Wireless hacking
- 369 trang
- file .pdf
Register for Free Membership to
[email protected]
Over the last few years, Syngress has published many best-selling and
critically acclaimed books, including Tom Shinder’s Configuring ISA
Server 2000, Brian Caswell and Jay Beale’s Snort 2.0 Intrusion
Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal
Packet Sniffing. One of the reasons for the success of these books has
been our unique [email protected] program. Through this
site, we’ve been able to provide readers a real time extension to the
printed book.
As a registered owner of this book, you will qualify for free access to
our members-only [email protected] program. Once you have
registered, you will enjoy several benefits, including:
■ Four downloadable e-booklets on topics related to the book.
Each booklet is approximately 20-30 pages in Adobe PDF
format. They have been selected by our editors from other
best-selling Syngress books as providing topic coverage that
is directly related to the coverage in this book.
■ A comprehensive FAQ page that consolidates all of the key
points of this book into an easy to search web page, pro-
viding you with the concise, easy to access data you need to
perform your job.
■ A “From the Author” Forum that allows the authors of this
book to post timely updates links to related sites, or addi-
tional topic coverage that may have been requested by
readers.
Just visit us at www.syngress.com/solutions and follow the simple
registration process. You will need to have this book with you when
you register.
Thank you for giving us the opportunity to serve your needs. And be
sure to let us know if there is anything else we can do to make your
job easier.
WIRELESS
HACKING
Projects for
Wi-Fi Enthusiasts
By the SoCalFreeNet.org Wireless Users Group
Lee Barken with
Eric Bermel, John Eder, Matthew Fanady
Michael Mee, Marc Palumbo, Alan Koebrick
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively
“Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and
WITHOUT WARRANTY.You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or conse-
quential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of
liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers,
networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack
Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress:The Definition of a Serious Security Library”™,
“Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing,
Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 HJCV184764
002 PO5FGHJ887
003 82JH26765V
004 VBHF43299M
005 C23NMVCXZ3
006 VB5T883E4F
007 HJJ3EBNBB6
008 2987GMKKMM
009 629JT5678N
010 IMWT6T3456
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Wireless Hacking: Projects for Wi-Fi Enthusiasts
Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as per-
mitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any
means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception
that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-37-X
Publisher: Andrew Williams Page Layout and Art: Patricia Lupien
Acquisitions Editor: Christine Kloiber Copy Editor: Mike McGee
Technical Editor: Lee Barken Indexer: Odessa&Cie
Cover Designer: Michael Kavish
Distributed by O’Reilly Media, Inc. in the United States and Canada.
For information on rights and translations, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email
[email protected] or fax to 781-681-3585.
Acknowledgments
Syngress would like to acknowledge the following people for their kindness and support in making this
book possible.
Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc.The
enthusiasm and work ethic at O’Reilly is incredible and we would like to thank everyone there for
their time and efforts to bring Syngress books to market:Tim O’Reilly, Laura Baldwin, Mark
Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol
Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop,Tim Hinton, Kyle
Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal
Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen,
Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, and Rob Bullington.
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan
Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran,
Emma Wyatt, Rosie Moss, Chris Hossack, Mark Hunt, and Krista Leppiko, for making certain that our
vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, and Joseph Chan
of STP Distributors for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec
Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand,
Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the
Philippines.
v
Technical Editor & Contributor
Lee Barken CISSP, CCNA, MCP, CPA, is the co-director of the Strategic
Technologies And Research (STAR) Center at San Diego State University (SDSU)
and the President and co-founder of SoCalFreeNet.org, a non-profit community
group dedicated to building public wireless networks. Prior to SDSU, he worked as
an IT consultant and network security specialist for Ernst & Young’s Information
Technology Risk Management (ITRM) practice and KPMG’s Risk and Advisory
Services (RAS) practice. Lee is the technical editor for Mobile Business Advisor
Magazine, and writes and speaks on the topic of wireless LAN technology and
security. He is the author of How Secure Is Your Wireless Network? Safeguarding Your
Wi-Fi LAN (ISBN 0131402064) and co-author of Hardware Hacking: Have Fun
While Voiding Your Warranty (ISBN 1932266836).
Lee is the author of Chapter 1 “A Brief Overview of the Wireless World,” Chapter 2
“SoCalFreeNet.org: An Example of Building Large Scale Community Wireless Networks,”
Chapter 4 “Wireless Access Points,” Chapter 8 “Low-Cost Commercial Options,” and
Appendix A “Wireless 802.11 Hacks.”
“The most precious possession that ever comes to a man in this world is a woman’s heart.”
—Josiah G. Holland
To the love of my life, Stephanie:
Thank you for your never-ending love and encouragement.
vii
Contributors
Eric Bermel is an RF Engineer and Deployment Specialist. He has many years of
experience working for companies such as Graviton, Western US, Breezecom,
Alvarion, and PCSI. Eric has extensive experience developing and implementing
RF site surveys, installation and optimization plans for indoor and outdoor ISM
and U-NII band systems.
Eric is the author of Chapter 10 “Antennas.”
John Eder (CISSP, CCNA) is a security expert with Experian. He currently pro-
vides strategic and technical consulting on security policy and implementation. His
specialties involve: risk profiling, wireless security, network security, encryption
technologies, metrics development and deployment, and risk analysis. John’s back-
ground includes a position as a consultant in the Systems and Technology Services
(STS) practice at Ernst & Young, LLP.
