Getting to Know Your Neighbors

by Shiv Polarity

Note: In most places, connecting to your neighbor's network without their
permission is illegal. Additionally, you can be prosecuted by your neighbor's
Internet provider for theft of services if you access the Internet through
their network. These instructions are purely for informational purposes and are
intended to help you learn how to secure your own wireless network by learning
the tactics of potential attackers. Do not invade the privacy of your
neighbors; it is rude. Do not steal Internet access; it is wrong.

The use of devices such as 802.11b network cards in schools, coffee shops, and
the workplace is becoming more and more common every day. In a setting such as
an apartment complex, it is common to have one or more neighbors who have
laptops or computers equipped with such a device. If you have a wireless
network in your home, you should know how a motivated WiFi user might try to
gain access to your network. To adequately protect your network from invaders,
you should understand what tools and tactics could be used against you.

The first thing you would need to explore a neighbor's network is a computer
with a correctly configured 802.11 network card. I use a laptop with a Compaq
WL100 PCMCIA card. The drivers I have found most useful are the linux-wlan-ng
drivers from http://www.linux-wlan.com/linux-wlan. For the purposes of this
article, the use of these drivers will be assumed. Other cards may require
other drivers, though almost any Prism2-based card should be fine with
linux-wlan-ng. Download the source and follow the instructions to compile for
your specific configuration.

Phase 1: Discovery

The first step toward exploration is discovery. By default, your network card
will try to connect to the strongest available signal it finds. This is good
for accessing the Internet from coffee shops or school, but for our purposes we
need a little bit more information. This is where a little app named Kismet
comes into play.

Kismet is an "802.11 wireless network sniffer," available from
http://www.kismetwireless.net. Once it has been downloaded and configured you
can use it to scan the surrounding airwaves for wireless networks.

To start Kismet you must first use the root account to start the Kismet server
by running kismet_monitor. This will put your card into scan mode, which will
disconnect you from any previous networks you may have been connected to. The
kismet_monitor command starts up the Kismet server application. Once that has
been started, open a different console and run the command kismet. In your
kismet.conf file, you should have configured Kismet for a default user. This is
the only user that can start the application, so be sure you run the kismet
command as that user.

The graphical interface presented by Kismet can be confusing at first. I
suggest you read the documentation at the Kismet web site and get to know what
all the symbols and sounds mean. Personally, I find the sounds irritating and
usually turn them off by pressing the "m" key. Kismet offers a great deal of
information, providing statistics and details for all detected wireless
signals. For our purposes, all we are interested in is the list of available
access points.

The perfect access point will be unencrypted (access points named "default" are
particularly delicious). Kismet will tell you whether or not a given access
point is using WEP (Wireless Encryption Protocol). If all of the listed access
points for your location are encrypted, you will not be able to proceed. WEP
can be broken, but it is a time-consuming process and is beyond the scope of
this article (a little too invasive for my taste). I will, though, suggest you
visit http://airsnort.shmoo.com if it is not beyond the scope of your personal
ethics.

Once you have identified an unencrypted access point, write down its SSID
(name) as well as the channel the signal is using and quit Kismet. Once you
have closed the Kismet application, run the kismet_unmonitor command as root.
This stops the Kismet server and puts your WiFi card back into its normal mode
of operation, though it doesn't hurt to also run /etc/init.d/pcmcia restart
just for good measure, assuming you are using a laptop.

Phase 2: Connectivity

The next step is actually connecting to the access point you have identified.
The steps involved in connecting to an access point will differ from one 802.11
driver to the next. These instructions apply to linux-wlan-ng drivers only. If
you use different drivers, consult the instructions for those drivers.

Edit /etc/wlan/wlan.conf and look for the line beginning with SSID_wlan0. The
value for that key should be the SSID of the access point you wish to connect
with.

Next, look in /etc/wlan for a file named wlancfg-DEFAULT. That file is your
template config file. Do not edit it or overwrite it. Instead, use the cp
command to create a copy of it. The name of the copy is important and is
determined by the SSID of the access point you are trying to connect with. For
example, if your target access point is named MyAccessPoint you would use the
following command:

cp wlancfg-DEFAULT wlancfg-MyAccessPoint

This will create a new file named /etc/wlan/wlancfg-MyAccessPoint. For access
points named default create the file /etc/wlan/wlancfg-default. Remember, this
is Linux so wlancfg-DEFAULT and wlancfg-default are totally different files.
The linux-wlan-ng drivers will use this new file the next time your wireless
connection is initialized.

After you have the new config file, edit it. The contents of the file should be
pretty easy to understand. Enter the channel in the appropriate place, as well
as the WEP key if needed (if you used Airsnort to acquire one). Most of this
file can probably be left as is.

Once all of your values are entered correctly into the new config file, restart
your wireless connection. Personally, I use "/etc/init.d/pcmcia restart" to do
this, though you may have a different means. If everything is correct, you will
connect to your target access point. My card gives me two high-pitched beeps to
indicate a good connection. One high-pitched beep followed by a low-pitch beep
indicates failure.

There are several reasons your connection attempt might fail. If the access
point uses MAC address filtering, you will probably not be able to connect to
the access point. In this case you are probably up against a fairly savvy
access point and you're better off seeking lower-hanging fruit. You may also
have made a mistake in your wlancfg file. Double-check it. Restart Kismet if
you need to make sure you got everything right to begin with. Also double-check
to make sure the access point isn't using encryption. Another reason for
connection failure could be poor signal strength. Again, check Kismet to make
sure there is a reliable signal getting to you. If not, try walking around
(assuming you have a mobile computer) and see if you can get a better signal
somewhere else. Sometimes just a few feet in the right direction can make a
huge difference. If all else fails, check /var/log/syslog or one of your other
error logs.

Phase 3: Exploration

Now you're connected to your neighbor's access point. Congratulations, you
outlaw. Before proceeding, be aware that your connection has been logged on
your neighbor's access point or wireless router. Of course, if your neighbor
has left his access point wide open, they probably don't even know what the log
means and probably never check it. But you should be aware. They have a log of
your MAC address, what time you connected, what IP you were assigned, and,
depending on the access point, they may be logging everything you do on their
network.
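The log mentioned above is the defender's side of this story. As an added example (not code from the original article), the Python below reads a constructed association log of the kind described (MAC address, time, assigned IP) and reports every device that is not on your own allowlist; the log format, MAC addresses and IPs are all constructed, since each access point writes its own format.

```python
# Added example, not code from the original article: audit an access point's
# association log for devices you did not authorize. The log format is
# constructed; real access points each write their own, so adapt LINE_RE.
import re
from datetime import datetime

# MAC addresses of devices you own (constructed sample values).
KNOWN_DEVICES = {"00:0c:29:aa:bb:01": "laptop", "00:0c:29:aa:bb:02": "desktop"}

# Constructed sample log: the access point records MAC, time and assigned IP.
SAMPLE_LOG = """\
2003-04-12 19:02:11 assoc mac=00:0c:29:aa:bb:01 ip=192.168.0.2
2003-04-12 19:05:40 assoc mac=00:0C:29:AA:BB:02 ip=192.168.0.3
2003-04-12 23:47:03 assoc mac=00:50:ba:11:22:33 ip=192.168.0.4
not a log line
2003-04-13 01:12:55 assoc mac=00:50:ba:11:22:33 ip=192.168.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) assoc "
    r"mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) ip=(?P<ip>[\d.]+)$"
)

def parse_line(line):
    """Return (timestamp, lowercase mac, ip) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("mac").lower(), m.group("ip")

def find_unknown_clients(log_text, known=KNOWN_DEVICES):
    """Return {mac: {first, last, ips, count}} for MACs not in the allowlist."""
    seen = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # blank or unrelated line: skip rather than crash
        ts, mac, ip = parsed
        if mac in known:
            continue
        e = seen.setdefault(mac, {"first": ts, "last": ts, "ips": set(), "count": 0})
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
        e["ips"].add(ip)
        e["count"] += 1
    return seen

if __name__ == "__main__":
    for mac, e in find_unknown_clients(SAMPLE_LOG).items():
        print(f"unknown {mac}: {e['count']}x, {e['first']}..{e['last']}, ips={sorted(e['ips'])}")
```

An unknown MAC that keeps reappearing, or that collects several IPs over time, is the signal that it is time to enable MAC filtering, change the WEP key, and replace the default administrator password.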

So What Now?

Well, my first thing would probably be to see what IP I have been assigned. It
is usually 192.168.0.x where x is some number greater than 1. Also, pinging
192.168.0.1 usually works because that is probably the IP to the access point
or wireless router. Try opening a Web browser and entering in
http://192.168.0.1. If prompted for a username/password, try typing in "admin"
as the username and leave the password blank. If they are truly using the
out-of-the-box configuration, this will usually let you into the configuration
page. If you can get into the configuration page, you now have full control of
the access point and/or router. One good idea might be to clear the activity
log. But hey, this is your gig. Do what you like.

Another interesting venture could be to look at any port-forwarding rules.
Finding out which ports are forwarded is a good way to determine what sorts of
things go on over this network. Is there a Web server somewhere? An SSH server?
Does anyone play video games? If so, what IP do these services run on? This is
all very interesting stuff.

If you can't find the access point right away, try using a tool known as nmap
(http://www.insecure.org/nmap/). As root, run the command xnmap to get a nice
graphical interface for this incredible tool. You have several options you can
perform with nmap. One of my favorites is an IP scan using operating system
detection. If you tell it to scan 192.168.0.*, it will scan every possible IP
on that segment and return to you a list of all active IP addresses, along with
which operating systems they are using. The IP for the access point will have
an operating system such as "D-Link DWL 900AP+" or something along those lines.
It should be obvious.

So now you know where the access point is. You also know what model the access
point is. Try a Google search for that model number. You can sometimes find
interesting bugs or vulnerabilities on Web forums for specific models. At the
absolute least you should be able to download the PDF manual for the access
point to learn how it works along with a confirmation of the default username
and password.

You also know how many clients are using the access point, and you know their
IP addresses. So now it's time to be neighborly. Go grab an application called
LinNeighborhood. This program gives you a graphical interface to your local
network, much like Microsoft's famous Network Neighborhood.

Once you've started LinNeighborhood you probably will only see your computer
listed in the main window. Since it is highly unlikely that you're on the same
workgroup as your neighbor's computers, you will have to do a little work to
find them. Click the button at the top labeled Add. This will bring up a dialog
asking for a name, group, IP, etc. Enter an IP from the list given to you by
nmap, then click Query. LinNeighborhood will fill in the rest of the values for
the Add dialog. Once the rest of the values have been filled in, click OK. The
new computer should now show up in LinNeighborhood. Do this for each of the
computers found by nmap.

Clicking on the computers listed in LinNeighborhood will show you any shared
folders they have. You will need to know the usernames and passwords to access
them, unless they have been shared publicly. But at this point, why would you
suspect your neighbor of not sharing his files publicly? LinNeighborhood will
mount the shares on your local file system, and you can look around and see what
is there. My personal suggestion would be to not look at the files, and
(assuming you can get write access) politely leave a conspicuous text file
explaining how to properly secure a wireless network, suggesting WEP
encryption, MAC filtering, and setting new passwords and IP addresses for
everything. If you do this, most definitely be sure to clear the activity logs
in the access point or router.

At the absolute least you should be able to learn the names, groups, and IP
addresses of your neighbor's computers. You can use the port forwarding rules
from the router to determine what roles the network clients perform and you'll
be able to access the Internet, albeit illegally.

Of course, the smartest thing to do would be to not try any of this stuff
yourself and instead double-check your own access point or wireless router
configuration to be sure they are secure. Also, be sure to change your WEP keys
from time to time and keep an eye on your logs. You never know who lives
nearby. It could be another 2600 reader.