Warwalking in
A Wireless Walk Through
Published in 2600: The Hacker Quarterly, Fall 2004 – Volume Twenty-One, Number Three
Sam Nitzberg
http://www.iamsam.com
Introduction
I was in
This paper describes a casual approach to wireless sniffing. No special antennas, amplifiers, or locations were used in this study. An example of another approach to wireless sniffing was exhibited by the man at the conference who brought a notebook with a large, tripod-mounted directional antenna with 25db gain , along with an rf-amplifier. This is a more of a “point and shoot” approach to identifying wi-fi access points.
If you are going to walk with a wireless scanner, you may be surprised at just how quickly your batteries will be consumed. You have two obvious options: (1) carry extra batteries or a charger, or (2) select appropriate options for your wireless scanner to slow the scan rate.
Data Aquisition
MiniStumbler is the Pocket PC version of NetStumber. It provides the following information on your PDA.
Type (Infrastructure or Ad-Hoc)
BSSID / MAC address
Time
Signal-Noise-Ration, Signal Strength, Noise
Name
Flags
Chanelbit
Beacon Interval
Data Rate
Last Channel
The NetStumbler FAQ outlines the values that lead to the value for the Flag field. The Flag field provides 802.11 capability information in Hex; it is also documented in the 802.11b specifications:
0001 ESS ("Infrastructure")
0002 IBSS ("Ad-Hoc")
0004 CF-Pollable
0008 CF-Poll Request
0010 Privacy ("WEP")
0020 Short Preamble
0040 PBCC
0080 Channel Agility
FF00 Reserved
The Flag value is calculated by performing binary And operations on the appropriate entries from the above list.
If you have a GPS card for your PDA, it will also record latitude and longitude. Using this information, you can revisit any access points that you find. Be prepared – the GPS will put an additional drain on your battery. Some PDAs, such as the Ipaq, can utilize an expansion slot to accept cards CF (compact flash cards); these expansion slots may also provide an additional battery to help reduce the impact of the GPS card on the battery.
Lies, Damned Lies, and Statistics
I grabbed the MiniStumbler output, and coalesced it a bit. The manipulation of the data was much more efficient on my regular PC than on the Pocket PC with its more limited tools. I removed repeat entries (some of which were identical, other than time stamps or some rather minor data elements). I had also saved the data from MiniStumbler as time passed under different filenames. The data was reduced from almost 300 data points down to 86.
Points discovered: 86
Ad-Hoc 7
WEP Encrypted: 21 (24%)
Just because a wireless access point is not using WEP encryption does not mean that it is open. Accessing some access points will result in a “splash” screen, requesting a user name and password. Others may be using a different encryption system (such as AES). Also, if the infrastructure behind the wireless access point was designed properly, any wireless user will not be dropped directly into a corporate or enterprise network – wireless users would be permitted via virtual private networking mechanisms into a segregated subnet, with appropriate access restrictions, and suitable cryptography.
A few notes
No law forbids the identification of wireless access points. The truth of the matter is that many wireless access points reside on networks that are poorly configured, may use default passwords or configurations, and may expose their enterprises to harm. However, establishing connections through wireless access points without authorization, or attempting to penetrate interior networks could result in violations of several laws, including those relating to unauthorized access or use of computing facilities and resources, interception of communications, theft of trade secrets, and theft of services.
With much of the law relating to wireless technologies still being on virgin ground, I can not recommend connecting to any wireless networks (encrypted or not), without authorization. I will note that no attempt was made to actually connect to any of the wireless networks identified herein.
Conclusions
Some points of interest stand out. Locations using multiple wireless routers with the same or related names and different MAC addresses represent larger facilities with a broader footprint, or at least facilities with a larger investment in their wireless presence. Access point names often reveal their purpose or location – “bedroom” is likely residential; Wireless4Kerry appears to be politically affiliated. Curiously, if you did not use GPS gear, but know the path that you traversed, you can follow the timeline to retrace your path and correlate it to the presence of the wireless access points’ coverage areas.
