War drivers are in the business of finding wireless access points, documenting them and uploading their locations to the web. Why would someone do this? There are several reasons:
First, they want free internet access. Next, they could just be war driving as a hobby. Finally, they could be targeting your network for financial gain.
One of the most asked questions is how to stop hackers from trying to hack your wireless LAN and how to catch them in the act.
1. Use directional antennas: One of the most understated uses of directional antennas is keeping your wireless signal within your area of operation. If you are using an omnidirectional antenna that is causing half the signal to travel outside your building, you have a major security problem. Also, while using your directional antenna, turn down transmit power to reduce your signal strength if you can.
2. Blend your wireless antennas into your building's architecture or keep them low profile. This is not expensive; the whole point is not letting your antennas stick out like a sore thumb, so anyone driving by doesn’t say, "Wow, they have a wireless network." Once again, the best way to stop people from trying to hack your wireless network is to keep it hidden.
3. Use Kismet or AirSnort – Make a cheap wireless intrusion detection system. Take an older desktop computer, install Linux, add a USB or PCI wireless adapter, and you have your wireless war driver stopper. Both Kismet and AirSnort will alert you when wireless clients are probing your network. If a wireless client is using NetStumbler and not joining networks, it will be found by Kismet. The wireless adapter's MAC address will be logged, along with other details of the operating system. Most of the time these could be false hits, but if you notice a pattern of the same MAC address probing networks you could have hacker issues.
4. Security Cameras – No matter how hard you try not to have your signal bleed outside your operations area, it will…to a point. Probe your own network as if you were a wardriver. Don’t just use a standard wireless adapter to find out where you can still detect your network; use a highly directional antenna to see how far away you can detect it. Once you know your weak points, set up some cheap security cameras to monitor those areas.
5. Set Up a Honeypot – Give the wardriver what they want: a network to hack. Take an access point and connect it to a standalone switch with another junk computer connected to that switch. Name the SSID something important-sounding like server WLAN and name the computer Database. Finally, use a weak password or just leave the access point without any security. Script kiddies who say they “hack networks” really are only connecting to open wireless LANs with no security. If you give them an “important-sounding” SSID with a “database to hack”, this will keep them occupied until you can track them down. There are many honeypot programs, free and commercial, that will simulate networks or servers but are really just recording all the hackers’ information and types of attacks.
6. Use a RADIUS Server – RADIUS servers require wireless clients to authenticate with a username and password, not just with a PSK (Pre-Shared Key). Without a RADIUS server you really don’t know who is on your WLAN. With a RADIUS server you know who is accessing your WLAN and when they accessed it. A RADIUS server also gives you the ability to create policies for the times your WLAN can be accessed and for other required security features the wireless clients must have enabled on their computers.
Now let’s put this all together to catch our hacker. First you are going through your daily routine of checking logs on your Kismet IDS server and you notice the same MAC address probing networks but not joining. Next you check your help tickets and notice that in one area of the building clients were having trouble connecting to the wireless network or they had trouble staying connected.
Flags go up in your head, so you go over to your honeypot server and check that. You notice it was accessed around the same time the Kismet logs showed a client probing the network. The honeypot recorded the MAC address of the war driver, the operating system and the computer name.
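The log check described in step 3 and in the walkthrough above (the same MAC probing repeatedly without joining, then a honeypot access at around the same time) can be scripted. The following is an added example, not code from the original article: the CSV layout, MAC addresses, timestamps, function names and the 30-minute window are all constructed assumptions, and real Kismet or honeypot logs would first need exporting into this shape.

```python
import csv, io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in an assumed CSV layout (not Kismet's native format).
IDS_LOG = """\
2024-03-04T08:00:00,02:00:00:cc:dd:02,probe
2024-03-04T08:01:00,02:00:00:cc:dd:02,assoc
2024-03-04T09:12:00,02:00:00:aa:bb:01,probe
2024-03-05T09:15:00,02:00:00:aa:bb:01,probe
2024-03-05T12:00:00,02:00:00:ee:ff:03,probe
2024-03-06T09:10:00,02:00:00:aa:bb:01,probe
"""
HONEYPOT_LOG = """\
2024-03-05T09:20:00,02:00:00:AA:BB:01
2024-03-05T12:05:00,02:00:00:EE:FF:03
"""

def parse(text, fields):
    """Parse CSV text into dicts with a datetime 'time' and lower-cased 'mac'."""
    rows = csv.DictReader(io.StringIO(text), fieldnames=fields)
    return [dict(r, time=datetime.fromisoformat(r["time"]), mac=r["mac"].lower())
            for r in rows]

def repeat_probers(ids_rows, min_days=2):
    """MACs seen probing on >= min_days distinct days that never associated."""
    probe_days, joined = defaultdict(set), set()
    for r in ids_rows:
        if r["event"] == "assoc":
            joined.add(r["mac"])
        elif r["event"] == "probe":
            probe_days[r["mac"]].add(r["time"].date())
    return {mac: sorted(days) for mac, days in probe_days.items()
            if len(days) >= min_days and mac not in joined}

def correlate(ids_rows, pot_rows, window=timedelta(minutes=30)):
    """Honeypot connections by a repeat prober within `window` of one of its probes."""
    suspects = repeat_probers(ids_rows)
    hits = []
    for p in pot_rows:
        if p["mac"] not in suspects:
            continue  # one-off passers-by and clients that joined are ignored
        near = [r["time"] for r in ids_rows
                if r["mac"] == p["mac"] and r["event"] == "probe"
                and abs(r["time"] - p["time"]) <= window]
        if near:
            closest = min(near, key=lambda t: abs(t - p["time"]))
            hits.append((p["mac"], p["time"], closest))
    return hits

if __name__ == "__main__":
    ids = parse(IDS_LOG, ["time", "mac", "event"])
    for hit in correlate(ids, parse(HONEYPOT_LOG, ["time", "mac"])):
        print("suspect %s: honeypot at %s, probe at %s" % hit)
```

Clients that randomize their MAC address while probing will not form a repeat pattern, so treat a match as a lead to corroborate with the help tickets and camera footage rather than as an identification.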
Next you check your security cameras for that time but don’t really notice anything. So for the next couple of days you keep monitoring your honeypot server and watch the hacker try to crack the WLAN and the database server. The whole process of cracking wireless encryption is actually two steps. The first step is gathering enough packets for your cracking program to crack. This process of gathering enough packets can take days or weeks, not five minutes. Once you do have enough packets, 64 bit WEP encryption can be cracked in less than five minutes. 128 bit encryption can take many times longer, and WPA with TKIP and AES encryption can take months to crack.
My whole point is that you have some time to catch your hacker because he will be back many times, assuming that you already have at least the basic security features in place.
Now once you have all your logs compiled and your honeypot data, you should have a good idea of how the hacker behaves. Check your security cameras and you will probably notice the same car or person in the area around that time. Take that information to your in-house security and tell them to watch for that vehicle or person and call the police.
If you are lucky, security or police will spot him and apprehend him. Convicting him or her will be tough, but with your compiled logs and video you should have a lot of evidence to help your case.