Professional Documents
Culture Documents
* *
* The Definitive Guide To Wireless WarX'ing *
* ----------------------------------------- *
* v1.2.1 *
* *
* 09/04/02 *
* *
*************************************************
* *
* by Slayer *
* *
* Slayer@Kraix.com *
* *
*************************************************
* *
* www.KRAIX.com *
* *
*************************************************
Contents:
---------
I. Introduction
IX. Conclusion
X. Shameless Plug
**************************************************************************************
**************************************************************************************
------------------------------------------------
I. Introduction
------------------------------------------------
This is my first _real_ documentation, so please...no flaming or anything.
I put this together because I have been receiving a lot of emails and such
regarding wireless networks. Everyone wants to know, what it is, how to do that,
where to get this, is this legal...the list is huge. So instead of constantly sending
out a bunch of small answers, I'm writing this paper to help you learn as much
as possible. Side Note: Keep in mind that I am not an *expert* in this area. I did
not design the 802.11x standard or anything. I've just done a lot with it :o).
------------------------------------------------
II. Types of Wireless Networking
------------------------------------------------
As you may have already figured out, there are a few different wireless types out
there; 802.11a/b, BlueTooth, Radio Freq, and IrDA are to name a few. There
really isn't
a standard yet, because everyone thinks that their idea is the best, and they're
pretty
stubborn about it. Basically though, each type of wireless networking has it's ups
and
downs. I'll try to give you a brief overview of the ones that I know of.
1. 802.11a (that's an "A" after the numbers) - This is probably going to be the
new
standard for home and small office networking. I'm not too sure yet if it'll surpass
802.11b, but hey...time will tell. 802.11 was the first wireless protocol to come
out,
and i believe it would run at about 1-2Mbps (don't quote me on that). A little while
later
802.11b came out, and it was faster, so people moved over to adopt that one.
Now, .11a has
been redone so that it's even faster than .11b. .11a now runs at 54Mbps in the
5Ghtz band
and it uses what is called the "orthogonal frequency division multiplexing
encoding
scheme," (trust me, I couldn't make that up ;). If you want to learn more about
OFDM,
go run a Google on it, because I'm not going to go into it, all I'll mention is that it's
more secure than WEP (Ha, "secure" and "WEP" shouldn't even be in the same
sentence).
Range on these devices will vary, but you should be able to get about 300ft. from
an
access point.
2. 802.11b (that's a "B" after the numbers) - .11b was the next revelation in
wireless
technology after .11 and before .11a. It is now commonly referred to as Wireless
Fidelity or "WiFi" (pronounced like SciFi). .11b has a thoroughput of 11Mbps, and
can fall
back to 5.5Mbps, 2Mbps, and 1Mbps. All that means is that as the signal gets
degraded (or farther away), your connection will drop to these levels. Right now,
.11b is more-so the
standard of wireless networking. There are more wireless LAN's and WAN's
running .11b than
any other architecture. Because of this, you will find more tools, and uses with
this.
When people are out there WarX'ing, this is the protocol that they're using.
(WarX'ing
is described later on.) It's primary security encryption is Wired Equivalent Privacy,
or WEP for short. WEP can be used in 64bit or 128bit forms. All prism 1 cards
can utilize
WEP 64bit, but you'll need a Prism 2 card to use 128bit. But either way, I would
strongly recommend that you do NOT rely solely on this, bad bad idea. Once
again, I'm not
going into how WEP works (or doesn't work). Google it if you're interested.
Range on
these devices will vary, but you should be able to get about 300ft. from an access
point.
3. BlueTooth - BlueTooth is a wireless type for short range devices. You can get
about 10
meters (that's about 30ft) away before you lose connection. Of course, that's in
lab
results. Real world, you can get about 25-ish, but hey who's counting ;).
Anyways,
BlueTooth is being integrated into a lot of portable devices for use of Sync'ing
things
together. Such devices are handhelds (Compaq's iPaq), phones (Sony-Ericsson),
and
other little gadgets. It's really a way to replace IRDa, and in that way it's
beneficial.
BlueTooth generally has a transfer rate of about 1Mbps. That's not too bad,
considering
that it's only syncing, or passing streaming media. Leeching news groups with
it...no.
