Dailydave mailing list archives

Re: Without Wires


From: Tracy Reed <treed () ultraviolet org>
Date: Wed, 4 May 2011 12:39:37 -0700

On Wed, May 04, 2011 at 09:15:27PM +0430, Mohammad Hosein spake thusly:
    At the risk of being very off-topic I got a question which can be relevant to
    SILICA at some points. I've read all sorts of crap about direction finding of
    Wifi targets from people who don't know what they are talking about including

DF/TDOA would be a really nice capability. Way back in 2002 I did this
warflying thing:

http://tracyreed.org/Writings/warflying

http://www.computerworld.com/s/article/73901/War_flying_Wireless_LAN_sniffing_goes_airborne

I did it in San Diego and then TechTV invited me up to San Jose. I flew
the plane up and appeared on their show and took their reporter for a
demo flight and found massive numbers of APs. There would surely be even
more today.

It was fun and I have occasionally considered doing it again but
aside from the obvious facts that it works and you can see a lot of APs
from a couple thousand feet up we didn't learn much so I haven't seen
any good reason to try again. Back then we were mostly just interested
in unsecured APs. Now of course we would be interested in unsecured and
weakly encrypted (WEP etc). Those who are so inclined might be
interested in actually cracking the weak encryption and discovering the
keys and perhaps even exploring the networks. We passively received and
did not transmit on our flights to avoid legal ambiguity. 

Time over target can get expensive when aircraft are involved although
it can be kept down to as low as $50/hr or maybe even less so it
wouldn't take much to discover every AP in a whole metro area.  A
smallish haul of card numbers resulting from the flights would easily
cover it: I always consider how much an attacker would stand to gain
when considering how likely they are to do something as outlandish as
aerial wireless recon.

Hmm...I just realized something: A few months ago I attended a briefing
by SoCal Approach TRACON. This graphic was presented:

http://imgur.com/ul5d6 

These are the tracks of all of the aircraft going into and out of CRQ
during a 12 hour time span.  

You can see the blue tracks inbound for landing coming in from the
right (east), the green tracks departing to the left (west), and the
racetrack of the traffic pattern connecting the departures and
arrivals.

Notice the parallel orange lines left to right (east to west) all up and
down the image. Looks like a search pattern. This seems likely to be
mostly one aircraft's track, you can almost see the turnarounds on each
end. When I first noticed it I wondered what the heck this guy might be
doing. Now I have one more thing to add to the list of possibilities.
:) 

Being able to collect semi-accurate location data on the actual AP
(instead of just recording the GPS location of the aircraft when the AP
was detected which just results in a plot of the aircraft path) would be
very nice for aerial discovery and exploration followed by driving to
the area for more lengthy probing. Someone with automation like SILICA
could open up and explore networks for vulnerabilities and recon a lot
of networks fast. 

It's a shame a good samaritan cannot legally do this kind of mass-recon
for the purposes of writing a paper or offering consulting services to
improve the security posture of vulnerable networks. Instead they will
just have to wait to be notified by their acquiring bank that they have
a problem.

Making money by flying while also improving the state of computer
security is my dream job.

On Wed, May 4, 2011 at 8:12 PM, dave <dave () immunityinc com> wrote:
    So SILICA has been around for a while - essentially automating wireless
    attacks in

I don't see a buy link on that page... Does one have to call?

-- 
Tracy Reed
