robo_geek

Everything posted by robo_geek

  1. Un-flipping-believable!!! The uber-stupidity of this is that there are TWO attack vectors. Since anybody can sniff the BSSID, that's a no-brainer. But wait, there's more...the other vector is: Are you familiar with OUIDs? The first three octets are assigned by manufacturer by IEEE. http://standards.ieee.org/cgi-bin/ouisearch So if you know (or guess) the maker of the device, you've got the first, second, and third octets as a gimme. For example, if the rocket-scientists at Verizon are using Actiontec, then 00:34:95 is going to be the first half of tens of thousands of pass-phrases. From there the rest of the pass-phrase is a simple six character combination of 0-9 and A-F. 470,184,984,576 combinations, or around 70 minutes at 500,000 PPS. In reality you would create a ~600MB rainbow table with the values pre-populated, and it would take less than 20 minutes (since MAC addresses are pairs of hex digits, it would be a smaller pool). The blinding irony of this is that the keyspace for the AES encryption of WPA2 is gi-normous. Unless you're NASA with a room full of FPGAs, you are not going to ever get within a galaxy of brute-forcing AES. And yet, some Telco leaves the key under the mat...
  2. The head mechanism is a 'voice coil actuator', so the head can and will make music if you feed it a signal that is more 'music like'. I could see how OCing a southbridge could scramble the data, but to really kill a drive would take heat/power, afaik. Maybe the power supply was not up to the task and went low-current...or maybe something on the mobo went pop??
  3. Sometimes the internal reset switch has been effectively torn off the circuit board, or somebody has pushed the switch in so hard that it has cracked the circuit board. I would open it up and see if you can reset it by shorting the switch contacts. Also make sure that somebody did not plug it into the wrong power supply, as this may make it flaky (low voltage/current) or toasty (too much voltage).
  4. I use Adito, which is a port of the SSL-Explorer product. This gives you a browser-based SSL VPN, and then I use both an UltraVNC and an RDP plugin for it. Get the Windows installer at: lars.werner.no Though not quite IPsec, UltraVNC with the DSM encryption plug-ins is reasonably secure if you pick a non-standard port and hide it behind a firewall.
  5. As a long time user of Cisco Security Agent, which is a 'cousin' of CCA, code-wise, I would not put great faith in the security of CCA. CSA is not very difficult to subvert, so I doubt that CCA is any better. Cisco Security Advisory: Cisco Clean Access Unauthenticated API Access http://www.cisco.com/en/US/products/products_security_advisory09186a00804f3127.shtml http://en.wikipedia.org/wiki/Cisco_NAC_Appliance Device Posture Spoofing: At Blackhat 2007, Michael Thumann demonstrated how the security posture and assessment of a device by the Cisco Trust Agent can be spoofed programmatically. As Thumann suggested in his presentation NACATTACK, the fundamental problem with Cisco's approach to Access Control is that in essence an untrusted device/user is being asked to validate its own posture.[1] Cisco took the unusual step and officially answered those allegations by pointing out that the NACATTACK presentation only dealt with posture spoofing and left out the authentication step into a network.[2]
  6. I think when you cross-connect two phone lines you are creating a massive impedance mismatch, which loads up the line, causing attenuation... http://massis.lcs.mit.edu/archives/technical/how.phones.work
  7. Cool mini paper. I will give this a shot when I get a spare minute. I admit that it's been a while since I've cracked WEP, and am itching to see how WPA/WPA2 secured devices hold up. It's interesting the work that Elcomsoft is doing with nVidia GPUs to 'recover lost WPA or WPA2 keys'.
  8. Windows works in mysterious ways. I have not used the tool listed below, but it was given high marks in another forum on data recovery: http://www.cgsecurity.org/wiki/TestDisk
  9. What *nix are you running? On most POSIX-compliant systems you have to run ./configure before make. http://tldp.org/LDP/LG/current/smith.html
  10. I scoff when everybody says they can crack WEP in two minutes. You can on some hardware, but you can't on some others. And if there are no clients on the WLAN, you can't do a deauth attack, because you can't deauth what's not authenticated. There are a lot of 'it depends' issues. Doing a traditional passive air-snort style WEP crack can be done quickly only on a VERY busy network, and some vendors (e.g. Cisco) implemented WEP better than others, so you can pass 45 gigs of data through a Cisco AP running WEP and you'll get around 100 IV collisions. Without enough interesting packets, you can't crack WEP, period. As they say in the South, y'all can't get there from here. You can only generate enough traffic by forcing deauthentication with aireplay, but if there are no clients on the WLAN at the time, there's nothing to deauth. Now if it's a garden-variety Netgear or Symbol box, and it's got a couple of clients, that's another story, because you get plenty of IV collisions to work with. The real speed happens when you start forcing traffic with tools like aircrack-ptw, which deals with ARP packets only. I'm not a Cisco bigot, but most of their APs are an embedded *NIX box, and these boxes can send SNMP trap alerts to your IDS console. So if somebody is deauth attacking a Cisco AP running WEP or WPA on a managed WLAN, it's gonna be setting off alarms, big time, at the console.
  11. Note the numbers 4110 on the upper left of the PCB. What you have is a version of the Ademco 4110. http://forum.doityourself.com/electronic-alarms-home-security-devices/256230-identify-my-system-then-reset.html
  12. http://www.greentechmedia.com/articles/read/smart-meter-security-a-work-in-progress/ Black Hat: Smart Meter Worm Attack Planned http://www.blackhat.com/ Why use a sledgehammer when the key is under the mat?
  13. Not to question what you're doing, but the CMTS router is not going to provision a new unknown MAC address, nor would a DOCSIS CM allow the burned-in MAC address to be changed from the subscriber end.