1. Wireless 101
Workshop

2. Productivity Paradox
Why is it that the only location where employees have access to all their productivity tools...
...is the one location where they spend the least amount of time— their desks?
Why are you interested in wireless networking?
What are you hoping to gain with wireless networking?
Where do you hope to implement wireless?
Provided by Cisco, Inc. © Copyright 2003

3. Why Wireless Networking?
Saves installation of network cabling
Eases relocation and other modifications to network structure
Can network areas inaccessible or cost prohibitive to traditional wired networks
Some environments/applications perfect for the wireless networking
Buildings with large open areas
Warehouses
Convention Centers
Arenas/Stadiums/Gymnasiums
Auditoriums
Mobile Educational Labs
Airports
Hospitals
Historic Buildings
Greenhouses/Botanical Gardens
Outdoors
May also have wired network in same location
Servers and stationary workstations
Historic Buildings are a prime use of wireless network technologies today. Wireless networking both protects the aesthetics of the structure as well as keeps modifications to a minimum. You can modernize a historic landmark with the addition of networking without compromising its historic status and beauty.
Some Examples:

4. (Metropolitan Area Network) (Personal Area Network)
Wireless Technologies
WAN
(Wide Area Network)
MAN
(Metropolitan Area Network)
LAN
(Local Area Network)
PAN
(Personal Area Network)
“A Personal Area Network is the interconnection of information technology devices within the range of an individual person, typically within a range of 10 meters.” (Retrieved May 21, 2003, from
“A Local Area Network is a group of computers and associated devices that share a common communications line or wireless link within a small geographic area.” (Retrieved May 21, 2003, from
“A Metropolitan Area Network is a network that interconnects users with computer resources in a geographic area or region larger than that covered by even a large local area network but smaller than the area covered by a wide area network. The term is applied to the interconnection of networks in a city into a single larger network. It is also used to mean the interconnection of several local area networks by bridging them with backbone lines. The latter usage is also sometimes referred to as a campus network.” (Retrieved May 21, 2003, from
“A Wide Area Network is a geographically dispersed telecommunications network.” (Retrieved May 21, 2003, from
PAN
LAN
MAN
WAN
Standards
Bluetooth
802.11
HiperLAN2
MMDS, LMDS
GSM, GPRS,
CDMA, 2.5-3G
Speed
< 1Mbps
11 to 54 Mbps
11 to 100+ Mbps
10 to 384Kbps
Range
Short
Medium
Medium-Long
Long
Applications
Peer-to-Peer
Device-to-Device
Enterprise networks
T1 replacement, last mile access
Mobile Phones, cellular data
Provided by Cisco, Inc. © Copyright 2003

5. Types of Wireless Networks
Infrared (IR) LANs: Individual cell of IR LAN limited to single room
IR light does not penetrate opaque walls
Narrowband RF (microwave): Microwave frequencies but not spread spectrum
Some require FCC licensing
Spread spectrum LANs: Mostly operate in ISM (industrial, scientific, and medical) bands
No Federal Communications Commission (FCC) licensing is required in USA
What is commonly referred to as Wireless LANS, WLANS, or Wi-Fi.
standard.
From Data and Computer Communications by William Stallings. © Copyright 2003

6. Infra-Red LAN Spectrum virtually unlimited
Infrared spectrum is unregulated worldwide
Extremely high data rates
Infrared shares some properties of visible light
Diffusely reflected by light-colored objects
Use ceiling reflection to cover entire room
Does not penetrate walls or other opaque objects
More easily secured against eavesdropping than radio
Separate installation in every room without interference
Inexpensive and simple
Uses intensity modulation, so receivers need to detect only amplitude
Background radiation
Sunlight, indoor lighting
Noise, requiring higher power and limiting range
Power limited by concerns of eye safety and power consumption
From Data and Computer Communications by William Stallings. © Copyright 2003

7. Licensed Narrow Band RF LAN
Cellular common usage
Microwave radio frequencies usable for voice, data, and video licensed within specific geographic areas to avoid interference
Radium 28 km
Can contain five licenses
Each covering two frequencies
Motorola holds 600 licenses (1200 frequencies) in the 18-GHz range
Cover all metropolitan areas with populations of 30,000 or more in USA
Use of cell configuration
Adjacent cells use non-overlapping frequency bands
Motorola controls frequency band
Can assure nearby independent LANs do not interfere
All transmissions are encrypted
Licensed narrowband LAN guarantees interference-free communication
License holder has legal right to interference-free data channel
From Data and Computer Communications by William Stallings. © Copyright 2003

