Gathering information about wireless networks, or wardriving (depending on the mode of transportation it can also be warwalking or warflying and, as was demonstrated at BlackHat 2008, warballooning), is a very exciting activity that at the same time provides rich statistics on the security level of a city's wireless networks.
Part 1. Hardware
Wi-Fi adapter
When analyzing a small area (a house or a block), the power of the adapter and antenna built into a laptop or PDA may be enough. For more serious research, we would recommend a USB or PCMCIA adapter with a connector for an external antenna. When choosing an adapter, the chipset model is very important; this is discussed in more detail in the next section. Below are some of the most popular adapters:
Alfa Networks AWUS036H: notable for its power (500 mW), SMA antenna connector and a well-supported chipset; USB.
Ubiquiti SRC: also a high-power adapter (300 mW), MMCX antenna connector, perfectly supported chipset; PCMCIA.
Linksys WUSB54GC: a less powerful adapter without an antenna connector. Its main advantages are the supported chipset and the fact that it is freely available for purchase in Ukraine.

A full list of cards that are suitable for this kind of research can be found here.
Antenna
If you decide to use a card with a connector for an external antenna, you will need either a directional or an omnidirectional antenna. The former has a greater range at equal gain, but a much smaller angle of coverage. Directional antennas are best used to scan a limited area or to assess the security of specific access points. The second type is better suited for wardriving, that is, for collecting data over a large area. For normal coverage, an omnidirectional antenna with a gain of 7–9 dBi is sufficient. Make sure the antenna connector matches the connector on the adapter. Typically this is an SMA connector, which is found on most cards with external antennas. The rarer MMCX and N-type connectors are sometimes encountered. The manufacturer is not very important; what matters are the characteristics of the antenna itself.

GPS
To collect not only the parameters of an access point but also its coordinates, you need a GPS receiver. It can be a Bluetooth or USB / serial GPS, an ordinary GPS navigator connected to the computer with a cable, or a smartphone with built-in GPS. The main thing is that the device can transmit data via the NMEA protocol (or, in the case of standalone GPS navigators, the proprietary Garmin protocol).
Part 2. Software
It seems to us that it is much more convenient to collect information about wireless networks on Linux. The following steps were performed on Ubuntu Linux 8.04, but with minor changes they can be repeated on any other Linux distribution.
Drivers
For wardriving, you need a driver that supports the so-called "monitor mode", the mode in which the adapter accepts all packets and not just those intended for it. In some drivers this mode is provided by the manufacturer; others will have to be patched and recompiled. The most complete information about drivers is here. The drivers for the Ralink rt2500, Realtek 8187 and Atheros chipsets install painlessly and, in our opinion, work.
To work with GPS, the receiver must be installed as a serial device and bound to, for example, /dev/ttyS0. After that, run the gpsd program (apt-get install gpsd):
gpsd /dev/ttyS0
If you are using a Bluetooth GPS, add the -b switch:
gpsd /dev/ttyS0 -b
Programs
The two main programs for wardriving are Kismet and the Aircrack-ng suite. Let us start with the first.

Kismet is in all repositories, so it is enough to run apt-get install kismet (or yum install kismet or emerge kismet; these are for Debian (Ubuntu), Fedora and Gentoo systems respectively), then open the /etc/kismet/kismet.conf configuration file and change these lines in it:
source=<driver, for example rtl8187>,<interface, for example wlan0>,<just a label for this source, for example first interface> (without the angle brackets)
gps=true if gpsd connected to the GPS receiver is running on your system
This is enough to make Kismet ready for work. It only remains to run it with the kismet command. After that, you will see a gradually growing list of access points. While it runs, the program records all information in files of several formats: .csv, with a list of all points and their parameters; .gps, with the coordinates of the points; and .xml, which contains both.
These files are then converted to .kml for viewing in Google Earth and Google Maps. You can do the conversion with one of the many scripts for this, such as Kismet Earth or KisGearth. Also, if you have gathered several .csv / .gps / .xml files, they can be combined into one with the merge program from the Kismet tools suite.
We will talk about the second program, the aircrack-ng suite, in the next article about wireless security, because it is designed less for wardriving and more for auditing wireless networks.
Part 3. Protection
It is quite difficult to hide the existence of your network from a random wardriver. In urban conditions the access point's signal, bouncing off walls, can end up in completely unexpected places, so do not underestimate the planning stage: place and orient the access point so that it covers the required territory as fully as possible while limiting signal leakage in unnecessary directions. Some access points let you adjust signal strength, which gives you a tool for controlling signal propagation. If the wireless network must be 100% invisible, we can only recommend using Ethernet or completely shielding the room containing the access point (for example, like this). And one last thing: hiding the name of the access point (ESSID cloaking) in no way hides your network. The name can be recovered from the data sent by clients, and most sniffers do this automatically. Your best defense is therefore the strongest available encryption and authentication (WPA2-PSK with a long key or WPA2-Enterprise with an external authentication server); then, even if attackers find your network, they will not be able to penetrate it.
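The statistics and .kml conversion described in Part 2, and the point above that a cloaked network still shows up by name, can be seen together in a small audit of your own survey log. This is an added example, not code from the article or from Kismet; the column names and sample rows are constructed assumptions modelled on a semicolon-separated Kismet .csv, so adjust them to the header of your own file.

```python
import csv, io
from collections import Counter
from xml.sax.saxutils import escape

# Constructed sample rows; column names are assumed, not taken from the article.
SAMPLE = """Network;ESSID;BSSID;Channel;Cloaked;Encryption;GPSBestLat;GPSBestLon
1;office-ap;00:11:22:33:44:01;6;No;WPA2,AES-CCM;50.4501;30.5234
2;guest;00:11:22:33:44:02;1;No;None;50.4507;30.5240
3;warehouse;00:11:22:33:44:03;11;Yes;WEP;50.4512;30.5251
4;lab;00:11:22:33:44:04;6;Yes;WPA,TKIP;50.4498;30.5229
"""

def classify(enc):
    """Map an Encryption field to a coarse class, strongest match first."""
    enc = enc.upper()
    for name in ("WPA2", "WPA", "WEP"):
        if name in enc:
            return name
    return "open"

def audit(text):
    """Return (count per encryption class, rows that need attention)."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter=";"))
    counts = Counter(classify(r["Encryption"]) for r in rows)
    # Cloaking is not treated as a control: a cloaked row is still listed
    # with its ESSID, so only open and WEP networks are flagged.
    weak = [r for r in rows if classify(r["Encryption"]) in ("open", "WEP")]
    return counts, weak

def to_kml(rows):
    """Render rows as KML placemarks (KML uses longitude,latitude order)."""
    marks = "".join(
        "<Placemark><name>{}</name><description>{} {}</description>"
        "<Point><coordinates>{},{}</coordinates></Point></Placemark>".format(
            escape(r["ESSID"]), escape(r["BSSID"]), escape(r["Encryption"]),
            float(r["GPSBestLon"]), float(r["GPSBestLat"]))
        for r in rows)
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
            + marks + "</Document></kml>")

if __name__ == "__main__":
    counts, weak = audit(SAMPLE)
    print(dict(counts))
    for r in weak:
        print("review:", r["ESSID"], r["Encryption"], "cloaked=" + r["Cloaked"])
    print(to_kml(weak))
```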
For more information about attacks on wireless networks and how to prevent them, see the following article on the security of wireless networks.