Stumbling tools
In the methodology Kevin describes in his book, Hacking For Dummies (Wiley),
and in the OSSTMM and ISSAF methods discussed in Chapter 2, the first step
in ethical hacking is the same: reconnaissance. The best type of tool for reconnaissance
is wardriving software. Programs like NetStumbler and Kismet help
you find access points. Refer to Chapters 9 and 10 for more on the various
stumbling tools.
You got the sniffers?
Stumbling tools help you find the access points, but that’s not enough. You
need to peek into the transmitted frames. If the frames are unencrypted, of
course, then this is an easy task. But when the frames are encrypted, you
need to decrypt the frame before you can look at it. This type of decryption
software is generally called a sniffer.
Many freeware and commercial sniffer products are floating around out there.
Some run on Windows, and others run on Linux. Two of the more popular
sniffers are Ethereal and AiroPeek, which we cover in Chapter 8.
Picking Your Transceiver
Wireless Networks For Dummies (Wiley) provides information on the various
form factors for your clients. You have lots of options to choose from. Picking
your wireless network interface card or transceiver depends on the operating
system you choose. When NetStumbler and Kismet first came out, there were
two chipsets for wireless NICs: Hermes and Prism2. As a general rule, if you
decide to use NetStumbler, you want a card based on the Hermes chipset.
Kismet, on the other hand, works best with a Prism2 (Intersil) card. If you are
prepared to do a kernel modification, then Hermes cards will work with Kismet.
Determining your chipset
Don’t know whether you have a Prism2 chipset or a Hermes chipset? The following
PC Card manufacturers use the Prism2 chipset:
- 3Com
- Addtron
- AiroNet
- Bromax
- Compaq WL100
- D-Link
- Farallon
- GemTek
- Intel
- LeArtery Solutions
- Linksys
- Netgear
Further, if you have a Prism2 chipset, you may see a computer with antenna
icon in the System Tray.
The following PC Card manufacturers use the Hermes (Lucent) chipset:
- Nokia
- Nortel
- Samsung
- Senao
- Siemens
- SMC
- Symbol
- Z-Com
- Zoom Technologies
- 1stWave
- Agere/ORiNOCO/Proxim
- Alvarion
- Apple
- ARtem
- Avaya
- Buffalo
- Cabletron
- Compaq WL110
- Dell
- ELSA
- Enterasys
- HP
- IBM
- SONY
- Toshiba
Much like the Prism2 chipset, if you have a Hermes (Lucent) chipset, you will
see an icon in the System Tray.
To find information for your Hermes chipset, visit www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Wireless.html and look for “orinoco.”
Buying a wireless NIC
When purchasing a wireless NIC, look for one that supports an external
antenna. Figure 4-13 depicts an ORiNOCO card with an external antenna connector
on the top. In this figure, the built-in antenna is the black plastic part
on the end.
The ORiNOCO Gold Classic card from either Agere or Lucent is a popular
card with wireless hackers because it has an external antenna connector
and works with both Kismet and NetStumbler. Take care when buying new
ORiNOCO cards. ORiNOCO is now owned by Proxim, which came out with
an ORiNOCO card not based on the Hermes chipset. The Hermes card is still
available, but it is usually sold as the ORiNOCO Gold Classic.
You can find a somewhat dated but useful comparison of the wireless cards
and their chipsets at Seattle Wireless: www.seattlewireless.net/index.cgi/HardwareComparison.
Extending Your Range
Antennae are generally optional, but if you want to test the boundary of your
wireless signal, they are a must. Many companies that sell PC wireless NIC
cards also sell antennae. But many of these cards do not come equipped with
a jack to plug in the antenna. Many people have resorted to modifying these
PC cards to add jacks or soldering wires to the built-in antennas of their
cards. Check out eBay for examples.
Figure: Wave guide cantenna.
Directional antennae are good for aiming at buildings across the street or
pointing to the top of a very tall building, but they are not really good for
wardriving. For wardriving, you want to get yourself an omnidirectional
antenna. Peter bought this 5 dBi antenna, which has a magnetic base
that can be attached to a car or cart, on eBay for
$5.95 (!). At that price, you should buy several and give them as gifts.
Figure: Omnidirectional antenna.
For more information on antennae, we encourage you to check out Wireless
Networks For Dummies (Wiley). That book outlines in depth the different
types of antennae. You’ll even find links for building your own wave guide
antenna like that shown in Figure 4-16. That book provides information on RF
mathematics so you can interpret what dBi means.
Using GPS
While driving in an unfamiliar place, Peter’s family often asks, “Where are we?”
Until he got his global positioning system (GPS), he couldn’t always answer the
question with great precision. As an answer, “somewhere between the Colorado
border and El Paso” doesn’t cut it, especially when you get close to restricted
government areas. Now, with GPS, he can tell you the exact latitude and longitude.
That GPS device can help with your wireless hacking efforts as well.
Using your GPS system with your wardriving software can give you more
information. Remember, the hacker’s primary law is more information is
better. When you have to cover a large area in a short amount of time, the
GPS is essential. Otherwise, you may not find the access point again.
To use GPS with wardriving software, you get the GPS unit to output GPS
coordinates to the computer’s serial port. When you find a wireless access
point, Kismet and NetStumbler log the exact coordinates (down to a few feet)
of the effective range.
Make sure you get a serial or USB cable to connect to your workstation when
you buy your GPS device. If you are going to use the serial cable, ensure that
you have a serial port; otherwise you’ll need a serial-to-USB adapter. The
standard protocol for GPS is NMEA (National Marine Electronics Association),
which dumps your coordinates every 2 seconds to a serial port via a special
cable at 9600,8,N,1. If you use a Garmin GPS, you can use the Garmin format.
The Garmin eTrex Venture is nice for its size and cost (about $150). The
Garmin reports every second, compared to every 2 seconds for the NMEA
standard. However, Kismet supports only the NMEA format.
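The NMEA 0183 sentences a GPS unit streams to the serial port are plain ASCII, so a wardriving logger has to verify each sentence’s checksum and convert the ddmm.mmmm fields to decimal degrees before it can attach a position to an access point. The following Python is an added example, not code from the book or from Kismet or NetStumbler; it parses $GPGGA fixes from a constructed list of lines (the classic GPGGA sample sentence, a tampered copy of it, and a no-fix sentence), rejecting corrupt or fix-less sentences the way a logger should. Reading the real port with pyserial at 9600,8,N,1 is noted in a comment and is an assumption about the setup.

```python
from typing import Dict, Iterable, List, Optional


def nmea_checksum(body: str) -> int:
    """XOR of every byte between '$' and '*', as NMEA 0183 specifies."""
    cs = 0
    for ch in body:
        cs ^= ord(ch)
    return cs


def make_sentence(body: str) -> str:
    """Wrap a sentence body with '$' and a correct '*HH' checksum (what a GPS unit emits)."""
    return "$%s*%02X" % (body, nmea_checksum(body))


def verify_sentence(sentence: str) -> bool:
    """True when the two hex digits after '*' match the computed checksum."""
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        return False
    body, _, tail = sentence[1:].partition("*")
    if len(tail) < 2:
        return False
    try:
        claimed = int(tail[:2], 16)
    except ValueError:
        return False
    return nmea_checksum(body) == claimed


def _to_decimal(value: str, hemisphere: str) -> float:
    """Convert 'ddmm.mmmm' (lat) or 'dddmm.mmmm' (lon) plus N/S/E/W to signed decimal degrees."""
    if "." not in value:
        raise ValueError("malformed coordinate field: %r" % value)
    dot = value.index(".")
    degrees = int(value[: dot - 2])
    minutes = float(value[dot - 2:])
    decimal = degrees + minutes / 60.0
    return -decimal if hemisphere in ("S", "W") else decimal


def parse_gga(sentence: str) -> Optional[Dict[str, float]]:
    """Parse a $GPGGA fix; return None if the checksum fails or the unit has no fix."""
    if not verify_sentence(sentence):
        return None
    fields = sentence.strip()[1:].split("*")[0].split(",")
    if fields[0] != "GPGGA" or len(fields) < 10:
        return None
    # Field 6 is fix quality: 0 = no fix, 1 = GPS fix, 2 = DGPS fix.
    if fields[6] == "0" or not fields[2] or not fields[4]:
        return None
    return {
        "lat": _to_decimal(fields[2], fields[3]),
        "lon": _to_decimal(fields[4], fields[5]),
        "satellites": int(fields[7]),
        "altitude_m": float(fields[9]),
    }


def fixes_from_stream(lines: Iterable[str]) -> List[Dict[str, float]]:
    """Collect usable GGA fixes from a line stream, silently skipping everything else.

    With pyserial (assumed, not shown) the stream would be
    serial.Serial("/dev/ttyUSB0", 9600, bytesize=8, parity="N", stopbits=1).
    """
    fixes = []
    for line in lines:
        fix = parse_gga(line)
        if fix is not None:
            fixes.append(fix)
    return fixes


# Constructed sample stream: a valid fix, a non-GGA sentence, a tampered copy
# (one digit changed, so the checksum no longer matches) and a no-fix sentence.
SAMPLE_STREAM = [
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",
    make_sentence("GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W"),
    "$GPGGA,123519,4807.039,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47",
    make_sentence("GPGGA,123520,,,,,0,00,,,M,,M,,"),
]

if __name__ == "__main__":
    for fix in fixes_from_stream(SAMPLE_STREAM):
        print("%(lat).5f, %(lon).5f  sats=%(satellites)d alt=%(altitude_m).1fm" % fix)
```

Only the first sentence survives: the tampered line fails the checksum and the last line reports fix quality 0, which is exactly the kind of record you do not want plotted on a map.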
GPS units start at $100 and can run into the thousands. Peter purchased
Microsoft Maps & Streets 2005 with GPS for about $129. The GPS (shown in
Figure 4-16) labeled Microsoft is actually manufactured by Pharos, a well-known
GPS vendor.
If you buy the Microsoft MapPoint software, you can take your output from
NetStumbler and dump it right into StumbVerter (www.michiganwireless.org/tools/Stumbverter),
which plots it on a map for you. You can then
take your output, massage it, and import it into your Maps & Streets GPS
device. The Mapping Software table lists some
common mapping applications and their support for wardriving.
Mapping Software
Developer and Software        GPS Interface Support?  Import “Pushpins”?  NetStumbler Support
DeLorme Street Atlas USA      Yes                     Yes                 WiMap
DeLorme TopoUSA               Yes                     Yes                 PERL script
DeLorme XMap                  Yes                     Yes                 PERL script
Microsoft MapPoint            Yes                     Yes                 StumbVerter
Microsoft Streets and Trips   Yes                     Yes                 PERL script
Signal Jamming
You can buy a transmitter and jam a signal, but jamming happens accidentally
as well. Real crackers may jam your signals to deny service to your legitimate
clients. The following can affect your signal:
1. Cordless phones can cause narrowband interference, which may mean you need to eliminate the source.
2. Bluetooth devices and microwave ovens can cause all-band interference, which may mean you need to change the technology or eliminate the source.
3. Lightning can charge the air, which may mean you need to ground and protect your equipment.
So, random interference can result in denial of service, but someone can do it
intentionally as well by using one of two types of RF jamming devices:
1. RF generators are rather expensive devices. You can get RF generators from companies like HP (www.hp.com) and Anritsu (www.anritsu.com).
2. Power signal generators (PSGs) are not as pricey. They are used to test antennae, cables, and connectors. You can get PSGs from YDI (www.ydi.com) and Tektronix (www.tek.com).
A variety of jammers are complete, standalone systems consisting of appropriate
antennae, energy sources, and modulation electronics, such as techniques
generators. But what causes interference is the effective radiated
power (ERP). You can use the jammer to disrupt the operation of electromagnetic
systems in either receiving or transmitting modes to reduce or deny the
use of portions of the electromagnetic spectrum.
You may want to test your wireless network to discover how susceptible it is
to signal jamming from outside your organization. If you plan to run mission-critical
applications over wireless networks, then you need to know whether
others can cause unplanned network outages.
Taken from:
Hacking Wireless Networks For Dummies®
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
www.wiley.com