Discussion in 'OT Technology' started by fade, Nov 26, 2003.
anyone wanna talk about it? i have some questions
Go for it!
I haven't tried it (yet). It's like dumpster diving. It requires a little bit of work, effort, and creativity, but the results can be cool and interesting.
Since I just got a new notebook, I've been having fun playing with the Cisco Aironet 350 card my friend is loaning me. He's telling me that's nothing and has an Orinoco (sp?) card and several external antennas (not to be used at the same time). I've also got a GPS unit so I think we're going to try wardriving either tonight or sometime this weekend.
Of special note: it's illegal to access someone's wireless network if you do it in PA (does it make wardriving illegal? probably only if you get caught). I'd chalk this law up to one of the more retarded ones, but whatever.
On another note: I haven't been much of a hardware guy so I have no clue on the "best hardware setups" for this activity (my friend is nicely equipped and is a HAM operator as well so he knows what's up - he's been on fox hunts which is kind of like wardriving).
War driving is a blast. A good friend of mine (WannaZ06 on OT) and I have gone a few times and have gotten into a few networks. It's interesting how many people leave their router information default. The best is enabling remote administration on the router and grabbing their external IP. That's fun the next day.
I think I've said too much...
We're more of the caliber of looking around. We'll probably be more on a mapping quest than a hunt for digging out info.
What is fun is this is so new, wardriving can exist. I'd predict there will be a time when it won't be much fun.
Case in point: I was at the University of Akron last night. Brought along Net Stumbler for some network discovery. I know U.A. has 500+ WAPs (well, I did until last night - they're up to 750+). I didn't find anything in the main library. I went and talked with the computer help desk and found they have things locked down pretty nicely. I had another post that mentioned they required a particular card - well it ended up being the Cisco Aironet 350. It's required because they use LEAP for authentication and the Aironets can do it. But their WAPs do not advertise the SSID so if you're just browsing around, you won't find their network (I did find some clients that were connected to their network).
If they are using LEAP, you wouldn't get anywhere anyway even if you knew the SSID. You would have to have the proper certificates on your unit and the right credentials on their Authentication Server...
Still interesting to see what's out there. Just don't do anything you're not supposed to do. As far as I know, it is up to the owner to secure their network. If you have to change anything to access it, you are breaking the law. BUT... If their AP is wide open and nothing is needed to access it (ie. completely open access point) it is not against the law...
what's so special about war driving, finding out networks with Network Stumbler and depending on the network's encryption and ssid, you either get in or you don't
don't see anything special about it
Who cares about finding restricted APs, unless you plan to be up to no good. It is nice to know where completely open APs are in your area though. I know that I can now check my e-mail and browse the web when I am at the dentist's office because someone in the area has an open AP... Not the dentist because I asked them to see if they were that ignorant.
I use Netstumbler when doing site surveys for WLAN installations too. You need to know if there are other WLANs in the area and what channels they are configured to use to be able to configure your network to experience the least amount of interference. Tons of very legal and helpful uses but I won't get into those...
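The site-survey use described in the post above, as an added example that is not part of the original thread: given the channels and signal strengths of neighbouring WLANs, pick the 2.4 GHz channel with the least interference. The survey rows are constructed sample data, and the linear overlap weighting is a simplifying assumption.

```python
from dataclasses import dataclass

@dataclass
class SurveyedAP:
    ssid: str
    channel: int      # 2.4 GHz channel number (1-11)
    signal_dbm: int   # received signal strength at the planned AP location

# Channels usually chosen for new 2.4 GHz installs because they do not overlap.
NON_OVERLAPPING = (1, 6, 11)

def overlap(a: int, b: int) -> float:
    """Approximate spectral overlap between two 2.4 GHz channels.

    Channel centres are 5 MHz apart and an 802.11b signal is about 22 MHz
    wide, so channels five or more numbers apart are treated as clear of
    each other. The linear fall-off in between is an assumption.
    """
    return max(0, 5 - abs(a - b)) / 5

def interference(candidate: int, survey: list) -> float:
    """Sum neighbouring signal power (in mW) weighted by channel overlap."""
    return sum(
        overlap(candidate, ap.channel) * 10 ** (ap.signal_dbm / 10)
        for ap in survey
    )

def best_channel(survey: list, candidates=NON_OVERLAPPING) -> int:
    """Return the candidate channel with the lowest interference score."""
    return min(candidates, key=lambda c: interference(c, survey))

# Constructed survey results (not taken from the thread).
SURVEY = [
    SurveyedAP("linksys", 6, -48),
    SurveyedAP("default", 6, -71),
    SurveyedAP("NETGEAR", 11, -60),
    SurveyedAP("office-2", 3, -80),   # off-grid channel, bleeds into 1 and 6
    SurveyedAP("cafe", 1, -88),
]

if __name__ == "__main__":
    for ch in NON_OVERLAPPING:
        print(f"channel {ch:2d}: {interference(ch, SURVEY):.2e} mW")
    print("suggested channel:", best_channel(SURVEY))
```

Working in milliwatts rather than dBm matters here: one strong neighbour on the same channel outweighs several weak ones, which a simple count of APs per channel would miss.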
so, if one person did stumble upon an access point and used it, could they be traced at all? (sorry i'm a noob with networks and stuff)
I've used netstumbler around the house, I can pick up two of my neighbors' networks. I only get about a 10% signal so it's not strong enough to connect to with my cheap card. I haven't tried driving around with it yet, i'll get around to that eventually.
I leave mine default, but hopefully by setting it to use just the identified MAC addresses, I'm safe. As long as no one is stealing my bandwidth for illegal reasons, I don't care. Also I assume just because they have access to the network bandwidth, it doesn't necessarily mean they have access to your computer and files, correct?
i always have 2 SSID i can find with net stumbler, encryption is on, 1 ssid is blank lol, anyway i can connect 2 them :evil:
Traced? Not really. They can easily tell if someone else is using their router, if they know what they are doing. It takes decent hardware and a spectrum analyzer to "track you down". And even then they are only gonna get close. If their AP is open, their fault. I just wouldn't do anything real stupid and don't worry about it. Just hope they never find out and ya got more free bandwidth.
Leaving your AP at defaults is really not smart. As said previously, I think, where will any "illegal" activities be tracked back to if done on your network??? Your IP. And using an excuse like "I didn't know" is pretty hard to prove.
Not to go on a tangent... But I am moving into WLAN Security as I see that as a good temporary future for IT... A few certs can't hurt. Don't know. Maybe it is a waste of time or only a pipe dream but it is fun readin and learnin...
Blah blah blah. I'll stop rambling.
For me, the fun is partly knowing you're doing something you shouldn't be. Also the fact that some people keep their hidden c share on without a user password. You'd be surprised how many filesystems you can check out while war driving. This assumes you're downtown of course. You can sit in front of an apartment building and nobody is the wiser.
so if they do track it down, how would they even figure out what computer or where the computer is? wouldn't the IP be given under their network?
Yes, the IP would be traced back to the hacked network. But I guess the only way it could be tracked back to the hacker is to log any Mac address (since it's unique) which gains access to your network. Even then you wouldn't be able to track it back to the hacker seeing as there is no "master" list of Mac addresses to people who own them. 99% of the public isn't concerned enough to log Mac addresses and such. So to answer your original question, no, you could not be tracked down if you hacked into someone's wireless network and performed some illegal deed.
LEAP doesn't use certificates; it uses username/password authentication.
Yup - username/password and domain was required for my U. Akron access.
Balzz: Clever routing! I checked my apartment and I haven't found any AP actively broadcasting their SSID. But from a WAP security standpoint, what do you recommend in terms of config? I've only got a Linksys 802.11b WAP/router. I've got WEP enabled at 128bit, but now I'm thinking I should spend a few minutes and just add the one MAC address to it and restrict all others - for safety. Thoughts?
a friend and I did a bit of this around a local country club, interesting to see how 'upstanding' members of the club were, if you catch my drift
how would i go about snatching their APs if i have their ssids?
Wow - just woke up from a night of wardriving. I feel bad because I overwrote our Net Stumbler log, but I had created another one for the drive home from my friend's house (55 APs, 32 unsecured).
We had some technical difficulties at first due to XP and Net Stumbler not playing nicely together, but we worked around that.
We pulled into a parking lot to explore an unsecured AP and after 2 minutes one of my friends looks over and comments to me, "is that a cop?" I look over and it was a cop sitting there with all his lights off except for the radar gun. We quickly backed out and found another spot. Later in the evening we were on an empty road doing 35mph in a 35mph zone and had a cop fly up on us with full lights going. We pulled over, at the same time trying to think up excuses for all the gear, but luckily he was in some hurry for something else.
We found one of our friend's neighbors has better reception on their AP than he does (and he said he's got an amp on his). And they have NO security on their network.
I'm going to try plotting the lat/long coordinates on a map - if it works, I'll post a link...
Here's a map, but I'm going to see about zooming in:
That brings back some memories. I need to get a group together and go again.
More maps - PHP generated. SSIDs and dots in red are WEP secured. Green ones are not.