War Driving

When a surveillance attack is either impossible or too difficult, war driving is an effective alternative. In many situations, war driving follows and adds information to a prior surveillance attack. Conversely, the information obtained from random war driving often leads to a surveillance attack on a discovered location.

The term war driving is borrowed from the 1980s phone hacking tactic known as war dialing. War dialing involves dialing all the phone numbers in a given sequence to search for modems. In fact, this method of finding modems is so effective that it's still in use today by many hackers and security professionals. Similarly, war driving, which is now in its infancy, will most likely be used for years to come both to hack and to help secure wireless networks.

War driving first became popular in 2001. At that point, tools for scanning wireless networks became widely available. The original tools used by war drivers included the basic configuration software that comes with the WNIC. However, this software was not designed with war drivers or security professionals in mind and thus was not very effective. This created the need for better software. Nevertheless, war drivers have not abandoned the use of the WNIC software all togetherin fact, it still serves as a useful complement to modern advanced software.

Why do we need ethical war drivers? Many large corporations have stated that they are not worried about their wireless networks because they would be able to see the attacker in the parking lot and have onsite security pick them up. The problem with this line of thinking is that the wireless networks can, and usually do, extend well past the parking lot. Keep in mind that this is a wireless technology, and unlike standard wired networks, the wireless data packets are not limited by the reach of Cat5 cable. In fact, wireless networks using standard devices and aftermarket antennas have been known to extend over many miles. Knowing this, an attacker can be much farther away than your parking lot and still access your network.

War driving itself does not constitute an attack on the network, and many authorities feel that it does not violate any law. However, this assumption has yet to be tested in the United States court system, and if it ever is, it will be difficult to rule against the war driver.

Specifically, when an attacker is war driving, she is usually on some type of public property, and could even be mobile in some type of car or bus. The software on her computer allows her to capture the beacon frames sent by access points about every 10 milliseconds . Access points use this beacon to broadcast their presence, and to detect the presence of other access points in the area. Clients also use the beacon frames to help them determine the available networks in their office. In fact, Microsoft's Windows XP can give you a list of wireless networks using these beacon packets.

One of the best-known war driving software packages is called NetStumbler, and is available free from its kind author Marius Milner at http://www.netstumbler.com. NetStumbler examines the beacon frames and then formats them for display. Interestingly, it takes care not to make the raw beacon frames available to the user . The following list shows some of the information that's gathered by NetStumbler and made available based on the beacon frames:

• Basic Service Set ID (BSSID)

• WEP-enabled or not

• Type of device: AP or peer

• MAC address of wireless device

• Channel device was heard on

• Signal strength of device

• Longitude and latitude (if using a GPS)

At no time are actual data frames or any management frames captured or made available to the user of the software. Many Access Points have the ability to be configured in a stealth mode, thus "disabling the beacon" as one of their options. In reality, the beacon frame is still sent every 100 millisecondsonly the SSID has been removed. This setting is also sometimes known as disabling the broadcast SSID option. If a network administrator has done this, NetStumbler will not detect the presence of the network. However, wireless network sniffers (AiroPeek, Sniffer) will still detect these wireless networks. To review:

• A war driver receives a broadcast frame sent by an access point or a peer.

• Only the broadcast frame header is formatted and displayed to the war driver.

• No data or management frames are captured or displayed to the war driver.

Some would question how this is different from wired sniffers that allow you to capture any packets on a network as long as only the header is read. The Federal Communication Commission laws regarding the reception of transmitted signals have been amended several times to include new technologies. If you are interested in the legal aspects, make sure to read the Electronic Communications Privacy Act (ECPA). Grove Enterprises Inc. has created an easy-to-read layperson's version called the Listener's Lawbook (http://www.grove-ent.com/LLawbook.html). Prior to starting your career in ethical war driving, make sure to brush up on all the relevant laws in your area.

War driving is typically performed while mobile in cars or buses. One very effective way to war drive a new city is to use public transportation or even a tour bus. Both offer a safe opportunity for you to work the computer and observe what's around youleaving the driving to someone else. Alternatively, many war drivers are outfitting their vehicles with various setups and antennas to allow for constant war driving (CAUTION: Not recommended while moving ). Figure 7.11 illustrates one of these mobile setups.

These types of setups are becoming more common as mobile electronics are falling in price and becoming popular. The following is a list of items commonly used for war driving (also see Chapter 1, "Wireless Hardware"):

• Wireless Network Interface Card (Lucent ORiNOCO cards recommended)

• Computer (laptops or PDAs work best)

• Copy of NetStumbler or ORiNOCO NIC software

• Power inverter

• External antenna

• GPS

The last three items are optional, and are not required for war driving. However, we do recommend them for academic researchers, law enforcement, and the military, as they will significantly improve the sensitivity and specificity of your research results.