Using this standard to sync devices, or to get rid of wires is a great idea, but I
don't
see us buying a can of Jolt out of a machine with our phone anytime soon. So
far, the best
ways that I've seen this protocol being used are in PDA's for syncing, and in the
new
Sony-Ericsson T68i cell phone that uses a wireless (BlueTooth) handsfree
headset.
I want one sooo bad. I'd even be willing to write s review about it if someone
donated
one to me (hint, hint, :o).
4. Radio Frequencies - Cell Phones. This is how they work, by using alternating
encrypted radio frequencies. I could write an entire thesis on this alone, but I'm
not.
All I'm going to tell you is that Cell Phones use them :). Phreaking is not my
expertise
at all, and I'm not about to begin to talk about something that I don't know enough
about.
5. IrDA - Infrared Data Association. Basically, the stuff you're remote controls
use.
It's using a beam of light that we can't see to send a signal. The restrictions on
this
are enormous, but hey...it works. IrDA is used a lot in Cell Phones, PDA's
(especially
Palm's, I think they were the first to use it, but I could be wrong), laptops, wireless
mice/keyboards; the list goes on and on. The major downfalls for IrDA are
distance and
line-of-sight. IrDA can only go about 1-2 meters and doesn't work unless there is
a direct
line-of-site. It's nice to sync your palm or your phone with your contact list on your
laptop without wires and all, but if your cat lays down between the two, end of
connection.
BlueTooth is starting to replace the uses for IrDA, because it can go farther, more
secure,
does not need line-of-site, and it's a lot faster. IrDA has a transfer rate of about
75Kbps (that's a "K", not an "M").
------------------------------------------------
III. Wireless Networking Hardware
------------------------------------------------
For IrDA, BlueTooth, and Radio Frequencies, the hardware is basically built into
the
devices that's going to use it. There are a couple peripherals that you could buy,
but
they're not worth going into. I'm basically going to cover 802.11a/b hardware. The
same
type of hardware exists for both standards unless otherwise noted.
1. Wireless Routers - This is the most important piece of wireless technology that
you
will but when setting up a LAN or WAN. You must make sure that it's of the right
archetecture, chipset (Prism 1 or 2), and that it has all the features that you need.
For home use, you shouldn't spend over $200, unless you want some high-end
stuff, or
you're delving into the .11a world (.11a is a little more expensive). Pretty much
every manufacture and their brother are making wireless routers. Linksys, 3com,
Belkin,
Intel, Cisco, Billy-Ray-Joe (just kidding). I personally use Belkin, and I haven't
had any
problems, but I would recommend that you buy a name-brand router. Remember,
you get what
you pay for. Remember that when you're looking at a Linksys $150 router on sale
with 8
mail-in rebates from Best Buy.
2. Access Points - These are very useful in larger offices, or houses. They will
relay
the signal to extend your coverage. It acts kind of like a wireless hub. These are
also
made by all the same people that make the routers, and I suggest that if you
purchase
an access point, that you get the same brand as your router. Less likely to have
compatibility issues.
3. Wireless NIC's - Um, it's a NIC (Network Interface Card) that's wireless. I think
that
this one is pretty self-explanitory. One idea though, is that instead of buying a
wireless
NIC, buy a PCI card that has a slot to insert a PCMCIA, or PC card, into it. These
cards
shouldn't cost more than $20, and you can use the PC card for more stuff.
4. Wireless PCMCIA (PC Cards) cards - These are the cards that go into your
laptops, or
other portable devices. There are two different architectures for these cards,
Prism 1 and
2. 1 supports 64bit and 2 supports 128bit encryption. Almost all the cards are
Type 2
cards (in relation to the thickness). In my opinion, the best cards out there right
now
are the Orinoco Gold cards. You can get them online for about $80.
5. Antennas - You can purchase, or make, external antennas that will increase
your signal
strength and distance. The most common form is called a Yagi (Like from Karate
Kid, jk).
These are sold all over the place online, and there are plans out that that show
you
how to build them from a scratch using a Pringles can and Radio Hack parts
(Great way
to disguise it for WarX'ing). One piece of hardware that you'll most definitely need
is
called a Pig Tail. This is a wire that will connect from your wireless card (on
the antenna) to a thick coaxial cable or cable connector. The little piggies cost
about
$20.
