Both of these methods involve setting up a stationary computer with a wireless LAN card and running the Kismet program 24 hours a day. The computer will not be attached to the wireless network; it will simply be in “listen mode.”
Method 1: Listening for NetStumbler signatures
© SANS Institute 2002, Author retains full rights.
Wardriving is an activity that many can participate in at low cost and with minimal technical expertise. Wardrivers simply record the name, location, and security setting of your wireless access point, and the results of this activity point to a large problem of insecure wireless access points. According to Peter Shipley, the inventor of wardriving, “WEP usage is now 33%” (Shipley, p.2). Wireless access points that do not enable any form of wireless protection are plentiful. Not enabling WEP encryption on your wireless access point invites unauthorized and accidental access to your local network. No protection is perfect, but the use of WEP encryption on your wireless access point will deter most unauthorized access attempts.
A recent addition to the Kismet scanning program is the ability to detect nearby wardrivers that are using NetStumbler. A unique behavior of NetStumbler is that it emits a packet of data after it has detected a wireless network. This packet has a signature that can now be identified by Kismet (Kershaw, p.1).
Atwood, Mark, et al. “Lucent Wireless Card.” Version 65. 30 August 2002. URL: http://www.seattlewireless.net/index.cgi/LucentWirelessCard (3 September 2002).
Method 2: Listening for excessive 802.11b probe requests
A less accurate method of detecting wardrivers is to simply listen for an excessive number of 802.11b probe requests. This will not positively identify all wardrivers because even legitimate 802.11b clients emit 802.11b probe requests. In my own tests, I have found that, on average, NetStumbler emits probe packets more frequently than legitimate 802.11b clients. Further, if you know what devices are legitimately using your network, you may deduce that all foreign 802.11b probe requests are from wardrivers and other unauthorized users.
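The rate check described above, written out as an added example (not code from the paper or from Kismet): it counts probe requests per source MAC in a sliding window and separates high-rate sources from sources that are merely unknown. The record format, window length, threshold, and MAC addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed tuning values; the paper gives no numbers. Baseline your own clients first.
WINDOW_SECONDS = 10
MAX_PROBES_PER_WINDOW = 5

def flag_probe_sources(probes, known_clients, window=WINDOW_SECONDS,
                       limit=MAX_PROBES_PER_WINDOW):
    """Classify probe-request sources seen by a listen-only sensor.

    probes: iterable of (timestamp_seconds, source_mac), sorted by time.
    known_clients: MAC addresses of devices that legitimately use the network.
    Returns {mac: reason} for every source worth an analyst's attention.
    """
    known = {m.lower() for m in known_clients}
    recent = defaultdict(deque)   # mac -> timestamps inside the sliding window
    peak = defaultdict(int)       # mac -> highest count seen in any window
    for ts, mac in probes:
        mac = mac.lower()
        q = recent[mac]
        q.append(ts)
        while ts - q[0] >= window:   # drop probes that fell out of the window
            q.popleft()
        peak[mac] = max(peak[mac], len(q))

    findings = {}
    for mac, count in peak.items():
        if count > limit:
            # Rate alone is a hint, not proof: legitimate clients probe too.
            findings[mac] = f"excessive: {count} probes in {window}s"
        elif mac not in known:
            findings[mac] = "foreign: not in known-client list"
    return findings

# Constructed sample data (not captured traffic).
SAMPLE_PROBES = sorted(
    [(t, "00:11:22:33:44:55") for t in range(0, 60, 15)]      # known laptop, slow
    + [(t * 0.5, "02:AA:BB:CC:DD:01") for t in range(40)]     # rapid prober
    + [(30.0, "02:AA:BB:CC:DD:02")]                           # single foreign probe
)
KNOWN = ["00:11:22:33:44:55"]

if __name__ == "__main__":
    for mac, reason in flag_probe_sources(SAMPLE_PROBES, KNOWN).items():
        print(mac, reason)
```

A known client that exceeds the threshold is still reported, which helps when choosing a limit that fits your own environment.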
blackwave. “kismet->wi-scan converters posted here.” 29 July 2002. URL: http://www.kismetwireless.net/Forum/General/Messages/1027904934.958515 (3 September 2002).
© SANS Institute 2002, as part of the Information Security Reading Room. Author retains full rights.