Summerschool Aachen 2004/Wireless security Lab


Notes on lab session


I did not find the Bluetooth Specifications and Profiles Book readily on Google, so for your convenience I put these two documents up here. The profiles book, together with the OBEX specification, should be the sources to use when trying to figure out what these vulnerabilities were that Christian was talking about this morning in the lecture. As far as I understand, the mentioned attacks exploit the fact that in some profiles you can use functions which are not specified to be in there, but which were actually defined for other profiles which are more heavily protected (e.g. you need to connect to the device, pair with it, enter a PIN, and so on).

-- Lisa Thalheim

Preparation for the WiLDing session

In order to get the most out of our WiLDing experience, you should have a few tools available and basically set up when we start. For *nix, you should probably get Kismet in version 4.x, since it supports many more chipsets. Also, you should make sure that your WLAN card supports monitor mode, since Kismet works completely passively. For Windows, you might want to try Netstumbler. In case you have other tools available you feel more comfortable with, please feel free to use those.

You need to install/compile Kismet with ImageMagick support enabled in order to use its map drawing feature. For this you should also get gpsdrive and gpsd, which comes bundled with it.

Kismet creates quite a few files representing discovered networks in different formats, so you might want to have a separate directory to keep those. Please also note that Kismet needs to be run suid root in order to switch your card into monitor mode. If Kismet does not support your special chipset, try to do the switch manually or grab another card from the lab or somewhere else.

I will try to get maps for this region to use with the map drawing feature. Hopefully they will be put on our file server. Right now gpsdrive is still bugging me with less verbose error messages.

UPDATE: I got maps which should be about right for us. I got one for a scaling factor of 15000 which should cover most of Aachen, as well as one of the city centre at the scale of 10000. Get those either from the links provided or using gpsdrive directly (take the expedia server). The coordinates I used are:

Lat: 50.775 Long: 6.082

In case you are going for really strange routes, you might want to play with the coordinates (just as a reminder: to go north, increase Lat; to go east, increase Long).

You also need MySQL to get Kismet and gpsdrive to play together. Use the provided .sql file (and maybe edit it beforehand) to set up the geoinfo database.

I4 has asked us to provide our results to their research team, so please keep your data (preferably in CSV format) and we can collect them afterwards.

-- Ernest Hammerschmidt

preparations and a discussion

Hm, I haven't done that much during the lab session. I made some slides for the coffee table talk on Wednesday and afterwards had a talk with Christian Klein about Bluetooth discovery. The idea is to listen on one channel and then sniff some frame. This gives you the MAC address of some Bluetooth devices and is probably more reliable than the @stake method of bruteforcing. C. told me that he's going to look into this with some specially crafted material. Who knows, maybe there's going to be a paper about this.

--- Ilja van Sprundel

Wardriving session I

Alex, Christian (Dietrich) and I were on an exciting adventure on the streets of Aachen. We had a GPS receiver connected to a notebook with WLAN running Kismet and gpsdrive. We soon found many access points, and gpsdrive showed us the (nearly) exact locations of all the networks we drove through. Unfortunately, gpsdrive crashed and so we lost the tracking data of that program. At home we had to use the data Kismet logged during the wardriving session. We used the Kismet tool gpsmap to draw some maps which you will find attached below.

We found 298 access points, 147 with WEP enabled and 152 without WEP!

Common SSIDs

Here is a list of common SSIDs:

31 "WLAN"
25 "mops"
11 "vodafone"
11 "default"
10 "ConnectionPoint"
6 "linksys"
4 "T-Mobile_T-Com"
3 "FRITZ!Box"
2 "wlan"
2 "wireless"
2 "SMC"
2 "sd9wh2pq"
2 ""
2 "Endres"
2 "Acer"
2 "101"

56 access points showed no SSID.


Attached maps: Routes and Networks; Estimated Range

--Boris Leidner 22:10, 28 Sep 2004 (CEST)

Wardriving around Aachen

Samad, Sammy, Jan and I started "war-walking" on the first day (28/9), while we were getting our equipment and setup to work. At the end of the day, we found 21 wireless access points using my Centrino laptop with a Garmin GPS receiver, by walking to the bakery and back.

On the second day, we had more success, having gotten Netstumbler and Kismet to work on 3 laptops with 2 available GPS receivers. Samad was driving his car for this session. I found a total of 109 APs (after merging my Netstumbler logs, because the program apparently needed to restart frequently before it would detect new APs).

The map, generated using the facility at is appended.


---Ford L Wong
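Since the preparation notes ask everyone to keep their logs in CSV format, the first wardriving write-up tallies WEP vs. open networks and SSID frequencies by hand, and the second had to merge several partial logs after tool restarts, here is a small script that does all three from Kismet-style CSV logs. It is an added example for this page, not code from the wiki, from Kismet or from any of the participants. The two logs in it are constructed by hand (made-up BSSIDs, rough Aachen coordinates near the map centre given above); their semicolon-separated layout and column names (NetType, ESSID, BSSID, Cloaked, WEP, GPSBestLat, GPSBestLon) are modelled on the old Kismet .csv network log as an assumption, which is why the parser looks columns up by header name rather than by position. Netstumbler exports use a different layout and would need their own reader, but the merge-by-BSSID step is the same.

```python
"""Tally wardriving results from Kismet-style CSV logs.

Added example for this page; it is not part of the wiki or of Kismet.
The logs below are constructed by hand (fake BSSIDs, rough Aachen
coordinates) and follow the semicolon-separated layout of Kismet's .csv
network log as an assumption, so the parser finds columns by header
name instead of by position.
"""
import csv
import io
from collections import Counter

# Constructed sample logs. Assumptions: NetType "infrastructure" marks an
# access point and "probe" a client probe request; Cloaked "Yes" means the
# SSID was not beaconed; 0.000000 lat/lon means no GPS fix was recorded.
LOG_RUN1 = """\
Network;NetType;ESSID;BSSID;Info;Channel;Cloaked;WEP;GPSBestLat;GPSBestLon
1;infrastructure;WLAN;00:11:22:33:44:01;;6;No;Yes;50.776100;6.083400
2;infrastructure;mops;00:11:22:33:44:02;;11;No;No;50.774200;6.081100
3;infrastructure;;00:11:22:33:44:03;;1;Yes;Yes;50.778800;6.090000
4;probe;;00:11:22:33:44:04;;0;No;No;0.000000;0.000000
"""

# Second run after a tool restart: one AP from run 1 seen again, two new ones.
LOG_RUN2 = """\
Network;NetType;ESSID;BSSID;Info;Channel;Cloaked;WEP;GPSBestLat;GPSBestLon
1;infrastructure;WLAN;00:11:22:33:44:01;;6;No;Yes;50.776000;6.083500
2;infrastructure;FRITZ!Box;00:11:22:33:44:05;;1;No;Yes;50.770100;6.075000
3;infrastructure;WLAN;00:11:22:33:44:06;;6;No;No;50.772200;6.079000
"""


def parse_log(text):
    """Parse one semicolon-separated log into dicts keyed by the header row."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [row for row in reader if row.get("BSSID")]


def merge_logs(*texts):
    """Merge several logs, deduplicating on BSSID (first sighting wins).

    Needed when a tool had to be restarted mid-session and left several
    partial, overlapping logs behind."""
    seen = {}
    for text in texts:
        for row in parse_log(text):
            seen.setdefault(row["BSSID"].upper(), row)
    return list(seen.values())


def access_points(rows):
    """Keep infrastructure networks only; probe requests are not APs."""
    return [r for r in rows if r["NetType"] == "infrastructure"]


def summarize(rows):
    """Count APs, WEP vs. open, hidden SSIDs, and SSID frequency.

    An empty ESSID that was actually beaconed counts as the SSID "" (as in
    the SSID list above); only a cloaked network counts as 'no SSID'."""
    aps = access_points(rows)
    cloaked = [r for r in aps if r["Cloaked"] == "Yes"]
    ssids = Counter(r["ESSID"] for r in aps if r["Cloaked"] != "Yes")
    wep = sum(1 for r in aps if r["WEP"] == "Yes")
    return {
        "total": len(aps),
        "wep": wep,
        "open": len(aps) - wep,
        "no_ssid": len(cloaked),
        "ssids": ssids,
    }


def bounding_box(rows):
    """(min_lat, max_lat, min_lon, max_lon) over rows that have a GPS fix.

    Handy for checking whether the chosen map centre and scale cover the
    route actually driven."""
    pts = [(float(r["GPSBestLat"]), float(r["GPSBestLon"])) for r in rows]
    pts = [p for p in pts if p != (0.0, 0.0)]
    if not pts:
        return None
    lats, lons = zip(*pts)
    return (min(lats), max(lats), min(lons), max(lons))


def ssid_table(counter):
    """Render SSID counts in the same 'count "SSID"' form as the list above."""
    return ['%d "%s"' % (n, s) for s, n in counter.most_common()]


if __name__ == "__main__":
    merged = merge_logs(LOG_RUN1, LOG_RUN2)
    stats = summarize(merged)
    print("%(total)d access points, %(wep)d with WEP enabled and "
          "%(open)d without WEP" % stats)
    print("\n".join(ssid_table(stats["ssids"])))
    print("%d access points showed no SSID" % stats["no_ssid"])
    print("bounding box (min_lat, max_lat, min_lon, max_lon):",
          bounding_box(merged))
```

On the two constructed logs this reports 5 access points (the probe request is dropped and the duplicate BSSID is merged), 3 with WEP and 2 without, "WLAN" seen twice, and one cloaked network. Point the script at real Kismet .csv files by reading them into strings and passing them to merge_logs in the order they were written, so the first fix for each BSSID is the one kept.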