You can find web sites with great collections of already identified wireless access points. However, in experimenting with the tools and equipment for wireless scanning in an urban setting, you can learn much about the nature of these tools and their application. You can also look at their output and draw your own inferences – what kinds of networks are present and what are their purposes?
|
( SSID ) |
Type |
( BSSID ) |
Time (GMT) |
[ SNR Sig Noise ] |
Flags |
Channelbits |
LastChannel |
|
|
|
|
|
|
|
|
|
|
( Verizon Wi-Fi ) |
BSS |
( |
|
[ 36 185 149 ] |
1 |
80 |
7 |
|
( Verizon Wi-Fi ) |
BSS |
( |
|
[ 100 249 149 ] |
1 |
2 |
1 |
|
( Verizon Wi-Fi ) |
BSS |
( |
|
[ 12 161 149 ] |
1 |
8 |
3 |
|
( Verizon Wi-Fi ) |
BSS |
( |
|
[ 33 182 149 ] |
1 |
400 |
10 |
|
( Verizon Wi-Fi ) |
BSS |
( |
|
[ 100 249 149 ] |
1 |
4 |
2 |
|
( Verizon Wi-Fi ) |
BSS |
( |
|
[ 9 158 149 ] |
1 |
10 |
4 |
|
( Verizon Wi-Fi ) |
BSS |
( |
|
[ 18 167 149 ] |
1 |
4 |
2 |
|
( Verizon Wi-Fi ) |
BSS |
( |
|
[ 51 200 149 ] |
1 |
200 |
9 |
|
( Verizon Wi-Fi ) |
BSS |
( |
|
[ 42 191 149 ] |
1 |
200 |
9 |
|
( surfhere ) |
BSS |
( |
|
[ 78 227 149 ] |
1 |
2 |
1 |
|
( emenities ) |
BSS |
( |
|
[ 66 215 149 ] |
1 |
40 |
6 |
|
( surfhere ) |
BSS |
( |
|
[ 45 194 149 ] |
1 |
2 |
1 |
|
( surfhere ) |
BSS |
( |
|
[ 30 179 149 ] |
1 |
2 |
1 |
|
( Applebees ) |
BSS |
( |
|
[ 27 176 149 ] |
1 |
20 |
5 |
|
( STSN ) |
BSS |
( |
|
[ 39 188 149 ] |
1 |
800 |
11 |
|
( emenities ) |
BSS |
( |
|
[ 42 191 149 ] |
1 |
40 |
6 |
|
( STSN_Conf ) |
BSS |
( |
|
[ 12 161 149 ] |
1 |
800 |
11 |
|
( STSN_Conf ) |
BSS |
( |
|
[ 9 158 149 ] |
1 |
800 |
11 |
|
( STSN_Conf ) |
BSS |
( |
|
[ 15 164 149 ] |
1 |
2 |
1 |
|
( Colubris Networks ) |
BSS |
( |
|
[ 9 158 149 ] |
21 |
400 |
10 |
|
( SkolerNet ) |
BSS |
( 00:06:25:66:d5:cc ) |
|
[ 48 197 149 ] |
11 |
40 |
6 |
|
( linksys ) |
BSS |
( 00:06:25:6d:61:41 ) |
|
[ 18 167 149 ] |
1 |
40 |
6 |
|
( puppypower ) |
BSS |
( |
|
[ 33 182 149 ] |
1 |
40 |
6 |
|
( kriswall ) |
BSS |
( |
|
[ 18 167 149 ] |
1 |
40 |
6 |
|
( Bill ) |
BSS |
( |
|
[ 21 170 149 ] |
1 |
10 |
4 |
|
( AIR_PS ) |
BSS |
( |
|
[ 42 191 149 ] |
11 |
200 |
9 |
|
( linksys ) |
BSS |
( |
|
[ 24 173 149 ] |
1 |
40 |
6 |
|
( holla ) |
BSS |
