Here’s a walk-through :

• type the following command into your iTouch Terminal.app (assuming you’ve installed the BSD subsystem) :

tcpdump -v -s 65535 -w log.txt

• once you’ve collected enough packets, cancel the command (ctrl c), AFPd the file from the iTouch to your Mac and open it with Wireshark (this is the most convenient way to install binaries under Leopard as well as an updated version of X11. For other platforms, or source code, see here)

• do whatever black magic you feel you have to perform using Wireshark (the new name for Ethereal) or other password crackers

Starting an iTouch in a network-rich environment you will be asked which network you want to connect to (see for example this wardriving video). However, if you need more information on the networks, there is a port of the OSX-tool iStumbler for the iPhone/iTouch : Stumbler (available also from the Install.app under Network). This morning I flipped open my iTouch in a generic street near the University and was surrounded by 12 wireless networks, 6 of them wide open…

One may then ask : what about less innocent wardriving tools such as Kismet or Ethereal itself? The problem with porting those seems to be that no-one knows whether the iTouch wireless driver can be put into ‘promiscuous mode’ (see for example this thread).

Once you have collected open networks at your favourite places or have passwords to closed networks, it would be nice if the iTouch would auto-detect these and connect to them without you having to remember the particular name or having to type in username/password combinations. Surprisingly, this is possible thanks to the people at devicescape.com. Create a free login, then get Devicescape Connect (available under Network) run it and write down the pincode you are given and follow the instructions to complete the installation. You can then edit your Wi-Fi list of desired hotspot or personal networks, together with all login-data. There is a nice TidBit article describing devicescape in full detail.

Back home, I dumped a good part of our CD-collection on the blue
iMac (1440 songs, good for 4.3 days of music and taking up 7.11 Gb of
the vast 120 Gb hard disk) to test the iTunes Central hack
explained by Alan Graham in his six
great tips for homemade dot mac servers. Would I manage to get the
entire collection on my old iBook which had only (after installing all
this WarWalking-software) 800 Mb of free disk space? Here is what
I did :

1. On the iBook (or any machine you want to
play this trick on) go to your Home/Music/iTunes-folder and drag
the two files and one directory it contains to the Trash. Do the
same for the two files com.apple.iTunes.eq.plist and
com.apple.iTunes.plist which are in the
Home/Library/Preferences-folder.

2. On the
iBook, use the Finder/Network-icon to connect to the server
(iMacServer in my case) and browse to the iTunes-folder where you placed
all the music (still, on the iBook in the Finder-window opened when you
connect to iMacServer). Make an Alias of the two files and the
directory in it (click on one of them once, go to the
File-submenu of the Finder and choose Make Alias) which
results in three new entries in the iTunes directory : iTunes 4 Music
Library alias, iTunes 4 Music Library.xml alias and iTunes
4 Music Library alias. Drag these 3 aliases to the
Home/Music/iTunes-folder on the iBook and rename them by removing
the alias-addendum.

3. In the Finder-window on
the iBook corresponding to the iMacServer browse to the
Home/Library/Preferences-folder and drag the two files
com.apple.iTunes.eq.plist and com.apple.iTunes.plist to
the Home/Library/Preferences-folder of the iBook. Launch
iTunes and it will give you access to the whole iTunes-collection
of iMacServer! In all, the three aliases and the 2 copied files take up
128 Kb…

