How NetStumbler and MiniStumbler Work




Both NetStumbler and MiniStumbler are active wireless network detection applications (see the sidebar “‘Active’ versus ‘Passive’ WLAN Detection” for more details). NetStumbler does not passively listen for, or receive, beacons.

At the default rate of approximately once per second, NetStumbler sends out a Probe Request frame, and then listens for any responding Probe Response frames from access points or ad-hoc networks that are in range. In simple terms, the request is an electronic “Hello! Is anyone there?” while the Probe Response is the answer to that question. When it answers, the access point (AP), or a peer in an ad-hoc network, responds with certain information such as the wireless network name, called the Service Set Identifier (SSID), and its Media Access Control (MAC) address. The response is the 802.11 equivalent of: “Oh, hello! I’m here! My MAC is 00:00:00:00:00:00 and my SSID is MySSID.” If the request receives any response, then NetStumbler logs the information and reports it to the user via the interface.

start sidebar
Tools & Traps…
“Active” versus “Passive” WLAN Detection

NetStumbler is an “active” wireless network detection application. This means the program takes a specific action to accomplish the WLAN detection. The action is to send out a specific data probe called a Probe Request. The Probe Request frame and the associated Probe Response frame are part of the 802.11 standard. Applications that employ the “passive” detection procedure do not broadcast any signals. Instead, these programs listen to the radio band, waiting to hear any 802.11 traffic that may be within range of the wireless card, but do not initiate such traffic on their own. Much like the Windows versus Linux debate, the proponents of both detection methods at times get involved in intense debates over which method is better. Suffice it to say, both approaches have their good and bad points. Therefore, tools using both techniques deserve their proper place in your WarDriving toolkit.

end sidebar
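Because an active scanner has to transmit, a monitoring sensor can see it, while a passive listener leaves nothing to observe. The following added example (not from the book or from NetStumbler) flags stations whose wildcard Probe Requests arrive at the roughly once-per-second cadence described above; the capture records, the MAC addresses, and the tolerance and minimum-count thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed capture summary: (seconds, source MAC, SSID in the Probe Request).
# An empty SSID is the wildcard probe that asks every AP in range to answer.
CAPTURE = [
    (0.00, "02:00:00:00:00:aa", ""), (1.02, "02:00:00:00:00:aa", ""),
    (2.00, "02:00:00:00:00:aa", ""), (3.01, "02:00:00:00:00:aa", ""),
    (3.99, "02:00:00:00:00:aa", ""), (5.00, "02:00:00:00:00:aa", ""),
    # A client looking for its own network: directed probes, not counted.
    (0.40, "02:00:00:00:00:bb", "MySSID"), (2.70, "02:00:00:00:00:bb", "MySSID"),
    # Wildcard probes in irregular bursts, as an idle client might send.
    (0.00, "02:00:00:00:00:cc", ""), (0.10, "02:00:00:00:00:cc", ""),
    (30.00, "02:00:00:00:00:cc", ""), (30.10, "02:00:00:00:00:cc", ""),
    (95.00, "02:00:00:00:00:cc", ""),
]

def active_scanners(records, period=1.0, tolerance=0.25, min_probes=5):
    """Map each suspected active scanner to its median probe interval in seconds."""
    seen = defaultdict(list)
    for ts, src, ssid in records:
        if ssid == "":
            seen[src].append(ts)
    flagged = {}
    for src, times in seen.items():
        if len(times) < max(min_probes, 2):
            continue  # too few probes to judge a cadence
        times.sort()
        gap = median(b - a for a, b in zip(times, times[1:]))
        if abs(gap - period) <= tolerance:
            flagged[src] = round(gap, 2)
    return flagged
```

Ordinary clients also send wildcard probes, so a steady cadence is a heuristic to investigate rather than proof of a particular tool.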

If it detects an infrastructure wireless LAN, NetStumbler will then request the AP’s name, if it uses the ORiNOCO or Cisco naming convention. When it finds an ad-hoc WLAN, it will request the names of all the peers it sees if they behave like an ORiNOCO or Cisco access point.

In addition, the interface of NetStumbler provides filtering and analysis tools for the user. These tools allow the user to filter the list of access points and WLANs by criteria such as whether a network is using encrypted traffic.

Wireless Ethernet Cards that Work with NetStumbler and MiniStumbler

To use NetStumbler or MiniStumbler, you need a wireless Ethernet card. There are a wide variety of makes and models available, and every day new models are released, so the question becomes: Which ones work with NetStumbler? Generally, the best cards are those that use the Hermes chipset. Primarily, this refers to the ORiNOCO Gold or Silver “Classic” cards or “re-badged” versions of those cards. The big disadvantage to these cards, however, is that they only work with 802.11b data. “Re-badges” are made by manufacturers such as ORiNOCO, but sold under another brand name, such as Dell. The marking decal, or “badge,” is changed to reflect the new brand, hence the term “re-badge.” Table 2.1 contains a list of the Hermes cards. Most of these are re-badged ORiNOCO brand cards.

start sidebar
Damage & Defense…
Disabling the Beacon

NetStumbler transmits a “Broadcast Request” probe to discover the WLAN. Most access points will respond to a Broadcast Request by default. When it responds, the AP transmits its SSID, MAC number, and other information. However, many brands and models of AP allow this feature to be disabled. Once an AP ceases to respond to the request, NetStumbler can no longer detect it. If you don’t want your wireless LAN to show up on the screen of another NetStumbler user, disable the SSID broadcast on your access point. Check your AP manual for “Disable SSID Broadcast”, “Closed SSID,” or similar features.

The one caveat to this is that if the SSID the WarDriver enters in NetStumbler happens to match the SSID of your network, then your AP will still respond to the probe. This is another good reason to change the default SSID. This material will be further described in Chapter 10 (Basic Wireless Network Security).

end sidebar
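The exchange and the closed-SSID caveat described above, as an added example that is not from the book or from NetStumbler: it builds 802.11 Probe Request frames, parses the SSID element, and models an AP's decision to answer exactly as the sidebar describes it. The MAC addresses and the helper names are constructed for illustration; real APs vary in how they treat wildcard probes.

```python
import struct

BROADCAST = b"\xff" * 6
PROBE_REQ, PROBE_RESP = 0x40, 0x50  # frame-control byte 0: management subtype 4 / 5
STATION = bytes.fromhex("0200000000aa")  # constructed scanner MAC
AP_MAC = bytes.fromhex("020000000001")   # constructed AP MAC (BSSID)

def header(fc0, dst, src, bssid):
    # frame control (2 bytes), duration, addr1, addr2, addr3, sequence control = 24 bytes
    return struct.pack("<BBH6s6s6sH", fc0, 0, 0, dst, src, bssid, 0)

def ssid_ie(ssid):
    return bytes([0, len(ssid)]) + ssid  # element ID 0 carries the SSID

def probe_request(src, ssid=b""):
    # A zero-length SSID is the wildcard ("broadcast") probe; otherwise it is directed.
    return header(PROBE_REQ, BROADCAST, src, BROADCAST) + ssid_ie(ssid)

def find_ssid(frame, offset):
    # Walk the information elements from offset; None if absent or truncated.
    while offset + 2 <= len(frame):
        eid, length = frame[offset], frame[offset + 1]
        value = frame[offset + 2:offset + 2 + length]
        if len(value) < length:
            return None
        if eid == 0:
            return value
        offset += 2 + length
    return None

def ap_answer(frame, bssid, ssid, closed):
    """Return the AP's Probe Response, or None when it stays silent."""
    if len(frame) < 24 or frame[0] != PROBE_REQ:
        return None
    wanted = find_ssid(frame, 24)
    if wanted is None or (wanted == b"" and closed) or wanted not in (b"", ssid):
        return None  # malformed, wildcard probe to a closed AP, or another network's SSID
    fixed = struct.pack("<QHH", 0, 100, 0x0001)  # timestamp, beacon interval, capabilities
    return header(PROBE_RESP, frame[10:16], bssid, bssid) + fixed + ssid_ie(ssid)

def logged(ssid_probed, closed, ap_ssid=b"MySSID"):
    """What an active scanner would record for this AP: (MAC, SSID) or None."""
    resp = ap_answer(probe_request(STATION, ssid_probed), AP_MAC, ap_ssid, closed)
    if resp is None:
        return None
    return ":".join(f"{b:02x}" for b in resp[16:22]), find_ssid(resp, 36).decode()
```

A closed AP is silent for `logged(b"", closed=True)` but still answers `logged(b"MySSID", closed=True)`, which is why a default or easily guessed SSID undoes the benefit of disabling the broadcast response.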

Table 2.1: Common Hermes Chipset Cards

Lucent Technologies WaveLAN/IEEE (Agere ORiNOCO)

Dell TrueMobile 1150 Series (PCMCIA and mini-PCI)

Avaya Wireless PC Card

Toshiba Wireless LAN Card (PCMCIA and built-in)

Compaq WL110

Cabletron/Enterasys Roamabout

Elsa Airlancer MC-11

ARtem ComCard 11Mbps

IBM High Rate Wireless LAN PC Card

1stWave 1ST-PC-DSS11IS, DSS11IG, DSS11ES, DSS11EG

NetStumbler 0.4.0 also has expanded support for the following types of cards: 802.11a cards, 802.11a/b dual-mode cards, and 802.11a/b/g tri-mode cards (all based on the Atheros chipset), and 802.11b cards based on the Intersil Prism, Atmel, Broadcom, and Centrino chipsets.

The ORiNOCO cards still offer one major advantage that many other brands and models of cards do not have: An external antenna connection. While it is possible to perform a hardware hack and add a connector to almost any card, it is much easier for the user and the card to use a connector installed by the manufacturer.

MiniStumbler 0.4.0 will work with the built-in WiFi of the Toshiba e740. In the CompactFlash (CF) format, the Dell TrueMobile 1180 and the Buffalo AirStation WLI-CF-S11G both work. The D-Link DCF-650W CF format will function if the Buffalo CF driver is used with it. In the PC form factor, these cards will work: the Proxim/Agere ORiNOCO (also known as the Lucent WaveLAN/IEEE), the Compaq WL110, the Dell TrueMobile 1150 (using the ORiNOCO driver), the Buffalo Airstation WLI-PCM-L11GP (also using the ORiNOCO driver), and the Senao NL-2511CD. For those cards using the ORiNOCO driver, version 7.x or later of the driver must be used.

Note 

One caution about the ORiNOCO cards: In mid-2003 the Proxim company, which produced a rival brand of wireless cards, purchased the ORiNOCO line. They then began a new line of cards, utilizing a new chipset, but calling them ORiNOCO Silver and Gold. This caused much confusion among wireless users, as many applications and hardware (including some ORiNOCO brand Access Points) were not working correctly with the new cards. The older cards quickly became known as the “Classics” by those involved in wireless networking. If you are going to be purchasing an ORiNOCO card, make sure you get the correct model numbers. Model 8410 is for the “Classic” Hermes-based cards (FCC ID: IMRWLPCE24H), while the new cards are marked as Model 8420 (FCC ID: IMRPC2411B). Aside from the different model numbers, the newer cards are marked with a logo of a waving businessman, and display the name “Proxim” in addition to the name ORiNOCO. At the antenna end of the card, which extends out of the laptop, they are also marked “Proxim.”
Fortunately, NetStumbler and MiniStumbler 0.4.0 do work with the new cards, so WarDrivers can now use either the new cards or the “Classics.”

New cards and chipsets are coming out all the time, and users naturally want to know if they will work with NetStumbler. The answer is a definite “maybe.” It depends on the chipset, operating system, and the drivers. Users of Windows 95, Windows 98, and Windows ME are only able to use the wireless cards listed in the README file, which are mostly Hermes chipset cards. Users of Windows 2000 or XP may use cards based on other chipsets. Usually, this will require use of the Network Device Interface Specification (NDIS) version 5.1 drivers. However, sometimes these card and driver combinations will not work with NetStumbler at all. Other times, users report initial success using a particular card, only to find it later fails for some unknown reason. Additionally, most users of NDIS 5.1 say that some of the features of NetStumbler do not work properly. More information about this is detailed in Chapter 3. According to the README file, Windows NT 4.0 has not been tested with NetStumbler, and is therefore not recommended as an OS. However, at least one user on the NetStumbler discussion forums (http://forums.netstumbler.com) reported that NetStumbler works with WinNT 4.0 and Service Pack 5.

Minimum System Requirements

There are no official minimum system requirements for NetStumbler. However, the executable file of Version 0.4.0 is only 532KB in size. With the program and ancillary files consuming only 2 megabytes of disk space, the whole package is rather tiny by today’s standards. Obviously, you will need a PC. Most WarDrivers prefer a laptop or micro PC such as a Libretto, although some hardy individuals have been known to equip their vehicles with full-size tower systems.

Some members of the NetStumbler forums have setups that are rather minimal in terms of computing power. The lowest end system I personally know of is a 75MHz Pentium I with 16MB of RAM, running Windows 95. My personal “stumbling rig” is an IBM ThinkPad, Model 355CD. It is a 100MHz Pentium I, with 16MB of RAM, and is running Windows 98SE. While not quite ready for a PC museum, it is hardly state-of-the-art. There are few programs produced within the last five years that this machine could comfortably run, yet it handles “stumbling” just fine.

To run MiniStumbler, you must have a handheld or mobile device running Windows Handheld PC 2000, Pocket PC 3.0, or Pocket PC 2002. Windows Pocket PC 2003 is not yet supported. If a PC Card or Personal Computer Memory Card International Association (PCMCIA) wireless card is to be used with the handheld, then an expansion pack or other device capable of attaching the card to the mobile device is required.

The one option that most WarDrivers use is the Global Positioning System (GPS) satellite receiver. These devices determine your position on the earth by triangulating off satellite signals. Both NetStumbler and MiniStumbler will talk to many GPS receivers via a serial link, and record the location of a wireless network based on the data from the GPS.

The second optional device that most WarDrivers have is an external antenna for their vehicle. These come in a variety of shapes, sizes, and power gain levels. In addition to a laptop (or handheld) PC, wireless card, and the optional GPS and antenna, you will likely need different cables, power supplies, and adapters to successfully conduct a WarDrive. Those items will be covered in detail in Chapter 3.






WarDriving(c) Drive, Detect, Defend(c) A Guide to Wireless Security