[ISN] War Flying

From: InfoSec News (isnat_private)
Date: Thu Aug 29 2002 - 00:16:26 PDT

  • Next message: InfoSec News: "RE: [ISN] Our raid on Downing St."

    [Those that either live in San Diego or have spent any time there 
    won't be suprised with the map of AP's listed on there. Check out the 
    above URL for hyperlinks to other sites and the map.  - WK]
    War Flying
    by Delta Farce 
    War driving is passť. Pete Shipley of the Bay Area Wireless Users
    Group (BAWUG) was the early big name in war driving. He and others
    popularized cruising the highways and local streets with laptops and
    802.11b NICs that would detect Wireless Access Points (APs), and GPS
    units to record the latitude and longitude at which they were noted.  
    Last year at DefCon he delivered a presentation at the same time that
    NetStumbler, a windows based war driving tool, was rapidly gaining in
    popularity.  Anyone who's done any war driving knows that about 60% -
    80% of the wireless LANs out there haven't had the most basic steps
    taken to secure them, making them as difficult to "break" into as
    buying a wireless NIC and downloading free software. For a technical
    overview of Wireless security, check out this Blackpaper.
    Like many people, I spent more than my share of hours and dollars war
    driving last year. However, since I do not access the open networks I
    see, it quickly got boring. Early this year I retired NetStumbler,
    except for the occasional wireless audit at work. Then Tracy Reed
    posted an invitation to go war flying on the San Diego Wireless Users
    Group (SDWUG) mailing list. Now that was a cool idea, and something I
    just had to do! In all fairness, while we weren't the first to do this
    (some blokes in Oz beat us to it), Tracy made the suggestion at least
    a month before those Aussies posted their results.
    This past Sunday (8/25) I met Tracy at Montgomery Field in San Diego
    at noon. He did the pre-flight while I prepped the stumbling gear. We
    hoped to rack up as many APs as we could so we planned to fly over or
    near high tech businesses, UCSD, Encinitas, Oceanside, Vista,
    Escondido, SDSU, Mission Valley, Pacific Beach, Mission Beach, Ocean
    Beach, Pt Loma, Chula Vista and then head to the airport to land.  
    Tracy kept the airspeed low (about 120 knots) so we could maximize the
    time we would spend in range of APs, hoping this would increase the
    likelihood of detecting them.
    Almost immediately after take off we passed over a business district
    and the APs started popping up, and fast. I thought they would taper
    off as we got higher. They didn't. After we leveled off at 1500' they
    just kept coming. As long as we were passing over areas with
    businesses or homes, we were getting APs. (Except for when XP and
    NetStumbler were fighting for control of the NIC and I had to reboot.  
    Insert your Linux/Kismet plug here.) At one point we had to ascend to
    2500', and yet the APs still kept rolling in. I guess the lack of
    intervening metal, wood, and concrete made a big difference. I didn't
    see a drop off in the home use (Linksys, etc) or the commercial
    (Cisco, etc.) APs.
    Here you can see a flight plan dotted with the SSIDs. The 437 blue
    diamonds represent our location when we detected an AP, and not the
    true location of the AP. Therefore, they are a pretty good
    representation of our flight path. As they are not the true locations
    of the APs, and they don't indicate whether or not they have WEP
    enabled (and it's really hard to read almost all of the SSIDs) I am
    willing to post this image.
    Here are the SSIDs and the manufacturers that were most represented in
    the data we collected. First up we have the SSID names, which as
    you'll see largely match the manufacturers:
    linksys 189 
    default 38 
    Wireless 14 
    Carroll 4 
    tsunami 4 
    UCS001 3 
    WLAN 3 
    Zoom033551 3 
    As you can see, along with not bothering to enable WEP, most people
    don't bother to change the name that their wireless access point comes
    setup with. 'linksys' is obviously Linksys, 'default' is D-Link,
    'Wireless' is Netgear, and 'tsunami' is Cisco. Those four
    manufactures' APs configured with default SSIDs account for 60% of the
    APs we saw.
    Linksys 257 
    Agere 33 
    Apple 33 
    Cisco 33 
    D-Link 28 
    Delta (Netgear) 18 
    Acer 12 
    Zoom033551 3 
    It really looks like Linksys has the lion's share of the market, at
    least in San Diego.
    Keeping in the same range as what I have seen while war driving, about
    23% (102) of the APs had WEP enabled. Folks still don't get it.
    We are planning to place a couple of APs in a house that we can spend
    some time flying over. We'd like to see how far away, and at what
    altitude, we can fly and still detect the AP. I'm also hoping to get
    some web and perhaps IRC time in.
    Don't forget to read Tracy's write up of our adventure.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu Aug 29 2002 - 03:03:06 PDT