In my previous
article about wireless security and hacking, I introduced common security
threats in WLANs and ways that wireless hackers use them to break into a wireless
network. Before a wireless hacker breaks into a WLAN, he/she must identify a
suitable open network to launch her/his attack. This article explains what the
common methods for wireless scanning are, and how to get protected against them
What is wireless scanning?
Wireless scanning is a method to find an available wireless network access point.
It allows you to identify wireless networks through the use of WNIC (wireless
network interface card) running in promiscuous mode and a software that will
probe for access points. Once an open wireless access point is found, the wardriver
usually maps it, so at the end he would have a map of access points with their
properties (SSID, WEP, MAC etc.). Whenever the attacker wants to return into
the network, he/she usually logs packets for later analysis, or to run them
though a WEP key cracker when a weak key is being used.
There are many different types of wireless scanning. The most known and used
scanning method is Wardriving, next comes Warchalking. There are many other
methods such as Warstrolling, Warflying etc., however this articles deals with
Wardriving and Warchalking only.
The term “war”, which is used in Wardriving, Warchalking etc., was taken from
the old days of WarDialing. WarDialing, the hacking practice of phoning up every
extension of a phone network until the number associated with a modem is hit
upon, has been replaced by WarDriving with the introduction of wireless LANS.
WarDriving – Let’s take a drive…
Wardriving is the first and well known method used to find available wireless
networks (means unsecured). It is usually done with a mobile device such as
a laptop or iPaq. Wardriving scanning is accomplished in an easy way: the attacker
takes the device with him/her into a car, and detects networks (NetStumbler
for Windows, BSD-AriTools for BSD, and airsnort for Linux). Once an open access
point is detected, the attacker maps it, explores, or stumbles into a pipe to
The equipment necessary to WarDrive is: A wireless network interface card (PCMCIA),
a device capable of locating itself on a map (GPS, not always necessary), a
laptop or any other mobile device, Linux Red Hat or Debian (Windows is not recommended),
Wireless tools (WEPCrack, AirSnort etc.).
The equipment is all off the shelf and pretty inexpensive.
WarChalking – The hobo language
“Now a new 'language' is developing, WarChalking. The idea is based on the 'hobo
symbols' and is there to tell persons on the street where there is an open wireless
network node, and what the settings are. It may look like incomprehensible squiggles,
and most people would walk past thinking it is odd graffiti, but it conveys
a lot of info that is understood by the hackers. Furthermore, it is now being
adopted by those that are sharing networks voluntarily as a way to give the
info out to the community.' – Zig
WarChalking was conceived by a group of friends in June 2002, and published
by Matt Jones.
WarChalking is simply drawing a chalk symbol on a wall or pavement to indicate
the presence of a wireless network, so that other can easily notice it and the
details about it. WarChalking is a the modern version of the hobo sign language,
which was used by low-tech kings of the road to alert each other to shelter,
food and potential trouble. The chalks symbols are nothing more than giving
a visual cue to of a wireless network.
The following are the WarChalking symbols:
SSID Open Node
SSID Closed Node
WEP Node SSID Access Contact
( W )
Example for a WarChalking symbol:
This symbol indicates a open node with SSID “Retina” and bandwidth equal to
With the use of these symbols, wardrivers can a lot about the node, and whether
this is a worth network. Anyone initiated in the ways of WarChalking will recognize
what it means, and get online.
Securing a wireless network is much simpler than securing a wired network. Building
a secure wireless network can be done within few steps. So, you ask yourself
“why then it’s easy to break into a wireless network?” the answer is very simple.
Whenever a company wants to connect their employees wirelessly into the company
network, the administrators often forget to change the default settings of a
router, firewall, access point, enabling WEP and more.
Further more, far too many systems administrators forget that the wireless network
extends beyond the walls of a building. There may be security guards at the
door, and firewalls on the fixed cable network, but the wireless back door is
The Wireless network security issues are not discussed in this article. WLANs
security issues were discussed in my previous article “Wireless
Security & Hacking”.
Links & Sources
- Map server listing wireless access points.
- GPS driving software for Linux.
- Wireless console bases sniffer. It supports GPS and has a lot of features.
- Wireless GUI sniffer for breaking WEP keys.
- FreeBSD WScan
- WarChalking Symbols
- WEPCrack – Linux
- Fake AP - Linux
- PrismStumbler – Linux
- SSID Sniff – Linux
- Hobo Symbol Type Font
If you have any questions, suggestions, ideas, comments regarding this article;
feel free to contact me at firstname.lastname@example.org,
or at email@example.com.