Wardriving HOWTO (Un-official)

Fred <fred@wardriving.com>

$Revision: 1.0 $  $Date: 2002/04/09 01:51:14 $

This document functions as a starting guide to exploring wireless networks from a legal, ethical and security point of view. I hereby claim absolutely no responsibility for the manner in which this information is used. Information is neither inherently good nor evil; how people choose to use that information makes them good or evil.

___________________________________________________________________

This HOWTO is NOT OFFICIAL (yet) and differs from the Wireless HOWTO, but I strongly recommend reading that one as well: http://www.linuxdoc.org

___________________________________________________________________

Table of Contents

1. Introduction & Background
   1.1 Introduction
   1.2 Copyright
   1.3 Wardriving.com
   1.4 Other Resources
2. What do I need to go Wardriving?
   2.1 Computers
   2.2 Wireless Cards
   2.3 Antennas
   2.4 Software
   2.5 GPS: Why should I have a GPS unit?
3. Why are people Wardriving?
   3.1 Is it legal?
   3.2 What can be done to stop it?

_____________________________________________________________________________

1. Introduction & Background

1.1 Introduction

The 802.11 networking standard, also known as "Wireless Ethernet", WiFi and Wireless LAN, has become very popular with Internet users and corporations looking for a cost-effective LAN extension that is easy to implement and provides reliable service. The most popular implementation (as of April 2002) is 802.11b, the 2.4 GHz, 11 Mb/s wireless LAN variety. 802.11b has all of the aforementioned characteristics, yet poorly implements one of the most fundamental aspects of networking: security. What is the point of providing this type of service to your employees or even your family if you cannot guarantee that their communications are secure? At least with a wireless phone, someone cannot drive by your house and rack up your phone bill. This is exactly the problem with Wireless Ethernet.
People can drive, walk or otherwise approach the area in which the wireless equipment transmits, and share your Internet access or connect to your computer. This process is known as "wardriving", or "LAN jacking".

1.2 Copyright

Wardriving.com 2002. All rights reserved.

Redistribution and use, with or without modification, are permitted provided that the name of the author is not used to endorse or promote products derived from this document without specific prior written permission.

The author disclaims all warranties with regard to this document, including all implied warranties of merchantability and fitness for a particular purpose; in no event shall the author be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of this document.

Windows is a trademark of Microsoft Corp. Linux is a trademark of Linus Torvalds. All other trademarks are the property of their respective owners.

1.3 Wardriving.com

Wardriving.com was started in April of 2001, following the news report of wardriving by Pete Shipley and its rise in popularity. The site is a one-man operation; it exists to further spread knowledge about wireless security and to relay news articles from various sources. It consists mainly of links and short writings on the subject.

This HOWTO shall serve as an introduction to the activity known as "wardriving". For the beginner it will be a good source of starting information, but many of the links listed in the next section will also be very helpful.

1.4 Other Resources

Here are links to other HOWTOs and relevant documents.
The Linux Wireless LAN HOWTO
   http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/

The Wireless HOWTO
   http://www.ibiblio.org/pub/Linux/docs/HOWTO/Wireless-HOWTO

The Linux Laptop HOWTO
   http://www.ibiblio.org/pub/Linux/docs/HOWTO/Laptop-HOWTO

The Linux PCMCIA HOWTO
   http://www.ibiblio.org/pub/Linux/docs/HOWTO/PCMCIA-HOWTO

NetStumbler - Windows and Hermes-based wireless cards
   http://www.netstumbler.org/index.php

2. What do I need to go Wardriving?

2.1 Computers

The minimum requirement is an easily transported computer, 486 or faster, with a PCMCIA slot for the wireless card. The recommended configuration is a Pentium 233 or better laptop with one free PCMCIA slot for the wireless card and a serial port for the GPS. The super-stealth configuration is a laptop or sub-notebook concealed within a backpack with antenna and GPS attached. A laptop is not required: if you have the space and capacity to take a full-sized computer with you, then as long as you have a wireless card it will work.

2.2 Wireless Cards

Wireless cards let your computer talk to other computers, much like an Ethernet card or a modem, just without the wires. Most 802.11b cards come in the PCMCIA form factor. Some original 802.11 gear consisted of SSAs (Single Station Adapters), which acted as media translators between wireless and an Ethernet card; however, the PCMCIA form is the most popular. There are adapters to fit these cards into full-size computers through the PCI or ISA bus. Linux works with the ISA variety; Windows works with both ISA and PCI.

2.3 Antennas

Antennas are optional, but if you want to remain at a relatively safe distance, or you simply cannot approach the effective area of the wireless access point, then they are a must. Many companies that sell cards will also sell you an antenna, but many cards do not come equipped with a jack to plug an antenna in. So many people have resorted to modifying cards to add jacks, or to soldering wires to the built-in antennas of their cards.
Those same people are building antennas from everything from Pringles cans to PVC pipe. These are mainly directional designs, more commonly known as "yagi" style antennas. They focus the 2.4 GHz wave, usually through a condenser, onto an element specifically placed in the antenna. These designs can be quite complicated, so prior experience with HAM radio or antenna building would be a good idea.

2.4 Software

While this HOWTO mainly focuses on Linux, there are wardriving tools available for Macintosh, Linux, BSD and Windows. There are many programs; these are just a few notable ones. Check wardriving.com for others.

NetStumbler is the most popular program for Windows with Lucent/Orinoco and other Hermes-chipset wireless cards.
   http://www.netstumbler.org

AirSnort is a Linux program that breaks WEP encryption using Prism2-chipset cards.
   http://airsnort.shmoo.com/

Wellenreiter is a Linux sniffer that works with both Hermes and Prism2 cards.
   http://www.remote-exploit.org

AP Scanner is a Macintosh program.
   http://homepage.mac.com/typexi/Personal1.html

Mognet is a Java-based, portable program.
   http://www.chocobospore.org/

2.5 GPS: Why should I have a GPS unit?

A question that I hear often. The GPS unit is used to output GPS coordinates to the computer's serial port. When you find a wireless LAN, many programs will log the exact coordinates (down to a few feet) of the effective range of that wireless LAN. The standard protocol is called NMEA; the unit continuously dumps sentences to the serial port, via a special cable, at 9600,8,N,1. This is an optional piece of equipment if you have a good memory or street signs to look at, but if you want to cover a large area in a short amount of time, or are doing this alone, it is essential. Most GPS units run from $100 on up to the thousands. The Garmin eTrex is nice for its size and for the 12V + serial cable.

3. Why are people Wardriving?

3.1 Is it legal?
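Before going on to the legal question, here is an added example for the GPS discussion in section 2.5. It is not part of this HOWTO or of any of the programs listed above: a small Python parser that validates NMEA 0183 $GPRMC sentences (the 9600,8,N,1 serial stream mentioned above), rejects corrupted lines by their checksum, converts the ddmm.mmmm fields to decimal degrees, and tags a network sighting with the fix. The sentences, the SSID and the all-zero BSSID are constructed placeholders; the commented-out serial read assumes the pyserial library.

```python
"""Added example, not from the HOWTO: reading the fix that a serial-port GPS
unit emits as NMEA 0183 sentences and attaching it to a network sighting.
The sentences below are constructed samples; the serial settings (9600 8N1)
are the ones the HOWTO gives.  Reading from /dev/ttyS0 is left as a
commented-out sketch so the block runs offline."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Fix:
    lat: float   # decimal degrees, north positive
    lon: float   # decimal degrees, east positive
    utc: str     # hhmmss exactly as the receiver sent it


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', as two uppercase hex digits."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return f"{cs:02X}"


def _ddmm_to_degrees(value: str, hemisphere: str) -> float:
    """NMEA encodes latitude as ddmm.mmmm and longitude as dddmm.mmmm."""
    whole, frac = value.split(".")
    degrees = int(whole[:-2])
    minutes = float(whole[-2:] + "." + frac)
    sign = -1.0 if hemisphere in ("S", "W") else 1.0
    return sign * (degrees + minutes / 60.0)


def parse_rmc(line: str) -> Optional[Fix]:
    """Return a Fix from a $GPRMC sentence, or None if the line is not RMC,
    fails its checksum, or reports no valid fix (status 'V')."""
    m = re.fullmatch(r"\$([^*]+)\*([0-9A-Fa-f]{2})\s*", line)
    if not m:
        return None
    body, claimed = m.group(1), m.group(2).upper()
    if nmea_checksum(body) != claimed:
        return None                     # corrupted on the serial line; discard
    fields = body.split(",")
    if fields[0] != "GPRMC" or len(fields) < 10:
        return None
    utc, status, lat, ns, lon, ew = fields[1:7]
    if status != "A" or not lat or not lon:
        return None                     # 'V' = receiver has no fix yet
    return Fix(_ddmm_to_degrees(lat, ns), _ddmm_to_degrees(lon, ew), utc)


def tag_sighting(ssid: str, bssid: str, nmea_line: str) -> dict:
    """Combine a scanner's report of a network with the most recent fix."""
    fix = parse_rmc(nmea_line)
    return {"ssid": ssid, "bssid": bssid,
            "lat": fix.lat if fix else None,
            "lon": fix.lon if fix else None,
            "utc": fix.utc if fix else None}


# Constructed samples: a good fix, a corrupted copy, and a receiver with no fix.
GOOD_RMC = "$GPRMC,015114,A,3751.650,N,12228.650,W,000.0,000.0,090402,,*0B"
BAD_CRC = GOOD_RMC[:-2] + "FF"          # an XOR of ASCII bytes never reaches 0xFF
_no_fix_body = "GPRMC,015114,V,,,,,,,090402,,"
NO_FIX = f"${_no_fix_body}*{nmea_checksum(_no_fix_body)}"

# To read a real unit with the HOWTO's settings (assumes pyserial is installed):
#   import serial
#   port = serial.Serial("/dev/ttyS0", 9600, bytesize=8, parity="N", stopbits=1)
#   for raw in port:
#       fix = parse_rmc(raw.decode("ascii", "replace"))

if __name__ == "__main__":
    # Placeholder SSID/BSSID, not a real network.
    print(tag_sighting("example-ssid", "00:00:00:00:00:00", GOOD_RMC))
    print(parse_rmc(BAD_CRC), parse_rmc(NO_FIX))
```

The checksum check matters more than it looks: a loose serial cable in a moving car produces mangled sentences, and a logger that trusts them will file a network under a position hundreds of metres off.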
There is no cut-and-dried answer to this question, but simply driving around a city searching for the existence of wireless networks, with no ulterior motive, cannot be deemed illegal. However, if you are searching for a place to steal Internet access or to commit computer crimes, then the wardriving you performed was done in a malicious manner and could be treated as such in court. Don't forget that in the US, simply receiving radio transmissions on the cellular telephone frequencies (895-925 MHz) is illegal; a similar law could be written to discourage this, but it isn't likely.

As with any questionable activity, there are always two sides. Whether you agree or disagree with the whole practice makes no difference to me, but in the future, legal proceedings and violations may be related to wardriving. Technology is not bound to ethics. It is the application and use (or abuse) of that technology that brings ethics into it.

To get back to the question: this technology is not really new (802.11 IEEE Standard - 1997), but this is the peak of its popularity, and at this peak it's good to get the kinks worked out. The security of wireless Ethernet is a pretty huge kink. WEP (Wired Equivalent Privacy) uses up to 128-bit RC4 encryption, but it was implemented wrong, so now it makes no difference whether or not you use it; it's vulnerable. There are few built-in mechanisms that provide security. Not broadcasting the ESSID is a start, but a sniffer can pick it up; anything else is left to third-party devices.

3.2 What can be done to stop it?

This is also not an easy question. There are some answers: don't use it, wait for 802.11a, or use tunneling or another authentication mechanism. If you have determined that the information that will be transferred between your computer and an access point will not contain any personal or confidential data, then there's no problem in using the technology.
However, being blind to the fact that anyone can share your network is no excuse when someone pilfers your credit card number or cracks their way into your computers and out across the Internet. I haven't made that decision, but I will not set up an access point on my internal network.

As far as third-party devices go, there are new technologies that are hardware-based and permit only certain authenticated hosts to use that connection, and they provide separate encryption. There are also software solutions, from RADIUS to PPPoE, PPTP and IPSec, and using a firewall in conjunction with any of these technologies will help. Placing the access point on a DMZ and using tunneling to encrypt and authenticate users is the most secure solution, next to waiting for something better.
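As an added illustration of the WEP claim in section 3.1 (not part of the HOWTO): WEP derives each frame's RC4 key from the fixed shared key plus a 24-bit per-frame IV that is transmitted in the clear, so any two frames carrying the same IV are encrypted under the same keystream. The Python below estimates, from a defender's point of view, how soon that repetition happens on a busy 11 Mb/s link, which is the arithmetic behind "it makes no difference whether or not you use it" and the reason section 3.2 reaches for tunneling and authentication outside of WEP. The random seed, link rate and frame size are assumptions chosen for the example.

```python
"""Added example, not from the HOWTO: how quickly WEP's 24-bit IV space is
reused.  The IV is the only per-frame component of the RC4 key, so an IV
repeat means a keystream repeat.  Two defender-side estimates are given:
a simulation of a card choosing IVs at random, and the wrap-around time of a
card that simply counts upward."""
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS            # 16,777,216 possible IVs


def frames_until_iv_repeat(seed: int = 2002) -> int:
    """Simulate a card that picks IVs uniformly at random and return the
    number of frames sent when the first IV is reused.  The seed is an
    assumption so the run is repeatable; the answer is a few thousand frames
    either way (birthday bound, roughly sqrt(pi * IV_SPACE / 2) ~ 5100)."""
    rng = random.Random(seed)
    seen = set()
    sent = 0
    while True:
        iv = rng.getrandbits(IV_BITS)
        sent += 1
        if iv in seen:
            return sent
        seen.add(iv)


def prob_iv_collision(frames: int) -> float:
    """Birthday-bound probability that at least two of `frames` randomly
    chosen IVs coincide: 1 - exp(-k(k-1) / 2N)."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def hours_to_exhaust_sequential_ivs(link_mbps: float = 11,
                                    frame_bytes: int = 1500) -> float:
    """A card that counts IVs sequentially wraps after IV_SPACE frames.  At
    the nominal link rate and an assumed frame size this is the upper bound
    on how long a saturated network runs before the whole IV space repeats
    (a reboot that resets the counter to 0 makes it far sooner)."""
    frames_per_sec = link_mbps * 1e6 / (frame_bytes * 8)
    return IV_SPACE / frames_per_sec / 3600


if __name__ == "__main__":
    print(f"random IVs: first repeat after {frames_until_iv_repeat()} frames")
    print(f"P(collision) after 5000 frames: {prob_iv_collision(5000):.2f}")
    print(f"sequential IVs wrap after ~{hours_to_exhaust_sequential_ivs():.1f} h "
          f"on a saturated 11 Mb/s link")
```

Neither number depends on the key length, which is why moving from 40-bit to 128-bit WEP keys does not change the picture: the keystream still repeats, and a protocol that repeats keystream has lost confidentiality regardless of how long the key is.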