Samy Kamkar’s Proofs Of Concept (Evercookie, NAT Pin, NAT Pwn)

iPhone/Android Tracking Research + Wardriving Database

Code at http://samy.pl/androidmap
I discovered that both the Apple iPhone and Google Android phones constantly send geolocation/GPS and wifi router information back up to Apple and Google. The iPhone does this even when the user has chosen to turn GPS/Location Services off. Since my release of this research, Apple and Google have both testified in front of Congress and are now involved in various lawsuits due to potential invasion of privacy. Beyond the companies tracking the locations of all of these phones, I’ve created a tool that exposes not only the GPS data, but the wifi data Google has been collecting from virtually all Android devices and street view cars, using them essentially as global wardriving machines. When the phone detects any wireless network, encrypted or not, it sends the BSSID (MAC address) of the router along with signal strength and, most importantly, GPS coordinates up to the mothership. My tool allows you to ping that database and find exactly where any wifi router in the world is located. You can enter any router BSSID/MAC address to locate the exact physical location of the router. Try it here.

posted on 2011-04-21

evercookie: Extremely persistent virtually-irrevocable cookies

Code at http://samy.pl/evercookie
evercookie is a javascript API that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they’ve removed standard cookies, Flash cookies (LSOs), and others. It currently stores cookies in standard HTTP cookies, Local Shared Objects (Flash Cookies), the RGB values of auto-generated, force-cached PNGs (using the HTML5 Canvas tag to read the pixels, i.e. the cookies, back out), web history, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, and HTML5 Database Storage via SQLite.

posted on 2010-09-20

The MySpace Worm: the fastest spreading worm in history

Code at http://namb.la/popular
I developed the MySpace worm, the first XSS worm based on AJAX which proliferated through the MySpace network. Learn how I made over one million friends in less than 24 hours.

posted on 2009-12-20

peepmail: Discover private email addresses

Code at http://samy.pl/peepmail/
Peepmail is a tool that allows you to discover business email addresses for users, even if their email address may not be publicly available or shared.

posted on 2011-04-20

jiagra: Website+Javascript Performance Enhancement API

Code at http://samy.pl/jiagra
jiagra is a stand-alone javascript API for automatic website performance enhancement. It currently features cross-browser pre-rendering/pre-fetching (allowing pages on your site to load in the background before the user has clicked on them), advanced setTimeout and setInterval control (detecting which timers/intervals are still running, have been cleared, or have fired), which can allow for greater understanding of when *all* requests of a page have completed, and improved script tag support, allowing you to enter Javascript code in a single script tag that calls out to a remote URL, where the inline Javascript gets executed after the remote JS is executed, e.g.
<script src="path/to/script.js">
this_is_called_after_script_is_loaded();
</script>

posted on 2011-06-15

phpwn: Attack on PHP sessions and random numbers

Code at http://samy.pl/phpwn
Studying PHP’s LCG (linear congruential generator, a pseudorandom number generator), I discovered that there are weaknesses that reduce the complexity of determining the sequence of pseudorandom numbers. What this means is that PHP is severely deficient in producing random session IDs or random numbers, leading to the possibility of stealing sessions or other sensitive information. The initial seed can be reduced from 64-bits to 35-bits, and with PHP code execution, can be reduced further down to just under 20-bits, which takes only seconds to recreate the initial seed.

posted on 2009-08-20

proxmark3: RFID penetration testing tool

Code at http://code.google.com/p/proxmark3/wiki/HomePage
I’m one of the primary developers of the proxmark3, a penetration testing tool for low- and high-frequency RFID tags and readers, developed on an ARM7 microprocessor and Xilinx Spartan II FPGA. The device is capable of reading tags, simulating tags (such as HID badges), eavesdropping on transactions between another reader and tag, passively analyzing a tag or signal, and more.

posted on 2009-12-20

NAT Pinning: Forcing Remote Routers to Port Forward

Code at http://samy.pl/natpin
My NAT Pinning technique is a method that forces a user’s router or firewall, unbeknownst to them, to port forward any port number back to the user’s machine, simply by the user visiting a web page. If the user had FTP/ssh/etc open but blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world. No XSS or CSRF required.

posted on 2010-01-05

quickjack: Automated Clickjack and Frame Slicing Tool

Code at http://samy.pl/quickjack
Quickjack is a tool developed to easily create pages with the capability to clickjack users no matter where they click on the page. The tool has an extremely intuitive interface and is literally a point-and-click tool. It also allows frame slicing and other features such as referrer scrubbing and more.

