WardrivingWardriving

7/29/20047/29/2004

The “Bad Karma Gang”The “Bad Karma Gang”

AgendaAgenda

Introduction to Wardriving

The Tools of Wardriving

Wardriving Green Lake

What isWhat is War DrivingWar Driving??

DefinitionDefinition:: Driving through a neighborhood with a wireless-Driving through a neighborhood with a wireless-

enabled notebook computer in search for wireless enabled notebook computer in search for wireless access points (APs)access points (APs)

PurposePurpose: : Analyze Analyze Wireless LANsWireless LANs & show which APs are open & show which APs are open

ProductProduct:: Wireless Access Point MapWireless Access Point Map

OriginOrigin:: ““War dialingWar dialing””

Some Results of War DrivingSome Results of War Driving

-Source: Wigle.Net-

-WiFiMaps.com-

Nui’s House

Access pointWWWD4 (World Wide War Drive)

June 12-19 , 2004300,000 APs submitted worldwide

32.2%

67.8%

0.0% 20.0% 40.0% 60.0% 80.0%

protectednetw orks

unprotectednetw orks

Wireless Internet Security Awareness -152 networks audited-

Wireless Access Point Maps

Nowel & Budge

WiGLE

Legal BackgroundLegal Background

ActivityActivity LegalityLegality LawLaw

Scan access pointsScan access points Not illegalNot illegal

Intentional access of a computer Intentional access of a computer without authorizationwithout authorization

IllegalIllegal Computer Fraud and Computer Fraud and Abuse ActAbuse Act

Alteration of communication on Alteration of communication on ISP network without authorizationISP network without authorization IllegalIllegal

Electronic Electronic Communications Communications Protection ActProtection Act

Interception of communications Interception of communications as they’re going through the airas they’re going through the air IllegalIllegal

Wiretap ActWiretap Act

FootprintingAddress range,

namespace acquisition

ScanningFind promising points of entry

Anatomy of a Hack(Hacking Exposed 4th Edition)

EnumerationFind user accounts

and poorly protected shares

Gaining AccessInformed attempts to access target

Escalating PrivilegeGain complete

control of system

War driving Process

PilferingGain access to trusted systems

Covering TracksHide system privileges

Creating Back DoorsEnsure ability to

regain access at will

Denial of ServiceCreate ability to disable target

Legal Illegal

Possible Risks Possible Risks

War driving = not illegalWar driving = not illegal

Beyond war driving = illegalBeyond war driving = illegal Encryption key crackingEncryption key cracking Free internet accessFree internet access Identity exposure and theftIdentity exposure and theft Network resource utilizationNetwork resource utilization Data theftData theft Denial-of-serviceDenial-of-service Other hacking activitiesOther hacking activities

Confidentiality

Integrity

Availability

GPS Mouse

Notebook computer

Power Cable

GPS SoftwareDisplay

802.11 network sniffing software (e.g.

Netstumbler)

Text to speech software

"new network found. ssid is thd-

wireless. channel 6. network open."

Typical Wardriving Setup

Netstumbler Screenshot

For the thrifty and adventurous wardriver…Build a “Cantenna”

http://www.turnpoint.net/wireless/cantennahowto.html

Protection of Wireless Networks

• Use Wired Equivalency Privacy (WEP)Network card encrypts “payload” using RC4 cipherReceiving station decrypts upon arrivalOnly works between 802.11 stations.

No longer applies once payload enters wired side of network

Users should change default password and Service Set IdentifierUsers should change keys often

• Physically locate access point to avoid “spilling” signal off premises

• Install hardware or software firewall

• Use passwords for sensitive folders and files

• Users should perform wardriving test

Experiment: War Driving SeattleExperiment: War Driving Seattle

* Doonesbury, December, 2002.

Wardriving: Been there, done that?Wardriving: Been there, done that?

* “War Kayaking”, Summer, 2003.

War Driving ExperimentsWar Driving Experiments

Experiment 1: Open doorExperiment 1: Open door

Opened SBG1000 Opened SBG1000 wireless Internet wireless Internet gatewaygateway

Meant to disable 16 Meant to disable 16 bit encryptionbit encryption

Discovered traffic in Discovered traffic in logs when home logs when home computers offcomputers off

Experiment 2: Tools of the tradeExperiment 2: Tools of the trade

+ + = Access

My house

Results: Access GainedResults: Access Gained

ResultsResults

29 Available networks 29 Available networks in 2 short hours in 2 short hours All available from All available from parked car on parked car on crowded streetscrowded streetsColorful names for Colorful names for wireless routerswireless routers hotstuff, red libre, hotstuff, red libre,

eatshitanddieeatshitanddie most use most use

manufacturer namemanufacturer name

Only 3 required a key Only 3 required a key of any kindof any kind

TThe “Bad Karma Ganghe “Bad Karma Gang””

-Social Engineer Alumni Relations-

Discussion