
Wardriving


Page 1: Wardriving

Wardriving

7/29/2004

The “Bad Karma Gang”

Page 2: Wardriving

Agenda

Introduction to Wardriving

The Tools of Wardriving

Wardriving Green Lake

Page 3: Wardriving

What is War Driving?

Definition: Driving through a neighborhood with a wireless-enabled notebook computer in search of wireless access points (APs)

Purpose: Analyze wireless LANs & show which APs are open

Product: Wireless Access Point Map

Origin: “War dialing”

Page 4: Wardriving

Some Results of War Driving

-Source: Wigle.Net-

-WiFiMaps.com-

Nui’s House

Access point

WWWD4 (World Wide War Drive)

June 12-19, 2004

300,000 APs submitted worldwide

[Chart: Wireless Internet Security Awareness, 152 networks audited. Bars: protected networks, unprotected networks. Values shown: 32.2%, 67.8%. Axis: 0.0% to 80.0%.]

Wireless Access Point Maps

Nowel & Budge

WiGLE

Page 5: Wardriving

Legal Background

Activity | Legality | Law
Scan access points | Not illegal |
Intentional access of a computer without authorization | Illegal | Computer Fraud and Abuse Act
Alteration of communication on ISP network without authorization | Illegal | Electronic Communications Protection Act
Interception of communications as they’re going through the air | Illegal | Wiretap Act

Page 6: Wardriving

Anatomy of a Hack (Hacking Exposed 4th Edition)

• Footprinting: Address range, namespace acquisition
• Scanning: Find promising points of entry
• Enumeration: Find user accounts and poorly protected shares
• Gaining Access: Informed attempts to access target
• Escalating Privilege: Gain complete control of system
• Pilfering: Gain access to trusted systems
• Covering Tracks: Hide system privileges
• Creating Back Doors: Ensure ability to regain access at will
• Denial of Service: Create ability to disable target

[Diagram labels: War driving Process; Legal / Illegal]

Page 7: Wardriving

Possible Risks

War driving = not illegal

Beyond war driving = illegal

• Encryption key cracking
• Free internet access
• Identity exposure and theft
• Network resource utilization
• Data theft
• Denial-of-service
• Other hacking activities

Confidentiality

Integrity

Availability

Page 8: Wardriving

Typical Wardriving Setup

• GPS Mouse
• Notebook computer
• Power Cable
• GPS Software Display
• 802.11 network sniffing software (e.g. Netstumbler)
• Text to speech software: "new network found. ssid is thd-wireless. channel 6. network open."

Page 9: Wardriving

Netstumbler Screenshot

Page 10: Wardriving

For the thrifty and adventurous wardriver…

Build a “Cantenna”

http://www.turnpoint.net/wireless/cantennahowto.html

Page 11: Wardriving

Protection of Wireless Networks

• Use Wired Equivalent Privacy (WEP)
  - Network card encrypts “payload” using RC4 cipher
  - Receiving station decrypts upon arrival
  - Only works between 802.11 stations. No longer applies once payload enters wired side of network
  - Users should change default password and Service Set Identifier
  - Users should change keys often

• Physically locate access point to avoid “spilling” signal off premises

• Install hardware or software firewall

• Use passwords for sensitive folders and files

• Users should perform wardriving test
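
An added example, not part of the original slides: a small self-audit that applies the checklist above to readings taken around your own premises. The CSV layout, BSSIDs, and default-SSID list are constructed assumptions, not any scanner's real export format.

```python
import csv
import io

# Constructed readings from walking around your own premises (not slide data).
# The column layout is an assumption, not any scanner's real export format.
SAMPLE_SCAN = """ssid,bssid,channel,encryption,seen_from
thd-wireless,00:11:22:33:44:01,6,none,street
linksys,00:11:22:33:44:02,6,none,street
homeoffice,00:11:22:33:44:03,11,wep,inside
NETGEAR,00:11:22:33:44:04,1,wep,street
"""

# Illustrative factory-default SSIDs; extend for your own hardware.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "belkin54g"}
OPEN_VALUES = ("", "none", "open")


def audit(scan_csv, my_bssids):
    """Check the access points you own against the slide's checklist."""
    mine = {b.lower() for b in my_bssids}
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        if row["bssid"].lower() not in mine:
            continue  # report only on your own equipment
        ssid = row["ssid"].strip()
        if row["encryption"].strip().lower() in OPEN_VALUES:
            findings.append((ssid, "no encryption enabled"))
        if ssid.lower() in DEFAULT_SSIDS:
            findings.append((ssid, "factory-default SSID"))
        if row["seen_from"].strip().lower() != "inside":
            findings.append((ssid, "signal reaches off premises"))
    return findings


def protected_share(scan_csv):
    """Percentage of all observed networks that require a key."""
    rows = list(csv.DictReader(io.StringIO(scan_csv)))
    keyed = sum(r["encryption"].strip().lower() not in OPEN_VALUES
                for r in rows)
    return round(100.0 * keyed / len(rows), 1) if rows else 0.0


if __name__ == "__main__":
    own = ["00:11:22:33:44:02", "00:11:22:33:44:04"]
    for ssid, issue in audit(SAMPLE_SCAN, own):
        print(f"{ssid}: {issue}")
    print("protected:", protected_share(SAMPLE_SCAN), "%")
```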

Page 12: Wardriving

Experiment: War Driving Seattle

* Doonesbury, December, 2002.

Page 13: Wardriving

Wardriving: Been there, done that?

* “War Kayaking”, Summer, 2003.

Page 14: Wardriving

War Driving Experiments

Page 15: Wardriving

Experiment 1: Open door

• Opened SBG1000 wireless Internet gateway
• Meant to disable 16 bit encryption
• Discovered traffic in logs when home computers off

Page 16: Wardriving

Experiment 2: Tools of the trade

+ + = Access

Page 17: Wardriving

My house

Results: Access Gained

Page 18: Wardriving

Results

• 29 available networks in 2 short hours
• All available from parked car on crowded streets
• Colorful names for wireless routers
  - hotstuff, red libre, eatshitanddie
  - most use manufacturer name
• Only 3 required a key of any kind

Page 19: Wardriving

The “Bad Karma Gang”

-Social Engineer Alumni Relations-

Discussion