
Chapter 5. Learning to WarDrive: Network Mapping and Site Surveying

"It will not do for the army to act without knowing the opponent's condition, and to know the opponent's condition is impossible without espionage."

—Du Mu

After all the necessary hardware is acquired and set up and you are familiar with the drivers, configuration files, and utilities, it is time to get some fresh air and survey your wireless network or map the WLANs in a neighborhood. Warwalking is good for your health and does not involve mindless stepping or weightlifting in a gym far away from the soothing green-on-black console. As long as you don't abuse the found networks' resources and don't eavesdrop on the data traffic passing by, wardriving or warwalking is not illegal. Learn the local law pertaining to recreational wireless activities to stay on the safe side and avoid legal trouble.

Site surveying is very different from casual wardriving or warwalking. A surveyor concentrates on a specified network and studies it in great detail, mapping the SNR around the whole coverage area. We also suggest pinging the access point or wireless gateway and logging packet loss and delay as you move.

Wardriving or warwalking doesn't have to be an activity that demands specifically devoted time and effort; it can be casual. By casual wardriving we mean "looking around" when using hotspots, carrying your PDA set to map networks (and, in the attacker's case, dump the traffic) on the way to a meeting with a client, and so on. There are also means of network discovery without disassociating from the WLAN you are using. By the end of the chapter you will be familiar with the tools necessary to implement these means.

How you survey the wireless site or wardrive is a question of requirements, circumstances, and your personal preferences. Unlike planning a proper penetration test as outlined in Chapter 7, we cannot walk you through a wardriving procedure because there isn't one. Instead, we are going to take the "teach a man to fish instead of giving him bread every day" approach and concentrate on the available wireless network mapping and signal monitoring tools, explaining how they work and how to use them.

Network discovery tools are the most abundant; the majority of them are free. Some of these tools are more than just network mapping software, and support advanced features such as WEP decryption on the fly or a wireless IDS signature database. In general, all you need to detect wireless networks or hosts and log wireless traffic is to put a client card into RFMON mode and run tcpdump on the appropriate interface. The rest of the features are often a power-consuming luxury, helping users to visualize the discovered networks and decode traffic. Of course, reading tcpdump output might not be very intuitive, but it helps a lot in understanding 802.11 protocols and networking events. Nothing is a substitute for tcpdump / Ethereal (if you need a GUI) traffic analysis in gaining 802.11 networking experience. Another common luxury that can actually come in handy is the monitoring of RF signal strength or other network parameters by a network discovery tool (although watch -n1 "date >> /home/survey-wlan0; cat /proc/net/wireless | grep wlan0 >> /home/survey-wlan0" will do the job anyway).
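The one-liner above only dumps raw /proc/net/wireless lines; the following added script (not from the book) turns the same source plus the ping measurements suggested for site surveying into one logged sample per position, with signal, noise, SNR, packet loss, and average delay. The function names are hypothetical, the /proc/net/wireless and ping lines below are constructed, and the ping summary format assumed is that of Linux iputils.

```sh
#!/bin/sh
# Added site-survey logger (not from the book): parses the kernel's
# /proc/net/wireless line and a ping summary so SNR, loss and delay can be
# logged per survey position. Sample lines below are constructed, not captured.

# Constructed /proc/net/wireless data line (Linux wireless extensions):
# iface: status link level noise nwid crypt frag retry misc beacon
SAMPLE_WIRELESS='wlan0: 0000   58.  -52.  -92.       0      0      0      0      0        0'
# Constructed iputils ping summary (2 of 3 probes answered)
SAMPLE_PING='3 packets transmitted, 2 received, 33.3333% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.234/2.345/3.456/0.789 ms'

# wireless_stats IFACE TEXT -> "link_quality signal_dBm noise_dBm snr_dB"
# Strips the trailing dots the kernel prints and derives SNR = signal - noise.
wireless_stats() {
    printf '%s\n' "$2" | awk -v ifc="$1:" '
        $1 == ifc {
            q = $3; s = $4; n = $5
            sub(/\.$/, "", q); sub(/\.$/, "", s); sub(/\.$/, "", n)
            printf "%d %d %d %d\n", q, s, n, s - n
        }'
}

# ping_stats TEXT -> "loss_percent avg_rtt_ms" (avg is n/a when every probe fails)
ping_stats() {
    printf '%s\n' "$1" | awk '
        /packet loss/ { for (i = 1; i <= NF; i++) if ($i ~ /%$/) { loss = $i; sub(/%/, "", loss) } }
        /^rtt/ { split($4, a, "/"); avg = a[2] }
        END { if (avg == "") avg = "n/a"; printf "%s %s\n", loss, avg }'
}

# survey_once IFACE AP_ADDR LABEL [LOGFILE]: take one live sample at the current
# position and append "time,label,quality,signal,noise,snr,loss,avg_rtt" to the log.
# Needs a real wireless-extensions interface; call it once per survey point.
survey_once() {
    w=$(wireless_stats "$1" "$(cat /proc/net/wireless)")
    p=$(ping_stats "$(ping -c 3 "$2" 2>/dev/null || true)")
    printf '%s,%s,%s,%s\n' "$(date +%FT%T)" "$3" \
        "$(printf '%s' "$w" | tr ' ' ,)" "$(printf '%s' "$p" | tr ' ' ,)" >> "${4:-/home/survey-$1}"
}

# Parser demo on the constructed samples (no radio or network needed)
wireless_stats wlan0 "$SAMPLE_WIRELESS"
ping_stats "$SAMPLE_PING"
```

The resulting CSV lines, one per labelled position, are what you plot to map SNR and delay across the coverage area.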

There are three ways of discovering wireless networks: active scanning, monitor mode sniffing, and searching for access points and ad-hoc cells with the iwlist scanning command, which is a form of active scanning anyway.
