone sniffing can copy one that's allowed. But once again...it's a deterrent.

4. Fake AP - Go download the program called Fake AP. It's an excellent little program
written by a couple of drunk blackhats from DefCon last summer. This will flood the
airwaves with a ton of fake AP SSIDs. This way a WarX'er will have a list of all these
bogus APs with yours hiding in there somewhere. It's like looking for Joe-Bob in Iowa,
and then dropping Times Square around him. Keep in mind it only hides you in a
stumbler's list; someone sniffing will still see which SSID actually carries client
traffic.

5. Disable SSID Broadcasting - Some of the higher-end WiFi routers will allow you to
disable the broadcasting of the SSID in beacons. This will help out a lot, because a
WarX'er can't connect to what (s)he can't see. Of course there are ways to passively
monitor the traffic to determine an SSID (it still goes out in the clear when a client
associates), but again...this is a deterrent. Are we catching the pattern here?

6. Power - This is by far the most secure way to keep WarX'ers out of your network,
WiFi or not...turn the power off. Pretty simple huh? If you're not using your WLAN,
turn it off. Not only will you save on power costs, but it's a sure bet on keeping
people out while you're asleep or out getting drunk :).
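Here is an added example (mine, not from the original guide) that turns steps 1, 2, 3
and 5 above into an audit over a router's settings, so you can check your own box the
way a WarX'er would size it up. The config dict, the tiny default-SSID,
default-credential and dictionary lists, and the sample passwords are constructed
stand-ins; a real audit would load the published default-password lists linked in the
white papers section and a real word list.

```python
"""Check a wireless router's settings against the steps in this section.

Added example. The config is a plain dict standing in for what you would read
off the router's web admin page; the default-SSID, default-credential and word
lists are small constructed stand-ins for the published lists.
"""

import string
from typing import Dict, List

# factory SSIDs named in step 1 (linksys for Linksys, tsunami for Cisco)
DEFAULT_SSIDS = {"linksys", "tsunami"}

# constructed stand-in for a default-password list
DEFAULT_CREDS = {("admin", "admin"), ("admin", ""), ("", "admin"), ("admin", "password")}

# constructed stand-in for a dictionary; load a real word list in practice
WORDLIST = {"admin", "password", "wireless", "secret", "letmein", "linksys"}


def password_findings(password: str, ssid: str) -> List[str]:
    """Apply the step-1 password rules; return one message per rule broken."""
    problems = []
    if len(password) <= 8:
        problems.append("password is not more than 8 characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("password needs both letters and digits")
    if not any(c in string.punctuation for c in password):
        problems.append("password has no non-alphanumeric symbol")
    if password.lower() in WORDLIST:
        problems.append("password is a dictionary word")
    if ssid and ssid.lower() in password.lower():
        problems.append("password matches or contains the SSID")
    return problems


def audit(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means every step is in place."""
    findings = []
    ssid = cfg.get("ssid", "")
    user = cfg.get("admin_user", "")
    password = cfg.get("admin_password", "")

    # 1. Configuration: SSID and admin login
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(f"SSID '{ssid}' is a factory default; change it")
    if (user, password) in DEFAULT_CREDS:
        findings.append("admin username/password is on the default-password list")
    findings.extend("admin " + p for p in password_findings(password, ssid))

    # 2. WEP: None means off; otherwise the key length in bits
    wep = cfg.get("wep")
    if wep is None:
        findings.append("WEP is off; enable it, 128-bit if possible")
    elif wep < 128:
        findings.append(f"WEP is {wep}-bit; move to 128-bit if the hardware allows")

    # 3. MAC filtering: an empty allow list is the same as no filter
    if not cfg.get("mac_filter"):
        findings.append("no MAC address filter; add the MACs you actually use")

    # 5. SSID broadcast
    if cfg.get("ssid_broadcast", True):
        findings.append("SSID broadcast is on; disable it if the router supports that")

    return findings


# constructed configs: one straight out of the box, one after the steps above
FACTORY = {"ssid": "linksys", "admin_user": "admin", "admin_password": "admin",
           "wep": None, "mac_filter": [], "ssid_broadcast": True}
HARDENED = {"ssid": "kraix-hq", "admin_user": "slayer",
            "admin_password": "Tq7#mellow9$x", "wep": 128,
            "mac_filter": ["00:11:22:33:44:55"], "ssid_broadcast": False}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY), ("hardened", HARDENED)):
        found = audit(cfg)
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Steps 4 (Fake AP) and 6 (power) are not things you can read off a config page, so
they are left out. The point of running it is the factory case: nine findings from
one box that "came secured".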

------------------------------------------------
IX. Conclusion
------------------------------------------------
It's not really a conclusion, but more of me just saying good-bye. I really hope that
this helps a lot of you out there and that maybe you even learned something. I just
feel that after all these years of reading these white papers, I needed to return
something. So, this is my contribution. If you would like to make any comments or
suggestions, please email me at slayer@kraix.com . I will try to respond, but no
guarantees.

------------------------------------------------
X. Shameless Plug
------------------------------------------------
If you're into photoshop, hacking, piercings, tattoos, or just misc cool stuff,
go to Kraix.com. There's a ton of stuff there for you, and I promise you'll love it.
There's no other site out there on the net like it. All PS tutorials are one of a kind,
not ripped from other sites, or ideas taken from other people, 100% originality.

www.KRAIX.com

The Definitive Guide To Wireless WarX'ing is Copyright 2002 by Kraix.com.
All Rights Reserved. Please email Slayer@Kraix.com for permission to publish.
This article is free to distribute in its current format, and unchanged.
