Wireless Hacking Projects for WiFi Enthusiasts, part 4 (PDF)


www.syngress.com Wireless Access Points • Chapter 4

[Figure 4.26: Close-up Shot of a PCMCIA Card after Removal from an 8571]

Note that the 8571 uses an Atheros-based radio. To configure your Soekris/Pebble device, perform the following steps:

1. Enter the following:

    /usr/local/sbin/remountrw

2. Next, edit the /etc/network/interfaces file by typing:

    vi /etc/network/interfaces

3. Comment out any lines in that file and replace them with the following:

    auto lo
    iface lo inet loopback

    auto ath0
    iface ath0 inet static
        # insert IP address for your 802.11 card, i.e. 10.0.0.2
        address 10.0.0.2
        netmask 255.255.255.0
        broadcast 10.0.0.255
        gateway 10.0.0.1
        # enter the MAC Address of the 802.11a AP on the other side of the link, i.e. 00:20:A6:47:f7:30
        up iwconfig ath0 ap 00:20:A6:47:f7:30
        # alternatively use the following line (uncomment) if you want the client to look
        # for a particular SSID instead of a specific AP MAC Address
        # up iwconfig ath0 mode managed essid socalfreenet.org

    auto eth0
    iface eth0 inet static
        # insert IP address for your wired Ethernet port, i.e. 192.168.1.1
        address 192.168.1.1
        netmask 255.255.255.0
        broadcast 192.168.1.255

4. To save your changes in the editor, press Shift and type ZZ.

5. Next, you will need to modify /etc/modules. (Again, type vi /etc/modules.) Add the line:

    ath_pci

NOTE
If you have a Soekris device that supports a second Wi-Fi radio, you can use an 802.11b card and have one device operate as both an 802.11a backhaul and 802.11b client access radio. If you are using an 802.11b Mini-PCI card, you should add the line hostap_pci to the /etc/modules file. If you are using an 802.11b PCMCIA card, you can omit that step.

6. Next, don’t forget to define the 802.11b radio (wlan0) in the /etc/network/interfaces file. For example:

    auto wlan0
    iface wlan0 inet static
        address 192.168.2.1
        netmask 255.255.255.0
        broadcast 192.168.2.255
        up iwconfig wlan0 essid socalfreenet.org channel 1

7. Finally, to save your changes and reboot, enter the command:

    /usr/local/sbin/fastreboot

Figure 4.27 shows an example of a Soekris box with a “harvested” 802.11a PCMCIA card, next to an 802.11b PCMCIA card. When selecting antennas, keep in mind that the 8571 AP operates in the U-NII 2 middle band (5.25-5.35 GHz). Again, always be sure to select antennas that are in compliance with FCC rules (or whichever rules apply in your country).

Under the Hood: How the Hack Works

You can learn more about the Proxim 8571 at the www.proxim.com Web site. Of particular interest is the April 2002 press release announcing the 8571 at www.proxim.com/about/pressroom/pressrelease/pr2002-04-01.html, which reads “The Harmony 802.11a Access Point—connectorized version (Model Number 8571) is available immediately for $695.” You can also read the User Manual at www.proxim.com/support/all/harmony/manuals/pdf/857xman01.pdf. In addition, be sure to upgrade the firmware to the most recent version here: http://support.proxim.com/cgi-bin/proxim.cfg/php/enduser/std_adp.php?p_faqid=1227. Use the option For stand-alone APs (no AP Controller).

If you are curious, the antenna connectors on the PCMCIA card are Radiall UMP series. You can find more information here: www.firstsourceinc.com/PDFs/ump.pdf.

Furthermore, the Proxim 8571 does support PoE, but since it predates any IEEE PoE standards, the 8571 is not 802.3af compliant. For PoE operation, you should use a Proxim Harmony Power System, Model 7562. These can also be found at aftermarket resellers and auction sites. For more information, see the User’s Guide at www.proxim.com/support/all/harmony/manuals/pdf/7562newmanb.pdf.

A quick port scan of the 8571 reveals two open TCP ports (80/HTTP and 23/Telnet) as well as one open UDP port (161/SNMP). Ahah!
A Telnet port. Thanks to an anonymous poster on our Web site, you can now Telnet to the 8571 using the password notbrando and gain access to a special DebugTerm mode. Pressing the question mark (?) reveals the following list of commands:

    Password->notbrando
    DebugTerm->?
    A = MAL registers
    a = Atheros Radio Menu
    b = netbuf debug
    c = crash-o-matic
    d = bridge tables
    E = enet chip info
    e = packet debug
    f = radio tests
    g = toggle watchdog
    L = lock guided mode
    l = enable debug log
    M = mfg info
    m = miniap info
    n = net stats
    o = reboot
    p = print auth filtering stats
    Q = quit
    r = show radio settings
    R = remote AP debug
    s = show stacks
    T = disable telnet
    u = mem debug
    v = version
    V = display Config
    w = write config
    X = nuke config
    Y = nuke image
    z = write new bootrom
    Z = write new image
    0 = reset debug stats
    1 = force deregister
    8 = show 802.1x menu
    Main->

[Figure 4.27: An Example of a Soekris Box with 802.11a and 802.11b Radios]

Pressing the letter “r” (lower case) reveals interesting radio statistics.

    Main->r
    Radio State Down 100 resetOn = 0
    Radio Misc Statistics
    curTxQ = 0 maxTxQ = 1 curRxQ = 400 minRxQ = 0
    txDescC= 0 TxPend = 0 rxDescC = 400 sibAge = 0
    StaInPS= 0 StaDim = 0 psChange= 0 txUrn = 0
    curtxPS= 0 maxtxPS= 0 PSQueue = 0 PSDeque= 0
    curAltQ= 0 maxAltQ= 0 AltQueue= 0 AltDequ= 0
    Rx = 0 Tx = 472 RxBad = 0 TxBad = 0
    RxGood = 0 TxGood = 472 RxUni = 0 TxUni = 0
    RxMulti= 0 TxMulti= 472 RxMgt = 0 TxMgt = 0
    RxCtrl = 0 TxCtrl = 0 RxDscrd = 0 TxDscrd= 29
    RuBrdg = 0 TuBrdg = 0 RmBrdg = 0 TmBrdg = 472
    RepUnPk= 0 RepMuPk= 0 nullPtr = 0 hwReset= 0
    802.11a settings
    SSID- socalfreenet.org
    Channel- 56
    Main->

Pressing the letter “V” (upper case) displays some interesting Configuration data:

    Main->V
    MAC Address = 00:20:a6:47:f7:30
    IP Address = 0.0.0.0
    SSID = socalfreenet.org
    Channel = 56
    SNMP Enabled = 0
    AP or STN = 0
    Security Mode = 0
    Default Key = 1
    WEP Key Size = 13
    Old wepState = 0
    Auth Address = 0.0.0.0
    Auth Address2 = 0.0.0.0
    Auth Retry Tm = 0
    Turbo Mode = 0
    Repeating Enbled = 0
    Beacon Interval = 100
    DTIM Period = 1
    Fragmentation Enabled = 0
    Fragmentation Threshold = 2346
    RTS Threshold = 2346
    RTS Mode = 0
    Supported Rates = 0xff
    Turbo Supported Rates = 0xff
    keyBuf40 : 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    keyBuf128: 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    keyBuf152: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    authSecret: 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
    Main->

Another interesting menu can be found by pressing lowercase f and then the question mark (?):

    Main->f
    Radio Tests->?
    a = set antenna
    b = bc stats
    c = set channel
    d = dump eeprom
    e = const dac
    f = channel freq
    g = pwr tx
    h = pwr rx
    i = init radio
    j = stats
    k = tx99
    l = listen rx
    m = tx loopback
    p = set pwr ctrl dca
    q = quit to main menu
    r = set rate
    t = set turbo mode
    s = sine wave
    x = continuous tx
    y = continuous rx
    Radio Tests->

Finally, another screen can be found by pressing lowercase a and then the question mark (?) to reveal the Atheros Radio menu:

    Main->a
    Radio->?
    ? = show help
    a = display All error stats
    A = set AP Mode
    b = display station info
    B = get MAC Reg
    c = set channel
    C = set MAC Reg
    d = display config
    D = DMA Size
    e = rate Enable
    E = display rate Counters
    f = rate Disable
    F = set Rate
    g = set ch list
    h = set turbo ch list
    i = set hw tx retry count
    I = set Beacon Interval
    j = set RD display code
    J = set DTIM Period
    k = set repeating
    K = display WEP Keys
    l = radioCal
    m = misc stat
    M = display MAC regs
    n = display Beacon
    o = display semaphore
    p = print radio stats
    q = quit to main menu
    r = reset radio
    s = radio stop
    S = radio Start
    t = turbo mode
    u = set RD
    v = set anntenna type
    V = set Turbo Allowed
    w = set wep
    x = dump EEPROM
    X = dump Prox EEPROM
    y = display Calibration
    z = zero stats
    0 = toggle Debug Flags
    1 = set SIFS
    2 = set DIFS
    3 = set aggressive PIFS
    4 = disable 48/96 and 54/108
    5 = enable 48/96 and 54/108
    6 = set Beacon txRate
    7 = set BC MC txRate
    8 = set EEPROM
    9 = get EEPROM
    Radio->

From this menu, you can modify all manner of wireless configuration options, including WEP keys, data rates, channels, regulatory domain (FCC, ETSI, Spain, France, and so on), and more. You can also display statistics and view a list of associated stations.
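
The V listing earlier in this section prints the key buffers and authSecret alongside the rest of the configuration, so a saved DebugTerm transcript has to be handled as a secret. The following Python is an added example, not code from the book or from Proxim: it parses such a listing, flags risky settings and redacts key material before the transcript is filed. Both transcripts are constructed, and reading Security Mode 0 as "no link encryption" is an assumption.

```python
import re

SECRET_FIELDS = ("keyBuf40", "keyBuf128", "keyBuf152", "authSecret")
FIELD = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s*[:=]\s*(.*?)\s*$")

# Constructed transcripts modelled on the listing above (values invented).
OPEN_DUMP = """Main->V
SSID = socalfreenet.org
SNMP Enabled = 0
Security Mode = 0
keyBuf128: 0 0 0 0 0 0 0 0 0 0 0 0 0
authSecret: 0 0 0 0
"""
KEYED_DUMP = """Main->V
SSID = socalfreenet.org
SNMP Enabled = 1
Security Mode = 1
keyBuf128: 17 34 51 68 85 102 119 136 153 170 187 204 221
authSecret: 0 0 0 0
"""

def parse(dump):
    """Return {field: value} for each `name = value` or `name: value` line."""
    return {m.group(1): m.group(2)
            for m in map(FIELD.match, dump.splitlines()) if m}

def audit(fields):
    """Return findings for one parsed dump, in a fixed order."""
    findings = []
    # Assumption: Security Mode 0 means no link encryption is configured.
    if fields.get("Security Mode") == "0":
        findings.append("link-unencrypted")
    if fields.get("SNMP Enabled", "0") != "0":
        findings.append("snmp-enabled")
    for name in SECRET_FIELDS:
        if any(v != "0" for v in fields.get(name, "").split()):
            findings.append("secret-in-transcript:" + name)
    return findings

def redact(dump):
    """Replace key material so the transcript can be filed or shared."""
    out = []
    for line in dump.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) in SECRET_FIELDS:
            line = f"{m.group(1)}: [redacted, {len(m.group(2).split())} values]"
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    for dump in (OPEN_DUMP, KEYED_DUMP):
        print(audit(parse(dump)))
        print(redact(dump))
```

Prompt lines such as Main->V match neither separator pattern and are passed through unchanged by redact().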

NOTE
You should use extreme care in using the Debug mode and always remain in compliance with local regulations.

Summary

In this chapter, we reviewed firmware upgrades for the Linksys WRT54g AP as well as provided a review of the Soekris SBC hardware line. Finally, we reviewed the Proxim 8571 and how you can use it to create 802.11a links.

Choosing to use a Linksys or SBC device is a very deployment-specific issue. In general, we like to shy away from consumer-grade gear, but in some environments (such as small coffee shops or retail locations) it could be entirely appropriate.

Because upgrading Linksys firmware is so simple (just use the browser-based management interface), we recommend playing with multiple distributions before making your selection.

For SBCs, always be sure to check the hardware requirements of your distribution before selecting a particular SBC product. Soekris engineering makes an excellent line of SBCs that work great in community wireless networks.

Another option to consider for backhauls is to use 5 GHz, where there is less interference and congestion than 2.4 GHz. A very low-cost method for building 802.11a backhaul links is to use a Proxim 8571. One device can operate as an AP while the other device can be “harvested” for its PCMCIA card and used as a client in a Soekris running pebble.

Chapter 8 outlines other solutions that are commercial but low cost, such as the excellent Sputnik management platform.

[...]...
this chapter, you will understand everything you need to know to get your client device up and running on a wireless network.

Notebook Computers

Notebook computers or laptops are by far the most widely used computing platform for accessing a wireless network. In fact, before the widespread use of wireless technologies became commonplace, most people had to either use a dial-up modem, or stretch a long,...

is designed to function as a starting point for discovering wireless networks in an ethical and legal manner. It is never legal to access a secured AP through means of cracking encryption. The purpose of this HOWTO is for information gathering and data collection of historical trends. We are not responsible for any actions taken while WarDriving or how any information is used.

Why Are People WarDriving?

...

in the form of contests such as the one held each summer at DefCon in Las Vegas, Nevada. Others are more of a collaborative effort, such as the WorldWideWarDrive (WWWD), which posts data about the entire United States and Europe on its Web site. WWWD is a massive worldwide coordinated effort to collect data during a one-week period.

NOTE…WWWD4 (JUNE 12–19, 2004)
During the WorldWideWarDrive in 2004, over...

list of resources for finding out more about WarDriving:

- Audit [of] Michigan Wireless www.michiganwireless.org/staff/audit/wardriving
- Stumbler Code of Ethics Renderman [of] Renderlabs www.renderlab.net/projects/wardrive/ethics.html
- The GPS Store http://thegpsstore.com/pcpda_products.asp
- WarDriving.com www.wardriving.com

Part III Software Projects

Chapter 6 Wireless Operating...

disk
- A blank formatted 1.44 MB diskette

The ethernet cards should be supported by FreeBSD/i386 version 4.9, as listed at: www.freebsd.org/releases/4.9R/hardware-i386.html. Most commonly available cards are supported.

m0n0wall on a Single Board Computer (SBC)

To run m0n0wall on a single board computer, you’ll need:

- A single board computer made by Soekris or PC Engines, or a small form-factor standard...

Microsoft Pocket PC device. Wireless networking allows the ultimate in portable connectivity for handheld devices.

Compact Flash

Compact Flash (or CF) cards are the most common interface used by PDA devices. While originally used to extend the amount of memory in a device, the compact flash interface can now be used for network devices, such...

III with about 256 MB of RAM, a 4-10 GB hard disk drive, and an available PCMCIA slot. If you plan to use a GPS to log your precise location where the wireless APs are discovered, you will also need an available serial or USB port. A suitable notebook can be found on eBay or other auction sites for less than $500.

Wireless Cards

When WarDriving, it is preferred to use a wireless card that supports an external...

their methods for seeking wireless LANs, capturing data by air, on foot, and by rail. What’s next? Only time will tell. First, let’s review a little background on WarDriving. The term WarDriving has been credited to Pete Shipley, a security researcher from Berkeley, California, who was one of the first people to automate the process of logging discovered wireless networks. Others had come before him, but...

[Figure 5.5: A typical USB adapter (pictured Lucent ORiNOCO USB Client)]

Figure 5.6 is a great example of some of the newer style of USB wireless adapters. Most manufacturers have gone to a smaller form factor to reduce cost.

[Figure 5.6: Another USB Adapter (pictured Linksys WUSB54G). Courtesy of Linksys]

...

flash “drive” (see Chapter 4 for more details on these boards)
- PRISM II/2.5 chipset wireless card (either PCMCIA or miniPCI, or PCI depending on your hardware)
- A compact flash card at least 8MB in size (larger is okay, but the extra space is not used and is unnecessary). Old digital camera cards are a great cheap source for the perfect-sized ...

Date posted: 13/08/2014, 12:21
