Published by Tânia Antunes Casado. Modified over 6 years ago.
1
WarDriving: Drive, Detect and Defense for Wireless Networks
Alan M. Nutes
2
Goals and Objectives
The goals and objectives of this session are to acquaint participants with the motives, technology and methods used by individuals who could be considered a threat to the wireless networks of a corporation. In addition, safeguards against the threat will be provided.
3
HOW WILLING ARE YOU TO ROLL THE DICE ?
4
Definitions
5
What Are Wireless Networks (WiFi)
A wireless network allows users to connect to a wired network, which often supplies an Internet connection, through a wireless link. Most wireless LANs are based on the 802.11b/g standard, with up to 54 Mbps bandwidth at 2.4 GHz.
6
Wireless Equivalent Privacy (WEP)
- Referred to as “Wow Easy Prey”.
- WEP is part of the 802.11 standard and acts as a security protocol.
- However, older versions of the WEP encryption key are flawed.
- Updated firmware has started to correct this error, but most hardware is still vulnerable.
7
Wi-Fi Protected Access (WPA)
- Better designed than WEP
- Fixes the problem in WEP by using:
  - Temporal Key Integrity Protocol (TKIP)
  - Pre-Shared Key (PSK)
- Implemented in newer wireless hardware devices
- Compatible with all standards
8
The Origins of WarDriving
9
Movie “Wargames” (1983)
- Depicts a young hacker programming a modem to dial every possible number to gain access to computers
- Technique became known as “wardialing”
- Not that productive, since it was time consuming
10
What’s In A Name?
WarDriving is the act of driving around areas, scanning for open WiFi hotspots and mapping the population. Sometimes referred to as “Geek’s catch and release fishing”. This can include such terms as:
- WarWalking for walking
- WarBiking for bicycling
- and so forth
11
History of WarDriving Terminology
- WarDriving probably began the day after the deployment of the 1st wireless access point
- Conducted an 18-month study
- Results were reported at the annual DefCon hacker conference
- Became well known when the process was automated by Peter Shipley
- This laid the groundwork for the “TRUE” WarDriver
12
The WarDriver Motives
WarDriving is done for many reasons:
- As a community service to increase awareness
- As a business model to secure for profit
- To commit the dreaded criminal acts of spreading viruses, hacking or committing fraud
Threat is present and increasing
13
Wireless Incidents
14
Wireless Invasions: Best Buy – May 2002
- Customer credit card/transaction data at 1900 stores left vulnerable
- CULPRIT: Portable Point-of-Sale (POS) terminals and wireless LAN
- Network detected from a car parked in the store’s parking lot
- System was operated without even the basic WEP
- This was the result of a person purchasing a wireless card, plugging it into their laptop and finding they were intercepting the transactions
15
Wireless Invasions: US Airports Found to Have Unsecured Wireless LANs
Wireless local area networks at San Francisco International, Chicago O’Hare, Atlanta and San Diego airports were found to be operating without basic security protections in place. The networks handled tasks including passenger check-in and baggage transfer.
ComputerWorld, October 7, 2002
16
Wireless Invasions: Michigan Men Sentenced for Hacking Store System
November 2003
- Two Michigan men (age 21) allegedly went wardriving, found a Lowes Home Improvement network and proceeded to steal company data and credit card information.
- Break-ins occurred between October 25th, 2003 and November 7th, 2003.
- One pled guilty and was sentenced to nine (9) years in a federal prison
- One pled guilty and was sentenced to 26 months in prison and 2 years of court supervised release
- Conducted “wardriving” techniques, penetrated the network and modified proprietary software to trap credit card transactions
17
Wireless Invasions: North Carolina Man First in Nation Convicted of Wireless Crime
November 2003
- Perpetrator (age 29) hacked into more than 2000 patient records at Wake Internal Medicine Consultants.
- Used a laptop from his car and penetrated the wireless network of the facility
- Pled guilty and received 18 months probation and a $10,000 fine.
18
DRIVE Let’s Go WarDriving
19
HARDWARE
- Laptop booting Win2K or WinXP
- Wireless network card with external antenna connection
- 7 dBi omni-directional antenna
- GPS unit with serial connection
- Power inverter
- Smaller & Compact Option
20
Software
- Windows 2000/XP
- NetStumbler
- Microsoft Streets and Trips or Microsoft MapPoint
- Orinoco Client Utility
21
WarDriving
23
Lawrence, Kansas
24
And the cost of these antennas is ???
25
Mobile Netstumbler Kit w/PC Card
Specs
- Plugs into laptop Type II slot
- Coverage range of up to 1750 feet
- Provides 5 dB gain performance
- Easy installation
- IEEE 802.11b/g certified
26
Parts Cost Total: All Threaded Rod 2 Nylon Lock Washers 5 Washers
Aluminum Tubing Connector Copper Wire Construction Time: 1 hour Copper Wire 12 gauge Scrap Plastic Disc
27
With the increasing need to discover more Access Points, WarDriving has been taken to a newer “art” level.
28
WarFlying
29
WarFlying Advantages
- Covers more ground in less time
- Can fly over areas of interest without being restrained by where the roads lead
30
WarFlying: How It Is Done
- Flew at an average speed of 136 mph
- Equipment:
  - Laptop running Win2K/Win XP
  - Omni-directional antenna
  - GPS unit attached to the laptop to record location when a signal is detected
- The flight covered San Diego, Encinitas, Oceanside, Vista, Escondido, Mission Valley, Pacific Beach, Mission Beach, Ocean Beach, Pt Loma and Chula Vista, and then headed to the airport to land
31
WarFlying: Flights Have Been Conducted
- 4 Times:
  - August 2001
  - August 2002
  - December 2003
  - April 2004
- Areas Flown Over:
  - Perth, Australia
  - San Diego, CA
  - San Jose, CA
  - Los Angeles, CA
32
WarFlying: What Was Accomplished
- Flight was over the San Diego area
- Flight lasted about 1.5 hours
- Detected 437 access points
33
WarFlying: Silicon Valley
- Flight went west from Montgomery Field, then north to Silicon Valley
- Picked up Access Points over the ocean
- Determined Access Points were miles away
34
WarFlying: Silicon Valley
- 430 Access Points were uncovered
- Flew over Oracle and even Oracle’s APs were set up with default
- Total trip: San Diego to LA to Bay Area revealed 592 APs
35
DETECT
36
NetStumbler Laptop Version PDA Version
37
270 AP’s in 2 Neighborhoods
38
Only 61 Had Encryption, 22.6%
39
Red Dots = Encrypted Green Flags = Wide Open
40
Take Another Look – All you need to use the internet AND gain access to the router is the SSID and Vendor
41
But what about router passwords?
A searchable listing of over 1300 default logins and passwords by vendor solves that!
42
Statistical Databases
43
(WorldWideWarDrive.org)
Effort by security professionals and hobbyists to generate awareness of the need for individual users and companies to secure their access points. The goal of the WorldWide WarDrive (or WWWD) is to provide a statistical analysis of the many access points that are currently deployed. Organizers of this event mounted an effort for participants to find the most wireless networks throughout the world. Based out of Alberta, Canada.
44
Four (4) Worldwide WarDrives have taken place:
August 31 to September 7, 2002. October 26 to November 2, 2002. June 28 to July 5, 2003. June 12 to June 19, 2004
45
| Category | WWWD 1 | WWWD 2 | WWWD 3 | WWWD 4 |
|---|---|---|---|---|
| TOTAL APs FOUND | 9,374 (100%) | 24,958 (100%) | 88,122 (100%) | 228,537 (100%) |
| WEP Enabled | 2,825 (30.13%) | 6,970 (27.92%) | 28,427 (32.26%) | 87,647 (38.35%) |
| No WEP Enabled | 6,549 (69.86%) | 17,988 (72.07%) | 59,695 (67.74%) | 140,890 (61.65%) |
| Default SSID | 2,768 (29.53%) | 8,802 (35.27%) | 24,525 (27.83%) | 71,805 (31.42%) |
| Default SSID and No WEP | 2,497 (26.64%) | 7,847 (31.44%) | 21,822 (24.76%) | 62,859 (27.50%) |
46
The Combined Results from All Four WorldWide WarDrives
| CATEGORY | 1st WWWD | 2nd WWWD | 3rd WWWD | 4th WWWD | TOTAL | TOTAL % |
|---|---|---|---|---|---|---|
| TOTAL APs FOUND | 9,374 | 24,958 | 88,122 | 228,537 | 350,991 | 100 |
| WEP Enabled | 2,825 | 6,970 | 28,427 | 87,647 | 125,869 | 35.86 |
| No WEP Enabled | 6,549 | 17,988 | 59,695 | 140,890 | 225,122 | 64.14 |
| Default SSID | 2,768 | 8,802 | 24,525 | 71,805 | 107,900 | 30.74 |
| Default SSID and No WEP | 2,497 | 7,847 | 21,822 | 62,859 | 95,025 | 27.07 |
47
WiGLE: Wireless Geographic Logging Engine
WiGLE is a nationwide database and mapping website which to date has mapped 6,936,919 wireless networks since September 2001. WiGLE is a submission-based catalog of wireless networks. It’s basically a “Gee Isn’t This Neat” type of engine for learning the spread of WiFi.
48
Orlando, FL area
49
WarDriving Resources
50
WarDriving Resources

| Tool | Web Site | Description |
|---|---|---|
| NetStumbler | www.netstumbler.com | Freeware wireless access point identifier - listens for SSIDs & sends beacons as probes searching for access points. |
| Kismet | | Freeware wireless sniffer and monitor - passively monitors wireless traffic & sorts data to identify SSIDs, MAC addresses, channels and connection speeds. |
| Ethereal | | Freeware WLAN analyzer - interactively browse the capture data, viewing summary and detail information for all observed wireless traffic. |
| WEPCrack | Sourceforge.net/projects/wepcrack | Freeware encryption breaker - cracks WEP encryption keys using the latest discovered weakness of RC4 key scheduling. |
51
WarDriving Resources

| Tool | Web Site | Description |
|---|---|---|
| Wellenreiter | Packetstormsecurity.nl | Freeware WLAN discovery tool - uses brute force to identify low traffic access points; hides your real MAC; integrates with GPS. |
| THC-RUT | thehackerschoice.com | Freeware WLAN discovery tool - uses brute force to identify low traffic access points; "your first knife on a foreign network." |
| CIRT | cirt.net | Provides a listing of the default passwords, wireless SSIDs, default WEP numbers and the default port lists for all the major manufacturers of wireless routers, cards and switches. |
| Mobile Airscanner | | Freeware wireless sniffer that can decode passwords and packets. Free download but no longer supported due to costs. |
| AirSnort | Airsnort.schmoo.com | Freeware encryption breaker - passively monitors transmissions, computing the encryption key when enough packets have been gathered. |
52
WarDriving Web Sites Wifimaps.com SeattleWireless.net
NetStumbler.com NYCWireless.net Wigle.net Michiganwireless.org nzwireless.org Wireless.net
53
Legalities
- The debate over the legality of WarDriving is still going on.
- Currently it is not illegal for a person to use a corporation’s bandwidth to ride on the backbone and use it strictly to gain access for Internet surfing purposes.
- Once a person or persons begin to use it for data theft or other activities, then and only then does it become illegal.
- The FBI has only issued a warning to corporations to check the security of their networks.
54
Security Issues
55
Wireless Security Issues
- Without a proper setup, anyone can access your wireless network and anything attached
- Default security settings for wireless networks are not enabled on most devices
- Many of the optional security settings are not enough to protect a wireless network
56
Security Risks
- Hacker changes or steals corporate/personal information for their own use
- Data floods can be produced on the network to cause a denial of service attack
- Hacker uses your internet connection to hack another network
- Hacker uses the web on your bandwidth, or uses the bandwidth to distribute spam
57
SLIDE IS BLANK (state following) NOW AT THIS POINT, THE MAJORITY OF YOU ARE PROBABLY ASKING YOURSELVES Then Click
58
DEFEND
59
Securing Wireless
1. Discovery of Unsanctioned/Rogue Access Points
- Understand the environment
- Low cost of wireless access points can result in rogue access points. FOR EXAMPLE:
  - $150 access point to wired network
  - $70 wireless LAN card to laptop
- A power surge or spike will reset all the access points to the default.
- Discovery can be accomplished with two approaches:
  1. Physically walking the network area with scanners
  2. Monitoring the wireless LAN with remote sensors
60
Securing Wireless
2. Sanction Only Authorized Laptops
- Unsanctioned wireless devices are making their way into enterprises from users who are quick to adopt this technology.
- Intel’s Centrino wireless chip is progressing to a point where all laptops will be wireless LAN ready.
- These new laptops will have to be configured to secure the user from connecting to unknown WLANs.
- To protect against this, current policies have to be reevaluated, as corporate executives are beginning to use the embedded wireless chips in their laptops.
- DISCOURAGE AD HOC NETWORKS
  - Similar to rogue access points, ad hoc networks represent another major concern.
  - Wireless LAN cards enable peer-to-peer networking between laptops without an access point.
  - This can allow a user to transfer corporate documents to unauthorized persons.
  - Solution: monitor for ad hoc networks and enforce policy.
3. Use the Highest Level of WEP/WPA (WPA2/802.11i strongly preferred)
61
Securing Wireless
4. Enable MAC based filtering
- Note: MAC addresses can be changed easily by an attacker
5. Lock Down All Access Points
- Change default Service Set Identifiers (SSIDs)
  - SSIDs are essentially the public names of each access point
  - Cisco default = tsunami
  - Linksys default = linksys
  - Intel & Symbol default = 101
  - A default SSID alerts hackers to vulnerable wireless LANs
  - Change to something meaningless
- Configure to disable broadcast mode
  - Wireless access points act as beacons: an access point broadcasts its SSID as a beacon for stations to connect to
- Change default passwords
- Increase data rates
  - User stations should be set with a connection rate of 5.5 Mbps or 11 Mbps
  - Access points with connection speeds of 1 Mbps or 2 Mbps indicate suspicious activity or degraded performance
62
Securing Wireless
6. Update the firmware and drivers on your access points and wireless cards. Check for updates and new releases.
7. Use a virtual private network (VPN)
8. If possible, turn off your access points when you are not using them
63
Securing Wireless
9. Establish the Policies/Standards and Procedures for Wireless Networks
10. KEY ELEMENT ENFORCEMENT
65
Securing Wireless
9. Establish the Policies/Standards and Procedures for Wireless Networks
10. Regularly TEST the security of your wireless network, using the latest Wardriving Tools
66
Securing Wireless
11. KEY ELEMENT ENFORCEMENT
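The discovery and lock-down checks from the steps above (rogue access points, ad hoc networks, weak encryption, default SSIDs, SSID broadcast), as an added example that is not part of the original presentation: a Python audit of a wireless survey against an inventory of sanctioned access points. The inventory, the survey rows and the function names are constructed for illustration; the default SSIDs are the ones listed on the slides.

```python
# Added example: audit a wireless survey against a sanctioned-AP inventory.
# SANCTIONED and SURVEY are constructed sample data, not real networks. MAC/BSSID
# values can be spoofed (see the MAC filtering note), so a match is not proof.
DEFAULT_SSIDS = {"tsunami", "linksys", "101"}   # vendor defaults named on the slides
WEAK_ENCRYPTION = {"none", "wep"}               # WPA2/802.11i is the preferred setting
SANCTIONED = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# (bssid, ssid, encryption, mode, ssid_broadcast)
SURVEY = [
    ("00:11:22:33:44:01", "corp-7f3a", "wpa2", "infrastructure", False),
    ("00:11:22:33:44:02", "linksys", "none", "infrastructure", True),  # reset to defaults
    ("00:11:22:33:44:03", "corp-7f3a", "wep", "infrastructure", False),
    ("66:77:88:99:AA:01", "tsunami", "none", "infrastructure", True),  # not in inventory
    ("02:AB:CD:EF:00:09", "laptop-share", "none", "ad-hoc", True),
]

def audit_ap(bssid, ssid, encryption, mode, broadcast, sanctioned=SANCTIONED):
    """Return the list of findings for one observed access point."""
    findings = []
    if mode == "ad-hoc":
        findings.append("ad-hoc network")
    elif bssid.upper() not in sanctioned:
        findings.append("rogue/unsanctioned AP")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append("default SSID")
    if encryption.lower() in WEAK_ENCRYPTION:
        findings.append(f"no or weak encryption ({encryption})")
    # Broadcast is only a configuration finding for APs the organisation controls.
    if broadcast and mode != "ad-hoc" and bssid.upper() in sanctioned:
        findings.append("SSID broadcast enabled")
    return findings

def audit_survey(survey, sanctioned=SANCTIONED):
    """Map each BSSID with at least one finding to its findings."""
    report = {row[0]: audit_ap(*row, sanctioned=sanctioned) for row in survey}
    return {bssid: found for bssid, found in report.items() if found}

def summarize(survey):
    """WorldWide WarDrive style counts: total, unencrypted, default SSID, both."""
    open_aps = [r for r in survey if r[2].lower() == "none"]
    default = [r for r in survey if r[1].lower() in DEFAULT_SSIDS]
    both = [r for r in open_aps if r[1].lower() in DEFAULT_SSIDS]
    return {"total": len(survey), "no_encryption": len(open_aps),
            "default_ssid": len(default), "default_and_open": len(both)}

if __name__ == "__main__":
    print(audit_survey(SURVEY), summarize(SURVEY))
```

A sanctioned access point that shows up with a default SSID and no encryption, like the second row, is the pattern the power-surge reset described in step 1 would produce.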
67
THE FUTURE ??
68
Future Wireless Security Methods
- WEP2 in development
- WPA still being updated
- Longer keys are being implemented which take longer to crack
- 802.11i with embedded encryption will replace 802.11b/g networks
69
The End For Now . . .
70
QUESTIONS
71
Thank You