WiFi Beginner's section, a thread for starting wardrivers

Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

WiFi Beginner's section, a thread for starting wardrivers

Post by DNR »

This topic has been UPDATED by Topic #7801 "Wardriving 2009" by DNR.

Various sources were used to compile this.
WiFi Signal strength facts

When searching for a wireless card, people often want to find one with the best range. Most often, this decision is solely limited to the transmit power of the card. While transmit power is one factor in determining range, there are others that ought to be considered when determining overall range.

As 802.11b/g uses 2.4 GHz, which operates like any other radio frequency signal, we can use the basics of RF signal propagation to determine range. There are five basic components which affect signal propagation:

*Transmit power
*Transmit antenna gain
*Frequency and distance (path loss)
*Receiving antenna gain
*Receiver sensitivity

There are other factors which affect signal loss as well: cable losses, RF-opaque materials in the signal path, etc.

Because wireless communication is a two-way process, we may also have to include the same five factors in reverse. While 'transmit power' referred to your wireless card, on the return trip 'transmit power' refers to the access point. Likewise, 'receiver sensitivity' would refer to your card as opposed to the access point, and so on.

The point of this post is to demonstrate that your 250mw or 300mw or 600mw card may have significant power out, but that is only one of the factors that determine range.

This is meant to be a very basic primer in wireless ranging. There are very detailed range equations out there. If you're interested, Google "Friis transmission equation" and go from there.
Environmental conditions have a serious effect on propagation too.

During the early morning or very late at night propagation is at its best and attenuation is at its lowest; damp and humid conditions help the signal propagate even further.

If you get intermittent connectivity with an AP during the day, try again at night or in the morning and chances are you will get a workable signal. If the air is damp or the ground is wet, maybe due to rain or dew, then you further your chances even more of getting a workable signal. Attenuation can be reduced by up to 45% on a damp cold morning/night.

If it is a dry hot day and you are in a busy area then anything up to +60% attenuation is possible.

(Although this does still apply somewhat if the AP is in your own house, it obviously applies more if the AP you are trying to associate with is in another building or similar)

Just because you can receive a signal from an AP does not mean you can send to it, as APs usually have a lot more range than a wireless adaptor.

Wireshark PDF, a good tut for learning about wifi technology too.


WiFi Tools video tut

http://www.irongeek.com/i.php?page=vide ... mode=print

Other Wifi Tools, quick list

Most serious hackers and network auditors use the open-source operating system Linux as the platform from which they launch attacks and perform analysis. This section highlights some of the more popular tools, mostly Linux, that can be used to search out and hack wireless networks.

The home page for the free cracking application, AirSnort, plainly states, "AirSnort is a wireless LAN (WLAN) tool which recovers encryption keys." AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. In even more simplistic terms, AirSnort is a program that listens to the wireless radio transmissions of a network and gathers them into a meaningful manner. After enough time has passed (sometimes in a matter of hours) and data are gathered, analytical tools process the data until the network security is broken. At that point everything that crosses the network can be read in plain text.

The authors of this fully functional encryption-cracking tool have maintained from the first days of release it would expose the true threats of WEP encryption. Jeremy Bruestle, one of two lead programmers for the project, has truly recognized the inherent dangers of WEP. He states during an interview in 2001, “It is not obvious to the layman or the average administrator how vulnerable 802.11b is to attack. It's too easy to trust WEP.” AirSnort is not the only open-source tool used for wireless cracking but the first publicly recognized freeware to put the power of an intellectually skilled-criminal into the hands of a neighbor, who just got the cheapest deal from the local ISP.

WEPcrack, developed simultaneously with AirSnort, is another wireless network cracking tool. It too exploits the vulnerabilities in the RC4 algorithm, which comprises the WEP security parameters. While WEPcrack is a complete cracking tool, it is actually comprised of three different hacking applications, all of which are written in Perl. The first, WeakIVGen, allows a user to emulate the encryption output of 802.11 networks to weaken the secret key used to encrypt the network traffic. Prism-getIV is the second application; it analyzes packets of information until ultimately matching patterns to the one known to decrypt the secret key. Thirdly, the WEPcrack application pulls the two other beneficial data outputs together to decipher the network encryption.

Kismet is an extremely useful tool that supports more of an intrusion detection approach to the wireless security. However, Kismet can be used to detect and analyze access points within range of the computer on which it is installed. Among many other things, the software will report the SSID of the access point, whether or not it is using WEP, which channels are being used, and the range of IP addresses employed. Other useful features of Kismet include de-cloaking of hidden wireless networks, and graphical mapping of networks using GPS integration.

Ethereal is a pre-production network capturing utility. Currently capable of identifying and analyzing 530 different network protocols, Ethereal can pose a substantial threat through the discovery and detection of any network communication. One of many network analyzers, this application arguably does the most comprehensive job of seeing and recognizing everything that goes by its sensor.

Known as a packet injection/reception tool, Airjack is an 802.11 device driver designed to be used with a Prism network card (mainly Linux hardware). Other names include wlan-jack, essid-jack, monkey-jack, and kracker-jack. This tool was originally used as a development tool for wireless applications and drivers to capture, inject, or receive packets as they are transmitted. It's a fundamental tool used in DoS attacks and Man-in-the-Middle attacks. Its capabilities include being able to inject data packets into a network to wreak havoc on the connections between wireless nodes and their current access point. A common hacking use for this tool is to kick everyone off of an access point immediately, and keep them logged off for as long as you like. Without Layer-1, frame-level authentication on all 802.11a/b/g networks, a computer running Airjack would passively assume the identity of an access point and then, once inside the channel of communication between node and AP, Airjack would begin sending disassociate or deauthenticate frames sequentially at a high rate. The users' network cards interpret this as their AP and they drop their connection.

HostAP is really nothing more than a firmware for Prism cards to act as an access point in any environment. With multiple scanning, broadcasting, and management options, HostAP can lure disconnected clients into a connection with the HostAP user’s computer and engage into whatever activities suitable to that situation. This is a very common tool used with growing compatibility where it will be ubiquitous with any Open Source OS in the near future.

Dweputils is not one application but a set of applications that together comprise a larger threat to wireless networks of any character. Dweputils is a set of utilities that can completely inspect and lock down any WEP network. Dwepdump is a packet-gathering tool, which provides the ability to collect WEP-encrypted packets. Dwepcrack then gives you the power to deduce WEP keys with a variety of frequently employed techniques. Finally dwepkeygen, a 40-bit key generator, can create keys that aren't susceptible to the Tim Newsham 221 attack, with a variable-length seed.

AirSnarf is an access point spoofing tool based on the simplest way to dupe users into handing over their sensitive information to rogue hackers. Quite simply, this application mimics a legitimate access point. The method of attack is broken down into recreating an identical logon web page that would normally be displayed by the AP. The user is bumped off the network and forced to re-login, or is caught before they log in the first time. The simple trick convinces them into voluntarily sending their login information to the hacker, who can then use it at their disposal. It is extremely simple yet effective.

All the details of the AP connection are legitimate to the unsuspecting user within their network configuration. They never realize this has happened in some cases as you then authenticate them to the network and allow them to pass through your computer.

NetStumbler is the primary tool available for Windows users to detect 802.11 networks. It does not have any cracking tools inherent in the software package but can be used in conjunction with numerous other tools to find and hack a wireless network. NetStumbler is perhaps the least dangerous application discussed here, but the first challenge of any hack is finding where and what you are hacking.

Also referred to as the "aRe yoU There" network tool, THC-RUT combines detection, spoofing, masking, and cracking into the same tool. Many see it as the "first knife used on a foreign network", boasting its brute-force all-in-one capabilities. Resources in the tool include spoofing Dynamic Host Configuration Protocol (DHCP), Reverse Address Resolution Protocol (RARP), and Bootstrap Protocol (BOOTP) requests.

Hotspotter is another rogue access point tool that can mimic any access point, dupe users into connecting, and authenticate them with the hacker's tool. This, again, is done with a deauthenticate frame sent to a MS Windows XP user's computer that would cause the victim's wireless connection to be switched to a non-preferred connection, AKA a rogue AP. This sort of trick is a passive approach that seeks to identify the probe frame sent by any Windows XP machine looking for its preferred network, which contains exploitable information.

LEAP stands for Lightweight Extensible Authentication Protocol, which is intellectual property of Cisco Systems, Inc. This is a broadly used protocol for authentication on Cisco access points, with inherent weaknesses. ASLEAP is able to use hashing algorithms to create brute-force attacks to recover passwords, and actively deauthenticate users from the AP, making them reauthenticate quickly to expedite the process of hacking. This is another tool in the arsenal of hackers with an ever-shrinking learning curve.

IKECrack is an open source IKE/IPSec authentication crack tool. It uses brute force dictionary based attacks searching for password and key combinations to Pre-Shared-Key (PSK) authentication networks. With repetitive attempts at authentication with random passphrases or keys this crack tool undermines the latest WiFi security protocol.

Just as it’s important to know how to utilize the aforementioned tools, it is important to know best practices on how to secure your Wireless Network Against these tools.

NetStumbler – Do not broadcast your SSID. Ensure your WLAN is protected by using advanced Authentication and Encryption.

Kismet – There's really nothing you can do to stop Kismet from finding your WLAN, so ensure your WLAN is protected by using advanced Authentication and Encryption.

Airsnort – Use a 128-bit, not a 40-bit WEP encryption key. This would take longer to crack. If your equipment supports it, use WPA or WPA2 instead of WEP (may require firmware or software update).

Cowpatty – Use a long and complex WPA Pre-Shared Key. This type of key would have less of a chance of residing in a dictionary file that would be used to try and guess your key and/or would take longer. If in a corporate scenario, don’t use WPA with Pre-Shared Key, use a good EAP type to protect the authentication and limit the amount of incorrect guesses that would take place before the account is locked-out. If using certificate-like functionality, it could also validate the remote system trying to gain access to the WLAN and not allow a rogue system access.

ASLeap – Use long and complex credentials, or better yet, switch to EAP-FAST or a different EAP type.

Ethereal – Use encryption, so that anything sniffed would be difficult or nearly impossible to break. WPA2, which uses AES, is essentially unrealistic to break by a normal hacker. Even WEP will encrypt the data. When in a Public Wireless Hotspot (which generally do not offer encryption), use application layer encryption, like Simplite to encrypt your IM sessions, or use SSL. For corporate users, use IPSec VPN with split-tunneling disabled. This will force all traffic leaving the machine through an encrypted tunnel that would be encrypted with DES, 3DES or AES.

Daniel V. Hoffman, CISSP, CWNA

Injecting into 802.11b network protocol

At Defcon 12 this year my cow-orkers and I brought along a little piece of code called "airpwn." Airpwn is a platform for injection of application-layer data on an 802.11b network. Although the potential for evil is very high with this tool, we decided to demonstrate it (and give it its first real field trial) on something nasty, but harmless (compared to, say, wiping your hard drive).

Over the course of defcon, we fielded 7 different airpwn configurations to see how well it worked, and of course to watch as 31337 h4x0rz got goatse up in their mug. The configurations were:

HTTP goatse, 100% of the screen
HTTP goatse replacing all images
HTTP goatse as the page background via CSS
HTTP tubgirl replacing all images
HTTP "owned" graphic, replacing all images (eventually I felt bad about all the ass pictures)
HTTP javascript alert boxes, letting people know just how pwned they were
FTP banners (while this worked, nobody pays attention to FTP banners so we abandoned this quickly)

How does it work?
airpwn requires two 802.11b interfaces, one for listening, and another for injecting. It uses a config file with multiple config sections to respond to specific data packets with arbitrary content. For example, in the HTML goatse example, we look for any TCP data packets starting with "GET" or "POST" and respond with a valid server response including a reference to the canonical goatse image. Here's the configuration file used for this mode:

begin goatse_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response content/goatse_html

and here is the content that we return when the match is triggered:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html

<html><head><title>pwned</title></head><body><h1>OPEN YOUR MIND -- TO
THE ANUS!!</h1><img src='http://goat.cx/hello.jpg' width='100%' height='100%'>

Each of the 7 modes mentioned previously varied in the configuration and content returned. In each case the poor user of the web browser was left feeling disgusted, afraid and/or confused. While I was busy operating airpwn at the laptop, my accomplices wandered the show-floor taking pictures and the occasional video of our victims. Links to our victims are at the top of the page.
In all honesty, the reaction to airpwn wasn't exactly what I had expected. When I was writing the code, I imagined that the second I turned airpwn on we'd hear immediate groans of disgust radiating out at the speed of light. In practice, airpwn's effect was simultaneously more private, and more full of personal drama. First off, the full-screen goatse seemed to be too powerful. The second it flashed on the screen, the savvy user would have the browser closed already. This made it incredibly difficult to actually catch the victims on film. Based on the logs generated by airpwn we would be hitting multiple people per second, but finding someone with goatse up on their screen was still a bit of a challenge. Once we did find a victim, the results were pretty hilarious. I had tears rolling down my cheeks on multiple occasions. The typical goatse reaction went something like this:

Open browser, see goatse, jump backwards a little
quickly close browser, take a breath
open browser, see goatse, close browser (faster this time)
scratch head, quit browser process, re-launch browser
see page indicating that goatse will load soon (page header, etc.) immediately close browser.
open up browser preferences, click all the tabs, look for the "no goatse" checkbox
clear the browser cache
open browser, see goatse, close browser
open network preferences, click on all the tabs, look for the "no goatse" checkbox.
disconnect from network, re-associate
open browser, see goatse, close browser
At this point, the less l33t people would generally give up and either 1) do something else or 2) look deep into goatse's anus with a 10-yard stare.. The more l33t victims would launch ethereal and try to figure out what was going on.. Eventually they would mumble something about "rogue APs" (WRONG!) or ARP poisoning (WRONG!) or DNS poisoning (WRONG!) and do something else..
After a few hours, it quickly became apparent that the image replacement mode was the only mode that would be sustainable for long periods of time. The full-screen goatse amounted to a complete DoS of HTTP, which was just plain rude. The javascript injection (with dialog boxes talking about the victim being pwned) was by far the most disruptive. Most people (quite sanely) immediately turned off their laptops or whipped out ethereal in full COUNTERHACK mode. The goatse image mode was disruptive enough to be fully fucking hilarious, yet still left HTTP enough alone to be usable. I guess image-maps were the only things we truly broke with that mode (hint: click the anus!)

Overall, airpwn was just about the only reason why defcon was amusing this year.. Without airpwn I think I would have been mostly asleep and would have just IRCed the entire time.. If you want to play with airpwn yourself, an early alpha has been posted to sourceforge..



Making a Cantenna
good tut with illus.

http://www.wardrivingonline.com/equipme ... ntenna.htm


This is a Thread for new wifi neos and wardrivers. Stay on topic.

Last edited by DNR on 05 Oct 2009, 14:58, edited 2 times in total.
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
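The five-component range argument above (transmit power, antenna gains, path loss, receiver sensitivity, plus cable loss) is exactly a link budget, and the Friis free-space path loss the post points to is the one equation it needs. The following is an added example, not code from the original post or from any of the tools it lists. It evaluates both directions of the link, as the "two-way process" paragraph asks, so the reader can see why a high-power card alone does not fix range. All radio parameters (600 mW card, 100 mW AP, the gains, losses and sensitivities) are constructed values for illustration; the formula constant 27.55 is for distance in metres and frequency in MHz.

```python
import math
from dataclasses import dataclass


@dataclass
class Radio:
    """One end of the link. All values below are constructed for illustration."""
    name: str
    tx_power_dbm: float        # transmit power
    antenna_gain_dbi: float    # antenna gain, used for both transmit and receive
    cable_loss_db: float       # feedline/connector loss between radio and antenna
    rx_sensitivity_dbm: float  # weakest signal the receiver can still decode


def mw_to_dbm(milliwatts: float) -> float:
    """Convert transmit power in mW to dBm (250 mW -> ~24 dBm, 600 mW -> ~27.8 dBm)."""
    return 10.0 * math.log10(milliwatts)


def fspl_db(distance_m: float, freq_mhz: float) -> float:
    """Free-space path loss from the Friis equation, in dB.

    20*log10(d[m]) + 20*log10(f[MHz]) - 27.55.  This is the best case:
    walls, foliage, people and weather only add loss on top of it.
    """
    return 20.0 * math.log10(distance_m) + 20.0 * math.log10(freq_mhz) - 27.55


def rx_power_dbm(tx: Radio, rx: Radio, distance_m: float, freq_mhz: float) -> float:
    """Signal level arriving at rx's receiver for a frame sent by tx."""
    return (tx.tx_power_dbm + tx.antenna_gain_dbi - tx.cable_loss_db
            - fspl_db(distance_m, freq_mhz)
            + rx.antenna_gain_dbi - rx.cable_loss_db)


def link_margin_db(tx: Radio, rx: Radio, distance_m: float, freq_mhz: float) -> float:
    """How far above rx's sensitivity the signal lands (negative means no link)."""
    return rx_power_dbm(tx, rx, distance_m, freq_mhz) - rx.rx_sensitivity_dbm


def max_range_m(tx: Radio, rx: Radio, freq_mhz: float) -> float:
    """Free-space distance at which the margin for this direction reaches 0 dB."""
    allowed_loss = (tx.tx_power_dbm + tx.antenna_gain_dbi - tx.cable_loss_db
                    + rx.antenna_gain_dbi - rx.cable_loss_db - rx.rx_sensitivity_dbm)
    return 10.0 ** ((allowed_loss + 27.55 - 20.0 * math.log10(freq_mhz)) / 20.0)


def two_way_budget(card: Radio, ap: Radio, distance_m: float, freq_mhz: float) -> dict:
    """Evaluate both legs; the weaker one decides whether the link is usable."""
    up = link_margin_db(card, ap, distance_m, freq_mhz)    # card transmits, AP receives
    down = link_margin_db(ap, card, distance_m, freq_mhz)  # AP transmits, card receives
    return {
        "card_to_ap_margin_db": round(up, 2),
        "ap_to_card_margin_db": round(down, 2),
        "limiting_direction": "card_to_ap" if up < down else "ap_to_card",
        "usable": up > 0 and down > 0,
    }


# Constructed example radios: a 600 mW card on a 5 dBi antenna versus a 100 mW AP.
CARD = Radio("600 mW card", mw_to_dbm(600), 5.0, 1.0, -90.0)
AP = Radio("100 mW AP", mw_to_dbm(100), 2.0, 0.0, -85.0)
CHANNEL_6_MHZ = 2437.0

if __name__ == "__main__":
    for d in (100, 500, 2000):
        print(d, "m:", two_way_budget(CARD, AP, d, CHANNEL_6_MHZ))
    print("card can hear AP out to ~%.0f m (free space)" % max_range_m(AP, CARD, CHANNEL_6_MHZ))
    print("AP can hear card out to ~%.0f m (free space)" % max_range_m(CARD, AP, CHANNEL_6_MHZ))
```

With these constructed numbers the card-to-AP leg has about 24.6 dB of margin at 500 m while the AP-to-card leg has about 21.8 dB, so the return path from the AP is what limits the link; pumping more power into the card changes only the first number. Real-world range is shorter than max_range_m reports, because free-space loss is the floor and every wall or wet tree adds to it.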
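The Airjack, Hotspotter and ASLEAP descriptions above all rest on one primitive: a spoofed deauthentication or disassociation management frame that the client accepts because pre-802.11w networks do not authenticate management frames. The following is an added example, not code from the thread or from any of those tools. It serialises and decodes such a frame in the layout a monitor-mode capture would show (no radiotap header, no FCS), and then runs the detection a wardriver or a WIDS would apply: count deauth frames per source address in a sliding window and flag a flood. The MAC addresses, timestamps and capture list are constructed; the threshold and window are assumptions, not values from any product.

```python
import struct
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# 802.11 management frames are type 0; subtype 12 = Deauthentication, 10 = Disassociation.
# Frame control byte 0 = subtype << 4 | type << 2 | protocol version.
FC_DEAUTH = 0xC0
FC_DISASSOC = 0xA0
REASON_NONASSOC_STA = 7   # "class 3 frame received from nonassociated station"
REASON_STA_LEAVING = 3    # "deauthenticated because sending STA is leaving"

# frame control (2 bytes), duration, addr1 (DA), addr2 (SA), addr3 (BSSID), sequence control
MGMT_HDR = "<BBH6s6s6sH"
MGMT_HDR_LEN = struct.calcsize(MGMT_HDR)


def mac(text: str) -> bytes:
    return bytes(int(octet, 16) for octet in text.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def build_deauth(dst: str, src: str, bssid: str, reason: int = REASON_NONASSOC_STA,
                 seq: int = 0, fc0: int = FC_DEAUTH) -> bytes:
    """Serialise a deauth (or, with fc0=FC_DISASSOC, disassoc) frame; body is the reason code."""
    hdr = struct.pack(MGMT_HDR, fc0, 0x00, 0, mac(dst), mac(src), mac(bssid), (seq & 0xFFF) << 4)
    return hdr + struct.pack("<H", reason)


def parse_mgmt(frame: bytes) -> Optional[Dict]:
    """Decode a deauth/disassoc frame; returns None for anything else (data, beacons...)."""
    if len(frame) < MGMT_HDR_LEN + 2:
        return None
    fc0, _fc1, _duration, a1, a2, a3, seqctl = struct.unpack_from(MGMT_HDR, frame)
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != 0 or subtype not in (10, 12):
        return None
    (reason,) = struct.unpack_from("<H", frame, MGMT_HDR_LEN)
    return {
        "kind": "deauth" if subtype == 12 else "disassoc",
        "dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3),
        "seq": seqctl >> 4, "reason": reason,
        "broadcast": a1 == b"\xff" * 6,   # one frame kicks every client off the BSS
    }


def detect_deauth_floods(captures: List[Tuple[float, bytes]], window_s: float = 1.0,
                         threshold: int = 10) -> Dict[str, int]:
    """Return {source MAC: peak deauth/disassoc frames seen in any window_s span}
    for sources whose peak exceeds threshold.  A legitimate AP sends a handful;
    an Airjack-style attacker sends a stream, usually with the AP's address spoofed."""
    per_src: Dict[str, List[float]] = defaultdict(list)
    for ts, frame in captures:
        info = parse_mgmt(frame)
        if info is not None:
            per_src[info["src"]].append(ts)
    flagged: Dict[str, int] = {}
    for src, times in per_src.items():
        times.sort()
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


# Constructed capture: one real "client leaving" deauth from the AP at t=0, a data frame,
# then 40 broadcast deauths in 0.4 s with the AP's address spoofed as source.
AP_MAC = "00:11:22:33:44:55"
CLIENT_MAC = "aa:bb:cc:dd:ee:01"
BROADCAST = "ff:ff:ff:ff:ff:ff"
DATA_FRAME = struct.pack(MGMT_HDR, 0x08, 0x01, 0, mac(AP_MAC), mac(CLIENT_MAC), mac(AP_MAC), 0) + b"\x00\x00"
CAPTURE: List[Tuple[float, bytes]] = (
    [(0.0, build_deauth(CLIENT_MAC, AP_MAC, AP_MAC, REASON_STA_LEAVING, seq=17)), (0.5, DATA_FRAME)]
    + [(5.0 + i * 0.01, build_deauth(BROADCAST, AP_MAC, AP_MAC, seq=i)) for i in range(40)]
)

if __name__ == "__main__":
    print(parse_mgmt(CAPTURE[0][1]))
    print("flood sources:", detect_deauth_floods(CAPTURE))
```

The flood is attributed to the AP's own MAC because that is what the attacker spoofs; the tell is the rate (and, in a longer capture, sequence numbers that do not follow the AP's real counter), not the address. The fix the thread's defence section does not mention, because it postdates it, is 802.11w protected management frames, which sign deauth/disassoc so a spoofed one is dropped.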
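The airpwn write-up above shows a config section (begin / match / ignore / response) and the spoofed HTTP reply it returns, but not how the matching is applied to traffic. The following is an added example, not airpwn's own code: a small matcher that approximates the semantics the config implies (first section whose match regex hits the TCP payload and whose ignore regex does not, sends its response) and runs it over constructed request payloads. The second config section, the response bodies, and the sample packets are all constructed; airpwn reads the response from a file, which this example replaces with an inline table so it runs offline. The injection race itself (getting the forged segment to the client before the real server's) is not modelled.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed config in the layout of the thread's goatse_html section, plus a second
# section so rule ordering is visible.
SAMPLE_CONF = r"""
begin goatse_html
match ^(GET|POST)
ignore ^GET [^ ?]+\.(jpg|jpeg|gif|png|tif|tiff)
response content/goatse_html

begin ftp_banner
match ^USER
response content/ftp_banner
"""


def build_http_response(body: str) -> bytes:
    """Forged reply in the shape the thread shows, plus Content-Length so the
    browser renders immediately instead of waiting for the (never-coming) close."""
    body_bytes = body.encode()
    head = ("HTTP/1.1 200 OK\r\n"
            "Connection: close\r\n"
            "Content-Type: text/html\r\n"
            f"Content-Length: {len(body_bytes)}\r\n\r\n")
    return head.encode() + body_bytes


# Stand-in for the files airpwn's "response" directive names (constructed bodies).
RESPONSES: Dict[str, bytes] = {
    "content/goatse_html": build_http_response(
        "<html><head><title>pwned</title></head><body><h1>pwned</h1></body></html>"),
    "content/ftp_banner": b"220 pwned ftp server ready\r\n",
}


@dataclass
class Rule:
    name: str
    match: Optional[re.Pattern] = None
    ignore: Optional[re.Pattern] = None
    response: str = ""


def parse_conf(text: str) -> List[Rule]:
    """Parse begin/match/ignore/response sections; unknown directives are rejected."""
    rules: List[Rule] = []
    cur: Optional[Rule] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "begin":
            cur = Rule(name=value)
            rules.append(cur)
            continue
        if cur is None:
            raise ValueError(f"'{key}' appears before any 'begin'")
        if key == "match":
            cur.match = re.compile(value)
        elif key == "ignore":
            cur.ignore = re.compile(value)
        elif key == "response":
            cur.response = value
        else:
            raise ValueError(f"unknown directive: {key}")
    return rules


def select_rule(rules: List[Rule], payload: str) -> Optional[Rule]:
    """First rule whose match hits the payload and whose ignore (if set) does not."""
    for rule in rules:
        if rule.match is None or not rule.match.search(payload):
            continue
        if rule.ignore is not None and rule.ignore.search(payload):
            continue
        return rule
    return None


def inject_for(rules: List[Rule], payload: str) -> Optional[bytes]:
    """Bytes to forge back to the client for this payload, or None to stay silent."""
    rule = select_rule(rules, payload)
    return None if rule is None else RESPONSES[rule.response]


# Constructed TCP payloads as seen on an open WLAN.
PACKETS = [
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",      # page: hit
    "GET /img/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n",    # image: ignored by rule
    "POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n",          # page: hit
    "USER anonymous\r\n",                                          # ftp login: hit
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>real</p>",  # server side: no rule
]

if __name__ == "__main__":
    rules = parse_conf(SAMPLE_CONF)
    for p in PACKETS:
        r = select_rule(rules, p)
        print(repr(p.split("\r\n")[0]), "->", r.name if r else "no injection")
```

Note the ignore line only suppresses the HTML rule for image GETs so the "replace all images" mode can be a separate section; because the regexes are anchored with ^ against the start of the TCP payload, a request whose method arrives in a later segment is never matched, which is one reason the write-up's logs show more hits than visible victims.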

Fame ! Where are the chicks?!
Posts: 132
Joined: 22 Jul 2008, 16:00

Post by Insection »

Excellent guide.


Posts: 2695
Joined: 29 Mar 2007, 16:00
Location: UK

Post by computathug »

Nice post there DNR with a lot of info i didn't know like the signal being much better in damp conditions. Good read and a good guide for anyone just starting to learn about wardriving.

Good work!!

On the way to fame!
Posts: 41
Joined: 30 Jan 2010, 17:00

Re: WiFi Beginner's section, a thread for starting wardrivers

Post by sun7 »


Great post DNR. Wireshark PDF is great for study. I'm thinking of getting a wireless certification after my Network+ and this is good reading. I'll check out the other posts.

Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Re: WiFi Beginner's section, a thread for starting wardrivers

Post by DNR »

You have to get Wifi as a part of your security education - I am willing to bet that many small and medium sized businesses opened up their private networks with a poorly configured wireless design.
