NetStumbler.org Forums

Old 10-21-2004   #1 (permalink)
ParityByte
Registered Member
 
Join Date: Oct 2004
Posts: 11
What gets logged just by Probing?

While WarDriving, you're sending out a 'probe request' every second for available APs in the vicinity - and you'll receive an "I am here" as applicable (from active APs).

Just from that brief interaction, what data about YOU/the Device that you're using, will the AP then have?
(without any further probing/interaction with that AP).

i.e.: Will the AP have logged your PDA/Laptop BIOS Name etc/Device type/Operating Systems - or no 'specific' Device information is sent (to the AP)? ....I'm presuming it's the latter (no 'specific' information is sent).

I have searched the Boards for the answer to this, while finding Threads on a similar subject, none specifically answer THIS question.

If I have misunderstood any concepts here, then please feel free to correct me!

Last edited by ParityByte : 10-21-2004 at 08:34 AM.
ParityByte is offline   Reply With Quote
Old 10-21-2004   #2 (permalink)
Thorn
Did you do the math?
 
Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,084
Quote:
Originally Posted by ParityByte
While WarDriving, you're sending out a 'probe request' every second for available APs in the vicinity - and you'll receive an "I am here" as applicable (from active APs).

Just from that brief interaction, what data about YOU/the Device that you're using, will the AP then have?
(without any further probing/interaction with that AP).

i.e.: Will the AP have logged your PDA/Laptop BIOS Name etc/Device type/Operating Systems - or no 'specific' Device information is sent (to the AP)? ....I'm presuming it's the latter (no 'specific' information is sent).

I have searched the Boards for the answer to this, while finding Threads on a similar subject, none specifically answer THIS question.

If I have misunderstood any concepts here, then please feel free to correct me!
It will know it was probed. Depending on what networking protocols you have enabled, it may know a whole lot or nothing. By the way, the probes are at more like four times a second.
__________________
Thorn
"I'm The Doctor. I'm a Time Lord. I am from the planet Gallifrey in the constellation Kasterborous. I'm 903 years old and I am the man who is going to save your lives and all 6 billion people on the planet below... You got a problem with that?"
Thorn is offline   Reply With Quote
Old 10-21-2004   #3 (permalink)
beakmyn
root\.workspace\.garbage.
 
Join Date: Aug 2003
Posts: 4,796
So when running NetStumbler it's best to go into the Wireless network connection properties dialog and uncheck all protocols etc. for your wireless card. That way Windows can't connect to an AP.

Right click Network Places
Right click wireless connection
select properties
On the general tab uncheck everything in the "The connection uses the following items:" list
Ok

Thorn, correct me if I'm wrong but there's two scenarios happening:

Windows trying to associate with the AP, which would give away certain information about the computer, especially if it was able to associate.

And the Probe packet which I believe would contain the MAC address of the wireless card?

Do APs log probe requests?
I don't remember seeing that option in my Linksys log.
Now I'm interested in watching the wardriver!
beakmyn is offline   Reply With Quote
Old 10-21-2004   #4 (permalink)
Clyde Vargus2
Registered Member
 
Join Date: Sep 2004
Posts: 28
This IS an interesting question, and one I'd like to know more about also.

So what type of networking protocols allow what specific information to get to the AP, and how are they enabled / disabled? Show a specific path to access them, like C: << Documents << Settings or something like that.

And by enabling / disabling certain protocols, what other computer functions are affected?
Clyde Vargus2 is offline   Reply With Quote
Old 10-21-2004   #5 (permalink)
G8tK33per
Asshole Emeritus
 
Join Date: May 2003
Location: S.E. VA.
Posts: 5,932
AirSnare will pick it up (the MAC, that is) if you have it running when a stumbler stumbles by...
__________________
"Benjamin is nobody's friend. If Benjamin were an ice cream flavor, he'd be pralines and dick."

Sons of Confederate Veterans
G8tK33per is offline   Reply With Quote
Old 10-21-2004   #6 (permalink)
beakmyn
root\.workspace\.garbage.
 
Join Date: Aug 2003
Posts: 4,796
hmm, Google is my friend.

2002 article on Wardriving and watching the wardriver

another article, better than the first

Kismet is 'undetectable'
beakmyn is offline   Reply With Quote
Old 10-21-2004   #7 (permalink)
Thorn
Did you do the math?
 
Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,084
Quote:
Originally Posted by beakmyn
...
Thorn, correct me if I'm wrong but there's two scenarios happening:

Windows trying to associate with the AP, which would give away certain information about the computer, especially if it was able to associate.

And the Probe packet which I believe would contain the MAC address of the wireless card?
That's pretty much it, although a purist might insist that it's the networking protocols (independent of the OS) rather than Windows per se.

1) So you have 802.11 networking (wireless probes, association, etc.) As this is basically a variation of Ethernet, the MAC is in there.

2) Standard networking, TCP/IP, NetBIOS, etc. This is where things like the DHCP, IP address, machine name, etc. all go back and forth.

It's pretty interesting watching this stuff go back and forth in packets. You can learn a lot with a packet capture program and Ethereal. You can also get pretty paranoid when you realize how naked this information is when you see it without encryption. It is trivial to pick out passwords, usernames, machine names, addresses, etc. I shudder when I think of the Credit Card numbers going across open networks.

Aside: Last Xmas I walked the local mall with MS. The seasonal kiosks were up and running and I counted about 20-25 POS units without any WEP. Quite obviously that's what they were as they had SSIDs of things like "POS" or the kiosk's name. Damned scary. I could only hope they had some other encryption scheme going, but I doubt it.

Quote:
Originally Posted by beakmyn
...
Do APs log probe requests?
I don't remember seeing that option in my Linksys log.
Now I'm interested in watching the wardriver!
I've never in as part of an AP, but as G8tk33per mentioned AirSnare will document it and I believe NSSpyGlass will also.
Thorn is offline   Reply With Quote
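
Added illustration (not part of the thread and not any poster's code): a minimal Python parser for the 802.11 probe request that item 1 in the post above refers to. It shows that the frame itself exposes the card's MAC, the SSID being asked for and the supported rates, and nothing from the TCP/IP or NetBIOS layer of item 2. The sample frame and its MAC address are constructed.

```python
import struct

# Constructed sample: an 802.11 probe request as seen on the air
# (no radiotap header, no FCS). The MAC address is made up.
SAMPLE_PROBE = bytes.fromhex(
    "4000" "0000"      # frame control (management, subtype 4), duration
    "ffffffffffff"     # addr1: destination = broadcast
    "020000aabbcc"     # addr2: source = the probing card's MAC
    "ffffffffffff"     # addr3: BSSID = wildcard
    "1000"             # sequence control
    "0000"             # element 0 (SSID), length 0 = "any network"
    "010402040b16"     # element 1 (rates): 1, 2, 5.5, 11 Mbps
)

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_probe_request(frame):
    """Return every field a receiver can read from one probe request."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    (fc,) = struct.unpack_from("<H", frame, 0)
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != (0, 4):
        raise ValueError("not a probe request (type 0, subtype 4)")
    info = {
        "destination": fmt_mac(frame[4:10]),
        "source_mac": fmt_mac(frame[10:16]),
        "bssid": fmt_mac(frame[16:22]),
        "ssid": None,
        "rates_mbps": [],
        "other_elements": [],
    }
    pos = 24  # tagged elements follow the fixed 24-byte header
    while pos + 2 <= len(frame):
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:
            raise ValueError("truncated information element")
        if eid == 0:    # SSID; empty means a broadcast probe
            info["ssid"] = body.decode("utf-8", "replace")
        elif eid == 1:  # supported rates, units of 500 kbit/s
            info["rates_mbps"] = [(r & 0x7F) * 0.5 for r in body]
        else:
            info["other_elements"].append(eid)
        pos += 2 + elen
    return info

if __name__ == "__main__":
    print(parse_probe_request(SAMPLE_PROBE))
```
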
Old 10-21-2004   #8 (permalink)
G8tK33per
Asshole Emeritus
 
Join Date: May 2003
Location: S.E. VA.
Posts: 5,932
The author of the second is a member here.
G8tK33per is offline   Reply With Quote
Old 10-21-2004   #9 (permalink)
beakmyn
root\.workspace\.garbage.
 
Join Date: Aug 2003
Posts: 4,796
I saw spyglass mentioned along with airsnare.

Then I found something about the "Generic Kernel Packet Engine" being used in Kismet which will make Kismet detectable but so far I've been unable to find out if Kismet runs that way out of the box or if some config switches have to be set to run that way.


Quote:
It's pretty interesting watching this stuff go back and forth in packets. You can learn a lot with a packet capture program and Ethereal. You can also get pretty paranoid when you realize how naked this information is when you see it without encryption. It is trivial to pick out passwords, usernames, machine names, addresses, etc. I shudder when I think of the Credit Card numbers going across open networks.
Yeah, for the techno savvy criminal it's a goldmine. Picture a guy walking through the mall with a PDA in his pocket capturing packets and then using his cell phone to buy something with a credit card number he just captured. While some of the details in this scenario are missing, it's entirely possible.
beakmyn is offline   Reply With Quote
Old 10-21-2004   #10 (permalink)
Clyde Vargus2
Registered Member
 
Join Date: Sep 2004
Posts: 28
Well, couldn't that cell phone be traced back to him? I think the better idea would be to use a common pay phone and pay with coins, not a calling card or anything else.
Clyde Vargus2 is offline   Reply With Quote
Old 10-21-2004   #11 (permalink)
beakmyn
root\.workspace\.garbage.
 
Join Date: Aug 2003
Posts: 4,796
Yes. There's intentional flaws in the design. I didn't want to go into detail about Call ID spoofing, and social engineering since it would probably violate the rules of the board.
beakmyn is offline   Reply With Quote
Old 10-21-2004   #12 (permalink)
Gabriel
Registered Member
 
Join Date: Oct 2004
Posts: 2
Quote:
Aside: Last Xmas I walked the local mall with MS. The seasonal kiosks were up and running and I counted about 20-25 POS units without any WEP. Quite obviously that's what they were as they had SSIDs of things like "POS" or the kiosk's name. Damned scary. I could only hope they had some other encryption scheme going, but I doubt it.
Hello all,

Question: If accessing an AP and using available bandwidth is wrong; why then is sniffing ok? Accessing information or bandwidth what’s the difference?
Gabriel is offline   Reply With Quote
Old 10-21-2004   #13 (permalink)
ParityByte
Registered Member
 
Join Date: Oct 2004
Posts: 11
A LOT of very interesting points made! Thanx!!

I may in fact buy the gear and set up a Wireless LAN at home, then install a number of Network Monitoring products/Tools on my LAN.

THEN, Scan for my Wireless LAN using my PDA so that I pick it up, then go back onto my LAN and see EXACTLY what has been 'logged' in each of the different Network Monitoring/Logging products!?

That way I can make changes to my PDA WarDriving setup, so I know as little as possible is 'revealed' when out on the street/in the car.

Also I think the comprehensive findings would make a very interesting read if I was to post it onto this Site? Has anyone done this before? Suggestions?
ParityByte is offline   Reply With Quote
Old 10-21-2004   #14 (permalink)
beakmyn
root\.workspace\.garbage.
 
Join Date: Aug 2003
Posts: 4,796
Quote:
Originally Posted by Gabriel
Hello all,

Question: If accessing an AP and using available bandwidth is wrong; why then is sniffing ok? Accessing information or bandwidth what’s the difference?
Scanning the AP does not utilize the internet access, bandwidth or network that the AP is attached to. You are sending a probe request to the AP which responds with a reply. It's kinda like pinging a computer on a network but you're not on the 'network'.
beakmyn is offline   Reply With Quote
Old 10-21-2004   #15 (permalink)
wrzwaldo
I amuse you?
 
Join Date: Dec 2003
Posts: 9,127
Quote:
Originally Posted by Gabriel
Hello all,

Question: If accessing an AP and using available bandwidth is wrong; why then is sniffing ok? Accessing information or bandwidth what’s the difference?
Because you DON'T access the AP to get the information... And do you mean sniffing or detecting? Wardriving is NOT sniffing!
wrzwaldo is offline   Reply With Quote