8. Unlicensed Narrow Band RF LAN
1995, RadioLAN introduced narrowband wireless LAN using unlicensed ISM spectrum
Used for narrowband transmission at low power
0.5 watts or less
Operates at 10 Mbps
5.8-GHz band
50 m in semiopen office and 100 m in open office
Peer-to-peer configuration
Elects one node as dynamic master
Based on location, interference, and signal strength
Master can change automatically as conditions change
Includes dynamic relay function
Stations can act as repeater to move data between stations that are out of range of each other
From Data and Computer Communications by William Stallings. © Copyright 2003

9. What is Spread Spectrum RF?
Data being sent over the air waves
Two-way radio communications (half duplex)
Same radio frequency for sending and receiving
The goal of sending data over radio frequencies to to send as much data as far and as fast as possible.
Two ways to increase the amount of data you can send on air waves
More frequency spectrum
Modulation
History Lesson:
Both the allies and the Axis powers experimented with simple Spread Spectrum systems. Much of what was done is still shrouded in secrecy, however. The first publicly available patent on Spread Spectrum came from Hedy Lamarr, the Hollywood movie actress, and George Antheil, an avant gard composer. This patent was granted in 1942, but the details were a closely held military secret for many years. The inventors never realized a dime for their invention; they simply turned it over to the US Government for use in the war effort, and commercial use was delayed until after the patent had expired. The design was used to make torpedoes less susceptible to jamming.
Most of the work done in Spread Spectrum throughout the '50s, '60s and '70s was heavily backed by the military and drowned in secrecy. GPS (Global Positioning System) is now the world's largest single Spread Spectrum system. Most of the details on GPS are now public information.
A nice detailed history can be found at

10. Spread Spectrum LAN ACCESS POINT CONFIGURATION:
Usually use multiple-cell arrangement
Adjacent cells use different center frequencies
Access Point is typically mounted on ceiling
Connected to wired LAN
Connect to stations attached to wired LAN and in other cells
May also control access
IEEE point coordination function
May also act as multiport repeater
Stations transmit to hub and receive from hub
Stations may broadcast using an omnidirectional antenna
Logical bus configuration
Access Point may do automatic handoff
Weakening signal, hand off
From Data and Computer Communications by William Stallings. © Copyright 2003

11. Spread Spectrum LAN Issues
Licensing regulations differ from one country to another
USA FCC authorized two unlicensed applications within the ISM band:
Spread spectrum - up to 1 watt
Very low power systems- up to 0.5 watts
MHz (915-MHz band)
GHz (2.4-GHz band)
GHz (5.8-GHz band)
2.4 GHz also in Europe and Japan
Higher frequency means higher potential bandwidth
Interference
Devices at around 900 MHz, including cordless telephones, wireless microphones, and amateur radio
Devices at around 2.4 GHz, including cordless telephones, wireless microphones, microwaves, wireless stereos, and some fluorescent lighting
Little competition at 5.8 GHz
Higher frequency band, more expensive equipment
From Data and Computer Communications by William Stallings. © Copyright 2003

12. Types of Spread Spectrum
Frequency Hopping Spread Spectrum (FHSS)
FCC requires 75 channels before repeating in the 78 channel spectrum
Synchronized channel hops every .4 seconds
Minimal time on interfered channels. Hard to intercept because of hopping.
Packets can be lost due to interference
Cordless phones often use this.
Direct Sequence Spread Spectrum (DSSS) – Standard
Single bit converted into chips. With 11 bits, the bandwidth is 22 Mhz.
11 channels – each channel is 22 Mhz wide. 3 non-overlapping channels (1,6,11)
Regulatory channels (US – 11, Mexico 2, Japan 14, Israel 6)
Packets can push through interference with redundant bits.