John holds a bachelor’s degree from San Diego State University. He actively
participates in the security community, making presentations and writing numerous
articles on wireless security. John is a proud member of SoCalFreeNet.
John enjoys the support of his loving wife Lynda, a caring family (Gabriel, Lyn,
and Genevieve), and a great friendship with his director, Michael Kurihara.The
security information in this book was made possible through the help of the
m0n0wall team, the Soekris Engineering team, the West Sonoma County Internet
Cooperative Corporation, and the many members of SoCalFreeNet.
John is the author of Chapter 3 “Securing Our Wireless Community.”
Matthew Fanady is a gear-head turned networking and computer enthusiast, and
has been wrenching on cars and building computers since he was 16 years old. He
is currently employed designing and constructing electric vehicles for a small
startup company in San Diego, and spends his free time troubleshooting computers
and exploring new ways to incorporate the latest communications technologies
into everyday life. Matthew was one of the early pioneers of community wireless
networks. In 2002, he began building a grass-roots community wireless network in
his own neighborhood of Ocean Beach, where he was able to bring his passion for
viii
hacking together with his passion for wrenching. His efforts, along with those of
others in San Diego, led to the inception of SoCalFreeNet which continues to
build community-based wireless networks in San Diego.
Matthew is the author of Chapter 11 “Building Outdoor Enclosures and Antenna
Masts,” and Chapter 12 “Solar-Powered Access Points and Repeaters.”
Alan Koebrick is the Vice President of Operations for SoCalFreeNet.org. He is
also a Business Systems Analyst with a large telecommunications company in San
Diego. Alan has a Bachelors degree in E-Business from the University of Phoenix.
Prior to his current job, Alan spent 4 years with the United States Marine Corps
where he performed tasks as a Network Administrator and Legal Administrative
Clerk. Alan is also launching a new venture, North County Systems, a technology
integrator for the Small Office / Home Office market.
Alan is the author of Chapter 5 “Wireless Client Access Devices.”
Michael Mee Michael started building his own computers after discovering the
TRS-80 at Radio Shack years ago. He went on to work for a software startup,
before dot coms made it fashionable.Then he had several great years at Microsoft,
back when ‘the evil empire’ meant IBM.There he worked on database products
like Access and Foxpro for Windows. Returning to his hacking roots, he’s now
helping build high-speed community wireless for users everywhere, especially
through SoCalFreeNet.org.
Michael is the author of Chapter 6 “Wireless Operating Systems,” and Chapter 7
“Monitoring Your Network.”
Marc Palumbo (Society of Mechanical Engineers #4094314) is the Creative
Director for the SoCalFreeNet.org. He is an Artist/Engineer and the owner of
Apogee Arts, headquartered in San Diego, California. His company builds
Community Networks, provisions Internet access for business and residential use,
and designs and executes LANS purposed for specific vertical markets such as
graphics, video editing, publishing, and FDA regulated manufacturing. He has built
secure wireless surveillance systems deployed in Baghdad, Iraq, and for Homeland
Security. Noteworthy wireless triage installations include the city of Telluride,
ix
Colorado, and Black Rock Desert, Nevada for Burning Man. Marc holds a bache-
lors degree from the University of Maryland, received a National Endowment for
the Arts stipend, and was a Fellow at the Center for Advanced Visual Studies, MIT.
He began building his first computers in 1978 as part of his voice activated
pyrotechnic interactive sculpture, “Clytemnestra.”The work won a once in 20-year
honor for the Boston Arts Festival, 1985. He built his first RF device to light high
voltage Neon works of art.
Marc also helped deliver the first paint package for the PC, Splash! with
Spinnaker Software and LCS Telegraphics. He created the first digital images for
the PC, and his digital imagery has been published in Smithsonian Magazine,
Volume 11, Number 9, Dec. 1980, pp. 128-137 and Macworld Magazine, October
1988, pp. 96 through April 1989. One of the first Artists to use lasers for art, he has
created large-scale images in the sky, mountains, and in the urban landscape. He has
worked for and appeared on national television, including “Race for the High
Ground”, Frontline News with Jessica Savitch (S.D.I. Demo of Star Wars Defense
System, laser destroying satellite, W.G.B.H., Boston, MA, April 1983). He has also
worked on production and on air talent crews for Discover Magazine’s TV show
with James (Amazing) Randi, “A Skeptic’s Guide” March 1999.
Working with Miami Springs High School and his corporate sponsor, Symbiosis,
he created a team to build a robot to compete in Dean Kamen’s US First
Competition, a program to encourage engineering careers for high school students.
Marc is the author of Chapter 9 “Mesh Networking.”
x
Foreword Contributor
Rob Flickenger has been hacking systems all of his life, and has been doing so
professionally for over ten years. He is one of the inventors of NoCat, and is also an
active member of FreeNetworks.org. Rob has written and edited a number of
books for O’Reilly & Associates, including Wireless Hacks and Building Wireless
Community Networks. He is currently a partner at Metrix Communication LLC in
Seattle, WA (http://metrix.net/).
