Results 1 to 10 of 10

Thread: a tip for the windows wardrivers out there

  1. #1

    a tip for the windows wardrivers out there

    I have a little story for you, covering both a bit of advice and security at the same time. However, this isn't Access Point side security, it's the security you have as a wardriver

    As a greyhat, I wardrive for the fun of locating what exists within cities and streets and to protect my city against blackhats and scripties. Sometimes actively scanning in windows, sometimes passively scanning in Linux. One I find an unencrypted (and thus unprotected) WAP, I pinpoint the location of the AP and thus the store/homeowner/company that is running it. My contact with them is brief, as I just notify the CEO/head of household that their network to the outside world is wide open. After handing them a summary of how to secure a WAP and who they should send this memo to in their company, I leave.

    This way their network is secured, and it's one less WAP that idiots can use against the company. Greyhat == "lord of the ring" type rangers of the internet. Nothing illegal preformed.

    I told you that to tell you this, so bare with me. There are some things you never want to access, or test. Even if you come across them, there are some things that are just better left alone. This also applies for unintentional access. Allow me to explain. You see, in Windows you have the unfortunate problem of the wireless card autoapplying the TCP/IP and dhcp settings to automagically attempt connection to the closest WAP it can find. This is bad, as you don't want to try (not even in a sense of password usage, but just the beginning handshake with the WAP) to connect to a WAP that you do not have legal access to. I relearned this the hard way.

    While scanning a main street in my city, I came across the local police station. As always, their wireless network remains unencrypted (I know they know better, so I assume it may be a honeypot, but none the less) and thus instally throws a redflag on netstumbler. No big deal, I've documented them before. But wait... what's this? I see the wireless icon in my systray start moving. It's attempting to connect... to what? Low and behold, windows was trying ruthlessly to get a connection to the police-station's WAP. Not in a brute-force sense, but requesting an IP from it over and over again. Whoops :X I quickly shut off my NIC, renamed the network name for my laptop, and sped off. Scared shitless that their admin may have caught my consistant broadcasts to connect to them that may have been going on for a minute or two. You see, I had done a reformat just yesterday, and had forgot to turn off TCP/IP on the wireless card settings while wardriving.

    Moral of the story: While wardriving in windows, unbind TCP/IP from your NIC until you plan to actually connect. That's the ONLY time you need it, as it's unnessessary for just the detecton of networks. Not only could this raise an eye or two, but could be viewed as highly illegal due to how Windows demands over and over WAP access. To disable TCP/IP on your nic card, go into your control panel and into network connections. Right click on your wireless nic connection and choose properties. Once in properties, uncheck the TCP/IP box, and apply/ok it. There, you are now set to wardrive without the worry of windows banging on everyone's door.

    Have fun, be safe, and try your best to keep this in mind when heading out to wardrive.

  2. #2
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    *ironical grin*
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  3. #3
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    There's nothing illegal about connecting to an unsecured wireless network, police station or not:

    The ECPA (Electronic Communications Privacy Act, United States Code Title 18, Part I Sections 2510-2521, 2701-2711, 3121-3127) rules that it is not unlawful to
    intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public.
    And that's exactly what the case was in your umm... case. This part of the ECPA talks about unlicensed bands/frequencies, which is exactly what wireless networks are.

    If someone less knowledgeable than you would be living next to that police station, and that person would have a wireless network installed, his wireless client may instead connect to the police station's network. The ECPA is there exactly to protect people like that: the police station's signals are "readily accessible", and there is no way for someone not knowledgeable to even prevent his client from accessing the police network - the person probably wouldn't even know.

  4. #4
    What in the... Why?

    edit: Seems theentropy deleted his post about wanting me to crash in the car and die next time. So disregard the above.

    Negative, thanks for the insight on that Was not aware that Access Points that were improperly configured to allow full outside access could be viewed as legal. Does it cover just the ignorance of the user accidentally connecting, or also the one who knows it shouldn't be open?

  5. #5
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Edit after seeing your edit: disregard this I thought it was directed at my post...

    Heh... here's another way to look at it:

    Laws aren't just invented to punish - they're also invented to protect people.

    Wireless networks operate on frequencies that are not licensed (unlike for example radio stations operating on licensed frequencies). Just like microwave ovens and wireless phones (both using those same unlicensed frequencies), you don't need a license to own/operate a wireless network.

