If you want to locate vulnerable WLANs in wholesale lots, there is an even more interesting tool. At http://www.kismetwireless.net/ you can download Kismet, a WLAN sniffer that also separates and identifies many wireless networks in the area you are testing. A version of Kismet for Linux is on the Überhacker CD-ROM; Kismet also supports FreeBSD, OpenBSD and Mac OS X. Kismet works with any 802.11b wireless card that is capable of reporting raw packets (rfmon support). These include any Prism2-based card (Linksys, D-Link, Rangelan, etc.), Cisco Aironet cards, and Orinoco-based cards. Kismet also supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards using the Ar5k chipset. Here's where it gets interesting. There is a version that allows you to deploy many Kismet sensors for distributed sniffing. Each "drone" sensor sends packets over a TCP connection to a Kismet server. Its output can be piped into Snort (http://www.snort.org) and some other Intrusion Detection Systems (IDS).
You can get an idea of where easy-access Wi-Fi access points exist in abundance at http://www.WiFiMaps.com/ and http://www.wigle.net/maps. If you hunt on foot, keep an eye out for chalk marks on sidewalks or walls. These often denote Wi-Fi access points.
If you would rather hunt while sitting in your hacker lab, you can get into WLANs that are tens of kilometers away by using a directional antenna. http://www.fab-corp.com/ is an example of a place where you can buy these.
There are many commercial products for detecting WLANs. They are often used in companies that have problems with employees setting up unauthorized access points. For example, AirMagnet can run on the iPAQ PDA, and detects problems such as a Wi-Fi access point advertising its SSID.
It is legal to detect WLANs, but not to use some of the wireless systems you may access. It is best to make sure a WLAN is open to the public before using it. However, unless it requires some sort of authentication to log on, law enforcement won't waste time pursuing casual visitors to WLANs. If you do this and get busted anyhow, well, that's the risk you take in any unauthorized computer access.
Now we come to the slightly hard part. How do you break in if the WLAN asks for some sort of authentication? Wired Equivalent Privacy (WEP) is a common way to authenticate, and can be broken in minutes if you have a computer with a reasonably fast CPU. Since some Wi-Fi hardware is incompatible with better ways than WEP to authenticate, chances are you can find a lot of WEP nets. AirSnort is an example of a program that cracks WEP keys. Once it has captured enough packets it can usually crack WEP in a second or so, if running on Linux with a reasonably fast CPU. AirSnort has varieties that run on BSD, Linux, OS X and Windows, and can be downloaded at http://airsnort.shmoo.com/.
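The commercial detection products mentioned above and the WEP weakness just described have the same defensive counterpart: an inventory audit that flags radios you did not deploy and radios still running WEP or no encryption. The script below is an added example written for this Guide's readers, not code from Kismet, AirMagnet or the Überhacker book. It assumes a survey in a simple constructed CSV form (BSSID, SSID, channel, security) that does not follow any real sniffer's output format, and an authorized-AP inventory that is also made up for the demonstration.

```python
"""Audit a wireless survey against an inventory of deployed access points.

Added example; the survey and inventory below are constructed for this
demonstration and do not use Kismet's or AirMagnet's real output formats.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed survey: one access point per line as BSSID,SSID,channel,security.
SURVEY = """\
00:11:22:33:44:01,CorpNet,6,WPA
00:11:22:33:44:02,CorpNet,11,WPA
00:11:22:33:44:03,CorpNet-Legacy,1,WEP
AA:BB:CC:DD:EE:01,CorpNet,6,OPEN
aa:bb:cc:dd:ee:02,linksys,6,OPEN
aa:bb:cc:dd:ee:03,GuestWiFi,1,WEP
"""

# Constructed inventory: BSSIDs the organisation actually deployed and their SSIDs.
AUTHORIZED = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
    "00:11:22:33:44:03": "CorpNet-Legacy",
}

# Security modes this audit treats as inadequate (WEP is crackable, OPEN has none).
WEAK_SECURITY = {"WEP", "OPEN"}

_MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}")


@dataclass(frozen=True)
class AccessPoint:
    bssid: str
    ssid: str
    channel: int
    security: str


def parse_survey(text):
    """Parse the constructed CSV survey; reject malformed lines instead of guessing."""
    aps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        bssid, ssid, channel, security = parts
        bssid = bssid.lower()  # normalise so inventory lookups are case-insensitive
        if not _MAC_RE.fullmatch(bssid):
            raise ValueError(f"line {lineno}: bad BSSID {bssid!r}")
        aps.append(AccessPoint(bssid, ssid, int(channel), security.upper()))
    return aps


def audit(aps, authorized):
    """Return (finding, bssid, detail) tuples for rogue, spoofing and weak-security APs."""
    findings = []
    corporate_ssids = set(authorized.values())
    for ap in aps:
        if ap.bssid not in authorized:
            if ap.ssid in corporate_ssids:
                # An unknown radio advertising our own network name: evil-twin pattern.
                findings.append(("spoofed-ssid", ap.bssid, ap.ssid))
            else:
                findings.append(("rogue-ap", ap.bssid, ap.ssid))
        elif authorized[ap.bssid] != ap.ssid:
            # Known hardware, but someone changed the network it advertises.
            findings.append(("ssid-mismatch", ap.bssid, ap.ssid))
        if ap.security in WEAK_SECURITY:
            findings.append(("weak-security", ap.bssid, ap.security))
    return findings


def summarize(findings):
    """Count findings by type, e.g. {'weak-security': 4, 'rogue-ap': 2, ...}."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    results = audit(parse_survey(SURVEY), AUTHORIZED)
    for kind, bssid, detail in results:
        print(f"{kind:14} {bssid}  {detail}")
    print(summarize(results))
```

The inventory lookup is what turns a sniffer's list of everything in range into something actionable: a WEP network the company itself deployed is a migration task, while an unknown BSSID advertising the corporate SSID needs someone to go find the radio.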
Now we come to the super hard part: Wi-Fi Protected Access (WPA). It's the latest, greatest way to keep intruders from abusing Wi-Fi. It can work, for example, with Windows Remote Authentication Dial-In Services to authenticate users and keep the uninvited out. At this writing no technique has been publicized to break it. However, if by the time you read this, a way has been discovered, here are some web sites that are likely to offer downloads of the tools that do it, and instructions for their use.
This Guide has been excerpted from the upcoming Second Edition of Überhacker! How to Break into Computers, by Carolyn Meinel. You are welcome to post this Guide to your web site or forward it to other people.

This is a Guide devoted to *legal* hacking! If anyone plans to use any information in this Guide to commit crime, check out to find out what happens to bad hacker girlz and boyz.

You are welcome to join our chat groups at http://happyhacker.org/jirc/

Clown Princess and author of this Guide to (mostly) Harmless Hacking: Carolyn Meinel, (505)281-0490
Why do we freely give out information that even the total beginner may use as a two-edged sword of cyberspace power? We do this "to turn over to mankind at large the greatest possible power to control the world and deal with it according to its lights and values." -- Robert J. Oppenheimer, head of the Manhattan Project, which created the world's first nuclear