xi
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxiii
Part I Introduction to Wireless Hacking . . . . . . . . . . . . . . . .1
Chapter 1 A Brief Overview of the Wireless World . . . . . . .3
Introduction to Wi-Fi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
The History and Basics of 802.11 . . . . . . . . . . . . . . . . . . . . . . .4
IEEE Alphabet Soup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
802.11b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
802.11a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
802.11g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Ad-Hoc and Infrastructure Modes . . . . . . . . . . . . . . . . . . . .9
Connecting to an Access Point . . . . . . . . . . . . . . . . . . .10
FCC Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
FCC and IEEE Regulations . . . . . . . . . . . . . . . . . . . . .14
Why Wi-Fi? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Benefits for Property Owners . . . . . . . . . . . . . . . . . . . . . .16
Benefits for Volunteers . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Social Ramifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Security in a Community Wireless Network . . . . . . . . . . . .18
Every Computer Needs to Be Protected . . . . . . . . . . . . .18
Legal Liability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Defending the Neighborhood . . . . . . . . . . . . . . . . . . . .20
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Chapter 2 SoCalFreeNet.org: Building Large
Scale Community Wireless Networks . . . . . . . . . . . . . . .23
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Wireless Distribution System (WDS) . . . . . . . . . . . . . . . . . . . .24
5 GHz Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Working with Client Devices . . . . . . . . . . . . . . . . . . . . . . . . .26
Competing with the Phone/Cable Companies . . . . . . . . . . . . .28
xiii
xiv Contents
Outfitting Coffee Shops and Retail Locations . . . . . . . . . . . . . .29
Getting the Neighborhood Involved . . . . . . . . . . . . . . . . . . . .30
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Chapter 3 Securing Our Wireless Community . . . . . . . . . .33
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
The Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Wiring the Network for Security . . . . . . . . . . . . . . . . . .36
Choosing the Captive Portal Software and Hardware . . . .37
Performing the Hack: Enabling Our Captive Portal . . . . . . .40
Writing Our Terms of Service . . . . . . . . . . . . . . . . . . . .41
Captive Portal Graphics . . . . . . . . . . . . . . . . . . . . . . . .42
Building a PPTP VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Performing the Hack: Enabling the VPN . . . . . . . . . . . . . . .45
Configuring Our Community Users . . . . . . . . . . . . . . . . . .50
Hacking the Mind of a Wireless User . . . . . . . . . . . . . . . . . . . .54
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Performing the Hack:The Beginning and the End . . . . . . . .54
Other Hacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Part II Hacking Projects . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Chapter 4 Wireless Access Points . . . . . . . . . . . . . . . . . . .59
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Wi-Fi Meets Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Reflashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Linksys WRT54g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Sveasoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
NewBroadcom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
HyperWRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
eWRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Wifi-box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Batbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
OpenWRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
WRT54G Shortcomings . . . . . . . . . . . . . . . . . . . . . . . . . .75
Soekris Single-Board Computers . . . . . . . . . . . . . . . . . . . . . . .75
net4501 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Contents xv
net4511 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
net4521 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
net4526 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
net4801 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Soekris Accessories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Proxim 8571 802.11a Access Point . . . . . . . . . . . . . . . . . . . . . .81
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Under the Hood: How the Hack Works . . . . . . . . . . . . . . .89
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Chapter 5 Wireless Client Access Devices . . . . . . . . . . . . .97
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Notebook Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
PCMCIA Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Mini-PCI Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Desktop Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
PCI Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
USB Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Ethernet Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
PDAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Compact Flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Secure Digital IO Cards . . . . . . . . . . . . . . . . . . . . . . .105
WarDriving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Why Are People WarDriving? . . . . . . . . . . . . . . . . . . . . .106
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .106
Required Equipment . . . . . . . . . . . . . . . . . . . . . . . . .107
WarDriving Software . . . . . . . . . . . . . . . . . . . . . . . . .107
Optional Equipment . . . . . . . . . . . . . . . . . . . . . . . . . .108
WarDriving Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Part III Software Projects . . . . . . . . . . . . . . . . . . . . . . . . .115
Chapter 6 Wireless Operating Systems . . . . . . . . . . . . . .117
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
m0n0wall—Powerful, Elegant, Simple . . . . . . . . . . . . . . . . . . .120
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .121
xvi Contents
m0n0wall on a Standard PC . . . . . . . . . . . . . . . . . . . .121
m0n0wall on a Single Board Computer (SBC) . . . . . . . .121
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Downloading a Recent Version . . . . . . . . . . . . . . . . . .123
Creating a CD-ROM from Windows . . . . . . . . . . . . . .123
Creating a Compact Flash (CF) Card from Windows . . .125
Starting Your Standard PC . . . . . . . . . . . . . . . . . . . . . .127
Starting Your SBC . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Configuring m0n0wall . . . . . . . . . . . . . . . . . . . . . . . .134
Under the Hood: How the Hack Works . . . . . . . . . . . . . .148
Pebble—Powerful, Raw, Complete . . . . . . . . . . . . . . . . . . . . .148
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .149
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Creating a Boot CD and Starting Knoppix . . . . . . . . . .150
Configuring the Compact Flash Reader/Writer . . . . . .152
Formatting the Compact Flash Card . . . . . . . . . . . . . . .154
Downloading Pebble . . . . . . . . . . . . . . . . . . . . . . . . . .156
Copying Pebble to the Compact Flash . . . . . . . . . . . . .156
Booting Pebble . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Configuring Pebble . . . . . . . . . . . . . . . . . . . . . . . . . .158