------------------------------------------------
IV. Wireless Software (Tools)
------------------------------------------------
With the recent explosion of the wireless networking community, there has been
a shadow
within the software field. Recently it seems like there is a new wireless tool that
comes
out every day. I have tried to put together a list of tools, and their links, of what I
think are probably the most useful. If I've used it before, or I know about it, I'll try
to give a description about it also.
I have to say that these are by far the most widely used
and proven wireless discovery tools on the net. Netstumbler will use your
wireless card
to detect all the wireless networks in the area. It will return the WLAN's SSID,
channel,
WEP or not, signal strength, and more! The GUI is insanely easy to use. Hell,
even a
L337 H4X0R could use this :). Two features that I really like are it's ability to
modify
the refresh rate of the scan, and that you can hook up a GPS unit to it to track
your
exact coordinates. You can then save this to a file and upload it to their server to
add
to their ever-expanding map of WLANs. MiniStumbler is the same as
NetStumbler, except
that it's for the iPaq handheld (oh the possibilities!).
Homepage: http://www.netstumbler.com
Readme: http://www.stumbler.net/readme/readme_0_3_30.html
Download: http://www.netstumbler.com/download.php?op=getit&lid=22
(NetStumbler)
Download: http://www.netstumbler.com/download.php?op=getit&lid=21
(MiniStumbler)
2. Kismit - Linux
Homepage: http://www.kismetwireless.net
Download: http://www.kismetwireless.net/code/kismet-2.4.6.tar.gz
3. WEPCrack - Linux
WEPCrack is an open source tool for breaking 802.11 WEP secret keys. This
tool is is an
implementation of the attack described by Fluhrer, Mantin, and Shamir in the
paper
"Weaknesses in the Key Scheduling Algorithm of RC4". WEPCrack was the first
publicly
available code that demonstrated the attack.
Homepage: http://wepcrack.sourceforge.net/
Download:
http://sourceforge.net/project/showfiles.php?group_id=32993&release_id=49357
4. AirSnort - Linux
AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys. AirSnort
operates by
passively monitoring transmissions, computing the encryption key when enough
packets have
been gathered. AirSnort requires approximately 5-10 million encrypted packets to
be
gathered. Once enough packets have been gathered, AirSnort can guess the
encryption
password in under a second.
Homepage: http://airsnort.shmoo.com/
Download: http://prdownloads.sourceforge.net/airsnort/airsnort-
0.2.1.tar.gz?download
5. Fake AP - Linux
Homepage: http://www.blackalchemy.to/Projects/fakeap/fake-ap.html
Download: http://www.blackalchemy.to/Projects/fakeap/fakeap-0.2.tar.gz
Homepage: http://researchweb.watson.ibm.com/gsal/wsa/
Download: Can't get it :( . If you can, email me!
7. THC-WarDrive - Linux
THC-WarDrive is a tool for mapping your city for wavelan networks with a GPS
device while
you are driving a car or walking through the streets. It is effective and flexible, a
"must-download" for all wavelan nerds.
Homepage: http://www.thehackerschoice.com
Download: http://www.thehackerschoice.com/download.php?t=r&d=wardrive-
2.3.tar.gz
8. THC-RUT - Linux
THC-RUT (aRe yoU There) is a local network discovery tool developed to brute
force its way
into wvlan access points. It offers arp-request on ip-ranges and identifies the
vendor of
the NIC, spoofed DHCP, BOOTP and RARP requests, icmp-address mask
request and router
discovery techniques. This tool should be 'your first knife' on a foreign network.
Homepage: http://www.thehackerschoice.com
Download: http://www.thehackerschoice.com/download.php?t=r&d=thcrut-
0.1.tar.gz
9. MacStumbler - Mac OS X
Homepage: http://homepage.mac.com/macstumbler/
Download: http://homepage.mac.com/macstumbler/MacStumbler-06b.tgz
(binary)
Download: http://homepage.mac.com/macstumbler/06b-source.tgz (source)
Homepage: http://www.dachb0den.com/projects/bsd-airtools.html
Download: http://www.dachb0den.com/projects/bsd-airtools/bsd-airtools-v0.2.tgz
Download: ftp://ftp.dachb0den.com/pub/projects/bsd-airtools/bsd-airtools-v0.2.tgz
Homepage: http://prismstumbler.sourceforge.net/
Download: http://www.monolith81.de/download/prismstumbler-0.5.0.tar.gz
Homepage: http://chocobospore.org/mognet/
Download: http://www.monolith81.de/download/Mognet-1.14.tar.gz
A new linux distribution for Wardrivers. It is available on disk and bootable CD.
