Tools of the Trade or What Do I Need?




Tools of the Trade or “What Do I Need?”

This section introduces all of the tools required to WarDrive successfully. Several different configurations can be used effectively for WarDriving, and the topics covered include:

  • Getting the hardware

  • Choosing a wireless network card

  • Deciding on an external antenna

  • Connecting your antenna to your wireless NIC

The following sections discuss potential equipment acquisitions and common configurations for each.

Getting the Hardware

You will need some form of hardware to use with your WarDriving equipment. There are two primary setups that WarDrivers utilize:

  • The Laptop Setup

  • The PDA Setup

The Laptop Setup

The most commonly used WarDriving setup utilizes a laptop computer. To WarDrive with a laptop, you need several pieces of hardware (each of which is discussed in detail in this chapter) and at least one WarDriving software program. A successful laptop WarDriving setup includes:

  • A laptop computer

  • A wireless NIC Card

  • An external antenna

  • A pigtail to connect the external antenna to the wireless NIC

  • A handheld global positioning system (GPS) unit

  • A GPS data cable

  • A WarDriving software program

  • A cigarette lighter or AC adapter power inverter

Because most of the commonly used WarDriving software is not resource intensive, the laptop can be an older model. If you decide to use a laptop computer to WarDrive, you need to determine the WarDriving software you plan to use as well. For instance, if you do not feel comfortable with the Linux operating system, you will have to rely on tools that are supported in a Microsoft Windows environment. Because NetStumbler only works in Windows environments (and Kismet only runs on Linux), your choice of software is limited. A typical laptop WarDriving setup is shown in Figure 1.5.

Figure 1.5: A Typical Laptop Computer WarDriving Setup

The Personal Digital Assistant (PDA) Setup

PDAs are the perfect accessory for the WarDriver because they are highly portable. The Compaq iPAQ (see Figure 1.6), or any number of other PDAs that utilize the ARM, MIPS, or SH3 processor can be utilized with common WarDriving software packages. See Table 1.1.

Figure 1.6: A Typical PDA WarDriving Setup

Table 1.1: PDA Processors

Manufacturer/Model                  Processor
Compaq/Hewlett Packard iPAQ PDAs    ARM
Hewlett Packard Jornada PDAs        SH3
CASIO PDAs                          MIPS

As with the laptop setup, the PDA setup requires additional equipment in order to be successful:

  • A PDA with a data cable

  • A wireless NIC Card

  • An external antenna

  • A pigtail to connect the external antenna to the wireless NIC

  • A handheld global positioning system (GPS) unit

  • A GPS data cable

  • A null modem connector

  • A WarDriving software program

As with the laptop configuration, the software package you choose will affect your choice of PDA. MiniStumbler, the PDA version of NetStumbler, works on PDAs that utilize the Microsoft Pocket PC operating system. The HP/Compaq iPAQ is one of the more popular PDAs among WarDrivers who prefer MiniStumbler. WarDrivers who prefer to use a PDA port of Kismet are likely to choose the Sharp Zaurus since it runs a PDA version of Linux. There are also Kismet packages that have been designed specifically for use on the Zaurus.

Choosing a Wireless Network Interface Card

Now that you have chosen either a laptop or a PDA to use while WarDriving, you will need to determine which wireless NIC to use. Most of the wireless networks that are currently deployed are 802.11b networks, so you will find more access points if you use an 802.11b NIC. 802.11g access points, which transfer data at nearly five times the speed of 802.11b (54 Mbps as opposed to 11 Mbps), are gaining popularity, and it is likely that an 802.11g card will soon supplant an 802.11b card as the favorite of WarDrivers. This is not likely to happen, however, until WarDriving tools catch up and offer more extensive 802.11g support. In addition to increased speed, the 802.11g standard supports WiFi Protected Access (WPA) encryption. Once effectively deployed, WPA will help to improve the overall security posture of wireless networks. Some 802.11a cards are currently supported by WarDriving software under certain conditions. These conditions will be discussed throughout the book, specifically in Chapters 2 through 6.

As a general rule, 802.11a (or any 802.11a/b/g combo) cards are not recommended for WarDriving. This is because 802.11a was broken into three distinct frequency ranges: Unlicensed National Information Infrastructure (UNII)1, UNII2, and UNII3. Under Federal Communications Commission (FCC) regulations, UNII1 cannot have removable antennas. Although UNII2 and UNII3 are allowed to have removable antennas, most 802.11a cards utilize both UNII1 and UNII2. Because UNII1 is utilized, removable antennas are not an option for these cards in the United States.

When Kismet and NetStumbler were first introduced, there were two primary chipsets available on wireless NICs: the Hermes chipset and the Prism2 chipset. Although there are many other chipsets available now, most WarDriving software is designed for use with one of these two chipsets. As a general rule NetStumbler works with cards based on the Hermes chipset. Kismet, on the other hand, is designed for use with cards based on the Prism2 chipset. This is not a hard and fast rule since some Prism2 cards will work under NetStumbler in certain configurations. Also, with appropriate Linux kernel modifications, Hermes cards can be used with Kismet.

Types of Wireless NICs

In order to WarDrive, you will need a wireless NIC. Before purchasing a wireless card, you should determine the software and configuration you plan to use. NetStumbler (see Chapters 2 and 3) offers the easiest configuration for cards based on the Hermes chipset (for example, ORiNOCO cards). NetStumbler offers support for the following cards:

  • Lucent Technologies WaveLAN/IEEE (Agere ORiNOCO)

  • Dell TrueMobile 1150 Series

  • Avaya Wireless PC Card

  • Toshiba Wireless LAN Card

  • Compaq WL110

  • Cabletron/Enterasys Roamabout

  • Elsa Airlancer MC-11

  • ARtem ComCard 11Mbps

  • IBM High Rate Wireless LAN PC Card

  • 1stWave 1ST-PC-DSS11IS, DSS11IG, DSS11ES, DSS11EG

  • Some Prism2-based cards will work under Windows XP.

Kismet (described in detail in Chapters 4 through 6) works with both Prism2- and Hermes-based cards. However, most Linux and BSD distributions require kernel and driver patch modifications and recompiles in order for Hermes-based cards to enter monitor mode as required by Kismet. Kismet offers support for the following cards:

  • Cisco

    1. Aironet 340

    2. Aironet 350

  • Prism 2

    1. Linksys

    2. D-Link

    3. Zoom

    4. Demarctech

    5. Microsoft

    6. Many others

  • ORiNOCO

    1. Lucent ORiNOCO-based cards such as the WaveLAN

    2. Airport

  • AIRPORT

    1. Airport cards under Mac OS X using the Viha drivers

  • ACX100

    1. Dlink 650+

In order to maximize your results, you will want a card that has an external antenna connector (Figure 1.7). This will allow you to extend the range of your card by attaching a stronger antenna to your WarDriving setup.

Figure 1.7: ORiNOCO External Antenna Connector

Many WarDrivers prefer the ORiNOCO Gold 802.11b card produced by Agere or Lucent (see Figure 1.8) because it is compatible with both Kismet and NetStumbler and because it also has an external antenna connector. This card is now produced by Proxim and no longer uses the Hermes chipset, nor does it have an external antenna connector. The Hermes-based card is still available; however, it is now marketed as the “ORiNOCO Gold Classic.”

Figure 1.8: The ORiNOCO Gold Card

I highly recommend the ORiNOCO Gold (now the Gold Classic) card. This card is outstanding for both everyday use and for WarDriving. Also, as previously noted, this card can be configured for use in both NetStumbler and Kismet. This is particularly useful when using a laptop computer that is configured to dual boot both Linux and Windows. This allows you to utilize the wireless NIC in both operating systems as well as most common WarDriving software in both environments without having to change hardware.

Other Cards

Cisco Aironet 350 Series (see Figure 1.9) cards provide a unique functionality in that some models are available with two external antenna connectors. This is particularly useful in areas with tall buildings because you can attach two directional antennas and manually sweep them up and down buildings on both sides of the road at the same time. (Note: this will probably require two passengers to operate the antennas.)

Figure 1.9: Cisco Aironet 350 Series Card with Dual MMCX Connectors

The “store bought” cards that you find at most major retailers (Linksys, SMC, and so forth) are generally not good cards to use while WarDriving because they do not have external antenna connectors. Most of these cards are based on the Prism 2 chipset (see Figure 1.10).

Figure 1.10: A Prism2-Based Card

A slightly out-of-date but still useful listing of wireless NICs and the chipsets they use was put together by Seattle Wireless and can be found at: www.seattlewireless.net/index.cgi/HardwareComparison.

External Antennas

In order to maximize the results of a WarDrive, an external antenna should be used. An antenna is a device for radiating or receiving radio waves. Most wireless network cards have a low-power antenna built into them. An external antenna will increase the range of the radio signal detected by the wireless network card. Many different types of antennas can be used with wireless NICs: parabolic antennas, directional antennas, and omni-directional antennas are just a few. Because of their size, parabolic antennas (see Figure 1.11) are not very practical for WarDriving.

Figure 1.11: A Parabolic Antenna Isn’t Good for WarDriving

Many WarDrivers use either an external omni-directional antenna or an external directional antenna in conjunction with their wireless network card. Both of these are available in many different sizes and signal strengths. There are many factors that need to be considered when determining what type of antenna to use. This book will not cover specific in-depth details on radio and antenna theory, but will provide some basic information on how antennas work. There are numerous references both online and in print that go into radio and antenna theory in depth.

Note 

If you are interested in a more than basic, user-level understanding of the previous concepts, you should investigate the following two resources: Building a Cisco Wireless LAN (ISBN: 1-928994-58-X) and Designing a Wireless Network (ISBN: 1-928994-45-8), both available from Syngress Publishing (www.syngress.com). Other books include Jeff Duntemann’s Drive-By WiFi Guide (Paraglyph Publishing, ISBN: 1-932111-74-3) and 802.11 Wireless Networks: The Definitive Guide (O’Reilly & Associates, ISBN: 0-596001-83-5).
The Amateur Radio Relay League (www.arrl.org) also provides some excellent information on antennas and antenna theory. Although this information is geared primarily toward amateur, or HAM, radio, the theories presented are the same regardless of the radio spectrum you are transmitting in.

There are some basic terms you should understand when determining what type of antenna should be used while WarDriving:

  • Decibel (dB): A decibel is the unit of measure for power ratios describing loss or gain, normally expressed in watts. A decibel is not an absolute value—it is the measurement of power gained or lost between two communicating devices. These units are usually given in terms of the logarithm to Base 10 of a ratio.

  • dBi value: This is the ratio of the gain of an antenna as compared to an isotropic antenna. The greater the dBi value, the higher the gain. If the gain is high, the angle of coverage will be more acute.

  • Isotropic antenna: An isotropic antenna is a theoretical construct that describes an antenna that will radiate its signal 360 degrees to cover the area in a perfect sphere. It is used as a basis by which to describe the gain of a real antenna.

  • Line of sight: Line of sight is an unobstructed straight line between two transmitting devices. You will most often see the need for a line of sight path for long-range directional radio transmissions. Due to the curvature of the earth, the maximum line of sight for devices not mounted on towers is six miles (9.65 km).

Omni-Directional Antennas

As the name indicates, omni-directional antennas “see” in all directions at once. An omni-directional antenna is best used when driving alone, and can be purchased for $50.00 and up depending on the gain and mounting mechanism. One common misconception is that the stronger the gain of the antenna, the better your WarDriving results will be. This is not entirely true, however. The important thing to understand from the preceding definition of dBi value is the last sentence: “If the gain is high, the angle of coverage will be more acute.” Because the signal of an omni-directional antenna is shaped roughly like a donut, the higher (or larger) the gain, the “shorter” the donut. The opposite is true as well. A smaller gain antenna has a “taller” donut.

Figure 1.12 shows the signal donut of a 5 dBi gain omni-directional antenna (see Figure 1.10) compared to that of an 8 dBi gain omni-directional antenna. The signal donut of the 5 dBi is taller than the signal donut of an 8 dBi gain omni-directional antenna. This is illustrated in the side view. What this means is that although it has a “weaker” signal, as indicated in the overhead view, a 5 dBi gain omni-directional antenna is likely to provide better results in a neighborhood with tall buildings such as an urban downtown area. Also, because these antennas rely on line-of-sight communication, a 5 dBi gain antenna works very well in residential areas where homes and other buildings provide obstructions between your antenna and any wireless access points.

Figure 1.12: Signal Donut Comparison of 5 dBi and 8 dBi gain Omni-Directional Antennas

Another advantage of the 5 dBi gain antenna is that many are available with a magnetic base. This means that you can simply put it on the roof of your car and the magnet will hold it in place while driving; no additional mounting brackets are required.

An 8 dBi gain (see Figure 1.13), or higher, antenna is excellent for use on longer drives in open areas with few obstructions such as interstate highways. These antennas are very effective when businesses or residences are farther away from your vehicle and there is a large field or roadway between you and any potential access points. It is more difficult to find magnetic mounted antennas that are stronger than 5 dBi gain (see Figure 1.14). These antennas usually require some form of external mounting bracket.

Figure 1.13: An 8 dBi Gain Omni-Directional Antenna

Figure 1.14: A 5 dBi Gain Magnetic Mount Omni-Directional Antenna

Regardless of the dBi gain antenna you use, an omni-directional antenna is usually going to be the best choice for WarDriving. This is primarily because it radiates its signal in all directions at once. Because these antennas do rely on line-of-sight communications, it is not necessary to continually sweep the antenna in the direction of potential access points in order to discover them. There are, however, situations where a directional antenna is more effective.

Directional Antennas

Directional antennas also rely on line of sight to transmit; however, unlike omni-directional antennas, they can only “see” in the direction they are pointed. Directional antennas are excellent for use in areas with tall buildings. From a stationary position near the base of the building, you can sweep the antenna up and down the length of the building and detect access points that would have been missed with an omni-directional antenna. Additionally, directional antennas can have a much stronger dBi gain in a shorter (not necessarily smaller) package. For example, a 14.5 dBi gain directional antenna, as shown in Figure 1.15, is just slightly longer than the 8 dBi gain omni-directional antenna shown in Figure 1.13, but has a significantly stronger dBi gain.

Figure 1.15: A 14.5 dBi Gain Directional Antenna

There are several types of directional antennas such as yagis, parabolic grids, and so forth. However, the most commonly used antenna is the yagi antenna since these can be purchased relatively inexpensively and provide a large dBi gain.

start sidebar
Notes from the Underground…
The Pringles “Cantenna”

One of the most fun things you can do is build your own antenna. With a small investment (usually less than $10), you can build a very strong directional antenna. Although this will probably not be an antenna that you will use extensively for WarDriving, taking the time and effort to build your own antenna can teach you many concepts of antenna theory that will be very useful when determining the type of antenna you want to use while WarDriving.

There are a number of online resources that detail the step-by-step methodology for building a “homebrew” antenna. Probably the best is Rob Flickenger’s guide at www.oreillynet.com/cs/weblog/view/wlg/448.

The first thing you will need is a hollow cylindrical object such as a Pringles can (emptied of course), a coffee can, an old soup can, or anything with a similar shape. This will provide the housing for the second piece of the antenna, the collector rod. You will need to build the collector rod from parts you can purchase at any Radio Shack.

The most interesting part of the process is determining the length of the collector rod. This is where you will learn the most. The basic formula is:

  • W = 3.0 * 10^8 * (1 / LEF) * 10^-9

    In this equation, W is the wavelength and LEF is the Low End Frequency of the channel the antenna should transmit on. Because 802.11b transmits in channels 1–11 of the 2.4 GHz spectrum, if you use the channel 1 LEF of 2.412 and the channel 11 LEF of 2.462, you can determine both the longest (channel 1) and shortest (channel 11) rod you will need. Unless you want the antenna to work specifically on one channel, a much more exacting process, you can keep your rod length between these two values.

    After you have determined the longest and shortest wavelength, simply cut your rod to a quarter of those values. In the case of a 2.4 GHz antenna, you will want to keep your rod between 1.2” and 1.22”. Once the rod is cut, it is merely a matter of assembling the components and trying it out. (See Figure 1.16.)


    Figure 1.16: The Pringles “Cantenna”

    Before attempting to make your own antenna, you should be aware of the risks involved. An improperly constructed antenna could destroy any equipment you connect it to. Also, if your antenna rod lengths are calculated incorrectly, you could transmit outside of the allowable 2.4 GHz spectrum and find yourself on the wrong side of an FCC investigation.

end sidebar
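
The sidebar's rod-length calculation carried through for every channel, as an added example (not from the book). The inch conversion, the 5 MHz channel spacing and the 2.400 to 2.4835 GHz band edges are assumptions supplied here, and the function names are hypothetical.

```python
"""Quarter-wave rod lengths from the sidebar's formula, with a sanity check."""

C = 3.0e8                    # the 3.0 * 10^8 term in the formula (m/s)
INCHES_PER_METER = 39.3701   # assumption: unit conversion, not stated on the page
# Assumption (not from the page): US 2.4 GHz ISM band edges, in GHz.
BAND_LOW_GHZ, BAND_HIGH_GHZ = 2.400, 2.4835


def channel_ghz(channel: int) -> float:
    """Channel frequency in GHz: channel 1 is 2.412, each step adds 5 MHz."""
    if not 1 <= channel <= 11:
        raise ValueError("the sidebar covers channels 1-11 only")
    return (2407 + 5 * channel) / 1000.0


def wavelength_m(freq_ghz: float) -> float:
    """W = 3.0 * 10^8 * (1 / LEF) * 10^-9, which is in metres when LEF is in GHz."""
    return C * (1.0 / freq_ghz) * 1e-9


def rod_inches(freq_ghz: float) -> float:
    """A quarter of the wavelength, converted to inches."""
    return wavelength_m(freq_ghz) / 4.0 * INCHES_PER_METER


def rod_frequency_ghz(length_inches: float) -> float:
    """Inverse: the frequency whose quarter wavelength equals a cut rod's length."""
    return C / (4.0 * length_inches / INCHES_PER_METER) * 1e-9


def check_rod(length_inches: float) -> str:
    """Classify a measured rod against the channel 1-11 range and the band edges."""
    longest = rod_inches(channel_ghz(1))     # lowest frequency, longest rod
    shortest = rod_inches(channel_ghz(11))   # highest frequency, shortest rod
    if shortest <= length_inches <= longest:
        return "ok"
    if BAND_LOW_GHZ <= rod_frequency_ghz(length_inches) <= BAND_HIGH_GHZ:
        return "in band, outside channels 1-11"
    return "out of band"


if __name__ == "__main__":
    for ch in range(1, 12):
        f = channel_ghz(ch)
        print(f"channel {ch:2d}  {f:.3f} GHz  rod {rod_inches(f):.3f} in")
    for measured in (1.21, 1.195, 1.25):
        print(f"{measured} in -> {check_rod(measured)}")
```
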

Connecting Your Antenna to Your Wireless NIC

In order to connect your antenna to the external antenna connector on your wireless NIC you will need the appropriate pigtail cable (see Figure 1.17). Most antennas have an N-Type connector but the wireless NIC usually has a proprietary connector. When you purchase your card you should verify with either the retailer or the card manufacturer what type of external antenna connector is built into the card.

Once you have identified the type of external connector your card has, you will need to purchase a pigtail that has both the correct connection for your card as well as the correct N-Type connector. Some antennas ship with male N-Type connectors and others ship with female N-Type connectors. Because the pigtails are expensive (around $30), you should verify whether your antenna has a male or female connector, and purchase the opposite connection on your pigtail. For instance, if you purchase a 5 dBi magnetic mount omni-directional antenna with a female N-Type connector for use with your ORiNOCO Gold card, you will need a pigtail that has a Lucent proprietary connector as well as a male N-Type connector. This will allow you to successfully connect your antenna to your wireless NIC's external antenna connector. Since you may have multiple antennas with both male and female N-Type connectors, it might also be a good idea to purchase barrel connectors that will allow you to attach your pigtail to either a male or female N-Type connector.

Figure 1.17: Pigtail for Use with ORiNOCO Cards and N-Type Barrel Connectors

Global Positioning System (GPS)

Most WarDrivers want to map the results of their drives. To do this, a portable GPS capable of National Marine Electronics Output (NMEA) is required. Some WarDriving software supports other proprietary formats (such as Garmin). For instance, NetStumbler supports the Garmin format. The Garmin format “reports” your current location to your software every second, whereas NMEA only reports your location once every two seconds. Using the Garmin format increases the accuracy of the access-point locations. Unfortunately, Kismet (and other WarDriving software) only supports NMEA output. By purchasing a GPS capable of NMEA output, you provide yourself with the flexibility to switch between WarDriving software without requiring additional hardware.
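
An added example (not from the book or from any WarDriving tool) of what mapping software has to do with the NMEA output described above: check each sentence's checksum, turn a GGA fix into decimal degrees, and estimate the position at a moment that falls between two reports. The sentences are constructed sample data and the function names are hypothetical.

```python
"""Parse NMEA 0183 GGA sentences and interpolate a position between fixes."""
from dataclasses import dataclass
from functools import reduce
from typing import Optional


@dataclass
class Fix:
    seconds: float   # UTC time of day, in seconds
    lat: float       # decimal degrees, south negative
    lon: float       # decimal degrees, west negative


def checksum(body: str) -> int:
    """XOR of every character between '$' and '*'."""
    return reduce(lambda acc, ch: acc ^ ord(ch), body, 0)


def frame(body: str) -> str:
    """Wrap a sentence body as $body*HH (used here to build the sample data)."""
    return f"${body}*{checksum(body):02X}"


def _degrees(value: str, hemisphere: str, deg_digits: int) -> float:
    """Convert NMEA (d)ddmm.mmm plus a hemisphere letter to signed degrees."""
    degrees = int(value[:deg_digits]) + float(value[deg_digits:]) / 60.0
    return -degrees if hemisphere in ("S", "W") else degrees


def parse_gga(sentence: str) -> Optional[Fix]:
    """Return a Fix for a valid GGA sentence, or None if it must be discarded."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        return None
    body, _, given = sentence[1:].partition("*")
    try:
        if int(given, 16) != checksum(body):
            return None                      # corrupted on the serial line
        f = body.split(",")
        if f[0][2:] != "GGA" or f[6] in ("", "0"):
            return None                      # other sentence type, or no fix yet
        t = f[1]
        seconds = int(t[0:2]) * 3600 + int(t[2:4]) * 60 + float(t[4:])
        return Fix(seconds, _degrees(f[2], f[3], 2), _degrees(f[4], f[5], 3))
    except (ValueError, IndexError):
        return None


def position_at(seconds: float, before: Fix, after: Fix) -> tuple:
    """Linearly interpolate a position for a time between two fixes."""
    span = after.seconds - before.seconds
    w = 0.0 if span <= 0 else min(max((seconds - before.seconds) / span, 0.0), 1.0)
    return (before.lat + w * (after.lat - before.lat),
            before.lon + w * (after.lon - before.lon))


# Constructed sample data: two good fixes two seconds apart, one sentence sent
# before the receiver had a fix, and one line altered after framing.
SAMPLE = [
    frame("GPGGA,120000,3900.000,N,07630.000,W,1,08,0.9,30.0,M,-34.0,M,,"),
    frame("GPGGA,120001,,,,,0,00,,,M,,M,,"),
    frame("GPGGA,120002,3900.060,N,07630.120,W,1,08,0.9,30.0,M,-34.0,M,,"),
    frame("GPGGA,120004,3900.120,N,07630.240,W,1,08,0.9,30.0,M,-34.0,M,,")
    .replace("3900", "3901"),
]

if __name__ == "__main__":
    fixes = [fix for fix in map(parse_gga, SAMPLE) if fix]
    print(len(fixes), "usable fixes;", position_at(43201.0, fixes[0], fixes[1]))
```
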

When choosing a GPS, several factors should be considered. As mentioned earlier, making sure it is capable of NMEA output is a must. It is also important to find out which accessories come with the GPS unit. For instance, there are several models in the Garmin eTrex line of handheld GPSs. The base model, simply called the eTrex (see Figure 1.18) retails for about $120. This unit has all of the functionality required for a WarDriver and is capable of NMEA output. When you compare this to the eTrex Venture, which retails for $150, the initial indication would be to go with the cheaper model. However, once the accessories included with these two are looked into, you will notice that the Venture comes with the PC Interface cable, whereas the base model doesn’t. Because this cable costs about $50, the Venture is a better purchase. In addition to the PC Interface cable, you get additional functionality with the Venture that, while not required for WarDriving, can be fun to play with, all for $20 less.

Figure 1.18: The Garmin eTrex Handheld GPS

You should also determine if your laptop computer has a serial port. Most PC Interface cables have a serial interface. If your laptop doesn’t have a serial interface, you can purchase a serial to Universal Serial Bus (USB) cable for use with your GPS.

In order to use your GPS with a PDA, you will need a null modem connector and the proper connection cables for your PDA. The proper configuration for this setup is PDA | Proprietary connector/serial conversion cable | Null Modem Connector | GPS PC Interface cable. This setup is depicted in Figure 1.19.

Figure 1.19: PDA GPS Cable Connections






WarDriving: Drive, Detect, Defend: A Guide to Wireless Security