War Driving SecureSD Fall 2004 Tuesday, November 16th 2PM-3:30PM

©2004 Lee Barken

War Driving

Tuesday 11/16, 2PM-3:30PM

Lee Barken, CISSP, MCP, CCNA, CPA

Co-Director, STAR Center, San Diego State University

http://starcenter.sdsu.edu

President, SoCalFreeNet.org

http://www.SoCalFreeNet.org

E-mail: barken@mail.com

Why are we here?

Why Do People War Drive?

Antenna Basics

Understanding the Protocol

Wardriving Tools & Techniques

Code of Ethics for Security Professionals

Act with honesty, integrity and professionalism at all times.

Personal curiosity is not an excuse to break the law.

Respect the power of information and be willing to share your knowledge for the advancement of the security field and the protection of society.

Honor and maintain the confidentiality of all client information that may be discovered during the course of an engagement.

Remember that even the smallest appearance of impropriety may result in damage to your reputation and the credibility of our profession.

If a little voice in your head tells you that you might not be doing the right thing—listen to that voice.

Why Do People War Drive?

“Good guys and not so good guys”

Because it’s fun

To learn about wireless technology

Looking for a place to check e-mail

Defending our network/Look for rogue APs

To gain unauthorized access / launch attacks / other criminal activity

World Wide War Drive 4

WWWD4, June 12-19, 2004

Total APs found: 228,537

No WEP: 140,890 (61.6%)

Default SSID: 71,805 (31.4%)

In San Diego... 2 people

Total APs found: 19,148

No WEP: 11,962 (62.47%)

Default SSID: 7,769 (40.57%)

Antenna Basics

Antennas do not “amplify” the signal; they merely “focus” the energy in a particular direction.

Images courtesy: “Designing a Wireless Network”, Syngress Publishing.

Antennas - Isotropic

Isotropic antenna: A hypothetical antenna that radiates or receives equally in all directions. Note: Isotropic antennas do not exist physically but represent convenient reference antennas for expressing directional properties of physical antennas.

Antennas - Omni

5 dBi, “Magnetic Mount”

9 dBi, 20 inches long

15.4 dBi, 70 inches long

Antennas – Patch, Panel, Sector

16.5 dBi, beam width: 95 degrees (H), 7 degrees (V)

19 dBi, 15.5 inches square, 1.25 inches thick, 18 degree beam width

9.3 dBi, 4.5 inches square, 60 degree beam width

Antennas – Parabolic Grid

24 dBi, 8 degree beam width, 42” X 24”

Antennas – Yagi

12 dBi, 16 inches long

14 dBi

14.5 dBi, 18 inches long

Antennas – Phased Array

Antennas – Pringles Can

Understanding the Protocol

Association

“Open Network” “Closed Network”

(For simplification, I’m leaving out the “authentication” step in this presentation)

“Open Network”

Access Point → Client: Management Beacon

Client → Access Point: Association Request

Access Point → Client: Association Response

“Closed Network”

Client → Access Point: Probe Request

Access Point → Client: Probe Response

Client → Access Point: Association Request

Access Point → Client: Association Response

What’s the problem with RF?

Wireless signals don’t STOP at your walls.

Wi-Fi is like putting an Ethernet jack in your parking lot.

San Francisco – Peter Shipley

http://www.dis.org/filez/openlans.pdf

Image courtesy: Computerworld

Wardriving: Tools & Techniques

Wardriving Trivia

“Wardriving”, “Access Point Discovery”, “Lan Jacking”, “WLAN Mapping”, etc.

War Games, 1983 movie introduced “War Dialing”.

WarChalking

Images courtesy: http://www.warchalking.org

WarFlying?

Images courtesy: http://www.arstechnica.com/wankerdesk/3q02/warflying-1.html

WarStrollering?

Images courtesy: http://208.151.246.210/pictures/PersonalTelco/

WarSailing?

Image courtesy: http://www.catalina42.org/war-sail/

What’s next?

Discovering Wireless Networks

“Open Network” (SSID = default)

Easy! Just listen for Management Beacons. (or send probe requests with SSID set to the word “any”)

Access Point → Attacker: Management Beacon
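For the defensive use listed earlier (“Defending our network/Look for rogue APs”), the same beacon fields a stumbler logs can be checked against your own inventory. The Python below is an added example, not part of the original slides: the inventory, the default-SSID list, the function names and the three sample beacons are all constructed for illustration.

```python
import struct
# Assumed for this example: our own AP inventory and a sample factory-default SSID list.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:55"}
DEFAULT_SSIDS = {"default", "linksys"}

def parse_beacon(frame: bytes) -> dict:
    """Parse a raw 802.11 beacon: 24-byte header, 12 fixed bytes, tagged elements."""
    if len(frame) < 36 or frame[0] & 0xFC != 0x80:        # type 0, subtype 8 only
        raise ValueError("not a complete management beacon")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])    # address 3
    (capability,) = struct.unpack_from("<H", frame, 34)
    ssid, pos = b"", 36
    while pos + 2 <= len(frame):                          # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        if pos + 2 + length > len(frame):
            break                                         # truncated element
        if tag == 0:                                      # element 0 carries the SSID
            ssid = frame[pos + 2:pos + 2 + length]
            break
        pos += 2 + length
    closed = not ssid.strip(b"\x00")                      # empty or all-NUL SSID
    return {"bssid": bssid, "closed": closed, "privacy": bool(capability & 0x0010),
            "ssid": "" if closed else ssid.decode("utf-8", "replace")}

def audit(frames) -> dict:
    """Map each BSSID heard to the list of findings for it."""
    report = {}
    for ap in map(parse_beacon, frames):
        checks = [("not in inventory", ap["bssid"] not in AUTHORIZED_BSSIDS),
                  ("no WEP", not ap["privacy"]),
                  ("default SSID", ap["ssid"] in DEFAULT_SSIDS)]
        report[ap["bssid"]] = [name for name, hit in checks if hit]
    return report

def make_beacon(bssid: str, ssid: bytes, privacy: bool) -> bytes:
    """Build a constructed sample beacon for the demo (not captured traffic)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    cap = 0x0001 | (0x0010 if privacy else 0)             # ESS bit, optional Privacy bit
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac * 2 + b"\x00\x00"
    body = bytes(8) + struct.pack("<HH", 100, cap) + bytes([0, len(ssid)]) + ssid
    return header + body + b"\x01\x01\x82"                # trailing Supported Rates element

SAMPLES = [make_beacon("00:11:22:33:44:55", b"corp-wlan", True),
           make_beacon("00:de:ad:be:ef:01", b"default", False),
           make_beacon("00:de:ad:be:ef:02", b"", True)]

if __name__ == "__main__":
    print(audit(SAMPLES))
```

The “no WEP” and “default SSID” findings correspond to the two categories counted in the World Wide War Drive figures above; an AP that blanks its SSID is reported with `closed` set.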

Discovering Wireless Networks

“Closed Network” (SSID = ???)

You must get “lucky” and catch a legitimate association.

Attacker listens while a wireless client associates:

Wireless Client → Access Point: Probe Request

Access Point → Wireless Client: Probe Response

Wireless Client → Access Point: Association Request

Access Point → Wireless Client: Association Response

Discovering Wireless Networks

“Closed Network” (SSID = ???)

or… if you get impatient… spoof a disassociate frame

Attacker → Wireless Client (Associated): Disassociate

The wireless client then repeats the exchange: Probe Request, Probe Response, Association Request, Association Response

Hardware – Wireless NIC Chipsets

ADMtek: Abocom, Accton, Addtron, Belkin, D-Link, Hawking Tech, SMC, 3Com, Trendware, Xterasys

Aironet (Cisco): Cisco, Xircom

Atheros: Accton, Actiontec, D-Link, Enterasys, GemTek, IBM, Intel, Linksys, Netgear, Philips, Proxim, Senao/Engenius, SMC, 3Com, Z-com

Atmel: Accton, Actiontec, Dell, Belkin, Cnet, Compaq, D-Link, GemTek, Hawking Tech, Intel, Linksys, Netgear, SMC, 3Com, Trendware, Z-com

Broadcom: Apple, Belkin, Buffalo, Dell, GemTek, Linksys, Microsoft, Motorola, Trendware

Orinoco: Apple, Buffalo, Compaq, D-Link, Dell, Enterasys, HP, Lucent/Agere, Proxim, Sony, 2Wire

Prism: Abocom, Accton, Actiontec, Belkin, Buffalo, Compaq, D-Link, Dell, Gateway, GemTek, Hawking Tech, Intel, Linksys, Netgear, Proxim, Senao/Engenius, SMC, 3Com, Trendware, US Robotics, Z-com

Realtek: Abocom, Accton, Belkin, Bromax, D-Link, Linksys, Netgear, Zonet

A very complete list: http://www.linux-wlan.org/docs/wlan_adapters.html.gz

Hardware – Wireless NIC Chipsets

Hermes (Lucent): Orinoco, Toshiba, Cabletron, Dell, Compaq WL110, IBM, Apple

Prism (Intersil): Dlink, Linksys, SMC, Addtron, Compaq WL100, Netgear, Gemtek, Zoom, Samsung, Senao

Airo (Cisco): Cisco, Xircom, Dell

Hardware – Pigtails

Hardware – Antennas

Hardware – GPS

Software – Netstumbler

http://www.netstumbler.com

FREE

Notebook & PDA Version

Windows 2000, XP

Orinoco, Prism Chipset

“Most” Cards Work w/XP (YMMV)

GPS Support

Software – APSniff

http://www.bretmounet.com/apsniff

FREE

Notebook Version

Windows 2000 Only

Prism Chipset

Software – Aerosol

http://www.stolenshoes.net/sniph/aerosol.html

FREE

Notebook Version

Windows

Prism & Hermes Chipset

Software – Pocket Warrior

http://www.pocketwarrior.org

FREE

PDA Version

PocketPC 2002 (ARM, SH3, MIPS)

Prism Chipset

Software – Wireless Security Auditor (IBM)

http://www.research.ibm.com/gsal/wsa

“Research Prototype” (not released)

Notebook & PDA Version

Linux

Cisco, Prism 2 Chipset

Software – Kismet

http://www.kismetwireless.net

FREE

Notebook & PDA Version

Linux

Cisco, Prism, ADMTek, TI, Atheros, Orinoco Chipset

GPS Support

Software – dStumbler

http://www.dachb0den.com/projects/bsd-airtools.html

FREE

Notebook Version

*BSD

Prism 2 Chipset

Software – AirMagnet

http://www.airmagnet.com

$3,495 MSRP

Notebook & PDA Version

Windows, PocketPC

Only works with bundled WLAN card

Software – Stumbverter

http://www.sonar-security.com

FREE

Imports Data from NetStumbler

Requires Microsoft MapPoint 2002

Windows

All-in-one bootable CD’s

WarLinux (http://sourceforge.net/projects/warlinux)

WarBSD (http://digiflux.org/warbsd/)

Knoppix (http://www.knopper.net/knoppix/index-en.html)

Wireless Packet Sniffers

Ethereal (http://www.ethereal.com)

Packetyzer (http://www.packetyzer.com)

WildPackets – Airopeek (http://www.wildpackets.com)

Finisar – Surveyor Wireless (http://www.finisar.com)

Network Associates – Sniffer Wireless (http://www.sniffer.com)

PDA Version: Airscanner (requires Pocket PC 2002)

http://airscanner.com/downloads/sniffer/sniffer.html

Vehicles

Wardriving “Built-In” to XP?

Source: http://www.infoworld.com/articles/op/xml/02/07/22/020722opcurve.xml

Snippet: For all his success at bringing Microsoft's warring constituencies together, there are still things beyond Bill and Steve's control. "I was in a hotel in Sun Valley last week that was not wired," Ballmer recalls. "So I turned on my PC, and XP tells me there is a wireless network available. So I connect to something called Mountaineer.

"Well, I don't know what that is. But I VPN into Microsoft. It worked! I don't know whose broadband I used," he chuckles. "I didn't see it in Bill's room. I called him up and said, 'Hey, come over to my room.' So soon everyone is there and connecting to the Internet through my room."

Stumbler Code of Ethics v0.1

1. Obey traffic laws. It's your community too, the traffic laws are there for everyone's safety, besides, doing doughnuts at 3am gets unwanted attention from the authorities.

2. Obey private property and no-trespassing signs. Don't trespass in order to scan an area. That's what the directional antenna is for :) You wouldn't want people trespassing on your property would you?

3. Don't connect. The vast majority of AP's out there were not intended by their owners to be accessed by you, even if they configured it so you could access it if you wanted to. There is much legal question as to the trouble you can get into for accessing a network through a misconfigured AP. Also it's a matter of respect, you wouldn't want people rooting through your computers just because you happened to make a mistake, so don't do it to them.

4. Don't use your data for personal gain. Share the data with like-minded people, show it to people who can change things for the better, but don't try and make any money or status off your data. It's just wrong to expect these people to reward you for pointing out their own stupidity.

5. Don't warchalk other people's networks. Only chalk your own if you want to indicate your willingness to share access. If you chalk some stranger's network, it dilutes the use of the symbols to indicate free access. If you’re a business and you have a public AP and a non-public one, indicate with the open one, but also indicate the closed one with the closed symbol, differentiating them so people know the difference.

6. Be like that hiker motto; 'Take only pictures, leave only footprints'. Stumblers should 'Take only SSID's, leave only tire marks'. Leaving tire marks by not loitering and moving on is better than leaving a log entry by doing something stupid.

These are by no means rules that must be followed, but they are a collection of suggestions for safe, ethical, and legal stumbling. I encourage you to follow them.

http://www.renderlab.net/projects/wardrive/ethics.html

By Renderman, Render@Renderlab.net

Disabling TCP/IP

http://www.worldwidewardrive.org/nodhcp.html

Summary

Wireless signals don’t stop at your walls

Use an omni antenna

When choosing a WLAN card:

– What chipset does it use?

– Is there an external antenna connector?

Use Netstumbler/Kismet/dStumbler

– Or, a protocol analyzer

Don’t forget to unbind your TCP/IP stack!!!

Questions?