
The Art of War Driving and Security Threats - A Malaysian Case Study

Biju Issac, Seibu Mary Jacob and Lawan A. Mohammed
Information Security Research (iSECURES) Lab
Swinburne University of Technology (Sarawak Campus)
Kuching, Sarawak, Malaysia.
{bissac, sjacob, lmohammed}@swinburne.edu.my

Abstract - The fact that Wireless Local Area Networks (WLAN) use radio spectrum for transmitting data has with it pros and cons. Mobility without wires and the ease of moving around to connect to network resources have made IEEE802.11 WLANs quite popular. The user needs only a laptop with a wireless network adapter that negotiates with an Access Point. Once authenticated and associated with the Access Point, the user can move around freely within the transmission range of the Access Point without losing data or network connection, enjoying bandwidths of the order of multiples of 10 Mega Bytes. On the negative side, these wireless LANs tend to have fuzzy boundaries, making it easy for an intruder to capture the transmitted signals with a receiving device fitted with a sensitive antenna. An analysis of the captured packets can be good news to the intruder. We investigate war driving (the act of locating wireless networks from within a moving vehicle), the interception of transmitted data from the wireless LANs located along some of the highways in our country, and a brief analysis of that data, eventually discussing the attacks and security precautions.

Keywords - Packet capture, Security threats, War driving, Wireless LAN.
I. INTRODUCTION

When the concept of wireless networking evolved, the world received it with open arms, and in the recent past the world has become increasingly mobile. Ubiquitous and mobile computing are thus becoming the de-facto standard in the future world of computer networks. Wireless networks, however, are not meant to replace wired networks. They support and complement each other. The fact of the matter is, in infrastructure mode, the Access Point needs to be connected to a wired LAN.

In the forthcoming sections we introduce the basic technology of wireless networks in Section II, the war driving exercise in Section III, the configuration of the laptop carried along in Section IV, packet capturing and observations in Section V, statistical analysis in Section VI, WEP cracking verification in Section VII, network traffic filtering of image/audio in Section VIII, privacy invasion in Section IX, attacks and precautions in Section X, analysis of hacker tools in Section XI, prevention measures that can be taken in Section XII and the conclusion in Section XIII.
II. BASIC TECHNOLOGY

The Wireless Local Area Network (WLAN) operates on IEEE802.11 standards. Its initial products were released in 1997. The 802.11b standard is the most popular, with a wide implementation base on wireless products. It operates from 2 Mbps up to 11 Mbps speed. The 802.11g standard is becoming popular now, with a transmission speed of up to 54 Mbps.

1-4244-0000-7/05/$20.00 ©2005 IEEE.

The above standards operate in the 2.4 GHz ISM band [1]. There are other IEEE standards for wireless products that are scarcely available in the markets today, like 802.11a, 802.11i etc., but would be available in future. We will focus our analysis on IEEE802.11b/g wireless LAN only.

In infrastructure mode a wireless LAN requires two components, namely an Access Point and a laptop computer with a wireless card. The Access Point acts as a 2-port bridge and is connected to a wired LAN [2]. It connects the wireless node to the resources in the wired LAN. In 802.11b and 802.11g, encryption is not mandatory and the default setup is without encryption. The implementer of the wireless LAN is left with the choice of enabling or disabling encryption. As the radio transmission happens in the air at around 2.4 GHz frequencies, the possibilities of an intruder intercepting these waves are high. He just needs a receiving device with a sensitive antenna. Unlike wireless networks, wired networks have an inherent security in the fact that the data transmission happens through wire that is shielded through the ducts in the wall of a building, which is not easy to tap, or can be protected by strong physical access control like locks on the doors of wiring closets etc.

IEEE802.11b/g uses WEP (Wired Equivalent Privacy) as its encryption protocol. It can be 40-bit or 104-bit encryption. It is a proven fact that WEP's design is flawed and the encryption key can be recovered by capturing a sufficient number of packets [3]. IEEE802.11b/g also uses a RADIUS server with Extensible Authentication Protocol (EAP) for backend authentication. This user authentication can harden the security of a wireless network. WPA with PSK or RADIUS authentication with TKIP/AES is what we can find in the current 802.11g equipment.
III. WAR DRIVING ON HIGHWAYS

Having understood the fuzzy boundaries of wireless network installations, caused by radio transmission and the ease of sniffing, we thought of testing it ourselves by driving around with a laptop computer on some of the highways. We are not aware of any law of the land that prevents a person from eavesdropping on a wireless network, especially when the radio waves break out into open and public space. We think the line that demarcates lawful activity from lawless activity in such a case would be very thin and sensitive.

We went to different areas where wireless networks were detected and started capturing packets using the preconfigured laptop we had. To get a more random sample, we drove to different places at different times. The ease of wireless data capture is well illustrated in the figure below. It is called the parking lot attack in [4].


Figure 1. Parking Lot Attack. Here the attacker, equipped with a laptop in a car in the parking lot, could be intruding into the wireless LAN as illustrated in [4] (diagram reproduced), with the boundary as shown.

IV. CONFIGURATION AND SETUP USED

The laptop that we used had the following configuration: Make: Acer laptop, Processor: Mobile Centrino processor, Memory/RAM: 256 MB, Hard Disk Capacity: 20 GB, with a fixed onboard wireless network adapter, PCMCIA wireless adapter slot etc. So our laptop had 2 wireless network adapters. We used one for wireless network detection, using NetStumbler 0.4.0 software [5], and the other for 802.11b/g packet capturing using Link Ferret 3.10 software [6]. We used a CISCO Aironet 350 series PCMCIA adapter and configured the laptop to capture wireless packets using the Link Ferret packet capturing software and appropriate network drivers. WinPcap software also needed to be installed for packet capturing to work. The Link Ferret software can be configured to capture packets from different channels with a huge buffer size, with an average packet size of around 64 bytes or more. We also installed Network Stumbler software that could stumble upon/detect wireless networks as we drive around. It basically scans for any presence of a wireless LAN. The Network Stumbler software could show us the wireless networks and their details like MAC address, SSID name/network name, Access Point name and details, details of encryption if enabled or the absence of it, the channel number, the time stamp, signal strength etc. With Network Stumbler scanning enabled and Link Ferret packet capturing enabled, with two laptops we did a drive-around in one of our cars on some of our highways. As expected, wireless networks were detected and packets were captured from the needed places. The results were quite revealing.

V. PACKET CAPTURING AND OBSERVATIONS

Packet capturing was done in various spots where wireless networks were detected through NetStumbler alerts. It was quite surprising to us that quite a number of wireless networks were working without encryption. They simply had not enabled the WEP option. The packet capturing was done in eight different sessions of an average duration of around 30 minutes each, and the packets were captured in eight different files. These files have been merged to form a single file to do an overall analysis. For security reasons, we didn't want to draw our driving map or disclose locations.

The captured packet files are mainly from different locations that include Petrol Stations, Banks, Financial Institutions, Shopping Complexes and Government organizations. Other minor capturing includes Hotels, Public Wi-Fi Hotspots in Cafes and other private installations. It is unfortunate that the header of a wireless packet can reveal some interesting information, as it is transmitted in the clear. Sniffing and getting such details on a wired network is not that easy. The wireless frames/packets captured were a combination of Control Frames, Management Frames and Data Frames. Control and Management Frames were much more numerous in comparison to Data Frames. Packets/frames with their protocols and total number in brackets were as follows: IEEE 802.11 (228837), IEEE 802.1 (636), CDP (4), IEEE 802.2 (23603), IEEE SNAP (14410), ARP (2746), IP (9971), ICMP (347), IGMP (50), BOOTP (329), EGP (1), GRE (1), IPX (564), IPX RIP (14), UDP (3604), TCP (5442), NBNS (471), NBDS (288), NBSS (3763), IPX NETBIOS (18), NETBEUI (85), NCP (1), SMB (6), FTP (1), HTTP (693), HTTPS (279), DNS (113), OSPF (26), SSDP (290), NNTP (28), IPX SAP (78) and NMPI (11). Other critical information captured was source, destination and BSSID (or AP) MAC addresses, source and destination node IP addresses, source and destination node open port numbers, checksum details, initialization vector (IV) value etc. This information in itself is not very sensitive, but some of it can be used to launch attacks against a wireless LAN as explained under Section X, especially the DoS attacks. Encrypted packets showed signs of using a set of WEP keys (rather than one static key), and in some packets the TKIP protocol was used.

Well, we need not speak much about the data packets captured that were not even encrypted. Even though some APs were using WEP encrypted transmission with TKIP enabled, we could still collect quite a number of unencrypted fragmented IEEE 802.11 data frames (with Frame Control type=2, i.e. type=Data Frame). These can be used to get meaningful or sensitive information that can interest an intruder, if one uses appropriate tools and shows some patient effort. For example, EtherPEG and DriftNet are free programs [7], [8] that show you all the image files like JPEGs and GIFs traversing the network. They work by capturing unencrypted TCP packets, and then grouping the packets based on the TCP connection (i.e. from the source IP address, destination IP address, source TCP port and destination TCP port). They then join or reassemble these packets in the right order based on the TCP sequence number and then look through the resulting data for byte patterns that show the existence of JPEG or GIF data [7]. This is useful when one gets connected 'illegally' to a wireless LAN. We tested Driftnet execution on Linux as in Section VIII. Overall, using NetStumbler we located 50 Access Points or peers in wireless networks without WEP encryption and 21 Access Points or peers with WEP encryption. We could even connect to an encrypted peer wireless network in a government organization by typing in a random password. The PC or laptop thus connected was assigned an IP address.
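To make the frame bookkeeping of this section concrete, the following added example (written for this edit; it is not code from the paper or its authors) parses the 802.11 Frame Control field of a handful of constructed frames, maps each frame to the paper's frame-type number (type * 16 + subtype, so Data = 32 and QoS Null = 44), uses the Protected Frame bit to separate encrypted from cleartext frames, and derives the per-session figures used in Section VI: the count of unencrypted data packets (UDP), their average size and rate per second, the conditional probability P(DP|UP), and the 95% confidence interval of Table II. The frames, timestamps and addresses are constructed sample data; the confidence-interval routine is checked against the paper's own pkt1.cap and pkt5.cap figures.

```python
import math
from collections import Counter

# 802.11 Frame Control field (first two bytes of every frame, little-endian):
#   byte 0: protocol version (bits 0-1), type (bits 2-3), subtype (bits 4-7)
#   byte 1: flags; bit 6 (0x40) is the Protected Frame bit, set when WEP/TKIP/CCMP was applied
FC_PROTECTED = 0x40
MAC_HEADER_LEN = 24  # FC(2) + duration(2) + addr1..addr3(18) + sequence control(2)

# The paper's "frame type" numbers are (type << 4) | subtype, e.g. Data = 32, QoS Null = 44.
PAYLOAD_DATA_TYPES = {32, 33, 34, 35}      # Data, Data+CF-Ack, Data+CF-Poll, Data+CF-Ack/Poll
EXCLUDED_TYPES = {36, 37, 38, 39, 40, 44}  # no-payload (and QoS) frames left out of Table I


def parse_frame_control(frame):
    """Return (type, subtype, paper_type_number, protected) for one raw 802.11 frame."""
    if len(frame) < 2:
        raise ValueError("frame too short to carry a Frame Control field")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x03
    subtype = (fc0 >> 4) & 0x0F
    return ftype, subtype, (ftype << 4) | subtype, bool(fc1 & FC_PROTECTED)


def build_frame(ftype, subtype, protected, body_len):
    """Construct a minimal frame (24-byte MAC header + zero body) for the sample; not captured data."""
    fc0 = (subtype << 4) | (ftype << 2)
    fc1 = FC_PROTECTED if protected else 0x00
    header = (bytes([fc0, fc1]) + b"\x00\x00"          # FC, duration
              + b"\xaa" * 6 + b"\xbb" * 6 + b"\xcc" * 6  # addr1..addr3 (constructed)
              + b"\x10\x00")                             # sequence control
    return header + bytes(body_len)


# One constructed capture session: (seconds since session start, raw frame).
SESSION = [
    (0.0, build_frame(0, 8, False, 60)),    # beacon (management)
    (0.5, build_frame(2, 0, False, 100)),   # Data, cleartext            -> UDP
    (1.0, build_frame(2, 0, True, 120)),    # Data, Protected bit set (WEP/TKIP)
    (1.5, build_frame(2, 8, False, 80)),    # QoS Data (type 40), excluded by the paper
    (2.0, build_frame(1, 13, False, 0)),    # ACK (control)
    (2.5, build_frame(2, 4, False, 0)),     # Null (type 36), no payload, excluded
    (3.0, build_frame(2, 1, False, 200)),   # Data + CF-Ack, cleartext   -> UDP
    (3.5, build_frame(2, 0, False, 300)),   # Data, cleartext            -> UDP
    (4.0, build_frame(0, 12, False, 2)),    # deauthentication (management)
    (5.0, build_frame(2, 0, True, 90)),     # Data, protected
]


def analyse_session(session):
    """Compute the Table I columns and P(DP|UP) for one session of (timestamp, frame) pairs."""
    unencrypted = 0
    udp_sizes = []
    type_counts = Counter()
    for _, frame in session:
        _, _, number, protected = parse_frame_control(frame)
        type_counts[number] += 1
        if protected:
            continue
        unencrypted += 1                       # UP: any frame sent in the clear
        if number in PAYLOAD_DATA_TYPES:
            udp_sizes.append(len(frame))       # DP and UP: cleartext data frame with a payload
    duration = session[-1][0] - session[0][0] if len(session) > 1 else 0.0
    udp = len(udp_sizes)
    return {
        "total_packets": len(session),
        "unencrypted_data_packets": udp,
        "avg_udp_size": (sum(udp_sizes) / udp) if udp else 0.0,
        "udp_per_sec": (udp / duration) if duration > 0 else 0.0,
        "p_data_given_unencrypted": (udp / unencrypted) if unencrypted else 0.0,
        "frame_type_counts": dict(type_counts),
    }


def proportion_ci(successes, n, z=1.96):
    """Normal-approximation 95% confidence interval for a proportion (the Table II calculation)."""
    p = successes / n
    half = z * math.sqrt(p * (1.0 - p) / n)
    return p - half, p + half


def format_ci(successes, n):
    """Render the interval the way Table II prints it, e.g. '(7.44%, 8.02%)'."""
    lo, hi = proportion_ci(successes, n)
    return f"({lo * 100:.2f}%, {hi * 100:.2f}%)"


if __name__ == "__main__":
    print(analyse_session(SESSION))
    print("pkt1.cap:", format_ci(2532, 32767), " pkt5.cap:", format_ci(2385, 6073))
```

The 95% interval is the plain normal approximation p ± 1.96·sqrt(p(1-p)/n) with n the number of frames in the file; it reproduces the paper's intervals exactly, which is how one can tell that is the method behind Table II.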


VI. STATISTICAL ANALYSIS

Packet analyzers like Ethereal [9], Packetyzer [10] and the Link Ferret monitor software [6] were used for the detailed analysis of packets. Using filters we could list only the packets we were interested in. Each of those packets could then be analyzed with its detailed contents. We did some

statistical analysis on the captured packets that showed some indicative results. Table I gives some statistical information on data frames/packets that are unencrypted and Figure 2 shows the related graph. The captured packet files (pkt1 to pkt8) are from 7 different locations during different times.

The data frames considered for tabular analysis fall into the following categories or groups - Data (frame type 32), Data + CF-Acknowledgement (frame type 33), Data + CF-Poll (frame type 34) and Data + CF-Acknowledgement/Poll (frame type 35). These data packets will be referred to as unencrypted data packets (UDP) from here on. Data frame type 32 dominates the population. We also noted Data frames of type 32 that are encrypted with WEP, which are not considered for analysis. The sample considered for analysis consists of unencrypted data frames and unencrypted fragmented data frames - both containing visible data sections in HEX format as viewed through Ethereal. Our packet samples are only indicative and they are not very exhaustive. Hence our results are also indicative in nature. Frames of type Data + Acknowledgement (no data, frame type 37), Data + CF-Poll (no data, frame type 38), Data + CF-Acknowledgement (no data, frame type 39), QoS Data (frame type 40) and QoS Null (no data, frame type 44) are not considered for tabular analysis, since they contain no data payload or irrelevant data.

TABLE I. DETAILS OF THE CAPTURED PACKET FILES

Packet file name | No. of total packets | No. of unencrypted data packets (UDP) | Average unencrypted data packet size (in bytes) | No. of unencrypted data packets/sec
pkt1.cap | 32767 | 2532 | 1081.86 | 3.31
pkt2.cap | 32767 | 7482 | 108.17 | 2.42
pkt3.cap | 19321 | 1397 | 428.34 | 1.05
pkt4.cap | 32767 | 1465 | 228.15 | 0.45
pkt5.cap | 6073 | 2385 | 173.85 | 1.30
pkt6.cap | 32767 | 3527 | 83.57 | 4.71
pkt7.cap | 32768 | 1558 | 84.79 | 1.13
pkt8.cap | 39607 | 2550 | 77.25 | 1.81
Merged | 228837 | 22896 | 241.08 | 2.02

[Figure 2: bar graph of the UDP percentage per capture session (pkt1 to pkt8); the plotted values are the proportions derived from Table I.]
Figure 2. The graph showing the percentage of unencrypted data packets (UDP) captured from eight different sessions, based on Table I.

From the above table we note that the average number of unencrypted data packets per second is 2 and the average unencrypted data packet size is around 241. Using conditional probability on the 8 samples collected, the following is observed. Given an unencrypted packet, there exists a 15% average chance that it is a data packet. Thus, mathematically, $P(DP \mid UP) = \frac{P(DP \cap UP)}{P(UP)} = 0.15$, where DP is Data Packet and UP is Unencrypted Packet.

Grouping the captured packets based on the source company/organization yielded Table II. The 95% Confidence Interval was also calculated, assuming 5% error in the captured packets. The results are quite revealing.

TABLE II. SOURCE OF CAPTURED PACKETS WITH 95% CI CALCULATION

Packet file name | Type of Company/Organization | Unencrypted data packets (%) | 95% Confidence Interval for the proportion of unencrypted data packets
pkt1.cap | Petrol Station & Private Installations | 7.73 | (7.44%, 8.02%)
pkt2.cap | Bank/Financial Institution | 22.83 | (22.38%, 23.29%)
pkt3.cap | Petrol Station | 7.23 | (6.87%, 7.60%)
pkt4.cap | Multistoried Shopping Complex | 4.47 | (4.25%, 4.70%)
pkt5.cap | Bank/Financial Institution | 39.27 | (38.04%, 40.50%)
pkt6.cap | Bank/Financial Institution | 10.76 | (10.43%, 11.10%)
pkt7.cap | Organization/Government Office | 4.75 | (4.52%, 4.99%)
pkt8.cap | Organization/Government Office | 7.78 | (7.49%, 8.07%)

Overall, in all the packets combined, we found broadcast frames to be 41% (with 28% of the bytes), multicast frames to be 15% (with 35% of the bytes) and directed frames to be 43% (with 36% of the bytes).

VII. WEP CRACKING VERIFICATION

Verification of WEP cracking was done on packets captured within our research lab, with encryption using a static 104-bit WEP key (abc012fde789cde567afb456ad), as shown in Figure 3. The cracking was done using the Aircrack software and it took only 5 seconds with around 6 million packets, as the WEP design was proved to be flawed. The WEP key is crackable because of IV collision, where the same IV might repeat after some time [11]-[13].

[Figure 3: screenshot of the aircrack 2.1 output ending in the "KEY FOUND!" line with the key above; the key-byte vote table on the screen is not reproducible from the extracted text.]
Figure 3. Aircrack software successfully cracked 104-bit WEP key encryption. Around 6 million packets were used.
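The IV-collision remark above is the whole story of why static WEP fails, and it can be shown without any key recovery. The following added example (written for this edit; not code from the paper, its authors or the Aircrack project) does two things: it computes the birthday bound for WEP's 24-bit IV, i.e. after how many frames an IV is expected to repeat and how many repeats a capture of the size used above would contain if IVs were chosen at random, and it demonstrates with a plain RC4 implementation that two frames encrypted under the same IV share a keystream, so the XOR of the two ciphertexts equals the XOR of the two plaintexts with the secret key cancelled out. The key is the lab key quoted above; the IV and the plaintexts are constructed.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct WEP IVs

# The paper's lab key (104-bit WEP, 13 bytes). Only used to show keystream reuse; nothing is recovered.
LAB_KEY = bytes.fromhex("abc012fde789cde567afb456ad")


def iv_collision_probability(n_packets, iv_space=IV_SPACE):
    """Probability that at least one IV repeats among n_packets IVs drawn uniformly at random (birthday bound)."""
    if n_packets < 2:
        return 0.0
    # 1 - exp(-n(n-1)/(2N)); -expm1 keeps precision for small probabilities
    return -math.expm1(-n_packets * (n_packets - 1) / (2.0 * iv_space))


def packets_for_collision_probability(p, iv_space=IV_SPACE):
    """Smallest number of packets at which the repeat probability reaches p (inverse of the formula above)."""
    return math.ceil(0.5 + math.sqrt(0.25 - 2.0 * iv_space * math.log1p(-p)))


def expected_repeated_ivs(n_packets, iv_space=IV_SPACE):
    """Expected number of frames whose IV was already used earlier in a capture of n_packets random IVs."""
    distinct = -iv_space * math.expm1(n_packets * math.log1p(-1.0 / iv_space))
    return n_packets - distinct


def rc4_keystream(key, length):
    """Textbook RC4 (KSA + PRGA). WEP runs RC4 with the per-frame key IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, key, plaintext):
    """WEP-style encryption of one frame body: RC4(IV || key) XOR plaintext (the ICV/CRC is omitted)."""
    if len(iv) != 3:
        raise ValueError("a WEP IV is 24 bits")
    keystream = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


wep_decrypt = wep_encrypt  # XOR with the same keystream undoes it


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def same_iv_leaks_plaintext_xor(iv, key, p1, p2):
    """Two frames under one IV share a keystream, so C1 XOR C2 == P1 XOR P2: the key drops out entirely."""
    c1, c2 = wep_encrypt(iv, key, p1), wep_encrypt(iv, key, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    print("packets for a 50% chance of an IV repeat:", packets_for_collision_probability(0.5))
    print("expected IV repeats in ~6 million frames: %.0f" % expected_repeated_ivs(6_000_000))
    iv = b"\x00\x00\x01"  # constructed IV
    print("same IV leaks P1 xor P2:",
          same_iv_leaks_plaintext_xor(iv, LAB_KEY, b"constructed frame one", b"constructed frame two"))
```

With random IVs the 50% point is reached after a few thousand frames, and a capture of the size used above contains hundreds of thousands of repeats; real cards often pick IVs sequentially or from a weak generator, which only makes the repeats arrive sooner. That is the reason behind the per-client, rotated keys recommended in Section XII.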

VIII. NETWORK TRAFFIC FILTERING OF IMAGE/AUDIO

We tested the image or audio (MPEG) filtering capability of the driftnet software [8] on wireless network traffic in our research lab. The software listens to network traffic and picks out images/audio from the TCP streams it observes. So once connected to a foreign wireless LAN, this can be a good hacker tool. Using ARP poisoning the attacker can direct all the traffic to his laptop and filter all the images. If image/audio can be filtered, any other files (like .txt, .pdf, .doc, .htm etc.) can be filtered, by writing appropriate software.

We executed it as ./driftnet -a (adjunct mode of operation) as shown in Figure 4. It then saves all the image files in the network traffic to a temporary directory (/tmp/fileLVE4if as shown below) which can be processed later. With the -S option it extracts only MPEG streamed audio.
[Figure 4: terminal screenshot of ./driftnet -a listing the saved files /tmp/fileLVE4if/driftnet-<id>.gif and /tmp/fileLVE4if/driftnet-<id>.jpeg; the individual file names are not recoverable from the extracted text.]

Figure 4. Driftnet-0.1.6 software on Linux that filters images and MPEG audio files from wireless network traffic is shown. Note the gif and jpeg images captured and stored under the /tmp/fileLVE4if/ directory.
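The mechanism driftnet and EtherPEG rely on was described in Section V: group TCP segments by connection, put them in sequence-number order, and look for image signatures in the reassembled byte stream. The following added example (written for this edit; it is not driftnet's code or the paper's) implements that check over a few constructed segments, including one that arrives before the HTTP header and one retransmission, so that a defender can run the same test on a capture of their own WLAN to confirm whether images really are crossing it in the clear. The IP addresses, ports and payloads are constructed.

```python
from collections import defaultdict

# Byte patterns an EtherPEG/driftnet-style tool looks for once a stream is reassembled.
IMAGE_SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"GIF87a": "gif", b"GIF89a": "gif"}


def stream_key(seg):
    """One direction of a TCP connection: (src ip, src port, dst ip, dst port)."""
    return (seg["src_ip"], seg["src_port"], seg["dst_ip"], seg["dst_port"])


def reassemble_streams(segments):
    """Order the segments of each stream by sequence number and concatenate their payloads.

    Retransmitted bytes are dropped, and a gap (lost segment) is padded with zeros so that
    later offsets stay correct. Sequence-number wraparound is not handled in this example."""
    by_stream = defaultdict(list)
    for seg in segments:
        by_stream[stream_key(seg)].append((seg["seq"], seg["payload"]))
    streams = {}
    for key, parts in by_stream.items():
        parts.sort(key=lambda t: t[0])
        data = bytearray()
        expected = None  # next sequence number we expect to see
        for seq, payload in parts:
            if expected is not None:
                if seq < expected:                      # overlap / retransmission
                    payload = payload[expected - seq:]
                    seq = expected
                    if not payload:
                        continue
                elif seq > expected:                    # hole: keep offsets honest
                    data.extend(b"\x00" * (seq - expected))
            data.extend(payload)
            expected = seq + len(payload)
        streams[key] = bytes(data)
    return streams


def find_images(stream):
    """Return (offset, kind) for every image signature in a reassembled stream, lowest offset first."""
    hits = []
    for magic, kind in IMAGE_SIGNATURES.items():
        pos = stream.find(magic)
        while pos != -1:
            hits.append((pos, kind))
            pos = stream.find(magic, pos + 1)
    return sorted(hits)


def scan_capture(segments):
    """Map each stream that carries an image to its list of (offset, kind) hits."""
    found = {}
    for key, data in reassemble_streams(segments).items():
        hits = find_images(data)
        if hits:
            found[key] = hits
    return found


# Constructed sample traffic: a client fetching a JPEG over cleartext HTTP, plus a GIF on another stream.
HTTP_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"   # 45 bytes
JPEG_PART1 = b"\xff\xd8\xff\xe0\x00\x10JFIF"                          # 10 bytes, JPEG/JFIF start
JPEG_PART2 = b"\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"             # 10 bytes
SERVER, CLIENT, OTHER = ("10.0.0.5", 80), ("10.0.0.23", 49152), ("10.0.0.9", 8080)


def seg(src, dst, seq, payload):
    return {"src_ip": src[0], "src_port": src[1], "dst_ip": dst[0], "dst_port": dst[1],
            "seq": seq, "payload": payload}


SAMPLE_SEGMENTS = [
    seg(CLIENT, SERVER, 7000, b"GET /logo.jpg HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    seg(SERVER, CLIENT, 1045, JPEG_PART1),   # arrives before the HTTP header
    seg(SERVER, CLIENT, 1000, HTTP_HDR),
    seg(SERVER, CLIENT, 1045, JPEG_PART1),   # retransmission of the same bytes
    seg(SERVER, CLIENT, 1055, JPEG_PART2),
    seg(OTHER, CLIENT, 5000, b"GIF89a\x01\x00\x01\x00\x80\x00\x00"),
]

if __name__ == "__main__":
    for key, hits in scan_capture(SAMPLE_SEGMENTS).items():
        print(key, hits)
```

Everything the script needs is visible to any passive receiver when the WLAN runs without link-layer encryption; on a TKIP/CCMP or VPN-protected network the same segments reach it only as opaque ciphertext and the scan finds nothing.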

IX. PRIVACY INVASION

From the customer's point of view, war driving can lead to privacy breaches. A report in [14] indicated that customers are worried about their privacy and potential intrusion when using wireless and mobile devices. In certain transactions, customers would like to be anonymous. That anonymity will be lost if the MAC address of the device is identified and the owner of the device is known. Another privacy concern is the identification of the user's location. A user's location generally describes their whereabouts or reference point based on the AP address. This shows that the user is within the coverage area of the AP. Moreover, since the MAC address or the IP address of his device can be captured, if the user of the device can be identified, it is easy to approach the user with a good or bad intention. For instance, users entering a particular wireless zone can be targeted with notices containing viruses or worms with the intention of damaging their devices. Other dangers include manipulation of the user's behavior, users being blackmailed, or even physically attacked. These attacks can easily be organized by tracking and tracing the user's location. Tracking refers to the plotting of a trail or sequence of locations within a space that is followed by a user over a period of time [15]. A real-time trace refers to the identification of an object or person at any particular point in time, with a degree of precision [16]. By tracking a person at varying time intervals, it is possible to observe his behavior. Other threats associated with location, as described in [17], are individual danger, social danger, and organizational danger.
X. ATTACKS AND PRECAUTIONS

Unfortunately, the installation of a wireless network opens a 'back door' into the internal wired network that allows an attacker access into the network and its resources. Thus the attacker can do the 'parking lot attack', where the attacker sits in the company's car parking lot and accesses hosts on the internal network [4]. Some known attacks are as follows [2]:
1) Using more sensitive antennas (with a high level of directional sensitivity) anyone can pick up the RF signals of a wireless LAN, say up to several miles. If a sufficient number of frames are captured, the WEP key can be reconstructed using software application programs like Airsnort, WEPCrack and AirCrack (as demonstrated). Precautions: Consider antenna positioning and the use of shielding. Position the AP antenna so that signals are more powerful in the needed areas. Use aluminum foil shields around the AP to weaken the signals going outside the building premises. Lower the transmit signal strength (to say 5 mW or 10 mW), thus reducing the range of the RF signals generated by the AP.
2) The attacker can also pretend to be a legitimate user of the network, say through MAC spoofing. Masquerading can be very dangerous as it provides an open door to one's network resources. It can be through SSID name broadcast or WEP weakness. Precaution: A triple-A approach can be considered - Authentication, Authorization and Accounting.
3) Typically APs control access by permitting only those stations with known MAC addresses. Either the attacker has to compromise a computer system that has a station, or he spoofs legitimate MAC addresses in frames that he manufactures. By setting his own MAC address to a legitimate MAC address, the attacker can access the wireless network. Precaution: Restrict or filter MAC addresses in the AP and/or in the RADIUS server. Use intrusion detection/prevention software.
4) Certain bits could be flipped in the frame by the attacker, changing the Integrity Check Value without the knowledge of the user. Precaution: Encrypt the 802.11 frames within a layer 3 (network layer) wrapper, so that any tampering cannot go undetected. We may need to use an IPSec tunnel as in a VPN on the WLAN, or TKIP (Temporal Key Integrity Protocol) encryption.
5) In a Denial of Service (DoS) attack, the intruder floods the network with either valid or invalid messages, affecting the availability of the network resources. Due to the nature of radio transmission, wireless LANs are very vulnerable to denial of service attacks. The DoS attacks can be launched against APs or clients. Ping flooding the AP to paralyze its operation is a common attack. SYN flooding, Smurf attack and Fraggle attack are all flooding attacks that can be launched on a wireless LAN. In another attack on clients, tools like wlan-jack from the air-jack suite can be used to broadcast disassociate messages to clients. Precaution: Network monitoring, usage of IDS or IPS software, and denying access to foreign stations by using mutual authentication (like PEAP with MSCHAPv2).
6) Under accessing the AP's setup console, the use of a web browser or Telnet program to access the setup console of an access point can be a possibility. This allows the attacker to modify the configuration of the access point. Precaution: Create a new user name and password for authentication for the AP's setup access.

127

7) Because the cost of access points has fallen, many Access Point Hunter. It can find and automatically connect
organizations face the threat of rouge APs that joins to whatever wireless network is within range. CDPsniffer by
the company's network. When the company does not Max Moser is a small perl only Cisco discovery protocol
employ authentication techniques like RADIUS, (CDP) decoding sniffer. Chopchop by KoreK is a WEP
VPNs etc. the above scenario can be dangerous. cracker which uses the AP to decipher packets. Easiest ones
Precaution: Intrusion detection or prevention to decipher are ARP packets. CoWPAtty WPA Cracker by
software, monitoring tools (for example, IBM Joshua Wright is designed to audit the pre-shared key (PSK)
Distributed Wireless Security Auditor) should be selection for WPA networks based on the TKIP protocol.
Supply a libpcap file that includes the TKIP four-way
employed to locate the rogue access points.
handshake to mount an offline dictionary attack with a
8) In ARP poisoning, an attacker creates illegitimate supplied wordlist. Ethereal by Gerald Combs et al is a free
packets with a spoofed IP address which claims that network protocol analyzer for Unix and Windows. It allows
IP belongs to his own computer's MAC address.- you to exanine data from a live network or from a capture
Then, all transmissions from hosts that use the file on disk. FakeAP by Black Alchemy Enterprises
"shortcut" method of learning MAC/IP address generates thousands of counterfeit 802.1 lb access points.
combinations will be directed to the attacker's Hotspotter by Max Moser and Joshua Wright passively
computer (thus eavesdrop or manipulate responses). monitors the network for probe request frames to identify the
Precaution: Network Monitoring, denying access to preferred networks of Windows XP clients and to damage
foreign stations or to use a secure-ARP version.
later. Kismet by Mike Kershaw is an 802.11 layer 2 wireless
9) Session hijacking is said to occur when an attacker network detector, sniffer, and intrusion detection system. It
causes the user to lose his connection, and the can be very powerful by identifying clients and not just
attacker assumes his identity and privileges for a access points. MacStumbler by Korben is a utility to display
period. An attacker disables temporarily the user's information about nearby 802.1lb and 802.lIg wireless
system, say by DoS attack or a buffer overflow access points. NetChaser by Michael A. Waldron finds WiFi
exploit. The attacker then takes the identity of the hotspots with your Palm Tungsten C Handheld Computer.
user. The attacker now has all the access that the user NetStumbler by W. Slavin is a windows Utility for 802.1 lb
has. When he is done, he stops the DoS attacks, and based Wireless Network Auditing. Omerta by Mike D.
lets the legitimate user resume. The user may not Schiffman disassociates all 802.11 network connections
detect the interruption if the disruption lasts no more within range on the same channel as the card in the machine.
than a couple of seconds or few minutes. Such SMAC by KLC Consulting is an easy-to-use Windows MAC
hijacking can be achieved by using forged Address Modifying Utility that allows users to change MAC
Disassociation DoS attack. Precaution: Enable address for almost any Network Interface Card (NIC).
dynamic WEPITKP encryption, RADIUS StumbVerter by Michael Puchol and Sonar Security is a
authentication that is mutual and network monitoring. standalone application that allows you to import Network
Stumbler's summary files into Microsoft's MapPoint 2004
10) WPA Passive dictionary attack can be launched maps. voidl I by Reyk Floeter is a free implementation of
against a WPA-PSK (with 4-way handshake) setup in some basic 802.1 lb attacks. WellenReiter by Michael Lauer
802.1 Ig networks using a dictionary file of words is a wireless network discovery and auditing tool.
[I8]. Precaution: Avoid dictionary words for the pass WEPCrack by Anton Rager and Paul Danckaert is a tool that
phrase during AP configuration.
cracks 802.11 WEP encryption keys using the discovered
weakness of RC4 key scheduling. WEPWedgie by Anton
Rager is a toolkit for determining 802.11 WEP key streams
XI. ANALYSIS OF FREE HACKER TOOLS
and injecting traffic with known key streams. WPA Cracker
A brief analysis of WLAN hacker tools that are available by Takehiro Takahashi is a dictionary/brute-force attacker
free on the Intemet is given below as a list of tools [191. against WiFi Protected Access (WPA). Wscan by Portland
There are many more that are left out.
State University is a X-l I/visual 802.11 wireless signalThey are as follows: Aerosol by Sniph is easy to use strength display tool (version 2.0 includes AP scanning
wardriving software for PRISM2 Chipset, ATMEL USB and mode).
WaveLAN Wireless cards on Windows. AirCrack by
AirCrack Team is a 802.11 WEP key cracker. It implements
XI]. SECURITY MEASURES THAT CAN BE TAKEN
the so-called Fluhrer - Mantin - Shanmr (FMS) attack, along
Wireless
networks can never be security-risk-free. But we
with some new attacks by a talented hacker named KoreK.
Airfart by Dave Smith is a wireless tool created to detect can try our best, to minimize the possible attacks. Some
wireless devices, calculate their signal strengths, and present useful security steps are listed below [21, 1201, 1211.
them to the user in an easy-to-understand fashion. AirJack
1) To start with, WEP 104 bit encryption should be
by abaddon is a device driver (or suit of device drivers) for
enabled, with possible rotation of keys. WPA with
802.1 l(a/b/g) raw frame injection and reception. AirSnort by
TKIP/AES options can be enabled or CCMP/AES (in
The Shmoo Group is a wireless LAN (WLAN) tool which
future). Upgrade the firmware on AP to prevent the
recovers encryption keys by passively monitoring
use of weak IV WEP keys. This is the first line of
transmissions. AirTraf by Elixar, Inc. is a wireless sniffer
defense.
that can detect and determine exactly what is being
2) Ensure that mutual authentication is done through
transmitted over 802.11 wireless networks. AP Hopper by
IEEE802. lx protocol. Client and AP should both
Matthew Davidson and Jeffrey Strube is a program that
automatically hops between access points of different wireless networks. It checks for DHCP and Internet Access on all the networks found. APhunter by Jim Carter is an

authenticate to each other. Implementing IEEE802.1x port based authentication with a RADIUS server (like PEAP/MS-CHAPv2) can be a second level of defense. There is now a regular rotation of keys and a per-client WEP key.
3) Turn off the SSID broadcast by the AP and configure the AP not to respond to probe requests with SSID "any", by setting your own SSID.
4) Change the default WEP settings, if any. For example, the Linksys AP WAP11 comes with default WEP key one: 10 11 12 13 14 15, default WEP key two: 20 21 22 23 24 25, default WEP key three: 30 31 32 33 34 35 and default WEP key four: 40 41 42 43 44 45.
5) It is always better to change the default SSID (service set identifier, like the network name for a WLAN) to a difficult one and to disable any SSID broadcast in control frames. Knowledge of the SSID itself may not cause direct harm, but it can be the first step for an attacker to proceed further.
6) Change the default IP address of the Access Point to a different one. For example, the CISCO WAP54G AP comes with a built-in IP address of 192.168.1.245 and the DLink AP DWL-G730AP comes with a default IP address of 192.168.0.30.
7) Also change the default login/password details for console access that come along with an Access Point. For example, the CISCO WAP54G AP uses a blank username and the word 'admin' as password, the CISCO Aironet 350 AP (802.11b) doesn't use any login/password by default and the DLink AP DWL-G730AP comes with a default user name 'admin' and no password.
8) Enabling MAC filtering at the AP level, in the RADIUS server or in both can tighten the security, as there is a restriction on the MAC addresses that may be used.
9) Positioning and shielding of the antenna can help to direct the radio waves to a limited space. It is also good to control the transmission power of the radio waves from the AP.
10) Limiting DHCP clients can restrict the number of clients that can get hooked to the WLAN.
11) Using a firewall between the AP and the wired LAN can secure the wired LAN from further intrusion. The firewall can be configured to filter based on IP address, port numbers, MAC address etc.
12) Enabling accounting and logging can help to locate and trace back some mischief that could be going on in the network. Preventive measures can then be taken after analysis of the log file.
13) Using good intrusion detection software can help to monitor the network activity in real time. Using intrusion prevention software can to some extent prevent access by intruders or generate alarms.
14) Implement a Virtual Private Network (VPN) over the WLAN. VPN technology has been used successfully in wired networks, especially when using the Internet as a physical medium. This success of VPN in wired networks and the inherent security limitations of wireless networks have encouraged the use of VPN to secure wireless LANs. IPSec can be used as the security protocol, and secure tunneling with authentication and encryption can strengthen security.

15) Use honey pots or fake APs in the regular network to confuse the intruder and get him hooked to that.
16) Enabling biometric fingerprint authentication on top of the existing schemes can really tighten the security.
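Items 3 to 14 of the checklist above are settings that can be verified mechanically against an access point's configuration. The Python audit below is an added illustration, not code from the paper or from any of the vendors named; the ApConfig record, the two sample configurations and the "WLAN-default" SSID are constructed assumptions, while the default WEP keys, default IP addresses and default console logins it checks against are the values the checklist itself quotes.

```python
"""Checklist audit for a WLAN access point (illustrative code, not from the paper)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Vendor defaults quoted in checklist items 4, 6 and 7. The hex WEP keys are
# stored without spaces so that "10 11 12 13 14 15" and "101112131415" compare equal.
DEFAULT_WEP_KEYS: Set[str] = {
    "101112131415", "202122232425", "303132333435", "404142434445",
}
DEFAULT_AP_IPS: Set[str] = {"192.168.1.245", "192.168.0.30"}
DEFAULT_CREDENTIALS: Set[Tuple[str, str]] = {("", "admin"), ("", ""), ("admin", "")}


@dataclass
class ApConfig:
    """Assumed representation of the AP settings that items 3-14 refer to."""
    ssid: str
    ssid_broadcast: bool          # item 3
    answers_any_probe: bool       # item 3: replies to probe requests with SSID "any"
    wep_keys: List[str]           # item 4
    ip_address: str               # item 6
    admin_user: str               # item 7
    admin_password: str           # item 7
    mac_filtering: bool           # item 8
    tx_power_reduced: bool        # item 9
    dhcp_pool_size: int           # item 10
    expected_clients: int         # item 10
    firewall_to_wired_lan: bool   # item 11
    logging_enabled: bool         # item 12
    ids_enabled: bool             # item 13
    vpn_required: bool            # item 14
    # Hypothetical: SSIDs the operator knows to be vendor defaults (item 5).
    known_default_ssids: Set[str] = field(default_factory=set)


def normalize_key(key: str) -> str:
    """Drop separators and lowercase a hex WEP key so formats compare equal."""
    return "".join(ch for ch in key.lower() if ch.isalnum())


def audit(cfg: ApConfig) -> List[str]:
    """Return one finding per checklist item (3-14) that the configuration violates."""
    checks = [
        (cfg.ssid_broadcast or cfg.answers_any_probe,
         "3: SSID is broadcast or probes for SSID 'any' are answered"),
        (any(normalize_key(k) in DEFAULT_WEP_KEYS for k in cfg.wep_keys),
         "4: a factory-default WEP key is still configured"),
        (cfg.ssid.lower() in {s.lower() for s in cfg.known_default_ssids},
         "5: SSID is a known vendor default"),
        (cfg.ip_address in DEFAULT_AP_IPS,
         "6: AP management IP address is the vendor default"),
        ((cfg.admin_user, cfg.admin_password) in DEFAULT_CREDENTIALS,
         "7: console login is still the factory default"),
        (not cfg.mac_filtering, "8: MAC filtering is disabled"),
        (not cfg.tx_power_reduced, "9: transmit power is left at maximum"),
        (cfg.dhcp_pool_size > cfg.expected_clients,
         f"10: DHCP pool of {cfg.dhcp_pool_size} exceeds {cfg.expected_clients} expected clients"),
        (not cfg.firewall_to_wired_lan, "11: no firewall between the AP and the wired LAN"),
        (not cfg.logging_enabled, "12: accounting and logging are disabled"),
        (not cfg.ids_enabled, "13: no intrusion detection monitors the WLAN"),
        (not cfg.vpn_required, "14: clients are not required to tunnel through a VPN"),
    ]
    return [message for failed, message in checks if failed]


def factory_default_config() -> ApConfig:
    """Constructed sample: an AP left with the defaults the checklist warns about."""
    return ApConfig(
        ssid="WLAN-default", ssid_broadcast=True, answers_any_probe=True,
        wep_keys=["10 11 12 13 14 15", "20 21 22 23 24 25"],
        ip_address="192.168.1.245", admin_user="", admin_password="admin",
        mac_filtering=False, tx_power_reduced=False,
        dhcp_pool_size=253, expected_clients=20,
        firewall_to_wired_lan=False, logging_enabled=False,
        ids_enabled=False, vpn_required=False,
        known_default_ssids={"WLAN-default"},
    )


def hardened_config() -> ApConfig:
    """Constructed sample: the same AP after applying items 3-14."""
    return ApConfig(
        ssid="lab-wlan-7f3c", ssid_broadcast=False, answers_any_probe=False,
        wep_keys=["c4 9e 02 7b d1 58"], ip_address="10.20.30.1",
        admin_user="netops", admin_password="example-long-passphrase",
        mac_filtering=True, tx_power_reduced=True,
        dhcp_pool_size=20, expected_clients=20,
        firewall_to_wired_lan=True, logging_enabled=True,
        ids_enabled=True, vpn_required=True,
        known_default_ssids={"WLAN-default"},
    )


if __name__ == "__main__":
    for name, cfg in (("factory default", factory_default_config()),
                      ("hardened", hardened_config())):
        print(f"{name}: {audit(cfg) or ['no findings']}")
```

Running the script reports all twelve items for the factory-default sample and nothing for the hardened one. The audit only checks the AP's own settings, so it complements rather than replaces the log review and intrusion detection of items 12 and 13, which look at what actually happens on the air.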
XIII. CONCLUSION
Wireless networking and mobile computing are among the great innovations of this century. If used with proper security knowledge, they can make life easy and make mobile computing the finest new revelation in the computer networking world. We don't claim to have hacked any networks using the information that we have extracted from the packets. We just wanted to show the ease with which an intruder can get some sensitive information from a wireless network and analyze it with free hacking tools.
ACKNOWLEDGMENTS
We thank iSECURES Lab members Tommy Tang, Raphael C.-W. Phan, Kwan-Yong Sim, Victor Chee, Lawan A. Mohammed and Anding Nyuak for the war driving and packet capturing field trips. SUTS supported and provided us with the needed CISCO 802.11b access points and wireless nodes. CISCO (we thank Evelyn Ong and Raymond Ooi) through SAINS (we thank Lucy Wong) provided us with a LinkSys 802.11g AP and 802.11g network adapters.