Most platforms have one or two popular scanning tools along with a handful of other less feature-filled applications available. Windows is no exception. The ubiquitous NetStumbler is by far the most popular scanning tool, and for the Windows user who wants monitor mode, AiroPeek is the usual solution.
NetStumbler is by far the most popular scanning tool on Windows. While NetStumbler has a lot of unique features, it also has some drawbacks. It has GPS support, so it can record the location of an access point (AP), but it is not tightly integrated into mapping/navigation software. Also, because it's an active scanner, it might not be able to find "hidden" APs, and it definitely will not be able to find the name of a hidden AP. Access points that are closed or hidden (your vendor may use different language) don't respond to broadcast probe requests. They also don't transmit their real name in beacons (the SSID is set to null). An examination of how NetStumbler works follows. The best way to see what NetStumbler can do is to install it. One of the biggest advantages of NetStumbler is its intuitive interface. A screenshot of the main window is shown in Figure 5-1.
Since NetStumbler is an active scanner, it relies on probe responses and possibly beacons. When an AP is in cloaked mode, it still sends out beacon packets periodically. If NetStumbler can't make use of the beacon packets, it is at a huge disadvantage. The two networks without SSIDs that NetStumbler has found in Figure 5-1 are not responding to broadcast probe requests, but they are still transmitting "censored" beacons. If NetStumbler cannot see the beacons, you will end up with a display that looks like Figure 5-2.
It's a popular misconception that NetStumbler (or active scanners in general) cannot use beacon packets. Hopefully, Figures 5-1 and 5-2 have convinced you otherwise. The questions are, when can NetStumbler use beacon packets, and how do you know if it is using them?
Well, if you've been looking for networks for a while and every network NetStumbler finds has an SSID, it is probably not picking up beacon packets. The easiest way to determine whether or not this is the case is to disable SSID broadcasting on an AP that you control and double-check.
The reason that NetStumbler can or can't see these networks (like so many other things wireless) comes down to drivers. Because NetStumbler and the drivers it is talking with are closed source, it is hard to verify exactly what is going on. There are a number of possible scenarios as to why this is occurring; the most likely is the following.
When NetStumbler talks to certain wireless drivers, it sends a command to the card that says, "Please scan for available networks now." A few moments later, it asks the driver, "What networks are available?" Though NetStumbler itself doesn't get to see the beacon packets, the driver keeps track of them. When NetStumbler asks for a list, the driver may return the networks that it knows are beaconing, but not responding to broadcast probe requests. Apparently, even easy-to-use active scanners have to worry about drivers at some level.
So which drivers work best with NetStumbler? A quick test of nearby cards shows that Atheros chipsets tend to show hidden networks inside NetStumbler. The Ralink, Broadcom, and prism-based cards I tried did not. This doesn't mean that all cards with prism, Broadcom, or Ralink chipsets won't, just that the specific drivers I happened to have installed for each of these didn't. Individual versions of drivers will vary.
Now that you know why it's important to use good drivers, even with an active scanner, let's dig into the details of Figure 5-1. In the main window, you can see that NetStumbler has found a total of six networks. NetStumbler displays the following information about each network.
MAC: The MAC column of the main window contains the Media Access Control (MAC) address of every AP that has been found. Though large wireless networks can contain more than one AP with the same SSID, every device has a unique MAC address. MAC addresses are six bytes long. The IEEE assigns the first three bytes of a MAC address to vendors. These bytes can be used to identify the brand of AP to some degree. The MAC address of an AP has the same function as the MAC address on an ordinary Ethernet card.
SSID: The SSID is commonly referred to as the network name. This name is what shows up in Windows when you click View Wireless Networks. SSID stands for Service Set Identifier.
Name: Cisco and Orinoco products both offer support for a name external to the SSID. NetStumbler can detect this under certain circumstances and fill it in. Usually, this column is empty. If NetStumbler does fill it in, it means you are (or at least were) connected to that network and had selected the Query APs for Names checkbox under NetStumbler's options.
Chan: The channel on which the AP is operating.
Speed: The AP's operating speed. Generally, the speed is 11 Mbps (802.11b) or 54 Mbps (802.11g).
Vendor: NetStumbler attempts to guess the vendor based on the MAC address of the AP. Usually it does pretty well; however, "(fake)" seems to show up for some very real vendors.
Type: The 802.11 standard allows for two types of networks. One network is based around the idea of an access point. The other type of network is commonly known as peer-to-peer or ad-hoc. Peer-to-peer networks are groups of users who don't have an AP but decide to create a network just by linking their laptops together. NetStumbler will label networks as AP or Peer. In IEEE jargon, the networks are known as BSSs (Basic Service Set) and IBSSs (Independent Basic Service Set), respectively.
Encr: Encryption. This field is either empty or WEP. Other possibilities for encryption include WPA and WPA2. NetStumbler, however, doesn't currently recognize these as different and labels every encrypted network it sees as WEP.
SNR: SNR stands for signal-to-noise ratio. This column displays how strong the signal is for the AP. Higher is better. Details on SNR in NetStumbler will be covered in the next section.
SNR+: This column lists the maximum SNR for a given network.
Signal/Signal+: This column gives you the current and maximum value for a signal that has been recorded for the AP.
Noise/Noise–: This column gives you the current and minimum value for noise that has been recorded for the AP.
IP Addr, Subnet: If either of these columns is filled in, then you were connected to the network. And since you were connected, NetStumbler queried Windows about IP address information related to your wireless interface. If you were assigned an IP address via DHCP, NetStumbler will be able to figure out the subnet of the wireless network and possibly an IP address. If you did not intentionally associate with a network that has this information filled in, something is misconfigured. The section on NetStumbler precautions covers what to do to prevent this from happening.
First Seen, Last Seen: These columns give you the date and time that the AP was originally discovered and the last time it was seen. This information is useful when you save the NetStumbler output to a file and are reviewing it later.
Longitude/Latitude: If you have GPS enabled, NetStumbler records the location you were in when you received the strongest signal.
Flags: Flags is a field in every 802.11 header. It contains bits that are set for various things including WEP, ad-hoc versus infrastructure mode, and so on. Most of the useful information has already been extrapolated out of this field and displayed in other columns inside NetStumbler.
Beacon Interval: APs and even ad-hoc networks are required to send beacons at fixed intervals so clients can synchronize their clocks. This is of little use when war driving. If it differs from most vendors' defaults (1/10th of a second, shown as 100 in NetStumbler's time units), you may have stumbled upon an advanced network administrator.
Distance: This column gives the distance between you and the AP. Obviously, GPS must be enabled for this to work.
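To make the columns above and the earlier discussion of cloaked APs concrete, here is an added example (not NetStumbler's code or output) that decodes an 802.11 beacon body into the same fields: SSID and whether it is hidden, Chan, Speed, AP versus Peer, the Privacy bit that NetStumbler reports as WEP, and the Beacon Interval in time units. The three sample beacons, the minimal RSN element and all constant names are constructed for this example; it also goes one step beyond NetStumbler by telling WEP, WPA and WPA2 apart from the RSN and WPA elements, which a passive tool that sees whole beacons can do.

```python
import struct

# 802.11 information element IDs (assigned by the standard)
IE_SSID, IE_RATES, IE_DS_PARAM, IE_RSN, IE_EXT_RATES, IE_VENDOR = 0, 1, 3, 48, 50, 221
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # Microsoft OUI + type 1 marks the WPA1 element
CAP_ESS, CAP_IBSS, CAP_PRIVACY = 0x0001, 0x0002, 0x0010
TU_MS = 1.024                        # one 802.11 time unit is 1024 microseconds

def parse_ies(blob):
    """Walk the tag/length/value elements that follow the fixed beacon fields."""
    ies, i = [], 0
    while i + 2 <= len(blob):
        tag, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:   # truncated element: stop instead of guessing
            break
        ies.append((tag, value))
        i += 2 + length
    return ies

def parse_beacon_body(body):
    """Reduce a beacon frame body (everything after the 24-byte MAC header) to the
    columns NetStumbler shows: SSID, Chan, Speed, Type, Encr, Beacon Interval."""
    _timestamp, interval_tu, cap = struct.unpack_from("<QHH", body, 0)
    info = {"ssid": None, "hidden": False, "chan": None, "speed_mbps": None,
            "type": "Peer" if cap & CAP_IBSS else "AP",
            "beacon_interval_tu": interval_tu,
            "beacon_interval_ms": round(interval_tu * TU_MS, 1)}
    rates, has_rsn, has_wpa = [], False, False
    for tag, value in parse_ies(body[12:]):
        if tag == IE_SSID:
            # A cloaked AP still beacons, but with an empty or NUL-filled SSID
            if len(value) == 0 or value.count(0) == len(value):
                info["hidden"] = True
            else:
                info["ssid"] = value.decode("utf-8", "replace")
        elif tag in (IE_RATES, IE_EXT_RATES):
            # rates are in 500 kbps units; the top bit only flags a basic rate
            rates.extend(r & 0x7F for r in value)
        elif tag == IE_DS_PARAM and len(value) == 1:
            info["chan"] = value[0]
        elif tag == IE_RSN:
            has_rsn = True
        elif tag == IE_VENDOR and value.startswith(WPA_OUI_TYPE):
            has_wpa = True
    if rates:
        info["speed_mbps"] = max(rates) / 2
    privacy = bool(cap & CAP_PRIVACY)
    # NetStumbler reads only the Privacy capability bit, hence "WEP" for everything
    info["encr_netstumbler"] = "WEP" if privacy else ""
    # A passive tool that sees the RSN/WPA elements can tell the flavours apart
    info["encr"] = ("WPA2" if has_rsn else "WPA" if has_wpa
                    else "WEP" if privacy else "")
    return info

def build_beacon_body(ssid, chan, rates, cap, extra_ies=b"", interval_tu=100):
    """Constructed sample beacon body (not a capture) for exercising the parser."""
    body = struct.pack("<QHH", 0, interval_tu, cap)   # timestamp, interval, capability
    body += bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([IE_RATES, len(rates)]) + bytes(rates)
    body += bytes([IE_DS_PARAM, 1, chan])
    return body + extra_ies

B_RATES = [0x82, 0x84, 0x8B, 0x96]                              # 1, 2, 5.5, 11 Mbps (basic)
G_EXT_RATES = bytes([IE_EXT_RATES, 4, 0x30, 0x48, 0x60, 0x6C])  # 24, 36, 48, 54 Mbps
# Minimal RSN element: version 1, CCMP group/pairwise, PSK AKM, no capabilities
RSN_IE = bytes([IE_RSN, 20]) + bytes.fromhex("0100000fac040100000fac040100000fac020000")

SAMPLES = {   # constructed beacons: three rows as NetStumbler might list them
    "wpa2_home": build_beacon_body(b"HomeNet", 6, B_RATES, CAP_ESS | CAP_PRIVACY, RSN_IE),
    "cloaked_wep": build_beacon_body(b"", 11, B_RATES + [0x0C, 0x12, 0x18, 0x24],
                                     CAP_ESS | CAP_PRIVACY, G_EXT_RATES),
    "open_adhoc": build_beacon_body(b"peer", 1, B_RATES, CAP_IBSS),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, parse_beacon_body(body))
```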
One of the most useful features of NetStumbler is the real-time display of signal strength. When you click an individual network in the left-hand column, you will see a display that looks something like the display in Figure 5-3.
Different drivers return results in different formats. There are essentially two flavors of signal strength: dBm and arbitrary units. Figure 5-3 shows a graph with arbitrary units. These are easy to read: the higher the number, the greater the signal. The numbers can't meaningfully be compared to anything other than themselves.
The other format, dBm, can (in theory) be compared to other devices. For example, if you wanted to compare the numbers you and a friend obtained using different antennas, and the signals were in dBm, you should be good to go. You can't, however, compare dBm to arbitrary units because there is no relationship between them. Even comparing arbitrary units from one card to units from another card will probably not make much sense. Though you should be able to compare dBm values from different cards, keep in mind the values can be skewed on different cards.
When NetStumbler shows a graph using dBm, it looks a little different from the graph in Figure 5-3 because there are red and green areas (and also purple) on the graph. The red area represents the noise level. Purple on either type of display indicates temporary loss of signal. As you would expect when looking at a dBm graph, the more green, the stronger the signal.
NetStumbler allows you to save your scanning information to a file. The native format ends in an .ns1 extension. This is the preferred format for NetStumbler. Using .ns1 files will allow you to scan your block one week, save it to disk, load the saved file next week, and repeat. This way you can keep all of the information about your neighborhood inside a single file.
The .ns1 file format is well documented; however, it is hard for developers of other tools to interact with. To help people who want to write tools that interact with NetStumbler, NetStumbler supports a few other file formats. The most useful of these is the Summary format. To save your information to a summary-formatted file, go to File | Export | Summary. This file format is used most often with StumbVerter, a program used to generate maps from NetStumbler summary files.
Assuming your GPS device is installed and working at the operating system level (if not, refer to Chapter 4), getting NetStumbler to support it is usually pretty easy. Click the GPS tab on NetStumbler's configuration options window, and select the COM port that your device is connected to. For most GPS devices, the default serial port options (4800 bps, 8 data bits, no parity, 1 stop bit, no flow control) are fine. The only two settings that need changing are Port and possibly Protocol.
The Protocol field specifies the format in which the GPS device outputs its data. The two most common are the proprietary Garmin format and the public standard NMEA format. Most Garmin devices will output data in the Garmin binary protocol by default. Any supported format will work fine with NetStumbler; you just have to make sure they match. If GPS is not working inside NetStumbler, then the easiest thing to do might be to try every reasonable protocol. Alternatively, you could try to figure out exactly what protocol your GPS device is outputting. The steps involved in doing this will vary from device to device, but on a Garmin eTrex, you can find the information under Menu | Setup | Interface.
If you have tried to get NetStumbler to talk to your GPS device but you simply can't get it to work, a better troubleshooting tool may be required. One possible solution is to use HyperTerminal to see exactly what is coming in through your serial port.
HyperTerminal is available for all versions of Windows since Windows 95. To see what is coming through your serial port using HyperTerminal, go to Start | Programs | Accessories | HyperTerminal. It will probably ask you for a name for the new connection, so input a dummy value such as TestSerialPort. The next screen will ask you for a phone number and also has a Connect Using drop-down box. Ignore the phone number portion, click Connect Using, and select the port your GPS device is on (COM4, for example).
On the next screen, you will be able to tweak all your connection parameters. You will probably want to set your bits per second to 4800 (unless you think your GPS device uses something else). When you are done making any changes, click OK. If you see something resembling the output shown in Figure 5-4 (which is NMEA), you have successfully connected to your GPS device. If you don't see anything, or you see some sort of garbled output that doesn't look like printable characters, you are either looking at a binary data stream or have misconfigured a setting on the serial port (most likely the speed). In this case, your best bet is to click the Disconnect button inside HyperTerminal, go to File | Properties | Configure, tweak the settings on your port, and then click Connect.
Repeat this process until you have something that looks like NMEA. If you never get a response or see any output, double-check that you have the correct port and that your device is actually configured to output something. Once you have figured out the correct settings inside HyperTerminal, you can set the correct values in NetStumbler.
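As an added illustration (not part of the book, NetStumbler or HyperTerminal), the following Python performs the same check you do by eye in HyperTerminal: it validates NMEA sentence checksums, decides whether a chunk of serial output is NMEA, silent, or garbled, and decodes the position from a $GPGGA sentence the way a GPS-aware scanner must before it can fill in Longitude/Latitude. The sample sentences, the bad-checksum line and the byte string standing in for a binary protocol stream are all constructed.

```python
import re

# $TALKER+SENTENCE,fields*HH  (five-letter prefix covers GPGGA, GNGGA, GPRMC, ...)
NMEA_RE = re.compile(r"^\$([A-Z]{5},[^*\r\n]*)\*([0-9A-Fa-f]{2})$")

def nmea_checksum(body):
    """XOR of every byte between '$' and '*'; the device prints it in hex after '*'."""
    cs = 0
    for ch in body.encode("ascii", "replace"):
        cs ^= ch
    return cs

def nmea_is_valid(line):
    """True if the line is a well-formed NMEA sentence whose checksum matches."""
    m = NMEA_RE.match(line.strip())
    return bool(m) and nmea_checksum(m.group(1)) == int(m.group(2), 16)

def classify_serial_output(text):
    """Mimic the HyperTerminal check: 'nmea' if most lines are valid sentences,
    'silent' if nothing arrived, otherwise 'garbled' (binary protocol or wrong speed)."""
    lines = [l for l in text.splitlines() if l.strip()]
    if not lines:
        return "silent"
    good = sum(nmea_is_valid(l) for l in lines)
    return "nmea" if good * 2 > len(lines) else "garbled"

def _to_decimal_degrees(field, hemisphere):
    # NMEA latitude is ddmm.mmmm and longitude dddmm.mmmm: minutes begin 2 chars before '.'
    dot = field.index(".")
    degrees = int(field[:dot - 2])
    minutes = float(field[dot - 2:])
    value = degrees + minutes / 60.0
    return -value if hemisphere in ("S", "W") else value

def parse_gpgga(line):
    """Position and fix quality from a $GPGGA sentence; None if it is unusable."""
    if not nmea_is_valid(line):
        return None
    fields = line.strip()[1:].split("*")[0].split(",")
    if fields[0] != "GPGGA":
        return None
    if int(fields[6] or 0) == 0:          # fix quality 0: no fix yet, coordinates empty
        return {"fix": False}
    return {"fix": True,
            "lat": _to_decimal_degrees(fields[2], fields[3]),
            "lon": _to_decimal_degrees(fields[4], fields[5]),
            "satellites": int(fields[7])}

# Constructed sample of a 4800 bps NMEA stream (two fixes, one second apart)
NMEA_SAMPLE = (
    "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*47\r\n"
    "$GPGGA,123520,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*4D\r\n"
)
# Same sentence with a corrupted checksum, as a noisy serial line might deliver it
BAD_LINE = "$GPGGA,123519,4807.038,N,01131.000,E,1,08,0.9,545.4,M,46.9,M,,*48"
# Constructed stand-in for a binary (non-NMEA) protocol stream: no '$...*hh' lines
GARBLED_SAMPLE = "\x10\x11\x02\x03\x10\x03\xb5\x62\r\n\x10\x06\x02\x09\x00\r\n"

if __name__ == "__main__":
    for label, text in (("nmea", NMEA_SAMPLE), ("binary", GARBLED_SAMPLE), ("none", "")):
        print(label, "->", classify_serial_output(text))
    print(parse_gpgga(NMEA_SAMPLE.splitlines()[0]))
```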
One of the things you may have noticed missing from NetStumbler is a map. NetStumbler does not have any integrated support for making maps. It depends on external programs to create maps of the data it generates. The most popular way to do this is to use a free tool from SonarSecurity called StumbVerter. StumbVerter takes in a file generated by NetStumbler (in summary format) and generates a nice looking map, such as the one in Figure 5-5.
The only downside to using StumbVerter is that it requires you to have Microsoft MapPoint installed. MapPoint is an expensive piece of software, and unfortunately, StumbVerter doesn't work with the cheaper mapping products Microsoft offers, such as Microsoft Streets and Maps.
NetStumbler probably has one of the more innovative sets of scanning tool extras. One clever feature is the use of GPS to auto-scale the scan speed. Inside the main NetStumbler configuration window, shown in Figure 5-6, you can control the speed at which NetStumbler will send probe requests. The default (in the middle of the slider) is to scan once every second. Pushing the slider all the way to the right will cause NetStumbler to scan every half second. Slow is once every two seconds. Setting the speed yourself can be cumbersome if you want to change it frequently. If you have a GPS device hooked up, NetStumbler can automatically adjust its scanning speed based on how fast you are actually moving.
Another clever feature built in to NetStumbler is MIDI output of the current signal-to-noise ratio (SNR). This can provide an informational audio cue about your current signal strength, without your having to look at a graph. This can be quite useful for one-person scans.
Now that all of the features that NetStumbler implements have been covered, it is time to consider some techniques that can improve your NetStumbler experience. When you run NetStumbler, it is only one of many programs trying to talk to your wireless card. Either the Windows Wireless Zero Configuration (WZC) service or your particular card's configuration client can influence what your card is doing. This can range from mildly annoying (the signal is always reported incorrectly) to crippling (you can only see packets from the network you forgot to disconnect from) to self-incriminating. In the self-incriminating case, Windows (or your wireless card's configuration client) actually attempts to connect and get an IP from a network you are scanning. As a general rule, you shouldn't let your computer connect to a network unless you tell it to explicitly.
NetStumbler is aware of this problem and does everything it can to get exclusive control of your wireless card. NetStumbler calls this feature auto-reconfigure, and it can be enabled by clicking the fifth icon from the left (the one that looks like two gears) or by selecting the checkbox in the main configuration dialog. Auto-reconfigure is NetStumbler's attempt to put the card into a "good" state for war driving. Specifically, auto-reconfigure will do the following:
If you are not using an Orinoco or prism driver, auto-reconfigure will simply stop WZC. Unless you are using a special wireless configuration client, this will probably be sufficient.
If auto-reconfigure detects an Orinoco driver, it will stop WZC and make sure the card is set to a blank SSID.
If auto-reconfigure detects a prism driver, it will stop WZC and check to see if the card is set up with a blank SSID. If it isn't, it will modify the card's registry settings and ask you to reinsert the card.
One thing that auto-reconfigure can't do is determine if a third-party configuration client is either running or interfering. If you have one of these configuration client programs running, the best thing to do is to get the card into a state where it will associate with any SSID. If it's looking for a particular network, the card may ignore packets that NetStumbler would like to see. Details vary from program to program, but in general, you will want to create a new profile, set the SSID to Any, and save it as WarDriving or NetStumbler or something similar. Whenever you want to run NetStumbler, apply the profile and exit (not minimize) the client program. Figure 5-7 shows a good setup for the Broadcom client configuration program.
In order to be really sure that your computer doesn't go around connecting to networks without your permission, you can make one more configuration change to Windows before going on a war drive. Before going war driving, unbind TCP/IP from your network interface. Even if something is unexpectedly controlling your wireless card, you will be sure not to get an IP and transmit any data. To do this, go to Control Panel | Network Connections. Right-click your wireless card and go to Properties. You should see a dialog that looks like Figure 5-8.
Just remove the checkmark by Internet Protocol (TCP/IP) and press OK. Later, when you are done scanning and want to connect to a network, reselect the option.
Following these guidelines before starting NetStumbler will help ensure that you are seeing the most networks possible, and at the same time, prevent you from accidentally joining a network you don't trust. If you have trouble getting NetStumbler to see networks once it starts, the most likely cause is a third-party wireless configuration client. Simply stopping the configuration program may be enough to get NetStumbler back in control of the wireless card. Other times, you must take specific actions. In most cases, NetStumbler's auto-reconfigure feature can avoid these problems.
AiroPeek comes in two versions, NX and SE. WildPackets offers a free trial download of NX. Though they are similar, it should be noted that the detailed instructions and screenshots in this section were created with NX. In general, the features mentioned here should be available in both versions; therefore, I will just refer to AiroPeek for brevity.
Popularity: 2
Simplicity: 4
Impact: 2
Risk Rating: 3
AiroPeek is not really a wardriving tool. It's more like a Windows development company rolled most of the functionality from Kismet, Wireshark, and your favorite packet injector into one big program, put a Windows interface on it, and started selling it. That's not necessarily a bad thing; it's just not what most people with a UNIX background are used to seeing.
AiroPeek is designed to be used by people with significant understanding of the 802.11 standard and a large network to administer. They are also expected to have a proportionally large IT budget, as the cheap version of AiroPeek (SE) currently costs $895. The reason that we are interested in AiroPeek is that it offers the easiest way to get a card into monitor mode on Windows. For the most part, we'll ignore its impressive set of bells and whistles and focus on using it to capture data and view the surrounding networks.
Since AiroPeek will let you get a card into monitor mode on Windows, it must install a special driver. If you don't install a driver that AiroPeek can use, it won't be able to gather any packets. AiroPeek has drivers for quite a few cards; however, the preferred chipset is Atheros. WildPackets maintains excellent information on supported cards and instructions on installing their driver, available at http://www.wildpackets.com/support/product_support/airopeek/hardware. The driver download comes with a readme file explaining how to install it.
When using AiroPeek for the first time, you can easily get overwhelmed by all the bells and whistles. The easiest way to get past this feeling is to explore the program on your own for a while and get used to the names it uses for different displays. Most of them aren't particularly interesting for security purposes, but they do give you more insight into how the local network is being utilized.
The window most useful for war driving is called Monitor Statistics or Wireless Statistics inside AiroPeek. Its icon looks like a red Apple airport logo. Before you can use this mode, you will probably have to configure some settings. Clicking Monitor | Monitor Options from the main window will bring up a display that looks like the following.
If you don't see a network adapter that says [WildPackets], then you haven't successfully installed the WildPackets driver. You should probably give the readme file included in the driver install another look.
Clicking 802.11 will bring up a display that lets you configure the traditional settings of a passive 802.11 scanner. These settings include selecting the channel and configuring which channels to scan through. If you are interested in a particular AP, you should just select the channel that it is on. If you are war driving and looking for networks in general, then you should select Scan.
Once you have configured the channels you are interested in, click OK. To enable the collection of monitor statistics (or to turn on the wardriving interface, depending on how you think of it) click Monitor | Monitor Statistics from the main menu. Inside the WLAN Statistics window, you will see a window that looks similar to this one.
The first thing you should notice is that this display contains a lot more data than NetStumbler's. For starters, since AiroPeek sees every packet on the channel it is listening on, it knows all the clients that are talking to the AP. If you would rather see only APs and ignore clients for the time being, click the drop-down box that says All Nodes and select Access Points. You can also close the network statistics and log window at the bottom to clean up the display. Doing so will give you a much more terse view, similar to the window shown here.
Most of the columns should be pretty self-explanatory. Notice that AiroPeek can tell more specifically what type of encryption is being used. The only column that may be puzzling is Trust. AiroPeek can keep track of what APs are yours to help detect rogue access points. This is what the Trust column refers to.
Another useful feature that AiroPeek has is the ability to capture packets in real-time. To start a new capture, click File | New. A dialog box will pop up with some settings similar to the Monitor Options window. The default settings should be fine for now; click OK, and a new capture window will appear. Click the big green Start Capture button and watch as a list of packets gets updated in real-time.
The capture window looks a lot like Wireshark: each row represents a single packet, and double-clicking a row brings up the details for that packet.
AiroPeek can save packets it has captured into many different file formats. The two most useful are AiroPeek's native format and pcap. Unless you have a compelling reason not to, it's probably better to save in pcap format so you can use your packets with other tools as well. Note that saving packets is disabled in the evaluation version of AiroPeek.
It is worth mentioning that AiroPeek includes support for transmitting packets as well. The ability to inject arbitrary packets on Windows increases the numbers of attacks that can be performed substantially.
Unfortunately, the level of packet transmission support in AiroPeek isn't very useful for wireless hacking (though it's certainly useful for debugging network problems). This is for two reasons. One is that AiroPeek lacks a command-line interface, so it is not easily scripted. The bigger problem, however, is that AiroPeek is limited to transmission of data packets. That means you can't inject management or control frames that could be used to deauthenticate users. It appears that this limitation is actually built in to the driver, not just the application, which means writing a simple program to bypass the application-level filtering is probably not an option. While injecting packets, in general, can pose a significant risk, data packets are significantly less interesting than management or control packets. This is why the Risk Rating is so low.
AiroPeek is a very powerful tool, and most people could learn a lot from playing with the demo version. Though it has a ton of extra features, if you ignore most of them, AiroPeek turns out to be a capable wardriving program for Windows. The major drawbacks are the cost, the inability to save packet files in the demo, and the fact that the most useful mode to a war driver (monitor statistics and wireless statistics) disables itself after five minutes in the free version.
Perhaps the most useful thing that AiroPeek has contributed, however, is a driver for Windows that allows monitor mode and limited packet injection on many popular wireless cards. There are a few tools that can take advantage of this. In Chapter 6, you will see that aircrack can use this driver to accelerate cracking of WEP keys in real-time.