( |
|
[ 6 155 149 ] |
11 |
800 |
11 |
|
( NETGEAR ) |
BSS |
( |
|
[ 12 161 149 ] |
21 |
8 |
3 |
|
( NETGEAR ) |
BSS |
( |
|
[ 6 155 149 ] |
21 |
800 |
11 |
|
( NETGEAR ) |
BSS |
( |
|
[ 39 188 149 ] |
21 |
800 |
11 |
|
( NETGEAR ) |
BSS |
( |
|
[ 15 164 149 ] |
21 |
800 |
11 |
|
( cupid ) |
BSS |
( |
|
[ 48 197 149 ] |
1 |
40 |
6 |
|
( tmobile ) |
BSS |
( |
|
[ 84 233 149 ] |
1 |
40 |
6 |
|
( Apple Network f187c4
) |
BSS |
( 00:0a:95:f1:87:c4 ) |
|
[ 27 176 149 ] |
1 |
400 |
10 |
|
( Showport ) |
BSS |
( 00:0a:95:f3:5f:67 ) |
|
[ 18 167 149 ] |
11 |
400 |
10 |
|
( broadway ) |
BSS |
( 00:0a:95:f5:de:a1 ) |
|
[ 6 155 149 ] |
11 |
2 |
1 |
|
( aleakala ) |
BSS |
( 00:0c:41: |
|
[ 6 155 149 ] |
11 |
40 |
6 |
|
( linksys ) |
BSS |
( 00:0c:41:41:2c:c2 ) |
|
[ 18 167 149 ] |
1 |
40 |
6 |
|
( JATA ) |
BSS |
( 00:0c:41:73:32:9a ) |
|
[ 18 167 149 ] |
11 |
40 |
6 |
|
( appel ) |
BSS |
( 00:0c:41:86:93:5c ) |
|
[ 6 155 149 ] |
1 |
40 |
6 |
|
( linda ) |
BSS |
( 00:0c:41:8a:28:14 ) |
|
[ 12 161 149 ] |
1 |
40 |
6 |
|
( linksys ) |
BSS |
( 00:0c:41:9b:73:a0 ) |
|
[ 18 167 149 ] |
1 |
40 |
6 |
|
( kerncap ) |
BSS |
( 00:0c:41:b1:2e:9a ) |
|
[ 18 167 149 ] |
11 |
800 |
11 |
|
( linksys ) |
BSS |
( 00:0c:41:c8:41:83 ) |
|
[ 90 239 149 ] |
1 |
40 |
6 |
|
( YSK ) |
BSS |
( 00:0c:41:ca:ef:b1 ) |
|
[ 6 155 149 ] |
11 |
40 |
6 |
|
( 23training ) |
BSS |
( 00:0c:41:d7:f1:85 ) |
|
[ 15 164 149 ] |
11 |
40 |
6 |
|
( bedroom ) |
BSS |
( 00:0c:41:d7:f8:de ) |
|
[ 18 167 149 ] |
1 |
40 |
6 |
|
( MendesMountAP23 ) |
BSS |
( |
|
[ 24 173 149 ] |
1 |
2 |
1 |
|
( Theatertech ) |
BSS |
( 00:0d:93:82:bb:83 ) |
|
[ 18 167 149 ] |
11 |
400 |
10 |
|
( external ) |
BSS |
( 00:0d:ed:4c:f6:33 ) |
|
[ 12 161 149 ] |
21 |
10 |
4 |
|
( external ) |
BSS |
( 00:0d:ed:4c:fb:7d ) |
|
[ 18 167 149 ] |
21 |
800 |
11 |
|
( external ) |
BSS |
( 00:0d:ed:4c:fb:d6 ) |
|
[ 21 170 149 ] |
21 |
80 |
7 |
|
( external ) |
BSS |
( 00:0d:ed:4c:fb:e5 ) |
|
[ 12 161 149 ] |
21 |
8 |
3 |
|
( external ) |
BSS |
( 00:0d:ed:4c:fd:78 ) |
|
[ 9 158 149 ] |
21 |
80 |
7 |
|
( external ) |
BSS |
( 00:0d:ed:4c:fd:82 ) |
|
[ 15 164 149 ] |
21 |
10 |
4 |
|
( external ) |
BSS |
( 00:0e:d7:48:6b:2f ) |
|
[ 39 188 149 ] |
21 |
8 |
3 |
|
( external ) |
BSS |
