"The most dangerous wireless vulnerability is the one you didn't know was there." — VCA WIR-101 lecture notes
Lecture (50 min)
11.1 Wardriving: History and Modern Practice
Wardriving (the name comes from "wardialing", the analog phone-line equivalent; the 802.11 form emerged in 1999-2001) is the practice of mapping wireless networks from a moving vehicle or on foot using a laptop and a Wi-Fi NIC in monitor mode.
The term carries an adversarial connotation, but the technique itself is neutral: the same passive scan that builds a network map for a penetration test also builds the city-wide AP census that Wi-Fi positioning systems (Google, Apple, Skyhook) use for GPS-less location. WiGLE.net has cataloged over 1.2 billion unique networks as of 2026.
Legal context: in the US, passive wardriving (receive only, no association) does not violate the CFAA. The Electronic Communications Privacy Act's wiretapping provisions (18 U.S.C. § 2511) exempt broadcasts that are "readily accessible to the general public", a category that unencrypted 802.11 traffic falls into. Capturing encrypted traffic is a legal gray area in some jurisdictions; attempting to decrypt it without authorization crosses into CFAA territory. Active attacks (deauth, association, injection) require authorization.
Modern wardriving tools: Kismet (Linux, active development), WiGLE Android app, GPS receiver for coordinate tagging.
11.2 Kismet: Architecture and Logging
Kismet is a passive 802.11 (and multi-protocol) sensor framework. It separates:
- Sources: hardware interfaces in monitor mode (one or multiple NICs on different channels)
- Core: channel hopping, deduplication, device tracking, alert generation
- Logging: .kismet database (SQLite), PCAP, KML, CSV, JSON

```bash
# Basic launch with single NIC
sudo kismet -c wlan0mon
# Multi-source (dual-band simultaneous -- requires two NICs)
sudo kismet -c wlan0mon:type=linuxwifi -c wlan1mon:type=linuxwifi
```
The Kismet web UI runs at http://localhost:2501 by default. Key views:
- Device list: all observed APs and clients, RSSI, first/last seen, encryption
- Channel usage: channel distribution heatmap
- Alert list: Kismet WIDS rules (deauth floods, BSSID spoofing, etc.)
For wardriving, pair with gpsd for coordinate tagging:
```bash
sudo gpsd /dev/ttyUSB0 -F /var/run/gpsd.sock
```
Kismet auto-detects gpsd and tags captures with GPS coordinates.
11.3 Wireless Reconnaissance Report Structure
A professional wireless reconnaissance report follows the same structure as the penetration test report but with wireless-specific findings.
What to capture in a wireless recon survey:
| Field | Example |
|---|---|
| SSID | CORP-WIFI-5G |
| BSSID | 00:1A:2B:3C:4D:5E |
| Channel | 36 (5 GHz) |
| Encryption | WPA2-PSK (CCMP) |
| Management Frame Protection | No |
| Signal Strength | -65 dBm |
| Vendor (OUI lookup) | Cisco Systems |
| Hidden | No |
| Clients Seen | 12 |
| First Seen | 2026-05-01 09:14 UTC |
Key findings to highlight in a recon report:
- Open networks: critical finding. Any device connecting leaks cleartext traffic.
- WEP or WPA-TKIP: critical. Crackable.
- WPA2-PSK without MFP: medium. Deauth + handshake capture is feasible.
- SSID broadcasting internal naming conventions: low/info. "ACME-CORP-HQ-INFRA-MGMT" reveals organizational structure.
- Rogue AP candidates: BSSIDs on the observed channel plan that are not in the authorized inventory.
- Excessive client probe requests: clients broadcasting legacy SSIDs they are looking for (pre-iOS 14 / pre-Android 9 devices).
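The checklist above, turned into a small triage script (an added example, not part of the lecture notes): it applies the section 11.3 severities to survey rows in the table format above and compares BSSIDs against an authorized inventory to flag rogue candidates. The survey rows, the inventory, the OUI table and the SSID naming markers are all constructed for the example.

```python
"""Triage a wireless survey against an authorized BSSID inventory and produce
findings with the severities from the section 11.3 checklist. Added example,
not lecture code; the survey rows and the OUI table below are constructed."""
from dataclasses import dataclass

# Constructed OUI table (first three octets -> vendor); a real report uses the IEEE registry.
OUI = {"00:1A:2B": "Cisco Systems", "B8:27:EB": "Raspberry Pi Foundation"}
# Substrings that mark an SSID as leaking internal naming conventions (assumption).
NAMING_MARKERS = ("HQ", "INFRA", "MGMT")


@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    encryption: str  # e.g. "OPEN", "WEP", "WPA-PSK (TKIP)", "WPA2-PSK (CCMP)"
    mfp: bool        # management frame protection (802.11w) advertised


def vendor(bssid: str) -> str:
    return OUI.get(bssid.upper()[:8], "unknown OUI")


def triage(ap: AccessPoint, authorized: set) -> list:
    """(severity, description) findings for one AP; 'rogue' carries no fixed severity
    because an unauthorized BSSID may be an employee plug-in or an evil twin."""
    enc = ap.encryption.upper()
    findings = []
    if enc == "OPEN":
        findings.append(("critical", f"{ap.ssid}: open network, client traffic is cleartext"))
    elif "WEP" in enc or "TKIP" in enc:
        findings.append(("critical", f"{ap.ssid}: {ap.encryption} is crackable"))
    elif "WPA2-PSK" in enc and not ap.mfp:
        findings.append(("medium", f"{ap.ssid}: WPA2-PSK without MFP, deauth + handshake capture feasible"))
    if any(marker in ap.ssid.upper() for marker in NAMING_MARKERS):
        findings.append(("low", f"{ap.ssid}: SSID reveals internal naming convention"))
    if ap.bssid.upper() not in authorized:
        findings.append(("rogue", f"{ap.bssid} ({vendor(ap.bssid)}) not in authorized inventory"))
    return findings


def report(survey, authorized):
    """All findings for a survey, most severe first (stable order within a severity)."""
    rank = {"critical": 0, "medium": 1, "low": 2, "rogue": 3}
    rows = [(sev, ap.bssid, desc) for ap in survey for sev, desc in triage(ap, authorized)]
    return sorted(rows, key=lambda row: rank[row[0]])


# Constructed sample survey (11.3 table fields) and a constructed authorized inventory.
AUTHORIZED = {"00:1A:2B:3C:4D:5E", "00:1A:2B:3C:4D:5F"}
SURVEY = [
    AccessPoint("CORP-WIFI-5G", "00:1A:2B:3C:4D:5E", "WPA2-PSK (CCMP)", False),
    AccessPoint("ACME-CORP-HQ-INFRA-MGMT", "00:1A:2B:3C:4D:5F", "WPA2-PSK (CCMP)", True),
    AccessPoint("Guest", "B8:27:EB:11:22:33", "OPEN", False),
    AccessPoint("Legacy-Printers", "00:1A:2B:99:88:77", "WPA-PSK (TKIP)", False),
]
```

Printing `report(SURVEY, AUTHORIZED)` gives the two critical findings first, then the MFP gap, the naming leak, and the two rogue candidates for the wired-side hunt.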
11.4 CVSS for Wireless Findings
CVSS v3.1 vector string format: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
For wireless findings:
- Attack Vector: typically AV:A (Adjacent Network) for RF-range attacks; AV:N only if the vulnerable system is reachable over the internet
- Attack Complexity: AC:L for WPA2-PSK with weak passphrase (trivial dictionary); AC:H for Dragonblood timing attack (requires precise measurement)
- Privileges Required: PR:N for unauthenticated attacks (PMKID, deauth)
- User Interaction: UI:R if a client must connect (4-way handshake capture); UI:N for PMKID
- Scope: S:U unless compromise of the AP leads to cross-network pivot (e.g., corporate VLAN)
Example: WPA2-PSK with weak passphrase (dictionary-crackable):
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N = 7.1 (High)
11.5 Defense Recommendations That Actually Help
A wireless security report is only as valuable as its remediation section. Avoid vague recommendations:
Not useful: "Use a strong password." Useful: "Replace the current 8-character passphrase with a 20+ character randomly generated passphrase managed in a corporate password vault (e.g., 1Password Teams, Bitwarden Business). Rotate the passphrase quarterly or immediately following any personnel change with AP access."
Not useful: "Upgrade to WPA3." Useful: "Enable WPA3-SAE on all 802.11ax-capable APs (which includes the Cisco Catalyst 9100 series already deployed). For legacy clients that do not support WPA3, enable WPA3 Transition Mode (simultaneous WPA2/WPA3) and track migration progress via RADIUS authentication logs."
Not useful: "Enable IDS." Useful: "Configure Cisco WLC rogue AP detection with alert thresholds: more than 3 deauthentication frames per second from any BSSID triggers a wired-side hunt to locate the rogue AP via port MAC address tables."
11.6 Course Review: The Wireless Engagement Lifecycle
Week 11 closes the loop on the engagement lifecycle introduced in the course outline:
| Phase | Tools | Deliverable |
|---|---|---|
| Pre-engagement | Authorization form, scope doc | Signed ROE |
| Passive recon | airodump-ng, Kismet, GQRX | Target list, SSID inventory |
| Active capture | hcxdumptool, aireplay-ng | PCAP files, hash files |
| Exploitation | hashcat, GNU Radio, URH | Cracked credentials, decoded protocols |
| Post-exploitation | Wireshark (authenticated), nmap | Network map, lateral movement assessment |
| Reporting | Report template, CVSS calculator | Findings report with scored vulnerabilities |
| Remediation review | Re-test after client fixes | Verification section |
Lab Preview
Lab 11 is the wardriving and reporting lab. You will conduct a passive wireless survey of the approved area using Kismet, export the results, and produce a 4-page findings report covering at least three distinct findings from the survey. See Lab 11 file for full instructions.
Homework
Reading (45 min): Read the OWASP Wireless Security Testing Guide (WSTG) Wireless Network Testing section (linked from course portal). Compare its methodology to what you have practiced in this course. Identify one OWASP test case not covered in WIR-101 and explain what you would need to add to your toolkit to run it.
Hands-on (60 min): Review your Lab 1-5 deliverables. Self-grade your weakest lab against the published rubric. Write a 1-page improvement memo: what would you do differently now that you have completed the course? This is not graded on the answer, only on whether you completed it.
Toolchain Diary Entry
First introduced this week: Kismet (full use), gpsd, WiGLE, OUI lookup
kismet -c wlan0mon --log-prefix /tmp/survey: launch Kismet with monitor interface, log to /tmp/.
gpsd /dev/ttyUSB0 -F /var/run/gpsd.sock && cgps -s: run GPS daemon and verify fix before survey.
wigle.net/search: community Wi-Fi AP database. Useful for correlating captured BSSIDs against known deployments.
OUI lookup: macchanger --list | grep OUI_PREFIX or use IEEE OUI registry at regauth.standards.ieee.org/iad/. Critical for identifying vendor/model from BSSID.
Key Terms
- Wardriving: passive wireless network mapping from a mobile position using a NIC in monitor mode + GPS; legal in US for receive-only passive scanning
- Kismet: open-source passive 802.11 (and BLE/Zigbee) sensor; multi-source capable; outputs SQLite, PCAP, KML; runs WIDS alerting
- BSSID inventory: complete list of authorized APs in a target environment; used to identify rogues during a wireless assessment
- OUI: Organizationally Unique Identifier; first 24 bits of a MAC address; identifies the NIC manufacturer; searchable at IEEE registry
- WIDS: Wireless Intrusion Detection System; monitors for anomalous 802.11 behavior (deauth floods, BSSID collisions, hidden SSID probes)
- Rogue AP: AP present on a wireless survey that is not in the authorized BSSID inventory; may be unintentional (employee plug-in) or malicious (insider backdoor / evil twin)