What Is a Wireless Network?
What makes this type of attack possible is that wireless detection software will either
listen for the beacon of a network or send off a probe request designed to detect the
network. Once a network is detected, it can be singled out for later attack by the intruder.
Some of the software packages that are used to perform this type of attack are KisMAC,
NetStumbler, Kismet, WaveStumbler, and InSSIDer.
Wireless detection tools known as site survey tools can be used to
reveal wireless networks. Tools of this type are typically targeted toward
corporate-level admins who need to optimize their wireless networks as
well as detect rogue access points and other issues.
It is common for site survey tools to include the ability to connect to a GPS
device in order to pinpoint an access point or client within a few feet.
There are also variations of the wardriving attack, all of which have the same objective:
Warflying: Same as wardriving, but uses a small plane or ultralight aircraft
Warballooning: Same as warflying, but makes use of a balloon instead
Warwalking: Involves putting the detection equipment in a backpack or something similar
and walking through buildings and other facilities
A technique known as warchalking involves the placement of symbols in locations where
wireless signals were detected. These symbols tell the informed that a wireless access point
is nearby and provide data about it where available, including open or closed access points,
security settings, channel, and name.
These symbols evolved from hobo marks, which were frequently used
by vagrants during the 1930s to tell others where they could get a free
meal, where a dog may be, or if the police were likely to arrest you if they
found you.
Rogue Access Points
A rogue access point is another effective way of breaching a network by violating trust. The
attacker installs a new access point that is completely unsecured behind a company firewall.
The attacker can then connect with relative impunity to the target network, extracting
information or carrying out further attacks.
This type of attack has been made relatively easy to perform through the use of more
compact hardware access points and software designed to create an access point. A savvy
attacker will hide the access point so that it is not readily observed, configure the SSID
to appear as a corporate access point, or both.
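The rogue access point check that a site survey supports can be expressed as a comparison of survey results against an inventory of authorized access points. The following is an added example, not code from the original text; the inventory, the survey rows, the signal-strength cutoff, and all function names are constructed assumptions.

```python
import csv
import io

# Constructed inventory of authorized APs (assumption): BSSID -> (SSID, security)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CorpNet", "WPA2-Enterprise"),
    "00:11:22:33:44:02": ("CorpNet", "WPA2-Enterprise"),
}
STRONG_RSSI_DBM = -60  # assumed cutoff for "probably inside the building"

# Constructed site-survey export, one row per observed access point
SURVEY_CSV = """bssid,ssid,security,rssi_dbm
00:11:22:33:44:01,CorpNet,WPA2-Enterprise,-48
00:11:22:33:44:02,CorpNet,Open,-55
de:ad:be:ef:00:01,CorpNet,WPA2-Enterprise,-40
de:ad:be:ef:00:02,C0rpNet ,Open,-42
de:ad:be:ef:00:03,CoffeeShop,Open,-85
de:ad:be:ef:00:04,,Open,-38
"""

def normalize(ssid):
    """Fold case, padding and digit-for-letter swaps so lookalike names compare equal."""
    return ssid.strip().lower().translate(str.maketrans("013", "ole"))

CORP_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}
CORP_NORMALIZED = {normalize(s) for s in CORP_SSIDS}

def classify(row):
    bssid, ssid = row["bssid"].lower(), row["ssid"]
    if bssid in AUTHORIZED:
        # Known radio: its settings must still match the inventory
        expected = AUTHORIZED[bssid]
        return "authorized" if (ssid, row["security"]) == expected else "config-drift"
    if ssid in CORP_SSIDS:
        return "corp-ssid-unknown-bssid"   # corporate name on hardware we do not own
    if normalize(ssid) in CORP_NORMALIZED:
        return "lookalike-ssid"            # name made to resemble the corporate one
    if int(row["rssi_dbm"]) >= STRONG_RSSI_DBM:
        return "unknown-strong-signal"     # unlisted AP that is close by
    return "neighbor"

def find_rogues(csv_text):
    """Return (bssid, verdict) for every row that needs investigation."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["bssid"], v) for r in rows
            if (v := classify(r)) not in ("authorized", "neighbor")]

if __name__ == "__main__":
    for bssid, verdict in find_rogues(SURVEY_CSV):
        print(bssid, verdict)
```

A matching BSSID is not proof of legitimacy on its own because hardware addresses can be copied, which is why the check also compares the advertised security settings against the inventory.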