WarDriving v2.0
The concept of "wardriving" is simple: You need a device capable of receiving an 802.11b signal, a device capable of locating itself on a map, and software that will log data from the second when a network is detected by the first.
You then move these devices from place to place, letting them do their job. Over time, you build up a database comprised of the network name, signal strength, location, and IP/namespace in use. You may even log packet samples and probe the access point for data available via SNMP.
Peter Shipley has popularized the concept of "wardriving" through his current research. SecurityFocus has posted a commentary on the project.
Shipley's work relies on relatively bulky devices such as notebook computers and external GPS devices. There's really no need to use such obvious devices, however. The technology exists today to build an easily-concealable device that can be used in wardriving, war-strolling, and similar exercises in which a person might wonder what's buzzing around her head in the 2.4GHz range.
The solution I propose exists today, and could be put together for just over US$1,000. It consists of:
- $199.95 -- A Compaq 3150 iPaq handheld Windows CE device
- $229.95 -- A Compaq iPaq dual PC Card expansion sleeve
- $499.95 -- A PCMCIA-based GPS solution with optional antenna
- $159.95 -- An Orinoco Gold PCMCIA card
- $55.00 -- A MIG24WAVE flat external antenna for the gold card
Total cost: $1144.80.
Of course, I didn't try to find the lowest price on any of these items, and the GPS solution I included is one of the more expensive ones. If you wish, you could opt for a serial-based GPS solution (~$100-200) and the single-slot PCMCIA sleeve (~$100), and find a better price on the WaveLAN card, bringing the total down to around $700. Alternatively, you can dispose of the GPS altogether at the cost of losing location information. You could also opt for the superior Cisco Aironet cards; specifically, the Cisco AIR-LMC352, if you can find it. There's a version of the external antenna listed above that fits these cards as well.
UPDATE!
I've actually had this equipment lying around for a while, but I haven't had time to take pictures of it. Below are three photos of my current setup: A Compaq iPaq 3650 running Familiar Linux, a Pharos GPS, a dual PCMCIA sleeve, a Lucent WaveLAN Gold PCMCIA 802.11b card, a MIG24WAVE antenna, and a CMS 2GB PCMCIA hard drive (I'm working on doing WEP cracking using this setup now).
First, the components:
| Component | Price |
|---|---|
| CMS 2GB hard drive | USD$329.00 |
| Compaq dual PCMCIA sleeve | USD$214.95 |
| Pharos GPS | USD$249.95 |
| iPaq 3650 | USD$399.95 |
| MIG24WAVE | USD$55.00 |
| TOTAL | $1248.85 |
And now, everything put together:
Finally, a side view (the dual PCMCIA sleeve is a bit thick):
Here are a few pictures of my just-completed homebrew Yagi:
The overall length is 36", and is built with 1/4-wave elements:
Here's a close-up of the actual antenna elements and the end cap they're attached to. I used nail polish to fix the nuts in place:
Update: I've received several requests for instructions to build this antenna. I don't have any instructions written up, but I used this page and this page as references for the construction.
In a week or so I'll have a separate page up detailing the construction and performance of this puppy.
I'll also be posting pictures of my other two warstrolling rigs: My Libretto 50ct running OpenBSD, and my developer's version Sharp Zaurus running Embedix Linux. I should be bringing all of these to RubiCon 2002 for my talk on Warstrolling.
Together with some quickly cobbled-together software either native to the WinCE environment, or written for one of the variants of Linux that now run on the iPaq handheld, you can accomplish everything Peter Shipley has to date, and more. Even better, you'd achieve penetration Peter can't, because Peter isn't allowed to drive his Saturn into building lobbies, meeting rooms, hallways, common areas, and so forth.
Note: The Lucent card cannot run in 802.11b promiscuous mode with firmware rev. 6.04 or above. However, it is known that the Cisco Aironet 340 and the Symbol Technologies Spectrum24 Model 4121 will run in promiscuous mode, and can be used in the manner described above. Earlier firmware revisions on the Lucent cards should allow for 802.11b promiscuous mode operation.
August 14, 2001:
Until I've completed work on the platform described above, I've been playing around with an old Libretto 50CT of mine running OpenBSD 2.9, along with an old Lucent WaveLAN Gold card (4.x firmware). I was trying to use the approach in the code below with the Cisco 352 card, but ancontrol doesn't work the same way wicontrol does, and the an driver doesn't seem as willing to "roam" as the wi driver is. Of course, my ultimate goal is to just grab the encapsulated 802.11 beacons; as I said, it's a work-in-progress.
Anyway, this afternoon I decided to log traffic on my drive home from work. I did this without any external antenna; I merely put the Libretto on my dash and headed home. Now, I want to point out that I live extremely close to my office. The distance is just a bit over 2 miles -- total drive time, about 5 minutes. The route is outlined in red on the map.
Granted, I do live in the heart of Silicon Valley, and I regularly drive past companies like NAI, Nortel, Transmeta, Intel, and Cisco even on this short stretch of road. Still, I was a bit surprised by the results: 10 802.11b networks (including the one at my home and the other at my office). Even more surprising is the fact that 3 of them use no WEP whatsoever. If you exclude the two networks over which I have control, almost half of the networks I saw were wide open...and one of them belongs to a well-known security company. Here is the raw data, excluding my work and home networks (note: The 4th entry has an obscured SSID. I did this because the SSID names the company controlling the network):
| SSID | MAC | WEP? |
|---|---|---|
| tsunami | 00:40:96:33:e5:d5 | N |
| MHW | 00:04:5a:d1:65:bd | Y |
| nglan | 00:30:ab:06:53:3d | N |
| `*o*t*lSurfer` | 00:20:d8:01:50:99 | Y |
| EPIC_CH1 | 00:40:96:25:84:8d | Y |
| kazoo | 00:02:2d:0f:cb:2e | N |
| Yosemite | 00:50:18:06:fd:16 | Y |
| Points West | 00:60:1d:21:8d:67 | Y |
August 15, 2001:
Well, I decided to take a slightly different route to work this morning (outlined in green on the map to the left). This is the second of three possible routes I can take to get to work, without taking deliberate detours through unnecessary side streets. This particular trip took me through mostly residential areas, with some commercial build-up (Sun, Level 3, Intel, Cisco, etc.).
Again, I was surprised by my findings: 8 802.11b networks, including 5 which were not seen yesterday. Of those 5 new networks, 4 of them are accessible without WEP. I used the same method and code I used yesterday afternoon: Libretto on the dash of my car, no external antenna, and normal driving speed (around 40-50 MPH). Below is the raw data. Notice that on this run, I found two networks -- avalon and default -- which are operating in "mixed" mode, allowing association with or without WEP:
| SSID | MAC | WEP? |
|---|---|---|
| Points West | 00:60:1d:21:8d:67 | Y |
| Yosemite | 00:50:18:06:fd:16 | Y |
| kazoo | 00:02:2d:0f:cb:2e | N |
| avalon | 00:90:4b:08:20:25 | Y |
| avalon | 00:90:4b:08:20:25 | N |
| default | 00:90:4b:08:51:d2 | Y |
| default | 00:90:4b:08:51:d2 | N |
| linksys | 00:04:5a:0f:0f:c4 | N |
| jhagel | 00:90:4b:08:52:c1 | Y |
| f10ff4AnaNet | 00:60:1d:f1:0f:f4 | N |
August 15, 2001 (afternoon):
I took a third route home today, illustrated on the map to the left, outlined in blue. I cheated in the last block, and detoured around a side street so I could approach my abode from the opposite direction. This trip took me right past Intel, Sun, Cisco, and more residential areas, and put me on an expressway for a few minutes. Once again, I'm shocked by the results (you'd think I'd expect this by now, wouldn't you?): I found seven new 802.11b networks (as well as 5 that I'd seen in the previous two trips), and this time they were all accessible without using WEP.
Notice that there are several networks that haven't bothered to change their SSID from the preset "default" string, and that some guy named Mark is advertising his existence as well as the hardware he's using. The preset strings really bother me, because most access points are SNMP-manageable, and some have default SNMP private community keys as well. All an attacker would need to do is use the OUI database to identify the manufacturer based on the MAC address, and then find a manual for the product. With this information, one could not only make use of an open access point, one could take it over, locking out the legitimate users.
| SSID | MAC | WEP? |
|---|---|---|
| MHW | 00:04:5a:d1:65:bd | Y |
| demolab | 00:20:d8:01:72:bd | N |
| default | 00:90:d1:00:f8:35 | N |
| sliders | 00:40:96:35:1d:0f | N |
| default | 00:90:4b:08:51:d2 | Y |
| default | 00:90:4b:08:51:d2 | N |
| Mark's AirPort | 00:60:1d:1e:4f:fa | N |
| tsunami | 00:40:96:25:98:83 | N |
| default | 00:40:05:de:25:23 | Y |
| default | 00:40:05:de:25:23 | N |
| tsunami | 00:40:96:46:9d:6c | N |
| avalon | 00:90:4b:08:20:25 | N |
| kazoo | 00:02:2d:0f:cb:2e | N |
| Yosemite | 00:50:18:06:fd:16 | Y |
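The three tables above are read by hand for open networks, preset SSIDs and "mixed mode" BSSIDs. Here is an added example (not the page's own code) that does that audit over a log written in the page's "SSID MAC WEP?" layout and also lists BSSIDs new since an earlier run; the sample log, the earlier run and the list of preset SSIDs are constructed for this example.

```python
# Added example: audit a survey log in the page's "SSID MAC WEP?" layout.
from collections import defaultdict

# Constructed sample in the page's layout (a subset of the Aug 15 evening run).
SAMPLE_LOG = """\
SSID MAC WEP?
------------------------------------------
demolab 00:20:d8:01:72:bd N
default 00:90:d1:00:f8:35 N
default 00:90:4b:08:51:d2 Y
default 00:90:4b:08:51:d2 N
Mark's AirPort 00:60:1d:1e:4f:fa N
Yosemite 00:50:18:06:fd:16 Y
"""
EARLIER_LOG = "SSID MAC WEP?\nYosemite 00:50:18:06:fd:16 Y\n"  # constructed prior run

# SSIDs treated as factory presets; constructed list, extend it for your own audit.
DEFAULT_SSIDS = {"default", "linksys", "tsunami", "wireless"}

def parse_log(text):
    """Return [(ssid, mac, wep)]; SSIDs may contain spaces, so split from the right."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("SSID ") or line.startswith("---"):
            continue
        ssid, mac, wep = line.rsplit(None, 2)
        rows.append((ssid, mac.lower(), wep.upper() == "Y"))
    return rows

def audit(rows):
    """Per-BSSID risk indicators: beacons without WEP, mixed mode, preset SSID."""
    seen = defaultdict(set)  # mac -> {(ssid, wep), ...}
    for ssid, mac, wep in rows:
        seen[mac].add((ssid, wep))
    report = {}
    for mac, obs in seen.items():
        ssids = {s for s, _ in obs}
        weps = {w for _, w in obs}
        report[mac] = {
            "ssid": sorted(ssids)[0],
            "open": False in weps,                  # seen associating without WEP
            "mixed": weps == {True, False},         # same BSSID both with and without WEP
            "default_ssid": any(s.lower() in DEFAULT_SSIDS for s in ssids),
        }
    return report

def new_since(earlier_rows, rows):
    """BSSIDs present in this run but not in the earlier one."""
    return {m for _, m, _ in rows} - {m for _, m, _ in earlier_rows}
```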
I'd like to point out a few things about the code I'm using. It does not currently log latitude/longitude, since I've yet to bother attaching a GPS. It does not discover via packet capture any information about network topology or naming conventions; that's high on my list of things to play with. It does not check for DHCP servers; again, this is high on my list of things to add. Finally, it does not check to see if MAC-based access control is in place.
The point I'm trying to communicate by saying all that is this: Just because I can see these networks does not necessarily imply that I can use these networks; I haven't collected the data necessary to make that determination. 802.11b beacon frames are available regardless of the protections put in place on the network, and the code I'm using is a crude method of getting at the data in those frames. When I'm done with my work, I'll make available code that collects data directly from the beacon frames themselves, and pairs that information with the data I listed as necessary above. With that information in hand, it will be possible to build a list of 802.11b access points that are not only visible, but actually useable by passersby with little or no effort. This will more accurately reflect the security risks of each network.
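The beacon fields the paragraph above refers to, as an added example that is not the author's code: a parser for a raw 802.11 management frame that pulls the BSSID, SSID, channel and the Privacy capability bit (the "WEP?" column in the tables above) out of a beacon, and renders one frame as a row in the page's table layout, treating a zero-length SSID element as a hidden network. The sample frame is constructed for this example and reuses the page's "default" BSSID.

```python
# Added example: extract SSID, BSSID, channel and the Privacy bit from a raw 802.11 beacon.
import struct

# Constructed sample beacon (no radiotap/prism header); BSSID taken from the page's tables.
SAMPLE_BEACON = bytes.fromhex(
    "8000" "0000"            # frame control: type mgmt, subtype beacon; duration
    "ffffffffffff"           # addr1: broadcast destination
    "00904b0851d2"           # addr2: source
    "00904b0851d2"           # addr3: BSSID
    "0000"                   # sequence control
    "0000000000000000"       # timestamp (8 bytes)
    "6400"                   # beacon interval: 100 TU
    "1100"                   # capability info: ESS | Privacy (WEP required)
    "000764656661756c74"     # IE 0: SSID "default"
    "010482848b96"           # IE 1: supported rates 1/2/5.5/11 Mbps
    "030106"                 # IE 3: DS parameter set, channel 6
)

def parse_beacon(frame):
    """Return bssid, ssid, channel, interval and privacy flag; raise on non-beacons."""
    if len(frame) < 36:                       # 24-byte header + 12 bytes of fixed fields
        raise ValueError("frame too short for a beacon")
    fc = frame[0]
    if (fc & 0x0C) != 0x00 or (fc >> 4) != 0x08:   # type 0 (management), subtype 8 (beacon)
        raise ValueError("not a beacon frame")
    bssid = ":".join("%02x" % b for b in frame[16:22])
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, 24)
    info = {"bssid": bssid, "interval_tu": interval,
            "privacy": bool(capability & 0x0010),   # bit 4 = Privacy (WEP) in 802.11-1999
            "ssid": None, "channel": None}
    pos = 36
    while pos + 2 <= len(frame):                    # walk the tagged information elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                                   # truncated element: stop, do not guess
        if tag == 0:
            info["ssid"] = value.decode("utf-8", "replace")
        elif tag == 3 and length == 1:
            info["channel"] = value[0]
        pos += 2 + length
    return info

def survey_row(frame):
    """One beacon in the page's table layout: (SSID, BSSID, WEP?)."""
    info = parse_beacon(frame)
    ssid = info["ssid"] or "<hidden>"   # zero-length SSID element = cloaked network
    return ssid, info["bssid"], "Y" if info["privacy"] else "N"
```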
In the coming days, I am going to attach a GPS and try Shipley's code, so I can more accurately pinpoint the systems I'm observing. The one drawback to this with the Libretto is that I'll be forced to use the docking adapter, which increases the size of my current platform. Without a GPS, I can carry the entire Libretto running the sniffing software in a vest pocket or pants pocket, if the pocket is large enough.
Known 802.11b vulnerabilities:
- WEP key reuse allowing for brute-force attacks and known plaintext attacks
- Spoofing of MAC when MAC-level access control is in use
- Certain access points have poor control over the SNMP private community string
- 802.11b beacon broadcasts SSID, making access control via SSID moot
- WEP has been cracked in its entirety; it is now possible to recover the keys used to encrypt the cipher streams. (See wepcrack and airsnort for code that implements the WEP attack detailed in the Fluhrer, Mantin, and Shamir paper. PostScript version available here.)
- Links to a number of papers about 802.11 security vulnerabilities
Code and links:
- Defect.org has cobbled together a program called sniff, which will allow an iPaq running Familiar (or another ARM-based Linux port) to collect information from beacon packets on the fly.
- Peter Shipley's BSD-based perl code for sniffing (which uses the FreeBSD port of this perl-based Garmin GPS reader)
- Shell script I used above, taken from this site.
- wardriving.com
- NetStumbler
- Lucent/Orinoco WaveLAN firmware v4.51
- Lucent/Orinoco WaveLAN drivers v4.01