July 28th, 2014

Wifi Theremin

A theremin, for those who don’t already know, is a musical instrument that varies the pitch based on your proximity to an antenna, and varies the volume based on your proximity to another antenna. It’s a touch-less device, and you’d probably recognize the sound from old sci-fi movies (listen to the vibrato whistling sound in the background).

Here’s an example of a theremin:


So what does this have to do with anything? I wrote up a script that has the same functionality that uses a wifi device and its signal strength to control the frequency and volume. Yeah, pretty useless, but yet here it is. We actually did this a couple years ago at MRL, but that version was even more of a hack. This version will actually interpolate the pitch as the signal strength jumps around and is threaded so the sound is a little smoother. This version also allows for a second control (wifi interface) that corresponds with the volume so it is a little bit more like a real theremin. There’s still a decent amount of latency though, so you can’t really use it to create useful music.

Here’s a short sample of what it sounds like when you run it from my system. Now isn’t that a beautiful sound, ;) .

I started creating this on my mac book pro, but after realizing the embedded antenna is pretty difficult to control the signal strength from, I added support for linux. It’s not doing anything fancy for reading signal strength (just parsing CLI utils), so I’m not sure how portable it really is. Also, it does have a couple dependencies on audio libraries, but they’re pretty easy to install (in case you really care).
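The approach the post describes (read signal strength by parsing a CLI utility, map it to a pitch, interpolate between readings so the tone glides, and let a second interface drive volume) can be sketched as follows. This is an added example, not the script from the post: it assumes the Linux `iwconfig` and macOS `airport -I` output formats shown in the constructed samples, and stands in for the audio library with a plain sine-wave generator.

```python
"""Wi-Fi theremin core: signal strength -> pitch/volume with glide.

Added example (not the blog's script). The CLI output samples below are
constructed; only the `Signal level=... dBm` (iwconfig) and `agrCtlRSSI:`
(airport -I) fields are assumed, and both are real fields of those tools.
"""
import math
import re
import threading
from typing import List, Optional

IWCONFIG_SIGNAL = re.compile(r"Signal level=(-?\d+)\s*dBm")  # Linux iwconfig
AIRPORT_RSSI = re.compile(r"agrCtlRSSI:\s*(-?\d+)")          # macOS airport -I

# Constructed sample outputs standing in for running the tools.
SAMPLE_IWCONFIG = (
    'wlan0     IEEE 802.11  ESSID:"mrl"\n'
    "          Link Quality=70/70  Signal level=-40 dBm\n"
)
SAMPLE_AIRPORT = "     agrCtlRSSI: -55\n     agrExtRSSI: 0\n"


def parse_signal_dbm(text: str) -> Optional[int]:
    """Return the signal level in dBm from iwconfig or airport output, else None."""
    for pattern in (IWCONFIG_SIGNAL, AIRPORT_RSSI):
        m = pattern.search(text)
        if m:
            return int(m.group(1))
    return None


def dbm_to_fraction(dbm: int, dbm_min: int = -90, dbm_max: int = -30) -> float:
    """Clamp a dBm reading into [dbm_min, dbm_max] and scale it to 0.0..1.0."""
    clamped = max(dbm_min, min(dbm_max, dbm))
    return (clamped - dbm_min) / (dbm_max - dbm_min)


def dbm_to_hz(dbm: int, hz_min: float = 220.0, hz_max: float = 880.0) -> float:
    """Pitch control: map signal strength linearly onto a frequency range."""
    return hz_min + dbm_to_fraction(dbm) * (hz_max - hz_min)


def interpolate(prev_hz: float, target_hz: float, steps: int) -> List[float]:
    """Glide from prev_hz to target_hz in `steps` equal increments (target included)."""
    return [prev_hz + (target_hz - prev_hz) * i / steps for i in range(1, steps + 1)]


def frequency_trajectory(dbm_readings: List[int], steps: int) -> List[float]:
    """Turn a series of raw readings into a smooth list of frequencies to play."""
    freqs = [dbm_to_hz(dbm_readings[0])]
    for dbm in dbm_readings[1:]:
        freqs.extend(interpolate(freqs[-1], dbm_to_hz(dbm), steps))
    return freqs


def synth_chunk(hz: float, volume: float, n: int, rate: int = 8000) -> List[float]:
    """Generate n samples of a sine tone; the real script hands these to an audio lib."""
    return [volume * math.sin(2 * math.pi * hz * i / rate) for i in range(n)]


class SignalState:
    """Shared state between a reader thread (updates) and the audio loop (reads)."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self.pitch_dbm = -90
        self.volume_dbm = -30

    def update(self, pitch_dbm: Optional[int], volume_dbm: Optional[int]) -> None:
        with self._lock:
            if pitch_dbm is not None:
                self.pitch_dbm = pitch_dbm
            if volume_dbm is not None:
                self.volume_dbm = volume_dbm

    def snapshot(self) -> tuple:
        with self._lock:
            return self.pitch_dbm, self.volume_dbm


if __name__ == "__main__":
    state = SignalState()
    # A reader thread would poll the CLI tools; here it consumes the samples once.
    reader = threading.Thread(
        target=state.update,
        args=(parse_signal_dbm(SAMPLE_IWCONFIG), parse_signal_dbm(SAMPLE_AIRPORT)),
    )
    reader.start()
    reader.join()
    pitch_dbm, volume_dbm = state.snapshot()
    for hz in frequency_trajectory([-90, pitch_dbm], steps=4):
        chunk = synth_chunk(hz, dbm_to_fraction(volume_dbm), n=400)
        print(f"{hz:7.1f} Hz, {len(chunk)} samples, peak {max(chunk):.2f}")
```

The glide is what keeps the tone from stepping when the signal reading jumps; the lock is the minimal threading needed so the audio loop never reads a half-updated pair of values. Latency comes from how often the CLI tools can be polled, which the post notes is still noticeable.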

Anyway, Have fun!

(Script to) Locate Any WiFi Router By Its MAC Address

I saw a slashdot post earlier today about a not-so-secret API from SkyHook Wireless to Locate Any WiFi Router By Its MAC Address. I thought this was pretty cool and useful, so I wrote up a quick python hack/script that would use the API, and I thought that I’d add this as a wicrawl plug-in shortly. It takes the BSSID as an input, and outputs all of the information it finds, and also can output a google earth KML file to import the location.

I found the information amazingly and scarily accurate so far. When I check for my local Access Point it gives me my physical address (in addition to the coordinates) within two street numbers.

Here’s some anonymized output from the script:

./get-coordinates-from-bssid.py 00:11:22:33:aa:c6 ~/tmp/output.kml
[*] City: Boston
[*] Country: United States
[*] Address: Fancy Pants Rd
[*] Longitude: -70.17905
[*] County: Middlesex
[*] State: Massachusetts
[*] Output KML File: /Users/aaronp/tmp/output.kml
[*] Street Number: 1337
[*] Postal Code: 02138
[*] Latitude: 40.3823964
[*] Finished..

Let me know if you find it in any way useful. I would guess though now that it’s been slashdot’d that the service will likely change as soon as people really start using it. Hopefully not though, :)

black hat video archive

I think a few of these videos have been posted here before, but I just ran across the official Black Hat Video Archive. Some really good stuff is there, I hope 2006 will be posted soon.

Milpitas has wireless (free)

People living near Milpitas should be getting free wireless during a test run of the Earthlink wireless setup. Have fun!

Link from Wi-fi networking news

Transbay wi-fi link day

Here’s the schedule for MRL this Friday. Most of it is in preparation for the transbay wi-fi connection we’re going to attempt on Saturday Dec 16th. If you’re interested in helping, you know of anyone that has done this already, or know of good locations to try it from, let us know.


                Fellow Hackers, Slackers, and Code-crackers:

        On Friday December 15th at 7pm PST we will be holding our monthly
        official Midnight Research Labs meeting.

        In preparation for our trans-bay wi-fi link connection attempt, we'll
        be watching a video from CCC on establishing long distance wi-fi
        connections.  We'll also finalize the start locations, pick gear and
        teams for each side of the link.  The plan is still to attempt the link
        on the 16th (Saturday), but at this point it looks like a 50/50 chance
        that the weather will cooperate (we'll decide one way or the other
        Friday, and reschedule if necessary).

        We have our bi-quad antennas to finish up as well.  Also making an
        appearance will be some freshly home brewed beer for those interested
        (it will be its debut, so I'm not sure how it turned out yet, :).

        As always, anyone with cool toys, or interesting project ideas, bring
        them along.

        Light refreshments, pizza and beer will be served.

        Agenda:
                Phase 0x0: Bootstrapping
                  - Greetings and welcome
                  - MRL updates and status
                  - MRL projects update
                Phase 0x1: Initialization
                  - CCC long distance wi-fi video
                  - bi-quad antennas
                  - beer tasting
                Phase 0x2: Local exploits
                  - Food
                  - Off topic tools, toys and other shiny things -- If anyone
                    has anything interesting to show off or play with, please bring
                    it.
                  - Whatever till whenever -- This is the more social
                    part of the event.  People are invited to stay and
                    hack and have a couple drinks till whenever this
                    phase is no longer self-sustaining, =)

More wireless vulns

As expected, there are a couple more wireless driver vulnerabilities that have been released as part of the month of kernel bugs run. A good description and FAQ on the Broadcom vulnerability are available here. This exploit was written by Johnny Cache, and here is the ported (by HD) metasploit module for it.

The second vulnerability is for the D-Link DWL-G132. The usual suspects were involved, and the metasploit module is here. The MOKB post has details and download links for the patched driver versions.

p.s. Sorry about the lack of posts this week — I’ve been travelling and haven’t had much extra time. Maybe this weekend as I go through my RSS backlog I’ll have a few new posts.

An actual wi-fi driver vulnerability

Well, it looks like the month of kernel bugs is starting off well with an actual apple wi-fi driver vuln. This is pretty interesting since it’s been several months since the David Maynor/Johnny Cache/Secure Works/Apple “is the vuln real or a hoax” debacle that’s been all over the news started. I was pretty disappointed that they didn’t give their speech at toorcon this year, certainly it would have been interesting. Johnny Cache doesn’t try to hide (well maybe a little) the fact that he’s not happy with the current situation. I find it funny how polarized everyone is on the subject. Certainly this will help to clear up the technical aspects of things, but releasing an exploit for an unpatched vulnerability isn’t exactly the way to make everyone friends again. I’m sensing another maclash (you know, like a backlash from mac-heads) on the horizon.

A post from HD Moore on the full-disclosure list shows this has already hit the news in a few places.

The Apple Airport driver provided with Orinoco-based Airport cards (1999-2003 PowerBooks, iMacs) is vulnerable to a remote memory corruption flaw. When the driver is placed into active scanning mode, a malformed probe response frame can be used to corrupt internal kernel structures, leading to arbitrary code execution.

Here’s a link to the metasploit module. Since this is an unpatched issue so far, going wired for a while probably isn’t a bad idea, ;). I’m guessing this isn’t the last wi-fi driver bug we’ll see this month.

This week in MRL

Sorry for the lack of updates, we’ve been pretty busy with wicrawl and catching up with life after Toorcon and Security Opus. We had a great time at both conventions, and the presentations went well (at least I think they did, :).

We had a pretty great week so far for wicrawl. Our friend Eliot at HackADay.com posted on wicrawl and the toorcon presentation which he edited very well and posted the whole video on the new netscape video site. (Thanks Eliot, :)

We also got mentioned as the “tool of the week” from the very cool security podcast PaulDotCom.com. We met Twitchy and Joe at Toorcon, and I guess they actually remembered us afterwards, :). Anyway, give it a listen here, it’s worth putting on the podcast queue.

Also, we got a posting on Wi-Fi Net News, which I’ve linked to a few times in the past. If you’re keeping up on wi-fi developments, it’s a good blog to read (I’ve been reading it for a while now).

That’s it for now! Hope to see everyone Friday.

wicrawl updates

A few updates for wicrawl:

– First, we released a new package for wicrawl 0.3a that fixes some build issues in the previous release.

– I also added a new plugin based on pickupline which tries to bypass captive proxies by spoofing an already authenticated MAC/IP address pair.

– There is a new wicrawl-users mailing list for any wicrawl users. I expect it will be pretty low traffic, but if you have any questions, or if you just want updates, please feel free to subscribe.

Please let us know how it’s working for you, especially if you’re having any issues with it.

Thanks.

wicrawl release 0.2a

It’s finally here. wicrawl is finally being released in alpha. Officially we released it this weekend at Toorcon after my talk, but I’m just now getting around to posting the source (sorry for the delay). Let us know if you have any issues with it, or what you think of it. You can send mail directly to wicrawl-cvs [@] midnightresearch.com (you can also jump on #mrl on efnet). Thanks to the other developers who have worked hard on this, and also to anyone who came out to see my talk. Toorcon, as always, was a great time.