Under the Hood: How the Hack Works . . . . . . . . . . . . . .160
Chapter 7 Monitoring Your Network . . . . . . . . . . . . . . . .163
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Enabling SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .165
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Under the Hood: How the Hack Works . . . . . . . . . . . . . .167
Getif and SNMP Exploration for Microsoft Windows . . . . . . .168
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .168
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Retrieving Device Interface Information . . . . . . . . . . .169
Exploring the SNMP OIDs . . . . . . . . . . . . . . . . . . . . .170
Graphing the Data . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Under the Hood: How the Hack Works . . . . . . . . . . . . . .173
STG and SNMP Graphs for Microsoft Windows . . . . . . . . . . .173
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .174
Contents xvii
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Under the Hood: How the Hack Works . . . . . . . . . . . . . .177
Cacti and Comprehensive Network Graphs . . . . . . . . . . . . . . .177
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .178
Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
RRDTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Cacti . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Installing Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Installing PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Installing Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Installing RRDTool . . . . . . . . . . . . . . . . . . . . . . . . . .185
Installing MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Miscellaneous Settings . . . . . . . . . . . . . . . . . . . . . . . . .186
Installing Cactid and Cacti . . . . . . . . . . . . . . . . . . . . . .187
Graphing Data in Cacti . . . . . . . . . . . . . . . . . . . . . . . .192
Under the Hood: How the Hack Works . . . . . . . . . . . . . .197
Additional References . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Chapter 8 Low-Cost Commercial Options . . . . . . . . . . . .199
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Sputnik . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Sputnik Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Sputnik Control Center . . . . . . . . . . . . . . . . . . . . . . . . . .202
Sputnik Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Pre-Paid Module . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
A Sputnik Revolution . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Sveasoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
MikroTik . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
xviii Contents
Chapter 9 Mesh Networking . . . . . . . . . . . . . . . . . . . . .215
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Preparing the Hacks . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
The Basic Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . .218
WDS (Wireless Distribution System) . . . . . . . . . . . . . .220
Real World Example . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Example Two: LocustWorld Mesh Networks . . . . . . . . . . .222
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Additional Resouces on the Web . . . . . . . . . . . . . . . . . . .224
Part IV Antennas and Outdoor Enclosure Projects . . . . . .225
Chapter 10 Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Before You Start: Basic Concepts and Definitions . . . . . . . . . . .228
Federal Communications Commission . . . . . . . . . . . . . . .234
Attenuation in Cables, Connectors, and Materials . . . . . .236
System Grounding and Lightning Protection . . . . . . . . . . .238
Building a Coffee Can Antenna . . . . . . . . . . . . . . . . . . . . . .240
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .240
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Under the Hood: How the Hack Works . . . . . . . . . . . . . .243
Troubleshooting Common Antenna Issues . . . . . . . . . . . . .244
The Future of Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Chapter 11 Building Outdoor Enclosures and
Antenna Masts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Building Outdoor Enclosures . . . . . . . . . . . . . . . . . . . . . . . .248
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .249
Selecting a Raw Enclosure . . . . . . . . . . . . . . . . . . . . .249
Hardware Selection . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Metal NEMA 3 Enclosures . . . . . . . . . . . . . . . . . . . . .255
Under the Hood: How the Hack Works . . . . . . . . . . . . . .263
Building Antenna Masts . . . . . . . . . . . . . . . . . . . . . . . . . . . .263
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .264
Contents xix
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
The Free-Standing Antenna Mast . . . . . . . . . . . . . . . . .265
Direct Mount Antenna Masts . . . . . . . . . . . . . . . . . . . .269
Lightning Protection . . . . . . . . . . . . . . . . . . . . . . . . . .272
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Chapter 12 Solar-Powered Access Points
and Repeaters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .276
Calculating Power Requirements . . . . . . . . . . . . . . . . .276
Battery Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Selecting a Solar Panel . . . . . . . . . . . . . . . . . . . . . . . .281
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Solar Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Electrical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Electronics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Under the Hood: How the Hack Works . . . . . . . . . . . . . .295
The Batteries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
The Solar Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Appendix A Wireless 802.11 Hacks . . . . . . . . . . . . . . . . .299
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Wireless NIC/PCMCIA Card Modifications: Adding an
External Antenna Connector . . . . . . . . . . . . . . . . . . . . . . .301
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .302
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Removing the Cover . . . . . . . . . . . . . . . . . . . . . . . . .303
Moving the Capacitor . . . . . . . . . . . . . . . . . . . . . . . .305
Attaching the New Connector . . . . . . . . . . . . . . . . . . .307
Under the Hood: How the Hack Works . . . . . . . . . . . . . .308
OpenAP (Instant802): Reprogramming Your Access Point
with Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .309
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Installing the SRAM Card . . . . . . . . . . . . . . . . . . . . . .311
Power Me Up, Scotty! . . . . . . . . . . . . . . . . . . . . . . . . .314
[email protected]
Over the last few years, Syngress has published many best-selling and
critically acclaimed books, including Tom Shinder’s Configuring ISA
Server 2000, Brian Caswell and Jay Beale’s Snort 2.0 Intrusion
Detection, and Angela Orebaugh and Gilbert Ramirez’s Ethereal
Packet Sniffing. One of the reasons for the success of these books has
been our unique [email protected] program. Through this
site, we’ve been able to provide readers a real time extension to the
printed book.
As a registered owner of this book, you will qualify for free access to
our members-only [email protected] program. Once you have
registered, you will enjoy several benefits, including:
■ Four downloadable e-booklets on topics related to the book.
