Dailydave mailing list archives
Re: Without Wires
From: Mohammad Hosein <mhtajik () gmail com>
Date: Thu, 5 May 2011 02:36:15 +0430
What you mentioned is actually a very common method for various kinds of active and passive radar systems. Certainly, doing it in an active fashion needs legal permission from the local regulator, but the law is different when it comes to passive collection, especially when it's wideband. I think Dave once mentioned that SILICA, like Immunity's other products, is based on Python and comes with source, which makes it a very good candidate to "connect" to stuff like GNU Radio and make use of cheap stuff like the USRP to build Wi-Fi locationing systems.

After my first email, I got two responses from two members of the list who are actually government contractors selling Wi-Fi locationing systems, and interestingly both of them work based on signal strength: you move around, you see the signal level go higher, it means you are heading in the right direction, and then you do this a lot from different places until you get a sense of where your target might be located. This is not only fundamentally flawed; in reality it's useless, respectfully, for hacking purposes, let's say to find an AP and flash its firmware with our own custom-made firmware to do a certain kind of stuff. It also will not work for real-world SIGINT operations, say, to locate where the Russian agent is sitting (yeah, if he is not obviously sitting in a cafe right in front of the Russian embassy; hats off to the FBI counterintelligence dudes and huge respect to Russian intelligence, by the way).

The current most accurate method to locate radio emitters, especially in these frequency bands, is by using several receivers, connected together and synchronised in time with nanosecond precision, and using TDOA techniques to be able to "pinpoint" the actual radio. Other claims are either false or have serious drawbacks, even AOA (on precision, especially in a radio-crowded area).

Regards

On Thu, May 5, 2011 at 12:09 AM, Tracy Reed <treed () ultraviolet org> wrote:
On Wed, May 04, 2011 at 09:15:27PM +0430, Mohammad Hosein spake thusly:

> At the risk of being very off-topic, I got a question which can be relevant to SILICA at some points. I've read all sorts of crap about direction finding of Wifi targets from people who don't know what they are talking about including

DF/TDOA would be a really nice capability.

Way back in 2002 I did this warflying thing:

http://tracyreed.org/Writings/warflying
http://www.computerworld.com/s/article/73901/War_flying_Wireless_LAN_sniffing_goes_airborne

I did it in San Diego and then TechTV invited me up to San Jose. I flew the plane up and appeared on their show and took their reporter for a demo flight and found massive numbers of APs. There would surely be even more today. It was fun and I have occasionally considered doing it again, but aside from the obvious facts that it works and you can see a lot of APs from a couple thousand feet up, we didn't learn much, so I haven't seen any good reason to try again. Back then we were mostly just interested in unsecured APs. Now of course we would be interested in unsecured and weakly encrypted (WEP etc.) ones. Those who are so inclined might be interested in actually cracking the weak encryption and discovering the keys and perhaps even exploring the networks. We passively received and did not transmit on our flights to avoid legal ambiguity.

Time over target can get expensive when aircraft are involved, although it can be kept down to as low as $50/hr or maybe even less, so it wouldn't take much to discover every AP in a whole metro area. A smallish haul of card numbers resulting from the flights would easily cover it: I always consider how much an attacker would stand to gain when considering how likely they are to do something as outlandish as aerial wireless recon.

Hmm... I just realized something: A few months ago I attended a briefing by SoCal Approach TRACON. This graphic was presented: http://imgur.com/ul5d6

These are the tracks of all of the aircraft going into and out of CRQ during a 12 hour time span. You can see the blue tracks inbound for landing coming in from the right (east), the green tracks departing to the left (west), and the racetrack of the traffic pattern connecting the departures and arrivals. Notice the parallel orange lines left to right (east to west) all up and down the image. Looks like a search pattern. This seems likely to be mostly one aircraft's track; you can almost see the turnarounds on each end. When I first noticed it I wondered what the heck this guy might be doing. Now I have one more thing to add to the list of possibilities. :)

Being able to collect semi-accurate location data on the actual AP (instead of just recording the GPS location of the aircraft when the AP was detected, which just results in a plot of the aircraft path) would be very nice for aerial discovery and exploration followed by driving to the area for more lengthy probing. Someone with automation like SILICA could open up and explore networks for vulnerabilities and recon a lot of networks fast.

It's a shame a good samaritan cannot legally do this kind of mass-recon for the purposes of writing a paper or offering consulting services to improve the security posture of vulnerable networks. Instead they will just have to wait to be notified by their acquiring bank that they have a problem. Making money by flying while also improving the state of computer security is my dream job.

On Wed, May 4, 2011 at 8:12 PM, dave <dave () immunityinc com> wrote:

> So SILICA has been around for a while - essentially automating wireless attacks in

I don't see a buy link on that page... Does one have to call?

--
Tracy Reed

_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
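The TDOA approach argued for in the reply above (several receivers sharing a nanosecond-grade clock, with the emitter fixed from arrival-time differences rather than signal strength), as an added worked example. This is not code from the thread, from SILICA or from Immunity: the receiver grid, emitter position and clock offsets are constructed values, and the solver is a plain Gauss-Newton least-squares fit of the hyperbolic range-difference equations. The position_error() helper is added here to show how a clock offset on one receiver turns into position error, which is the reason the sync requirement is stated in nanoseconds.

```python
"""TDOA multilateration of a radio emitter from time-synchronised receivers.

Added example (not from the thread). Receiver sites, emitter location and
clock offsets are constructed; no real captures are involved.
"""
import math

C = 299_792_458.0  # propagation speed in m/s; 1 ns of timing error is ~0.3 m of range

# Constructed receiver sites (metres) on a 1 km grid, e.g. four SDRs sharing
# a common clock. Receiver 0 is the reference for all time differences.
RECEIVERS = [(0.0, 0.0), (1000.0, 0.0), (0.0, 1000.0), (1000.0, 1000.0)]
TRUE_EMITTER = (300.0, 650.0)  # constructed ground truth for the demo


def arrival_times(emitter, receivers, t_tx=0.0):
    """Time each receiver hears a burst sent at t_tx (t_tx is unknown to the locator)."""
    return [t_tx + math.dist(emitter, rx) / C for rx in receivers]


def tdoas(toas):
    """Arrival-time differences relative to receiver 0; the unknown t_tx cancels."""
    return [t - toas[0] for t in toas[1:]]


def locate_tdoa(receivers, diffs, guess=(500.0, 500.0), iters=50, tol=1e-6):
    """Gauss-Newton least-squares solve of the hyperbolic TDOA equations.

    For each receiver i > 0 the model is  d_i - d_0 = C * diffs[i-1],
    where d_k is the distance from the current estimate to receiver k.
    Returns the (x, y) estimate in metres.
    """
    x, y = guess
    for _ in range(iters):
        d = [math.hypot(x - rx, y - ry) for rx, ry in receivers]
        resid, jac = [], []
        for i in range(1, len(receivers)):
            resid.append((d[i] - d[0]) - C * diffs[i - 1])
            # Partial derivatives of (d_i - d_0) with respect to x and y.
            jx = (x - receivers[i][0]) / d[i] - (x - receivers[0][0]) / d[0]
            jy = (y - receivers[i][1]) / d[i] - (y - receivers[0][1]) / d[0]
            jac.append((jx, jy))
        # Normal equations (J^T J) delta = -J^T r, solved in closed form for 2 unknowns.
        a = sum(jx * jx for jx, _ in jac)
        b = sum(jx * jy for jx, jy in jac)
        c = sum(jy * jy for _, jy in jac)
        gx = sum(jx * r for (jx, _), r in zip(jac, resid))
        gy = sum(jy * r for (_, jy), r in zip(jac, resid))
        det = a * c - b * b
        if abs(det) < 1e-12:
            break  # degenerate geometry; no unique update direction
        dx = -(c * gx - b * gy) / det
        dy = -(-b * gx + a * gy) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < tol:
            break
    return (x, y)


def position_error(timing_error_s, receiver_index=1):
    """Locate TRUE_EMITTER after adding a clock offset to one receiver.

    Returns the distance in metres between the estimate and the true position,
    so the effect of synchronisation quality on the fix is visible directly.
    """
    toas = arrival_times(TRUE_EMITTER, RECEIVERS, t_tx=0.0123)  # arbitrary tx time
    toas[receiver_index] += timing_error_s
    est = locate_tdoa(RECEIVERS, tdoas(toas))
    return math.dist(est, TRUE_EMITTER)


if __name__ == "__main__":
    for err in (0.0, 1e-9, 1e-6):
        print(f"clock offset {err:.0e} s on one receiver -> fix error {position_error(err):8.2f} m")
```

With perfectly aligned clocks the fit recovers the constructed emitter position exactly; a 1 ns offset on one receiver moves the fix by a few tens of centimetres, while a 1 µs offset (300 m of range-difference error) moves it by well over a hundred metres on this geometry. The example handles only the clock-error term; a real deployment additionally has to deal with multipath and with the precision of the timestamp on each received burst, neither of which is modelled here.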
Current thread:
- Without Wires dave (May 04)
- Re: Without Wires Mohammad Hosein (May 04)
- Re: Without Wires Tracy Reed (May 04)
- Re: Without Wires Mohammad Hosein (May 04)
- RE : Without Wires Marc OLANIE (May 05)
- Re: Without Wires Kristian Erik Hermansen (May 05)
- Re: Without Wires Tracy Reed (May 04)
- <Possible follow-ups>
- Re: Without Wires Kristian Erik Hermansen (May 04)
- Re: Without Wires Mohammad Hosein (May 04)