The Direct Approach




According to statistics from the third World Wide WarDrive, approximately one of every four access points currently deployed is in a default configuration. A default configuration means that no encryption is enabled and the Service Set Identifier (SSID) has not been changed from the factory setting. The “direct approach” can be used to gain access to wireless networks in the default configuration. In short, the direct approach refers to “requesting” a connection to the access point. This is an extremely simple process in both Windows and Linux.

Accessing Wireless Networks Using the Direct Approach in Windows

In order to access a wireless network with a default configuration from a Windows machine, all that you need is a wireless client manager. The wireless client manager is the configuration software that either ships with the wireless card, or is built into the operating system (as is the case with Windows XP). This section details how to accomplish this with Windows XP’s built-in wireless connection manager, as well as using the ORiNOCO client manager in Windows 2000.

Windows XP

Windows XP is designed to make connecting to wireless networks achievable through a simple, four-step process:

  1. Verify that the Wireless Zero Configuration Service is running.

  2. Insert a wireless card.

  3. Open the connection manager.

  4. Choose a network to attach to.

The Wireless Zero Configuration Service starts by default in Windows XP; however, installing some programs can cause this service to be disabled or set to manual. To verify that the Wireless Zero Configuration Service is started, go to Start | Settings | Control Panel and then double-click Administrative Tools. This will open the Administrative Tools window (see Figure 9.1).

Figure 9.1: The Administrative Tools Window

Double-click the Services icon to open the Services window (Figure 9.2).

Figure 9.2: The Services Window

Verify that the Wireless Zero Configuration Service is started and set to Automatic, as shown in Figure 9.3.

Figure 9.3: The Wireless Zero Configuration Service

If the Wireless Zero Configuration Service does not show as “Started” and “Automatic,” right-click the service and choose Properties (see Figure 9.4). Set the Startup Type to Automatic, and then click the Start button to start the service.

Figure 9.4: The Wireless Zero Configuration Properties Window

Once the Wireless Zero Configuration Service is running, insert your wireless card. Windows XP will attempt to automatically determine the type of card and install the appropriate driver for it. You should have your driver available in case Windows XP cannot determine the correct driver for your card.

After Windows XP detects your card and installs the driver, Windows XP will inform you if there are available wireless networks in range (see Figure 9.5). Click this dialogue and the Wireless Network Connection properties dialogue will open. This window displays any wireless networks that are available (see Figure 9.6).

Figure 9.5: Networks Detected


Figure 9.6: Available Wireless Networks

start sidebar
Tools and Traps…
Some Networks May Appear to Be Accessible Using the Direct Approach

Some networks may appear to be in a default configuration and accessible using the direct approach. This may not be the case. The Linksys access point shown in Figure 9.6 is an example of this situation. Although it has a default SSID (Linksys), it also has Wired Equivalent Privacy (WEP) enabled. If the Windows XP Wireless Network Connection window prompts for a “Network key,” then a WEP key is required.

Not all wireless networks that appear as “Available” are actually accessible using the direct approach. The steps needed to gain access to these networks are provided in the “Attacking Encrypted Networks” section later in this chapter.

end sidebar

Simply choose the network that you want to connect to and click Connect. Windows XP will inform you that the network doesn’t have encryption enabled and will ask if you still would like to connect (see Figure 9.7). Choose Yes and you have gained access to the network. Many networks will have a Dynamic Host Configuration Protocol (DHCP) server enabled that will configure your connection for use on the network/Internet. This will work with any network that has default settings. Additionally, if a network has had the SSID changed, but no other security measures have been taken, these steps will work in Windows XP.


Figure 9.7: A Final Warning
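The three cases described above (factory SSID with no encryption, a renamed SSID with no encryption, and a factory SSID that still prompts for a network key) can be checked against an inventory of your own access points. The following is an added example, not code from the book; the CSV layout, the function names and every SSID in the factory list other than "linksys" are assumptions, and the survey rows are constructed.

```python
import csv
import io

# Assumption: factory SSIDs to match. "linksys" is the page's example; the
# others are well-known vendor defaults added for illustration.
FACTORY_SSIDS = {"linksys", "netgear", "default", "tsunami"}

# Constructed survey export (not real data): BSSID, SSID, encryption in use.
SAMPLE_SURVEY = """bssid,ssid,encryption
00:11:22:33:44:01,linksys,none
00:11:22:33:44:02,Linksys,WEP
00:11:22:33:44:03,FrontOffice,none
00:11:22:33:44:04,Warehouse,WEP
"""

def classify(ssid, encryption):
    """Return the exposure class for one access point."""
    factory = ssid.strip().lower() in FACTORY_SSIDS
    is_open = encryption.strip().lower() in ("", "none", "open")
    if factory and is_open:
        return "default-config"          # factory SSID, no encryption
    if is_open:
        return "open-renamed"            # SSID changed, still no encryption
    if factory:
        return "factory-ssid-encrypted"  # looks default, but asks for a key
    return "configured"

def audit(survey_csv):
    """Classify every row; return (findings, share joinable without a key)."""
    rows = list(csv.DictReader(io.StringIO(survey_csv)))
    findings = [(r["bssid"], r["ssid"], classify(r["ssid"], r["encryption"]))
                for r in rows]
    joinable = sum(1 for f in findings
                   if f[2] in ("default-config", "open-renamed"))
    return findings, (joinable / len(rows) if rows else 0.0)

if __name__ == "__main__":
    findings, share = audit(SAMPLE_SURVEY)
    for bssid, ssid, verdict in findings:
        print(f"{bssid}  {ssid:<12} {verdict}")
    print(f"joinable without a key: {share:.0%}")
```

Any access point reported as default-config or open-renamed accepts a connection exactly as shown in this section and should have encryption enabled.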

Windows 2000

The direct approach in Windows 2000 is in many ways easier than using Windows XP. One difference is that a third-party client manager is required. Accessing a wireless network with default settings in Windows 2000 is a simple, three-step process.

  1. Installing a client manager

  2. Inserting the wireless NIC

  3. Configuring the client manager for use on default networks

The first step is installing a wireless client manager. This usually comes on the CD-ROM that came with your card. For this example, we will use the ORiNOCO client manager. The client manager that comes with your card may look slightly different, but the steps are basically the same.

Once the client manager is installed, insert your wireless network interface card (NIC) into an open Personal Computer Memory Card International Association (PCMCIA) slot on your laptop. Next, double-click the client manager icon on the bottom right of your Windows taskbar. This will open the client manager program (see Figure 9.8).

Figure 9.8: The Wireless Client Manager

From the menu, select Actions | Add/Edit Configuration Profile. This opens the Add/Edit Configuration Profile window (see Figure 9.9).

Figure 9.9: The Add/Edit Configuration Profile Window

Select the radio button next to the “Default” profile and click Edit Profile. This opens the options for editing the Default configuration profile. Make sure that the Network Name field is blank, as shown in Figure 9.10, and then click OK.


Figure 9.10: The Basic Configuration Tab

Continue to click OK to close each open window.

Using this configuration profile automatically connects to any wireless network with default settings, as shown in Figure 9.11.


Figure 9.11: A Connection Is Made

It really is as simple as that. If your network settings are configured to request a DHCP address (as they are, by default, with a new adapter) and the network you have connected to is providing DHCP addresses (as they are, by default), you now have access. Depending on the configuration of the wireless network, you can use the Internet or browse Windows shares on the network, for example. You have the same level of access as any authorized user of the wireless network.

Accessing Wireless Networks Using the Direct Approach in Linux

Gaining access to default wireless networks in Linux is an extremely simple process. After your wireless card is set up to work on your Linux distribution, there are only two steps.

  1. Edit the wireless.opts file.

  2. Reboot.

The first thing you need to do is edit the wireless options file located at /etc/pcmcia/wireless.opts. You will need to have Super User (root) privileges to do so. Change the directory to /etc/pcmcia and then open wireless.opts for writing.

root@roamer:/home/roamer# cd /etc/pcmcia
root@roamer:/etc/pcmcia# vi wireless.opts

Scroll down and comment out any setting that you may have for your own network. To comment out a line in most Linux configuration files, simply place a pound sign (#) in front of the line you want ignored. Next, locate the line that reads:

# NOTE : Remove the following four lines to activate the samples below …

Remove the pound sign (#) from the next four lines so that it looks like Figure 9.12.

Figure 9.12: Commenting Lines in wireless.opts

Save your changes and then restart the PCMCIA services or reboot.

root@roamer:/etc/pcmcia# shutdown -r now

When the PCMCIA services start after the reboot, two short beeps will sound. If there is a default network in range, your system will gain access and connect to it.

Variation on the Direct Approach in Linux

Many default networks have a DHCP server set up automatically and will assign addresses in the 192.168.1.1–100 range. In rare cases, a wireless network is configured with default settings, but DHCP has been disabled. In order to access these networks, you will need to set your IP address manually. In Windows, this is accomplished by changing the Properties in the TCP/IP Settings. In Linux, this is done by using the ifconfig command.

root@roamer:/root# ifconfig eth0 192.168.1.69 netmask 255.255.255.0
root@roamer:/root# route add default gw 192.168.1.1

Note 

eth0 should be replaced with your card’s interface designation (for example: eth1, wlan0, and so on).

In some cases, users have changed the IP range utilized by their wireless network. In these instances, you may have to experiment with the IP address and router settings until you find the correct one. For example, try setting your IP address to 192.168.2.222, 192.168.3.222, or something similar. It is a good idea to avoid addresses between 100 and 199 in the last octet (for example, 192.168.4.101) because these are more likely to already be in use. If you conflict with an address that is already in use, your access to the network is more likely to be noticed.

Linux users may have an advantage when trying to determine the IP address range in use. As Kismet (see Chapters 4–6 for more information on Kismet) monitors traffic, it will often detect the IP address range in use. Kismet usually needs time and several packets in order to determine the range, but it could take less time than trying to figure it out by guessing.
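A manually addressed client of the kind described in this variation never requests a lease, which is what makes it visible to the network owner. The following added example (not from the book) compares the DHCP lease table with the MAC/IP pairs seen on the segment and reports hosts with no lease, hosts colliding with a leased address, and hosts addressed outside the subnet; the data structures, names and sample values are constructed assumptions.

```python
import ipaddress

# Constructed sample data (not real): leases issued by the DHCP server, and
# (MAC, IP) pairs observed on the segment, for example from an ARP table.
LEASES = {"00:aa:bb:cc:dd:01": "192.168.1.100",
          "00:aa:bb:cc:dd:02": "192.168.1.101"}
OBSERVED = [("00:aa:bb:cc:dd:01", "192.168.1.100"),
            ("00:aa:bb:cc:dd:02", "192.168.1.101"),
            ("00:aa:bb:cc:dd:99", "192.168.1.69"),    # static, no lease
            ("00:aa:bb:cc:dd:98", "192.168.1.101"),   # collides with a lease
            ("00:aa:bb:cc:dd:97", "192.168.2.222")]   # wrong subnet
SUBNET = "192.168.1.0/24"
KNOWN_STATIC = {"192.168.1.1"}  # assumption: the gateway is the only static host

def find_unleased(leases, observed, subnet, known_static=frozenset()):
    """Return (mac, ip, reason) for every observed host without a matching lease."""
    net = ipaddress.ip_network(subnet)
    macs_by_ip = {}
    for mac, ip in observed:
        macs_by_ip.setdefault(ip, set()).add(mac.lower())
    alerts = []
    for mac, ip in observed:
        mac = mac.lower()
        if ip in known_static or leases.get(mac) == ip:
            continue  # documented static host, or address matches its lease
        if ipaddress.ip_address(ip) not in net:
            reason = "outside-subnet"
        elif len(macs_by_ip[ip]) > 1:
            reason = "address-conflict"
        else:
            reason = "no-lease"
        alerts.append((mac, ip, reason))
    return alerts

if __name__ == "__main__":
    for mac, ip, reason in find_unleased(LEASES, OBSERVED, SUBNET, KNOWN_STATIC):
        print(f"{mac}  {ip:<15} {reason}")
```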






WarDriving: Drive, Detect, Defend: A Guide to Wireless Security