NetStumbler

  • NetStumbler

    Hi all,

    I already have an idea of the answer to this question, but I thought I'd pitch it out to everyone based on the severity of the issue.

    Q: Do you consider NetStumbler to be a "hacking tool"... specifically, are you able to escalate privileges using it?

    My employer (who wants to fire me and another technician) claims it is.

    Thanks in advance for your reply. Any details you could provide would be greatly appreciated.

    ~Matt

  • #2
    Re: NetStumbler

    Originally posted by DotNM View Post
    Hi all,

    I already have an idea of the answer to this question, but I thought I'd pitch it out to everyone based on the severity of the issue.

    Q: Do you consider NetStumbler to be a "hacking tool"... specifically, are you able to escalate privileges using it?

    My employer (who wants to fire me and another technician) claims it is.

    Thanks in advance for your reply. Any details you could provide would be greatly appreciated.

    ~Matt
    In order to answer this, there needs to be a definition for hacking that you and your boss agree upon as a foundation for discussion. Your definition could be the popular one, or the historical one, or a mixture of these two. It can even be a definition that you personally are uncomfortable using, but it needs to be a definition you and your boss can agree upon, within the scope of this topic.

    Define hacking, and evaluation of it as a hacking tool should follow naturally with little analysis.


    • #3
      Re: NetStumbler

      Airmagnet does:

      Please see this white paper:

      Also go to www.netstumbler.org and check out the forums there.

      Might be old news but what the heck.

      Airmagnet white paper states that netstumbler performs an attack on systems.

      Access Control Attacks
      Circumvent filters and firewalls
      to obtain unauthorized access:

      War Driving NetStumbler, WiFoFoFum

      http://www.v-system.net:81/pdf/WLAN_whitepaper.pdf

      xor

      Sorry to hear and good luck. If you had your TCP/IP stack enabled and got an address on the network, that could be considered a penetration. But if you are authorized to be on that network, then no.
      Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.


      • #4
        Re: NetStumbler

        I wouldn't consider it one per se, but as others have pointed out the line is very blurred. One man's revolutionary is another man's freedom fighter... and one boss's "hacking tool" is another boss's "valuable security testing apparatus"

        Essentially, it comes down to (1) where you work, (2) your role there, and (3) your company policies.

        If you are a security tech or sysadmin type then I would say you have every reason to have a tool like NetStumbler in your kit. If you are a data-entry person and do not work with the IT shop then that's another story. Basically, does your job involve any security testing ever? Was NetStumbler on your personal laptop or a company machine? Are you being accused of using it improperly against your own network, or are they saying you're just a nefarious character simply for having it at all?

        In any case, your boss sounds like an ar-tard and you likely deserve something better. However, if you want to make a counter-argument, I would say pick up a copy of Drive, Detect, Defend in order to demonstrate that the bible of the WiFi security industry mentions it as a legitimate tool and devotes two whole chapters to its proper use.

        All in all, however... I think most of all it should come down to whether or not there's any evidence you were doing something questionable, not merely possessing something questionable. I like to think of it in terms of the most old-school "hacking" tool... a knife. (rim shot) I carry my knife everywhere. Even when I'm working at schools, I have it. I've never really gotten any crap for it, because while some people shouldn't have knives in a place like that, I always (1) use it numerous times a day in a legitimate way and (2) have never been seen or even alleged to use it improperly.

        In the end, however, if I had a boss say "don't bring that here" I'd simply walk off the job, as I take crap like that to be a sign that people have their heads up their asses and that it's easier to walk away early than to deal with the unending tide of bullshit that you're likely to receive from such folk.

        Just my $0.03
        "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
        - Trent Reznor


        • #5
          Re: NetStumbler

          Many companies define ping, netcat, nmap and similar utilities as 'hacking utilities' whose use on the network can be a fireable offense. Absolutely absurd if you consider that the more likely cause of a rootable system will be lax admin accounts and custom scripts/apps, none of which require any of these, outside of basic GNU utils that cannot be guarded against.

          If they want to fire you, it's probably an excuse or a supplementary reason for something else. ... I sense a large portion of the story is missing.

          Oh.. and don't use NetStumbler.. use Kismet, or KisMAC, or some other real scanner if you are testing for something legit. NetStumbler is an active scanner.. or maybe something has changed with a newer release, but it actually partially connects to APs to obtain the information and stats that it generates on your screen (thereby usually more accurate, but technically dancing on the grey line).
          if it gets me nowhere, I'll go there proud; and I'm gonna go there free.


          • #6
            Re: NetStumbler

            Originally posted by converge View Post
            NetStumbler is an active scanner.. or maybe something has changed with a newer release, but it actually partially connects to APs to obtain the information and stats
            Does it do that even if you have "get AP names" disabled? I would hope I haven't been misinforming people on that point in the past. It's odd that they wouldn't have had a pure RX-only mode, even if it doesn't produce the most detailed results as easily.


            • #7
              Re: NetStumbler

              It's been a while, but from my understanding it extends to the statistics that it pulls for signal/noise strength.. where Kismet is really just an amazing estimated guess, NetStumbler is actually polling real data because it is actually partially associated. That is 3-5 year old unconfirmed (laziness) knowledge though.. so.. take it for what it is.


              • #8
                Re: NetStumbler

                Originally posted by Deviant Ollam View Post
                does it do that even if you have "get AP names" disabled? i would hope i haven't been misinforming people on that point in the past. it's odd that they wouldn't have had a pure RX-only mode, even if it doesn't produce the most detailed results as easily.
                Sorry, Deviant, you have been misinforming people. The "Get AP Names" option is only for those APs that are capable of sending an optional AP name string. Basically, it only applies to some Cisco, ORiNOCO, and a few Linksys-Cisco models. Disabling that feature just means you don't get the "AP Name", which has nothing to do with the SSID. The AP Name is merely an optional identifying string you can enter on some models, such as "AP #2", "Third Floor NE" or "Big Bad Bob's Home AP". On the Linksys units it defaults to the model number, such as "WAP54g" or "WRT54g".

                NetStumbler was designed as an active (TX & RX) scanner. It always sends a Beacon Probe request packet, and it does not have an RX-only mode. A lot of that had to do with the API that the author (Marius Milner) used to first program it.

                To answer the original question, NetStumbler is not a "hacking" tool. (That of course is using the pejorative, an idea to which I don't subscribe.) It was designed as a free wireless networking engineering tool. Parts of it are now included with at least one very serious (and seriously costly) wireless engineering tool.

                A portion of the README is quoted below. You will note that only the last activity, which was something of an afterthought, is anything close to "hacking".

                What is NetStumbler?

                NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:

                * Verify that your network is set up the way you intended.
                * Find locations with poor coverage in your WLAN.
                * Detect other networks that may be causing interference on your network.
                * Detect unauthorized "rogue" access points in your workplace.
                * Help aim directional antennas for long-haul WLAN links.
                * Use it recreationally for WarDriving.
                Last edited by Thorn; November 20, 2007, 13:40. Reason: Typos
                Thorn
                "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


                • #9
                  Re: NetStumbler

                  But technically NetStumbler isn't much different than Windows Zero Config or other wireless card AP location programs. Both provide signal strength as well as encryption method. If you say NetStumbler is a hacking tool, then so are Intel Pro Wireless Tools, Dell's Tools (Broadcom, yuck) or Proxim's Tools.

                  I would attack your boss's argument on that basis and it will fall apart. But as someone else mentioned earlier, if they simply don't like you then you have given them an excuse to get rid of you.

                  At a very low level most wireless cards/APs do associate with each other whether you want them to or not. If you want technical ammo I recommend 802.11 Wireless Networks: The Definitive Guide, 2nd Edition by M. Gast from O'Reilly, ISBN 0-596-10052-3. It really is a definitive guide.

                  xor
                  Last edited by xor; November 20, 2007, 15:12.


                  • #10
                    Re: NetStumbler

                    I'm sorry but this is really bugging me.

                    At what layer or point do you cross the line in the 802.11 protocol stack? If it was a piece of wire, the second you tapped in, either through induction or by making a physical splice, you would be connected into the PHY network layer and you would be crossing that line.

                    Since there is no wire and free space becomes the medium, couldn't it be stated that any type of network discovery where information, even low-level information at the PHY layer, changes hands would be a violation of privacy?

                    xor


                    • #11
                      Re: NetStumbler

                      Originally posted by xor View Post
                      I'm sorry but this is really bugging me.

                      At what layer or point do you cross the line in the 802.11 protocol stack? If it was a piece of wire, the second you tapped in, either through induction or by making a physical splice, you would be connected into the PHY network layer and you would be crossing that line.
                      The not necessarily enforceable line is wherever the owner decides it should be.

                      The enforceable line is what the law says it is based on facts.

                      The actual line is the intersection between the set of all things the law specifies as illegal, and the set of all things the offended are willing and able to pursue through legal means.

                      There is no single answer that can provide a unilateral, 100% accepted line, other than a relative description for a line.

                      Proof by extreme exception: "No victim, no crime." (empty set.)

                      Since there is no wire and free space becomes the medium, couldn't it be stated that any type of network discovery where information, even low-level information at the PHY layer, changes hands would be a violation of privacy?

                      xor
                      The FCC could be consulted on this part. If the band in use is part of a public allocation of bandwidth, then there are likely test cases in court that can be found where use of information passed over CB or another public band is used in some way the "owner" never intended. New laws may, of course, obsolete old test cases.


                      • #12
                        Re: NetStumbler

                        Based on my experience in both the law enforcement side and what I know of wireless networking, it would seem that transmitting a Beacon Probe and interpreting any response is completely legal. The 802.11 protocol is designed to allow this without association (i.e. no connection to the AP or the network), and is little more than shouting "Is anyone here?" and listening for a response.

                        The line is crossed when someone associates with a given Access Point by configuring their equipment -or allowing it to configure itself- to use a given SSID, and then using the network without the permission of the owner. The "permission" may be express (Q: "Hey, Joe, can I use your wireless?" A: "Sure!") or it may be implicit due to the circumstances (e.g. an SSID of "Free Public Wireless" or signs on the premises indicating public-use wireless.)

                        Contrary to popular belief among some people, a default, unencrypted, unsecured wireless network is NOT a public asset, nor is the permission implicit due to the fact that it is open to access without security settings. It doesn't matter if someone is using it for a low impact use ("I'm only checking my email!" seems to be the universal cry of the lowlifes who do this) or they are attempting to download the Library of Congress. The association and use without permission is the 'legal line'. Most arrests and convictions both in the US and other countries have followed this principle, and it seems to be thus far universally accepted as the standard in courts both here and abroad.
                        Thorn
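As an added illustration of the distinction drawn in #8 (NetStumbler transmits probe requests; there is no RX-only mode) and in #12 (a probe request/response exchange happens without association, whereas authentication and association are the steps that actually join the network), here is a small Python parser. It is not code from the thread or from NetStumbler. The frames it reads are built by hand for the example (not captured traffic), the MAC addresses and the SSID "CorpNet" are placeholders, and the "effect" labels are this example's own classification of what each management subtype means for the station's relationship to the AP.

```python
"""Classify 802.11 management frames: passive, active-but-unassociated, or joining.

Added example, not from the original thread or from NetStumbler. All frames
below are constructed for illustration; MAC addresses and SSID are placeholders.
"""
import struct

# 802.11 frame control: type 0 = management. Subtypes we care about.
MGMT_SUBTYPES = {
    0x0: "association request",
    0x1: "association response",
    0x4: "probe request",
    0x5: "probe response",
    0x8: "beacon",
    0xB: "authentication",
    0xC: "deauthentication",
}

# Example's own labels: a beacon is unsolicited; probe request/response is an
# exchange the standard permits without association; authentication and
# association are the steps that move a station toward a joined state.
STATE_EFFECT = {
    "beacon": "passive (unsolicited broadcast)",
    "probe request": "active scan, no association",
    "probe response": "active scan, no association",
    "authentication": "joining (unauthenticated -> authenticated)",
    "association request": "joining (authenticated -> associated)",
    "association response": "joining (authenticated -> associated)",
    "deauthentication": "leaving",
}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def find_ssid(ies):
    """Walk TLV information elements; element ID 0 is the SSID.
    A zero-length SSID is a wildcard probe (or a hidden network in a beacon)."""
    i = 0
    while i + 2 <= len(ies):
        eid, length = ies[i], ies[i + 1]
        val = ies[i + 2:i + 2 + length]
        if len(val) < length:
            break  # truncated element: stop rather than misparse
        if eid == 0:
            return val.decode("utf-8", "replace")
        i += 2 + length
    return None


def parse_mgmt_frame(frame):
    """Parse the 24-byte MAC header (FC, duration, addr1-3, seq ctl) and,
    for beacons / probe responses / probe requests, the SSID element."""
    if len(frame) < 24:
        raise ValueError("too short for a management header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0:
        raise ValueError(f"not a management frame (type {ftype})")
    name = MGMT_SUBTYPES.get(subtype, f"subtype {subtype:#x}")
    info = {
        "subtype": name,
        "effect": STATE_EFFECT.get(name, "unknown"),
        "dst": mac(frame[4:10]),
        "src": mac(frame[10:16]),
        "bssid": mac(frame[16:22]),
        "ssid": None,
    }
    body = frame[24:]
    # Beacon and probe response bodies carry a 12-byte fixed part (timestamp,
    # beacon interval, capability) before the tagged elements; a probe
    # request body is tagged elements only.
    if name in ("beacon", "probe response"):
        body = body[12:]
    if name in ("beacon", "probe response", "probe request"):
        info["ssid"] = find_ssid(body)
    return info


def scan_summary(frames):
    """Return (per-frame info, True if any frame is a step toward joining)."""
    infos = [parse_mgmt_frame(f) for f in frames]
    joined = any(i["effect"].startswith("joining") for i in infos)
    return infos, joined


def build_frame(subtype, dst, src, bssid, body):
    """Assemble a management frame; sequence control is left as zero."""
    fc = subtype << 4  # protocol version 0, type 0 (management), no flags
    return struct.pack("<HH", fc, 0) + dst + src + bssid + b"\x00\x00" + body


# Constructed sample traffic (placeholder, locally administered MACs).
STA = bytes.fromhex("020000000001")
AP = bytes.fromhex("020000000002")
BCAST = b"\xff" * 6
RATES = b"\x01\x04\x82\x84\x8b\x96"                      # supported rates IE
FIXED = b"\x00" * 8 + struct.pack("<HH", 100, 0x0411)     # timestamp, interval, capability
SSID_IE = b"\x00\x07CorpNet"

# What an active scanner and an AP exchange, with no association involved.
SCAN_FRAMES = [
    build_frame(0x4, BCAST, STA, BCAST, b"\x00\x00" + RATES),   # wildcard probe request
    build_frame(0x5, STA, AP, AP, FIXED + SSID_IE + RATES),     # probe response
    build_frame(0x8, BCAST, AP, AP, FIXED + SSID_IE + RATES),   # beacon
]
# The same, followed by the frames that actually join the network.
JOIN_FRAMES = SCAN_FRAMES + [
    build_frame(0xB, AP, STA, AP, struct.pack("<HHH", 0, 1, 0)),              # open-system auth, seq 1
    build_frame(0x0, AP, STA, AP, struct.pack("<HH", 0x0411, 10) + SSID_IE),  # association request
]

if __name__ == "__main__":
    for info in scan_summary(JOIN_FRAMES)[0]:
        print(f"{info['subtype']:22} {info['src']} -> {info['dst']}  "
              f"ssid={info['ssid']!r}  {info['effect']}")
```

Run stand-alone it prints one line per constructed frame; the first three (probe request, probe response, beacon) are all that a scanner like the one described in #8 emits or hears, and `scan_summary` reports no join for them. Only once the authentication and association request frames appear does it flag a join, which is the point at which #12 says the line is crossed.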


                        • #13
                          Re: NetStumbler

                          Originally posted by Thorn View Post
                          Based on my experience in both the law enforcement side and what I know of wireless networking, it would seem that transmitting a Beacon Probe and interpreting any response is completely legal. The 802.11 protocol is designed to allow this without association (i.e. no connection to the AP or the network), and is little more than shouting "Is anyone here?" and listening for a response.
                          ... Well put. I could not agree more.
                          Love is a Mental Illness


                          • #14
                            Re: NetStumbler

                            Thorn: It has been my understanding (quite possibly incorrect) that NetStumbler does actually, partially associate to obtain the SNR stats that it calculates. If true.. this *could* be argued as crossing the line. I have no good sources other than typical DEF CON poolside chat.. maybe I can blame chatting with Kershaw back at NYC2600.. or something. But I have never actually bothered to dig deep enough to confirm.

                            Anyone able to authoritatively yay or nay? Mythbusters?

                            As law seems to pop up once every several months still, it is worth noting that people passively scanning may not be directly crossing an ethical line.. but could actually be infringing on other local ordinances depending on locale of the scan.


                            • #15
                              Re: NetStumbler

                              Originally posted by converge View Post
                              Thorn: It has been my understanding (quite possibly incorrect) that NetStumbler does actually, partially associate to obtain the SNR stats that it calculates. If true.. this *could* be argued as crossing the line. I have no good sources other than typical DEF CON poolside chat.. maybe I can blame chatting with Kershaw back at NYC2600.. or something. But I have never actually bothered to dig deep enough to confirm.

                              Anyone able to authoritatively yay or nay? Mythbusters?
                              SNR is a radio receive RF function, where the noise level is compared to the received signal. As such, it's all computed at the receiver (NetStumbler) end and doesn't require an association.
                              Thorn