
Wardriving With the Netscout AirCheck G2- Just For Fun

Ah, wardriving. Those of us with a long history in wireless networking know well what it is, and to me the very word conjures up memories of a different time… when Wi-Fi was new, kinda edgy, and not everybody really understood it very well. There are different motivations behind the act of wardriving, and I’m going to purposefully leave that side of the discussion out.

Wardriving used to be cool…

If you’d like to learn more or re-familiarize yourself with wardriving, look at these:

Back in the day, Netstumbler was the go-to wardriving tool for Windows, while Kismet was popular with the Linux community. There have been a slew of other suitable tools, but few have stood the test of time for name recognition like Netstumbler and Kismet.

Today, all you need to wardrive is a smartphone, and it’s really not all that glamorous anymore. We’re so used to looking at that list of SSIDs that more of them is hardly exciting, and it’s actually a pain at times. But through the right lens, wardriving is still kinda fun.

Netscout’s AirCheck G2 is a big gun

As I continue to evaluate the latest model AirCheck tester from Netscout, I decided to have a little fun with it on my way to work. My wife and I carpool, and I usually ride shotgun. So, one morning I opted to let the AirCheck G2 listen as we rolled through a couple of rural Upstate NY villages. The last time I did this exercise in these sleepy hamlets, I’d be lucky if I could see two-dozen networks. But times have changed, and in a stretch of about five miles in two villages with a combined population of under 4,000 people, the G2 shows that Wi-Fi is a-thumping even out in the country.

As you can see in the snippet above, some of these networks are obviously printers and such, but there’s still a lot going on. The AirCheck was in the car (sub-optimal reception), the vehicle was moving at 30, 45, and 55 MPH, and we have long stretches where there are no buildings. This is hardly scientific, but it is interesting- and the AirCheck makes gathering and extracting the info a breeze with its reporting capabilities.

Here’s some of what I saw:

  • Around 2 dozen truly open networks
  • Around a dozen WEP
  • 17 WPA-PSK networks
  • Balance (around 80) WPA2-PSK
  • No 802.1X WPA
  • Lots of channel buffoonery from “CableWiFi” and “TWCWiFi”
    • 17 on channel 3
    • 8 on channel 4
    • 6 on channel 5
    • 3 on channel 7
    • 1 on channel 8
  • At least half of all networks named NetGear-xxx or other default SSIDs
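
The same kind of characterization can be scripted over a scan export. This is an added example, not part of the original post and not the AirCheck G2's own report format: the CSV column names, the sample rows, and the default-SSID patterns are all constructed assumptions.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample rows. Column names are assumptions, not the AirCheck G2 export format.
SAMPLE_CSV = """ssid,bssid,channel,security
NETGEAR-5G2,02:00:00:00:00:01,6,WPA2-PSK
linksys,02:00:00:00:00:02,1,Open
CableWiFi,02:00:00:00:00:03,3,Open
TWCWiFi,02:00:00:00:00:04,4,Open
HP-Print-A1,02:00:00:00:00:05,11,WEP
FarmhouseNet,02:00:00:00:00:06,11,WPA-PSK
SmithFamily,02:00:00:00:00:07,7,WPA2-PSK
"""

NON_OVERLAPPING_24GHZ = {1, 6, 11}          # the usual 2.4 GHz channel plan
WEAK_SECURITY = {"Open", "WEP", "WPA-PSK"}  # categories from the list above
# Illustrative patterns for factory-default names (assumed, not exhaustive)
DEFAULT_SSID = re.compile(r"^(netgear|linksys|dlink|default|hp-print)", re.I)


def characterize(csv_text):
    """Summarize a survey: security mix, off-plan channels, default SSIDs."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_security = Counter(r["security"] for r in rows)
    off_channel = Counter()
    for r in rows:
        ch = int(r["channel"])
        # Only 2.4 GHz channels (1-14) can overlap the 1/6/11 plan
        if 1 <= ch <= 14 and ch not in NON_OVERLAPPING_24GHZ:
            off_channel[ch] += 1
    return {
        "total": len(rows),
        "by_security": dict(by_security),
        "off_channel": dict(off_channel),
        "weak_count": sum(1 for r in rows if r["security"] in WEAK_SECURITY),
        "default_ssids": [r["ssid"] for r in rows if DEFAULT_SSID.match(r["ssid"])],
    }


if __name__ == "__main__":
    for key, value in characterize(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```
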

The point?

There really isn’t one, except sometimes it is fun to simply gather SSIDs along the way and see what you can characterize about them as a data set. Of course, a good tool helps- and the AirCheck G2 is a very good tool.


Related:

My review on AirCheck G2 for Network Computing

Good Pineapple, Bad Pineapple, Educational Pineapple

Years ago, I got certified in CWSP and also taught wireless security for a while. I took an amazing class from SANS back in 2008, and had the honor of having Joshua Wright as the instructor. I’ve written a fair amount of wireless policy, designed networks that use 802.1X, VPN, Encryption Gateways and almost any other mainstream (or slightly off the beaten path) security method available, and have done the PCI and HIPAA wireless things. I got really good at finding rogue APs through network clues, combined with “other” elements of information that many in wireless might find atypical (thank you, ten years in a fascinating Air Force career field). I like to think that even though it’s not my current core competency, I generally “get it” when it comes to wireless security.

But my goodness, what a pineapple is teaching me.

OK, it’s not a real pineapple- it’s a cute little router warmed over with bastardized OpenWrt firmware. And it’s teaching me (and reminding me of many things I’d forgotten) a lot about general wireless security.

Part of the experience, as I contemplate why I’m enjoying this evil little toy so much, is where it falls on my own timeline. My Linux skills used to be a lot stronger than they are now for lack of use, phishing is becoming commonplace, and I’m part of a society that is generally both more mobile and hyper-willing to jump on any open WLAN they can find. For me, the Wi-Fi Pineapple is providing hours of entertainment and serving as a self-guided training course of sorts in wireless security, penetration testing, and being an absolute pain in the ass to those nearby.

Once you get set up (spring for the thumb drive, it’s pretty much essential), there are roughly a couple of dozen “infusions” or packages to install. Some amount to standalone hacks/tricks, others work in concert to pull off the likes of a sophisticated phishing attack.

I’m basically working through the list, getting competent in each infusion as I go. This is accomplishing the following for me:

  • making me dust off past Linux command skills
  • making me think about why what I’m doing is working, or not
  • taking my brain to wireless places that I don’t have to think about day to day
  • making me much more paranoid and careful about using public Wi-Fi
  • helping me to understand the mechanics of a number of wireless attacks
  • putting me in a better position to participate in, defend against, and converse about wireless pen testing by making the attacks easy to do and demonstrate
  • providing great fun- who doesn’t like Rick-rolling family members?

Those who are deeper into real wireless security or have good scripting skills might wave off the Pineapple as something you can do yourself for cheaper and without the pre-packaging. I don’t debate the point, but I also know that I find great value in the support forums and slew of Pineapple-related videos available all over the Internet. I like that the Pineapple is a starting point, and that lots of people who try to use it get frustrated- it shows that you still need to think and experiment at least somewhat. Your experience, curiosity, threshold for cheap thrills, and general knowledge will have direct bearing on how much value you get out of the experience.

This little unit is great fun, but after playing with it I can say this: the thought of a secret army of Pineapple soldiers out among the common folks in public wireless cells is a bit disturbing. It’s worth reading about, if for nothing more than knowing what kind of relatively-easy-to-use potentially bad stuff (it’s just a tool, it only becomes bad when the user opts to go that way with it) is out there.