fiddyspence's blog

Reverse Wardriving

Sometimes funny ideas just occur to me.  One such hit me yesterday.  I was wandering around London, taking a break from a customer visit, and I started thinking about wardriving and finding open wifi.  I have kind of wardriven myself: travelling around South-East Asia on a shoestring looking for bandwidth makes you do that sort of stuff.  Sometimes it transpires that folks wardriving look for open wifi just to see what’s there.

It occurred to me that one could do the reverse.  You see, I am fundamentally lazy (it’s why I think I make a reasonable sysadmin - my goal is to always make myself replaceable so I can do other, more interesting things).  Thus today, I am going to take the credit for inventing Warcouching.

The principle here is simple: I run a wholly private wireless VLAN with a commonly known SSID, watch the DHCP logs, and have a look at which devices wandering past my flat promiscuously associate themselves with it.

So, a teensy bit of ruby watches the messages file on the DHCP server, triggers an nmap scan of the IP address of the device that just connected, and captures the output to a log:

      # field 7 of the dhcpd DHCPACK syslog line is the client's IP address
      if runcommand
        begin
          system("/bin/nmap -O -vvv #{$log[loopstart.to_int].split(' ')[7]} >> #{$mylog}")
        rescue => e
          puts e.message
        end
        runcommand = false
      end

and thusly do we see in the logfile:

Starting Nmap 6.00 ( http://nmap.org ) at 2012-11-13 13:28 GMT
Initiating ARP Ping Scan at 13:28
Scanning [1 port]
Completed ARP Ping Scan at 13:28, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:28
Completed Parallel DNS resolution of 1 host. at 13:28, 6.50s elapsed
DNS resolution of 1 IPs took 6.50s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 13:28

Scanning dhcp-54.spence.org.uk.local ( [1000 ports]
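The snippet above relies on field 7 of the DHCPACK line being the client's address and on a flag to avoid re-running for the same lease. As an added example that is not the blog's own code, here is the log-watching half done a little more carefully in Ruby: it parses ISC dhcpd syslog lines (the format is an assumption; the sample lines and the allowlist of known MACs are constructed), reports each client once rather than on every renewal, and flags devices not on the allowlist, which is the point at which you would log, alert, or kick off whatever follow-up action you fancy.

```ruby
# Added example (not the blog's own code): parse ISC dhcpd syslog lines and
# report each newly seen DHCP client once, so a follow-up action fires a single
# time per device. The log lines below are constructed samples, and the
# allowlist of "known" MACs is an assumption.

require 'set'

# One DHCPACK line from /var/log/messages looks like:
#   Nov 13 13:28:01 gw dhcpd: DHCPACK on 10.0.99.54 to 00:11:22:33:44:55 (phone) via eth1
# Whitespace-splitting it puts the IP address in field 7, which is the field
# index the blog's one-liner relies on; the regex below is less brittle.
DHCPACK_RE = /dhcpd: DHCPACK on (?<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?<host>[^)]*)\))? via (?<iface>\S+)/i

# Parse a single syslog line; returns a Hash, or nil for anything that is not
# a DHCPACK (DISCOVER/OFFER lines and unrelated daemons are ignored).
def parse_dhcpack(line)
  m = DHCPACK_RE.match(line)
  return nil unless m
  { ip: m[:ip], mac: m[:mac].downcase, host: m[:host], iface: m[:iface] }
end

# Remembers which MACs have already been reported so each device shows up
# once, and marks anything not on the allowlist as unknown.
class ClientWatcher
  attr_reader :seen

  def initialize(known_macs: [])
    @known = Set.new(known_macs.map(&:downcase))
    @seen = Set.new
  end

  # Feed log lines in order; returns the list of first-seen client events.
  def process(lines)
    events = []
    lines.each do |line|
      lease = parse_dhcpack(line)
      next unless lease
      next if @seen.include?(lease[:mac])   # same device renewing its lease: skip
      @seen << lease[:mac]
      lease[:known] = @known.include?(lease[:mac])
      events << lease
    end
    events
  end
end

# Constructed sample log excerpt (not real data); the last line is a renewal.
SAMPLE_LOG = <<~LOG
  Nov 13 13:27:58 gw dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth1
  Nov 13 13:27:58 gw dhcpd: DHCPOFFER on 10.0.99.54 to 00:11:22:33:44:55 (phone) via eth1
  Nov 13 13:28:01 gw dhcpd: DHCPACK on 10.0.99.54 to 00:11:22:33:44:55 (phone) via eth1
  Nov 13 13:30:12 gw sshd[1234]: Accepted publickey for fiddy from 10.0.0.2
  Nov 13 13:41:07 gw dhcpd: DHCPACK on 10.0.99.61 to AA:BB:CC:DD:EE:FF via eth1
  Nov 13 13:58:01 gw dhcpd: DHCPACK on 10.0.99.54 to 00:11:22:33:44:55 (phone) via eth1
LOG

# Runs the watcher over the sample with an assumed allowlist of one device.
def demo
  watcher = ClientWatcher.new(known_macs: ['aa:bb:cc:dd:ee:ff'])
  watcher.process(SAMPLE_LOG.lines)
end

if __FILE__ == $0
  demo.each do |ev|
    tag = ev[:known] ? 'known' : 'UNKNOWN'
    puts "#{tag}: #{ev[:ip]} #{ev[:mac]} #{ev[:host] || '-'} on #{ev[:iface]}"
  end
end
```

Against the sample it reports two devices: the phone (unknown, first DHCPACK only) and the allowlisted client, and the renewal at 13:58 produces nothing. To use it for real, replace `SAMPLE_LOG.lines` with a tail of the messages file and keep the `ClientWatcher` instance alive across reads so the seen-set persists.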

Warcouching - watching passing strangers automagically.  It’ll be fashionable, I tell you.