    In the case of radio stations (licensed), it is illegal to in any way interfere/tamper with/whatever with their broadcasts. But it's not illegal to "intercept" the signal (otherwise, nobody would be able to listen to radio stations legally). In the case of wireless networks, it's not illegal to intercept the signals either - as long as they're not protected. In a standard Windows configuration, Windows will pick up whatever signal is the strongest (or rather: it will pick up all signals, but connect to the strongest one). And that's where the "protection" part of the law comes in: if I would be an unknowing user, my Windows box could possibly connect to the police station's network (if their signal would be stronger than mine) - I probably wouldn't even notice. Law makers have decided that it would be unfair to punish that - and they're right, I would think.

    The only "punishment" they've built in is by making the distinction between "intentionally" and "unintentionally" connecting to that network. The unintentional connection to an unsecured network is protected (you are protected from being punished for that) - the intentional connection to an unsecured network otoh is punishable.
    It all changes when the network is protected: you are punishable for connecting to it whether you do it intentionally or not - there is no way (exeptions excluded ) that your Windows box would connect to a secured wireless network without you explicitly ordering it to - it's almost always considered intentional...

    Make sense?

    Edit: so the "protection" only covers unintentional connection - if you know what you're doing, you might still end up in jail...

  6. #6
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    Thanks for the clarification here, Neg. I always was kinda wondering if the 3-way handshake was allowable or not. Now I know.
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  7. #7
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Better safe than sorry.

    "Timmins, who works as a network engineer, and his then-roommate Adam Botbyl, now 21, initially stumbled across the unsecured wireless network at the Southfield, Michigan Lowe's in the spring of 2003, while driving around with laptop computers looking for wireless networks - the geek sport of "wardriving".

    Timmins immediately used the network to check his email, not knowing that it wasn't intended for public access, he claimed in an a telephone interview with SecurityFocus on Thursday. Then when he tried to surf the Web, and found himself connected to a Lowe's corporate portal instead, he realized it was a private corporate network, and he disconnected"

    Cyberlaw lawyer Jennifer Granick, director of Stanford Law School's Center for Internet and Society, agrees with the government that Timmins' is likely the first wardriving conviction. But she isn't convinced that he actually committed a crime.

    "Using an open wireless access point isn't the same thing as using a computer illegally," says Granick. "Convictions for this type of thing are possible where it's part of a larger criminal case, but it shouldn't happen in the absence of some other criminal purpose, like stealing credit cards, or knowledge that the network is closed. Wardriving isn't criminal."

    "All he did was check his email and try to browse the Internet," said Botbyl. "That's the only connectivity he had with their network. He didn't do anything at all... I think the only reason they charged him is because they arrested him."

    http://www.theregister.co.uk/2004/08...rivers_guilty/


    -Maestr0
    \"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software.\" -Jaron Lanier

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    Timmins immediately used the network to check his email, not knowing that it wasn't intended for public access,
    And he's supposed to be a network engineer. Holy f***. More like he didn't think it belonged to someone who would notice or catch him.
    \"You got a mouth like an outboard motor..all the time putt putt putt\" - Foghorn Leghorn

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    According to the local stories, (I live just up the street), they did a lot more than check email.... The stories state that they were messing around in the Lowes system and that the type of activity would be considered criminal and had done it over several connection periods, (I forget exactly what they had been thought to be doing).

    Now, if Lowes finds itself in the position of not being to produce logs or any other evidence of what these two did or that these were the same two that had made previous connections where criminal activity took place, (I'm led to believe that might be the case since these two seem to be making a case that they did nothing but collect email), then I have no sympathy whatsoever for Lowes. Lowes counts it's worth in terms of Billions and has significant assets to protect - even if it is only my CC number - Yet they managed to implement a completely open WAP???? I work for a non-profit and we have NO cash but i would be able to show the LEO's when, where and how the criminal activity came from..... It's all in the logfiles and my logging system is all open source.... How hard is that.....

    Lowe's, if you are reading this I will accept employment as your Computer Security Officer.... Salary is negotiable though far from "cheap".... But you won't be walking into a courtroom with no evidence....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    I think the other key item that could be used against the kid who only checked email was 'use of service'. Lowe's doesn't pay for bandwidth for other people to use. Did they fail to protect themselves? Certainly. But do we all realize the case laws behind those Security Warnings we all get popped with when we log on to corporate systems? "This system is solely intended for the use of Acme Corporation employees blah blah no expectation of privacy blah blah approved acceptable use only." By the letter of the law/policy, you could possibly lose your job just for posting on AO from work, if it's prohibited, for improper use of company resources. No wonder people want to string up all the lawyers.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •