If you conduct online business under an alias such as “Mr. Green” or “Zero Cool” then using wireless networks that do not belong to you and have no connection to you is a great way to cover your tracks. You might just be a small time spammer trying to pay your rent. You could be a hacktivist preparing to deface a website. You could be many things and have numerous goals but the anonymity provided by using wireless networks that have no connection to you is golden.
In this article I’ll cover wireless networks and how to gain access to them, masking the identity of your hardware on those networks, and the laws that relate to computer crime and what you could be convicted of. I’ve a section of other simple tips as well, such as erasing log files and masking your physical self from cameras and people, such as that lady who was bringing you your coffee at Starbucks while you were redirecting DNS records for msnbc.com to lemonparty.
I only touch the surface of these topics, but a lot of this information is still not utilized, either because people breaking the law don’t realize they should be doing more to hide their real identity or because they’re just too lazy. Either way, people are still getting caught, fined and imprisoned for crimes they’ve committed from wireless networks when they should have been completely anonymous.
Gaining Access
There are a lot of wireless access points out there that are left wide open, requiring no sort of authentication at all. A network like this has its advantages because you’re probably not the only one doing something shady on it and there are probably many others doing nothing shady at all. There is most likely a large volume of traffic on the network and network equipment will be flushing and writing over log files fairly quickly.
There are times when you cannot find an open network, so you’ll have to go a step further and gain entry to a network using some form of encryption. One of the most widely used encryption algorithms is WEP. In fact, there are internet service providers who still set up customers’ wireless routers with WEP encryption by default. WEP contains some serious weaknesses which allow it to be cracked very quickly with free and open source tools. The newer WPA and WPA2 standards can only be cracked via a dictionary attack against a captured pre-shared-key handshake. Basically, if the access point uses WPA or WPA2 and has a long and complex password which does not exist in your password file, you’re never going to get in.
So what software is out there for you to do this? Well, the easiest way I’ve found is using the Aircrack-ng suite with the BackTrack Linux distribution.
The Aircrack-ng Suite
The Aircrack-ng suite is really the standard software used for cracking access points using WEP or WPA/WPA2. For the purposes of quickly cracking WEP you should learn how to use the following from the suite:
- aircrack-ng – For cracking WEP/WPA/WPA2.
- airodump-ng – The packet sniffer. You’ll use this to capture packets to an IVS file for WEP or to capture a WPA handshake to then be cracked with aircrack-ng.
- airmon-ng – You’ll use this to put your wireless card into monitor mode.
- aireplay-ng – The packet injector. This you will use to generate ARP packets, disconnect clients, etc.
There are other tools in the suite as well but you won’t need them in most situations. You won’t learn how to use them just by reading this article either. This is something you need to research on your own and practice. I will provide you with the information to get started including links to information on the algorithms and the instructions on the Aircrack-ng site for cracking WEP and WPA/WPA2.
You’ll also need an operating system to run the suite from (Linux or Windows). I recommend Linux, specifically the BackTrack distribution (just like everyone else usually recommends) because it has been geared towards penetration testing and already contains everything you need. If you use the live CD distribution of BackTrack without mounting any physical media to write to you will also be preventing any evidence or artifacts from being left behind on the hard drive on your machine (like information in this article). If you use the virtual machine, make sure you fully encrypt your hard drive to prevent a forensics examination if your laptop is seized.
Aircrack-ng.org has provided very thorough and informative tutorials on cracking WEP and WPA. So there is no sense in me re-writing them here.
Wired Equivalent Privacy (WEP Encryption)
Tutorial: Aircrack-ng’s Simple WEP Crack
“This tutorial walks you through a very simple case to crack a WEP key. It is intended to build your basic skills and get you familiar with the concepts. It assumes you have a working wireless card with drivers already patched for injection.”
WiFi Protected Access (WPA/WPA2)
Tutorial: Aircrack-ng’s Cracking WPA
“This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys.”
“WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don’t bother trying to crack it.”
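The weaknesses listed above (WEP, WPA version 1 with TKIP, and a pre-shared key that sits in a wordlist) are all visible in an access point’s configuration before anyone captures a single packet. The following is an added example, not code from this article or from the Aircrack-ng project: it parses a configuration in the key=value style hostapd uses (the key names wep_key0, wpa, wpa_pairwise, rsn_pairwise, wpa_key_mgmt and wpa_passphrase are real hostapd options; the two sample configurations and the tiny wordlist are constructed for the example) and reports which of those weaknesses it finds.

```python
"""Audit a hostapd-style access point configuration for the weaknesses the
article describes (WEP, WPA version 1 and TKIP, weak pre-shared keys).
Added example: not code from the article or from the Aircrack-ng project."""

# Constructed sample configurations; these are not real access points.
WEAK_CONF = """\
interface=wlan0
ssid=HomeNet
wep_default_key=0
wep_key0=0123456789
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

HARDENED_CONF = """\
interface=wlan0
ssid=HomeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple-99
"""

# Stand-in for a dictionary-attack wordlist (constructed; a real check would
# consult a large wordlist of the kind aircrack-ng is fed).
COMMON_PASSPHRASES = {"password", "12345678", "qwertyui", "letmein1"}


def parse_hostapd(text):
    """Turn key=value lines into a dict, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    uses_wep = "wep_default_key" in conf or any(k.startswith("wep_key") for k in conf)
    wpa = int(conf.get("wpa", "0"))  # hostapd bit field: 1 = WPA, 2 = WPA2, 3 = both
    if uses_wep:
        findings.append("WEP key configured: WEP is broken and its key is recoverable in minutes")
    if wpa == 0 and not uses_wep:
        findings.append("open network: neither WPA nor WPA2 is configured")
    if wpa & 1:
        findings.append("WPA version 1 enabled: set wpa=2 to allow WPA2 only")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} permits TKIP: use CCMP only")
    if "WPA-PSK" in conf.get("wpa_key_mgmt", "").split():
        passphrase = conf.get("wpa_passphrase", "")
        if len(passphrase) < 8:
            findings.append("wpa_passphrase shorter than the 8-character minimum")
        elif passphrase.lower() in COMMON_PASSPHRASES:
            findings.append("wpa_passphrase is on the common-password list: a dictionary attack will find it")
        elif len(passphrase) < 16:
            findings.append("wpa_passphrase is short: prefer 16+ characters or a random key")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_hostapd(text)) or ["no findings"])
```

The hardened configuration produces no findings; the weak one produces four, one per weakness the article names. Swapping COMMON_PASSPHRASES for a real wordlist turns the passphrase check into the same test a dictionary attack would run, only before the network goes live.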
Working Wireless Cards
I personally have the following adapter which works great: Alfa 500mW 802.11b/g USB Wireless WiFi Adapter
There is a cheaper version which does not come with the 9dBi antenna here.
This is a USB adapter with an RP-SMA connector which allows you to add larger compatible antennas. I’ve a 9 dBi antenna as well as a custom cantenna which both work great with this adapter and allow it to sniff traffic from far away. The adapter is recognized immediately on the BackTrack distro as well.
Backtrack: Tested & Working Wireless Cards
Tutorial: Is My Wireless Card Compatible? – Aircrack-ng.org
MAC Address Spoofing
Spoofing your MAC address on a LAN can be very beneficial. The biggest reason you’re going to want to spoof your MAC address is to keep your real hardware address out of any network logs. At some point you may also come across an access point that has MAC filtering enabled; such an access point only allows clients whose MAC addresses are on its allowed list to connect to the network.
When an access point is using MAC filtering you can view currently connected wireless clients and their hardware addresses with airodump-ng. So then it’s as simple as spoofing your MAC address to one of those that are successfully connected to that access point.
Linux – BackTrack Distribution
The BackTrack distribution makes things very easy as it has the macchanger software already available (I believe many distributions do). To use macchanger you will have to first take down the device and then use the program like so:
- ifconfig [device] down
- macchanger --mac 00:11:22:33:44:55 [device]
- ifconfig [device] up
Windows XP
There are a million programs out there for Windows which allow you to easily and quickly modify the MAC address of your network adapters in the registry. Just as an example, I’ve used the free software Mac MakeUp, which works like a charm.
On Windows XP you can use the command “ipconfig /all” to view detailed stats about your current network adapters, including MAC addresses. However, an easier way to do this is to use the command “getmac /V” to list just network adapters and MAC addresses.
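From the network owner’s side, a cloned address is not invisible: when two machines share one MAC, the DHCP server sees the same hardware address present different hostnames within minutes, and software-chosen addresses often have the locally-administered bit set. The following is an added example, not code from this article or from macchanger: it reads ISC dhcpd-style DHCPACK syslog lines (the log excerpt, hostnames and addresses are constructed; the log format is an assumption) and reports both signals.

```python
"""Look for signs of MAC address cloning in DHCP server logs.  Two cheap
signals: one hardware address presenting different hostnames within a short
window (two machines sharing one address), and addresses with the
locally-administered bit set (typical of software-chosen addresses).
Added example; not code from the article or from macchanger."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ISC dhcpd-style syslog lines; hosts and addresses are invented.
SAMPLE_LOG = """\
Mar  3 09:01:12 gw dhcpd: DHCPACK on 192.168.1.23 to 00:11:22:33:44:55 (johns-iphone) via wlan0
Mar  3 09:02:40 gw dhcpd: DHCPACK on 192.168.1.24 to 3c:5a:b4:10:20:30 (kitchen-tv) via wlan0
Mar  3 09:14:55 gw dhcpd: DHCPACK on 192.168.1.23 to 00:11:22:33:44:55 (bt) via wlan0
Mar  3 09:15:02 gw dhcpd: DHCPACK on 192.168.1.23 to 00:11:22:33:44:55 (johns-iphone) via wlan0
Mar  3 09:20:17 gw dhcpd: DHCPACK on 192.168.1.31 to 02:de:ad:be:ef:01 (laptop) via wlan0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>[0-9a-fA-F:]{17}) \((?P<host>[^)]*)\) via"
)


def parse_dhcp_log(log, year=2010):
    """Return (timestamp, mac, hostname, ip) tuples; syslog omits the year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["mac"].lower(), m["host"], m["ip"]))
    return events


def locally_administered(mac):
    """True if the U/L bit of the first octet is set (second hex digit 2, 6, A or E)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def hostname_churn(events, window=timedelta(minutes=15)):
    """Map MAC -> set of hostnames it presented within `window` of each other."""
    by_mac = defaultdict(list)
    for ts, mac, host, _ip in events:
        by_mac[mac].append((ts, host))
    churn = {}
    for mac, seen in by_mac.items():
        seen.sort()
        for i, (ts, host) in enumerate(seen):
            for later_ts, later_host in seen[i + 1:]:
                if later_ts - ts > window:
                    break
                if later_host != host:
                    churn.setdefault(mac, set()).update({host, later_host})
    return churn


def report(log):
    """Summarise both signals for a log excerpt."""
    events = parse_dhcp_log(log)
    return {
        "hostname_churn": hostname_churn(events),
        "locally_administered": sorted({mac for _ts, mac, _h, _ip in events
                                        if locally_administered(mac)}),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

On the sample log the address 00:11:22:33:44:55 is flagged because it answered as both johns-iphone and bt within fifteen minutes, and 02:de:ad:be:ef:01 is flagged as locally administered. Neither signal proves spoofing on its own (laptops get renamed, and some vendors ship locally-administered addresses), which is why the report keeps them separate for an analyst to weigh.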
The Law
Unauthorized access involves trespassing in, communicating with, storing data in, retrieving data from, intercepting data on, and changing or modifying computer resources without consent. The state and federal laws listed here, with links to them, are all things you can be charged with for accessing wireless networks you do not own in order to commit crimes. I’m no lawyer, so I’ll provide examples of real cases that have happened whenever possible.
Computer Fraud and Abuse Act, 18 USC 1030
You may be violating the CFAA if you were to gain access to a secured network by cracking its encryption keys or password. You will be violating the CFAA if you gain access to a machine which you use to send spam. If you sniff traffic on an open or closed network you can be charged and are in violation of the CFAA as well.
“In 2004, a man was convicted of piggybacking onto a Lowe’s open WiFi network in order to steal the credit card numbers that the store was transmitting over the open network.” Link
Interception and disclosure of wire, oral, or electronic communications prohibited, 18 USC 2511
“intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication … ”
Section 2511 could cover the use of software to sniff traffic on a network, such as using Ettercap or Cain & Abel to ARP poison a network and sniff passwords or other details.
There is a hefty list of state laws as well. You can find one large list here.
Fact is, there are a lot of laws you are probably going to be violating. So don’t be stupid. Learn from the mistakes of others. Even if you are caught stealing WiFi from your car you should still be able to talk your way out of a situation if you are properly prepared. As I mentioned earlier, the use of full disk encryption along with custom boot messages could be very beneficial. If you are using TrueCrypt you should modify strings in the boot loader like in a previous post of mine.
This page at cybertelecom.org (link) was a great read. Some Federal and State laws are covered on that page as well as some real cases involving people who were caught.
Other tips
- Erase log files from network equipment such as the gateway device/SOHO router. If you’ve spoofed your MAC address I wouldn’t bother though.
- Wear some shades if you visit an internet cafe and don’t pose for the cameras.
- Use TrueCrypt or other software to fully encrypt your hard drive and enable a custom boot loader message like, “Missing operating system.” This will give you a strong argument to social your way out of certain situations. My lame excuse would be something like, “I just remembered I have a few important work documents that I need to make sure I put on my laptop, so I pulled over to check and now I can’t get my computer to start.”
- Something that is overlooked is using services such as email, instant messaging and forums. For example, if you defaced the homepage for NASA and then posted on a forum to brag about it only to then go home and on your own network leave another reply on that forum, you’re screwed. Same with using email and instant messaging services. Be careful if you have an instant messenger or email client that pulls email automatically when you have a connection to the internet. If there is any suspicion at all that you are involved it will only take a simple look at some log files to see that your home IP as well as the IP from the wireless network both accessed your personal email account.
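The last tip describes exactly the correlation an investigator runs: take the IP address seen during the incident, find every account it touched, and list every other address that used the same accounts. The following is an added example, not code from this article: it performs that pivot over Common Log Format access-log lines with the authuser field filled in (the log excerpt uses documentation IP ranges and invented user names, and the assumption that the server records the logged-in user in that field).

```python
"""Pivot from one source IP to the accounts it used and every other IP that
used those same accounts, over Common Log Format lines with the authuser
field filled in.  This is the correlation the article warns about, written
from the investigator's side.  Added example; not code from the article."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed CLF-style access log; IPs are documentation ranges, users invented.
SAMPLE_LOG = """\
203.0.113.7 - zerocool [03/Mar/2010:21:04:11 +0000] "POST /login HTTP/1.1" 200 512
198.51.100.20 - alice [03/Mar/2010:21:09:40 +0000] "POST /login HTTP/1.1" 200 512
203.0.113.7 - zerocool [03/Mar/2010:21:12:03 +0000] "GET /mail/inbox HTTP/1.1" 200 2048
203.0.113.9 - - [03/Mar/2010:21:13:30 +0000] "GET / HTTP/1.1" 200 1024
192.0.2.44 - zerocool [04/Mar/2010:08:30:27 +0000] "POST /login HTTP/1.1" 200 512
192.0.2.44 - zerocool [04/Mar/2010:08:31:02 +0000] "GET /mail/inbox HTTP/1.1" 200 2048
198.51.100.20 - alice [04/Mar/2010:09:00:00 +0000] "GET /mail/inbox HTTP/1.1" 200 2048
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_clf(log):
    """Return (ip, user, timestamp) for authenticated, successful requests."""
    events = []
    for line in log.splitlines():
        m = CLF_RE.match(line)
        if not m or m["user"] == "-" or m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], m["user"], ts))
    return events


def ips_by_user(events):
    """Map each account to the set of source IPs that used it."""
    table = defaultdict(set)
    for ip, user, _ts in events:
        table[user].add(ip)
    return table


def accounts_seen_from_several_ips(events):
    """Accounts used from more than one source address."""
    return {user: ips for user, ips in ips_by_user(events).items() if len(ips) > 1}


def pivot(events, suspect_ip):
    """For one source IP, every account it used and the other IPs on those accounts."""
    table = ips_by_user(events)
    return {
        user: sorted(ips - {suspect_ip})
        for user, ips in table.items()
        if suspect_ip in ips
    }


if __name__ == "__main__":
    ev = parse_clf(SAMPLE_LOG)
    print(accounts_seen_from_several_ips(ev))
    print(pivot(ev, "203.0.113.7"))
```

Starting from the wireless network’s address 203.0.113.7, the pivot returns the account zerocool and the second address 192.0.2.44 that read the same inbox the next morning, which is the whole case in two log lines. Unauthenticated requests (authuser "-") and non-200 responses are skipped so that failed logins from unrelated addresses do not pollute the result.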
If you have tips then please post them! I encourage you to comment on the information in this article and share your ideas, thoughts, criticism, etc.

Two things to add..
(1) BackTrack also has a lesser known WEP attack tool that’s part of the Aircrack-ng suite known as “wesside-ng”. It’s used for a PoC and kind of a lazy tool, but when it works, it’s extremely fast. (http://shuurl.com/E3578)
(2) If you have some money to spend, check out AirPcap for cracking/testing security of wifi networks. It’s quick and easy… works well with Cain & Abel too. (http://shuurl.com/J3579)
I was using SMAC and this freeware MAC changing app seems to do the exact same thing lol
I also need a new wireless adapter for my laptop so I am gonna give the one you recommend a go. I have read recommendations for it elsewhere as well.
Lots of programs automatically send connections back to their servers when you don’t realize it. Instant messenger programs of course, but most pieces of software you run will be automatically checking for updates, weather applets will be checking the weather of your home town, Windows will be looking for Samba shares and broadcasting your own shares, etc. Windows is a particularly “noisy” operating system. If you boot up your computer, connect to a network, and don’t open any programs except Wireshark to sniff your own traffic, you’ll see tons of stuff go by that you probably had no idea you were sending out.
If you’re a Linux ninja you should be able to boot directly into BackTrack (or whatever distro) and only start services and programs that you know won’t send out packets. If you use Windows or a Mac, closing all unnecessary programs and using an outbound firewall are your best bet. Mac OS has one called Little Snitch, and I’m sure there are good ones out there for Windows too if you Google for them.