FIGURE 11-1: AP games hardware: laptop computer, wireless client adapter,
wireless access point, and GPS receiver.
Chapter 11: Playing Access Point Games

An external antenna can be attached to many different wireless adapters and will significantly
increase range. Omnidirectional antennas are preferred for 360-degree sweeping coverage,
while a unidirectional antenna, such as the famous cantenna you built in Chapter 3, can be used
for focused, directional coverage.

The Basics of AP Gaming
The idea of access point gaming is that you are out to find and log wireless access points. These
access points can be placed beforehand as with a treasure hunt, placed to seed a playing field as
with a traditional AP hunt, or set up in specific locales to create a real-world social networking
The game coordinator will design the rules, layout, and boundaries of the game being played.
Briefly, the games described in this chapter are:

Foxhunt: Find the hidden access point
AP-Hunt: Discover the most access points in a set amount of time
Treasure Hunt: Step through a planned route where each new discovery gives you a clue
to the next destination
Capture the Flag: Find all the “enemy” access points and return to base with your booty,
a log file showing their locations
Virtual Real-Space Tours: Bridge the digital and the real with location-aware content fed
to visitors within a matrix of access points. (Not quite a game, but very entertaining!)

In order to be successful while playing the games covered in this chapter, you will be constantly
refining your skills in pinpointing the location of access points. Pinpointing access points can
be achieved by using two standard methods:

Drive-by detection
Triangulation

Both methods are valuable in different circumstances, and you may even employ both methods
during the same game.

Detecting an Access Point on a Drive-By
This is the traditional war driving scenario. As you travel past an access point, the war driving
software detects the access point and logs its position. As you drive around, the signal level will
grow stronger or weaker, usually indicating that you are closer to or farther from the access point.
Figure 11-2 shows a diagram of this process. The access point is in a building and different
signal levels help to betray its approximate location. As your detection computer comes within
close proximity of the access point, the signal strength gets higher.
Part III: Playing with Access Points

[Figure 11-2 labels: Access Point; Weak Signal, Strongest Signal, Weak Signal]

FIGURE 11-2: A drive-by detection locates access points through

Always play AP games with at least one passenger (the more the merrier). The task of driving
safely while managing the computer in an AP game may well be impossible. As the driver, it's
your job to assign the task of detection and navigation to the passenger(s) and stay safe.

Finding an Access Point by Triangulation
Triangulation may well be the oldest radio-wave positioning method known. Triangulation is a
method of taking a directional sample of a radio source, moving some distance and taking
another directional sample. If all went well, the two directions you sampled should end up
pointing to a single third location, making a triangle.
Figure 11-3 shows a triangulation pattern using a directional antenna. Directional antennas
are the easiest way to detect an access point by triangulation. The cantenna, a panel
antenna, or a Yagi antenna is usually sufficiently directional to aid in pinning down an
access point.
When you're discovering access points by triangulation, you can get a misreading due to the
nature of wireless reflections and the concept of multipath signals. It's possible to receive a
stronger signal bouncing off of, say, a building than when you point directly at the access point.
Keep this in mind and perhaps add more points to your “triangle.”

FIGURE 11-3: The three points of a triangulation discovery pattern.
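
The triangulation described above, worked as an added example (not code from the book): each directional sample is a position plus a compass bearing, and the fix is the point closest to all of the bearing lines. It goes one step beyond the two-sample case by refitting after dropping the sample that misses worst, which is one way to act on the advice to add more points when a reflection is suspected. The flat metre grid, the 25 m threshold and the sample readings are assumptions constructed for illustration.

```python
import math

def _unit(deg):
    # Compass bearing (degrees clockwise from north) -> unit vector (east, north)
    r = math.radians(deg)
    return math.sin(r), math.cos(r)

def locate(samples):
    """samples: [(x_m, y_m, bearing_deg), ...] in a flat local grid (x east, y north).
    Returns the point with the least squared perpendicular distance to every
    bearing line; with exactly two samples this is where the lines cross."""
    a11 = a12 = a22 = b1 = b2 = 0.0
    for x, y, deg in samples:
        dx, dy = _unit(deg)
        m11, m12, m22 = 1 - dx * dx, -dx * dy, 1 - dy * dy   # I - d*d^T
        a11 += m11; a12 += m12; a22 += m22
        b1 += m11 * x + m12 * y
        b2 += m12 * x + m22 * y
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        raise ValueError("bearings are parallel: move sideways and sample again")
    return (a22 * b1 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det

def miss(fix, sample):
    """Perpendicular distance in metres from the fix to one bearing line."""
    x, y, deg = sample
    dx, dy = _unit(deg)
    return abs(dx * (fix[1] - y) - dy * (fix[0] - x))

def locate_robust(samples, max_miss_m=25.0):
    """Fit all samples; if the worst one misses by more than max_miss_m,
    treat it as a likely reflection, drop it and refit once."""
    fix = locate(samples)
    worst = max(samples, key=lambda s: miss(fix, s))
    if len(samples) > 3 and miss(fix, worst) > max_miss_m:
        kept = [s for s in samples if s is not worst]
        return locate(kept), worst
    return fix, None

# Constructed walk: the access point really sits at (100, 100).
SAMPLES = [
    (0, 0, 45.0),      # true bearing
    (200, 0, 315.0),   # true bearing
    (100, -50, 0.0),   # true bearing
    (0, 200, 90.0),    # strongest signal came off a wall; true bearing is 135
]

if __name__ == "__main__":
    print("all four samples:", locate(SAMPLES))
    print("worst dropped:   ", locate_robust(SAMPLES))
```

With the reflected reading included, the fix lands about 50 m north of the real position; dropping it brings the fix back onto the access point.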

Crazy Like a Foxhunt
Foxhunt is a challenging and exciting access point game that requires the setup of a remote
access point (The Fox) in a location unknown to the participants of the game. After general
boundaries are set, the participants set out with the objective of pinpointing the exact location
of the hidden access point. The first participant or group to pinpoint the access point wins.
This AP game is quite simple, and probably the easiest to coordinate and start playing.

1. Get a fox
2. Send the fox out running
3. Wait some amount of time
4. Chase the fox

The Fox
The heart of this game is based around an access point, The Fox, and the components that
enable its operation. Although the placement and setup of The Fox is ultimately your choice,
a modular setup is preferable. Being able to place it in a variety of locations will enhance
gaming immensely.

FIGURE 11-4: A look at the inside of The Fox.

Figure 11-4 shows a simple “Fox” setup. Notice careful attention paid to the organization of
the access point, battery pack, and power inverter, as well as the cleanly run wiring. This
attention to detail helps prevent unforeseen outages during the game.
This game does not necessarily employ a special SSID. But a unique, pre-determined SSID
will help the hunters easily identify the target.

An SSID of “Fox” is too simple and you may easily come across it in the wild. Try an SSID of
“LA-FoxHunt-Aug2004” or some sort of named and date-stamped SSID. You may find it amusing to
later discover The Fox listed on an online war driving database!

A standard modular access point setup includes (see Figure 11-5):

Access Point: A standard 802.11b access point is the heart of The Fox.
12-volt Battery Pack: A 12-volt battery pack supplies the power to the unit. The battery
is the key to the modularity of The Fox.
Power Inverter: A power inverter is used to convert the voltage of the battery to that of
the access point.
Canvas Duffle Bag: A canvas duffle bag will serve as the platform to house all of the
equipment required in one simple package and allow The Fox to be moved from one
location to another quickly and easily.

FIGURE 11-5: The Fox ready for game play.

A tip about batteries: A 7.0 ampere-hour (Ah) battery will run for one hour at 7 A, or 7 hours at
1 A. In tests, a broadcasting access point connected to an inverter while running on battery
power was pulling 900 mA or 0.9 A, and ran for over 9 hours on a single 7.0-Ah battery. This
came out to about 8.1 Ah, somewhat better than the 7.0 Ah rating.

Variations of a Foxhunt
Although the general game play and rules are the same throughout, there are a few variations
of an AP games Foxhunt:

Standard Foxhunt
Mobile Foxhunt
Room Service Foxhunt

The standard variation of the game is usually played with two to six players. Standard Foxhunt
requires that the participants of the game track The Fox solely on foot. A smaller set of
boundaries is usually required, typically a few hundred yards square, as it would be no fun to have to
search an overly large area on foot. A mid-sized park is optimal, as The Fox may be hidden in
many places, such as small brush.
The Mobile Foxhunt is a variation of Foxhunt in which two to six teams comprised of two to
four participants each track The Fox using automobiles. A larger set of boundaries is required
for Mobile Foxhunt, as the use of automobiles permits a much greater relative scale. A good set
of boundaries is 20 to 40 blocks square. The Fox is typically placed in a host automobile and
parked in a remote location.
Room Service Foxhunt is a great variation of Foxhunt intended for fun on vacation, but can be
played anytime and can host a number of participants ranging from 2 to 40. Room Service
Foxhunt is best played in a hotel setting. It is a good general rule of thumb when playing this
variation of Foxhunt to have a maximum of two to four times the number of participants as
there are floors in the hotel. The boundaries can range from inside the hotel itself to the entire
area of the hotel depending on the size of the group, courtesy to other hotel guests, and
tolerance of hotel management. The Fox is typically hidden in a room or a common area.

A GPS and mapping software may prove to be invaluable in quickly pinpointing The Fox while
playing variations of Foxhunt with a larger set of boundaries such as Mobile Foxhunt.

Foxhunt Tips
Set up rules ahead of time. Determine the boundaries and timeframe for success. As the game
coordinator, stay in contact with The Fox either by cell phone or radio. Also, ensure you have
all of the participants' contact information in case the game has a problem and must be
aborted. As a player, there's nothing more annoying than looking for an access point that isn't
Determine the winner. Perhaps the winner is the person or team that finds The Fox in the least
amount of time. Or perhaps the first team to return with a digital picture of The Fox is the
winner. Are GPS coordinates enough or does the team need an address? Or perhaps a visual
description is more suitable (for example, “Building 4 in the bushes near the South Entrance”)?
There is probably an unlimited number of variations on this AP game. The foxhunt is an old
tradition which has carried over into HAM radio, CB radio, and now wireless access points.
Uphold the tradition and host a foxhunt this weekend!

Finding Mass Quantities of Access Points
This game, AP-Hunt, is an access point game inspired by the famous pastime of war driving.
AP-Hunt simply requires basic wireless hardware and software and a means of transportation.
The objective is to accumulate the most points. Generally, the more access points
discovered, the more points awarded.
Points are awarded based on a specific scoring system weighted towards awarding unique and
hard-to-discover access points. To help prevent cheating, only access points with associated
GPS coordinates will score points.
To reduce the chance of cheating, the game coordinator may seed the area before the game.
This entails setting up a number of access points with a unique SSID in the playing area
beforehand, and switching them to another SSID during game play. If a team's results include
the “before” SSID, they are submitting a log from before the contest timeframe. Also, a team
must discover one of the seeds during game play to ensure the data is not from days or weeks
prior to the contest.
The team with the highest number of points wins.

Scoring System
The essence of a contest is in determining a winner. To make things interesting, an AP-Hunt
game should have some sort of scoring system beyond simply finding “the most.”
The scoring system here was inspired by the DefCon Wardriving Contest of 2003. The
DefCon contest is a type of access point game with a set of rules created to distinguish hard-
core participants from the casual wardriver and encourage unusual war driving techniques.
A basic AP-Hunt scoring would look like this:

One point for each AP discovered
One extra point for each AP with the default SSID
Two extra points for each AP with WEP enabled
Three extra points for each unique AP (your team is the only team that detected the
AP). This score is optional and implementing it will make sense only with a high number
of participants.
Variations: Add points for local wireless landmarks such as schools, stores, coffee shops,
and so on. Add points for furthest AP from the contest starting line. Or possibly, add
points for off-road APs.

Obviously, scoring is up to the game coordinator. Maybe in your first time out, just try to find
the most access points in a given time, like 1 hour. Then return to base and have pizza while
comparing results. The winner gets bragging rights.
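
A coordinator's scoring script for the basic rules above, combined with the seed check and the GPS requirement from the previous section. This is an added example, not code from the book; the log layout, the seed SSID names and the short default-SSID list are assumptions constructed for illustration.

```python
from collections import Counter

# Assumed sample of factory-default SSIDs; the coordinator supplies the real list.
DEFAULT_SSIDS = {"linksys", "default", "netgear"}
SEED_BEFORE = "APHUNT-SEED-PRE"   # hypothetical SSID the seeds carry before the game
SEED_DURING = "APHUNT-SEED-GO"    # hypothetical SSID the seeds switch to at the start

def check_log(log):
    """Return None if the log is acceptable, else the reason it is rejected."""
    ssids = {e["ssid"] for e in log}
    if SEED_BEFORE in ssids:
        return "contains the pre-game seed SSID (logged before the contest)"
    if SEED_DURING not in ssids:
        return "no seed found during game play"
    return None

def score(logs, unique_bonus=True):
    """logs: {team: [{ssid, bssid, wep, gps}, ...]} -> {team: points or None}."""
    accepted = {}
    for team, log in logs.items():
        if check_log(log) is None:
            # Only entries with GPS coordinates score; BSSID de-duplicates repeats.
            accepted[team] = {e["bssid"]: e for e in log if e["gps"]}
    seen_by = Counter(b for aps in accepted.values() for b in aps)
    result = {team: None for team in logs}          # None = disqualified
    for team, aps in accepted.items():
        pts = 0
        for bssid, e in aps.items():
            pts += 1                                              # each AP discovered
            pts += 1 if e["ssid"].lower() in DEFAULT_SSIDS else 0  # default SSID
            pts += 2 if e["wep"] else 0                            # WEP enabled
            pts += 3 if unique_bonus and seen_by[bssid] == 1 else 0
        result[team] = pts
    return result

def entry(ssid, bssid, wep=False, gps=(34.05, -118.25)):
    return {"ssid": ssid, "bssid": bssid, "wep": wep, "gps": gps}

# Constructed logs for three teams.
LOGS = {
    "A": [entry(SEED_DURING, "s1"), entry("linksys", "b1"),
          entry("CoffeeShop", "b2", wep=True), entry("NoFix", "b3", gps=None)],
    "B": [entry(SEED_DURING, "s1"), entry("linksys", "b1"), entry("Office", "b4")],
    "C": [entry(SEED_BEFORE, "s1"), entry("linksys", "b1"),
          entry("Garage", "b5", wep=True)],
}

if __name__ == "__main__":
    print(score(LOGS))
```

Uniqueness is counted only across accepted logs, so an access point that also appears in a disqualified log can still earn the bonus.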

Hunting Equipment
There are some factors that can affect your game play and ultimately your overall success while
AP-Hunting: hardware, antenna, software, and vehicle selection.
Hardware selection is a vital issue. It can mean the difference between detecting an access point
or not, and thus winning or losing. There are two basic types of supplemental hardware
involved with hunting: a wireless adapter and an external antenna. To be amongst the top ranks
of competitors, a wireless adapter has two essential elements: power output (and, therefore,
receiver sensitivity) and the ability to accept an external antenna.
A standard wireless adapter has a power output of about 30 mW, while an enterprise adapter
will usually have 100 mW. And carrier-grade adapters boast an output of 200 mW. In general,
the higher powered adapter will also have a more sensitive receiver, which directly relates to
how well the adapter can “pull in” a weak signal and log the access point.
Once you've selected a suitable wireless adapter, the next step is to choose an external antenna. If at
all possible it is best to have both an omnidirectional and a highly-directional antenna for all
foreseeable scenarios. You should have at least an external, vehicle-mounted omnidirectional antenna.
Figure 11-6 shows an example of an AP-Hunt setup including wireless adapter, omnidirectional,
and highly directional patch panel antenna.
While playing AP-Hunt, users of Kismet Wireless will have a considerable advantage because
Kismet can detect access points that are not broadcasting their SSID or beacon signals.
Oftentimes, sheer numbers may be the pivotal factor between winning and losing.

Transportation plays a great role in AP-Hunt. Traditionally, automobiles are used in conjunction
with GPS mapping software to sweep the area as it approaches, detecting access points along the
way. Although this is still the most widely accepted method of transportation, several
nonconventional methods have proven to provide much broader coverage than an automobile could
hope to achieve. Recently, helicopters and private airplanes have been used to scan large swaths of
the landscape to pick up dozens more access points outside the range of ground-based vehicles.

FIGURE 11-6: A typical AP-Hunt hardware setup.

Using airborne vehicles while scanning for access points is known as “warflying.” Perform a Web
search for warflying, and among the usual combat aircraft Web sites will appear many sites on
war driving with aircraft.

AP-Hunt in action: The DefCon Wardriving Contest
For the past eleven years at the beginning of August, thousands of the world's most fervent
hackers, security professionals, and even government officials have converged on the city of
Las Vegas to participate in what has become one of the largest underground security and
technology conferences in existence, fondly named “DefCon.”
Although DefCon began simply as an underground hacking conference, it has evolved into
something much greater. In the past few years emerging wireless technologies have made their
way into the conference, spawning entirely new facets such as the DefCon Wardriving Contest.
The DefCon Wardriving Contest has grown to become a cutthroat battle royale of wireless
network detection, pushing war driving and access point gaming in an ever-improving direction.
In recent years, participants armed with laptops, wireless adapters, and external antennas have
used everything from standing still on top of a building, to vans, cars, and motorcycles in order
to claim the title of DefCon Wardriving Contest champions. DefCon Wardriving contest
participants have even gone to the extent of renting a private helicopter, allowing them to detect
access points typically unreachable through traditional AP-Hunting methods. Who knows
what strategies and tactics will be used at the next contest?

An Access Point Treasure Hunt
Treasure Hunt is an access point game in which teams search for access points based on clues
discovered in the SSID. As the game unfolds, each access point discovered leads the team to
the next access point, and so on until the trail ends. There are two main categories of play in
the Treasure Hunt access point game.

Best Time: The winner of the “Best Time” category will be the team that is able to
complete the course in its entirety in the least amount of time possible.
Best Signal: The winner of the “Best Signal” category will be the team that is able to
record the highest Signal-to-Noise Ratio for each of the given access points.

Playing Treasure Hunt
Treasure Hunt is one of the most rewarding access point games but it also requires much setup
and planning. When organizing a treasure hunt, several access points are required to be spread
out over a relatively large area. It is best to organize the field of play based on several maps
sliced into grids. Often a local paper-based street map will have a grid coordinate and a
well-known page numbering system.

If the game participants do not have a local map publication, create a simple map layout using
mapping software to generate the map, and an image editing program to divide the map into
squares covering about one-half mile each. Print these out for each participant.

Each access point should be spread apart by a significant distance and each access point SSID
will contain the clue necessary to determine the location of the next access point. Each access
point should contain a similarly formatted SSID in order to provide clues.
A sample SSID might be:
The first section, “TH0504” is a unique game name (TH) and date (May 2004). The second
section, “P5” means page 5 in a pre-determined map handout, booklet, or publication. “J-4”
represents the grid coordinates on that map (see Figure 11-7). And the final section “03” means
this is clue number three (numbering is optional, but it's nice to have).
This SSID points to where the next access point can be found on the map. Each access point is
a link pointing to the next site to discover and proceed from there. Figure 11-8 shows a
diagram of how this contest works. Plan the path of travel to help avoid participants finding clues
out of order.



