tag:blogger.com,1999:blog-6659681589128679452012-02-16T17:58:52.139-08:00Anything that's too big to fit on Twitter!Matthieu Tournehttp://www.blogger.com/profile/15561687382086661669noreply@blogger.comBlogger21100tag:blogger.com,1999:blog-665968158912867945.post-47293639952998166662009-01-05T06:26:00.000-08:002009-01-05T07:01:20.270-08:00It's fairly easy to go around most ip geolocation systems like on pandora.com, you just need a proxy located in the US.<br /><br />But hulu.com made it a bit trickier, by using Flash's RTMP connection to get the real IP of the viewer. Using a socks proxy inside your browser won't be enough to get around this. We need a way to "socskify" transparently the whole browser. This way all the tcp connection (including flash RTMP) will appear to come from the US.<br /><br />I tried tsocks/dsocks/dante from macports, none of them worked well.<br />I finally found <a href="http://www.proxifier.com/">proxifier</a> a native cocoa application which let you tunnel a whole application through various kinds of proxies.<br /><br />Let's see how this works:<br />A friend of mine gave me an access to a ssh server in the US. I use it as a local socks proxy.<br />But you can probably use any public http or socks proxy located in the US.<br /><br />First create an local socks proxy on the port 8800 using ssh. In a terminal type :<br /><span style="font-style: italic;">ssh -D 8800 USER<user>@SSH_SERVER_IN_THE_US</user></span><br />Leave the terminal open.<br /><br />Then go to Proxifier > Options > Proxy Settings > Add<br />Add the address, port, andtype of the proxy you want to use.<br />In this case,<span style="font-style: italic;"> localhost:8800</span> and socks5<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_a-lfYIcHO0g/SWIehDcTloI/AAAAAAAABx0/cbEUJbn0o2w/s1600-h/Picture+6.png"></a><div style="text-align: left;"><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_a-lfYIcHO0g/SWIdXjGQewI/AAAAAAAABxs/PG7lBJdO8Es/s1600-h/Picture+4.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 196px; height: 200px;" src="http://3.bp.blogspot.com/_a-lfYIcHO0g/SWIdXjGQewI/AAAAAAAABxs/PG7lBJdO8Es/s200/Picture+4.png" alt="" id="BLOGGER_PHOTO_ID_5287821202882067202" border="0" /></a><br />Finally go to Proxifier > Options > Proxification Rules<br />Select "<span style="font-style: italic;">Process Only the Following</span>" option and add a rule for the applications you want to tunnel through the proxy (by default it'll try to socksify everything, and in my case I need the ssh connection to be direct).<br />The configuration should look somewhat like that :<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_a-lfYIcHO0g/SWIfOju2kCI/AAAAAAAAByE/MGRtPm61F_o/s1600-h/Picture+6.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 400px; height: 283px;" src="http://1.bp.blogspot.com/_a-lfYIcHO0g/SWIfOju2kCI/AAAAAAAAByE/MGRtPm61F_o/s400/Picture+6.png" alt="" id="BLOGGER_PHOTO_ID_5287823247456768034" border="0" /></a><br />That should do the trick, you can now enjoy your favorite series.<br /></div><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_a-lfYIcHO0g/SWIe19vNQDI/AAAAAAAABx8/gx3tf77b7QM/s1600-h/Picture+6.png"><br /></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/665968158912867945-4729363995299816666?l=mattourne.blogspot.com' alt='' /></div>Matthieu Tournehttp://www.blogger.com/profile/15561687382086661669noreply@blogger.com7tag:blogger.com,1999:blog-665968158912867945.post-55580625224471047632008-10-14T12:42:00.000-07:002010-03-06T19:12:30.621-08:00DISCLAIMER: This discussion is only for academic research around the model of security implemented by WEP. I do not encourage you to break the law and gain unlawful access to protected network.<br />The source code provided is only a demonstration, and is not by any mean a practical attack.<br /><br />During the ToorCon 9, security researcher Vivek Ramachandran exposed an innovative attack to compromise wep protected WiFi networks.<br /><br />This attack called <a href="http://toorcon.org/2007/event.php?id=25">Caffe Latte</a> targets clients of the network instead of the AP, also there is no need to be close to the network to recover the wep key.<br />Let say you have the wep network you usually connect to on top of your preferred network and you boot your computer next to a "Caffe Latte enabled" laptop, in a starbucks for example it will lure the client into thinking it's the AP of that network. Then in about 7 minutes, the time it will take you to drink your coffee the wep key can be recovered.<br /><br />Here is my attempt to make my own working implementation of Caffe Latte :<br /><span style="font-size: 130%;"><br />How it works</span><br /><br />Here you can download the <a href="http://www.airtightnetworks.com/fileadmin/ppt/Toorcon.ppt">presentation</a> made at ToorCon by Vivek.<br /><br />To summarize :<br /><ol><li>First you need to lure the client into associating with your wep enabled AP, it needs to have the same SSID.</li><li>Once the connection is established a Windows box will try several different things untill it will send a <a href="http://wiki.wireshark.org/Gratuitous_ARP">Gratuitous ARP</a></li><li>Even though the packet is encrypted, it is easy to determine that it's the Gratuitous ARP (destination address, size of the packet)</li><li>Using the techniques described in <a href="http://tapir.cs.ucl.ac.uk/bittau-wep.pdf">The Final Nail in WEP's Coffin</a>, we can change bits in this packet and still have a valid packet (we still ignore the key). We then craft an ARP that the client will respond too.<br /></li><li>We then send this crafted packet over and over, in order to gather several thousands of responses.</li><li>Using tools such as <a href="http://www.aircrack-ng.org/">Aircrack-ng</a> we can there recover the key.</li></ol><br /><span style="font-size: 130%;">How I implemented it</span><br /><br />This will most likely work only with wifi adapter using the madwifi-ng driver.<br /><ol><li>The first part is to lure the client into associating with us, I used a patch for the madwifi-ng driver from <a href="http://blog.trailofbits.com/karma/">KARMA</a> (a rogue access point project), which will allow the creation of an 802.11 Access Point that responds to any probed SSID. (I modified the patch to work with the actual driver)</li><li>Another patch needs to be applied in order to be able to inject 802.11 frame with the network adapter, this one is found in the <a href="http://www.aircrack-ng.org/">Aircrack-ng</a> suite.</li><li>I then used <a href="http://802.11ninja.net/lorcon/">Lorcon</a> which is a "generic library for injecting 802.11 frames, capable of injection via multiple driver frameworks" to develop the real Caffe Latte attack.</li></ol>Here you can <a href="http://www.tsunanet.net/~mtourne/cafe-latte.tgz">download</a> a demo implementation of this, including source code, patches and directions if you want to try it.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/665968158912867945-5558062522447104763?l=mattourne.blogspot.com' alt='' /></div>Matthieu Tournehttp://www.blogger.com/profile/15561687382086661669noreply@blogger.com0