13. DSSS Channels (Global)
Regulatory Domain
Channel Frequency Americas EMEA Israel Japan Mexico
X X X
X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X X X
X X
X X X
5 MHz offset between each channel.
3 Non-Overlapping Channels exist in US: 1, 6, and 11
These are very important when doing Access Point layout and Site Surveying.
Provided by Cisco, Inc. © Copyright 2003

14. WECA and WiFi™ WECA Wireless Ethernet Compatibility Alliance
Members include Cisco, Avaya, Intel, Symbol, Proxim, IBM, 3Com, IBM, Nokia, Compaq, Dell…
Mission:
Certify interoperability of WLAN products (802.11)
Wi-Fi™ is WECA’s stamp of approval
Goal is to promote Wi-Fi™ as the global standard.
WECA/Wi-Fi
WECA’s mission is to promote standards and its members hope to help design those standards. Standards include such areas as
Quality of Service
Roaming
Interoperatiblity
Power Management
Security
WECA certifies products and projects that pertain to the wireless data communications industry.

15. Wi-Fi Alliance Wi-Fi Certification Wi-Fi ZONE
Wi-Fi (which stands for "Wireless Fidelity") certification gives consumer and business buyers assurance that wireless LAN products bearing the Wi-Fi CERTIFIED logo have been tested for interoperability and actually meet the standard. Such PC products include PCMCIA cards for notebooks and PCI cards for desktops, and USB modules that can be used with either one.
Wi-Fi ZONE
Wi-Fi is Freedom - the freedom to connect to your network or the Internet without wires wherever you are, indoors or outdoors. The Wi-Fi ZONE program allows travelers to easily identify locations that offer Wi-Fi services allowing them to stay connected while away from home or the office. This program is free to both provider and users. The ZONE finder and provider sign up can be found at

16. WLAN IEEE 801.11 Standards 802.11a: 5GHz, 54Mbps
802.11b: 2.4GHz, 11Mbps
802.11d: Multiple regulatory domains
802.11e: Quality of Service (QoS)
802.11f: Inter-Access Point Protocol (IAPP)
802.11g: 2.4GHz, 54Mbps
802.11h: Dynamic Frequency Selection (DFS) and Transmit Power Control (TPC)
802.11i: Security
802.11j: Japan 5GHz Channels ( GHz)
802.11k: Measurement
802.11x refers to a group of wireless local area network standards that are still being developed as part of overall IEEE standard. As of March 2003, these incomplete standards were:
802.11e - Quality of Service
802.11f - Access Point Interoperability
802.11h - Interference
802.11i - Security
Provided by Cisco, Inc. © Copyright 2003

17. 802.11 Enabled Devices PDA’s Printers Projectors Tablet PC’s
HP iPAQ 5450 PDA
Epson Printer
PDA’s
Printers
Projectors
Tablet PC’s
Barcode scanners
Custom devices for vertical markets:
Healthcare
Manufacturing
Retail
Restaurants
SpectraLink
Sharp M25X Projector
HHP Barcode Scanner
Compaq Tablet PC
Provided by Cisco, Inc. © Copyright 2003

18. Ad Hoc Wireless Network
Peer-to-peer network
Set up temporarily to meet some immediate need
E.g. group of employees, each with laptop or palmtop, in business or classroom meeting
Network for duration of meeting
Great for sharing files between two people
From Data and Computer Communications by William Stallings. © Copyright 2003

19. Infrastructure Wireless Network
From Data and Computer Communications by William Stallings. © Copyright 2003

20. Bridged Wireless Network
Government Buildings
Connect buildings’ data networks
Cheaper than T1 (fast ROI)
Cheaper than trenching fiber
Backup system for when cables get cut
Education
Public school system sharing WAN link
Colleges expanding into leased facilities
Connecting classroom trailers to main bldg.
Municipal Applications
Emergency response (police, fire, city hall)
Public transportation (buses)
Courthouse
Temporary Broadband Link
Construction sites
Sporting events
County Fairs
Provided by Cisco, Inc. © Copyright 2003

21. Line of Sight/Earth Curvature
Many obstructions may block line of sight.
Topographic features such as hills or mountains
Vegetation such as trees or vines
Man-made objects like buildings or towers
The curvature of the Earth.
Line of Sight disappears at 6 miles (9.65 km) due to the curvature of the earth.
It is highly recommended if you are going beyond a mile to seek professional assistance. The equipment necessary for lining up antennas properly at those distances can be quite expensive.