Each booklet is approximately 20-30 pages in Adobe PDF
format. They have been selected by our editors from other
best-selling Syngress books as providing topic coverage that
is directly related to the coverage in this book.
■ A comprehensive FAQ page that consolidates all of the key
points of this book into an easy to search web page, pro-
viding you with the concise, easy to access data you need to
perform your job.
■ A “From the Author” Forum that allows the authors of this
book to post timely updates links to related sites, or addi-
tional topic coverage that may have been requested by
readers.
Just visit us at www.syngress.com/solutions and follow the simple
registration process. You will need to have this book with you when
you register.
Thank you for giving us the opportunity to serve your needs. And be
sure to let us know if there is anything else we can do to make your
job easier.
WIRELESS
HACKING
Projects for
Wi-Fi Enthusiasts
By the SoCalFreeNet.org Wireless Users Group
Lee Barken with
Eric Bermel, John Eder, Matthew Fanady
Michael Mee, Marc Palumbo, Alan Koebrick
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively
“Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and
WITHOUT WARRANTY.You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or conse-
quential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of
liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers,
networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack
Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress:The Definition of a Serious Security Library”™,
“Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing,
Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
KEY SERIAL NUMBER
001 HJCV184764
002 PO5FGHJ887
003 82JH26765V
004 VBHF43299M
005 C23NMVCXZ3
006 VB5T883E4F
007 HJJ3EBNBB6
008 2987GMKKMM
009 629JT5678N
010 IMWT6T3456
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Wireless Hacking: Projects for Wi-Fi Enthusiasts
Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as per-
mitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any
means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception
that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-37-X
Publisher: Andrew Williams Page Layout and Art: Patricia Lupien
Acquisitions Editor: Christine Kloiber Copy Editor: Mike McGee
Technical Editor: Lee Barken Indexer: Odessa&Cie
Cover Designer: Michael Kavish
Distributed by O’Reilly Media, Inc. in the United States and Canada.
For information on rights and translations, contact Matt Pedersen, Director of Sales and Rights, at Syngress Publishing; email
[email protected] or fax to 781-681-3585.
Acknowledgments
Syngress would like to acknowledge the following people for their kindness and support in making this
book possible.
Syngress books are now distributed in the United States and Canada by O’Reilly Media, Inc.The
enthusiasm and work ethic at O’Reilly is incredible and we would like to thank everyone there for
their time and efforts to bring Syngress books to market:Tim O’Reilly, Laura Baldwin, Mark
Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol
Matsutaro, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop,Tim Hinton, Kyle
Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal
Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen,
Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, and Rob Bullington.
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan
Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran,
Emma Wyatt, Rosie Moss, Chris Hossack, Mark Hunt, and Krista Leppiko, for making certain that our
vision remains worldwide in scope.
David Buckland, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, and Joseph Chan
of STP Distributors for the enthusiasm with which they receive our books.
Kwon Sung June at Acorn Publishing for his support.
David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Andrew Swaffer, Stephen O’Donoghue, Bec
Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand,
Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the
Philippines.
v
Technical Editor & Contributor
Lee Barken CISSP, CCNA, MCP, CPA, is the co-director of the Strategic
Technologies And Research (STAR) Center at San Diego State University (SDSU)
and the President and co-founder of SoCalFreeNet.org, a non-profit community
group dedicated to building public wireless networks. Prior to SDSU, he worked as
an IT consultant and network security specialist for Ernst & Young’s Information
Technology Risk Management (ITRM) practice and KPMG’s Risk and Advisory
Services (RAS) practice. Lee is the technical editor for Mobile Business Advisor
Magazine, and writes and speaks on the topic of wireless LAN technology and
security. He is the author of How Secure Is Your Wireless Network? Safeguarding Your
Wi-Fi LAN (ISBN 0131402064) and co-author of Hardware Hacking: Have Fun
While Voiding Your Warranty (ISBN 1932266836).
Lee is the author of Chapter 1 “A Brief Overview of the Wireless World,” Chapter 2
“SoCalFreeNet.org: An Example of Building Large Scale Community Wireless Networks,”
Chapter 4 “Wireless Access Points,” Chapter 8 “Low-Cost Commercial Options,” and
Appendix A “Wireless 802.11 Hacks.”
“The most precious possession that ever comes to a man in this world is a woman’s heart.”
—Josiah G. Holland
To the love of my life, Stephanie:
Thank you for your never-ending love and encouragement.
vii
Contributors
Eric Bermel is an RF Engineer and Deployment Specialist. He has many years of
experience working for companies such as Graviton, Western US, Breezecom,
Alvarion, and PCSI. Eric has extensive experience developing and implementing
RF site surveys, installation and optimization plans for indoor and outdoor ISM
and U-NII band systems.
Eric is the author of Chapter 10 “Antennas.”
John Eder (CISSP, CCNA) is a security expert with Experian. He currently pro-
vides strategic and technical consulting on security policy and implementation. His
specialties involve: risk profiling, wireless security, network security, encryption
technologies, metrics development and deployment, and risk analysis. John’s back-
ground includes a position as a consultant in the Systems and Technology Services
(STS) practice at Ernst & Young, LLP.
John holds a bachelor’s degree from San Diego State University. He actively
participates in the security community, making presentations and writing numerous
articles on wireless security. John is a proud member of SoCalFreeNet.
