Fun with 802.11b at Kroger's (Spring, 2003)
-------------------------------------------
By Kairi Nakatsuki

This guide assumes you already have a working wardriving setup on a *nix machine. This isn't necessarily meant to be a guide to hacking your friendly neighborhood Kroger's location. Though I do hope that this information will be of use in case you stumble upon a Kroger's location where an 802.11b network is present. Remember, don't be evil children!

Info

The particular Kroger's I did most of my dirty work at didn't have a terribly great security model, as you might expect. Evidently, management doesn't care much about their data being broadcast in clear text over the airwaves for 100 feet in every direction, though they seem to think that cloaking their ESSID would suffice. Since Kroger's wifi network(s) are mainly set up to allow their POS terminals to telnet into a SCO OpenServer machine, it is expected that these machines will have to be rebooted from time to time; so if the ESSID is not "kroger/barney" at your Kroger's, then it would be easy to obtain within short order.

This particular network resides on 30.112.16.0. Despite the fact that all of 30.0.0.0 is owned by the DoD, none of the addresses within that network are Internet routable (I confirmed this personally). So, I'm guessing that their address assignment scheme is purely coincidence. There was a DHCP server that gladly gave me an IP address. I was able to resolve names that are on the Internet, though I wasn't able to get a default route anywhere.

Tools Used

* Kismet 2.8.1
* Ethereal 0.9.9
* Paketto Keiretsu 1.0
* AirSnort
* Linux laptop and a backpack

(Disclaimer: I don't know what you would have to do to use Kismet under Windows, though you can use Ethereal on Windows to read packet dumps from Kismet just fine.)

I used Kismet 2.8.1 to initially discover the networks.
After confirming that there were only three or so networks, I made Kismet only scan on the channels those networks resided on, doing something like this:

    # killall kismet_hopper
    # kismet_hopper -s 2,4,6
    # assuming that channels 2, 4, 6 are where the
    # networks reside; do this while kismet_server is
    # running

Setting kismet_hopper to hop only those channels increases the amount of packets you receive. Be sure to scan from lowest channel to highest channel, so as to avoid the pitfalls of overlapping frequencies. Start kismet_server in its own terminal so you can see what IP addresses are found, in real time.

I used scanrand from Paketto Keiretsu to stealthily do a portscan on the nodes I found. Mostly Windows boxes with open SMB shares.

Going In

After you have played around a little and have confirmed that your Kroger's has a wireless network, it's time to get down to business. You can associate with their network and use Ethereal to do a packet capture in promiscuous mode, if you feel like using an Ethereal capture filter. This isn't as effective as using Kismet to channel hop and sniff in rfmon mode, however.

Now put your laptop in your backpack. Go up real close; walk back and forth across the storefront. Hell, pretend to fumble through your change pocket and buy your favorite soft drink from a vending machine. I don't suggest going in, however, since people wearing backpacks in a store is kind of frowned upon.

Back at Base

After you feel you've gotten your fill of captured packets, it's time to open the Kismet packet dumps with Ethereal. Use the display filter telnet; expand the Telnet tree. Scroll through the packets; a lot of them will be '\033', but you'll eventually find the good shit. This is a mere sample of what I found:

    SCO OpenServer(TM) Release 5 (xxx.xxx.kroger.com) (ttyp3)

You can telnet into the machine that this prompt came from to see how many cash registers are in use; just use the ttypx as a clue. It counts from ttyp0 up.
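An added example (mine, not the author's) of the channel-overlap reasoning behind hopping in ascending order. It assumes the standard 2.4 GHz channel plan: channels 1 to 13 sit 5 MHz apart starting at 2412 MHz, channel 14 sits at 2484 MHz, and an 802.11b transmission is about 22 MHz wide, so any two channels fewer than five numbers apart bleed into each other. The functions below check a hop list for that and pick a mutually non-overlapping subset; it is not Kismet code.

```python
# Added example, not from the original article: why channel choice and hop
# order matter for an 802.11b sniffer. Assumption (standard 2.4 GHz channel
# plan): channels 1-13 are centred at 2407 + 5*n MHz, channel 14 at 2484 MHz,
# and a DSSS transmission is about 22 MHz wide, so two channels overlap when
# their centres are less than 22 MHz apart (fewer than five channel numbers).

CHANNEL_SPACING_MHZ = 5
SIGNAL_WIDTH_MHZ = 22


def center_freq_mhz(channel):
    """Centre frequency of a 2.4 GHz 802.11b channel."""
    if channel == 14:
        return 2484
    if not 1 <= channel <= 13:
        raise ValueError("invalid 802.11b channel: %r" % channel)
    return 2407 + CHANNEL_SPACING_MHZ * channel


def channels_overlap(a, b):
    """True when frames on channel a bleed into channel b (or vice versa)."""
    return abs(center_freq_mhz(a) - center_freq_mhz(b)) < SIGNAL_WIDTH_MHZ


def overlapping_pairs(channels):
    """All pairs in a hop list whose frequencies overlap."""
    chans = sorted(set(channels))
    return [(x, y) for i, x in enumerate(chans) for y in chans[i + 1:]
            if channels_overlap(x, y)]


def hop_list(channels):
    """Hop list in ascending order, the order the article recommends."""
    return sorted(set(channels))


def non_overlapping(channels):
    """Greedy pick of mutually non-overlapping channels (1, 6, 11 for 1-13)."""
    chosen = []
    for ch in sorted(set(channels)):
        if not chosen or not channels_overlap(chosen[-1], ch):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    print("hop list:", hop_list([6, 2, 4]))
    print("overlapping pairs in 2,4,6:", overlapping_pairs([2, 4, 6]))
    print("non-overlapping subset of 1-13:", non_overlapping(range(1, 14)))
```

The point for the article's setup: channels 2, 4 and 6 all overlap pairwise, so a hopper sitting on 4 already hears part of what is on 2 and 6, and sweeping them in ascending order means each hop lands on a frequency adjacent to the last one instead of jumping back and forth across the band.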
The POS terminals at Kroger's are used for a lot of things, from the obvious cash register functions, to ordering shelf labels, to entering UPC codes and item names. I don't suggest that you log in if you capture username/password combinations; resist the urge!

Miscellaneous

I did find a single WEP-encrypted network. I wasn't able to stay close enough to the signal, though. If you're brave enough, you can let your car sit in the parking lot long enough to capture enough packets to crack this, if you have a good antenna. You can continue to use Kismet to keep the packets flowing, but I suggest using AirSnort to do the packet capture on a single channel, so you'll be able to see how far you're coming along.

Here's a recap, findings may be different:

    ESSID: "kroger/barney" (Barney Kroger owns the chain)
    Class C subnet: 30.112.16.0
    Servers: 30.112.16.1, 30.112.16.2; running SCO OpenServer

If anybody can share information on the actual terminal interface used, let us know; I would be more than glad to write a follow-up article.

Obligatory Disclaimer

Have fun with this information. And remember, go to school, don't do drugs, and stay out of trouble! I can't take responsibility for your actions. It's your choice to follow my example, after all.
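As an added, defender-side example that is not part of the original article: the findings above (cloaked ESSID, open network, telnet to SCO boxes, one WEP network) are exactly what a store's own network team should be pulling out of a capture before somebody else does. The script below runs that audit over a constructed frame summary. The record layout is invented for the example, the addresses and host name are placeholders, and the severity labels are my own; nothing here is a tool's native output.

```python
# Added example, not from the original article: a defender-side audit of what
# an 802.11b network leaks, run over a constructed summary of captured frames.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    """One decoded data frame. This record layout is invented for the example;
    it is roughly what you would note down from a Kismet dump opened in
    Ethereal, not any tool's native output."""
    essid: Optional[str]   # None: the AP cloaks its ESSID (no SSID in beacons)
    encryption: str        # "none" or "wep"
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


# Constructed sample capture, loosely modelled on the article's findings.
# The host name is a placeholder, not the real one.
SAMPLE_CAPTURE = [
    Frame(None, "none", "30.112.16.50", "30.112.16.1", 1034, 23, b"\xff\xfd\x18"),
    Frame(None, "none", "30.112.16.1", "30.112.16.50", 23, 1034,
          b"\r\nSCO OpenServer(TM) Release 5 (host.placeholder) (ttyp3)\r\n\r\nlogin: "),
    Frame("store-wep", "wep", "10.0.0.5", "10.0.0.1", 1100, 23, b"\x8a\x13\x77\x02"),
    Frame("guest", "none", "192.168.1.9", "192.168.1.1", 1500, 443, b"\x16\x03\x01"),
]

CLEARTEXT_SERVICES = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}
LOGIN_MARKERS = (b"login:", b"Password:")
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}


def cleartext_service(frame):
    """Name of the unencrypted application protocol, keyed on either port."""
    return CLEARTEXT_SERVICES.get(frame.dport) or CLEARTEXT_SERVICES.get(frame.sport)


def audit(frames):
    """Return (severity, network, message) findings, most severe first."""
    findings = set()
    by_net = defaultdict(list)
    for f in frames:
        by_net[f.essid or "<cloaked>"].append(f)

    for net, fs in by_net.items():
        encs = {f.encryption for f in fs}
        if "none" in encs:
            findings.add(("HIGH", net, "open network: every frame is readable to anyone in rfmon range"))
        if "wep" in encs:
            findings.add(("MEDIUM", net, "WEP: key recoverable from a large enough passive capture"))
        if net == "<cloaked>":
            findings.add(("INFO", net, "cloaked ESSID is not a control: clients reveal it whenever they (re)associate"))
        for f in fs:
            svc = cleartext_service(f)
            if svc is None or f.encryption != "none":
                continue
            findings.add(("HIGH", net, "cleartext %s %s -> %s" % (svc, f.src, f.dst)))
            if any(m in f.payload for m in LOGIN_MARKERS):
                findings.add(("CRITICAL", net,
                              "%s login prompt from %s: credentials will cross the air in the clear" % (svc, f.src)))
    return sorted(findings, key=lambda x: (SEVERITY_RANK[x[0]], x[1], x[2]))


def count_by_severity(frames):
    """Tally of findings per severity label, handy for a one-line summary."""
    counts = defaultdict(int)
    for sev, _, _ in audit(frames):
        counts[sev] += 1
    return dict(counts)


if __name__ == "__main__":
    for sev, net, msg in audit(SAMPLE_CAPTURE):
        print("%-8s %-11s %s" % (sev, net, msg))
    print(count_by_severity(SAMPLE_CAPTURE))
```

Each finding maps to a fix the store could actually apply: the telnet findings go away when the registers talk to the SCO box over SSH or through an encrypted tunnel, the open-network finding by enabling link-layer encryption, and the WEP finding is a reminder that WEP only raises the cost of the capture rather than preventing it. The cloaking finding carries no fix because, as the article notes, a rebooting terminal gives the ESSID away anyway.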