22. Fresnel Zone
(pronounced 'fre-nel' the "s" is silent) The area around the visual line-of-sight that radio waves spread out into after they leave the antenna. This area must be clear or else signal strength will weaken. Fresnel Zone is an area of concern for 2.4 GHz wireless systems. Although 2.4 GHz signals pass rather well through walls, they have a tough time passing through trees. The main difference is the water content in each. Walls are very dry: trees contain high levels of moisture. Radio waves in the 2.4 GHz band absorb into water quite well.
Wireless Link ~Value "F" ft (2.4 GHz) ~Value "C" Value "H" ft.
Distance (miles) (60% Fresnel Zone) (Earth Curvature) (mounting Ht)
(Beyond 25 miles is very difficult to implement without hopping)
“Note that as path loss increases and distance decreases with frequency, these distances are only applicable to the 2.4 GHz band. A 10dB fade margin is included for dependable communications in all weather conditions. Outdoors, every increase of 6 dB will double the distance. Every decrease of 6 dB will halve the distance. Shorter cable runs and higher gain antennas can make a significant difference to the range.” (Retrieved May 21, 2003, from
Fresnel Zone can be improved by raising the antenna, cutting down problem trees, and/or changing the mount point.
(Retrieved May 21, 2003, from

23. Wireless Network Requirements
Same as any Local Area Network
High capacity, short distances, full connectivity, broadcast capability
Throughput: Efficient use of wireless medium
Number of nodes: Hundreds of nodes across multiple cells
Connection to backbone Local Area Network: Full network access
Service area: 100 to 300 meters
Low power consumption: Need long battery life on mobile stations
Transmission robustness and security: Interference prone and easily eavesdropped
Collocated network operation: Two or more wireless LANs in same area
License-free operation: Public bands.
Handoff/roaming: Move from one cell to another
Dynamic configuration: Addition, deletion, and relocation of end systems without disruption to users

24. 802.11a Data rates supported: 54, 48, 36, 24, 12, and 6 Mbps
Client will automatically “downshift” to lower data rate when it gets further from AP
15 Countries have approved the use of today’s a products:
U.S., Australia, Poland, Denmark, France, Sweden, New Zealand, Ireland, U.K, Germany, Japan, Singapore, Canada, Belgium, Netherlands
802.11h will ultimately permit worldwide usage of 5 GHz
Transmit Power Control (TPC)
Dynamic Frequency Selection (DFS)
5 GHz band has more channels than 2.4 GHz band
UNII-1 + UNII-2 = 8 channels (vs. 3 channels for 2.4 GHz)
However, depending on distance between APs, you may only be able to use half of the 5 GHz channels due to adjacent channel interference
5 GHz band subject to less interference than 2.4 GHz band
However, 2.4 GHz interference not a major problem in most business environments
Not compatible with b or g.
From Data and Computer Communications by William Stallings. © Copyright 2003

25. 802.11b Data rates supported: 11, 5.5, 2 and 1 Mbps
Client will automatically “downshift” to lower data rate when it gets further from AP
2.4 GHz band. Chipping rate 11 MHz
Same as original DSSS scheme
Same occupied bandwidth
Complementary code keying (CCK) modulation to achieve higher data rate in same bandwidth at same chipping rate
Industry (global) accepted standard.
Wi-Fi™ approved. Every major computer company producing products.
Can be purchased in many retail stores. Integrated into brand name computers. Available in coffee shops, airports, restaurants, schools, and at most conferences held today.
Very affordable. Dropping in price quickly.
Not compatible with a.
Compatible with g.
From Data and Computer Communications by William Stallings. © Copyright 2003

26. 802.11g
Data rates supported: 54, 48, 36, 24, 18, 12, 11, 6, 5.5, 2, and 1 Mbps
Client will automatically “downshift” to lower data rate when it gets further from AP
2.4 GHz using OFDM/CCK technology
Full forward/backward compatibility with b
54 Mbps g products available now
Higher-speed extension to b
Combines physical layer encoding techniques used in a and b to provide service at a variety of data rates
Not compatible with a.
From Data and Computer Communications by William Stallings. © Copyright 2003

27. 802.11b Data Rates 1 Mpbs DSSS 2 Mpbs DSSS 5.5 Mpbs DSSS 11 Mpbs DSSS
802.11g Adds In:
12, 18, 24, 36, 48, and 54 Mpbs

