War Strolling


War Strolling is the art of finding wireless access points (WAPs) with a PDA. The popularity of wireless internet access is growing faster than anybody expected, making it really easy to find many WAPs. Fortunately, many WAP owners don't understand how to properly set up a wireless access point, making it almost too easy to locate and "share" their wireless bandwidth.

I will show you the basics of:

- Locating WiFi
- Checking whether it's "secure"
- Getting on a WiFi connection even if it is "secure"


  • First of all you will need a PDA running Linux or Pocket PC (CE/XP).
  • Secondly you will need a WiFi card. This can be built in or an added card; however, the external ones are generally going to give you better reception. Your best bet is to get a Lucent gold card, model #8410 (Kismet likes it; Prism/2 chipset). The CF card type will not work with Kismet.
  • Now you just need software to be able to find WiFi, and software to "sniff" it if the WAP is "secure".

~:Finding WiFi:~

Zaurus/Linux/FreeBSD/OpenBSD/OSX: Kismet

Windows CE/XP: MiniStumbler


~:Breaking in to WiFi:~

Linux: Kismet

Windows CE/XP: Kismet (a little tricky right now)


Use the first pieces of software to find access points. The next pieces of software can break WEP (Wired Equivalent Privacy) encryption, if WEP is enabled. Kismet captures "interesting packets" that over time can reveal the WAP password. If you have a Windows PDA, you can try to get Kismet to work; read their documentation.

Once you have MiniStumbler up and running here is what it looks like:


Once you have found a good strong signal, take a look at the SSID (the WiFi ID/name). If you find SSIDs that are generically labeled, such as "Linksys", that is a no-brainer to get in. If the SSID is the default, chances are the username and password are too. In the case of a Linksys ID, the username is blank (nothing) and the password is "Admin".

This means no WEP encryption is enabled.

Here is The Default Password List for all known devices.


Now if WEP encryption is enabled, the SSID will be something made up, and that will be obvious. But have no fear, you can get in.

This is when you fire up Kismet to capture packets. Once enough packets are captured, you will know the WAP password and be able to jump right on and enjoy somebody else's WiFi. The WiFi cards that work best with Kismet are the cards with the Prism2 chipset (Linksys, Cisco, etc.).

Here is a picture of Kismet running:

If you are sniffing a large corporate network, you will get enough packets to break the password within a few hours. If the network only consists of a few users, it's going to take a few weeks. Save your session and come back later.

What is also great about Kismet is that it includes a 'Kismet to CWGD' converter program and the gpsmap mapping program. So if your PDA has GPS support you can log your finds on a map:

Red is for WEP-encrypted finds, green is "open". If you would like to upload your findings to a collective database, or search one, go to Wigle.net. NetStumbler (Mini), Kismet and GPS data can be converted between their respective formats using WarGlue.
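The same triage the post walks through (default SSID, no encryption, WEP) is exactly what an owner should run against a survey of their own access points. Here is an added example, not code from the original post or from Kismet, that takes a constructed CSV export (the format is invented for this example, not Kismet's or MiniStumbler's real output) and ranks each AP by how badly it needs fixing:

```python
import csv
import io

# Constructed survey export for this example (not Kismet's or
# MiniStumbler's real file format): one row per access point seen.
SURVEY_CSV = """ssid,bssid,encryption
Linksys,00:00:00:00:00:01,none
HomeNet,00:00:00:00:00:02,wep
corp-guest,00:00:00:00:00:03,wpa
linksys,00:00:00:00:00:04,WEP
"""

# Vendor-default SSIDs that suggest the admin password was never changed.
# "linksys" is the case discussed in the post; extend with your own kit.
DEFAULT_SSIDS = {"linksys"}

def assess(row):
    """Return (risk, reason) for one survey row, mirroring the post's
    triage: default SSID -> default admin credentials likely; no
    encryption -> open; WEP -> key recoverable from enough traffic."""
    ssid = row["ssid"].strip()
    enc = row["encryption"].strip().lower()
    if ssid.lower() in DEFAULT_SSIDS:
        return "critical", "vendor-default SSID; change SSID and admin password"
    if enc == "none":
        return "high", "no encryption; anyone in range can join"
    if enc == "wep":
        return "high", "WEP in use; upgrade to WPA and rotate the key"
    return "low", f"{enc} in use; verify a strong passphrase"

def audit(csv_text):
    """Parse the survey export and return one finding per AP,
    sorted so the worst exposure comes first (stable within a tier)."""
    order = {"critical": 0, "high": 1, "low": 2}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        risk, reason = assess(row)
        findings.append({"ssid": row["ssid"], "bssid": row["bssid"],
                         "risk": risk, "reason": reason})
    return sorted(findings, key=lambda f: order[f["risk"]])

if __name__ == "__main__":
    for f in audit(SURVEY_CSV):
        print(f"{f['risk']:<8} {f['ssid']:<12} {f['bssid']}  {f['reason']}")
```

Anything rated critical or high is what the post's red/green map would show as an easy target; fixing those first removes the cases the post describes as a "no-brainer".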

Just think: you don't even have to drive around in most cases. Just hook up a WiFi card, get a long antenna (if your WiFi card has an antenna jack) to drape outside your house, and "have fun". Remember: the better your line-of-sight, antenna and distance, the better your connection. If your WiFi card has a jack for an external antenna, you can make a cantenna or buy one of many types of external antenna.


If you would like to prevent this from happening to you, read my how-to here. This helps, but as of now there is no real "secure" way.

Helpful Links:
- Ron's MiniStumbler how-to:
- Kismet
- MiniStumbler forums:
- Stumbler.net

Burke~

Ramsinks.com Copyright 2005 All rights reserved