Site Survey Considerations and Planning
After the data-gathering phase is complete, decide how you are
going to survey the area and position yourself. The possibilities include the
following:
- Warwalking
- Warcycling
- Wardriving
- Warclimbing
Each tactic has its own advantages and disadvantages.
Warwalking does not cover a large area, but a large amount of dumped data is
guaranteed. You can stop at any point to check the signal strength, check the
network traffic in real time, attempt to connect to the network, launch DoS or
man-in-the-middle attacks, and so on. Besides, you have the advantage of
physically surveying the area to spot the following:
"No Bluetooth" or similar signs are a clear indicator of a
wireless network with a system administrator understanding the concept of
interference and taking care to prevent it. Warchalking refers to marking the
sidewalks and walls to indicate nearby wireless access points. A good source on
warchalking is http://www.warchalking.org. It is essential that you
familiarize yourself with warchalking signs and their significance. To assist
you, we have gathered a small collection of warchalking signs and placed it in
Appendix F. Depending on the area,
two different warchalking signs might mean the same thing, and there is even a
sign for FHSS networks. Thus, do not consider the relative obscurity of your non-802.11
DSSS network such as HomeRF or 802.11 FHSS WLAN to be an ultimate protection
against possible intruders. Someone must be out there scanning for them and we
won't be surprised if new warchalking signs ("Bluetooth PAN," "non-802.11
standard point-to-point link," as well as "WEPPlus WLAN," "802.1x in use, EAP
type is ...," "802.11i-enabled network," "TKIP," "TurboCell," etc.) decorate the
streets soon.
Warwalking has some obvious disadvantages: You have to carry
all your equipment around (antennas present the largest problem) and have power
limited to the battery power of your laptop or PDA and the amount of spare
batteries you can carry. It is unlikely you can take a very high-gain
directional antenna or an amplifier on a warwalking trip. Most important, a
warwalker and his or her equipment are exposed to the adverse effects of the
elements. Laptops do not really enjoy rain, and wet RF connectors mean a
significant loss that might persist afterward due to rusting.
Wardriving, on the contrary, provides good protection against
the elements and a good source of power in the form of a car battery and a
generator. You can discover all networks in the area, and it doesn't matter how
fast you drive: The beacon frames are sent every 10 milliseconds and you won't
miss one while passing by or through the WLAN. Of course, you won't dump a lot
of traffic unless you drive really slowly and will have difficulties in
observing and analyzing the packets in the air and launching various attacks
unless you can park in the appropriate place. This is often impossible in the
center of a large city or on a private corporate premises. Another obvious
problem when wardriving is the antenna. You'll need to place an external antenna
outside of the car to avoid a significant loss caused by the car frame. Remember
that even ordinary window glass brings around 2 dBm of loss. Of course, placement of an
external antenna would mean an RF cable with connectors, which brings more loss.
Typical wardriver kits or "rigs" include a magnetic-mount, ground plane,
omnidirectional antenna with about 5 dBi gain and a thin pigtail-style cable
that might cause more loss than the gain produced by the little omnidirectional
on the top of the car. Mounting anything better on your car roof would present
an additional technical challenge and you won't be able to use high-gain
directional antennas unless you wardrive in a convertible. Thus, an appropriate
combination of wardriving and warwalking is usually required.
Warcycling presents an intermediate solution between warwalking
and wardriving. You are power-limited, exposed to the elements, and slow, but some
traffic can be dumped in the process, there is no metal cage around, parking is
easy, and no one can stop you from hanging a covered high-gain omnidirectional
over your shoulder. The use of directional antennas
while warcycling does not make any sense and your hands are usually too busy to
type any commands. A PDA fixed between the bike handlebars might provide a good
solution for real-time traffic and signal strength monitoring when
warcycling.
"Warclimbing" is a term we use at Arhont to define discovering,
analyzing, and penetrating wireless networks from a stationary high position.
Why go and look for a network if the network might come knocking at your door?
In summer 2002, from the top of the Cabot Tower in Bristol (Figure 7-2) we discovered 32 wireless networks using a 19
dBi directional grid, or half that number of networks using a 15 dBi Yagi. Some of
these networks were in Bath and across the Welsh border, quite an impressive
reach! Even with a 12 dBi omnidirectional we were still able to detect about a
dozen networks in the area; I guess the number has grown significantly since
then.

A high place from which to search and connect might be a tall
building roof, top of a hill, or a room on the top floor of an appropriately
placed hotel where a determined wireless attacker could stay for a day or two to
get into the target corporate wireless network. The advantages of warclimbing
are derived from the stationary position of an attacker and the distance and
link quality obtained by using a high-gain directional antenna and having a clear
line of sight (LoS). Of course, appropriate warclimbing sites have to be present
and the best site found by checking the signal strength of a targeted network.
In terms of penetration testing, finding all such sites in the area and being
aware of their positions beforehand can be a great help should one ever need to
triangulate and find an advanced attacker armed with a high-gain directional
antenna and confident of his or her invincibility, like Boris in GoldenEye.
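As an added worked example (not code from the book or from Arhont), a small Python link-budget calculator that puts numbers on the two points made above: the wardriving rig whose pigtail loss and car glass can eat the gain of a 5 dBi mag-mount, and the reach a 19 dBi grid gets from a warclimbing site with a clear line of sight. The access point power, card sensitivity and cable loss figures are assumed values, and path loss uses the standard Friis free-space formula, so real ranges with obstacles will be shorter.

```python
import math
from dataclasses import dataclass

# Constructed AP and card figures (assumptions, not from the book).
AP_TX_POWER_DBM = 15.0        # typical SOHO access point output
AP_ANTENNA_DBI = 2.0          # rubber-duck dipole on the AP
CARD_SENSITIVITY_DBM = -85.0  # receive threshold of the surveying client card
CHANNEL_6_MHZ = 2437.0        # 802.11b/g channel 6 centre frequency


@dataclass
class Rig:
    """One survey setup: antenna gain minus everything between antenna and card."""
    name: str
    antenna_gain_dbi: float
    cable_loss_db: float = 0.0     # pigtail, RF cable and connectors
    obstacle_loss_db: float = 0.0  # e.g. the ~2 dB of a car window

    def effective_gain_db(self) -> float:
        return self.antenna_gain_dbi - self.cable_loss_db - self.obstacle_loss_db


def free_space_path_loss_db(distance_m: float, freq_mhz: float = CHANNEL_6_MHZ) -> float:
    """Friis free-space path loss for a clear line of sight."""
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


def received_power_dbm(rig: Rig, distance_m: float) -> float:
    """Signal the card sees from the constructed AP at a given LoS distance."""
    return (AP_TX_POWER_DBM + AP_ANTENNA_DBI
            - free_space_path_loss_db(distance_m) + rig.effective_gain_db())


def max_los_range_m(rig: Rig) -> float:
    """Largest LoS distance at which the received signal still meets the card's
    sensitivity (the path-loss formula inverted for distance)."""
    budget_db = (AP_TX_POWER_DBM + AP_ANTENNA_DBI
                 + rig.effective_gain_db() - CARD_SENSITIVITY_DBM)
    distance_km = 10 ** ((budget_db - 32.44 - 20 * math.log10(CHANNEL_6_MHZ)) / 20)
    return distance_km * 1000.0


def compare_rigs() -> dict:
    """Range in metres for the setups discussed in the text (loss figures assumed)."""
    rigs = [
        Rig("warwalking, 2 dBi stub on the laptop card", 2.0),
        Rig("wardriving, 5 dBi mag-mount on the roof, 3 dB pigtail", 5.0, 3.0),
        Rig("wardriving, same antenna but behind the car glass", 5.0, 3.0, 2.0),
        Rig("warclimbing, 19 dBi grid, 1 dB cable, clear LoS", 19.0, 1.0),
    ]
    return {r.name: round(max_los_range_m(r)) for r in rigs}


if __name__ == "__main__":
    for name, metres in compare_rigs().items():
        print(f"{metres:6d} m  {name}")
```

With these assumed figures the roof-mounted 5 dBi antenna ends up with exactly the same reach as a 2 dBi stub on a warwalker's card, and putting it behind the glass makes it worse; the same budget arithmetic is what a defender uses to estimate how far beyond the perimeter an access point can be heard.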
We do not cover more exotic methods of enumerating wireless
networks such as warflying. As someone pointed out at Slashdot, "How do you
chalk from 12,000 feet high?" Surely the networks could be discovered, but if
you manage to log a single data packet, consider yourself lucky. Nevertheless,
we are planning a trip in a hot air balloon with a decent directional antenna, a
hybrid of warclimbing and warcycling, perhaps.
When planning your site survey and further penetration testing,
take into account the things you might already know from the data-gathering
phase; for example, the area landscape and network positioning:
- Which floors of the buildings are the access points or antennas on?
- Where are the antenna masts?
- What are the major obstacles in the area?
- From what material are the building walls constructed?
- How thick are the walls (see the Obstacles/Loss table in Appendix E)?
- Are any directional antennas used for blasting through the obstacles present?
- How good is the physical security of the site? How are the guards and closed-circuit TV (CCTV) cameras positioned?