Guide to (mostly) Harmless Hacking LANJacking: the New Hacker Mecca Getting free Internet access through IEEE standard 802.11b wireless Ethernet LANs (often called Wi-Fi LANs or WLANs) is the newest and biggest ever hacker scene. In many areas you can get free access legally through Wi-Fi systems run by volunteers. Elsewhere, it's the wild west all over again, with spammers, computer criminals, and mostly harmless hackers running wild on WLANs whose owners have no concept of what they are hosting. First we will cover the easy stuff: how to break into a WLAN that doesn't authenticate users (LANJacking). These are fairly common. To do this, get a laptop with a wireless NIC (WNIC). Configure your NIC to automatically set up its IP address, gateway and DNS servers. Then, use the software that came with your NIC to automatically detect and get you online. For example, with an Orinoco NIC, in Client Manager set the SSID (service set identifier required to be able to exchange packets on that WLAN) to be "any" or "null." Then from the Advanced menu select Site Manager. That should show you all available Wi-Fi access points. Once you are set up to detect WLANs, then for happiest hunting, start driving (wardriving) or walking (stumbling) around an area with businesses or apartment buildings. Susan Updike points out, "Don't forget airports - many VIP lounges, etc. have wireless hubs accessible from inside the airport or even in the parking lots." How do you know when you've gotten online? One way is to run an intrusion detection system that alerts you when you get any kind of network traffic. An easier and faster way to find those access points and choose the one you want to use is to run Network Stumbler, at It shows you all Wi-Fi access points within range of you. Network Stumbler runs on Windows desktop and laptop machines, and Mini Stumbler runs on Wi-Fi-enabled PDAs. Netstumbler-like software is available for MacOSX with either an internal AirPort card or any PCMCIA Wi-Fi card at For NetBSD,OpenBSD,and FreeBSD you can get BSD-Airtools at If you want to locate vulnerable WLANs in wholesale lots, there is an even more interesting tool. At you can download Kismet, a WLAN sniffer that also separates and identifies many wireless networks in the area you are testing. A version of Kismet for is available for Linux. Kismet also supports FreeBSD, OpenBSD and MacOSX. Kismet works with any 802.11b wireless card that is capable of reporting raw packets (rfmonsupport). These include any Prism2 based card (Linksys, D-Link, Rangelan, etc), Cisco Aironet cards, and Orinoco based cards. Kismet also supports the WSP100 802.11b remote sensor by Network Chemistry and is able to monitor 802.11a networks with cards using the Ar5k chipset. Here's where it gets interesting. There is a version that allows you to deploy many Kismet sensors for distributed sniffing. Each "drone" sensor sends packets over a TCP connection to a Kismet server. Its output can be piped into Snort ( and some other Intrusion Detection Systems (IDS). You can get an idea of where easy-access Wi-Fi access points exist in abundance at and If you hunt on foot, keep an eye out for chalk marks on sidewalks or walls. These often denote Wi-Fi access points. If you would rather hunt while sitting in your hacker lab, you can get into WLANs that are tens of kilometers away by using a directional antenna. is an example of a place where you can buy these. There are many commercial products for detecting WLANs. They are often used in companies that have problems with employees setting up unauthorized access points. For example, AirMagnet ( can run on the iPAQ PDA, and detects problems such as a Wi-Fi access point advertising its SSID. It is legal to detect WLANs, but not to use some of the wireless systems you may access. It is best to make sure a WLAN is open to the public before using it. However, unless it requires some sort of authentication to log on, law enforcement won't waste time pursuing casual visitors to WLANs. If you do this and get busted anyhow, well, that's the risk you take in any unauthorized computer access. Now we come to the slightly hard part. How do you break in if the WLAN asks for some sort of authentication? Wired Equivalent Privacy (WEP) is a common way to authenticate, and can be broken in minutes if you have a computer with a reasonably fast CPU. Since some Wi-Fi hardware is incompatible with better ways than WEP to authenticate, chances are you can find a lot of WEP nets floating around. Airsnort is an example of a program that cracks WEP keys. Once it has captured enough packets it can usually crack WEP in a second or so, if running on Linux with a reasonably fast CPU. Airsnort has varieties that run on BSD, Linux, OS X and Windows, and can be downloaded at Now we come to the super hard part: WiFi Protected Access (WPA). It's the latest, greatest way to keep intruders from abusing Wi-Fi. It can work, for example, with Windows Remote Authentication Dial-In Services to authenticate users - and keep the uninvited out. At this writing no technique has been publicized to break it. However, if by the time you read this, a way has been discovered, here are some web sites that are likely to offer downloads of the tools that do it, and instructions for their use. This Guide has been excerpted from the upcoming Second Edition of "šberhacker! How to Break into Computers," by Carolyn Meinel. You can see a version of this Guide with screen shots included at You are welcome to post this Guide to your web site or forward it to other people. Happy hacking! ___________________________________________________________ This is a Guide devoted to *legal* hacking! If anyone plans to use any information in this Guide to commit crime, check out to find out what happens to bad hacker girlz and boyz. You are welcome to join our chat groups at Or join our email discussion groups. You can do so by emailing: Linux-for-Everyone-subscribe@yahoogroups.com Moderator: Debbie, zzz_debbie@yahoo.com hh-unix-subscribe@yahoogroups.com Moderators: Phil Dibowitz phil@ipom.com and Tom Massey hhwindows-subscribe@yahoogroups.com Windows moderators: John Demchenko and Michael Devault hhnetwork-subscribe@yahoogroups.com Moderator: Tanvir Ahmed hhprogramming-subscribe@yahoogroups.com Moderator: Tanvir Ahmed Clown Princess and author of this Guide to (mostly) Harmless Hacking: Carolyn Meinel, cmeinel@techbroker.com, (505)281-9675 Happy Hacker, Inc. is part of a 501 (c) (3) tax deductible organization ___________________________________________________________ To unsubscribe from this group, send an email to: happyhacker-unsubscribe@egroups.com See for hacking news and tutorials. See to see what's new in the latest edition of Meinel's book The Happy Hacker.