Friday, 25 May 2012

Detecting Wardriving

For my research one of the questions I would like to answer is how prevalent is wardriving or is it only researchers that are doing this type of activity. According to wikipedia "Wardriving is the act of searching for Wi-Fi wireless networks by a person in a moving vehicle, using a portable computer, smartphone or personal digital assistant (PDA)." Which is a definition I would agree with, when it moves from locatingWi-Fi access points to connecting to them to me that has moved away from Wardriving and starting to commit if you are within the UK an illegal act, legalisation varies around the world so I will refer to UK laws.

Although I am started with a question about wardriving, the real question is how many people are scanning for Wi-Fi networks there can connect to when they don't have authorisation to do so.

Detecting Wi-Fi networks can be done in a number of ways.

1) Listening for broadcast beacons (Passive)


Access points will broadcast there SSID and capabilities using a broadcast beacon frame at a regular interval. If you turn of "Broadcast SSID" it is this frame that is no longer broadcast.

2) Probe request & response frames (Active)


A client can issue a probe request with or without a SSID, an access point if it has a matching SSID to that within the probe will send a probe response with the access points capabilities included. If the probe response has a blank SSID then most access points will respond to the probe request with a probe response with the access points capabilities included.

3) Sniffing frames (passive)

This last method involves the client "sniffing" packet capture of frames and then decode them to identify the SSID of the Wi-Fi network.

It is impossible to detect someone using passive methods to locate a Wi-Fi network, until they connect to an access point, however this is beyond the scope of this blog entry, I'm concentrating on detecting probe request and probe responses.

Wi-Fi frames

A bit of a background to the frames used by Wi-Fi networks, the 802.11 standard defines various frame types that stations (NICs and access points) use for communications, as well as managing and controlling the wireless link.
  • Data Frames.
  • Management Frames
  • Control Frames
The first two bytes of the MAC header form a frame control field specifying the form and function of the frame. The frame control field is further subdivided into the sub-fields, the two fields I am interested are :-
  • Type: two bits identifying the type of WLAN frame. Control, Data and Management are various frame types defined in IEEE 802.11.
  • Sub Type: Four bits providing addition discrimination between frames. Type and Sub type together to identify the exact frame.
Management frames are type 0
Control frames are type 1
Data frames are type 2

Management Frames (type 0)
  • Authentication frame: subtype 11
  • Deauthentication frame: subtype 12
  • Association request frame:  subtype 0
  • Association response frame: subtype 1
  • Reassociation request frame:  subtype 2
  • Reassociation response frame: subtype 3
  • Disassociation frame:  subtype 10
  • Beacon frame:  subtype 8
  • Probe request frame: subtype 4
  • Probe response frame:  subtype 5
Identification of frames

Use a packet sniffing capable of analysing Wi-Fi packets such as CommView for WiFi or WireShark with a suitable wireless NIC we can sniff the frames being broadcast, in order to keep the exercise ethical we use a filter to ensure we only examining the Probe Request and Probe Response frames.

With wireshark we can use the following rules to formulate a filter

Management frames wlan.fc.type eq 0
Probe request wlan.fc.type_subtype eq 4
Probe response wlan.fc.type_subtype eq 5

What we are looking for is a pattern of probe requests and probe response, a person wardriving will be continually sending out probe requests with a blank SSID, which while they are in range we can detect, a person just doing a quick scan for available networks will send a short burst of probe requests with a blank SSID.

This will be continued with some examples of the findings.




No comments:

Post a Comment