28. Diversity and Multipath
Like light, radio signals bounce off objects. Thus, a radio signal can take ore than one path to travel from the radio transmitter (client) to the radio receiver. This is call Multipath signalling.
Multipath signals can cause high RF signal strength but poor signal quality. As the signals of different paths and different times to delivery are combined within a device, distortion can results. If a signal were to return to an antenna from two paths exactly 180 degrees out of phase, this would cause a dead spot.
Dead spots are very common in buildings. As well, antennas receiving multiple copies of the same signal at different strength levels can cause noise.
The best way to compensate for Multipath is to move the antenna. Moving antennas can remove you from the dead spots but cannot compensate for mixing of signals and the resultant distortion.
Wireless Access Points commonly compensate for Multipathing by using Diversity Antennas. Two antennas connected to a device receive the various multiple path signals at different times and can determine the strongest individual signal and utilize it, ignoring the others.

29. Multipath Distortion
Provided by Cisco, Inc. © Copyright 2003

30. Antennas
Directionality – Which way the antenna broadcasts the RF signal
Omni directional (360 degrees)
Directional (limited range of coverage)
Gain – The amount of increase in energy that an antenna appears to add to the RF signal.
Measured in dBi and dBd (0 dBd = 2.14 dBi)
As gain goes up, the coverage area or angle diminishes (called beamwidth)
Polarization – Physical orientation of the element of the antenna that actually emits the RF signal.
Antennas are used in the vertical polarization
LAW
FCC requires that ALL Spread Spectrum antennas be certified with the radio they are to be sold with.
Any removable antenna must use a unique “non-standard” connector.
Provided by Cisco, Inc. © Copyright 2003

31. Antenna Coverage Omni Directional Directional Patch Yagi/Parabolic
Examples of antenna coverage.
Omni Directional Dipole “Duck” antennas are the most common. In most locations, they are quite adequate and provide the most ideal coverage. Purchasing separate antennas is often not necessary.
Omni Directional
Directional Patch
Yagi/Parabolic
Provided by Cisco, Inc. © Copyright 2003

32. Interference Signal Interference
Other 2.4 GHz equipment (Cordless Phones/Speakers/Rogue Access Points)
Radio/Cellular
Humidity/Dampness/Water
X-Ray/MRI/Lab Equipment
Newer radio based fluorescent lighting
Intercom Systems
Fire/Security Alarm Systems
Computer Equipment
High Voltage
Microwave Ovens
Physical Interference
Walls
Shelving
Shielding (Lead lined walls, Firewalls)
Paints/Wall Coverings
Some interference is very obvious and can be accounted for. Others are best found, tested and confirmed by doing a Site Survey. Even those that you know exist should be tested to see what impact they have. Sometimes just rotating or moving an access point a few feet can make a big difference.

33. Channel Setup Channel 1 Channel 11 Channel 6 Channel 11 Channel 1
Most critical step to good deployment in a multiple Access Point topology is Access Point layout based upon non-overlapping channels and dead zones.
Desired bandwidth has a major impact on overlapping channels
If your WLAN topology calls for a coverage area at any bandwidth, then the radio signals can have minimal overlap
If your WLAN topology calls for 11 meg access everywhere, then you will have major overlap of the 5.5, 2, and 1 meg bandwidth zones
Channel 6
Channel 1
Channel 11
Channel 6
Channel 11

34. Overview of Wireless Security
As a Wireless Network administrator you need to understand:
What is available
What works with your network and equipment
What systems work with what other systems
Basic security - SSID/WEP has inherent weaknesses
Other methods of security need to be implemented
Problem for ALL technologies of WLANS— a, b and g
IEEE i is working on an industry standard
Wi-Fi is working on an industry standard (WPA)
Today security solutions for Wireless Networks are very strong, scalable and manageable and are being improved quickly.

