
Archive for the ‘WiFi Hacking’ Category

WARCARRIER for Android Version 1.1

Saturday, March 1st, 2014

Almost complete. WARCARRIER for Android Tablets.

This is the main screen at startup, including the menu options.

Click on “CatchMeNG!” in the settings bar at the top right and you can input a string to troll for. This includes Bluetooth devices, BSSIDs, ESSIDs, etc.

You can also choose “Plot Waypoint” to plot a new way point onto the Google Map:

If you long-press on any field (as the “Help” dialog from the Settings menu shows), you can find more information on the specific data that is presented.

And as of 1.1 Beta, you can plot and scan for Bluetooth devices:

This will make my life so much easier as I only have to write this Java code to run on one specific hardware type. Anything that goes wrong is the SDK’s fault, or the manufacturer’s for not using standard or compliant hardware (e.g. for radios).

Time to catch up on some R&R

WARCARRIER 802.11 Probe Request Scanner for Android

Monday, February 24th, 2014

The Application

I just finished up coding a simple 802.11 scanning application for Android that uses Probe Requests to ask for all AP info in the vicinity. A station sends a probe request frame when it needs to obtain information from another station. It’s considered an “active” scan since it’s sending a request; using RFMON on your radio is passive and only sniffs. What’s cool about this type of scan is that it is easier to scan for networks when already associated to a service set. In passive scanning, with software like Airodump-ng, you get this same data from the APs, just from subtype 0x08 Beacon frames. I also added some CatchMeNG! functionality for searching for devices.

This is the main screen you see above. It is a simple TableLayout (actually two, since one is programmatically destroyed upon returning scan results) within a RelativeLayout user interface. When you start the application, it checks to see if WiFi is enabled and if so it will scan the area using Probe Requests. This is very similar to how the old NetStumbler application worked. The EditText field you see is for CatchMeNG!, in which you can troll for any specific string you wish: BSSID, ESSID, channel, WEP, etc.

In the image above I am initializing CatchMeNG!, which turns the label green once the “Enable” button is pressed. I had a hard time with the EditText stealing the focus of the app when the onCreate() method was initially called, but was able to stop that programmatically.

In the screenshot above you can see that the label has turned green for CatchMeNG!, indicating that it is on. I did this simply by creating a TextView object with the Integer ID of the actual Resources ID, e.g.: “”.

In the above screenshot you can see what is shown when the object is found. I gave more details so that the RSSI can maybe be used as an indicator for signal strength. Just like in older versions of CatchMeNG!, a sound is also played to alert the user. Scanning takes place by hitting the Refresh AP List menu item in the application’s menu at the top right, not automatically.


Add automatic scanning.
Add case insensitivity.
Create a new section in Programming for Android and cover in depth details on how this project was created.


Harness Unused WiFi Signals for Power with Metamaterials

Tuesday, November 12th, 2013

I recently saw this article from a comment iBall made on Facebook.

First, this isn’t that new. It’s been worked on for about a decade now and founded/hypothesized back in 1968. And yeah, from 1968 to about 1999 most of the work was “theoretical.” What I am talking about is a material designed to “catch” electro[magnetism].

In Physics, there is something called the “index of refraction” which is measured by how electro[magnetic] energy changes velocity in a new material. A simple example of refraction is in the case of light into glass or water. Have you ever seen a long rigid pole go into water and thought that it looked bent?

This refraction is the cause for that bend. Light bends as it enters a denser material. This is also true with other forms of electromagnetism including WiFi. If we have an orthogonal normal and send light straight down it from air into glass, we will see the light bend to the left, for example. This would be normal refraction. If the light bent in the opposite direction into a material away from the orthogonal normal, it is said to be a negative index of refraction since it bends into the negative side of our point of reference.

A lot more diffraction/refraction/reflection physics goes on behind the scenes, but for generalization purposes, let’s use these simple examples. Now, for negative refraction to occur, the permittivity and permeability BOTH need to be negative. This is unusual and doesn’t occur naturally. Some metal materials can have negative permittivity at lower wavelengths of radiation, but to achieve negative permeability, the “meta” material needs to be aligned and designed to do so. A material which has one, but not both, of these negative refraction properties will not allow WiFi’s electro[magnetism] to pass through it.
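As an added note (not from the original post), the reason both constants have to be negative falls out of the definition of the index itself:

$$n^2 = \varepsilon_r\,\mu_r, \qquad n = \pm\sqrt{\varepsilon_r\,\mu_r}$$

If $\varepsilon_r < 0$ and $\mu_r < 0$ the product is positive, $n$ is real, and the physically consistent root for such a double-negative medium is $n < 0$: the wave still propagates, but refracts to the opposite side of the normal. If only one of the two is negative, $\varepsilon_r \mu_r < 0$, so $n$ is purely imaginary and the field inside the material decays exponentially instead of propagating, which is why a material with one but not both of these properties blocks the WiFi signal.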

Let’s not confuse refraction with reflection:

Reflection is a surface phenomenon. Remember the article I wrote addressing the leakage of WiFi and how analyzing incoming signals that seemingly trespass into one’s own property should NOT be labeled a “crime” (technically it is a shared ISM/free band anyway)? Well, the “Mylar” material I was speaking of actually has an extremely low transmittance level due to its amazing ability to reflect radiation. In fact, if we look at a curve of wavelength versus transmittance for Mylar, we see that the closer we get to the smaller wavelengths of WiFi (2.4-5GHz), the more the transmittance percentage drops, down to nothing. This means that almost all radiation is reflected and nothing passes through. Refraction is a different concept and relies on the density and molecular structure of the material the light goes into. Permeability and permittivity are different from refraction and are why I have outlined the word “magnetism” in “electromagnetism” in this article. They deal with how magnetism affects the internal molecular alignment. Lining a room with Mylar, or emergency blankets, is a cheap way to keep radiation in and/or out using reflection!

Now, to make a material which is not affected by an external magnetic field (in our case from the electro[magnetism] within a WiFi signal), we need to make the permeability level negative. This is done in the construction of the meta-material. The meta-material is a set, or aligned grid, of SRRs, or “split ring resonators.”

These resonators are just copper split rings that, when affected by electromagnetism, generate an internal looping current which in turn generates its own magnetism which perfectly opposes the field from the WiFi signal’s electromagnetism. These “rings” are not true rings. They are non-continuous, with a small section removed. This small gap is not visible in the article’s image because they have the SRRs in foam to brace them, but it is there. These rings with small gaps in them allow the SRR to accept a range of wavelengths larger than the ring itself. If the ring were closed, it would only accept a narrow band of frequencies.

The rest of the small circuit is just a DC doubler which utilizes the bias of the diodes to direct each portion (negative and positive from the wave) of the AC current into the twin capacitors. This is an extremely simple concept and design. The paper is mostly about how they are optimizing the captured current from the current loops in the SRRs when any RF at around 900MHz is received. WiFi has been used at 900MHz, and will more openly be used at 900MHz with the new 802.11 amendment “ah”. The authors are able to harness 7.4VDC at 104mA at the load. Now, if you’re thinking, “Great! I could use one of these, I have a WiFi router!” you may be missing the whole picture. This is low power we are talking about here, even if we are to swallow up a large charge into, say, a battery. It would cost less to charge that battery directly from your power source at the wall outlet. Let’s take a look at why.

Your router, by default, most likely came equipped with a dipole antenna and is spraying signal at a higher TX power than needed for your application. The whole time the little batteries that the authors have designed are filling up with energy from the signal, your router is most likely using 5-12VDC at .250-3A! If we lower the amount of low-power traffic our router is spraying, such as beacons, which are usually sent out every 100ms, lower our TX (transmit) power in the router, and then use a proper antenna for applications which are wireless but stationary, or close to stationary, we can save more energy, obviously. Also, RF doesn’t necessarily mean 802.11 packets. It can be any radiation at 900MHz or even below (longer wavelengths) due to the simple, yet efficient, design of the SRRs. Now, if you thought, “Wow! I can harness the power from all RF at 900MHz”, that makes more sense!

Now, let’s scare ourselves. Imagine a low powered trolling drone equipped with a switched GPS radio that searches for a BSSID, or MAC of a phone or station that is powered by leaked RF? :) Next article up: a few WiFi device patents that I can’t afford!


Catching Pink Dolphins with Libpcap via 802.11

Monday, September 9th, 2013

Having trouble understanding libpcap with 802.11? Having a hard time finding documentation that makes you really grasp the concept of packet sniffing programmatically with 802.11?

libpcap is the library most commonly used for packet sniffing and generation. Most of the best network hacking tools use it, and the documentation is few and far between for a newbie. I’ve actually wanted to write this for a long, long time. I just finished creating a lot of C Programming tutorials, and if you followed through with them you will have no problem at all with this tutorial, so let’s put these two together.

802.11 protocol analyzers like Airodump-ng make use of libpcap. When designing WARCARRIER, I ended up making my own version of Airodump-ng so as not to have any dependencies. I tried using Scapy and lorcon with Python and even Net::Pcap with Perl, but they were just wrappers for the real thing which didn’t offer the type of control that I needed. I needed to use libpcap and C. It sounds rather daunting, because it is heavily filled with computer science, and many major aspects of 802.11 networking, C, libraries, and more need to be known, but I will cover all of these bases with you step by step and even display packets in Wireshark so you can see exactly what we are doing.

I realize the code isn’t optimal, but it’s a quick start. I’ll dig into it later and make the WARCARRIER portion a lot smoother. You can click on the image above to go directly to the document. If you find any errors or need any help, feel free to email me at the address in the masthead at the top of this weblog.
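As an added example (not the WARCARRIER code and not the linked tutorial), here is the dissection a libpcap callback performs on a captured 802.11 frame: skip the radiotap header, check that the frame is a management frame, tell the probe request of the active scan described in the WARCARRIER Android post above apart from the subtype 0x08 beacon that a passive Airodump-style sniff relies on, pull out BSSID, SSID, channel and the Privacy capability bit, and finally run a CatchMeNG!-style case-insensitive match over those fields. The two byte buffers are constructed for this example (the 02:… addresses and the “PinkDolphin” SSID are made up), and the only assumption about libpcap is that a monitor-mode capture reports link type DLT_IEEE802_11_RADIO, in which case the buffer pcap_loop() hands to the callback has exactly the layout of sample_beacon below.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What an Airodump-style list shows for one 802.11 management frame. */
struct ap_info {
    uint8_t subtype;   /* 4 = probe request, 5 = probe response, 8 = beacon */
    char    bssid[18]; /* "aa:bb:cc:dd:ee:ff" */
    char    ssid[33];  /* raw SSID bytes (max 32), NUL-terminated; may be non-printable */
    int     channel;   /* from the DS Parameter Set tag, -1 if absent */
    int     privacy;   /* Privacy bit of the capability field, -1 for probe requests */
};

/* Parse one frame exactly as a DLT_IEEE802_11_RADIO capture hands it to a pcap_loop()
 * callback: radiotap header first, then the 802.11 MAC frame. 0 = ok, -1 = skip it. */
static int parse_80211_mgmt(const uint8_t *buf, size_t len, struct ap_info *out)
{
    /* Radiotap: u8 version (0), u8 pad, u16 total length (little-endian), bitmap, fields. */
    if (len < 4 || buf[0] != 0) return -1;
    size_t rt_len = buf[2] | ((size_t)buf[3] << 8);
    if (rt_len < 8 || rt_len > len) return -1;
    const uint8_t *f = buf + rt_len;
    size_t flen = len - rt_len;
    /* Management MAC header: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2). */
    if (flen < 24) return -1;
    if ((f[0] & 0x0f) != 0) return -1;   /* protocol version 0 and type 0 (management) */
    memset(out, 0, sizeof *out);
    out->subtype = f[0] >> 4;
    out->channel = out->privacy = -1;
    /* Addr3 carries the BSSID in management frames. */
    snprintf(out->bssid, sizeof out->bssid, "%02x:%02x:%02x:%02x:%02x:%02x",
             f[16], f[17], f[18], f[19], f[20], f[21]);
    size_t pos = 24;
    if (out->subtype == 8 || out->subtype == 5) {
        /* Beacon / probe response fixed fields: timestamp(8) interval(2) capability(2). */
        if (flen < pos + 12) return -1;
        uint16_t cap = f[pos + 10] | ((uint16_t)f[pos + 11] << 8);
        out->privacy = (cap & 0x0010) ? 1 : 0;
        pos += 12;
    } else if (out->subtype != 4) {
        return -1;  /* probe requests (4) have no fixed fields; other subtypes are skipped */
    }
    /* Tagged parameters: u8 id, u8 length, value. The length byte comes from the air,
     * so check it against the capture length before touching the value bytes. */
    while (pos + 2 <= flen) {
        uint8_t id = f[pos], tl = f[pos + 1];
        const uint8_t *v = f + pos + 2;
        if (pos + 2 + tl > flen) return -1;                                        /* truncated IE */
        if (id == 0 && tl <= 32) { memcpy(out->ssid, v, tl); out->ssid[tl] = '\0'; } /* SSID */
        else if (id == 3 && tl == 1) out->channel = v[0];                          /* channel */
        pos += 2 + tl;
    }
    return 0;
}

/* Case-insensitive substring search (the "Add case insensitivity" to-do item). */
static int contains_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (;; hay++) {
        size_t i = 0;
        while (i < n && hay[i] && tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
        if (*hay == '\0') return 0;
    }
}

/* CatchMeNG!-style test: does the string appear in the SSID or the BSSID? */
static int catch_me(const struct ap_info *ap, const char *needle)
{
    return contains_ci(ap->ssid, needle) || contains_ci(ap->bssid, needle);
}

/* Constructed beacon: radiotap(8) + MAC header(24) + fixed fields(12) + SSID IE + DS IE. */
static const uint8_t sample_beacon[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,                           /* radiotap: v0, len 8 */
    0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,               /* FC beacon, dur, Addr1 bcast */
    0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55,   /* SA, BSSID (made up) */
    0x10, 0x00, 0, 0, 0, 0, 0, 0, 0, 0, 0x64, 0x00, 0x11, 0x00,               /* seq, timestamp, 100 TU, ESS|Privacy */
    0x00, 0x0b, 'P','i','n','k','D','o','l','p','h','i','n', 0x03, 0x01, 0x06, /* SSID IE, DS IE channel 6 */
};

/* Constructed probe request: no fixed fields, wildcard SSID, BSSID = broadcast. */
static const uint8_t sample_probe_req[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,                           /* radiotap */
    0x40, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,               /* FC probe request, dur, Addr1 bcast */
    0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,   /* SA (made up), BSSID bcast */
    0x20, 0x00, 0x00, 0x00, 0x01, 0x01, 0x82,                                 /* seq, wildcard SSID IE, Supported Rates */
};

int main(void)
{
    struct ap_info ap;
    if (parse_80211_mgmt(sample_beacon, sizeof sample_beacon, &ap) == 0)
        printf("beacon  bssid %s ssid '%s' ch %d privacy %d  catch 'dolphin' -> %d\n",
               ap.bssid, ap.ssid, ap.channel, ap.privacy, catch_me(&ap, "dolphin"));
    if (parse_80211_mgmt(sample_probe_req, sizeof sample_probe_req, &ap) == 0)
        printf("probe request, bssid %s, wildcard ssid '%s'\n", ap.bssid, ap.ssid);
    return 0;
}
```

Two things are worth noting when this runs inside a real pcap_loop() callback: the radiotap length field is trusted only after it is checked against the caplen libpcap reports, and a tagged element whose length byte runs past the end of the capture makes the parser return -1 rather than read past the buffer, since both values arrive over the air from whoever transmitted the frame. The SSID is copied raw, so a display tool should escape non-printable bytes before putting it on a terminal.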


ALFA RTL8187 and Dragorn’s 802.11 Protocol Analyzer with Android 4.3 Jellybean

Saturday, September 7th, 2013

For _gh0st in #lunatics — Works great and was easy to set up. No root required. This would be perfect to use when doing an on-site pentest.