Code at http://samy.pl/androidmap
I discovered that both the Apple iPhone and Google Android phones constantly send geolocation/GPS and wifi router information back up to Apple and Google. The iPhone does this even when the user has chosen to turn GPS/Location Services off. Since my release of this research, Apple and Google have both testified in front of Congress and are now involved in various lawsuits due to potential invasion of privacy. Besides the companies tracking the locations of all of these phones, I’ve created a tool that exposes not only the GPS data, but the wifi data Google has been collecting from virtually all Android devices and street view cars, using them essentially as global wardriving machines. When the phone detects any wireless network, encrypted or not, it sends the BSSID (MAC address) of the router along with signal strength, and most importantly, GPS coordinates up to the mothership. My tool allows you to ping that database and find exactly where any wifi router in the world is located. You can enter any router BSSID/MAC address to locate the exact physical location of the router. Try it here.
Code at http://samy.pl/evercookie
Code at http://namb.la/popular
I developed the MySpace worm, the first XSS worm based on AJAX which proliferated through the MySpace network. Learn how I made over one million friends in less than 24 hours.
Code at http://samy.pl/peepmail/
Peepmail is a tool that allows you to discover business email addresses for users, even if their email address may not be publicly available or shared.
Code at http://samy.pl/jiagra
<!-- include the script with a normal script tag (the angle brackets are not spaced) -->
<script src="path/to/script.js"></script>
Code at http://samy.pl/phpwn
Studying PHP’s LCG (linear congruential generator, a pseudorandom number generator), I discovered weaknesses that reduce the complexity of determining the sequence of pseudorandom numbers. What this means is that PHP is severely deficient in producing random session IDs or random numbers, opening the possibility of stealing sessions or other sensitive information. The effective initial seed space can be reduced from 64 bits to 35 bits, and with PHP code execution it can be reduced further to just under 20 bits, at which point recreating the initial seed takes only seconds.
Code at http://code.google.com/p/proxmark3/wiki/HomePage
I’m one of the primary developers of the proxmark3, a penetration testing tool for low- and high-frequency RFID tags and readers, built on an ARM7 microprocessor and a Xilinx Spartan II FPGA. The device is capable of reading tags, simulating tags (such as HID badges), eavesdropping on transactions between another reader and a tag, passively analyzing a tag or signal, and more.
Code at http://samy.pl/natpin
My NAT Pinning technique is a method that forces a user’s router or firewall, unbeknownst to them, to port forward any port number back to the user’s machine, simply by the user visiting a web page. If the user had FTP/ssh/etc open but blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world. No XSS or CSRF required.
Code at http://samy.pl/quickjack
Quickjack is a tool developed to easily create pages with the capability to clickjack users no matter where they click on the page. The tool has an extremely intuitive interface and is literally a point-and-click tool. It also allows frame slicing and other features such as referrer scrubbing and more.
Code at http://samy.pl/pwnat
pwnat allows full client-server tunneling and proxying between a client and a server that are behind separate NATs, with no port forwarding and no DMZ set up on their routers, so that they can communicate directly with each other. There is no middle man, no proxy, no 3rd party, and the server side requires no information about the client.
Code at http://samy.pl/chownat
chownat allows two peers behind two separate NATs, with no port forwarding and no DMZ set up on their routers, to communicate directly with each other. There is no middle man, no proxy, no 3rd party, and the application runs as an unprivileged user on both ends.
Code at http://samy.pl/mapxss
By using XSS exploitation of a user’s router, I’ve created a proof of concept which acquires the MAC address of the router of a web surfer, then uses the Google Service API to acquire the geographic coordinates of the user (determined by the Google van driving around, seeing the MAC address and tying it to coordinates). This emulates Firefox’s Location-Aware Browsing without requiring any permission from the user or requiring Firefox.
Code at http://samy.pl/packet
Packet is a suite of portable Perl modules for encoding, decoding, injecting and sniffing low-level network packets. Packet also provides functionality for other low-level network tasks such as retrieving network device information and working directly with ARP cache tables.
Code at http://samy.pl/airsamy.pl
airsamy provides a simple interface to quickly and automatically crack a WEP network in minutes. It displays a list of available WEP networks and once selected, it automatically places your driver in monitor mode, tests packet injection, fake authenticates with the AP, captures IVs for cracking, captures ARP packets and replays them to introduce more IVs into the network, and cracks using the PTW attack.
Code at http://samy.pl/oryx-attack.pl
I’ve implemented the ORYX stream cipher and a cryptanalytic attack able to recover the 96-bit internal key state in less than 2^20 ORYX operations. The ORYX stream cipher is used to encrypt data transmissions for the North American Cellular system.
Code at http://samy.pl/anti-mitma.pdf
I’ve described a simple method for authentication-based protocols (e.g., ssh) to prevent man-in-the-middle attacks. Rather than establishing a potentially MITMA’d connection and then authenticating, you can authenticate the initial key exchange itself. More details in the pdf.
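The following is an added illustration of that idea, not code from the pdf or from the project: a Diffie-Hellman exchange in which each side HMACs the exchanged public values with a pre-shared secret before any application data flows. The pre-shared secret as the authentication credential, the role labels, the key-derivation step and the tiny demo-only group are all assumptions of this example. An interposed party that runs a separate exchange with each side ends up with transcripts that disagree, so the tags fail to verify and the substitution is detected during the exchange rather than after a session already exists.

```python
"""Authenticated Diffie-Hellman key exchange (added example, assumptions noted)."""
import hashlib
import hmac
import secrets

# Demo-only group: the largest 64-bit prime, so the example runs instantly.
# A real deployment would use a standard large group; this is only for illustration.
P = (1 << 64) - 59
G = 5
NBYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Return (private exponent x, public value G^x mod P)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def transcript(a_pub, b_pub):
    """Canonical byte encoding of both public values in a fixed order."""
    return a_pub.to_bytes(NBYTES, "big") + b_pub.to_bytes(NBYTES, "big")


def tag(psk, role, a_pub, b_pub):
    """HMAC over the transcript as seen by `role`, keyed with the pre-shared secret.

    The role label prevents a tag from one direction being replayed as the other.
    """
    return hmac.new(psk, role + transcript(a_pub, b_pub), hashlib.sha256).digest()


def derive_key(shared, a_pub, b_pub):
    """Session key bound to the shared secret and the transcript (assumed KDF)."""
    return hashlib.sha256(shared.to_bytes(NBYTES, "big") + transcript(a_pub, b_pub)).digest()


def run_exchange(psk, adversary=False):
    """Run the exchange between A and B; return (both_tags_verified, key_a, key_b).

    With adversary=True an interposed party performs its own DH with each side,
    so A and B each hold a different view of the transcript.
    """
    xa, A = dh_keypair()
    xb, B = dh_keypair()
    if adversary:
        _, M1 = dh_keypair()          # value the interposer sends to B as "A"
        xm2, M2 = dh_keypair()        # value the interposer sends to A as "B"
        a_view, b_view = (A, M2), (M1, B)
        shared_a, shared_b = pow(M2, xa, P), pow(M1, xb, P)
    else:
        a_view = b_view = (A, B)
        shared_a, shared_b = pow(B, xa, P), pow(A, xb, P)

    # Each side authenticates its own view; the peer checks it against its view.
    tag_a = tag(psk, b"A", *a_view)
    tag_b = tag(psk, b"B", *b_view)
    ok_a = hmac.compare_digest(tag_b, tag(psk, b"B", *a_view))
    ok_b = hmac.compare_digest(tag_a, tag(psk, b"A", *b_view))
    return ok_a and ok_b, derive_key(shared_a, *a_view), derive_key(shared_b, *b_view)


if __name__ == "__main__":
    ok, ka, kb = run_exchange(b"constructed pre-shared secret")
    print("honest exchange verified:", ok, "keys match:", ka == kb)
    ok, ka, kb = run_exchange(b"constructed pre-shared secret", adversary=True)
    print("interposed exchange verified:", ok, "keys match:", ka == kb)
```

In the honest run both tags verify and both sides derive the same key; in the interposed run the views differ, neither tag verifies, and the mismatched keys are never used because the exchange is rejected first. Without the tags the interposed run would silently complete with two different keys, which is exactly the window the note above describes.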
Code at http://samy.pl/weap
I’ve implemented a version of Shamir’s attack on WEP, easily recovering a WEP key from encrypted wireless traffic due to weak keys and poor IV mixing into the RC4 key.
Code at http://samy.pl/ains/
AI::NaturalSelection provides a series of Perl modules that use Genetic Algorithms to allow breeding and mutation to arise and emulate natural selection. The resulting refinement can minimize the work required to solve certain fitness-testable problems.
Code at http://samy.pl/sql++/
sql++ is an easily configurable, feature-rich, portable command-line SQL tool. It can be used with many different databases and in place of other command line tools such as MySQL’s mysql-client, Microsoft SQL, PostgreSQL’s psql, and Oracle’s sqlplus. It has features such as multiple connections, multi-database interfacing, subselects for all databases, regardless of whether the database has native subselects or not, and much more.
Code at http://samy.pl/diss.zip
DISS (Download iTunes Shared Songs) automatically hooks into iTunes’ memory (winsock) on Windows and downloads any shared music you play into the DISS playlist. No user intervention is required for this to happen; it’s entirely automatic and typically takes only a second or two per song. Full C++ source and a Windows binary are included.