Wireless Fidelity - Your Guide to Getting Free
by riscphree, riscphree@gmail.com, http://riscit.info

===================Contents===================

1. Legal stuff
2. Hardware
   2.1 Computers
   2.2 Wireless Cards
   2.3 Antennas
       2.3.1 Antenna 101
       2.3.2 Omni-Directional
       2.3.3 Directional
3. Software
4. Security
   4.1 WEP
   4.2 MAC Filtering
   4.3 WPA
5. Staying Anonymous

==================

1. Legal stuff

The information contained herein is for educational and testing purposes only. You may only use what you find in here for those purposes, and the author cannot be held accountable for what you use this for.

The legality of wardriving, as far as I know, is a very fine line between getting 5 years in jail and not dropping the soap. So make sure you check your local laws on this. In the U.S. wardriving is legal, as it should be in every country. But the law states that you may not connect to a network without authorization. Now, Microsoft was kind enough to include an auto-connect for when Windows finds a wireless network, so make sure you turn that off. That is located under the settings of your card.

2. Hardware

2.1 Computers

For wardriving, mobility is the key, obviously. I use a Gateway 7210GX, which has an Athlon 3000+ (2.2GHz), 512MB RAM, and an 80GB hard drive. Now if all you're doing is wardriving, this is overkill. For the bare minimum, I'd say you can get by with a 400MHz processor with a small amount of RAM. Now, you won't want to run Windows on there, because that would be just ... slow. I'd suggest an install of a flavor of Linux, as this will run much faster, in my experience. A good Linux distro to try out is Knoppix-std. This distro comes with all the wifi security tools you would ever need. You can find it at www.knoppix-std.org. Another live CD distro is Auditor. This is a very cool distro too; it has about 300 tools and is a competitor to Knoppix-std.
You can find Auditor at www.remote-exploit.org

2.2 Wireless Cards

To connect antennas, which will be discussed next, you need a wireless card that has an antenna port on it. Different manufacturers have different connector types. Below is a table of brands and the type of ports (that I know of).

BRAND                     | Connector Type
-----------------------------------------
Orinoco, Apple, Avaya     | MC
Senao, Proxim, Symbol     | MMCX
Belkin, D-Link            | RP-SMA
Linksys, Netgear          | RP-TNC
Apple Airport Extreme     | MCX

Most cards that you buy at a retail store, say Best Buy, have a relatively small output of around 32mW. Some cards have an output of 300mW, which is a substantial boost in sensitivity. Cards with 300mW output include the Senao (www.senao-me.com) and the Reliaware (now Demarc Technology, demarctech.com). However, these cards can become quite expensive when bought from the manufacturer; I suggest you look at eBay first.

2.3 Antennas

There are two types of antennas that I will cover: omni-directional and directional. Omni-directional antennas cover a roughly circular area around them, while directional antennas pick up signals from the direction in which you point them.

2.3.1 Antenna 101

Many factors are taken into account when using an antenna. Antenna gain is measured in decibels isotropic (dBi), which is the strength of an antenna as related to a theoretical sphere around an imaginary antenna. dBi is a logarithmic measurement, meaning every 3 dBi doubles antenna gain. Just remember that the higher the dBi, the more sensitive and focused the antenna is. To connect the antenna to your wireless card, you will need to get a pigtail with a connector for your card on one end and an N-Male connector, or whatever the antenna uses, on the other. There will be another antenna and pigtail making article from me in the near future.

How to Calculate Line Loss from an Antenna

Let's say we start with a signal of 100mW (+20dBm) and use a 100ft. cable. We'll use LMR-100 and LMR-400 for comparison.
For every 100 feet of LMR-100 cable, there is a 38.9dB loss of signal (-38.9dB). For LMR-400 there is a 6.6dB loss of signal (-6.6dB) per 100 feet. Start with the transmit power, in our case +20dBm (or 100mW), subtract the dB of line loss, and the result is the power at the other end of the cable.

LMR-100 (38.9dB loss): +20dBm - 38.9dB = -18.9dBm (~0.001mW)
LMR-400 (6.6dB loss):  +20dBm - 6.6dB  = +13.4dBm (~20mW)

As you can see, the LMR-100 cable has a significant loss of signal compared to the LMR-400, but the sacrifice is in cable diameter: LMR-100 is 1/10" whilst LMR-400 is 3/8". Remember to keep your cable lengths short, and if you need more info on calculating cable loss, just search Google; there are plenty of calculators available online.

2.3.2 Omni-Directional

There are various types of omni-directional antennas. I prefer an omni-directional antenna while wardriving because a magnet-mounted one on top of a car picks up a lot more signals than you would think. My findings about tripled when I first used my mag-mount omni. There are a few different types of omnis, which you can find with a Google search, as well as on eBay. I also bought an antenna called a "blade", which I got off eBay; you can find many on there. The blade antenna is something that you attach to the top of your laptop, and it sticks up. It works very well for me so far.

2.3.3 Directional

I use directional antennas for testing the ranges that I can get. I don't use my directional antennas while I'm wardriving because, obviously, you won't get the same results. There are also different versions of the directional antenna. There are cantennas, which I am sure you have seen or heard of. They are antennas made out of soup cans, Pringles cans, or coffee cans. Now, if you're advanced in antenna design and theory, you'll notice that the circumference of the Pringles can, which is around 2.5 inches, does not sound right. I am not sure myself how this works, but it just does.
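As an added example (not code from the original article), here is the Antenna 101 line-loss calculation carried through in Python: dBm/mW conversion, cable loss scaled to any length, the LMR-100 vs LMR-400 cases above, and the "3 dB doubles" rule as a ratio. The per-100ft loss figures are the ones quoted above; the optional antenna_gain_dbi parameter is my own addition.

```python
import math

# Cable loss per 100 ft in dB, as quoted in the Antenna 101 section
LOSS_DB_PER_100FT = {"LMR-100": 38.9, "LMR-400": 6.6}


def mw_to_dbm(mw: float) -> float:
    """Convert milliwatts to dBm: 100 mW -> +20 dBm."""
    return 10.0 * math.log10(mw)


def dbm_to_mw(dbm: float) -> float:
    """Convert dBm back to milliwatts: +20 dBm -> 100 mW."""
    return 10.0 ** (dbm / 10.0)


def cable_loss_db(cable: str, length_ft: float) -> float:
    """Loss grows linearly with length, so scale the per-100ft figure."""
    return LOSS_DB_PER_100FT[cable] * length_ft / 100.0


def db_to_ratio(db: float) -> float:
    """Linear power ratio for a dB figure: 3 dB -> ~2x, 10 dB -> 10x."""
    return 10.0 ** (db / 10.0)


def power_at_antenna(tx_mw: float, cable: str, length_ft: float,
                     antenna_gain_dbi: float = 0.0) -> dict:
    """Transmit power minus cable loss, plus antenna gain (assumed
    parameter, not in the article); dB values simply add and subtract."""
    tx_dbm = mw_to_dbm(tx_mw)
    loss = cable_loss_db(cable, length_ft)
    out_dbm = tx_dbm - loss + antenna_gain_dbi
    return {
        "tx_dbm": round(tx_dbm, 1),
        "loss_db": round(loss, 1),
        "out_dbm": round(out_dbm, 1),
        "out_mw": dbm_to_mw(out_dbm),
    }


if __name__ == "__main__":
    for cable in LOSS_DB_PER_100FT:
        r = power_at_antenna(100.0, cable, 100.0)
        print(f"{cable}: {r['tx_dbm']:+.1f} dBm - {r['loss_db']} dB = "
              f"{r['out_dbm']:+.1f} dBm ({r['out_mw']:.4f} mW)")
    # A short run of thin cable: 10 ft of LMR-100 loses only ~3.9 dB
    print(power_at_antenna(100.0, "LMR-100", 10.0))
    print(f"3 dB is a power ratio of {db_to_ratio(3.0):.2f}")
```

Running it shows that -18.9dBm works out to about 0.013mW and +13.4dBm to about 22mW, so treat the mW figures quoted above as rough approximations.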
And also what I've found out is to not aim the antenna directly at what you want to receive. Aim a little high and off to the right or left, while slowly sweeping back and forth. The antenna gives off a 45 degree lobe on either side, which is why that works best.

3. Software

Software on the Windows side is pretty much dominated by Netstumbler (http://netstumbler.com). Netstumbler is the best I've used (on Windows) anyway. There are no config files to mess with, and when you start up, you shouldn't have to configure anything. The only option you might need to configure would be which card config you want to use. Most cards support NDIS and Prism. I have not found any differences in which one I use. If you're using a GPS, you can use the config menu to set how fast it updates the coordinates. I always set it to as fast as it goes. I haven't seen any problems with it yet.

For Linux there are a few more programs from what I've seen. The forerunner is Kismet (http://kismetwireless.net). Kismet will detect access points that are cloaking their SSID, which Netstumbler will not do. Kismet is also an intrusion detection system and sniffer, which will come in handy when dealing with your wireless needs. I use Kismet whenever I can, but Netstumbler works well also. Knoppix-std, a live Linux distro, contains security tools and Kismet. If you don't have a Linux distro on your laptop, or are not familiar with it, you can use this to boot into Linux and run a fully working Linux box with applications already installed.

Airsnort (http://airsnort.shmoo.com) is used to crack the WEP key and can do so using 5 - 10 million packets, which will then be cracked in under a second. Airsnort is currently a Linux project, but I have gotten it to work under Windows.

4. Security

4.1 WEP

WEP stands for Wired Equivalent Privacy. It was designed to protect the users from intruders using the same equipment.
It is based on the idea that the key stays among the people who are supposed to use the access point, and access is regulated by MAC address. Now, WEP is not totally secure by any means. If you collect enough weak packets, called IVs, you can crack the password. Note, you'll need about 5GB of network traffic to accomplish this. Do not rely on WEP encryption as your main source of security.

4.2 MAC Filtering

MAC filtering is used to only allow certain MAC addresses onto the network. And as most of us know, MAC addresses are EASY to change, so in order to get past this, you will need to sniff a MAC out or guess :) . I would not advise you to use MAC filtering as your only security.

4.3 WPA

WPA, Wi-Fi Protected Access, was designed to improve upon the security of existing WEP. Normally, it will be a firmware upgrade you do to your AP to make this feature available. This new standard includes two improvements: 1) improved data encryption through the Temporal Key Integrity Protocol, which scrambles the keys and adds integrity checking, allowing the user to see if the key has been tampered with, and 2) user authentication through the Extensible Authentication Protocol. The EAP uses a more secure key scheme to protect users. WPA is a standard that will be replaced when the 802.11i standard is completed.

5. Staying Anonymous

Staying hidden in this age is somewhat troublesome. What I can suggest you do when cruising the radio waves is change your computer name. And change the MAC address of the NIC also. This doesn't give you 100% anonymity though. Use proxy servers if you're browsing the internet. Keep in mind, anything you transmit over the airwaves can and could very well be sniffed by someone who is looking to steal your information. Just use common sense when using wireless hotspots.