It's
mainly intended use is for systems administrators that want to audit and evaluate
their
wireless network installations. Should be handy for wardriving also. I hope you
have a lot
of CDs ready for this one. One guy took a pic of all the CDs he went through just
to get
this thing to work, there had to been at least 20 of em! But hey, in the end he got
it!
Homepage: https://sourceforge.net/projects/warlinux/
Download: http://prdownloads.sourceforge.net/warlinux/warLinux.iso?download
Homepage: http://www.remote-exploit.org
Download: http://www.remote-
exploit.org/modules.php?name=Downloads&d_op=getit&lid=25
15. WaveStumbler - Linux
WaveStumbler is console based 802.11 network mapper for Linux. It reports the
basic AP
stuff like channel, WEP, ESSID, MAC etc. It has support for Hermes based cards
(Compaq,
Lucent/Agere, ... ) It still in development but tends to be stable.
Homepage: http://www.cqure.net/tools08.html
Download: http://www.cqure.net/tools/wavestumbler-1.2.0.tar.gz
16. AiroPeek - Windows 98, ME, 2000, XP (COMMERCIAL $1495 for 1 year!)
Homepage: http://www.wildpackets.com/products/airopeek
Download: http://www.wildpackets.com/demo_buy/demos/apw (DEMO)
Homepage: http://www.sonar-security.com/
Download: http://www.sonar-security.com/files/StumbVerter_V010_full.zip
18. AP Scanner - Mac
Homepage: http://homepage.mac.com/typexi/Personal1.html
Download:
http://homepage.mac.com/typexi/.cv/typexi/Public/AP%20Scanner%201.0%20Di
st.sit-link.sit
A nifty tool to use when looking to discover access points and save captured
traffic. Comes
with a configure script and supports Cisco Aironet and random prism2 based
cards.
Homepage: http://www.bastard.net/~kos/wifi/
Download: http://www.bastard.net/~kos/wifi/ssidsniff-0.36.tar.gz
Homepage: http://www.jm-music.de/projects.html
Download: http://www.jm-music.de/wavemon-current.tar.gz
Homepage: http://airtraf.sourceforge.net/index.php
Download: http://prdownloads.sourceforge.net/airtraf/airtraf-0.5.0.tar.gz
AirJack is a nifty tool that will let you take over a connection to a WLAN. Short-
short
version: You DOS the AP filling it with forged ARP packets confusing the hell out
of
the AP causing it to dump. Then the clients start to look for a new AP, because
they lost
their connection. What the find is your box as the AP, and then when the real AP
comes
back, you're the middle man. Get it?
Homepage: http://802.11ninja.net/
Download: http://802.11ninja.net/airjack-v0.6.2-alpha.tar.bz2
------------------------------------------------
V. Wireless White Papers
------------------------------------------------
After spending a couple days scouring the net for information on wireless
networking
and other such topics. I have come across a few white papers that I have found
to be
useful or interesting. White papers are documents that are instructional or
informative. This document that I am writing can be considered a white paper.
The following
are links and brief descriptions of each white paper that I found. Some are HTML
files,
PDF documents, and even PowerPoint slides from different conventions.
Link: http://documents.iss.net/whitepapers/wireless_LAN_security.pdf
2. Wireless HOWTO for Linux - This is a pretty informative guide on how to get
your
Linux box up and running for a wireless LAN. Remember that these are just
guidelines,
and that you'll have to make changes depending on your card, distro, and box.
Link: http://www.ibiblio.org/pub/Linux/docs/HOWTO/other-
formats/html_single/Wireless-HOWTO.html
Link: http://www.net-security.org/dl/articles/Wireless.pdf
Link: http://www.lava.net/~newsham/wlan/WEP_password_cracker.ppt
5. The Need for a 802.11 Wireless Toolkit - This is a PDF white paper written by
a guy
from @Stake that was presented during the Black Hat Briefings in July of 2002.
Link: http://www.packetfactory.net/projects/radiate/802.11_toolkit-2.0.pdf
6. Wireless LAN Security - Here is an excellent white paper in HTML format that
describes everything that you need to know about wireless security, it's
vulnerabilities,
methods of attack, and much more.
