Difference between revisions of "Summerschool Aachen 2004/Wireless security Lab"

From C4 Wiki
m (Reverted edits by Oxudocopaj (talk) to last revision by ScottyTM)

(9 intermediate revisions by 6 users not shown)

== Notes on lab session ==

=== Bluetooth/OBEX ===

I did not find the Bluetooth Specifications and Profiles Book readily on Google, so for your convenience I put these two documents up [http://www.informatik.hu-berlin.de/~thalheim/aachen2004/ here]. The profiles book, together with the OBEX specification, should be the sources to use when trying to figure out what these vulnerabilities were that Christian was talking about this morning in the lecture. As far as I understand, the mentioned attacks exploit the fact that in some profiles you can use functions which are not specified to be in there, but which were actually defined for other profiles which are more heavily protected (e.g. you need to connect to the device, pair with it, enter a PIN, stuff).

-- [[Lisa Thalheim]]
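To make the class of weakness Lisa describes concrete, here is a small added model (my example, not code from this page, from the lecture or from any Bluetooth stack): an OBEX request dispatcher that checks an incoming opcode only against the global opcode table, beside one that checks it against the profile the channel was actually opened for and enforces that profile's pairing requirement first. The opcodes are the real OBEX values; the two profiles, their operation sets and the "requires pairing" flags are a simplified illustration, not a transcription of the Profiles Book.

```python
"""Model of profile/authorization confusion in an OBEX-style server.

Added example, not from the wiki page or from any Bluetooth stack. The OBEX
opcodes are the real values from the OBEX specification (Final bit 0x80 set);
the profile-to-operation mapping and the 'requires pairing' flags are a
simplified model for illustration, not a quote of the Profiles Book.
"""
from dataclasses import dataclass, field

# OBEX opcodes with the Final bit set, as defined in the OBEX specification.
CONNECT, DISCONNECT, PUT, GET, SETPATH = 0x80, 0x81, 0x82, 0x83, 0x85
OPNAMES = {CONNECT: "CONNECT", DISCONNECT: "DISCONNECT", PUT: "PUT",
           GET: "GET", SETPATH: "SETPATH"}


@dataclass(frozen=True)
class Profile:
    name: str
    requires_pairing: bool
    allowed_ops: frozenset


# Simplified model (assumption): Object Push accepts unauthenticated PUTs of
# business cards; a file-transfer style profile lets a *paired* peer browse
# (SETPATH/GET). The weakness is letting the latter's operations through on
# the former's unauthenticated channel.
OBJECT_PUSH = Profile("Object Push", False,
                      frozenset({CONNECT, DISCONNECT, PUT}))
FILE_TRANSFER = Profile("File Transfer", True,
                        frozenset({CONNECT, DISCONNECT, PUT, GET, SETPATH}))


@dataclass
class Session:
    profile: Profile          # profile the RFCOMM channel was opened for
    paired: bool              # whether the peer completed pairing
    log: list = field(default_factory=list)


def handle_request_weak(session, opcode):
    """Weak dispatcher: accepts any opcode the OBEX layer knows about,
    regardless of which profile the channel belongs to."""
    if opcode not in OPNAMES:
        return "BAD_REQUEST"
    session.log.append(OPNAMES[opcode])
    return "OK"


def handle_request_hardened(session, opcode):
    """Hardened dispatcher: the profile's pairing requirement is enforced
    first, then the opcode must be one that profile actually defines."""
    if opcode not in OPNAMES:
        return "BAD_REQUEST"
    if session.profile.requires_pairing and not session.paired:
        return "UNAUTHORIZED"
    if opcode not in session.profile.allowed_ops:
        return "FORBIDDEN"
    session.log.append(OPNAMES[opcode])
    return "OK"


def compare(opcode):
    """Return (weak, hardened) verdicts for an unpaired Object Push session."""
    weak = handle_request_weak(Session(OBJECT_PUSH, paired=False), opcode)
    hard = handle_request_hardened(Session(OBJECT_PUSH, paired=False), opcode)
    return weak, hard


if __name__ == "__main__":
    for op in (PUT, GET, SETPATH):
        print(OPNAMES[op], "unpaired Object Push -> weak: %s, hardened: %s" % compare(op))
```

The point of the comparison is that the opcode table alone says nothing about authorization; the profile the channel was opened for, and the pairing state that profile demands, have to be part of every dispatch decision.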

=== Preparation for the WiLDing session ===

In order to get the most out of our WiLDing experience, you should have a few tools available and basically set up when we start. For *nix, you should probably get [http://www.kismetwireless.net Kismet] in version 4.x, since it supports many more chipsets. Also, you should make sure that your WLAN card supports monitor mode, since Kismet works completely passively. For Windows, you might wanna try [http://www.netstumbler.com Netstumbler]. In case you have other tools available you feel more comfortable with, please feel free to use those.

You need to install/compile Kismet with ImageMagick support enabled in order to use its map drawing feature. For this you should also get [http://www.gpsdrive.de gpsdrive] and gpsd, which comes bundled with it.

Kismet creates quite a few files representing discovered networks in different formats, so you might wanna have a separate directory to keep those. Please also note that Kismet needs to be run suid root in order to switch your card into monitor mode. If Kismet does not support your special chipset, try to do the switch manually or grab another card from the lab or somewhere else.
[http://new-ford-truck.boom.ru/ | New Ford Truck]
+
 
[http://model_a_ford.chat.ru/ | Model A Ford]
+
I will try to get maps for this region to use with the map drawing feature. Hopefully they will be put on our file server. Right now gpsdrive is still bugging me with less verbose error messages.

UPDATE: I got maps which should be about right for us. I got one for a scaling factor of [http://www.asta.rwth-aachen.de/~ernest/map_file0010.gif 15000] which should cover most of Aachen as well as one of the city centre at the scale of [http://www.asta.rwth-aachen.de/~ernest/map_file0009.gif 10000]. Get those either from the links provided or using gpsdrive directly (take the Expedia server). The coordinates I used are:

Lat: 50.775
Long: 6.082

In case you are going for really strange routes, you might wanna play with the coordinates (just as a reminder: to go north, increase Lat; to go east, increase Long).

You also need MySQL to get Kismet and gpsdrive to play together. Use the provided .sql file (and maybe edit it beforehand) to set up the geoinfo database.

I4 has asked us to provide our results to their research team, so please keep your data (preferably in CSV format) and we can collect them afterwards.

-- [[Ernest Hammerschmidt]]

=== Preparations and a discussion ===

Hm, I haven't done that much during the lab session. I made some slides for the coffee table talk on Wednesday and afterwards had a talk with Christian Klein about Bluetooth discovery. The idea is to listen on one channel and then sniff some frame. This gives you the MAC address of some Bluetooth devices and is probably more reliable than the @stake method of brute-forcing. C. told me that he's going to look into this with some specially crafted material. Who knows, maybe there's going to be a paper about this.

--- Ilja van Sprundel

== Wardriving session I ==

Alex, Christian (Dietrich) and I were on an exciting adventure on the streets of Aachen. We had a GPS receiver connected to a notebook with WLAN running Kismet and gpsdrive. We soon found many access points and gpsdrive showed us the (nearly) exact locations of all the networks we drove through. Unfortunately, gpsdrive crashed and so we lost the tracking data of that program. At home we had to use the data Kismet logged during the wardriving session. We used the Kismet tool gpsmap to draw some maps which you will find attached below.

We found 298 access points, 147 with WEP enabled and 152 without WEP!

=== Common SSIDs ===

Here is a list of common SSIDs:

31 "WLAN"<br>
25 "mops"<br>
11 "vodafone"<br>
11 "default"<br>
10 "ConnectionPoint"<br>
6 "linksys"<br>
5 "NETGEAR"<br>
4 "T-Mobile_T-Com"<br>
3 "FRITZ!Box"<br>
2 "wlan"<br>
2 "wireless"<br>
2 "SMC"<br>
2 "sd9wh2pq"<br>
2 "foldr.org"<br>
2 "Endres"<br>
2 "BUSCH"<br>
2 "Acer"<br>
2 "101"<br>

56 access points showed no SSID.

=== Maps ===

[[Image:Wardriving-image-2004-09-28_route_and_networks.jpg|thumbnail|Routes and Networks]]
[[Image:Wardriving-image-2004-09-28_hull.jpg|thumbnail|Hull]]
[[Image:Wardriving-image-2004-09-28_estimated_range.jpg|thumbnail|Estimated Range]]

--[[User:Feanor|Boris Leidner]] 22:10, 28 Sep 2004 (CEST)


== Wardriving around Aachen ==

Samad, Sammy, Jan and I started "war-walking" on the first day (28/9), while we were getting our equipment and setup to work. At the end of the day, we found 21 wireless access points using my Centrino laptop with a Garmin GPS receiver, by walking to the bakery and back.

On the second day, we had more success, having gotten Netstumbler and Kismet to work on 3 laptops with 2 available GPS receivers. Samad was driving his car for this session. I found a total of 109 APs (after merging my Netstumbler logs, cos the program apparently needed to restart frequently before it would detect new APs).

The map, generated using the facility at www.gpsvisualizer.com, is appended.

[[Image:Wardrivemap2.JPG|center|frame|463|Wardriving]]

---[[User:Flwong|Ford L Wong]]
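Ernest asked for the results in CSV, Boris reported WEP/open counts plus an SSID frequency list, and Ford had to merge several Netstumbler logs of the same run before counting. The following is an added example (mine, not code from this page or from Kismet/Netstumbler) that performs those three steps on constructed sample logs: parse the CSV, merge sightings by BSSID so that an AP seen by two laptops or across a program restart counts only once, then produce the figures in the shape the write-ups above report them. The column layout bssid,ssid,encryption,lat,lon is assumed for the exercise; a real Kismet or Netstumbler export has its own columns and would need parse_log() adjusted.

```python
"""Merge several wardriving logs and summarise them.

Added example, not part of the wiki page or of Kismet/Netstumbler. The
column layout (bssid,ssid,encryption,lat,lon) is a constructed format for
the exercise; the real export formats of either tool differ and would
need their own column mapping in parse_log().
"""
import csv
import io
from collections import Counter

# Constructed sample logs: two runs over the same area that overlap in
# BSSIDs, with one AP seen once as hidden (empty SSID) and once with its SSID.
LOG_RUN1 = """bssid,ssid,encryption,lat,lon
00:11:22:33:44:01,WLAN,WEP,50.7751,6.0821
00:11:22:33:44:02,mops,None,50.7755,6.0830
00:11:22:33:44:03,,WEP,50.7760,6.0845
00:11:22:33:44:04,default,None,50.7762,6.0850
"""
LOG_RUN2 = """bssid,ssid,encryption,lat,lon
00:11:22:33:44:02,mops,None,50.7755,6.0831
00:11:22:33:44:03,FRITZ!Box,WEP,50.7760,6.0846
00:11:22:33:44:05,WLAN,WEP,50.7770,6.0860
00:11:22:33:44:06,,None,50.7772,6.0870
"""


def parse_log(text):
    """Parse one CSV log into a list of dicts, normalising the BSSID so
    that differently cased exports of the same AP compare equal."""
    reader = csv.DictReader(io.StringIO(text))
    rows = []
    for row in reader:
        rows.append({
            "bssid": row["bssid"].strip().lower(),
            "ssid": row["ssid"].strip(),
            "wep": row["encryption"].strip().upper() == "WEP",
            "lat": float(row["lat"]),
            "lon": float(row["lon"]),
        })
    return rows


def merge_logs(*logs):
    """Merge logs keyed by BSSID. The first position seen is kept; an SSID
    that was hidden in one sighting is filled in when a later one reveals it."""
    merged = {}
    for log in logs:
        for rec in log:
            cur = merged.get(rec["bssid"])
            if cur is None:
                merged[rec["bssid"]] = dict(rec)
            elif not cur["ssid"] and rec["ssid"]:
                cur["ssid"] = rec["ssid"]
    return merged


def summarize(merged):
    """Count WEP vs. open APs, hidden SSIDs and SSID frequency."""
    wep = sum(1 for r in merged.values() if r["wep"])
    hidden = sum(1 for r in merged.values() if not r["ssid"])
    ssids = Counter(r["ssid"] for r in merged.values() if r["ssid"])
    return {"total": len(merged), "wep": wep, "open": len(merged) - wep,
            "hidden": hidden, "ssid_counts": ssids}


def report():
    """Run the whole pipeline on the constructed logs."""
    merged = merge_logs(parse_log(LOG_RUN1), parse_log(LOG_RUN2))
    return summarize(merged)


if __name__ == "__main__":
    s = report()
    print("%d access points, %d with WEP, %d without WEP, %d with no SSID"
          % (s["total"], s["wep"], s["open"], s["hidden"]))
    for ssid, n in s["ssid_counts"].most_common():
        print('%d "%s"' % (n, ssid))
```

Merging by BSSID rather than SSID matters for the kind of figures quoted above: eight raw rows collapse to six distinct access points here, and an AP that hides its SSID in one sighting is still counted under its name once any sighting reveals it.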

[[Category:Summerschools]] [[Category:Hacks]]

Latest revision as of 17:36, 24 November 2010
