Getting to Know Your Neighbors (Autumn, 2003)
---------------------------------------------
By Shiv Polarity

Note: In most places, connecting to your neighbor's network without their permission is illegal. Additionally, you can be prosecuted by your neighbor's Internet provider for theft of services if you access the Internet through their network. These instructions are purely for informational purposes and are intended to help you learn how to secure your own wireless network by learning the tactics of potential attackers. Do not invade the privacy of your neighbors; it is rude. Do not steal Internet access; it is wrong.

The use of devices such as 802.11b network cards in schools, coffee shops, and the workplace is becoming more and more common every day. In a setting such as an apartment complex, it is common to have one or more neighbors who have laptops or computers equipped with such a device. If you have a wireless network in your home, you should know how a motivated WiFi user might try to gain access to your network. To adequately protect your network from invaders, you should understand what tools and tactics could be used against you.

The first thing you would need to explore a neighbor's network is a computer with a correctly configured 802.11 network card. I use a laptop with a Compaq WL100 PCMCIA card. The drivers I have found most useful are the linux-wlan-ng drivers from http://www.linux-wlan.com/linux-wlan. For the purposes of this article, the use of these drivers will be assumed. Other cards may require other drivers, though almost any Prism2-based card should be fine with linux-wlan-ng. Download the source and follow the instructions to compile for your specific configuration.

Phase 1: Discovery

The first step toward exploration is discovery. By default, your network card will try to connect to the strongest available signal it finds.
This is good for accessing the Internet from coffee shops or school, but for our purposes we need a little bit more information. This is where a little app named Kismet comes into play. Kismet is an "802.11 wireless network sniffer," available from http://www.kismetwireless.net. Once it has been downloaded and configured you can use it to scan the surrounding airwaves for wireless networks.

To start Kismet you must first use the root account to start the Kismet server by running kismet_monitor. This will put your card into scan mode, which will disconnect you from any previous networks you may have been connected to. The kismet_monitor command starts up the Kismet server application. Once that has been started, open a different console and run the command kismet. In your kismet.conf file, you should have configured Kismet for a default user. This is the only user that can start the application, so be sure you run the kismet command as that user.

The graphical interface presented by Kismet can be confusing at first. I suggest you read the documentation at the Kismet web site and get to know what all the symbols and sounds mean. Personally, I find the sounds irritating and usually turn them off by pressing the "m" key. Kismet offers a great deal of information, providing statistics and details for all detected wireless signals. For our purposes, all we are interested in is the list of available access points. The perfect access point will be unencrypted (access points named "default" are particularly delicious). Kismet will tell you whether or not a given access point is using WEP (Wireless Encryption Protocol). If all of the listed access points for your location are encrypted, you will not be able to proceed. WEP can be broken, but it is a time-consuming process and is beyond the scope of this article (a little too invasive for my taste), though I will suggest you visit http://airsnort.shmoo.com if it is not beyond the scope of your personal ethics.

Once you have identified an unencrypted access point, write down its SSID (name) as well as the channel the signal is using and quit Kismet. Once you have closed the Kismet application, run the kismet_unmonitor command as root. This stops the Kismet server and puts your WiFi card back into its normal mode of operation, though it doesn't hurt to also run /etc/init.d/pcmcia restart just for good measure, assuming you are using a laptop.

Phase 2: Connectivity

The next step is actually connecting to the access point you have identified. The steps involved in connecting to an access point will differ from one 802.11 driver to the next. These instructions apply to linux-wlan-ng drivers only. If you use different drivers, consult the instructions for those drivers.

Edit /etc/wlan/wlan.conf and look for the line beginning with SSID_wlan0. The value for that key should be the SSID of the access point you wish to connect with. Next, look in /etc/wlan for a file named wlancfg-DEFAULT. That file is your template config file. Do not edit it or overwrite it. Instead, use the cp command to create a copy of it. The name of the copy is important and is determined by the SSID of the access point you are trying to connect with. For example, if your target access point is named MyAccessPoint you would use the following command:

    cp wlancfg-DEFAULT wlancfg-MyAccessPoint

This will create a new file named /etc/wlan/wlancfg-MyAccessPoint. For access points named default, create the file /etc/wlan/wlancfg-default. Remember, this is Linux, so wlancfg-DEFAULT and wlancfg-default are totally different files. The linux-wlan-ng drivers will use this new file the next time your wireless connection is initialized. After you have the new config file, edit it. The contents of the file should be pretty easy to understand. Enter the channel in the appropriate place, as well as the WEP key if needed (if you used Airsnort to acquire one). Most of this file can probably be left as is.

Once all of your values are entered correctly into the new config file, restart your wireless connection. Personally, I use "/etc/init.d/pcmcia restart" to do this, though you may have a different means. If everything is correct, you will connect to your target access point. My card gives me two high-pitched beeps to indicate a good connection. One high-pitched beep followed by a low-pitched beep indicates failure.

There are several reasons your connection attempt might fail. If the access point uses MAC address filtering, you will probably not be able to connect to the access point. In this case you are probably up against a fairly savvy access point and you're better off seeking lower-hanging fruit. You may also have made a mistake in your wlancfg file. Double-check it. Restart Kismet if you need to make sure you got everything right to begin with. Also double-check to make sure the access point isn't using encryption. Another reason for connection failure could be poor signal strength. Again, check Kismet to make sure there is a reliable signal getting to you. If not, try walking around (assuming you have a mobile computer) and see if you can get a better signal somewhere else. Sometimes just a few feet in the right direction can make a huge difference. If all else fails, check /var/log/syslog or one of your other error logs.

Phase 3: Exploration

Now you're connected to your neighbor's access point. Congratulations, you outlaw. Before proceeding, be aware that your connection has been logged on your neighbor's access point or wireless router. Of course, if your neighbor has left his access point wide open, they probably don't even know what the log means and probably never check it. But you should be aware. They have a log of your MAC address, what time you connected, what IP you were assigned, and, depending on the access point, they may be logging everything you do on their network.

So What Now?

Well, my first thing would probably be to see what IP I have been assigned. It is usually 192.168.0.x where x is some number greater than 1. Also, pinging 192.168.0.1 usually works because that is probably the IP of the access point or wireless router. Try opening a Web browser and entering http://192.168.0.1. If prompted for a username/password, try typing in "admin" as the username and leave the password blank. If they are truly using the out-of-the-box configuration, this will usually let you into the configuration page. If you can get into the configuration page, you now have full control of the access point and/or router. One good idea might be to clear the activity log. But hey, this is your gig. Do what you like. Another interesting venture could be to look at any port-forwarding rules. Finding out which ports are forwarded is a good way to determine what sorts of things go on over this network. Is there a Web server somewhere? An SSH server? Does anyone play video games? If so, what IP do these services run on? This is all very interesting stuff.

If you can't find the access point right away, try using a tool known as nmap (http://www.insecure.org/nmap/). As root, run the command xnmap to get a nice graphical interface for this incredible tool. You have several options you can perform with nmap. One of my favorites is an IP scan using operating system detection. If you tell it to scan 192.168.0.*, it will scan every possible IP on that segment and return to you a list of all active IP addresses, along with which operating systems they are using. The IP for the access point will have an operating system such as "D-Link DWL 900AP+" or something along those lines. It should be obvious. So now you know where the access point is. You also know what model the access point is. Try a Google search for that model number. You can sometimes find interesting bugs or vulnerabilities on Web forums for specific models.

At the absolute least you should be able to download the PDF manual for the access point to learn how it works, along with a confirmation of the default username and password. You also know how many clients are using the access point, and you know their IP addresses.

So now it's time to be neighborly. Go grab an application called LinNeighborhood. This program gives you a graphical interface to your local network, much like Microsoft's famous Network Neighborhood. Once you've started LinNeighborhood you probably will only see your computer listed in the main window. Since it is highly unlikely that you're on the same workgroup as your neighbor's computers, you will have to do a little work to find them. Click the button at the top labeled Add. This will bring up a dialog asking for a name, group, IP, etc. Enter an IP from the list given to you by nmap, then click Query. LinNeighborhood will fill in the rest of the values for the Add dialog. Once the rest of the values have been filled in, click OK. The new computer should now show up in LinNeighborhood. Do this for each of the computers found by nmap.

Clicking on the computers listed in LinNeighborhood will show you any shared folders they have. You will need to know the usernames and passwords to access them, unless they have been shared publicly. But at this point, why would you suspect your neighbor of not sharing his files publicly? LinNeighborhood will mount the shares on your local file system, and you can look around and see what is there. My personal suggestion would be to not look at the files, and (assuming you can get write access) politely leave a conspicuous text file explaining how to properly secure a wireless network, suggesting WEP encryption, MAC filtering, and setting new passwords and IP addresses for everything. If you do this, most definitely be sure to clear the activity logs in the access point or router.

At the absolute least you should be able to learn the names, groups, and IP addresses of your neighbor's computers. You can use the port forwarding rules from the router to determine what roles the network clients perform, and you'll be able to access the Internet, albeit illegally. Of course, the smartest thing to do would be to not try any of this stuff yourself and instead double-check your own access point or wireless router configuration to be sure they are secure. Also, be sure to change your WEP keys from time to time and keep an eye on your logs. You never know who lives nearby. It could be another 2600 reader.
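As an added example (not from the original article), here is a small script that puts the closing advice and the Phase 3 observation to work on the defender's side: the access point records each client's MAC address, connection time and assigned IP, so keeping an eye on that log means flagging any MAC that is not on your own MAC-filter list. The log line format, the MAC addresses and the IPs below are constructed for the example; LOG_RE is an assumption and must be adjusted to whatever your router actually writes.

```python
import re
from datetime import datetime

# Constructed sample of the kind of log an access point keeps: one line per
# DHCP assignment with timestamp, the IP handed out and the client's MAC.
# The format is assumed for this example; real routers differ.
SAMPLE_LOG = """\
2003-10-04 21:14:02 DHCP lease 192.168.0.2 to 00:0a:95:9d:68:16
2003-10-04 21:15:47 DHCP lease 192.168.0.3 to 00:50:8b:1c:aa:30
2003-10-05 02:03:11 DHCP lease 192.168.0.4 to 00:02:2d:4f:77:b1
2003-10-05 02:03:15 DHCP lease 192.168.0.5 to 00:02:2d:4f:77:b1
"""

# MAC addresses of your own machines, i.e. the same list you would put in the
# access point's MAC filter (constructed values).
KNOWN_MACS = {"00:0a:95:9d:68:16", "00:50:8b:1c:aa:30"}

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DHCP lease "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_leases(text):
    """Yield (timestamp, ip, mac) for every log line matching LOG_RE; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("mac").lower()


def unknown_clients(text, known_macs):
    """Return {mac: {"first_seen": datetime, "ips": [...]}} for MACs not in known_macs.

    Comparison is case-insensitive; a client that was handed several IPs is
    reported once, with every IP it received and the earliest time it was seen.
    """
    known = {k.lower() for k in known_macs}
    report = {}
    for ts, ip, mac in parse_leases(text):
        if mac in known:
            continue
        entry = report.setdefault(mac, {"first_seen": ts, "ips": []})
        entry["first_seen"] = min(entry["first_seen"], ts)
        if ip not in entry["ips"]:
            entry["ips"].append(ip)
    return report


if __name__ == "__main__":
    for mac, info in unknown_clients(SAMPLE_LOG, KNOWN_MACS).items():
        print(f"unknown client {mac}: first seen {info['first_seen']}, IPs {info['ips']}")
```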