John enjoys the support of his loving wife Lynda, a caring family (Gabriel, Lyn,
and Genevieve), and a great friendship with his director, Michael Kurihara.The
security information in this book was made possible through the help of the
m0n0wall team, the Soekris Engineering team, the West Sonoma County Internet
Cooperative Corporation, and the many members of SoCalFreeNet.
John is the author of Chapter 3 “Securing Our Wireless Community.”
Matthew Fanady is a gear-head turned networking and computer enthusiast, and
has been wrenching on cars and building computers since he was 16 years old. He
is currently employed designing and constructing electric vehicles for a small
startup company in San Diego, and spends his free time troubleshooting computers
and exploring new ways to incorporate the latest communications technologies
into everyday life. Matthew was one of the early pioneers of community wireless
networks. In 2002, he began building a grass-roots community wireless network in
his own neighborhood of Ocean Beach, where he was able to bring his passion for
viii
hacking together with his passion for wrenching. His efforts, along with those of
others in San Diego, led to the inception of SoCalFreeNet which continues to
build community-based wireless networks in San Diego.
Matthew is the author of Chapter 11 “Building Outdoor Enclosures and Antenna
Masts,” and Chapter 12 “Solar-Powered Access Points and Repeaters.”
Alan Koebrick is the Vice President of Operations for SoCalFreeNet.org. He is
also a Business Systems Analyst with a large telecommunications company in San
Diego. Alan has a Bachelors degree in E-Business from the University of Phoenix.
Prior to his current job, Alan spent 4 years with the United States Marine Corps
where he performed tasks as a Network Administrator and Legal Administrative
Clerk. Alan is also launching a new venture, North County Systems, a technology
integrator for the Small Office / Home Office market.
Alan is the author of Chapter 5 “Wireless Client Access Devices.”
Michael Mee Michael started building his own computers after discovering the
TRS-80 at Radio Shack years ago. He went on to work for a software startup,
before dot coms made it fashionable.Then he had several great years at Microsoft,
back when ‘the evil empire’ meant IBM.There he worked on database products
like Access and Foxpro for Windows. Returning to his hacking roots, he’s now
helping build high-speed community wireless for users everywhere, especially
through SoCalFreeNet.org.
Michael is the author of Chapter 6 “Wireless Operating Systems,” and Chapter 7
“Monitoring Your Network.”
Marc Palumbo (Society of Mechanical Engineers #4094314) is the Creative
Director for the SoCalFreeNet.org. He is an Artist/Engineer and the owner of
Apogee Arts, headquartered in San Diego, California. His company builds
Community Networks, provisions Internet access for business and residential use,
and designs and executes LANS purposed for specific vertical markets such as
graphics, video editing, publishing, and FDA regulated manufacturing. He has built
secure wireless surveillance systems deployed in Baghdad, Iraq, and for Homeland
Security. Noteworthy wireless triage installations include the city of Telluride,
ix
Colorado, and Black Rock Desert, Nevada for Burning Man. Marc holds a bache-
lors degree from the University of Maryland, received a National Endowment for
the Arts stipend, and was a Fellow at the Center for Advanced Visual Studies, MIT.
He began building his first computers in 1978 as part of his voice activated
pyrotechnic interactive sculpture, “Clytemnestra.”The work won a once in 20-year
honor for the Boston Arts Festival, 1985. He built his first RF device to light high
voltage Neon works of art.
Marc also helped deliver the first paint package for the PC, Splash! with
Spinnaker Software and LCS Telegraphics. He created the first digital images for
the PC, and his digital imagery has been published in Smithsonian Magazine,
Volume 11, Number 9, Dec. 1980, pp. 128-137 and Macworld Magazine, October
1988, pp. 96 through April 1989. One of the first Artists to use lasers for art, he has
created large-scale images in the sky, mountains, and in the urban landscape. He has
worked for and appeared on national television, including “Race for the High
Ground”, Frontline News with Jessica Savitch (S.D.I. Demo of Star Wars Defense
System, laser destroying satellite, W.G.B.H., Boston, MA, April 1983). He has also
worked on production and on air talent crews for Discover Magazine’s TV show
with James (Amazing) Randi, “A Skeptic’s Guide” March 1999.
Working with Miami Springs High School and his corporate sponsor, Symbiosis,
he created a team to build a robot to compete in Dean Kamen’s US First
Competition, a program to encourage engineering careers for high school students.
Marc is the author of Chapter 9 “Mesh Networking.”
x
Foreword Contributor
Rob Flickenger has been hacking systems all of his life, and has been doing so
professionally for over ten years. He is one of the inventors of NoCat, and is also an
active member of FreeNetworks.org. Rob has written and edited a number of
books for O’Reilly & Associates, including Wireless Hacks and Building Wireless
Community Networks. He is currently a partner at Metrix Communication LLC in
Seattle, WA (http://metrix.net/).
