If you payed attention to the comments on our story about a Magnetic stripe card emulator you would have seen Abend announce his Shmoocon talk. It was a pretty interesting talk about the basics of mag cards and some of the tricks employed by companies to obfuscate the data. To get the feel for the talk I suggest you listen to SploitCast #004 which features Abend as a guest. That combined with his slides and tools should give you a fine crash course in the technology. He also recommend’s Count Zero’s “A Day in the Life of a Flux Reversal“. Billy Hoffman, who did the Covert Crawler, has also worked with mag stripes and developed the program Stripe Snoop.

Continue reading “Shmoocon 2006: A Young Gentleman’s Primer On The Reading And Emulation Of Magnetic Cards” →

Franck Veysset and Laurent Butti, both from France Telecom R&D, presented several proof-of-concept tools at Shmoocon that use 802.11 raw injection. The first is Raw Fake AP. The original Fake AP is a script that generates thousands of fake access points. It is easy to spot because of tell-tale signs like the BSSID showing the AP has only been up for a couple milliseconds. Raw Fake AP tries to generate legitimate access points by modifying BSSIDs and sending beacon frames at coherent time intervals.

Raw Glue AP is designed catch probe requests from clients scanning for a preferred ESSID. It then tries to generate the appropriate probe responses to keep the client occupied.

Raw Covert was the final tool. It creates a covert channel inside of valid ACK frames. ACK frames are usually considered harmless and ignored by wireless IDS. The tool is really basic right now, there is no encryption and it doesn’t handle dropped frames.

Continue reading “Shmoocon 2006: Wi-Fi Trickery Or How To Secure, Break And Have Fun With Wi-Fi” →

The Church of WiFi gave a presentation on some of their recent projects. The first was coWPAtty, a program for brute forcing WPA-PSK. To speed up the process they created a table for pre-hashed WPA-PSK. WPA-PSK is seeded using the SSID of the router, so they grabbed the top 1000 SSIDs from Wigle.net and calculated the hashes when using a 170,000 word dictionary. Now they are able to check 18,000 keys/sec instead of just 12 keys/sec.

The next project was Evil Bastard, a custom WRT firmware. It is similar to Rogue Squadron which is a firmware designed to spoof an access point and collect user information by phishing. Evil Bastard has even more tools like Aircrack and Driftnet. It even features a “Point ‘n 0wn” interface that lets you just click on the target you want to automatically spoof.

The CoWF is also responsible for Kiswin, Kismet for Windows, which saves you from having to install Cygwin.

Continue reading “Shmoocon 2006: The Church Of Wi-Fi Presents: An Evil Bastard, A Rainbow And A Great Dane!” →

Billy Hoffman has built a site crawler that can hide its activity within normal web traffic. Crawling a website is one of the easiest ways to find exploitable pages, but the systematic nature of the crawl makes it stand out in logs. Billy set out to design a crawler that would behave like a normal web browser. It follows more popular links first (think “news”, not “legal notice”) and it doesn’t hit deep linked pages directly without first creating an appropriate Google referrer. There are tons of other tricks involved in making the crawler look “human” which you’ll find in Billy’s slides over at SPI Labs. You can also read about the talk on Wired News.

Continue reading “Shmoocon 2006: Covert Crawling: A Wolf Among Lambs” →