9.4 War-Driving, -Walking, -Flying, and -Chalking

War-driving is the common term for unauthorized or covert wireless network reconnaissance. WLAN discovery utilities (sniffers) are now being used from the air as well: hundreds of WLAN access points have been detected from private planes cruising at altitudes between 1,500 and 2,500 feet. Recently, a Perth, Australia-based "war flier" reportedly managed to pick up e-mails and Internet Relay Chat (IRC) conversations from an altitude of 1,500 feet [3].

WLAN war-drivers routinely cruise target areas in cars equipped with laptops. The laptops are commonly fitted with a Wireless Network Interface Card (WNIC), an external high-gain antenna, and often a Global Positioning System (GPS) receiver. The wireless LAN card and GPS receiver feed data into freely available software such as NetStumbler or Kismet, both of which detect access points and SSIDs and correlate them with their GPS-reported locations. War-walking, the same reconnaissance done on foot, brings the adversary one step closer to the actual network; it has been made practical by MiniStumbler, a variant of NetStumbler written specifically for the PocketPC.

The term war-driving is derived from war-dialing, which was originally used to describe the exploits of a teenage hacker portrayed in the movie War Games (1983), where the teenager sets up his computer to automatically dial hundreds of phone numbers, seeking those that connect to modems. In the movie, the teenager eventually taps into a nuclear command and control system. Since 1983, when the movie was released, there have been several well-publicized instances of hackers breaking into government facilities. None of these break-ins have, however, resulted in the compromise of nuclear codes; that is where Hollywood ends and reality begins.

Recently, a hobbyist WLAN sniffer using the alias Delta Farce, who claimed to be a member of the San Diego Wireless Users Group, purportedly conducted a war-flying tour of much of San Diego County in a private plane at altitudes ranging between 1,500 and 2,500 feet. According to his or her claims, Delta Farce detected 437 access points during the flight. These exploits were posted on the Ars Technica Web site [4]. Delta Farce reported that NetStumbler had indicated that only 23 percent of the access points detected during the trip had even the simplest form of security, Wired Equivalent Privacy (WEP), enabled. The trip also showed that the range of 802.11b WLAN signals, which radiate in the 2.4-GHz unlicensed frequency band, is far greater than what manufacturers report. Delta Farce reported detecting wireless access points from an altitude of 2,500 feet, about five to eight times the 300- to 500-foot range quoted for WLANs used in a warehouse or office.

The legality of such exploits depends on where and what is done. There are federal and state laws against network intrusion and also against intercepting communications between two or more parties. Through the use of NetStumbler, Kismet, AiroPeek (a wireless packet analyzer), or a variety of other tools, virtually anyone can drive through a city or neighborhood and easily locate wireless networks. Once a WLAN is located, these tools will show the SSID, whether WEP is in use, the manufacturer of the equipment, IP subnet information, and the channel the network is using. With this information, an adversary can either associate and obtain an address via DHCP or make an educated guess at the static IP addressing in use. At the very least, the unauthorized access yields free Internet access. Using simple auditing tools, the adversary can then scan the network for other devices or use a VPN connection from the gateway into a corporate network. The trace route utility (tracert on Windows, traceroute on Unix-like systems) quickly gives more information about a particular network connection: it lists, and resolves the names of, all the hops between your computer and another host (e.g., a Web server). Trace routing therefore lets the attacker find out where he is logically located on the Internet once connected to a WLAN.

Sometimes an adversary will have a little help from war-chalkers who have already mapped out the potential target. War-chalking refers to the practice, and the evolving language of symbols, of marking sidewalks or buildings near an accessible wireless network with chalk, notifying other war-drivers that a wireless network is nearby and providing specific clues about the network. Such clues include whether the network is open or closed, whether WEP is enabled, the speed of the Internet connection, the azimuth and distance of the access point from the mark, and so on. Most of the symbols can be found on the Web at http://www.warchalking.org. The term war-chalking grew out of war-driving and is essentially a way for hackers to help other hackers. If your network has been war-chalked, you can bet it has been hacked or, at the very least, borrowed for free wireless Internet access.

9.4.1 WLAN Audit and Discovery Tools

Attackers exploit the vulnerabilities that auditing tools reveal; WLAN auditing tools are the weapon of choice for exploiting WLAN networks. Multipurpose tools that can be used for auditing and for hacking into a WLAN are described in the following sections. Many protocol analysis and site survey tools are focused on finding WiFi-compliant Direct Sequence Spread Spectrum (DSSS) networks. It should not be assumed, however, that an unauthorized user will only use WiFi equipment to conduct reconnaissance and penetrate a network.

NetStumbler

One of the most popular discovery tools is a free Windows-based software utility called NetStumbler, usually installed on a laptop computer. War-drivers, war-walkers, war-flyers, and war-chalkers commonly use NetStumbler to locate and interrogate WLANs. Its popularity stems from its ease of use and its support for a wide variety of network interface cards (NICs); other networking tools are then used to gain unauthorized access to the WLAN it has found. Once NetStumbler finds an access point, it displays the MAC address, SSID, access point name, channel, vendor, security (WEP on or off), signal strength, and GPS coordinates if a GPS device is attached to the laptop. Adversaries use NetStumbler output to find access points lacking security or configured with manufacturer's default settings. Although WEP has exploitable vulnerabilities, breaking it took a real investment of time with the tools of the day (later statistical attacks have since cut this to minutes), and unless the adversary has specifically targeted your facility, he or she will normally take the path of least resistance and go after the more easily accessible open networks that are found everywhere.
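The triage an adversary performs on NetStumbler output, as an added example that is not part of the original text or of NetStumbler itself: given a survey log, it reports the share of access points with WEP enabled, flags factory-default SSIDs, identifies vendors from the OUI, and ranks the open, default-configured access points by signal strength, which is the "path of least resistance" the text describes. The log layout below is a constructed, simplified tab-separated format (real NetStumbler exports are laid out differently), the OUI table is a small illustrative subset, and the sample entries are invented.

```python
"""Audit a war-driving survey log: which APs are open, which still carry
factory-default SSIDs, and which are the easiest targets.

Added example; the SURVEY_LOG layout is a constructed simplification, not
NetStumbler's real export format, and OUI_VENDORS is an illustrative subset
of the IEEE OUI list.
"""
from collections import Counter

# Constructed sample survey (columns: SSID, BSSID, channel, WEP flag, dBm).
SURVEY_LOG = """\
# SSID\tBSSID\tCHANNEL\tWEP\tSIGNAL
linksys\t00:06:25:1A:2B:3C\t6\tN\t-61
tsunami\t00:40:96:AA:BB:CC\t11\tN\t-72
acme-corp\t00:02:2D:11:22:33\t1\tY\t-58
default\t00-05-5D-44-55-66\t6\tN\t-80
acme-lab\t00:02:2d:77:88:99\t6\tY\t-66
"""

# Well-known factory-default SSIDs of the era, compared case-insensitively.
DEFAULT_SSIDS = {"linksys", "tsunami", "default", "netgear", "wireless"}

# First three octets of the BSSID -> vendor (illustrative subset only).
OUI_VENDORS = {
    "00:06:25": "Linksys",
    "00:40:96": "Cisco (Aironet)",
    "00:02:2D": "Agere/Orinoco",
    "00:05:5D": "D-Link",
}


def normalize_mac(mac):
    """Canonical form: upper-case, colon-separated (Windows tools print dashes)."""
    return mac.replace("-", ":").strip().upper()


def parse_survey(text):
    """Parse the constructed survey format into a list of AP records."""
    aps = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # blank line or column header
        ssid, bssid, channel, wep, signal = line.split("\t")
        aps.append({
            "ssid": ssid,
            "bssid": normalize_mac(bssid),
            "channel": int(channel),
            "wep": wep.upper() == "Y",
            "signal_dbm": int(signal),
        })
    return aps


def vendor_of(bssid):
    """Vendor lookup on the OUI prefix of a normalized BSSID."""
    return OUI_VENDORS.get(bssid[:8], "unknown")


def audit(aps):
    """Summarize exposure the way an attacker reads a survey."""
    open_aps = [ap for ap in aps if not ap["wep"]]
    default_aps = [ap for ap in aps if ap["ssid"].lower() in DEFAULT_SSIDS]
    wep_pct = round(100.0 * sum(ap["wep"] for ap in aps) / len(aps)) if aps else 0
    # Path of least resistance: open AND default-configured, strongest first.
    easy = sorted((ap for ap in open_aps if ap in default_aps),
                  key=lambda ap: ap["signal_dbm"], reverse=True)
    return {
        "total": len(aps),
        "wep_percent": wep_pct,
        "open_ssids": [ap["ssid"] for ap in open_aps],
        "default_ssids": [ap["ssid"] for ap in default_aps],
        "easiest_target": easy[0]["bssid"] if easy else None,
        "vendors": Counter(vendor_of(ap["bssid"]) for ap in aps),
    }


if __name__ == "__main__":
    for key, value in audit(parse_survey(SURVEY_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample, 40 percent of the access points have WEP enabled and the strongest open, default-SSID access point is the Linksys unit on channel 6. The same logic run over a defender's own survey gives a quick exposure report: any entry in `default_ssids` or `open_ssids` that belongs to the organization is a misconfiguration to fix before someone chalks it.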

MiniStumbler

MiniStumbler has the same functionality as NetStumbler but is designed to run on the PocketPC platform. Because it operates from such a small platform, it is popular for war-walking. The ability to war-drive a wireless network with a handheld device carried in one's pocket makes MiniStumbler a valuable addition to any adversary's war chest.

Kismet

Kismet is an 802.11 wireless network sniffer. As described on the Kismet Web site [5], it differs from a normal network sniffer (such as Ethereal or tcpdump) in that it separates and identifies the different wireless networks in the area. Kismet works with any 802.11b wireless card capable of reporting raw packets (rfmon support), which includes any prism2-based card (e.g., Linksys, D-Link, RangeLAN), Cisco Aironet cards, and Orinoco-based cards. Kismet supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards that use the ar5k chipset. Kismet runs primarily on Linux and has functionality similar to NetStumbler's, with a few additional features. Kismet's basic feature set includes the following:

  • Airsnort-compatible logging

  • Channel hopping

  • Cisco product detection via CDP

  • Cross-platform support (handheld Linux and BSD)

  • Detection of default access point configurations

  • Detection of NetStumbler clients

  • Ethereal/tcpdump compatible file logging

  • Graphical mapping of data (gpsmap)

  • Grouping and custom naming of SSIDs

  • Hidden SSID decloaking

  • IP block (address range) detection via ARP, UDP, and DHCP traffic

  • Manufacturer identification

  • Multiple packet source

  • Multiplexing of multiple capture sources

  • Runtime decoding of WEP packets

  • Support for multiple clients viewing a single capture stream

AiroPeek NX

AiroPeek NX is a Windows-based wireless sniffer from WildPackets. It can capture and decode packets simultaneously. Although AiroPeek can decrypt WEP traffic on the fly, it does not crack WEP; you must supply the valid keys [6].

Sniffer Wireless

Sniffer Wireless [7] is a Windows sniffer from Network Associates. It does not decode packets on the fly: you must stop capturing before you can decode what was captured. It can decode a very large number of protocols at near-wire speed, and it can also spot rogue APs.

9.4.2 Network Discovery Tools

Management software packages such as What's Up Gold (http://www.ipswitch.com), SNMPc (http://www.castlerock.com), and Solarwinds (http://www.solarwinds.net) each contain specialized discovery tools that use the Simple Network Management Protocol (SNMP) to map their way through an enterprise. If an adversary gains access to a WLAN and captures or guesses the SNMP community strings in use, the attacker can begin creating a map of the entire extended network. An insecure wireless segment within an enterprise that has distributed WLANs can thus make an otherwise secure wired network insecure. This is another example of the large security risks posed by the implementation and use of WLANs.

9.4.3 Networking Utilities

In order to find out what resources are available on a network, most intrusion attempts begin with a scan of the network. To gather information, the client first needs a valid IP address, obtained either through DHCP assignment or by statically assigning one from the subnet in use. The next logical step for the hacker is to use a network utility such as WS-Ping ProPack (http://www.ipswitch.com) or NetScan Tools Professional (http://www.netscantools.com) that can perform ping sweeps (pinging every IP address in a subnet looking for active nodes), port scans for defined ports (FTP, POP3, SMTP, NetBIOS), and computer name resolution (revealing names such as Accounting, Human Resources, Sales, Marketing). Once these tasks are performed, more detailed probes can be accomplished with tools such as LANguard.

Once access point scans have been done with NetStumbler and ping sweeps with networking utilities, the IP addresses of the access points can be determined by comparing the laptop's ARP cache against the NetStumbler results. The ARP cache on the laptop is viewed by opening a command prompt window and typing "arp -a". This command returns the IP and MAC address of every node the laptop has recently exchanged frames with, which after a ping sweep means every host that answered.
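The ARP-cache comparison described above, as an added example that is not part of the original text or of either tool. It parses a Windows `arp -a` dump, normalizes the MAC notation (Windows prints lower-case dashes, NetStumbler upper-case colons), skips broadcast and multicast entries, and maps each NetStumbler BSSID to the IP address that answered the ping sweep. One caveat a practitioner runs into is handled as an assumption: an access point's BSSID is its radio MAC, and on many consumer units the LAN-side MAC that appears in the ARP cache is the same or an adjacent address, so the code also reports a match whose last octet differs by one, labeled "adjacent". The ARP output and BSSID list are constructed samples.

```python
"""Correlate a Windows `arp -a` dump with NetStumbler BSSIDs to find the IP
addresses of access points, then list the remaining hosts as probe targets.

Added example; ARP_OUTPUT and STUMBLER_BSSIDS are constructed samples. The
"adjacent MAC" fallback is a heuristic assumption: consumer APs often use the
same or a neighbouring MAC for the radio and the LAN interface.
"""
import re

# Constructed `arp -a` output in the Windows layout.
ARP_OUTPUT = """\
Interface: 192.168.1.107 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-06-25-1a-2b-3c     dynamic
  192.168.1.2           00-40-96-aa-bb-cd     dynamic
  192.168.1.12          00-0c-29-4f-8e-91     dynamic
  192.168.1.40          00-02-2d-77-88-99     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed list of BSSIDs as NetStumbler displays them.
STUMBLER_BSSIDS = ["00:06:25:1A:2B:3C", "00:02:2D:77:88:99", "00:40:96:AA:BB:CC"]

# One ARP row: IPv4 address, MAC with dash or colon separators, entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)


def normalize_mac(mac):
    """Canonical form: upper-case, colon-separated."""
    return mac.replace("-", ":").strip().upper()


def mac_int(mac):
    """MAC as a 48-bit integer, for adjacency comparisons."""
    return int(mac.replace(":", ""), 16)


def is_unicast(mac):
    """Broadcast/multicast MACs have the low bit of the first octet set."""
    return int(mac[:2], 16) & 1 == 0


def parse_arp(text):
    """Return {normalized MAC: (ip, type)} for every data row of `arp -a`."""
    entries = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if not m:
            continue  # interface line, column header, or blank
        ip, mac, kind = m.groups()
        entries[normalize_mac(mac)] = (ip, kind.lower())
    return entries


def correlate(arp_text, bssids, slack=1):
    """Map each BSSID to (ip, "exact"|"adjacent"), or None if never seen.

    An exact MAC match wins; otherwise a unicast entry sharing the first five
    octets whose last octet is within `slack` counts as the same device."""
    unicast = {m: v for m, v in parse_arp(arp_text).items() if is_unicast(m)}
    result = {}
    for bssid in bssids:
        mac = normalize_mac(bssid)
        if mac in unicast:
            result[mac] = (unicast[mac][0], "exact")
            continue
        near = [m for m in unicast
                if m[:14] == mac[:14] and abs(mac_int(m) - mac_int(mac)) <= slack]
        result[mac] = (unicast[near[0]][0], "adjacent") if near else None
    return result


def other_hosts(arp_text, bssids):
    """Unicast ARP entries that are not access points: targets for the more
    detailed probes the text mentions (port scans, name resolution)."""
    ap_ips = {hit[0] for hit in correlate(arp_text, bssids).values() if hit}
    return sorted(ip for mac, (ip, _) in parse_arp(arp_text).items()
                  if is_unicast(mac) and ip not in ap_ips)


if __name__ == "__main__":
    for bssid, hit in correlate(ARP_OUTPUT, STUMBLER_BSSIDS).items():
        print(f"{bssid} -> {hit[0] + ' (' + hit[1] + ')' if hit else 'not in ARP cache'}")
    print("other hosts:", other_hosts(ARP_OUTPUT, STUMBLER_BSSIDS))
```

A BSSID that maps to None is not necessarily absent from the network; it may be out of range, on a different subnet, or simply not have answered the sweep. Treat an "adjacent" match as a lead to confirm (for example, by checking the vendor OUI and the device's management interface), not as a certainty.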


Wireless Operational Security
ISBN: 1555583172
Year: 2004
Pages: 153