There are several approaches to locating a wireless network. The most basic method is a surveillance attack. You can use this technique on the spur of the moment, as it requires no special hardware or preparation. Most significantly, it is difficult, if not impossible, to detect. How is this type of attack launched? You simply observe the environment around you.
Here's an exercise: Whenever you enter a location, whether it is new or very familiar to you, simply open your eyes and search for signs of wireless devices. Also, just because there were no devices there last week doesn't mean there won't be any today or tomorrow. See Table 7.1.
Table 7.1. Wireless Network Reconnaissance
This might sound basic, but it is still an effective method of reconnaissance. In some cases, you can even find out what type of access point is being used, because many companies place devices in clear view. You can even talk to employees who are using wireless devices and ask a few simple questions about them. They probably won't be able to give you much usable information, but they might be able to confirm the existence of a wireless network. Be careful when talking to employees and asking questions, as you do not want to tip anybody off to a potential attack.
Even when performing a legitimate security audit of your own network, you still must have prior written permission from your company's management, and you must always obey all local and regional laws.
For example, we took the accompanying pictures (Figures 7.3 through 7.10) during one such surveillance attack.
Figure 7.3. Antenna and access point found on a surveillance attack.
Figure 7.4. Antennas found on a surveillance attack.
Figure 7.5. Antenna found on a surveillance attack.
Figure 7.6. Access point found on a surveillance attack.
Figure 7.7. Antennas found on a surveillance attack.
Figure 7.8. Access point found on a surveillance attack.
Figure 7.9. Access point and antennas found on a surveillance attack.
Figure 7.10. Access point mount found on a surveillance attack.
We took the pictures in Figures 7.3, 7.4, and 7.5 at a nationwide coffee shop chain. In Figure 7.3, you can see a clear shot of the two antennas and the access point. Figures 7.4 and 7.5 show antenna installations at two different locations. From these pictures, and based on our experience, we know that they are using an approximately 8-dBi omni-directional antenna for their various installations.
We took Figure 7.6 at a nationwide discount shoe store chain. All of their locations across the nation are set up with similar configurations. In this picture, you can clearly see the access point, as well as both antennas. Here the company has chosen to install only one 8-dBi antenna, leaving the other one attached to the access point.
We took Figures 7.7 and 7.8 at a nationwide hardware store chain. The antennas in Figure 7.7 are located outside, and are connected to the access point in Figure 7.8 inside. This access point was difficult to miss with the large orange label that reads "AP 10."
We took Figures 7.9 and 7.10 at a nationwide grocery store chain. In Figure 7.10 you can see the mounting bracket where an access point will be placed; it looks like the antenna is already installed just to the right.
As you can see, the business use of access points is proliferating. APs are routinely found not only in small businesses and homes, but also in large retail chains. However, the fact that you can see a company's access point does not necessarily mean that an attacker will be able to connect to it. He must obtain additional information before he can gain access or attack the network. In addition, a surveillance attack is not always the best option for discovering a wireless network. Because a surveillance attack is extremely targeted, an attacker can go days without seeing anything. Moreover, this type of attack is unavailable if the attacker does not have physical access to the premises. Because of this, hackers developed a new method of discovery known as war driving.