( 00:0e:d7:48:6b:32 ) |
|
[ 30 179 149 ] |
21 |
8 |
3 |
|
( external ) |
BSS |
( 00:0e:d7:48:6b:34 ) |
|
[ 9 158 149 ] |
21 |
10 |
4 |
|
( external ) |
BSS |
( 00:0e:d7:48:6b:35 ) |
|
[ 12 161 149 ] |
21 |
80 |
7 |
|
( Wireless4Kerry ) |
BSS |
( 00:0f:3d: |
|
[ 15 164 149 ] |
31 |
40 |
6 |
|
( Wireless4Kerry ) |
BSS |
( 00:0f:3d: |
|
[ 15 164 149 ] |
31 |
40 |
6 |
|
( ARG ) |
BSS |
( 00:0f:66:18:7b:f1 ) |
|
[ 51 200 149 ] |
11 |
200 |
9 |
|
( linksys ) |
BSS |
( 00:0f:66:2b:85:83 ) |
|
[ 9 158 149 ] |
1 |
40 |
6 |
|
( BLUEFIN ) |
BSS |
( |
|
[ 69 218 149 ] |
1 |
40 |
6 |
|
( BLUEFIN ) |
BSS |
( |
|
[ 18 167 149 ] |
1 |
40 |
6 |
|
( Kamen Wireless 2 ) |
BSS |
( 00:30:65:02:6c:ab ) |
|
[ 39 188 149 ] |
1 |
800 |
11 |
|
( roykamen ) |
BSS |
( 00:30:65:03:76:77 ) |
|
[ 36 185 149 ] |
1 |
2 |
1 |
|
(
Digital-DNS-11/06/2001 ) |
BSS |
( 00:40:96:41:02:06 ) |
|
[ 15 164 149 ] |
31 |
40 |
6 |
|
(
Digital-DNS-11/06/2001 ) |
BSS |
( 00:40:96:41:c7:24 ) |
|
[ 12 161 149 ] |
31 |
800 |
11 |
|
( bmg.ist.nyc-bw1540 ) |
BSS |
( 00:40:96:52:fc:21 ) |
|
[ 18 167 149 ] |
31 |
40 |
6 |
|
( bmg.ist.nyc-bw1540 ) |
BSS |
( 00:40:96:55:df:6e ) |
|
[ 42 191 149 ] |
31 |
40 |
6 |
|
( bmg.ist.nyc-bw1540 ) |
BSS |
( 00:40:96:55:df:84 ) |
|
[ 45 194 149 ] |
31 |
40 |
6 |
|
( bmg.ist.nyc-bw1540 ) |
BSS |
( 00:40:96:55:df:98 ) |
|
[ 42 191 149 ] |
31 |
40 |
6 |
|
( bmg.ist.nyc-bw1540 ) |
BSS |
( 00:40:96:55:df:f5 ) |
|
[ 21 170 149 ] |
31 |
40 |
6 |
|
( turbonet ) |
BSS |
( 00:40:96:5b:20:2e ) |
|
[ 24 173 149 ] |
21 |
2 |
1 |
|
( roomlinx ) |
BSS |
( 00:40:96:a0:17:ce ) |
|
[ 6 155 149 ] |
1 |
40 |
6 |
|
( MSHOME ) |
BSS |
( |
|
[ 21 170 149 ] |
1 |
40 |
6 |
|
( fanTM ) |
BSS |
( 00:a0:f8:51:43:61 ) |
|
[ 36 185 149 ] |
1 |
40 |
6 |
|
( ParisCafe ) |
ad-hoc |
( |
|
[ 6 155 149 ] |
2 |
400 |
10 |
|
( CJ23988-A ) |
ad-hoc |
( |
|
[ 6 155 149 ] |
22 |
800 |
11 |
|
( linksys2 ) |
ad-hoc |
( |
|
[ 6 155 149 ] |
22 |
800 |
11 |
|
( AT&T Wireless ) |
ad-hoc |
( |
|
[ 9 158 149 ] |
22 |
800 |
11 |
|
( pwc80211 ) |
ad-hoc |
( 02:0c:f1:be:53:91 ) |
|
[ 18 167 149 ] |
22 |
400 |
10 |
|
( valkyrie ) |
ad-hoc |
( |
|
[ 15 164 149 ] |
32 |
800 |
11 |
|
( wireless ) |
ad-hoc |
( 02:eb:31:96:f4:7b ) |
|
[ 6 155 149 ] |
2 |
400 |
10 |