Tools of the Trade
Before you go looking for wireless devices, you need to gather your arsenal. You’ll need a proper wireless card, some kind of wireless discovery software, and potentially antennas.
The selection of cards and software may go hand in hand. Some software requires certain types of cards to work. For instance, AirSnort is a popular tool for Linux (and the BSD versions) that finds wireless devices and attacks WEP. However, AirSnort requires a wireless card with a Prism II chipset in order to function properly. The AirSnort web site has pointers to these specific cards and how to use them.
NetStumbler is a popular tool for use in Windows. It has been around a long time; however, it has some drawbacks:
- NetStumbler won’t detect clients—just access points. If you’re looking for clients, NetStumbler is not the tool for you.
- NetStumbler only sees access points that are sending beacons. Access points that are hiding or "cloaking" by not sending beacons are not detected by NetStumbler.
- NetStumbler is loud. It sends out many packets in an attempt to find access points. If you care at all about stealth, don’t use NetStumbler.
Kismet is a great tool that runs under Linux and the BSDs. It’s not graphical like NetStumbler, but it does see clients and cloaked access points. It works with a wide variety of cards, including Cisco cards and many of the mass-market cards available at local electronic stores. Kismet can store its data in a variety of formats for analysis later, which is handy if you’re dealing with large datasets.
For the OS X users of the world, there’s KisMAC. KisMAC has most of the same features as Kismet, but also has quite a number of attack capabilities. It’s graphical and relatively easy to use. The one drawback of KisMAC is that it can’t see clients and cloaked access points when it’s configured to use Apple’s AirPort Extreme wireless interface. To get the most out of KisMAC, you’ll need a third-party card.
There are a variety of commercial tools that you could use. Wild Packets’ AiroPeek is a popular tool for doing device discovery. AiroPeek focuses on being easy to use and powerful in a large enterprise. It produces easy-to-read statistics and graphs, and allows you to easily see changes in your enterprise over time. It’s a bit pricey for the casual user, but larger businesses may find that the cost of a tool like AiroPeek is far outweighed by its utility.
Setting up all the variables to get the cards and the software to talk to each other correctly can be difficult. One of the best ways to experiment with tools like Kismet and AirSnort is with the Auditor bootable CD from Remote-Exploit.org. Auditor is a complete bootable Linux distribution with a pile of security tools built into it. It has a large set of scripts that autoconfigure the wireless software and cards to work automatically. If you want to try out AirSnort, for instance, but don’t want to go through the hassle of making everything play nice together, Auditor may be just the toolkit you need.
Antennas may or may not be required for your situation. In a nutshell, antennas boost your transmitted and received signals. If you’re roaming around inside a building, antennas may not be necessary; however, if you’re wardriving a larger facility or want to cover a large area quickly, you’ll want an antenna. Antennas come in two basic types:
- Omnidirectional antennas amplify signals in a 360-degree circle around the axis of the antenna.
- Directional antennas amplify signals in a narrower beam.
The power of an antenna is measured in decibels (dB), where the larger the number, the more powerful the antenna. Beware, however, because a stronger antenna has a more focused signal, which may actually make finding wireless devices more difficult. In general, an 8 dB omnidirectional antenna is great for general-purpose wardriving and device discovery.
Antennas are a complicated topic. To learn more, check out the Wikipedia entry on them.