Flying the Front Range: Detecting Wireless Networks
Dr. Stephen C. Hayne, Professor
Computer Information Systems
Steve H., Sean I., Jesse C., Travis M., Travis R.

Why We Did It
►Gauge wireless network usage
  Analyze packet captures
  Attempt to ID wISPs, long-haul 802.11, A,B,G WAPs
  Encryption, usage, demographic statistics
►Compare GPS recordings in car vs. plane
►Compare Kismac, Netstumbler and Kismet
►Compare antennae

WarDriving
►Tools
  Windows XP, Netstumbler
►Areas Covered
  Loveland, Windsor, Ft. Collins, Laporte
►Hypothesis & Goal
  Driving would more accurately locate WAPs than flying
  Provide baseline for comparing flight data

WarDriving Results
►Ft. Collins
  3112 WAPs found
►Windsor
  315 WAPs found
►Loveland
  520 WAPs found

WarFlying
►Tools
  Windows XP, Orinoco Gold PC Card, Netstumbler v 4.0, Lucent 5.5dBi omnidirectional antenna
  Apple Powerbook, Compaq WL110 PC Card, Kismac v .11b, Cisco 12dBi omnidirectional antenna
  Cessna Centurion

Flying

Antenna Comparison

WarFlying Results
►Kismac found 2251 802.11x networks
  After crashing, losing 1280 WAP locations
  Included computers in ad-hoc mode, computers probing (Netstumbler), WPA, WEP, A/B/G networks, hidden SSIDs
►Netstumbler found 1012 networks
►1 hour of flying at +-1500 ft. produced similar amount of data as 24 hours of driving
►Kismac tends to find 1.5 to 2x more WAPs than Netstumbler

WarFlying Results
►Circled Rockwell
  Attempted to use Rockwell WAPs to access a web page
  Also used this data to compare GPS locations

WarFlying
Circling Rockwell picking up 802.11 traffic at 1500’
Signals travel much further vertically than horizontally

WarFlying
Circling my house trying to connect and load a web page

WarFlying Results
►GPS Location Data Comparison
  Surprisingly similar between car and plane
  Left map is from Kismac, Right is from Netstumbler
  In the car alleycat-2 found on College Ave. between Plum and Laurel

WarFlying Results 2004: Network Traffic
Top 10 Protocol Captures as Percent of Total

Rank  Percent  Port   Protocol
1.    18.0%    110    POP3
2.    10.5%    5190   AOL
3.    10.0%    80     HTTP
4.    9.0%     8      unassigned
5.    3.8%     443    HTTPS
6.    3.8%     68     bootstrap protocol client
7.    2.8%     137    NetBIOS Name Service
8.    2.5%     25     SMTP
9.    2.3%     57586  unassigned
10.   1.8%     53     DNS

WarFlying Results 2004: Network Traffic
►Plain POP3 instead of POP3 over SSL (port 995)
  Bad end user education
  Actually captured full email with .xls attachment for well-known national home furnishing store explaining contractual problems & revisions
►High proportion of AOL traffic
  Bad end user education ;-)

Summary 2004
►Out of 5,363 WAPs found (driving + flying), we predicted 33% WEP, 66% non-WEP
  Found 1501 (28%) WEP, 3862 (72%) non-WEP
  The ratios of 25-33% vs. 75-66% appear to be common in every WEP / non-WEP comparison
►Few WPA access points are in use but will increase

Summary 2004
►Top 21 SSIDs in use
  We wanted the 21st because it shows the Poudre R-1 School District
  The () represents “hidden” SSIDs

SSID         Number Seen
linksys      1895
default      665
NETGEAR      369
Hiddenssid   206
wireless     175
csu          164
MSHOME       79
ACTIONTEC    70
()           60
WLA          58
home         49
belkin54g    40
no ssid      34
SpeedStream  25
digis-000    25
Gateway      23
tmobile      16
123          15
101          13
homenet      12
SST-PR-1     11

Summary 2004
►Identified some long haul connections
  Larinet
    ►Larimer county? Covered from Laporte to Ft. Collins
  High Plains Access
►Identified some Wireless ISPs
  DIGIS
    ►Could see plaintext traffic behind their NAT gateway

All 5,363 WAPs Found in 2004

Summary 2005
►One short flight (45m) found 2,256 WAPs
  1062 (48%) encrypted
  1164 (52%) still not encrypted
►Ratio has changed from 25% encrypted!

Summary 2005
►Top 10 SSIDs

SSID       Number Seen
linksys    474
NETGEAR    172
ActionTec  142
default    100
blank      26
csu        23
Belkin     22
Home       22

Channel Distribution

Channel  Count  Percent
1        101    8%
2        17     1%
3        18     2%
4        18     2%
5        6      1%
6        600    50%
7        14     1%
8        22     2%
9        99     8%
10       28     2%
11       277    23%

Frequency Distribution
  802.11b = 40%
  802.11g = 60%

2005

2006
►Different Antennas
  5 dB omni
  13 dB 30° directional

2006
Legend: Unencrypted, Hidden/WEP, WPA

Questions?