Link: http://www.packetninja.ca/starrrt.html
Link: http://ruff.cs.jmu.edu/~beetle/download/befvp41.html
8. SSID Defaults - Here is a TXT file that lists most of the manufactures default
SSID's,
default password login pairs, channels, and some other useful tidbits.
Link:
http://www.wi2600.org/mediawhore/nf0/wireless/ssid_defaults/ssid_defaults-
1.0.5.txt
9. What's Up With WEP - Here's a quick read from IBM on how WEP works and
other things
WEP. There are some pictures that should help you out if you're reading
impaired >:)
Link: http://www-106.ibm.com/developerworks/library/s-wep/?article=wir
10. Default List of Passwords - I think this one is pretty self-explanatory. It's a
huge
list of default password and login settings for routers, firewalls, and everything
else.
If I were you, I would save this list, because who knows how long it'll stay here.
Link: http://www.aaws25.hemscott.net/Default%20password%20list.htm
------------------------------------------------
VI. Wireless Web Sites
------------------------------------------------
I have compiled a list of my favorite 10 wireless web sites and list them here for
you.
Most of these sites all deal within a specific area of wireless, but there is some
overlap. You'll just have to go there and check it out!
1. Netstumbler.com - The home of probably the most famous wireless tool on the
net. Not
only that, but they have current wireless news and events, a forum, geographical
WLAN
locations, and more. Definitely a must.
Link: http://www.netstumbler.com
2. Milehigh Wireless - If you live in the Denver area, this is the perfect site for
you.
They talk about their free coverage ideas, and more.
Link: http://www.milehighwireless.net/wiki-moinmoin/moin.cgi
Link: http://www.monolith81.de/software_linux.htm
4. PersonalTelCo - Here's a nice page about WarDriving with some helpful links.
There are
some other sites in this page relating to wireless stuff, but they may be hard to
find.
Link: http://www.personaltelco.net/index.cgi/WarDriving
5. WarChalking.org - The official WarChalking homepage. The Blogging system
here is pretty
cool. It allows anyone to write stories relating to Warchalking, and then the story
is
rated among other warchalkers as to whether or not it gets published. You'll find
some cool stories, pictures, and other misc. stuff here.
Link: http://www.warchalking.org/
Link: http://www.wardriving.com
Link: http://www.wirelesscloud.net/wirelesscloud/index.htm
8. Sputnik - These guys have made a couple different products that are very
useful in the
wireless industry. They also have some news articles relating to wireless, but
they don't
get updated too frequently.
Link: http://www.sputnik.com/
Link http://www.nycwireless.net/
10. War Strolling and Cabbing - Here's another NYC based guy that's going
around
Manhattan and mapping out the wireless networks. Using MacStumbler, it looks
like
he's getting a large area pretty covered. Doesn't look like he's doing any chalking
though, so you'll have to check out the site to find the networks.
Link: http://www.joemaller.com/wifi/
------------------------------------------------
VII. WarX'ing (Why you're reading this :)
------------------------------------------------
1. The first question that's probably in your head is, "What the hell is 'WarX'ing'".
Well
it's pretty simple. Right now there are many different types of Wireless scanning
going
about. You have WarDriving, WarChalking, WarStrolling, WarBoating, WarFlying,
the list
is endless. Because of this, I've adopted the term WarX'ing; the "X" is the
variable
for the different kinds. No matter what mode of transportation you use, you're
doing the
same thing...scanning. So instead of all these terms, I've decided on one simple
term that
covers them all. Judging by the context of the document, story, or whatever; I
think you'll
be able to figure out if they were on foot, or in a car.
The prefix "War" originally came from the good-ole days of BBS'ing. To find a
modem on the
other end of a phone line, you would do what is called WarDialing. Think of this
as a
primitive IP scan. You'd enter in a set of phone numbers to dial (ex. 555-1000 -
555-1100 )
and then the WarDialing program calls each number in the list to see if there's a
modem
at the other end, and then either makes a note of it, or tries to connect. I think
you
can see the connection here. For those of you that have no clue what WarX'ing
(WarDriving/chalking/strolling/etc) is, I will go into more detail about each area
below.
