War Driving

• 2001... Peter Shipley
• -Drove around Silicon Valley
• -Discovered hundreds of APs
• War Walking
• War Flying
• War Biking
• War Chalking
• All = War Driving (AKA 'stumbling')
• http://www.wardriving.com/

Active Scanning

• Sending probe packets
• 802.11 packets with ESSID of 'Any'
• Response from WLAN access points

NetStumbler v0.4.0 (Apr 2004)

• 802.11a/b/g
• MAC addresses
• ESSID
• Wireless channels
• Signal strength
• [IP addresses]
• Wireless Security

Passive Listening

• Wireless promiscuous mode
• rfmon mode
• vistarfmon (Josh Wright http://inguardians.com/tools/)
• All wireless packets incl. mgmt frames

Wellenreiter (v1.9 Aug 2003) [Ger: wave runner / surfer]

• Stealth ESSID broadcasts
• Channel
• MAC Addresses
• Security
• DHCP / ARP
• -list of IPs
• tcpdump compatible

Wellenreiter II (handhelds)

Kismet (v2008-05-R1 May 08)

• 802.11a/b/g + GPS mapping
• tcpdump compatibility
• Hidden SSID decloaking
• Graphical network mapping
• Mfgr/Model APs and clients
• Known defaults detection