After you have the necessary equipment, you can start searching for wireless networks. You can do this simply by driving the streets of your neighborhood or local business park. Heavily populated metropolitan areas are usually a good place to find several networks. Some of the networks you find might belong to individuals and might be connected to their local DSL or cable modem, whereas others might belong to major corporations. For example, while driving on one normal commute with our equipment inadvertently left on, we found that eight access pointsnone of which were running encryptionwere broadcasting an open invitation to the world. The worst part was that all eight access points were coming from the headquarters of a major financial institution.

To begin war driving using your vendor-provided ORiNOCO software, perform the following steps:

1. On a Windows-based computer, install and configure your Lucent WNIC.

2. Launch the ORiNOCO Client Manager (Figure 7.12).

   Figure 7.12. Configuring ORiNOCO with the Client Manager.

   

3. From the Actions menu select Add/Edit Configuration Profile (Figure 7.13).

   Figure 7.13. Editing the Configuration Profile.

   

4. Select the Default profile and click Edit Profile.

5. Set your Network Name (equivalent to the SSID) to ANY . This is a reserved name that tells the WNIC to associate with any SSID (Figure 7.14).

   Figure 7.14. Configuring the Network Name.

   

6. Now click on the Admin tab and select Network Assigned MAC Address. This setting allows you to spoof or modify your WNIC's MAC address. This way, when your WNIC registers with an access point, your real MAC address will not be seen. This is also handy if you are attempting to connect to a system that has restricted access based on the MAC address ( please see "Client-to-Client Hacking" later in this chapter for more information). Be creative with your MAC address, as in the example in Figure 7.15 using the MAC address BadF00D4b0b0 .

   Figure 7.15. Entering the MAC address.

   

With these settings, you will be able to detect the presence of various wireless networks, as demonstrated in Figure 7.16. After you establish an association, you will see the SSID ( zoolander ) and the MAC address of the access point. For more information about the association process, please see the "Client-to-Client Hacking" section later in this chapter.

If a Dynamic Host Configuration Protocol (DHCP) server is running on the access point, or requests are being forwarded onto the wired network, the target network might even assign you a valid IP address! For this to work, your computer must be configured for DHCP for both the IP address and domain name service (DNS) settings. As you will quickly discover, the capability to detect and log wireless networks using the ORiNOCO Client Manager is very limited; hence, additional capabilities are necessary. As mentioned previously, NetStumbler is one such product that has more powerful features.

Now let's get NetStumbler up and running:

1. Install and configure your WNIC using the vendor-provided software.

2. From a Windows-based computer, download and install the latest version of NetStumbler from http://www.netstumbler.com.

3. Connect your GPS to your COM port (optional).

4. Launch NetStumbler and click the green Play button at the top of the window.

At this point you can start driving around various residential and business areas. Remember that wireless networks are becoming ubiquitous, so there really is no limit as to where you can search. For example, several national hotel chains have open access points in their lobbies for guests to use. Similarly, national coffee shop chains and airports have MobilStar access points installed. If you have connected a GPS to your computer, you will also log the location of where you found the access point. Researchers can then output this data to a map, as seen in Figure 7.17, to help track the locations of the networks they have found.

Sometimes larger buildings , such as corporate headquarters, sit so far back on the property and are so large that even if you are using an external antenna, you will have a difficult time detecting the presence of the networks. In this type of situation, it's nice to have a handheld device such as the Compaq iPAQ with a wireless card in it. Using the iPAQ and a copy of miniStumbler (available from http://www.netstumbler.com), you can put the device in a jacket pocket and enter the building, walking through it floor by floor. As you are walking, miniStumbler is capturing the beacon frames from wireless networks that you might not be able to detect from the street. This is especially effective if you have access to the inside of a specific target office, say for a meeting or interview that you have previously scheduled. This method allows you to conceal the audit, and is a bit less distracting to your staff than walking around with a laptop and an antenna.

Think about the last time you saw somebody on an elevator or in a hallway working on a PDA. Did you guess that he might be war driving, or did you just assume he was checking to see when his next appointment was?

After you have gathered the information in NetStumbler or miniStumbler, you need to analyze and interpret the data. Figure 7.18 is an annotated screenshot of NetStumbler.

War driving is performed by all sorts of people. The various war drivers we have met are not the types of people you might expect to be checking out your networks. Most would picture high school kids out on the weekend searching for networks to hack. Granted, these types of people are out there, but the vast majority are older professionals who war drive as part of their legitimate network auditing duties . Over the next few years, more security professionals will add war driving to their regular network maintenance schedule. Unfortunately, more attackers will likewise use this method to detect your wireless network. Thus, it pays to be prepared.

Now that we have found our target wireless network, the actual attack begins.