Wireless Attacks ~ War Driving

written by: Brian Rodrigues; article published: year 2006, month 08;



When a surveillance attack is either impossible or too difficult, war driving is an effective alternative. In many situations, war driving follows and adds information to a prior surveillance attack. Conversely, the information obtained from random war driving often leads to a surveillance attack on a discovered location.

The term war driving is borrowed from the 1980s phone hacking tactic known as war dialing. War dialing involves dialing all the phone numbers in a given sequence to search for modems. In fact, this method of finding modems is so effective that it's still in use today by many hackers and security professionals. Similarly, war driving, which is now in its infancy, will most likely be used for years to come both to hack and to help secure wireless networks.

War driving first became popular in 2001, when tools for scanning wireless networks became widely available. The original tools used by war drivers were the basic configuration utilities that ship with the wireless network interface card (WNIC). That software was not designed with war drivers or security professionals in mind and thus was not very effective, which created the need for better software. Nevertheless, war drivers have not abandoned the WNIC software altogether; it still serves as a useful complement to modern, more capable tools.

Why do we need ethical war drivers? Many large corporations have stated that they are not worried about their wireless networks because they would be able to see the attacker in the parking lot and have onsite security pick them up. The problem with this line of thinking is that the wireless networks can, and usually do, extend well past the parking lot. Keep in mind that this is a wireless technology, and unlike standard wired networks, the wireless data packets are not limited by the reach of Cat5 cable. In fact, wireless networks using standard devices and aftermarket antennas have been known to extend over many miles. Knowing this, an attacker can be much farther away than your parking lot and still access your network.

War driving itself does not constitute an attack on the network, and many authorities feel that it does not violate any law. However, this assumption has yet to be tested in the United States court system, and if it ever is, it will be difficult to rule against the war driver.
Specifically, a war driver is usually on some type of public property, and may even be mobile in a car or bus. The software on her computer captures the beacon frames that access points transmit roughly every 100 milliseconds (the default beacon interval is 100 time units of 1,024 microseconds, or 102.4 ms). Access points use the beacon to announce their presence, and to detect the presence of other access points in the area. Clients also use beacon frames to determine which networks are available in their office; Windows XP, for example, builds its list of wireless networks from these beacons.

One of the best-known war driving software packages is called NetStumbler, and is available free from its kind author Marius Milner at http://www.netstumbler.com. NetStumbler examines the beacon frames and then formats them for display. Interestingly, it takes care not to make the raw beacon frames available to the user. The following list shows some of the information that's gathered by NetStumbler and made available based on the beacon frames:

  • Basic Service Set ID (BSSID)
  • WEP-enabled or not
  • Type of device: AP or peer
  • MAC address of wireless device
  • Channel device was heard on
  • Signal strength of device
  • Longitude and latitude (if using a GPS)

No data frames are captured or made available to the user of the software, and of the management frames only the beacon and probe-response frames are examined; authentication, association and other management traffic is never touched. Many access points can be configured in a stealth mode that offers to "disable the beacon". In reality, the beacon frame is still sent every 100 milliseconds; only the SSID has been removed, that is, the SSID element goes out with zero length. This setting is also known as disabling the broadcast SSID option. The reason it defeats NetStumbler is that NetStumbler is an active scanner: it transmits probe requests with a broadcast (empty) SSID and lists the access points that answer with a probe response, which carries the same fields as a beacon. An access point configured this way does not answer broadcast probe requests, so NetStumbler will not detect the presence of the network. Passive wireless network sniffers (AiroPeek, Sniffer) capture the beacons themselves and will still detect these networks. To review:

  • A war driver receives a beacon (or probe-response) frame sent by an access point or a peer.
  • Only the summary fields of that frame are formatted and displayed to the war driver.
  • No data frames, and no other management frames, are captured or displayed to the war driver.
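To make the beacon discussion concrete, here is an added example (not part of the original article, and not NetStumbler's code) that builds a few constructed 802.11 beacon frames and pulls out the same fields NetStumbler displays: BSSID, the privacy (WEP) capability bit, AP versus peer, channel, and whether the SSID has been blanked. The frames, MAC addresses and SSIDs are all made up for the example; a real capture would come from a monitor-mode interface or a sniffer, and the frame layout follows the 802.11 management-frame format (24-byte MAC header, 12-byte fixed beacon body, then tagged information elements).

```python
import struct

# 802.11 capability-information bits (little-endian 16-bit field in the beacon body)
CAP_ESS = 0x0001      # infrastructure network (access point)
CAP_IBSS = 0x0002     # ad hoc / peer network
CAP_PRIVACY = 0x0010  # WEP enabled (later standards reuse the bit for any encryption)

# Information element IDs used below
IE_SSID = 0
IE_SUPPORTED_RATES = 1
IE_DS_PARAMS = 3      # carries the channel number


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_beacon(bssid: str, ssid: str, channel: int, privacy: bool,
                 ibss: bool = False, interval_tu: int = 100) -> bytes:
    """Construct a minimal beacon frame as test data (constructed, never transmitted)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    # MAC header: frame control (type 0 = management, subtype 8 = beacon), duration,
    # addr1 = broadcast destination, addr2 = source, addr3 = BSSID, sequence control
    header = b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    cap = (CAP_IBSS if ibss else CAP_ESS) | (CAP_PRIVACY if privacy else 0)
    body = struct.pack("<QHH", 0, interval_tu, cap)   # timestamp, interval, capabilities
    ssid_bytes = ssid.encode()
    body += bytes([IE_SSID, len(ssid_bytes)]) + ssid_bytes   # zero length = "hidden" SSID
    body += bytes([IE_SUPPORTED_RATES, 1, 0x82])             # 1 Mbps, basic rate
    body += bytes([IE_DS_PARAMS, 1, channel])
    return header + body


def parse_beacon(frame: bytes) -> dict:
    """Extract the NetStumbler-style summary fields from one raw beacon frame."""
    if len(frame) < 36:
        raise ValueError("frame too short to be a beacon")
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0 or (fc0 >> 4) & 0xF != 8:
        raise ValueError("not a beacon frame (management type 0, subtype 8)")
    bssid = mac_str(frame[16:22])
    interval_tu, cap = struct.unpack_from("<HH", frame, 32)

    ssid = None
    channel = None
    pos = 36  # first information element follows the fixed 12-byte beacon body
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + elen]
        if len(data) < elen:
            break  # truncated element: stop rather than read past the frame
        if eid == IE_SSID:
            ssid = data
        elif eid == IE_DS_PARAMS and elen == 1:
            channel = data[0]
        pos += 2 + elen

    # "Disable broadcast SSID" leaves the beacon in place but sends a zero-length
    # SSID element (some firmware sends the real length filled with NUL bytes instead).
    hidden = ssid is None or len(ssid) == 0 or all(b == 0 for b in ssid)
    return {
        "bssid": bssid,
        "ssid": None if hidden else ssid.decode("utf-8", "replace"),
        "hidden_ssid": hidden,
        "wep": bool(cap & CAP_PRIVACY),
        "type": "peer" if cap & CAP_IBSS else "AP",
        "channel": channel,
        "beacon_interval_ms": interval_tu * 1024 / 1000,  # 1 TU = 1024 microseconds
        # An active scanner (probe request/response) only lists networks that answer a
        # broadcast probe; a hidden-SSID AP does not, so only a passive sniffer sees it.
        "seen_by_active_scan": not hidden,
    }


def survey(frames) -> list:
    """Parse a batch of captured frames, skipping anything that is not a beacon."""
    results = []
    for f in frames:
        try:
            results.append(parse_beacon(f))
        except ValueError:
            continue
    return results


if __name__ == "__main__":
    # Constructed sample "capture": an open AP, a WEP AP with hidden SSID, an ad hoc peer,
    # and a data frame (type 2) that survey() must ignore. Addresses are made up.
    capture = [
        build_beacon("00:02:2d:aa:bb:cc", "zoolander", 6, privacy=False),
        build_beacon("00:02:2d:11:22:33", "", 11, privacy=True),
        build_beacon("02:33:44:55:66:77", "peer-net", 1, privacy=False, ibss=True),
        b"\x08\x00" + b"\x00" * 40,
    ]
    for row in survey(capture):
        print(row)
```

The hidden-SSID case is the one worth studying: the parser still reports the BSSID, channel and WEP bit, because the beacon never stopped; only the name is gone, which is exactly why a passive sniffer sees what NetStumbler misses.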

Some would question how this differs from a wired sniffer, which captures every packet on a network even if only the header is read. The Federal Communications Commission's rules on the reception of transmitted signals have been amended several times to cover new technologies. If you are interested in the legal aspects, read the Electronic Communications Privacy Act (ECPA). Grove Enterprises Inc. has produced an easy-to-read layperson's version called the Listener's Lawbook (http://www.grove-ent.com/LLawbook.html). Before starting your career in ethical war driving, brush up on all the relevant laws in your area.

War driving is typically performed while mobile in a car or bus. One very effective way to war drive a new city is to use public transportation or even a tour bus. Both offer a safe opportunity for you to work the computer and observe what's around you, leaving the driving to someone else. Alternatively, many war drivers are outfitting their vehicles with various setups and antennas to allow for constant war driving (CAUTION: operating the computer yourself while the vehicle is moving is not recommended). These setups are becoming more common as mobile electronics fall in price and grow in popularity. The following is a list of items commonly used for war driving:

  • Wireless Network Interface Card (Lucent ORiNOCO cards recommended)
  • Computer (laptops or PDAs work best)
  • Copy of NetStumbler or ORiNOCO NIC software
  • Power inverter
  • External antenna
  • GPS

The last three items are optional, and are not required for war driving. However, we do recommend them for academic researchers, law enforcement, and the military, as they will significantly improve the sensitivity and specificity of your research results.

After you have the necessary equipment, you can start searching for wireless networks. You can do this simply by driving the streets of your neighborhood or local business park. Heavily populated metropolitan areas are usually a good place to find several networks. Some of the networks you find might belong to individuals and might be connected to their local DSL or cable modem, whereas others might belong to major corporations. For example, while driving on one normal commute with our equipment inadvertently left on, we found that eight access points—none of which were running encryption—were broadcasting an open invitation to the world. The worst part was that all eight access points were coming from the headquarters of a major financial institution.

NOTE

Remember that all the techniques in this article are available freely on the Web, and are well known to hackers and criminals. We are simply summarizing the information here so that honest administrators will at least have a fighting chance to protect their own networks. So grab your equipment and start legitimately auditing your own network—before someone maliciously does it for you!

To begin war driving using your vendor-provided ORiNOCO software, perform the following steps:

  • On a Windows-based computer, install and configure your Lucent WNIC.
  • Launch the ORiNOCO Client Manager.
  • From the Actions menu, select Add/Edit Configuration Profile.
  • Select the Default profile and click Edit Profile.
  • Set your Network Name (equivalent to the SSID) to ANY. This is a reserved name that tells the WNIC to associate with any SSID.
  • Now click the Admin tab and select Network Assigned MAC Address. This setting lets you spoof (modify) your WNIC's MAC address, so that when your WNIC registers with an access point, your real MAC address is not seen. It is also handy when connecting to a system that restricts access by MAC address, which you should do only on a network you are authorized to test. Be creative with your MAC address; the example used here is BadF00D4b0b0 (BA:DF:00:D4:B0:B0).

With these settings, you will be able to detect the presence of various wireless networks. After you establish an association, you will see the SSID (zoolander in the example network used here) and the MAC address of the access point.
If a Dynamic Host Configuration Protocol (DHCP) server is running on the access point, or requests are being forwarded onto the wired network, the target network might even assign you a valid IP address! For this to work, your computer must be configured to obtain both its IP address and its domain name service (DNS) settings via DHCP. Note that associating and accepting an address is no longer passive listening; on a network you are not authorized to test, this is the point where war driving turns into accessing someone else's network. As you will quickly discover, the capability to detect and log wireless networks using the ORiNOCO Client Manager is very limited; hence, additional capabilities are necessary. As mentioned previously, NetStumbler is one such product with more powerful features.
Now let's get NetStumbler up and running:

  • Install and configure your WNIC using the vendor-provided software.
  • Connect your GPS to your COM port (optional).
  • Launch NetStumbler and click the green Play button at the top of the window.

At this point you can start driving around various residential and business areas. Remember that wireless networks are becoming ubiquitous, so there really is no limit to where you can search. For example, several national hotel chains have open access points in their lobbies for guests to use. Similarly, national coffee shop chains and airports have MobileStar access points installed. If you have connected a GPS to your computer, you will also log the location where you found each access point. Researchers can then output this data to a map to help track the locations of the networks they have found.
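As an added example (not from the article and not NetStumbler's own code), the following Python shows what the GPS step involves under the hood: reading the NMEA $GPRMC sentences a serial GPS emits, verifying each sentence's checksum, keeping the most recent valid fix, and stamping an access-point sighting with it. The sentences, the coordinates and the sighting are constructed sample data; the field layout follows the standard RMC sentence (time, status, latitude, N/S, longitude, E/W, speed, course, date).

```python
def nmea_checksum(payload: str) -> int:
    """XOR of every character between the leading '$' and the '*'."""
    cs = 0
    for ch in payload:
        cs ^= ord(ch)
    return cs


def build_sentence(payload: str) -> str:
    """Append the checksum so a constructed test sentence is well formed."""
    return f"${payload}*{nmea_checksum(payload):02X}"


def nmea_to_degrees(value: str, hemisphere: str) -> float:
    """Convert NMEA 'ddmm.mmmm' / 'dddmm.mmmm' plus N/S/E/W into signed decimal degrees."""
    dot = value.index(".")
    degrees = int(value[:dot - 2])
    minutes = float(value[dot - 2:])
    result = degrees + minutes / 60.0
    return -result if hemisphere in ("S", "W") else result


def parse_rmc(sentence: str):
    """Parse one $GPRMC sentence. Returns a fix dict, None if the receiver reports
    no fix, and raises ValueError on a malformed or corrupted sentence."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("not an NMEA sentence")
    payload, _, tail = sentence[1:].partition("*")
    if int(tail[:2], 16) != nmea_checksum(payload):
        raise ValueError("checksum mismatch (serial noise or a truncated line)")
    f = payload.split(",")
    if f[0] not in ("GPRMC", "GNRMC"):
        raise ValueError(f"not an RMC sentence: {f[0]}")
    if len(f) < 10:
        raise ValueError("too few fields")
    if f[2] != "A":  # 'A' = valid fix, 'V' = receiver warning / no fix yet
        return None
    return {
        "utc_time": f[1],
        "utc_date": f[9],
        "lat": nmea_to_degrees(f[3], f[4]),
        "lon": nmea_to_degrees(f[5], f[6]),
        "speed_knots": float(f[7]) if f[7] else 0.0,
    }


def latest_fix(lines):
    """Walk a serial-port stream and keep the most recent valid fix, ignoring
    non-RMC sentences, corrupted lines and sentences that carry no fix."""
    fix = None
    for line in lines:
        try:
            parsed = parse_rmc(line)
        except ValueError:
            continue
        if parsed is not None:
            fix = parsed
    return fix


def geotag(ap: dict, fix) -> dict:
    """Attach the current fix to an access-point sighting; None when there is no fix."""
    tagged = dict(ap)
    tagged["lat"] = fix["lat"] if fix else None
    tagged["lon"] = fix["lon"] if fix else None
    tagged["utc_time"] = fix["utc_time"] if fix else None
    return tagged


if __name__ == "__main__":
    # Constructed serial stream: a GGA sentence (ignored), a valid fix, a no-fix
    # sentence flagged 'V', and a line corrupted in transit (checksum no longer matches).
    good = build_sentence("GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W")
    stream = [
        build_sentence("GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,"),
        good,
        build_sentence("GPRMC,123520,V,,,,,,,230394,,"),
        good.replace("4807.038", "48O7.038"),
    ]
    sighting = {"bssid": "00:02:2d:aa:bb:cc", "ssid": "zoolander", "wep": False}
    print(geotag(sighting, latest_fix(stream)))
```

Verifying the checksum matters more than it looks: a cheap serial link in a moving car drops characters, and a sighting tagged with a half-parsed coordinate is worse on the map than one tagged with no fix at all.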
Sometimes larger buildings, such as corporate headquarters, sit so far back on the property and are so large that even if you are using an external antenna, you will have a difficult time detecting the presence of the networks. In this type of situation, it's nice to have a handheld device such as the Compaq iPAQ with a wireless card in it. Using the iPAQ and a copy of miniStumbler (available from http://www.netstumbler.com), you can put the device in a jacket pocket and enter the building, walking through it floor by floor. As you are walking, miniStumbler is capturing the beacon frames from wireless networks that you might not be able to detect from the street. This is especially effective if you have access to the inside of a specific target office, say for a meeting or interview that you have previously scheduled. This method allows you to conceal the audit, and is a bit less distracting to your staff than walking around with a laptop and an antenna.

Think about the last time you saw somebody on an elevator or in a hallway working on a PDA. Did you guess that he might be war driving, or did you just assume he was checking to see when his next appointment was?

After you have gathered the information in NetStumbler or miniStumbler, you need to analyze and interpret the data.

War driving is performed by all sorts of people. The various war drivers we have met are not the types of people you might expect to be checking out your networks. Most would picture high school kids out on the weekend searching for networks to hack. Granted, these types of people are out there, but the vast majority are older professionals who war drive as part of their legitimate network auditing duties. Over the next few years, more security professionals will add war driving to their regular network maintenance schedule. Unfortunately, more attackers will likewise use this method to detect your wireless network. Thus, it pays to be prepared.

Now that we have found our target wireless network, the actual attack begins.
MiniStumbler is a very user-friendly wireless network scanner that listens for beacon signals coming from open and broadcasting WLANs. In addition, this program will provide a plethora of information that makes it very useful for both hackers and the security professionals. As you will see, MiniStumbler might be small, but it packs a load of power in its functionality. Installing MiniStumbler MiniStumbler is a basic one-file program that simply needs to be downloaded, unzipped, and placed in the My Documents sha...