What you mentioned is actually a very common method for various kinds of active and passive radar systems. Certainly doing it in an active fashion needs legal permission from the local regulator, but the law is different when it comes to passive collection, especially when it's wideband. I think Dave once mentioned that SILICA, like other Immunity Inc products, is based on Python and comes with source, which makes it a very good candidate to "connect" to stuff like GNU Radio and make use of cheap stuff like USRP to build Wifi locationing systems.

After my first email, I got two responses from two members of the list, who are actually government contractors who sell wifi locationing systems, and interestingly both of them work based on signal strength, which means you move around, you see the signal level go higher, it means you are in the right direction, and then you do this a lot from different places until you get a sense of where your target might be located. This is not only fundamentally flawed, in reality it's useless, respectfully, for hacking purposes, let's say to find an AP and flash its firmware with our own custom-made firmware to do a certain kind of stuff. It also will not work for real world SIGINT operations, say, to locate where the Russian agent is sitting (yeah, if he is not obviously sitting in a cafe right in front of the Russian embassy - hats off to FBI counterintelligence dudes and huge respect to Russian intelligence by the way). The current most accurate method to locate radio emitters, especially in these freq bands, is by using several receivers, connected together and synced in time with nano-sec precision, and using TDOA techniques to be able to "pin point" the actual radio. Other claims are either false or have serious drawbacks, even AOA (on precision, especially in a radio-crowded area).

Regards

On Thu, May 5, 2011 at 12:09 AM, Tracy Reed <[email protected]> wrote:

> On Wed, May 04, 2011 at 09:15:27PM +0430, Mohammad Hosein spake thusly:
> > at the risk of being very off-topic i got a question which can be relevant to
> > SILICA at some points . i've read all sorts of crap about direction finding of
> > Wifi targets from people who dont know what they are talking about including
>
> DF/TDOA would be a really nice capability. Way back in 2002 I did this warflying thing:
>
> http://tracyreed.org/Writings/warflying
>
> http://www.computerworld.com/s/article/73901/War_flying_Wireless_LAN_sniffing_goes_airborne
>
> I did it in San Diego and then TechTV invited me up to San Jose. I flew the plane up and appeared on their show and took their reporter for a demo flight and found massive numbers of APs. There would surely be even more today.
>
> It was fun and I have occasionally considered doing it again, but aside from the obvious facts that it works and you can see a lot of APs from a couple thousand feet up, we didn't learn much, so I haven't seen any good reason to try again. Back then we were mostly just interested in unsecured APs. Now of course we would be interested in unsecured and weakly encrypted (WEP etc). Those who are so inclined might be interested in actually cracking the weak encryption and discovering the keys and perhaps even exploring the networks. We passively received and did not transmit on our flights to avoid legal ambiguity.
>
> Time over target can get expensive when aircraft are involved, although it can be kept down to as low as $50/hr or maybe even less, so it wouldn't take much to discover every AP in a whole metro area. A smallish haul of card numbers resulting from the flights would easily cover it: I always consider how much an attacker would stand to gain when considering how likely they are to do something as outlandish as aerial wireless recon.
>
> Hmm...I just realized something: A few months ago I attended a briefing by SoCal Approach TRACON. This graphic was presented:
>
> http://imgur.com/ul5d6
>
> These are the tracks of all of the aircraft going into and out of CRQ during a 12 hour time span.
>
> You can see the blue tracks inbound for landing coming in from the right (east), the green tracks departing to the left (west), and the racetrack of the traffic pattern connecting the departures and arrivals.
>
> Notice the parallel orange lines left to right (east to west) all up and down the image. Looks like a search pattern. This seems likely to be mostly one aircraft's track; you can almost see the turnarounds on each end. When I first noticed it I wondered what the heck this guy might be doing. Now I have one more thing to add to the list of possibilities. :)
>
> Being able to collect semi-accurate location data on the actual AP (instead of just recording the GPS location of the aircraft when the AP was detected, which just results in a plot of the aircraft path) would be very nice for aerial discovery and exploration followed by driving to the area for more lengthy probing. Someone with automation like SILICA could open up and explore networks for vulnerabilities and recon a lot of networks fast.
>
> It's a shame a good samaritan cannot legally do this kind of mass-recon for the purposes of writing a paper or offering consulting services to improve the security posture of vulnerable networks. Instead they will just have to wait to be notified by their acquiring bank that they have a problem.
>
> Making money by flying while also improving the state of computer security is my dream job.
>
> On Wed, May 4, 2011 at 8:12 PM, dave <[email protected]> wrote:
> > So SILICA has been around for a while - essentially automating wireless
> > attacks in
>
> I don't see a buy link on that page... Does one have to call?
>
> --
> Tracy Reed
>
> _______________________________________________
> Dailydave mailing list
> [email protected]
> https://lists.immunityinc.com/mailman/listinfo/dailydave
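The TDOA method the post describes (several receivers synced to nanosecond precision, emitter position solved from arrival-time differences) as an added worked example that is not part of the thread and is not SILICA's or any vendor's code. It is a pure-Python toy: four receivers at constructed positions, a Gauss-Newton least-squares fit on the hyperbolic TDOA residuals, and a second run with constructed 100 ns clock offsets to show why the sync precision matters. The defender's use is the same as in the thread, e.g. locating a rogue AP on a site you operate.

```python
"""Toy TDOA multilateration in 2-D (added example; all positions constructed)."""
import math

C = 299_792_458.0  # speed of light, metres per second

# Constructed layout: four time-synchronised receivers at the corners of a
# 200 m square. Coordinates in metres, made up for this example.
RECEIVERS = [(0.0, 0.0), (200.0, 0.0), (0.0, 200.0), (200.0, 200.0)]


def _dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def arrival_times(emitter, receivers, clock_offsets=None):
    """Time at which each receiver stamps one transmission, in seconds.

    clock_offsets (seconds, one per receiver) models imperfect sync.
    """
    offsets = clock_offsets or [0.0] * len(receivers)
    return [_dist(emitter, p) / C + off for p, off in zip(receivers, offsets)]


def tdoa_locate(receivers, toas, guess=None, iterations=100, tol=1e-6):
    """Gauss-Newton least squares on TDOA residuals, receiver 0 as reference.

    For i >= 1 the residual is  r_i = (d_i(x) - d_0(x)) - C * (t_i - t_0),
    i.e. how far the candidate point x is from the hyperbola that the
    measured time difference defines. Returns the estimated (x, y) in metres.
    """
    ref, t0 = receivers[0], toas[0]
    if guess is None:  # start at the array centroid
        guess = (sum(p[0] for p in receivers) / len(receivers),
                 sum(p[1] for p in receivers) / len(receivers))
    x, y = guess
    for _ in range(iterations):
        # Accumulate the 2x2 normal equations J^T J [dx, dy] = -J^T r.
        a11 = a12 = a22 = b1 = b2 = 0.0
        d0 = _dist((x, y), ref)
        for p, t in zip(receivers[1:], toas[1:]):
            di = _dist((x, y), p)
            r = (di - d0) - C * (t - t0)
            jx = (x - p[0]) / di - (x - ref[0]) / d0  # d r / d x
            jy = (y - p[1]) / di - (y - ref[1]) / d0  # d r / d y
            a11 += jx * jx
            a12 += jx * jy
            a22 += jy * jy
            b1 -= jx * r
            b2 -= jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:
            break  # degenerate geometry, cannot solve
        dx = (b1 * a22 - a12 * b2) / det
        dy = (a11 * b2 - a12 * b1) / det
        x, y = x + dx, y + dy
        if math.hypot(dx, dy) < tol:
            break
    return (x, y)


def range_error_m(timing_error_s):
    """Distance error implied by a timing error between receivers: C * dt."""
    return C * timing_error_s


def demo(emitter=(130.0, 75.0)):
    """Locate a constructed emitter with perfect sync and with 100 ns offsets."""
    exact = tdoa_locate(RECEIVERS, arrival_times(emitter, RECEIVERS))
    # Constructed residual clock error: two receivers off by +/-100 ns,
    # i.e. roughly 30 m of range-difference error inside a 200 m array.
    jittered = tdoa_locate(
        RECEIVERS, arrival_times(emitter, RECEIVERS, [0.0, 100e-9, -100e-9, 0.0]))
    return {"exact_err_m": _dist(exact, emitter),
            "jitter_err_m": _dist(jittered, emitter)}


if __name__ == "__main__":
    print(demo())
    print("1 ns of sync error =", round(range_error_m(1e-9), 3), "m of range error")
```

With perfectly synchronised timestamps the solver lands on the emitter to millimetre precision; with 100 ns of residual offset on two receivers the fit is still "a solution", just tens of metres off, which is the post's point about why the receivers have to be synced at nanosecond precision rather than relying on signal strength.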