---------------------------------------
Open Node: SSID
)(
BW
These three symbols are the ones from the little cheat-sheet. These are very
adequate, but
I propose a more detailed symbol for open nodes, because there's just more to
know.
SSID This will relay the same info as the one above, but the colons (:) will
CH:)(:ST signify that the router is using default settings.
BW
With the use of these more enhanced symbols, fellow WarX'ers will know a lot
more about
the Node at hand, and whether or not it's worth it to stop and connect. After
running
into many )('s that have poor quality, or non-default settings, I feel that this could
really help out everyone in the community, if we just took an extra 2 seconds.
4. WarStrolling - WarStrolling is just like WarDriving and all the other one's
expect that
you do your scanning on foot. You can either carry around a laptop or a handheld
to detect
the networks. By WarStrolling, you will have more time to delve into the networks
that
you stumble into, but you are also a lot more noticeable carrying around a laptop.
If you
have a handheld (like an iPaq) on the other hand, you will go unnoticed, but you
can't do
as much. If you're going WarStrolling, I would suggest that you use MiniStumbler
from
www.netstumbler.com. See the tools section in this white paper.
My Setup
--------------------
Dell Inspiron 4000 Laptop
Debian Linux
Orinoco Gold Hermes PCMCIA Card
40 watt AC/DC converter
Kismet
nmap
Exploits to test my *own* network >:)
No GPS (i don't care)
WEPCrack
AirSnort
FakeAP (for home use really)
THC-RUT
THC-Wardrive
SSIDSniff
AirJack
AirMonkey
Cherry Bomb & White Lightning Jolt Cola :)
I'm also currently building my own portable yagi.
The GPS device is used to map out the coordinates of the located WLAN's. You
can then
upload them to a central server (like netstumbler.com) and add them to the ever
growing
map, or you can download a program like Stumbverter and make your own
maps.
You are obviously going to be able to do a lot more with a linux box, but not
everyone
is leet (i just wanted to use that word) enough to do so. I would also like to point
out that there is not an * after Jolt. This is a necessity because the best time to
go
strolling around is at 3 in the morning when Joe Shmoe is asleep with is router
and
cable modem on :).
Once you are on a network, there is an endless possibility of the things you can
do.
I'm not even going to go into them, but from the list above, and with some
common sense,
I think you can figure it out.
A little side note (this should be obvious), make sure that your box is set to
DHCP,
because if it's not, you'll never connect to the network, unless you're lucky
enough to be
set to the same class and subnet. If you need help setting up your Linux box with
a
wireless card, go to the white papers section of this doc, there's a couple links
there
that should help you out.
The other area that you could dive into is WarStrolling. In this example, I'll tell you
how to do the equivalent of above, but with a handheld. Pop this badboy in your
pocket
and start walking around! You will need 4 things to WarStrole, (1) Handheld PDA
that either
has a built in 802.11b device, or one that is capable of adding one to it, (2) a
PCMCIA
card adapter for your handheld (if needed), (3) a PCMCIA Wireless 802.11b
card, (4) and
stumbling software. I've heard of a couple people porting a version of linux to
their
iPaq's and then running linux programs on it, but I don't have any experience in
this.
I'll show you the setup which I use:
My WarStrolling Setup
---------------------
Compaq iPaq 3950
Compaq iPaq PC Card Expansion Paq Plus (includes an extra battery!)
Orinoco Gold Hermes PCMCIA Card (Same one from my laptop)
MiniStumbler
Original Jolt Cola (It's hot out :)
That's it. I just turn it on and drop it into my pocket. While walking around NYC,
catching
open WiFi networks is like finding Ford in Detroit. You could also port over some
network
tools to play with while looking for networks, but I generally don't add anything
fancy.
There is an alternative to the PC cards though. For the handhelds, you could buy
a compact
flash adapter (if you need it), and then purchase a compact flash 802.11b card.
They're
not as strong as the PC cards, and some won't be recognized, but it is possible.
The
two major benefits to these cards over PC cards is that they are a lot smaller,
and they
take less power to use.
- If you're running a Linux box, spoof your MAC address. When you connect to a
WiFi LAN,
you will broadcast your MAC address to the router, so don't give them your real
one.
If you're running Windows, I'm sorry but I currently don't know how to spoof
MAC
addresses on a Windows box...I don't know if it's even possible.