xi
Contents
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxiii
Part I Introduction to Wireless Hacking . . . . . . . . . . . . . . . .1
Chapter 1 A Brief Overview of the Wireless World . . . . . . .3
Introduction to Wi-Fi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4
The History and Basics of 802.11 . . . . . . . . . . . . . . . . . . . . . . .4
IEEE Alphabet Soup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
802.11b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5
802.11a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
802.11g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9
Ad-Hoc and Infrastructure Modes . . . . . . . . . . . . . . . . . . . .9
Connecting to an Access Point . . . . . . . . . . . . . . . . . . .10
FCC Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
FCC and IEEE Regulations . . . . . . . . . . . . . . . . . . . . .14
Why Wi-Fi? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Benefits for Property Owners . . . . . . . . . . . . . . . . . . . . . .16
Benefits for Volunteers . . . . . . . . . . . . . . . . . . . . . . . . . . .16
Social Ramifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Security in a Community Wireless Network . . . . . . . . . . . .18
Every Computer Needs to Be Protected . . . . . . . . . . . . .18
Legal Liability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Defending the Neighborhood . . . . . . . . . . . . . . . . . . . .20
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Chapter 2 SoCalFreeNet.org: Building Large
Scale Community Wireless Networks . . . . . . . . . . . . . . .23
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
Wireless Distribution System (WDS) . . . . . . . . . . . . . . . . . . . .24
5 GHz Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25
Working with Client Devices . . . . . . . . . . . . . . . . . . . . . . . . .26
Competing with the Phone/Cable Companies . . . . . . . . . . . . .28
xiii
xiv Contents
Outfitting Coffee Shops and Retail Locations . . . . . . . . . . . . . .29
Getting the Neighborhood Involved . . . . . . . . . . . . . . . . . . . .30
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Chapter 3 Securing Our Wireless Community . . . . . . . . . .33
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
The Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Wiring the Network for Security . . . . . . . . . . . . . . . . . .36
Choosing the Captive Portal Software and Hardware . . . .37
Performing the Hack: Enabling Our Captive Portal . . . . . . .40
Writing Our Terms of Service . . . . . . . . . . . . . . . . . . . .41
Captive Portal Graphics . . . . . . . . . . . . . . . . . . . . . . . .42
Building a PPTP VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Performing the Hack: Enabling the VPN . . . . . . . . . . . . . . .45
Configuring Our Community Users . . . . . . . . . . . . . . . . . .50
Hacking the Mind of a Wireless User . . . . . . . . . . . . . . . . . . . .54
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Performing the Hack:The Beginning and the End . . . . . . . .54
Other Hacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Part II Hacking Projects . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Chapter 4 Wireless Access Points . . . . . . . . . . . . . . . . . . .59
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Wi-Fi Meets Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Reflashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Linksys WRT54g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Sveasoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
NewBroadcom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
HyperWRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
eWRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Wifi-box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
Batbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
OpenWRT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
WRT54G Shortcomings . . . . . . . . . . . . . . . . . . . . . . . . . .75
Soekris Single-Board Computers . . . . . . . . . . . . . . . . . . . . . . .75
net4501 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Contents xv
net4511 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
net4521 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .78
net4526 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
net4801 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .79
Soekris Accessories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Proxim 8571 802.11a Access Point . . . . . . . . . . . . . . . . . . . . . .81
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Under the Hood: How the Hack Works . . . . . . . . . . . . . . .89
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Chapter 5 Wireless Client Access Devices . . . . . . . . . . . . .97
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Notebook Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
PCMCIA Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Mini-PCI Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Desktop Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
PCI Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
USB Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Ethernet Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
PDAs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .103
Compact Flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .104
Secure Digital IO Cards . . . . . . . . . . . . . . . . . . . . . . .105
WarDriving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Why Are People WarDriving? . . . . . . . . . . . . . . . . . . . . .106
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .106
Required Equipment . . . . . . . . . . . . . . . . . . . . . . . . .107
WarDriving Software . . . . . . . . . . . . . . . . . . . . . . . . .107
Optional Equipment . . . . . . . . . . . . . . . . . . . . . . . . . .108
WarDriving Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Part III Software Projects . . . . . . . . . . . . . . . . . . . . . . . . .115
Chapter 6 Wireless Operating Systems . . . . . . . . . . . . . .117
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .118
m0n0wall—Powerful, Elegant, Simple . . . . . . . . . . . . . . . . . . .120
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .121
xvi Contents
m0n0wall on a Standard PC . . . . . . . . . . . . . . . . . . . .121
m0n0wall on a Single Board Computer (SBC) . . . . . . . .121
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .122
Downloading a Recent Version . . . . . . . . . . . . . . . . . .123
Creating a CD-ROM from Windows . . . . . . . . . . . . . .123
Creating a Compact Flash (CF) Card from Windows . . .125
Starting Your Standard PC . . . . . . . . . . . . . . . . . . . . . .127
Starting Your SBC . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Configuring m0n0wall . . . . . . . . . . . . . . . . . . . . . . . .134
Under the Hood: How the Hack Works . . . . . . . . . . . . . .148
Pebble—Powerful, Raw, Complete . . . . . . . . . . . . . . . . . . . . .148
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .149
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .150
Creating a Boot CD and Starting Knoppix . . . . . . . . . .150
Configuring the Compact Flash Reader/Writer . . . . . .152
Formatting the Compact Flash Card . . . . . . . . . . . . . . .154
Downloading Pebble . . . . . . . . . . . . . . . . . . . . . . . . . .156
Copying Pebble to the Compact Flash . . . . . . . . . . . . .156
