|< Day Day Up >|
Site Survey Considerations and Planning
After the data-gathering phase is complete, decide how you are going to survey the area and position yourself. The possibilities include the following:
Each tactic has its own advantages and disadvantages. Warwalking does not cover a large area, but a large amount of dumped data is guaranteed. You can stop at any point to check the signal strength, check the network traffic in real time, attempt to connect to the network, launch DoS or man-in-the-middle attacks, and so on. Besides, you have the advantage of physically surveying the area to spot the following:
"No Bluetooth" or similar signs are a clear indicator of a wireless network with a system administrator understanding the concept of interference and taking care to prevent it. Warchalking refers to marking the sidewalks and walls to indicate nearby wireless access points. A good source on warchalking is http://www.warchalking.org. It is essential that you familiarize yourself with warchalking signs and their significance. To assist you, we have gathered a small collection of warchalking signs and placed it in Appendix F. Depending on the area, two different warchalking signs might mean the same thing, and there is even a sign for FHSS networks. Thus, do not consider the relative obscurity of your non-802.11 DSSS network such as HomeRF or 802.11 FHSS WLAN to be an ultimate protection against possible intruders. Someone must be out there scanning for them and we won't be surprised if new warchalking signs ("Bluetooth PAN," "non-802.11 standard point-to-point link," as well as "WEPPlus WLAN," "802.1x in use, EAP type is ...," "802.11i-enabled network," "TKIP," "TurboCell," etc.) decorate the streets soon.
Warwalking has some obvious disadvantages: You have to carry all your equipment around (antennas present the largest problem) and have power limited to the battery power of your laptop or PDA and the amount of spare batteries you can carry. It is unlikely you can take a very high-gain directional antenna or an amplifier on a warwalking trip. Most important, a warwalker and his or her equipment are exposed to the adverse effects of the elements. Laptops do not really enjoy rain, and wet RF connectors mean a significant loss that might persist afterward due to rusting.
Wardriving, on the contrary, provides good protection against the elements and a good source of power in the form of a car battery and a generator. You can discover all networks in the area, and it doesn't matter how fast you drive: The beacon frames are sent every 10 milliseconds and you won't miss one while passing by or through the WLAN. Of course, you won't dump a lot of traffic unless you drive really slowly and will have difficulties in observing and analyzing the packets in the air and launching various attacks unless you can park in the appropriate place. This is often impossible in the center of a large city or on a private corporate premises. Another obvious problem when wardriving is the antenna. You'll need to place an external antenna outside of the car to avoid a significant loss caused by the car frame. Remember that even a normal glass brings around 2 dBm of loss. Of course, placement of an external antenna would mean an RF cable with connectors, which brings more loss. Typical wardriver kits or "rigs" include a magnetic-mount, ground plane, omnidirectional antenna with about 5 dBi gain and a thin pigtail-style cable that might cause more loss than the gain produced by the little omnidirectional on the top of the car. Mounting anything better on your car roof would present an additional technical challenge and you won't be able to use high-gain directional antennas unless you wardrive in a convertible. Thus, an appropriate combination of wardriving and warwalking is usually required.
Warcycling presents an intermediate solution between warwalking and wardriving. You are power-limited, exposed to elements, and slow, but some traffic can be dumped in the process, there is no metal cage around, parking is easy, and no one can stop you from hanging a covered high-gain omnidirectional over your shoulder. The use of directional antennas while warcycling does not make any sense and your hands are usually too busy to type any commands. A PDA fixed between the bike handlebars might provide a good solution for real-time traffic and signal strength monitoring when warcycling.
"Warclimbing" is a term we use at Arhont to define discovering, analyzing, and penetrating wireless networks from a stationary high position. Why go and look for a network if the network might come knocking at your door? In summer 2002, from the top of the Cabot Tower in Bristol (Figure 7-2) we discovered 32 wireless networks using a 19 dBi directional grid or half that number of networks using 15 dBi Yagi. Some of these networks were in Bath and across the Welsh border, quite an impressive reach! Even with a 12 dBi omnidirectional we were still able to detect about a dozen networks in the area; I guess the number has grown significantly since then.
Figure 7.2. Cabot Tower in Bristol, United Kingdom.
A high place from which to search and connect might be a tall building roof, top of a hill, or a room on the top floor of an appropriately placed hotel where a determined wireless attacker could stay for a day or two to get into the target corporate wireless network. The advantages of warclimbing are derived from the stationary position of an attacker and the distance and link quality obtained by using a high-directional antenna and having a clear line of sight (LoS). Of course, appropriate warclimbing sites have to be present and the best site found by checking the signal strength of a targeted network. In terms of penetration testing, finding all such sites in the area and being aware of their positions beforehand can be a great help should one ever need to triangulate and find an advanced attacker armed with a high-gain directional antenna and confident of his or her invincibility, like Boris in Golden Eye.
We do not cover more exotic methods of enumerating wireless networks such as warflying. As someone pointed out at Slashdot, "How do you chalk from 12,000 feet high?" Surely the networks could be discovered, but if you manage to log a single data packet, consider yourself lucky. Nevertheless, we are planning a trip in a hot air balloon with a decent directional antenna, a hybrid of warclimbing and warcycling, perhaps.
When planning your site survey and further penetration testing, take into account the things you might already know from the data-gathering phase; for example, the area landscape and network positioning:
|< Day Day Up >|