posted on 2010-02-01

pwnat: Advanced client-server NAT-to-NAT penetration

Code at http://samy.pl/pwnat
pwnat allows full client-server tunneling and proxying even when both server and client are behind separate NATs with no port forwarding and no DMZ setup on their routers to directly communicate with each other. There is no middle man, no proxy, no 3rd party, and the server side requires no information on the client.

posted on 2010-01-22

chownat: Peer-to-peer communication through NATs

Code at http://samy.pl/chownat
chownat allows two peers behind two separate NATs with no port forwarding and no DMZ setup on their routers to directly communicate with each other. There is no middle man, no proxy, no 3rd party, and the application runs as an unprivileged user on both ends.

posted on 2009-12-20

mapxss: Accurate Geolocation via Router Exploitation

Code at http://samy.pl/mapxss
By using XSS exploitation of a user’s router, I’ve created a proof of concept which acquires the MAC address of the router of a web surfer, then uses the Google Service API to acquire the geographic coordinates of the user (determined by the Google van driving around, seeing the MAC address, and tying it to coordinates). This emulates Firefox’s Location-Aware Browsing without requiring any permission from the user or requiring Firefox.

posted on 2010-01-04

Packet: Perl modules for low-level packet injection/sniffing

Code at http://samy.pl/packet
Packet is a suite of portable Perl modules for encoding, decoding, injecting and sniffing low-level network packets. Packet also provides functionality for other low-level network tasks such as retrieving network device information and working directly with ARP cache tables.

posted on 2009-12-09

airsamy: Automated WEP injection and cracking via aircrack

Code at http://samy.pl/airsamy.pl
airsamy provides a simple interface to quickly and automatically crack a WEP network in minutes. It displays a list of available WEP networks and, once one is selected, it automatically places your driver in monitor mode, tests packet injection, fake-authenticates with the AP, captures IVs for cracking, captures ARP packets and replays them to introduce more IVs into the network, and cracks the key using the PTW attack.

posted on 2009-10-24

ORYX Stream Cipher Implementation and Attack

Code at http://samy.pl/oryx-attack.pl
I’ve implemented the ORYX stream cipher and a cryptanalytic attack able to recover the 96-bit internal key state in less than 2^20 ORYX operations. The ORYX stream cipher is used to encrypt data transmissions for the North American Cellular system.

posted on 2009-10-24

Anti-MITMA: Preventing Man in the Middle Attacks

Code at http://samy.pl/anti-mitma.pdf
I’ve described a simple method for authentication-based protocols (e.g., ssh) to prevent man in the middle attacks. Rather than establishing a potentially MITMA’d connection and then authenticating, you can authenticate the initial key exchange. More details in the pdf.

posted on 2009-10-15

weap: WEP (RC4) Key Recovery (Cryptanalytic Attack)

Code at http://samy.pl/weap
I’ve implemented a version of Shamir’s attack on WEP, easily recovering a WEP key from encrypted wireless traffic due to weak keys and poor IV mixing into the RC4 key.

posted on 2009-10-15

AI::NS: Perl module providing Genetic Algorithms

Code at http://samy.pl/ains/
AI::NaturalSelection provides a series of Perl modules using Genetic Algorithms to allow breeding and mutation to arise and emulate natural selection. Resultant honing can minimize the work required to solve certain fitness-testable problems.

posted on 2009-12-20

sql++: cross-database command line SQL client

Code at http://samy.pl/sql++/
sql++ is an easily configurable, feature-rich, portable command-line SQL tool. It can be used with many different databases and in place of other command line tools such as MySQL’s mysql-client, Microsoft SQL, PostgreSQL’s psql, and Oracle’s sqlplus. It has features such as multiple connections, multi-database interfacing, subselects for all databases, regardless of whether the database has native subselects or not, and much more.

posted on 2009-12-20

DISS: Download shared iTunes music automatically (Win32)

Code at http://samy.pl/diss.zip
DISS (Download iTunes Shared Songs) automatically hooks into iTunes’ memory (winsock) on Windows and downloads any shared music you play into the DISS playlist. No user intervention is required; it’s entirely automatic and typically takes only a second or two per song. Full C++ source and Windows binary included.

posted on 2005-11-20