Booting Pebble . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Configuring Pebble . . . . . . . . . . . . . . . . . . . . . . . . . .158
Under the Hood: How the Hack Works . . . . . . . . . . . . . .160
Chapter 7 Monitoring Your Network . . . . . . . . . . . . . . . .163
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .164
Enabling SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .165
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Under the Hood: How the Hack Works . . . . . . . . . . . . . .167
Getif and SNMP Exploration for Microsoft Windows . . . . . . .168
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .168
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Retrieving Device Interface Information . . . . . . . . . . .169
Exploring the SNMP OIDs . . . . . . . . . . . . . . . . . . . . .170
Graphing the Data . . . . . . . . . . . . . . . . . . . . . . . . . . .172
Under the Hood: How the Hack Works . . . . . . . . . . . . . .173
STG and SNMP Graphs for Microsoft Windows . . . . . . . . . . .173
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .174
Contents xvii
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .174
Under the Hood: How the Hack Works . . . . . . . . . . . . . .177
Cacti and Comprehensive Network Graphs . . . . . . . . . . . . . . .177
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .178
Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
RRDTool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Cacti . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Installing Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Installing PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
Installing Perl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
Installing RRDTool . . . . . . . . . . . . . . . . . . . . . . . . . .185
Installing MySQL . . . . . . . . . . . . . . . . . . . . . . . . . . . .186
Miscellaneous Settings . . . . . . . . . . . . . . . . . . . . . . . . .186
Installing Cactid and Cacti . . . . . . . . . . . . . . . . . . . . . .187
Graphing Data in Cacti . . . . . . . . . . . . . . . . . . . . . . . .192
Under the Hood: How the Hack Works . . . . . . . . . . . . . .197
Additional References . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
Chapter 8 Low-Cost Commercial Options . . . . . . . . . . . .199
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Sputnik . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Sputnik Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . .200
Sputnik Control Center . . . . . . . . . . . . . . . . . . . . . . . . . .202
Sputnik Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .204
Pre-Paid Module . . . . . . . . . . . . . . . . . . . . . . . . . . . .205
A Sputnik Revolution . . . . . . . . . . . . . . . . . . . . . . . . . . .207
Sveasoft . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .207
MikroTik . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .209
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
xviii Contents
Chapter 9 Mesh Networking . . . . . . . . . . . . . . . . . . . . .215
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .216
Preparing the Hacks . . . . . . . . . . . . . . . . . . . . . . . . . . . .217
The Basic Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . .218
WDS (Wireless Distribution System) . . . . . . . . . . . . . .220
Real World Example . . . . . . . . . . . . . . . . . . . . . . . . . . . .222
Example Two: LocustWorld Mesh Networks . . . . . . . . . . .222
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .223
Additional Resouces on the Web . . . . . . . . . . . . . . . . . . .224
Part IV Antennas and Outdoor Enclosure Projects . . . . . .225
Chapter 10 Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . .227
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
Before You Start: Basic Concepts and Definitions . . . . . . . . . . .228
Federal Communications Commission . . . . . . . . . . . . . . .234
Attenuation in Cables, Connectors, and Materials . . . . . .236
System Grounding and Lightning Protection . . . . . . . . . . .238
Building a Coffee Can Antenna . . . . . . . . . . . . . . . . . . . . . .240
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .240
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .241
Under the Hood: How the Hack Works . . . . . . . . . . . . . .243
Troubleshooting Common Antenna Issues . . . . . . . . . . . . .244
The Future of Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . . .244
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .245
Chapter 11 Building Outdoor Enclosures and
Antenna Masts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .247
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .248
Building Outdoor Enclosures . . . . . . . . . . . . . . . . . . . . . . . .248
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .249
Selecting a Raw Enclosure . . . . . . . . . . . . . . . . . . . . .249
Hardware Selection . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .255
Metal NEMA 3 Enclosures . . . . . . . . . . . . . . . . . . . . .255
Under the Hood: How the Hack Works . . . . . . . . . . . . . .263
Building Antenna Masts . . . . . . . . . . . . . . . . . . . . . . . . . . . .263
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .264
Contents xix
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
The Free-Standing Antenna Mast . . . . . . . . . . . . . . . . .265
Direct Mount Antenna Masts . . . . . . . . . . . . . . . . . . . .269
Lightning Protection . . . . . . . . . . . . . . . . . . . . . . . . . .272
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .273
Chapter 12 Solar-Powered Access Points
and Repeaters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .275
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .276
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .276
Calculating Power Requirements . . . . . . . . . . . . . . . . .276
Battery Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . .279
Selecting a Solar Panel . . . . . . . . . . . . . . . . . . . . . . . .281
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .286
Solar Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Electrical . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .288
Electronics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .294
Under the Hood: How the Hack Works . . . . . . . . . . . . . .295
The Batteries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
The Solar Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . .296
Appendix A Wireless 802.11 Hacks . . . . . . . . . . . . . . . . .299
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Wireless NIC/PCMCIA Card Modifications: Adding an
External Antenna Connector . . . . . . . . . . . . . . . . . . . . . . .301
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .302
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .303
Removing the Cover . . . . . . . . . . . . . . . . . . . . . . . . .303
Moving the Capacitor . . . . . . . . . . . . . . . . . . . . . . . .305
Attaching the New Connector . . . . . . . . . . . . . . . . . . .307
Under the Hood: How the Hack Works . . . . . . . . . . . . . .308
OpenAP (Instant802): Reprogramming Your Access Point
with Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .308
Preparing for the Hack . . . . . . . . . . . . . . . . . . . . . . . . . .309
Performing the Hack . . . . . . . . . . . . . . . . . . . . . . . . . . . .310
Installing the SRAM Card . . . . . . . . . . . . . . . . . . . . . .311
Power Me Up, Scotty! . . . . . . . . . . . . . . . . . . . . . . . . .314