Dailydave mailing list archives

Re: Without Wires


From: Mohammad Hosein <mhtajik () gmail com>
Date: Thu, 5 May 2011 02:36:15 +0430

What you mentioned is actually a very common method for various kinds of
active and passive radar systems. Certainly doing it in an active fashion
needs legal permission from the local regulator, but the law is different
when it comes to passive collection, especially when it's wideband. I
think Dave once mentioned that SILICA, like ImmunityInc's other products,
is based on Python and comes with source, which makes it a very good
candidate to "connect" to stuff like GNU Radio and make use of cheap
stuff like the USRP to build WiFi locationing systems.

After my first email, I got two responses from two members of the list
who are actually government contractors selling WiFi locationing
systems, and interestingly both of them work based on signal strength,
which means you move around, you see the signal level go higher, it
means you are in the right direction, and then you do this a lot from
different places until you get a sense of where your target might be
located. This is not only fundamentally flawed; in reality it's useless,
respectfully, for hacking purposes, let's say to find an AP and flash
its firmware with our own custom-made firmware to do a certain kind of
stuff. It also will not work for real world SIGINT operations, say, to
locate where the Russian agent is sitting (yeah, if he is not obviously
sitting in a cafe right in front of the Russian embassy - hats off to
the FBI counterintelligence dudes and huge respect to Russian
intelligence by the way).

The current most accurate method to locate radio emitters, especially
in these frequency bands, is to use several receivers connected together
and synced in time with nanosecond precision, and to use TDOA techniques
to be able to "pin point" the actual radio. Other claims are either
false or have serious drawbacks, even AOA (on precision, especially in a
radio-crowded area).

Regards
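
As an added illustration, not part of this thread or of any product it mentions, here is a pure-Python TDOA solver run over constructed receiver positions and arrival times; the receiver layout, emitter position and clock errors are all made up for the example. It shows why the timing sync matters: nanosecond clock error still gives a fix within a few metres, while microsecond error puts it tens of metres or more off.

```python
import math
C = 299_792_458.0  # speed of light, m/s: 1 ns of clock error is about 0.3 m of range

def dist(a, b):
    return max(math.hypot(a[0] - b[0], a[1] - b[1]), 1e-9)

def tdoa_locate(receivers, tdoas, guess, iters=100):
    """Gauss-Newton least-squares 2-D fix. tdoas[i-1] = t_i - t_0 is the arrival
    time at receivers[i] minus that at receivers[0], the timing reference."""
    x, y = guess
    ref = receivers[0]
    for _ in range(iters):
        a = b = d = 0.0          # normal matrix J^T J (2x2, symmetric)
        g0 = g1 = 0.0            # gradient J^T r
        d0 = dist((x, y), ref)
        for rx, tau in zip(receivers[1:], tdoas):
            di = dist((x, y), rx)
            r = (di - d0) - C * tau                     # range-difference residual, metres
            jx = (x - rx[0]) / di - (x - ref[0]) / d0   # d r / d x
            jy = (y - rx[1]) / di - (y - ref[1]) / d0   # d r / d y
            a += jx * jx; b += jx * jy; d += jy * jy
            g0 += jx * r; g1 += jy * r
        det = a * d - b * b
        if abs(det) < 1e-18:
            break
        dx = -(d * g0 - b * g1) / det                   # (J^T J) step = -J^T r via Cramer's rule
        dy = -(a * g1 - b * g0) / det
        step = math.hypot(dx, dy)
        if step > 50.0:                                 # damp big steps so inconsistent data cannot diverge
            dx, dy = dx * 50.0 / step, dy * 50.0 / step
        x, y = x + dx, y + dy
        if step < 1e-6:
            break
    return x, y

def simulate_tdoas(receivers, emitter, clock_errors):
    """Constructed measurements: true propagation time plus each receiver's clock error (s)."""
    t = [dist(emitter, rx) / C + e for rx, e in zip(receivers, clock_errors)]
    return [ti - t[0] for ti in t[1:]]

def fix_error(clock_errors):
    """Position error in metres for a constructed 300 m square of four receivers
    and an emitter inside it, given one clock error per receiver."""
    receivers = [(0.0, 0.0), (300.0, 0.0), (0.0, 300.0), (300.0, 300.0)]
    emitter = (120.0, 210.0)
    tdoas = simulate_tdoas(receivers, emitter, clock_errors)
    return dist(tdoa_locate(receivers, tdoas, guess=(150.0, 150.0)), emitter)

print("perfect sync:", fix_error([0, 0, 0, 0]))            # < 0.01 m
print("1 ns errors:", fix_error([0, 1e-9, -1e-9, 1e-9]))   # < 5 m
print("1 us errors:", fix_error([0, 1e-6, -1e-6, 1e-6]))   # > 20 m: useless
```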

On Thu, May 5, 2011 at 12:09 AM, Tracy Reed <treed () ultraviolet org> wrote:

On Wed, May 04, 2011 at 09:15:27PM +0430, Mohammad Hosein spake thusly:
At the risk of being very off-topic, I got a question which can be
relevant to SILICA at some points. I've read all sorts of crap about
direction finding of WiFi targets from people who don't know what they
are talking about, including

DF/TDOA would be a really nice capability. Way back in 2002 I did this
warflying thing:

http://tracyreed.org/Writings/warflying


http://www.computerworld.com/s/article/73901/War_flying_Wireless_LAN_sniffing_goes_airborne

I did it in San Diego and then TechTV invited me up to San Jose. I flew
the plane up and appeared on their show and took their reporter for a
demo flight and found massive numbers of APs. There would surely be even
more today.

It was fun and I have occasionally considered doing it again, but
aside from the obvious facts that it works and you can see a lot of APs
from a couple thousand feet up, we didn't learn much, so I haven't seen
any good reason to try again. Back then we were mostly just interested
in unsecured APs. Now of course we would be interested in unsecured and
weakly encrypted (WEP etc). Those who are so inclined might be
interested in actually cracking the weak encryption and discovering the
keys and perhaps even exploring the networks. We passively received and
did not transmit on our flights to avoid legal ambiguity.

Time over target can get expensive when aircraft are involved although
it can be kept down to as low as $50/hr or maybe even less so it
wouldn't take much to discover every AP in a whole metro area.  A
smallish haul of card numbers resulting from the flights would easily
cover it: I always consider how much an attacker would stand to gain
when considering how likely they are to do something as outlandish as
aerial wireless recon.

Hmm...I just realized something: A few months ago I attended a briefing
by SoCal Approach TRACON. This graphic was presented:

http://imgur.com/ul5d6

These are the tracks of all of the aircraft going into and out of CRQ
during a 12 hour time span.

You can see the blue tracks inbound for landing coming in from the
right (east), the green tracks departing to the left (west), and the
racetrack of the traffic pattern connecting the departures and
arrivals.

Notice the parallel orange lines left to right (east to west) all up and
down the image. Looks like a search pattern. This seems likely to be
mostly one aircraft's track, you can almost see the turnarounds on each
end. When I first noticed it I wondered what the heck this guy might be
doing. Now I have one more thing to add to the list of possibilities.
:)

Being able to collect semi-accurate location data on the actual AP
(instead of just recording the GPS location of the aircraft when the AP
was detected which just results in a plot of the aircraft path) would be
very nice for aerial discovery and exploration followed by driving to
the area for more lengthy probing. Someone with automation like SILICA
could open up and explore networks for vulnerabilities and recon a lot
of networks fast.

It's a shame a good samaritan cannot legally do this kind of mass-recon
for the purposes of writing a paper or offering consulting services to
improve the security posture of vulnerable networks. Instead they will
just have to wait to be notified by their acquiring bank that they have
a problem.

Making money by flying while also improving the state of computer
security is my dream job.

On Wed, May 4, 2011 at 8:12 PM, dave <dave () immunityinc com> wrote:
    So SILICA has been around for a while - essentially automating
    wireless attacks in

I don't see a buy link on that page... Does one have to call?

--
Tracy Reed

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
