Wireless hacking, or war driving, is possible because of inherent flaws in the 802.11 protocol. An 802.11b device will receive any signal that is within its broadcast range. This means that any network card within the 18 - 30 foot radius of a wireless access point will, in theory, be able to access the network that the access point is set up on. Currently there are a number of different methods of preventing access to a wireless network.
One is using Wireless Encryption Protocol, or WEP; as we will show in this article, this form of security is not the only answer. WEP encrypts the packets that the network sends out, so if a person does not have the specific WEP key then, in theory, they will be unable to access the data. Unfortunately, through enough analysis of air traffic the key can be guessed by certain software products. Another method is to use a RADIUS server, which acts like a domain controller for the wireless network. A combination of both of these security measures provides the tightest form of security.
The question you may be asking yourself is, "Why would someone want to do this?" The first and most innocent reason is simply to gain free Internet access. The second is to use your network as a jumping-off point to commit other computer crimes. Their identity will then be hidden behind your network, escaping prosecution.
Following are the tools that most computer criminals are using:
- airsnort
- Kismet
- scanchan
- arpping
Computer criminals will use these tools to break the encryption on your network and gain access to the network and its bandwidth. Here is where you can find copies of these tools.
- airsnort http://airsnort.shmoo.com/
- Kismet http://www.kismetwireless.net/
- scanchan http://team.vantronix.net/reyk/prism2/
- arpping http://busybox.net/cgi-bin/cvsweb/udhcp/?sortby=file#dirlist
Now, technically, you could try war driving at this moment. But you must remember that the distance a wireless LAN is capable of broadcasting is relatively short: approximately 18 feet to 30 feet with a normal consumer-grade product.
So, to increase the effectiveness of our audit policy, we will add an additional antenna to our wireless LAN card. Not every card available on the market is ready to have an external antenna attached, so some cards will require a bit of soldering and other modifications. To save yourself the trouble, try purchasing a card that has the capability of attaching an external antenna. Here is an additional resource for finding cards that fit this bill.
Go to: Seatlewireless.net
Now that you have one of these cards, you'll be able to purchase something called a "pigtail". This will allow you to connect the small, usually proprietary, connector on the card to an actual external antenna.
You may have heard the Internet rumors about building an antenna from a Pringles can. But that is not the best way to do it. A Pringles can was never meant to be an antenna, and the amount of metal it actually contains is not the best way to focus the wireless LAN frequency onto the antenna receptor. If you want the most effective method, just purchase an antenna from a local store. You can find this type of antenna at your local electronics store, usually a specialty store like RadioShack (not the best place to look, but the most common); the best bet would actually be a ham radio shop, but these are a rarity in some areas.
Now the question I usually get is, "Can I use my car's antenna?" The answer to that one is no: antennas are designed to capture the frequency of the signal they are designed for. For example, radio waves are long waves, which is why a radio antenna is a long, thin design. Wireless LAN waves are very tight and fast, so the antenna has to be thin and long. This also means that the wireless LAN antenna is a directional antenna, so you have to face the antenna towards the source.
Now let's begin tracking down rogue signals.
The first thing to do in any type of security audit is to take a look at the area that you're trying to secure. Is your area low to the ground, or is it in a skyscraper or other type of tall building? You need to take this into consideration because of the differences in the support structure of the building. Obviously, a skyscraper is going to have more steel in its support structure than a low building. Also, depending on what floor you're on, the actual range of your wireless LAN may not even reach the ground level. If you're in a low-lying structure, you will have more of an area to cover.
Let's start with a low-lying area wireless LAN audit first. Get your gear and hop into the car. An additional piece of equipment would be a DC power inverter; this will let you run your laptop off the car battery. First, drive the pattern of traffic frequently followed at the different times of day. This will establish the most common points that a criminal would use to access the network, so it is usually the first place I would try to pick up the signal from your wireless LAN.
Once you have the laptop up and running, start NetStumbler and crank up the sound card. As you drive around, you'll notice that NetStumbler will beep when it runs into a wireless LAN signal. The first thing you should take notice of is whether the wireless LAN signal is WEP encrypted. This will show up as a lock icon in NetStumbler, and it means that the wireless connection is not exactly open. If it shows up without a lock, the wireless LAN is completely open: a person could merely configure their wireless LAN card for DHCP and connect to the network. Now, some wireless LANs are not set up for DHCP. In this case the person would have to configure their card to use an unused IP. All that is needed to do that is a little bit of guesswork, which is a lot easier than you would think, especially since most networks use the normal private 192.168 network address scheme.
If the connection does have WEP enabled, then you can use AirSnort to collect WEP data; after about 1 GB of collected data the program will be able to break the encryption algorithm.
They would then take the resulting key and configure it for use by their NIC, which will allow them to access the encrypted network traffic.
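Once the drive is done, the survey has to be turned into an action list. The following is an added example, not code from the original article, that triages a constructed survey the way the audit above describes: it flags the administrator's own access points that were seen without a WEP lock, and every BSSID that is not in the administrator's inventory (a rogue, or a stranger's AP bleeding into the area). The record layout, the sample survey and the inventory are all assumptions made up for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    bssid: str        # the access point's own MAC address
    channel: int
    wep: bool         # True when the survey showed the lock icon
    signal_dbm: int

# Constructed survey, as you might note it down while driving the routes
# described above. Values are made up for this example.
SURVEY = [
    AccessPoint("corp-lan", "00:02:2d:11:22:33", 6, True, -58),
    AccessPoint("corp-lan", "00:02:2d:11:22:34", 11, False, -71),
    AccessPoint("linksys", "00:06:25:aa:bb:cc", 6, False, -49),
    AccessPoint("corp-lan", "00:0c:41:de:ad:01", 1, False, -63),
]

# BSSIDs the administrator actually deployed (constructed inventory).
AUTHORIZED_BSSIDS = {"00:02:2d:11:22:33", "00:02:2d:11:22:34"}

def triage(survey, authorized):
    """Split a survey into (open_aps, rogue_aps).

    open_aps:  our own access points seen without WEP, i.e. misconfigured.
    rogue_aps: BSSIDs we never deployed. One advertising our SSID is the
               most suspicious, so those sort first, then by signal strength.
    """
    authorized = {b.lower() for b in authorized}
    our_ssids = {ap.ssid for ap in survey if ap.bssid.lower() in authorized}
    open_aps = [ap for ap in survey
                if ap.bssid.lower() in authorized and not ap.wep]
    rogue_aps = sorted(
        (ap for ap in survey if ap.bssid.lower() not in authorized),
        key=lambda ap: (ap.ssid not in our_ssids, -ap.signal_dbm))
    return open_aps, rogue_aps

if __name__ == "__main__":
    open_aps, rogue_aps = triage(SURVEY, AUTHORIZED_BSSIDS)
    for ap in open_aps:
        print(f"OPEN  {ap.bssid} '{ap.ssid}' ch{ap.channel}: no WEP key set")
    for ap in rogue_aps:
        print(f"ROGUE {ap.bssid} '{ap.ssid}' ch{ap.channel} {ap.signal_dbm} dBm")
```

An unknown BSSID that broadcasts your own SSID is the case to walk down first, since it can capture your users' traffic even when your real access points are configured correctly.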
Now, criminals use a multitude of methods to prevent administrators from noticing them on the network. One way is to set up a firewall on the laptop which has all of the incoming ports blocked. This prevents their machine from showing up on a network scan, especially if the scan uses ping to determine whether there is a computer answering at that IP address. Most good scanning software can scan a network without using ping; this merely causes the scan to take an extreme amount of time. But a good network administrator should always supplement their normal scanning routine with a non-ping-based solution and
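One non-ping-based check, as an added example that is not from the original article: a laptop that blocks every inbound port still has to answer ARP for the address it is using, so once it has exchanged any traffic with the gateway it appears in the gateway's ARP cache whether or not it answers ping. The code below reads an ARP table in the format of Linux /proc/net/arp and reports hosts on the private 192.168 segment whose MAC address is not in the administrator's asset inventory; the table text and the inventory are constructed for this example.

```python
import ipaddress

# Constructed asset inventory: MAC address -> what it is.
KNOWN_MACS = {
    "00:02:2d:11:22:33": "wireless-ap",
    "00:50:56:aa:00:01": "file-server",
    "00:50:56:aa:00:02": "print-server",
}

# Constructed ARP cache in /proc/net/arp layout. The 0x0 flags entry is an
# address that was asked for but never answered, so it is not a live host.
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:50:56:aa:00:01     *        eth0
192.168.1.2      0x1         0x2         00:50:56:aa:00:02     *        eth0
192.168.1.10     0x1         0x2         00:02:2d:11:22:33     *        wlan0
192.168.1.57     0x1         0x2         00:0c:f1:9e:77:10     *        wlan0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

def unknown_hosts(arp_text, known, network="192.168.1.0/24"):
    """Return [(ip, mac, iface)] for completed ARP entries inside `network`
    whose MAC is not in the inventory. Entries without the 0x2 (complete)
    flag carry no evidence of a host and are skipped."""
    net = ipaddress.ip_network(network)
    found = []
    for line in arp_text.splitlines()[1:]:       # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, iface = fields[:6]
        if int(flags, 16) & 0x2 == 0:            # incomplete entry
            continue
        if ipaddress.ip_address(ip) not in net:
            continue
        if mac.lower() not in known:
            found.append((ip, mac.lower(), iface))
    return found

if __name__ == "__main__":
    for ip, mac, iface in unknown_hosts(ARP_TABLE, KNOWN_MACS):
        print(f"unknown host {ip} ({mac}) seen on {iface}")
```

The same comparison against the inventory works on the access point's DHCP lease table, which catches the DHCP case described above at the moment the lease is handed out.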
I hope all of this information helped you out. I am in no way an experienced columnist, so please excuse the inevitable bad grammar and run-on sentences. If you have any questions, feel free to contact me.
Blake Wiedman
gso.gsecur @ gmail.com