wardriving wireless penetration testing
410_WD2e_FM.qxd 10/17/06 10:54 AM Page i

WarDriving & Wireless Penetration Testing

Chris Hurley
Russ Rogers
Frank Thornton
Daniel Connelly
Brian Baker

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

WarDriving and Wireless Penetration Testing
Copyright © 2007 by Syngress Publishing, Inc.
All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in Canada.

ISBN 10: 1-59749-111-X
ISBN 13: 978-1-59749-111-2

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Erin Heffernan
Copy Editor: Judy Eby
Technical Editor: Chris Hurley and Russ Rogers
Indexer: Odessa&Cie
Cover Designer: Michael Kavish

Distributed by O’Reilly Media, Inc. in the United States and Canada. For information on rights, translations, and bulk sales, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email matt@syngress.com or fax to 781-681-3585.

Acknowledgments

Syngress would like to acknowledge the following people for their kindness and support in making this book possible.

Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc. The enthusiasm and work ethic at O’Reilly are incredible, and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O’Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Tim Hinton, Kyle Hart, Sara Winge, Peter Pardo, Leslie Crandell, Regina Aggio Wilkinson, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Kathryn Barrett, John Chodacki, Rob Bullington, Kerry Beck, Karen Montgomery, and Patrick Dirden.
The incredibly hardworking team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Krista Leppiko, Marcel Koppes, Judy Chappell, Radek Janousek, Rosie Moss, David Lockley, Nicola Haden, Bill Kennedy, Martina Morris, Kai Wuerfl-Davidek, Christiane Leipersberger, Yvonne Grueneklee, Nadia Balavoine, and Chris Reinders for making certain that our vision remains worldwide in scope.

David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, Joseph Chan, June Lim, and Siti Zuraidah Ahmad of Pansing Distributors for the enthusiasm with which they receive our books.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec Lowe, Mark Langley, and Anyo Geddes of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Technical Editor and Lead Author

Chris Hurley is a Senior Penetration Tester in the Washington, DC area. He has more than 10 years of experience performing penetration testing, vulnerability assessments, and general INFOSEC grunt work. He is the founder of the WorldWide WarDrive, a four-year project to assess the security posture of wireless networks deployed throughout the world. Chris was also the original organizer of the DEF CON WarDriving contest. He is the lead author of WarDriving: Drive, Detect, Defend (Syngress Publishing, ISBN: 19318360305). He has contributed to several other Syngress publications, including Penetration Tester’s Open Source Toolkit (ISBN: 1-5974490210), Stealing the Network: How to Own an Identity (ISBN: 1597490067), InfoSec Career Hacking (ISBN: 1597490113), and OS X for Hackers at Heart (ISBN: 1597490407).
He has a BS from Angelo State University in Computer Science and a whole bunch of certifications to make himself feel important. He lives in Maryland with his wife, Jennifer, and daughter, Ashley.

First, I thank my co-authors on WarDriving and Wireless Penetration Testing, Dan Connelly, Brian Baker, Frank Thornton, and Russ Rogers.

I also thank my fellow members of Security Tribe. You all have been great at pointing me in the right direction when I have a question or just giving me an answer when I was too dense to find it myself.

I need to thank Jeff Thomas for all of the nights in the basement owning boxes and eating White Castles. (Oh . . . and you know a thing or two about a thing or two as well. Thanks for teaching me both of them :)

I also need to thank Jeff and Ping Moss. You have provided me with so many opportunities. Taking a chance on some unknown guy and letting me speak at DEF CON for the first time really started this ball rolling.

I want to thank the other members of our penetration test team, Mike Petruzzi, Paul Criscuolo, Mark Carey, and Mark Wolfgang. I learn something new from you every day and you make coming to work a pleasure. I also want to thank Bill Eckroade, George Armstrong, Brad Peterson, and Dean Hickman for providing me with the opportunity to do the job I love and an environment that makes it fun in which to do the job.

I would like to thank Andrew Williams from Syngress for providing me the opportunity to write this book. It has been fun working with you, Andrew, and I hope we can continue to do so for a long time.

I want to thank my mom and dad for having computers in the house as far back as I remember. The early exposure ignited my interest in them. Oh yeah, thanks for that whole providing, protecting, and raising me stuff too.
Finally I want to thank my wife, Jennifer, and daughter, Ashley, for giving me the time to write this book. They gave up evenings, weekends, and sometimes entire days so that I could concentrate on getting this book finished. Without their help and understanding, this book never would have made it to press.

Technical Editor and Contributing Author

Russ Rogers (CISSP, CISM, IAM, IEM, HonScD) is author of the popular Hacking a Terror Network (Syngress Publishing, ISBN: 1928994989), co-author on multiple other books including the best-selling Stealing the Network: How to Own a Continent (Syngress, ISBN: 1931836051), Network Security Evaluation Using the NSA IEM (Syngress, ISBN: 1597490350) and Editor in Chief of The Security Journal. Russ is Co-Founder, Chief Executive Officer, and Chief Technology Officer of Security Horizon, a veteran-owned small business based in Colorado Springs, CO. Russ has been involved in information technology since 1980 and has spent the last 15 years working professionally as both an IT and INFOSEC consultant. Russ has worked with the United States Air Force (USAF), National Security Agency (NSA), and the Defense Information Systems Agency (DISA). He is a globally renowned security expert, speaker, and author who has presented at conferences around the world including Amsterdam, Tokyo, Singapore, Sao Paulo, and cities all around the United States. Russ has an Honorary Doctorate of Science in Information Technology from the University of Advancing Technology, a Masters Degree in Computer Systems Management from the University of Maryland, a Bachelor of Science in Computer Information Systems from the University of Maryland, and an Associate Degree in Applied Communications Technology from the Community College of the Air Force.
He is a member of both ISSA and ISACA and co-founded the Global Security Syndicate (gssyndicate.org), the Security Tribe (securitytribe.com), and acts in the role of professor of network security for the University of Advancing Technology (uat.edu).

Russ would like to thank his father for his lifetime of guidance, his kids (Kynda and Brenden) for their understanding, and Michele for her constant support. A great deal of thanks goes to Andrew Williams from Syngress Publishing for the abundant opportunities and trust he gives me. Shouts go out to UAT, Security Tribe, the GSS, the Defcon Groups, and the DC Forums. He’d like to also thank his friends, Chris, Greg, Michele, Ping, Pyr0, and everyone in #dc-forums that he doesn’t have room to list here.

Contributing Authors

Frank Thornton runs his own technology consulting firm, Blackthorn Systems, which specializes in wireless networks. His specialties include wireless network architecture, design, and implementation, as well as network troubleshooting and optimization. An interest in amateur radio helped him bridge the gap between com-