35. WLAN Security Hierarchy
Enhanced Security
802.1x,
TKIP/SSN Encryption,
Mutual Authentication,
Scalable Key Mgmt., etc.
Basic Security
Open Access
40-bit or 128-bit Static WEP Encryption
No Encryption, Basic Authentication
Prior to deploying an education institution needs to conduct a risk assessment of its environment and decide how much security it needs
No Security – Open Access
Security Options - SSID; Public/Private WLAN segregation
Drawbacks - “Promiscuous mode” drivers; Null association
Basic Security
Security Options – SSID; WEP Encryption; Public/Private WLAN Segregation
Drawbacks - Static keys; Easily hacked
Enhanced Security
Security Options – 802.1x Authentication Framework;
Drawbacks – Cost and management
Maximum Security – Special Applications requiring maximum security
Provides the following:
Tunneling
Encryption
Packet integrity
User and device authentication
Policy management
Public “Hotspots”
Home Use
Business
Virtual Private Network (VPN)
Business Traveler, Telecommuter
Remote Access
Provided by Cisco, Inc. © Copyright 2003

36. Wireless Network Security
A secure wireless solution is in addition to, not a replacement for, your physical network security.
Wireless Network Security Options
Non-Broadcast SSID
WEP/WPA
MAC Filtering
Physical Access
Authentication (EAP)
Firewall
Access Control Lists
VLANs
Proxy
Filters
VPN
NAT/PAT
In some networks, wireless access is more secure than physical networking access just by the addition of encryption. You must judge the necessity of security on your wireless network based on how important security on your physical network is.

37. WLAN Risks “Out of the Box” (default) configurations
SSID is well documented (linksys for Linksys, tsunami for CISCO)
WEP and other security disabled by default
“Rogue” Access Points
Employee receives free Access Point at conference/gift or purchases one
Recommend “War Driving” to find these on your own network
Stolen Equipment
Contains SSID and/or Static WEP keys
Have IP addresses and perhaps network SNMP settings
Signal “Bleed”
Misplaced Access Point “bleeds” signal over into unnecessary locations
Possible to adjust the radio transmission power on access point to limit “bleed”
Placement of Access Point also affects “bleed”

38. WLAN Hacking
Wireless networks have garnered the interests of curiosity seekers looking for free bandwidth and true hackers seeking bandwidth or access to your internal network. And it is increasing in popularity and occurrences.
Reasons
Published Standards
Minimal equipment costs
Lack of security
Many tools available to WLAN Hackers today.
The Wireless Access Network Card Client
Air Snort/Kismet
Netstumber
Cantenna
War Driving
War Chalking
War Jacking
War Spamming

39. Common WLAN Attacks Bit flipping
Bits are flipped in WEP encrypted frames, and ICV CRC32 is recalculated
Replay
Bit flipped frames with known IVs resent
AP accepts frame since CRC32 is correct
Layer 3 device will reject, and send predictable response
Response database built and used to derive key
Man-in-the-Middle Attacks
Network sniffing.
Same as sniffing your physical network.
Provided by Cisco, Inc. © Copyright 2003

40. WLAN Risks “Out of the Box” (default) configurations
SSID is well documented (linksys for Linksys, tsunami for CISCO)
WEP and other security disabled by default
“Rogue” Access Points
Employee receives free Access Point at conference/gift or purchases one
Recommend “War Driving” to find these on your own network
Stolen Equipment
Contains SSID and/or Static WEP keys
Have IP addresses and perhaps network SNMP settings
Signal “Bleed”
Misplaced Access Point “bleeds” signal over into unnecessary locations
Possible to adjust the radio transmission power on access point to limit “bleed”
Placement of Access Point also affects “bleed”

41. WLAN Hacking
Wireless networks have garnered the interests of curiosity seekers looking for free bandwidth and true hackers seeking bandwidth or access to your internal network. And it is increasing in popularity and occurrences.
Reasons
Published Standards
Minimal equipment costs
Lack of security
Many tools available to WLAN Hackers today.
The Wireless Access Network Card Client
Air Snort/Kismet
Netstumber
Cantenna
War Driving
War Chalking
War Jacking
War Spamming

42. Wireless Client Software
The drivers themselves often contain useful hacking tools
Network idenfication
Firmware versions
IP address of Client and/or WAP
Hop information
SSID
Signal Strength
Signal Quality
Network Type
MAC Addresses
Example is of Cisco Aironet Client Utility.

