Wardriving - Getting Rolling with Common Wi-Fi Hacks - Hacking Wireless Networks (2015)

Hacking Wireless Networks (2015)

Part II: Getting Rolling with Common Wi-Fi Hacks

Chapter 9: Wardriving

In This Chapter

▶ Installing and configuring Network Stumbler

▶ Running NetStumbler

▶ Interpreting the results

▶ Mapping and viewing the results

When most people think of wireless security (or the lack of it), they think of someone driving around their neighborhood discovering their access point and trying to connect. This is a striking image: A nerd in a car by himself with his beloved laptop and some arcane software. It’s an activity called wardriving, and though it seems hostile at first blush, the reality is actually a lot more diverse. In effect, wardriving is an educational opportunity for everyone — especially for ethical hackers. Peter, for example, actually goes wardriving with his teenage daughter. After all, the family that drives together, strives together.

In this chapter, we take our first look at wardriving. To understand this genre of software, we will look at Network Stumbler (a.k.a. NetStumbler). We’ll also see how to map the results of your work. In Chapter 10, we discuss other examples of wardriving software, such as Kismet and Wellenreiter.

Introducing Wardriving

The term wardriving is derived from the phrase war dialing. But it really doesn’t involve guns or offensive weapons of any kind. Wardriving is just the term coined for wireless network discovery. Nothing more or less. In Chapter 4, we outlined the tools you need for your wardrive, but all you need to wardrive is some software and a wireless network interface card or adapter. If you really want to get into it, you can add an external antenna to enhance the signal strength of any access points that you find. This enables you to detect these access points at a greater distance than when you were only using the built-in antenna of your wireless NIC alone. You could also add a global positioning system (GPS) to map the latitude and longitude of the networks you find.

15_597302_ch09.qxd 8/4/05 7:03 PM Page 132


Driving a car and watching your computer is a dangerous activity. It may even be illegal. So when you go wardriving, please take someone with you so you can concentrate on the road. We don’t want you ending up as “warkill.”

Network Stumbler is the application for wardrivers who favor the Windows platform. It runs on Windows 3.9 x, Me, 2000, and XP. NetStumbler uses the active scanning method to discover access points; and when it’s equipped with a GPS unit, it records the latitude and longitude of any discovered access points. You can later graph the recordings with mapping software.

NetStumbler uses the active scanning method described by the IEEE 802.11 specification to discover wireless networks. It sends multiple probe requests, and records probe responses. You may wonder why this would work, but when you think about it, it makes perfect sense. The developers of this standard made the active scanning option available so clients with multiple unique networks could find all of their available networks.

Once an access point receives a probe request, it typically responds with a probe-response management frame containing the network BSSID and the WLAN SSID. Some access points can “cloak” their SSID by responding to probe requests with only a single space for the SSID, forcing users to have prior knowledge of the network SSID before joining the networks. NetStumbler cannot report access points that cloak their SSID. You’ll need to skip to Chapter 10 and read about Kismet in that case.
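The probe response described above can be taken apart field by field. The following Python is an added example, not code from the book or from NetStumbler: it builds a constructed probe-response frame (no radiotap header or FCS) and parses out the BSSID, SSID, channel and capability flags. The addresses, function names and sample values are assumptions made for illustration, and the cloaking check goes slightly beyond the single-space case by also treating an empty or NUL-filled SSID as cloaked.

```python
import struct

PROBE_RESPONSE = 0x50  # frame-control byte 0: management frame, subtype 5


def _mac(text):
    """Convert AA:BB:CC:DD:EE:FF into six raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def build_probe_response(bssid, ssid, channel, capability):
    """Build a constructed probe response (no radiotap header, no FCS)."""
    client = "02:00:00:00:00:99"  # constructed station address
    header = (struct.pack("<BBH", PROBE_RESPONSE, 0, 0)   # frame control, duration
              + _mac(client) + _mac(bssid) + _mac(bssid)  # DA, SA, BSSID
              + struct.pack("<H", 0))                     # sequence control
    fixed = struct.pack("<QHH", 0, 100, capability)       # timestamp, interval, flags
    tags = bytes([0, len(ssid)]) + ssid + bytes([3, 1, channel])
    return header + fixed + tags


def parse_probe_response(frame):
    """Return the fields a stumbler records from one probe response."""
    if len(frame) < 36:
        raise ValueError("too short for a probe response")
    if frame[0] != PROBE_RESPONSE:
        raise ValueError("not a probe response frame")
    bssid = ":".join("%02X" % b for b in frame[16:22])    # address 3
    _timestamp, interval, capability = struct.unpack_from("<QHH", frame, 24)
    ssid, channel, pos = None, None, 36
    while pos + 2 <= len(frame):                 # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        data = frame[pos + 2:pos + 2 + length]
        if len(data) != length:
            raise ValueError("truncated information element")
        if tag == 0 and ssid is None:            # element 0: SSID
            ssid = data
        elif tag == 3 and length == 1:           # element 3: DS parameter set
            channel = data[0]
        pos += 2 + length
    # Cloaked: a single space (as described above), an empty SSID, or NULs.
    cloaked = ssid is None or ssid.strip(b" \x00") == b""
    return {
        "bssid": bssid,
        "ssid": "" if ssid is None else ssid.decode("utf-8", "replace"),
        "channel": channel,
        "flags": "%04X" % capability,            # same form as the Flags column
        "beacon_interval": interval,
        "cloaked": cloaked,
    }


if __name__ == "__main__":
    for name in (b"office", b" "):               # normal and cloaked SSID
        frame = build_probe_response("02:00:00:00:00:01", name, 6, 0x0031)
        print(parse_probe_response(frame))
```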

When NetStumbler locates a network, it records the following information:

✓ The signal, noise, and signal-to-noise ratio (SNR) of the discovery: This simplistically can indicate how close you are to the device.

✓ The operating channel: In North America, this is a number between 1 and 11.

✓ Basic SSID (BSSID): This is actually the MAC address of the access point.

✓ Service Set Identifier (SSID): The SSID is a 32-character unique identifier for the network, embedded in the header of frames sent over a WLAN.

✓ The access point’s “nickname”: This is the access point’s name.

NetStumbler also has a very useful way of graphing the signal strength of the received APs and other Wi-Fi clients in your surrounding area. This signal strength meter may be used with a directional antenna (such as a cantenna) to help figure out the location of the signal.

We know you want to get started. So let’s go.


Installing and Running NetStumbler

Installing NetStumbler is easy. Go to www.netstumbler.com/downloads/ and download it. Run the self-installer and you will have the usual Windows installation-wizard experience. When prompted, select to install all options. You can always delete the shortcut or move things later. If you want to view the files you’ve installed and their locations, you can do so by clicking the Show details button. You may want to read the README file before you start using NetStumbler.

Running NetStumbler is as easy. Either double-click the Network Stumbler icon on the desktop or choose Network Stumbler under All Programs from the Start menu. Then you see the NetStumbler 0.4.0 splash screen, which shows the adapter, driver information, and MAC address. When NetStumbler starts, it needs no prompting: It immediately attempts to open a new document, locate a wireless adapter and a GPS, and start scanning. NetStumbler starts to capture data in a file labeled YYYYMMDDHHMMSS.ns1, which is based on the date and time of the capture.

Figure 9-1 gives you an example of what you see when you start NetStumbler.

Figure 9-1: Network Stumbler window. (Callouts: Active access points; Status information.)

Setting Up NetStumbler

After NetStumbler starts, you may want to set the options to maximize your wardriving experience.

Figure 9-1 shows data from an actual wardriving session, shot after the session. Looking at the window, you can see a left and a right pane. The status bar beneath the panes provides some valuable information. The message in the middle of the status bar tells you how many access points are active. To the right of that is the status information. You can find descriptions of the possible status messages in Table 9-1. The last piece of information on the far right tells you how many networks NetStumbler found. In our case, it found 461. The number before the slash tells you how many networks meet the criteria or filter that you selected from the left pane. If you are looking at the main screen and not filtering anything, then the first and second number are the same. Anytime you select anything from the left-hand pane, the first number will change. For example, when I select the Encryption Off under Filters, the number is 253 of 461, or about 55 percent of my neighbor’s networks don’t use encryption. (You can get a closer look at the two panes later in the chapter, after we talk about the setup options.)

Table 9-1: Status Messages

Message | Description

Card not present | Wi-Fi card not detected. Make sure you have installed a wireless NIC.

A device attached to the system is not functioning | Problem working with the Wi-Fi card. Switch interface mode on the device menu.

Not scanning | Scanning is not enabled. Click the arrow or start from the File menu.

No APs active | Wi-Fi card is working, but not detecting any networks at the time.

x APs active | Wi-Fi card is working and detecting x number of networks.

GPS: Acquiring | NetStumbler is receiving a message from the GPS.

GPS: Disabled | The GPS is disabled. Start it to record network coordinates.

GPS: Disconnected | The GPS was working but stopped. Check the GPS power.

GPS: Listening | NetStumbler is attempting to make a connection to the GPS.

GPS: No position fix | The GPS is working but cannot find a signal. Move the GPS or your laptop.

GPS: Port unavailable | The communication port is locked by another program, such as Streets & Trips. Close the other program and try again.

GPS: Timed out | A connection could not be made to the GPS. Try a different port or turn the GPS on.

GPS: N:x W:y | Indicates your GPS is working, and these are your coordinates.

x/y | Currently displaying the x AP in the list of y APs.

You’ll also see that there are the usual Windows drop-down menus, such as File and Edit. There also are some icons that we will discuss shortly. The logical place to start is with the menus. Under the File menu, you see New, Open, Close, and Save As. These features work similarly to those in any other Windows-based program. There is a Merge feature that allows you to merge a previous scan with the current one. This allows you to merge all your scans into one scan.

Another option on the File menu is Export. We cover exporting files in Summary, Text, or Wi-Scan format later in the chapter. You can use File➪Enable to start the scan when you previously disabled it. (If Enable is not checked, then it is not enabled.) Alternatively, you can use Ctrl+B to enable a scan.

There are many choices under the View menu. First, you can decide whether you want to display the Toolbar at the top of the window or the Status Bar at the bottom of it. You use the Split option to size the two panes. Of course, you can select the bar running between the two panes and drag it either left or right. Select either Large Icons or Small Icons depending on your eyesight. Similarly, select either List or Details to change the amount of information displayed in the right pane. Zoom In/Zoom Out is sometimes grayed out, but you can use it with the Signal/Noise view to zoom in or out. Should you wish, you can use the Arrange Icons to view the icons By Name or let the program do it when you select Auto Arrange. Also, you can use the Line up Icons option to line up the icons in the right pane in List view. You can save the defaults by selecting Save Defaults. Network Stumbler displays information using the 8-point MS Sans Serif regular font style. Don’t like this font? Then change it by selecting Font. The last selection under View is Options, which we detail later in the chapter.

Use the Device menu to select the device when you have more than one to use for scanning. In Figure 9-2 you can see the drop-down menu with multiple devices to select for your scan.

Figure 9-2: Network Stumbler devices.

The Window menu allows you to adjust the window panes. And the Help menu offers the usual help information. (You may find older versions of NetStumbler that had no help information.)

Next, set up the options: Select Options from the View menu and you should see a dialog box like that shown in Figure 9-3.

Figure 9-3: Network Stumbler general options.

The next subsections take a look at the tabs, starting with the General tab, which is shown on top when you select Options.


Selecting General options

For scan speed, there’s a sliding scale from Slow to Fast on the left side of the General tab. Use the information in Table 9-2 as a rule of thumb for setting this parameter for your stumbling.

Table 9-2: Scan Speed Settings

Setting | Interval | Description

Slow | 1.50 seconds | For walking

- | 1.25 seconds | For fast walking, jogging, and inline skating in a crowd

Midpoint | 1.00 seconds | For inline skating and biking

- | 0.75 seconds | For low-speed driving up to 25 mph (about 40 km/h)

Fast | 0.50 seconds | For driving above 25 mph (about 40 km/h)

Table 9-3 describes the remaining parameters for the dialog box.

Table 9-3: General Scan Options

Option | Description

Auto adjust using GPS | Use this parameter to use your GPS positioning to determine the scan speed. It automatically adjusts the scan speed to the GPS velocity measurement. As your GPS reports speeds to NetStumbler, the timer frequency is set in the range of 2 to 6 times per second.

New document starts scanning | Use this parameter to force a new scan when you open a new document.

Reconfigure card automatically | Use this parameter to allow NetStumbler to reconfigure your wireless card using a null SSID and BSS mode. If you use this mode, then you may end up disassociated from an access point.

Query APs for names | Use this parameter to ask the device whether it supports names so NetStumbler can record the names.

Save files automatically | Use this parameter to save the current scan file automatically — every 5 minutes and when you close NetStumbler.

Those are the General options. Click the Display tab to see further options.


Selecting Display options

The Display options are really the Display option, since there is only one — the angle format. What you see in Figure 9-4 is a drop-down list controlling the GPS latitude-and-longitude format. The default value is degrees and minutes to the one-thousandth — in the format D°MM.MMM. The other options follow:

✓ Degrees to the ten-thousandth, in the format D.DDDD°

✓ Degrees to the hundred-thousandth, in the format D.DDDDD°

✓ Degrees and minutes, and ten-thousandths of a minute, in the format D°MM.MMMM

✓ Degrees, minutes, and seconds, in the format D°M'S"

✓ Degrees, minutes, seconds, and hundredths of a second in the format D°M'S.SS"

Figure 9-4: Display options.

You’ll probably want to leave the default alone unless you have a compelling reason to change it (this assumes you understand why you may want to change it).

Selecting GPS options

Click the GPS tab and you should see a dialog box like the one in Figure 9-5.

Figure 9-5: GPS options.

Table 9-4 lists the parameters, describes them, and provides the options or settings you may choose.

Table 9-4: GPS Options

Option | Description | Settings

Protocol | Format of the GPS data | NMEA 0183, Earthmate, Garmin Binary, Garmin Text, or Tripmate

Bits per second | Transfer rate from the GPS | 110 to 256000

Data bits | Number of bits used for data | 5 to 8

Parity | Parity bits | Mark, One, Odd, or Space

Port | Communication port for the GPS | Disabled or COM1 to COM16

Stop bits | Number of bits used for communication | 1, 1.5, or 2

Flow control | Handshaking protocol | None, Hardware, or Xon/Xoff

The NMEA standard sends a signal to NetStumbler every 2 seconds, whereas the Garmin standard sends it once per second.

Check the manual that comes with your GPS; it should tell you the settings you need.

Selecting Scripting options

NetStumbler lets you modify its operation through the use of scripts. You may choose to use common scripting languages such as PerlScript, Python, VBScript, Jscript, Windows Script Components, Windows Script Host, and Windows Script Runtime version. After you write your script, install it on the same system as Network Stumbler and then make it known by clicking the Scripting tab of the Network Stumbler Options dialog box. Do so and you should see the options shown in Figure 9-6.

Select the Type, File name, scripting Language, and Status of the script. Then when NetStumbler starts, it will execute the script. You can find a scripting guide at www.stumbler.net/scripting.html. Also, you might want to check out the Scripts Forum at http://forums.netstumbler.com/forumdisplay.php?s=&forumid=24

Figure 9-6: Scripting options.

Others have authored scripts and made them available through the Forum. For example, you can find a script to export NetStumbler output to Streets & Trips.

Selecting MIDI options

The final tab is for the MIDI or Musical Instrument Digital Interface settings. The MIDI standard is supported by most synthesizers. MIDI would allow NetStumbler to play music when events happen instead of the existing sounds. You could use this feature to modulate the sound as the signal gains or loses strength. Figure 9-7 shows the MIDI options.

Figure 9-7: MIDI options.

First tick the Enable MIDI output of SNR box. Then you can change the MIDI Channel, Patch, and Transpose parameters. Check the manual that comes with your MIDI device for the correct settings for these parameters.

To change the existing sounds, you can also use your WAV files: Just rename them to the names used by Network Stumbler and move them to the Network Stumbler folder on your system.

Navigating the toolbar

Looking again at Figure 9-1, you can see some icons on the toolbar below the menu bar. Figure 9-8 shows you the icons from the toolbar.

Figure 9-8: Toolbar icons. (Callouts include New document, Open, Save, Enable/Disable Scanning, Configure Wireless Adapter, Options, List of Networks, List, Columns, Details View, Zoom In, Zoom Out, and About Information.)

The New (document icon), Open (folder icon), and Save (diskette icon) buttons are visible. You can use the green-arrow icon to enable or disable scanning. It works the same as selecting File➪Enable. The gear icon automatically configures the wireless adapter. The hand-holding-the-menu icon opens the Options dialog box we talked about above. The two-underlined-documents icon enlarges the icon for the network shown in the right pane. It will also put them in columns as a list rather than one after another. The icon consisting of three small, underlined documents gives you smaller icons in columnar format. The six smaller underlined documents provide a list of the networks. The spreadsheet icon reverts the right-hand pane back to details view. You will find that the zoom in and out buttons are grayed out. The question mark provides About information. Click the X to close the About window should you open it.

If you need to change some of the options, you should do so now before we look at the results of our scan.

Interpreting the Results

NetStumbler provides a wealth of information, but it’s just nonsense when you don’t know how to interpret the data. So, okay, the first step in interpretation is to look back at Figure 9-1 and notice the two panes: The left pane is a familiar tree structure with three levels: Channels, SSIDs, and Filters; the right pane lists all detected networks. Table 9-5 lists the columns in the right pane and describes their usage.

Table 9-5: Right-Pane Column Headings and Descriptions

Column | Description

Circle Icon | You will notice a small circular or disk icon in the first column. When the icon has a padlock inside it, the access point uses encryption. Also, the icon changes color to denote signal strength. The color of the icon is one of the following: Grey (no signal), Red (poor signal), Orange (fair signal), Yellow (good signal), Light green (very good signal), Bright green (best signal).

MAC | 48-bit Media Access Code (MAC) address of the access point.

SSID | Network name or Service Set Identifier.

Name | The access point’s name. This is an optional field, so frequently this field is blank. NetStumbler only detects the name of APs that use the ORiNOCO or Cisco naming standards.

Chan | Channel number the network is using. In North America, this number is between 1 and 11, though the standard specifies 1 through 14. An asterisk (*) following the channel number means NetStumbler is currently associated with the access point. When you see a plus sign (+), it means NetStumbler recently associated with the access point on the channel. When there is no character, it means NetStumbler located an access point but did not associate.

Speed | A misnomer for network capacity in Mbps (megabits per second). You will see either 11 (802.11 or 802.11b) or 54 Mbps (802.11a or 802.11g).

Vendor | Equipment manufacturer’s name or other brand identifier.

Type | Network type, either AP or Peer. AP denotes an Infrastructure, Basic Service Set (BSS), or ESS (Extended Service Set) network. Peer denotes an Independent Basic Service Set (IBSS), Peer-to-Peer, or Ad-Hoc network.

Encryption | When the traffic is not transmitted in cleartext, you will see WEP in this column. NetStumbler cannot discern the type of encryption, but rather reports that WEP is on when the Flag is set to 0010 (the Privacy Flag).

SNR | The current Signal-to-Noise ratio, measured in microwatt decibels (dBm).

Signal+ | The maximum RF signal seen.

Noise- | The minimum RF noise (the unusable part of a signal), shown in dBm.

SNR+ | The maximum RF SNR in dBm.

IP Addr | The reported IP address of the device.

Subnet | The reported subnet.

Latitude | The latitude reported by the GPS when NetStumbler detects the network.

Longitude | The longitude reported by the GPS when NetStumbler detects the network.

First Seen | The time (based on the system’s clock) when NetStumbler first detects the network, shown in hours, minutes, and seconds.

Last Seen | The time (based on the system’s clock) when NetStumbler last detects the network, shown in hours, minutes, and seconds.

Signal | The current RF signal level, in dBm. You will see a value only when you are within range of a network.

Noise | The current RF noise level, in dBm. You will see a value only when you are within range of a network.

Flags | Flags from the network, in hexadecimal. Table 9-6 shows various values for the flags.

Beacon Interval | The interval of the beacon broadcast, measured in milliseconds.

Distance | The distance between where you currently are and the location when the best SNR was found. The default value is 100 ms, but you may see other values.


The first 24 bits (or 3 bytes) of the MAC or hardware address represent the manufacturer. The IEEE assigns these values, called Organizationally Unique Identifiers (OUI). You can find out an OUI for a manufacturer at http://standards.ieee.org/regauth/oui/index.shtml

The displayed latitude-and-longitude values are actually your coordinates when you discover the network, not the actual coordinates of the network itself.

Table 9-6: NetStumbler Flags

Flag | Description

0001 | BSS, ESS, or infrastructure mode.

0002 | Peer-to-peer, IBSS, or ad-hoc mode. This is the inverse of the BSS mode.

0004 | Connection Free (CF) polling for Request-To-Send/Clear-To-Send.

0008 | Contention Free (CF) CF-Poll Request, used by the CF-Pollable protocol.

0010 | Encryption is enabled.

0011 | Infrastructure mode with encryption.

0020 | WLAN uses the Short Preamble to improve the efficiency of some real-time applications such as streaming video or Voice over IP (VoIP).

0031 | Infrastructure mode with encryption, using Short Preambles.

0040 | WLAN uses Packet Binary Convolutional Code (PBCC). This indicates that the access point uses Texas Instruments’ 22 Mbps version of 802.11b sometimes called 802.11b+.

0051 | Infrastructure mode with encryption, using PBCC.

0080 | Channel agility, which allows the network to switch channels automatically when there is interference.

0400 | Short Time Slot.

2000 | Direct Sequence Spread Spectrum (DSSS).

4000 | Orthogonal Frequency-Division Multiplexing (OFDM).

DB00 | Reserved for future use.


In the right pane, you can right-click a MAC address, and the Look Up options will show in a popup menu. If you can find an active network with an IP address or subnet value, this feature works; otherwise it won’t. The Look Up options include a Look Up for ARIN (American Registry for Internet Numbers), RIPE (Réseaux Internet Protocol Européens), and APNIC (Asian Pacific Network Information Centre). Just select one of these to do a whois query on the address.

You can use the left pane to winnow down the data by channel, SSID, or the built-in filters. Clicking Channels aggregates the networks by channel numbers as shown in Figure 9-9. If you select channel 1, you can see that it displays the status of 35/461. Translation: Of the 461 networks, 35 used channel 1.

Similarly, we can click the + sign beside SSIDs and open it up to filter by network name. You can scroll the list. In Figure 9-10, we have highlighted SSID 101, the 3Com default. This shows us that 2 of the 461 networks use this SSID.

Figure 9-9: Channel display.

Figure 9-10: SSID display.

The last level in the left pane is Filters. If you look at Figure 9-11, you will see these nine built-in filters:

✓ Encryption Off: Shows only devices with WEP encryption disabled.

✓ Encryption On: Shows only devices with WEP encryption enabled.

✓ ESS (AP): Shows only devices in infrastructure mode.

✓ IBSS (Peer): Shows only devices in ad-hoc mode.

✓ CF Pollable: Shows only devices that are contention-free pollable.

✓ Short Preamble: Shows only devices with the Short Preamble enabled.

✓ PBCC: Shows only devices with PBCC enabled.

✓ Short Slot Time (11g): Shows only devices with a short slot time.

✓ Default SSID: Shows devices that are using the default SSID from the manufacturer.

If you don’t know what these filters mean, then we recommend you get yourself a good introductory book on wireless networks. Peter recommends Wireless Networks For Dummies (Wiley).
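The Flags column and the built-in filters are two views of the same bit field, which the following added Python example makes concrete. It is not code from the book or from NetStumbler: it decodes a Flags value using the bit meanings in Table 9-6 and recomputes the x/y filter counts for a set of survey records, for instance when reviewing networks you are responsible for. The record layout (mac, ssid, flags), the sample rows and all function names are constructed for illustration.

```python
# Bit values and meanings as listed in Table 9-6 of this chapter.
FLAG_BITS = {
    0x0001: "ESS (infrastructure)",
    0x0002: "IBSS (ad-hoc)",
    0x0004: "CF pollable",
    0x0008: "CF-Poll request",
    0x0010: "encryption on",
    0x0020: "short preamble",
    0x0040: "PBCC",
    0x0080: "channel agility",
    0x0400: "short slot time",
    0x2000: "DSSS",
    0x4000: "OFDM",
}
KNOWN_MASK = sum(FLAG_BITS)      # the listed bits are distinct, so sum == OR
DEFAULT_SSIDS = {"101"}          # the only default SSID this chapter names

# Built-in filter name -> flag bit it tests. Encryption Off and Default SSID
# are handled separately because they are not a single set bit.
FILTER_BITS = {
    "Encryption On": 0x0010,
    "ESS (AP)": 0x0001,
    "IBSS (Peer)": 0x0002,
    "CF Pollable": 0x0004,
    "Short Preamble": 0x0020,
    "PBCC": 0x0040,
    "Short Slot Time (11g)": 0x0400,
}

# Constructed sample records (hypothetical layout, made-up addresses).
SAMPLE = [
    {"mac": "02:00:00:00:00:01", "ssid": "101", "flags": "0001"},
    {"mac": "02:00:00:00:00:02", "ssid": "office", "flags": "0031"},
    {"mac": "02:00:00:00:00:03", "ssid": "adhoc-test", "flags": "0002"},
    {"mac": "02:00:00:00:00:04", "ssid": "lab", "flags": "0051"},
    {"mac": "02:00:00:00:00:05", "ssid": "guest", "flags": "0421"},
]


def parse_flags(flags_hex):
    """Convert the hexadecimal Flags text to an integer, rejecting bad input."""
    value = int(flags_hex, 16)               # ValueError on non-hex text
    if not 0 <= value <= 0xFFFF:
        raise ValueError("flags must fit in 16 bits: %r" % flags_hex)
    return value


def decode_flags(flags_hex):
    """Return (names of the set bits, bits set but not listed in Table 9-6)."""
    value = parse_flags(flags_hex)
    names = [name for bit, name in sorted(FLAG_BITS.items()) if value & bit]
    return names, value & ~KNOWN_MASK & 0xFFFF


def oui(mac):
    """First 24 bits (3 bytes) of a MAC address, normalised to AA:BB:CC."""
    digits = mac.replace(":", "").replace("-", "").upper()
    if len(digits) != 12 or any(c not in "0123456789ABCDEF" for c in digits):
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))


def filter_counts(records):
    """Count records per built-in filter, like the x in the x/y status."""
    counts = {name: 0 for name in FILTER_BITS}
    counts["Encryption Off"] = 0
    counts["Default SSID"] = 0
    for rec in records:
        value = parse_flags(rec["flags"])
        for name, bit in FILTER_BITS.items():
            if value & bit:
                counts[name] += 1
        if not value & 0x0010:
            counts["Encryption Off"] += 1
        if rec["ssid"] in DEFAULT_SSIDS:
            counts["Default SSID"] += 1
    return counts


def audit(records):
    """List (mac, OUI, items to review) for records that need follow-up."""
    findings = []
    for rec in records:
        items = []
        if not parse_flags(rec["flags"]) & 0x0010:
            items.append("no encryption")
        if rec["ssid"] in DEFAULT_SSIDS:
            items.append("default SSID")
        if items:
            findings.append((rec["mac"], oui(rec["mac"]), items))
    return findings


if __name__ == "__main__":
    total = len(SAMPLE)
    for name, count in sorted(filter_counts(SAMPLE).items()):
        print("%-22s %d/%d" % (name, count, total))
    for finding in audit(SAMPLE):
        print(finding)
```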


Figure 9-11 shows the results sorted by the Encryption Off filter. In the figure, you can see that 253 of 461 networks have no encryption.

One last thing: Select Channel and then open one of the channels. Highlight a MAC address and you see a graphic representation of the Signal-to-Noise Ratio, as shown in Figure 9-12. The display shows red and green bars. The upper (or green) portion shows the RF signal above the noise, while the lower or red portion shows the noise level. Also, the decibels show as a negative number, measuring the power relative to one milliWatt (mW). You cannot see the purple line in the figure, but it’s there — it indicates that the signal was momentarily lost because you moved out of range or something blocked the signal.

You can merge different NetStumbler files by choosing File➪Merge and selecting the file(s) you want to merge with the current one. This way you can keep all your files together.

So there you have how to set up and use Network Stumbler. Now you can look at and study the information provided — but that’s a lot easier to view when you plot the data on a map. As they say, “A picture is worth a thousand words.”

Figure 9-11: Filters display.

Figure 9-12: Signal-to-Noise Ratio (SNR) display.

Mapping Your Stumbling

So you finished your wardrive and you want to plot your data. Well, first you have to export it. This is as easy as selecting one of three options:

✓ File➪Export➪Summary: The Summary format exports the data in a tab-delimited format similar to that of the Network Stumbler graphical display. Choose Summary when you want to map the data in Microsoft’s MapPoint and Streets & Trips.

✓ File➪Export➪Text: The Text format exports the same information but gives all readings for a particular network. Different signal strength readings create separate records. You might use this format to export the data to MySQL or Excel to do further analysis.

✓ File➪Export➪wi-scan: The Wi-Scan format exports the multiple readings for each network but with fewer columns. You can use the wi-scan format with Pete Shipley’s Wi-Scan utility found at www.michiganwireless.org/tools/wi-scan/

Regardless of the format you choose, ensure that you append .txt to the filename. NetStumbler will not do it for you.

To use a map, you’ll want to export the data using the Summary format. There are several ways to look at the data. In the following sections, we’ll look at it using three different applications:

✓ StumbVerter and MapPoint

✓ Microsoft Streets & Trips

✓ DiGLE

Using StumbVerter and MapPoint

StumbVerter is a standalone freeware application you can use to import NetStumbler’s Summary files into Microsoft’s MapPoint 2004 maps. Should you have an older version of MapPoint, you will need to download StumbVerter 1.0 Beta from www.michiganwireless.org/tools/Stumbverter

Installing StumbVerter is as easy as installing any Windows program. Just run the setup.exe program and follow the steps to specify the destination folder and to verify the installation options. Figure 9-13 shows the opening window for StumbVerter.

To import the NetStumbler data you exported in the previous section, follow these steps:

1. Click the Map icon and select Create new North America (or Create new Europe, whichever is appropriate).

2. Click the Import icon to open your Summary file and import it into StumbVerter.

3. From the Open window, highlight the exported file and click the Open button.

StumbVerter will import your data and show the networks as small icons or pushpins, their colors and shapes relating to WEP mode and signal strength. You can download additional pushpins from www.microsoft.com/downloads/details.aspx?familyid=2ad23c13-f367-45f4-809e-a77933eea57e&displaylang=en.

MapPoint pushpins designate the access point, and by selecting one you can see balloons containing other information, such as the MAC address, signal strength, and mode. You can zoom in and out on the map.

Figure 9-13: StumbVerter window.

When you are finished you can save the map as a MapPoint (.ptm) document, as HyperText Markup Language (HTML), or as a bitmap image. You’ll need MapPoint to open a .ptm document, whereas you can open the HTML document by using Internet Explorer, Netscape Navigator, or Mozilla Firefox (or use Paint to open the bitmap image).

You can find StumbVerter at www.sonar-security.com/sv.html.

Using Microsoft Streets & Trips

MapPoint is great but a little pricey. If you want to save a little money, you can use Microsoft Streets & Trips.

You have to perform an interim step before you can import your Summary file into Streets & Trips — parsing the Summary file. You could write a parser of your own or you can get a ready-made one at http://kb3ipd.com/phpStumblerParser/index.php. To use the phpStumblerParser, just click the Browse... button and navigate to the file on your system that you want to parse. Once you have selected the file, click the Generate Now! button. Next, start Microsoft Streets & Trips.

To import the NetStumbler data you exported in the previous section, just select File➪Open and navigate to the file you want to import. (This is the one you just parsed.) Figure 9-14 shows the Streets & Trips map for our wardrive.


Using DiGLE

Should you not want to line the coffers of Microsoft with your hard-earned cash, use DiGLE to generate your map. DiGLE stands for Delphi Imaging Geographic Lookup Engine. Go to the WiGLE registration page at www.wigle.net/gps/gps/Register/main/, fill it out, download DiGLE, and install it. Then double-click digle.exe to start the client shown in Figure 9-15.

Next you will need to get some maps by downloading a MapPack for the locale of your wardrive from www.wigle.net/gps/gps/GPSDB/mappacks

Download the appropriate MapPack and unzip the contents into your DiGLE directory. There are map packs for every U.S. county and most major metropolitan areas.

After downloading a map pack, you’re ready to import the NetStumbler data you exported in the previous section. Follow these steps:

1. Use the First Choose drop-down list (shown in Figure 9-15) and select the map from the list.

2. Click the Load Local button.

3. Navigate to your Network Stumbler file, highlight the file, and then click the Open button.

Figure 9-14: Streets & Trips wardrive map.

Figure 9-15: DiGLE window.

DiGLE generates a map like the one shown in Figure 9-16.

You can find DiGLE at www.wigle.net/gps/gps/GPSDB/dl/.

If you don’t use the Windows platform or want additional tools, you’ll find the next chapter of interest.

Figure 9-16: DiGLE mapping of a wardrive.