WPS attack?


http://code.google.com/p/reaver-wps/
I was looking for the youtube video on skyhook to trace MACs, but  
stumbled upon a video for "reaver". This looks like hacker code that  
exploits WPS.
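The post says only that reaver "exploits WPS". What it exploits is arithmetic, not a memory bug: the WPS external-registrar exchange confirms the 8-digit PIN in two halves (the first four digits at the M4 stage, the rest at M6), and the eighth digit is a checksum of the other seven. So instead of 10^7 guesses an attacker needs at most 10,000 + 1,000 exchanges. The following is an added example of mine, not code from the thread or from the reaver project: `SimulatedRegistrar` and its method names are my own stand-in for the access point (no real AP is contacted, no lockout is modelled, and the sample PIN is constructed); only the checksum routine follows the WPS specification.

```python
# Added example (not code from the thread or from reaver): why a WPS PIN
# falls to a split brute force. The registrar below is a simulation of the
# AP-side PIN check, not a real device; names and the sample PIN are mine.
from typing import Optional, Tuple


class SimulatedRegistrar:
    """Stand-in for an AP's WPS registrar (assumption: it behaves like the
    real M4/M6 exchange, acknowledging the first four digits on their own
    before the remaining digits are ever checked)."""

    def __init__(self, pin: str) -> None:
        if len(pin) != 8 or not pin.isdigit():
            raise ValueError("WPS PIN must be 8 digits")
        self._pin = pin
        self.attempts = 0          # one per PIN-check exchange the attacker drives

    def try_first_half(self, half: str) -> bool:
        """M4 stage: True when the first four digits are correct."""
        self.attempts += 1
        return self._pin[:4] == half

    def try_second_half(self, first_half: str, rest: str) -> bool:
        """M6 stage: only reached once the first half was accepted."""
        self.attempts += 1
        return self._pin == first_half + rest


def wps_checksum_digit(first7: int) -> int:
    """Checksum (eighth) digit of a WPS PIN: weights 3,1,3,1,... applied from
    the least significant of the seven leading digits, per the WPS spec."""
    accum = 0
    n = first7
    while n:
        accum += 3 * (n % 10)
        n //= 10
        accum += n % 10
        n //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when the eighth digit matches the checksum of the first seven."""
    return (len(pin) == 8 and pin.isdigit()
            and wps_checksum_digit(int(pin[:7])) == int(pin[7]))


def brute_force_pin(reg: SimulatedRegistrar) -> Optional[str]:
    """Recover the PIN in at most 10**4 + 10**3 exchanges: guess the first
    half alone, then only the three free digits of the second half, since
    the eighth digit is derived from the other seven."""
    first = None
    for a in range(10_000):
        candidate = f"{a:04d}"
        if reg.try_first_half(candidate):
            first = candidate
            break
    if first is None:
        return None
    for b in range(1_000):
        first7 = int(first + f"{b:03d}")
        pin = f"{first7:07d}{wps_checksum_digit(first7)}"
        if reg.try_second_half(first, pin[4:]):
            return pin
    return None


def keyspace_comparison() -> Tuple[int, int]:
    """(guesses for a blind search over 7 free digits, worst-case split search)."""
    return 10**7, 10**4 + 10**3


if __name__ == "__main__":
    reg = SimulatedRegistrar("12345670")   # constructed sample PIN, valid checksum
    print(brute_force_pin(reg), "recovered after", reg.attempts, "exchanges")
    print("keyspace: blind %d vs split %d" % keyspace_comparison())
```

The worst case against this simulation is 11,000 exchanges; a device that does not enforce the checksum digit would push the second stage to 10,000 guesses, which is still far from 10^7. Real access points may rate-limit or lock WPS after failed attempts, which the simulation deliberately does not model; run this kind of check only against equipment you own.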

Re: WPS attack?
For mon0, does that mean you run kismet, or is there another monitor  
program?

I don't have backtrack, but I did find a repo with reaver, so I have  
wash now.

It is always a good idea to hack yourself. At any one time, there is  
probably some bored teenage boy within wifi reception range. Not to  
mention bored adults with time on their hands. Oh, and NSA field agents.

Re: WPS attack?


For capturing packets, I use Kismet on Linux.  

When I feel like tinkering on Windoze, I use NetMon 3.4.
<http://www.microsoft.com/en-us/download/details.aspx?id=4865>
<http://blogs.technet.com/b/netmon/archive/2007/06/15/wireless-capturing-with-network-monitor-3-1.aspx>
<http://support.microsoft.com/kb/933741>
<http://blogs.technet.com/b/netmon/>
etc...


Want me to snail mail a DVD to you?


Yep.  Most of the security problems I find on my own systems were
created while testing something else.


"Only the paranoid survive".  
(Andy Grove)


--  
Jeff Liebermann     jeffl@cruzio.com
150 Felker St #D    http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann     AE6KS    831-336-2558

Re: WPS attack?

Given the growth of Arm, I guess somebody at Intel wasn't paranoid enough.

Oh I can always download Backtrack. I just never saw the need to have  
the entire package. I know there are live-cds as well. But I rather just  
put the one or two programs I need in my own linux. Otherwise you have  
to learn the quirks of another distribution.

I'll fire up kismet. I was looking for the kismet "capable" dongle when  
I did the previous post but now I remember I had stashed it in the car.  
Someone wanted a kismet demo so I set up the high gain patch antenna and  
sniffed from the Berkeley hills where we were doing some other radio stuff.

Even in 2013, you still find people using no encryption or WEP, which I  
suppose is like no encryption, though few people would actually WEP  
crack a router that they didn't own. That is, most people do this stuff  
for the education.

My new phone has RFID, so I was sniffing it with a HF radio today. RFID  
is a decent beacon. A portable radio can hear it about 5ft away.  
Obviously you could do better with a tuned loop. Time to go back and  
look at those old Defcon videos.....

Re: WPS attack?



True.  I'm wondering what John McAfee has against McAfee Anti-Virus,
which is owned by Intel.  I don't think anyone saw that coming:
<http://www.youtube.com/watch?v=bKgf5PaBzyg>



Backtrack 5 R3 hasn't changed for the last 9 months.  Of course, it
probably will be updated as soon as you learn the quirks and tricks.


Open source RFID receiver and decoder:
<http://www.openpcd.org>

Note the antenna:
<http://www.openpcd.org/RFID_Sniffer_Hardware>

HF antenna cookbook from TI
<http://www.ti.com/rfid/docs/manuals/appNotes/HFAntennaCookbook.pdf>
Amazing...

-- 
Jeff Liebermann


Re: WPS attack?

The TI doc is a good one. I'm not sure why a copper tape antenna is  
better than just plain copper wire. You may recall Gertrude Stein's  
commentary that "a loop is a loop is a loop."

I have a number of North Hills 1301LB transformers.

The datasheet is tough to read, but it is on the list. Basically it is  
75 ohms unbal to 124 ohm bal from 1kHz to 20MHz.

I was thinking of a small coil to couple to the phone, one of the  
transformers, some TV coax, another transformer, then a big ass loop  
antenna. That way I don't have to mess with any software since the phone  
can read and program tags.

Most of the phones with NFC have the coil on the inside of the back  
cover. You can get to the coil contacts with the back off, well if you  
are ballsy enough to connect directly to the phone. But I think the  
inductive connection is safer.

Probably air core on the phone side and ferrite rod on the far end.

Re: WPS attack?


More surface area.  That gives it more bandwidth and less loss. That's
also why magnetic loop antennas use soldered copper pipe.  The
circulating currents are so high, that any resistive loss anywhere in
the loop, will make it unusable.


Mobius loop?


Looks good for 13 MHz but might be a bad choice.  At 13.56 MHz, you
don't need a broadband anything.  Narrowband will work.  A tuned coil
with an inductive tap or capacitor divider might be a better choice.


Were you planning on walking around public places with that
derangement?  Perhaps one of the smaller loops, that are less
obtrusive, might be a better choice?


You're going to get some loss, even so close.  The problem is that
you're building an air core transformer between the two loops, with no
way to contain the radiation on the primary side loop.  If you cram
for example 1 milliwatt from the big loop to a coupling loop, the
coupling loop will probably radiate about 9/10ths of the 1 milliwatt
in directions that do NOT cover the cell phone loop.  That's a -10dB
loss.  The re-radiated power is lost.  However, you can compensate by
building a 13.56 linear amplifier at the big antenna, or at the
coupling loop, to compensate.  The trick is to NOT turn it into an
oscillator or regenerative receiver.


The only thing that ferrite buys you is a smaller antenna.  Everything
else about it sucks.  Try to use an air core if possible.  If you
can't make it fit, then use ferrites.
-- 
Jeff Liebermann

Re: WPS attack?

If you listen to Steve Gibson's "Security Now", people in the EU have  
been charged on their NFC phones before they even get to the register. I  
don't have the details, just what I heard on the podcast. Steve doesn't  
trust radio because it is hard to limit in terms of distance.

In the US, those Mobile speed pay things are NFC. In the bay area, the  
Clipper is NFC. Very confusing technology since some times you just tag  
to get onboard, other times you have to tag when you leave the train  
too. The first time I used a clipper on Muni, I had no idea it was a  
freaking NFC. Where is the slot, dammit! And you kids, get off my grass.

There are some NFC geocaches in Australia. I need to get a bit more  
skilled in programming the tags before I bug the official geocache  
website. Tag203 is the one that works with the most phones.

I like planting the caches way more than finding them. In fact, I'm kind  
of bummed the hobby has turned into a who can get the most number of  
caches, or worse yet, team caches. They don't linger in the area and  
poke around, then just rush off to the next cache.

I wisely turned down being in the Chron to be the first sucker to find a  
geocache in the bay area. The reporter was watching the chatter on the  
internet and tracked me down. As it turns out, I had to do a rather  
insane climb down a hillside because the cache was placed in a car that  
rolled off a road. I didn't realize that at the time, and given that the  
GPSs were not very good at the time, I figured the cache was by the  
road, not over the cliff. Nothing like having the press document that  
you are an ass.

Much like the person who put the geocache in a junked car, I try to put  
my caches in trash. I'm not convinced that geocaches are not litter, but  
I figure if there is trash there already, a small ammo can won't make it  
look any worse.

The highway patrol removed a number of caches near roads because they  
were causing people to park unsafely by the side of the road. I had  
figured that out as well, so the caches I planted already have a spot by  
the road. As it turned out, nothing I planted got removed.

The NFCs I got are weatherproof. One type has a hole in the middle so it  
can be screwed into something, or just use the adhesive. The other tags  
are like keytags. I figure they could hang on a branch. Incidentally,  
tags that work on metal are a special class.

While I took care of the trash aspect, these geocachers have a high  
carbon footprint. I get email from cachers that live in Europe or the US  
east coast. I suppose if they are doing other tourist stuff, it is OK,  
but when I get reports that they found 500 caches on the trip, I kind of  
think they need a new hobby.

I think the offset caches are probably the best plan. No new code to  
write on the website, plus the cacher can't completely plan ahead since  
they don't know their final destination.