WAR = Wireless
Access Reconnaissance

so let us hope this acronym
will catch on. Now then, what is WarChalking ? It was invented by
Matt Jones and the idea is that a WarWalker should write a symbol in
chalk on the wall nearest to the discovered Access Point describing its
nature (see picture on the left) : the first sign depicts an open
node, the next a closed one and the last one is a node with
WEP-protection (btw. WEP=Wired Equivalent Privacy). A lot
of people seem to take this fairly serious, there is even a webpage warchalking.org devoted to it on which you can
find a lot more information. And as warchalking was originally British,
there had to be also an American site containing among other things a not
that active forum. Further, the unofficial HOW-TO of WarDriving may be
interesting. To me it all sounds as an excuse to buy a
GPS-receiver and a
laptop…

sudo fink install ethereal-ssl

Fink will tell you that it needs some additional packages to
install (12 in my case) and you agree to this with typing Y. Get
yourself a coffee and a book or newspaper because the compilation
process takes quite a while (in my case it took over one hour!). When it
finally stops you hope to be done, so start up X11 and type

sudo /sw/bin/ethereal

and it
works! If you want to begin sniffing you have to click on
Capture/Start and a pop-up window appears. Specify en1 as
Interface and click on Ok. If after some time you press
Stop all the captured packages appear in the main window and you
can start playing. We will see another time what exactly you can do with
all this information…

The previous time that I
tried to install Ethereal (on an iBook) I got an error message :
dyld: /sw/bin/ethereal can’t open library: /sw/lib/libdl.0.dylib (No
such file or directory, errno = 2). Fortunately a simple Google gave
me the following work-around. So if you get into problems that will
probably solve them. I also needed to type xhost in X11 to
allow su to use my window. But, none of these problems appeared right
now so maybe they updated the package.

Moreover,
Ethereal is very well documented both with an online manual-page and a User’s guide (which you can also download as
PDF-file : 454 pages! but only the first 100 or so are worth
printing).

Okay,
let us go one step further and try to get Kismet
running. It seems to be an unwritten law in open source-software that
the more potential harmful a program is, the more difficult it is to
install, so installing Kismet is by no means trivial.
Fortunately, Kismet is very well documented with a manual and a forum. First, we need the Viha Airport
driver, that is we need Viha Wireless Tools 0.0.1a Binary Release. Go in Terminal to the
Desktop-folder where you will find the Folder Viha-0.0.1a.
Then type

mv Viha-0.0.1a/WiFi.framework/
/Library/Frameworks/

Next, we get the latest
version of Kismet, that is kismet-3.0.1.tar.gz and get a kismet-3.0.1
folder on our Desktop. Use Terminal to go into this folder and
type

./configure –disable-pcap –enable-viha;
make

and the following process may last for a
while. If you finally get a prompt, type

sudo make
install

and the process will end with some
warning messages :

If you have not done so
already, read the README file and the FAQ file. Additional
documentation is in the docs/ directory. You MUST edit
/usr/local/etc/kismet.conf
and configure Kismet for your
system, or it will NOT run properly!
Kismet has NOT been
installed suid-root. This means you will need to start
it as
root. If you have no untrusted users on your system, it can be
installed
as suid-root via ‘make suidinstall’. READ THE
DOCUMENTATION BEFORE INSTALLING KISMET AS SUID-ROOT!”

Fine, so let us go to /usr/local/etc and change the
following lines in kismet.conf

suiduser=lieven
source=viha,en1,Airport

(of course you have to replace lieven by your
normal OSX login name). Further, in the file kismet_ui.conf
replace the last line by

apm=false

Finally, you have to type in the Terminal

export TERM=xterm-color

and you should
be done. To launch Kismet, type as your usual user (the one you
specified in the kismet.conf file) in the Terminal

Kismet

and all will work. Again there is
a switch of Airport to Viha driver (and if all works well also at the
end). Often, the Airport card does not come up at the end in which case
it is best to restart Kismet and Quit again (btw. you quit Kismet with
capital Q). Then the Airport icon appears but it may be that you have to
logon to your network again.

We wouldnt have done so
much trouble if it were not that Kismet is a VERY powerfull
application which can be used to Hack wireless networks. But if you
think that KisMAC and Kismet are already scary, wait until
next time when we deal with Ethereal…

Both
MacStumbler and iStumbler are active scanners
meaning that they send out probe request to nearby access points. As a
result they are not able to detect closed networks. To detect
them you need far more intrusive passive scanning software, but
that is for next time.