Wardriving has a bit of a bad connotation to it. Applied defensively, it is a tool that adds a lot of situational awareness and can confirm on the ground what is seen digitally. Because it uses the same tools and techniques as offensive wardrivers, the transition to defensive wardriving is an easy one. Wireless security without inspection is not really security.
- [Instructor] Wardriving is mildly controversial, but is a great way to learn about electromagnetic radiation. In order to become a better wardriver, you have to learn the mechanics of geolocation. Here is the legal notice. Electrons leaving an antenna are equivalent to someone yelling loudly, at a philosophical level. Local laws may determine otherwise. The Computer Fraud and Abuse Act doesn't call out wardriving.
The Electronic Communications Protection Act doesn't either. The Wiretap Act gets a bit closer, but doesn't specifically call out wardriving, nor does the DMCA. Intent can change things a bit, though. For example, it can be considered the reconnaissance stage of a penetration test. Decrypting signals probably is illegal, regardless of how poorly it's encrypted. Using someone else's network without consent is probably illegal.
Theft of services, trespass, and unjust enrichment could all be applied if you enter an unauthorized network. Wardriving is not those things. What is wardriving? Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone, or personal digital assistant (PDA). While it started with Wi-Fi, it isn't necessarily limited to just Wi-Fi.
Wardriving has a bit of a despicable context to it, but is a lot more than what it sounds like. Remember the commercials with the "can you hear me now" guy? That is pretty much wardriving. Ever drive around a campus looking for rogue access points? That is pretty much wardriving. There are some easy and available resources to conduct legal wardriving, wireless network troubleshooting, or even network planning. NetSpot, released in 2011 for Mac, provides visual data to help analyze radio signal leaks, discover noise sources, map channel use, and optimize access point locations.
It also has the application to perform Wi-Fi network planning. The data that are collected help to select channels and placements for new hot spots. Kismet has been around since at least 2000. I actually couldn't find the original date that it was published. It's used in a number of commercial and open source projects, and is distributed with Kali Linux. It's used for wireless reconnaissance, but can also be used with other packages for an inexpensive wireless intrusion detection system.
WiGLE Wi-Fi, short for Wireless Geographic Logging Engine, started in 2001. It collects hot spot data, like GPS coordinates, SSID, MAC address, and the encryption type used on the hot spots discovered. If you don't like these ones or they don't meet your requirements, there are many variations available. An important part of wardriving is the antenna.
The infamous Cantenna can amplify Wi-Fi signals significantly enough to where people have gotten artfully creative about it just by using basic laws of antenna theory. As a cheap homemade directional antenna, it focuses the electrons released. They can boost ranges up to four miles. Take that antenna theory, and actually work some more science into it, and you get the Yagi Antenna.
Also known as Yagi-Uda, they were invented in 1926 by a pair of Japanese inventor professors, mostly by a guy named Mr. Uda and a little bit by another guy named Mr. Yagi. When the paperwork got filed in Japan, though, Yagi didn't put Uda's name on it. Well, Marconi Company... remember the guy who transmitted across the Atlantic Ocean? Yeah, his company bought the patent. Ironically, in World War II, there's a story from the Battle of Singapore where Japanese intelligence officers captured notes of a British radar technician that mentioned the Yagi antenna, but they had no clue the design originated from Japan.
It had been used in airport radar because of its simplicity and directionality. After World War II the antenna design was commonly seen in TV antennas and is still used today. The Cantenna has around eight decibels isotropic, or dBi. The Yagi usually scores around 17 dBi. Since dB is a logarithmic unit, every three dB increase is a doubling of the power or intensity.
This means that if you switch out your theoretical zero dBi antenna for a three dBi antenna, you will gain the same amount of extra range as doubling your transmitter output power. Some special parabolic antennas can reach 24 dBi. While you may think the higher the dB, the better the antenna, that's not exactly so. There is a cost for the distance, and most of the time it is the short range effectiveness, so while the range of an eight dBi antenna will do better than a three dBi, at close range there may be a significant handicap.
A variety of antennas can compensate for that, such as including the next one in your designs. The omni-directional, or just omni, is pretty common and even simpler. They uniformly radiate power in all directions in one plane, with power decreasing to zero at the poles, which causes it to make a donut shape. Don't think of omni antennas as weaker, though. Some Wi-Fi omni antennas can be found with 15 dBi gains and under $100.
Funny thing about signals: basically, the rays of power become spread out over distance, making the signal weaker. Other things like buildings, trees, weather, and whatnot can affect that even more. WiGLE, with an antenna, GPS, and some sort of wireless device, has a method for geolocation. In fact, it does something called triangulation, which is actually called weighted-centroid trilateration, which basically is the average of latitudes and longitudes weighted by signal strength.
In our atmosphere, signal strength changes at the inverse square of the distance. It works pretty well if you can circle around the signal. The way the math usually works is that wide angles work better. Driving, you'd want to plot a route that will take you around your area of interest, not just go through the middle in a straight line. Having sensors placed around the object minimizes the amount of moving you would have to do, too.
Have you ever heard a fire alarm chirp from a low battery? How sure of its location were you after the first chirp? Did you move around to get a better idea of where it was? The first few chirps cause you to look in a direction. After moving around the object some, the following chirps indicated its location. This works in the same way. I know this is a bit of a blast of terminology and big words.
Hang in there. We will now go into the wireless situation we currently have.
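To put the weighted-centroid trilateration and the inverse-square and dB relationships from this lesson into numbers, here is an added example that is not part of the course and not WiGLE's code. The access-point location, the free-space path-loss model and the two survey routes are constructed assumptions; the example shows why a loop around the area of interest locates the hot spot far better than a single straight pass through it.

```python
import math
# Constructed "true" access-point location; the drive-by samples are generated from it.
AP_LAT, AP_LON = 40.4430, -79.9450
M_PER_DEG_LAT = 111_320.0
M_PER_DEG_LON = M_PER_DEG_LAT * math.cos(math.radians(AP_LAT))

def offset_to_latlon(east_m, north_m):
    """Planar offset from the AP (metres) to lat/lon; flat-earth math is fine at street scale."""
    return AP_LAT + north_m / M_PER_DEG_LAT, AP_LON + east_m / M_PER_DEG_LON

def distance_m(lat1, lon1, lat2, lon2):
    return math.hypot((lat2 - lat1) * M_PER_DEG_LAT, (lon2 - lon1) * M_PER_DEG_LON)

def db_to_ratio(db):
    """dB is logarithmic: 10 dB is 10x the power, so 3 dB is about a doubling (10**0.3 = 1.995)."""
    return 10 ** (db / 10)

def simulated_rssi(lat, lon, p0_dbm=-30.0):
    """Assumed free-space model: inverse-square falloff is 20 dB per decade; p0_dbm is the level at 1 m."""
    d = max(distance_m(lat, lon, AP_LAT, AP_LON), 1.0)
    return p0_dbm - 20 * math.log10(d)

def weighted_centroid(observations):
    """observations: iterable of (lat, lon, rssi_dbm). Weights are linear power (mW),
    not the raw dBm figure, so a sample twice as far away counts a quarter as much."""
    wsum = lat_acc = lon_acc = 0.0
    for lat, lon, rssi in observations:
        w = db_to_ratio(rssi)  # dBm -> mW is the same conversion as dB -> power ratio
        wsum += w
        lat_acc += w * lat
        lon_acc += w * lon
    return lat_acc / wsum, lon_acc / wsum

def survey_error_m(route):
    """Log (lat, lon, rssi) along the route, estimate the AP, return the error in metres."""
    obs = [(lat, lon, simulated_rssi(lat, lon)) for lat, lon in route]
    est_lat, est_lon = weighted_centroid(obs)
    return distance_m(est_lat, est_lon, AP_LAT, AP_LON)

def circle_route(radius_m=100.0, centre_east_m=30.0, samples=36):
    """A loop around the area of interest; the AP is inside it but not at the centre."""
    return [offset_to_latlon(centre_east_m + radius_m * math.cos(t), radius_m * math.sin(t))
            for t in (2 * math.pi * i / samples for i in range(samples))]

def straight_route(offset_north_m=40.0, half_len_m=200.0, samples=36):
    """A single pass along a street that runs 40 m north of the AP."""
    step = 2 * half_len_m / (samples - 1)
    return [offset_to_latlon(-half_len_m + i * step, offset_north_m) for i in range(samples)]
```

With these constructed routes, survey_error_m(circle_route()) comes out well under a metre while survey_error_m(straight_route()) stays at the full 40 m street offset, because every sample on a straight pass lies on one side of the hot spot and the centroid can never leave that line.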
Note: This course was recorded and produced by Mentor Source, Inc. We're pleased to host this training in our library.