43. Air Snort/Kismet Air Snort and Kismet snagged wireless network packets
Currently only unix/linux versions. Windows in development.
WEP Key recovery possible due to statistical analysis of plaintext and “weak” IV (initialization vector)
Leverages “weak” IV (initialization vector)—large class of weak IVs that can be generated by RC4
Passive attack, but can be more effective if coupled with active attack
Features of Kismet:
Multiple packet sources
Channel hopping
IP block detection
Cisco product detection via CDP
Ethereal/tcpdump compatable file logging
Airsnort-compatable "interesting" (cryptographically weak) logging
Hidden SSID decloaking
Grouping and custom naming of SSIDs
Multiple clients viewing a single capture stream
Graphical mapping of data (gpsmap)
Cross-platform support (handheld linux and BSD)
Manufacturer identification
Detection of default access point configurations
Detection of Netstumbler clients
Runtime decoding of WEP packets
Multiplexing of multiple capture sources

44. Netstumbler Netstumbler available for many OSes
“Who should use this program?
Security folks wanting to check that their corporate LAN isn't wide open
Systems admins wanting to check coverage of their Wireless LAN
Gatherers of demographic information about popularity
Drive-by snoopers
Overly curious bystanders.”
Quoted from
Netstumbler, like many other “tools” on the internet, claim that it is designed for administrators. In truth, its primary use is for hacking and war driving. It is highly recommended that wireless network administrators familiarize themselves with this software so they know how to combat it.

45. Netstumbler MAP
The Netstumbler Map Database is currently down ( ) but as you can see it has depth. They are constantly adding to the map and the database as users throughout the US and the world contribute. As you can see, having secure Access Points is very important.

46. Cantenna Cantenna (htttp://www.cantenna.com)
Extends the range of a client and/or access point
Legitimate uses as well
The Famous Pringles Can Antenna
You can make your own antenna quite cheep and they work to. The benefit of the Cantenna is it is truly engineered perfectly in length and size for the 2.4GHz wavelengths.

47. War Driving
“Wireless LAN war drivers routinely cruise their immediate areas in cars equipped with laptops loaded with a wireless LAN card, an external high-gain antenna and a GPS receiver. The wireless LAN card and GPS receiver feed signals into freeware, such as NetStumbler, which detects APs and their identifiers along with their GPS-derived locations. NetStumbler also automatically detects whether or not built-in Wi-Fi Wired Equivalent Protocol (WEP) is turned on or off.
More malevolent war-drivers may use Air-Snort or Kismet, tools designed to crack WEP.
The term war-driving is derived from the "war-dialing" exploits of a teenage hacker in the 1983 movie WarGames who has his computer randomly dial hundreds of numbers and eventually winds up tapping into a nuclear command and control system. “
“War-walking
Think of it as war-driving, but on foot instead of in a car. The NetStumbler Web site offers MiniStumbler software for use on Pocket PC hardware, saving war-walkers from toting around laptops. War-walkers like to use MiniStumbler and Pocket PCs to sniff shopping malls and big-box retail stores. “
“War-flying
Just as the name implies, it's sniffing for wireless networks from the air. The same equipment is used, but from a private plane. Just last month, a Perth, Australia war-flier picked up s and Internet Relay Chat sessions from an altitude of 1,500 feet on a war-flying trip.”
(Retrieved May 22, 2003, from
Legal Side
War Driving is NOT against the law and some states are considering enacting laws that make it legal.
(Retrieved May 22, 2003, from

48. War Chalking
War Chalking is a hobo inspired language devoted to publicly labeling Wireless Networks across the world (this is more of a myth…not been proven this is done at all).
Standardization of nomenclature has already begun. Still not widely done but growing in interest.
Often anti-graphiti laws are enacted to prosecute those involved in War Chalking.

49. War Jacking/War Spamming
“War-jacking or Air-jacking
Knocking out a real AP with a denial-of-service attack and then setting up a new AP that will serve as a new hub to devices that homed on the legitimate AP.”
“War-spamming
Taking over a network connected to an unsecured AP and using it to inject spam into the Internet. Although there has been much speculation about wireless war-spamming in the hacker community of late, no egregious instances have yet been reported. “
War Jacking is similar to ARP Poisonings and DoS attacks on your routers. As always keep your IP address lists secure.
War Spamming is real and growing in strength. It is a combination of finding access to your network through an open Access Point and finding an open SMTP server in your internal network.
(Retrieved May 22, 2003, from

50. Primary Sources Linksys Group, Inc http://www.linksys.com Cisco, Inc.
Data and Computer Communications (Seventh Edition)
By William Stallings
Copyright 2003
Personal Experience and Research
T.R. Knight
Network Services Manager
Taylor University