
Why We Did It

Flying the Front Range: Detecting Wireless Networks. Dr. Stephen C. Hayne, Professor, Computer Information Systems. Steve H., Sean I., Jesse C., Travis M., Travis R. Why We Did It: gauge wireless network usage; analyze packet captures; attempt to ID wISPs, long-haul 802.11, A,B,G WAPs.


Presentation Transcript


  1. Flying the Front Range: Detecting Wireless Networks • Dr. Stephen C. Hayne, Professor, Computer Information Systems • Steve H., Sean I., Jesse C., Travis M., Travis R.

  2. Why We Did It • Gauge wireless network usage • Analyze packet captures • Attempt to ID wISPs, long-haul 802.11, A,B,G WAPs • Encryption, usage, demographic statistics • Compare GPS recordings in car vs. plane • Compare Kismac, Netstumbler and Kismet • Compare antennae

  3. WarDriving • Tools • Windows XP, Netstumbler • Areas Covered • Loveland, Windsor, Ft. Collins, Laporte • Hypothesis & Goal • Driving would more accurately locate WAPs than flying • Provide baseline for comparing flight data

  4. WarDriving Results • Ft. Collins • 3112 WAPs found

  5. WarDriving Results • Windsor • 315 WAPs found

  6. WarDriving Results • Loveland • 520 WAPs found

  7. WarFlying • Tools • Windows XP, Orinoco Gold PC Card, Netstumbler v 4.0, Lucent 5.5dBi omnidirectional antenna • Apple Powerbook, Compaq WL110 PC Card, Kismac v .11b, Cisco 12dBi omnidirectional antenna • Cessna Centurion

  8. Flying

  9. Flying

  10. Antenna Comparison

  11. WarFlying Results • Kismac found 2251 802.11x networks • After crashing, losing 1280 WAP locations • Included computers in ad-hoc mode, computers probing (Netstumbler), WPA, WEP, A/B/G networks, hidden SSIDs • Netstumbler found 1012 networks • 1 hour of flying at ±1500 ft. produced a similar amount of data as 24 hours of driving • Kismac tends to find 1.5 to 2x more WAPs than Netstumbler

  12. WarFlying Results • Circled Rockwell • Attempted to use Rockwell WAPs to access a web page • Also used this data to compare GPS locations

  13. WarFlying • Circling Rockwell picking up 802.11 traffic at 1500’ • Signals travel much further vertically than horizontally

  14. WarFlying • Circling my house trying to connect and load a web page

  15. WarFlying Results • GPS Location Data Comparison • Surprisingly similar between car and plane • Left map is from Kismac, Right is from Netstumbler • In the car alleycat-2 found on College Ave. between Plum and Laurel

  16. WarFlying Results 2004: Network Traffic • Top 10 Protocol Captures as Percent of Total

      | Percent | Port | Protocol |
      |---|---|---|
      | 18.0% | 110 | POP3 |
      | 10.5% | 5190 | AOL |
      | 10.0% | 80 | HTTP |
      | 9.0% | 8 | unassigned |
      | 3.8% | 443 | HTTPS |
      | 3.8% | 68 | bootstrap protocol client |
      | 2.8% | 137 | NetBIOS Name Service |
      | 2.5% | 25 | SMTP |
      | 2.3% | 57586 | unassigned |
      | 1.8% | 53 | DNS |

  17. WarFlying Results 2004: Network Traffic • Plain POP3 instead of POP3 over SSL (port 995) • Bad end user education • Actually captured full email with .xls attachment for well-known national home furnishing store explaining contractual problems & revisions • High proportion of AOL traffic • Bad end user education ;-)

  18. Summary 2004 • Out of 5,363 WAPs found (driving + flying), we predicted 33% WEP, 66% non-WEP • Found 1501 (28%) WEP, 3862 (72%) non-WEP • The ratios of 25-33% vs. 75-66% appear to be common in every WEP / non-WEP comparison • Few WPA access points are in use but will increase

  19. Summary 2004 • Top 21 SSIDs in use • We wanted the 21st because it shows the Poudre R-1 School District • The () represents “hidden” SSIDs

      | SSID | Number Seen |
      |---|---|
      | linksys | 1895 |
      | default | 665 |
      | NETGEAR | 369 |
      | Hiddenssid | 206 |
      | wireless | 175 |
      | csu | 164 |
      | MSHOME | 79 |
      | ACTIONTEC | 70 |
      | () | 60 |
      | WLA | 58 |
      | home | 49 |
      | belkin54g | 40 |
      | no ssid | 34 |
      | SpeedStream | 25 |
      | digis-000 | 25 |
      | Gateway | 23 |
      | tmobile | 16 |
      | 123 | 15 |
      | 101 | 13 |
      | homenet | 12 |
      | SST-PR-1 | 11 |

  20. Summary 2004 • Identified some long haul connections • Larinet • Larimer county? Covered from Laporte to Ft. Collins • High Plains Access • Identified some Wireless ISPs • DIGIS • Could see plaintext traffic behind their NAT gateway

  21. All 5,363 WAPs Found in 2004

  22. Summary 2005 • One short flight (45m) found 2,256 WAPs • 1062 (48%) encrypted • 1164 (52%) still not encrypted • Ratio has changed from 25% encrypted!

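  23. Summary 2005 • Frequency Distribution: 802.11b = 40%, 802.11g = 60%

      Top 10 SSIDs

      | SSID | Number Seen |
      |---|---|
      | linksys | 474 |
      | NETGEAR | 172 |
      | ActionTec | 142 |
      | default | 100 |
      | blank | 26 |
      | csu | 23 |
      | Belkin | 22 |
      | Home | 22 |

      Channel Distribution

      | Channel | WAPs | Percent |
      |---|---|---|
      | 1 | 101 | 8% |
      | 2 | 17 | 1% |
      | 3 | 18 | 2% |
      | 4 | 18 | 2% |
      | 5 | 6 | 1% |
      | 6 | 600 | 50% |
      | 7 | 14 | 1% |
      | 8 | 22 | 2% |
      | 9 | 99 | 8% |
      | 10 | 28 | 2% |
      | 11 | 277 | 23% |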

  24. 2005

  25. 2006 • Different Antennas • 5 dB omni • 13 dB 30° directional

  26. 2006 • [Chart; legend: Hidden/WEP, WPA, Unencrypted]

  27. Questions ?
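
Slides 16 and 17 report traffic as a share of packets per port and single out plain POP3 (110) where POP3 over SSL (995) should be in use. The following is an added example, not code from the presentation, that produces the same kind of breakdown for auditing a capture of a network you administer. It assumes a classic-format pcap with Ethernet link type (802.11 monitor-mode captures use other link types) and tallies by destination port; the function names, the `TLS_PORT` table and the sample capture are constructed for illustration.

```python
import struct
from collections import Counter

# Cleartext service port -> TLS port for the same service (IANA registrations).
# A port number only suggests cleartext: SMTP on 25 may still upgrade via STARTTLS.
TLS_PORT = {110: 995, 143: 993, 25: 465, 80: 443}

def dst_ports(pcap):
    """Yield the TCP/UDP destination port of each IPv4 packet in a pcap file."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    pos = 24                              # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "I", pcap, pos + 8)[0]
        frame = pcap[pos + 16 : pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # truncated or not IPv4
        l4 = 14 + (frame[14] & 0x0F) * 4  # IPv4 header length from IHL
        if frame[23] in (6, 17) and len(frame) >= l4 + 4:
            yield struct.unpack_from("!H", frame, l4 + 2)[0]

def port_shares(pcap):
    """Return [(port, percent of packets)] sorted by share, as on slide 16."""
    counts = Counter(dst_ports(pcap))
    total = sum(counts.values())
    return [(p, round(100 * n / total, 1)) for p, n in counts.most_common()]

def cleartext_findings(pcap):
    """Cleartext ports seen, each with the TLS port that should replace it."""
    return [(p, TLS_PORT[p], pct) for p, pct in port_shares(pcap) if p in TLS_PORT]

def sample_pcap(dports):
    """Constructed input: one minimal Ethernet/IPv4/TCP frame per port given."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for dport in dports:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
        tcp = struct.pack("!HHIIBBHHH", 49152, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)
        frame = bytes(12) + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

SAMPLE = sample_pcap([110] * 4 + [80] * 3 + [995, 443, 53])  # constructed traffic
```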