- Don't sit in one place for too long. Just like cell phones, it is possible to
triangulate your position. I was talking to a guy out in California that's working
on a Stumbler detector. Basically it consists of three Honeypot WiFi routers set
up in a triangle. When you walk inside the boundary...BAM, he's got ya.
- Use your head, don't sit outside a large corporate office at 3 in the morning with
a custom spray-painted laptop that says "H4X0r" all over it. These places do
have
security, and you'll stick out like a soar thumb.
------------------------------------------------
VIII. Securing your WLAN
------------------------------------------------
There are some real simple steps to securing your WLAN, but most people don't
follow them.
The most common reason for a security hole in a WLAN is laziness. People
somehow feel
that whatever they're buying, it comes already secured. This is a BIG problem.
When you
purchase a new router, or firewall, they come with default settings and
passwords. If
you've read everything up to here, you would have seen a couple links to places
that
publish huge lists of default settings. This takes us to our first step.
1. Configuration - Like I just said, when you purchase a new wireless router, is
comes
with a default username/password, channel, and SSID. When an experienced
WarX'er is
tooling around, the first thing that (s)he'll notice is the SSID. If it's se to Linksys
(Linksys's default SSID) or tsunami (Cisco's default SSID), they know that there's
a real
good chance of breaking into that router. So rule number one is CHAGE YOUR
SSID. Keep
in mind that if you make it something like "Don't Even Try", you're just beggin to
get
hacked. Just use common sense. Next, change your username and password.
make your password
a non-dictionary word, more than 8 characters, alphanumeric and non-
alphanumeric symbols,
and don't match it to your SSID, that would defeat the purpose. You may say,
"Well no one
ever come in my apt but me, so I don't need a fancy password." Most wireless
routers have
a Web Administration menu. Once a hacker or WarX'er is on your network, all
they have to
do is type in your routers IP into a browser, and BAM, they have control of your
network.
2. WEP - Enable WEP, 128-bit if possible. I know that WEP can be cracked, and
that it's
not a magic answer to WiFi security, but it's just not worth the time and effort of
cracking a network with WEP enabled when there are two others in the same
area without it.
Think of it like The Club for your car. It's just a deterrent to tell the thief to take
the car next to your instead :).
3. MAC Filtering - Most WiFi routers will allow you to filter access to your WLAN
by
MAC address. You can add in the specific MAC addresses that you wish to
allow, and if a
requesting computer with an invalid MAC address wants it, it says "No". Yes,
there is a
way around this too (MAC Spoofing/MAC Brute Forcing), but once again...it's a
deterrent.
4. Fake AP - Go download the program called Fake AP. It's an excellent little
program
written by a couple drunk blackhats from DefCon last summer. This will flood the
air waves
with a ton of fake AP SSID's. This way a WarX'er will have a list of all these
bogus AP's
with yours hiding in there somewhere. It's like looking for Joe-Bob in Iowa, and
then
dropping Times Square around him.
5. Disable SSID Broadcasting - Some of the higher-end WiFi routers will allow
you to
disable the broadcasting of the SSID. This will help out a lot, because if a
WarX'er
can't connect to what it can't see. Of course there are ways to passively monitor
the
traffic to determine an SSID, but again...this is a deterrent. Are we catching the
pattern
here?
6. Power - This is by far the most secure way to keep WarX'ers out from your
network, WiFi
or not...turn the power off. Pretty simple huh? If you're not using your WLAN, turn
it off.
Not only will you save on power costs, but it's a sure bet on keeping people out
while
you're asleep or out getting drunk :).
------------------------------------------------
IX. Conclusion
------------------------------------------------
It's not really a conclusion, but more of me just saying good-bye. I really hope
that this
helps a lot of you out there and that maybe you even learned something. I just
feel that
after all these years of reading these white papers, I needed to return something.
So,
this is my contribution. If you would like to make any comments or suggestions,
please
email me at slayer@kraix.com . I will try to respond, but no guarantees.
------------------------------------------------
X. Shameless Plug
------------------------------------------------
If you're into photoshop, hacking, piercings, tattoos, or just misc cool stuff,
go to Kraix.com. There's a ton of stuff there for you, and I promise you'll love it.
There's no other site out there on the net like it. All PS tutorials are one of a kind,
not ripped from other sites, or ideas taken from other people, 100% originality.
www.KRAIX.com