Posts Tagged ‘Project’

Magomatic Brute Forcing?

Sunday, April 5th, 2009

I was writing up the page for the Magomatic and started on the improvements section.  I realized I started going on and on about a possible brute-forcing function and I decided that it would be better suited for a post instead of putting it on the page.  So prepare yourself, as I am about to dump everything I can think of regarding brute forcing magstripe card door locks.

I was thinking that since I can just read card data with a computer, I should be able to read a room number off the card, alter that data to another room number, and put that information on my emulator. This would work in theory, but what if the card contains encrypted data? Then you would not know what represents the room number. What’s more, what if the card does not conform to the track 2 standard? They could use their own protocol. Either way, all I will see are 1s and 0s.

Since the encrypted data is still only 1s and 0s, you could potentially try every possible combination of 1s and 0s until you found a combo that worked. By analyzing multiple cards of the same type (door keys, for example), you could potentially see how much data changes from room to room or date to date. You could then lower the number of bits you would have to brute force to just the number of bits that change. This may be impractical, seeing that brute forcing each bit means the total number of possible combinations is 2^n, where n is the number of bits that need to be brute forced. That means for just 10 bits you would have to try 2^10 = 1024 combinations. It would probably take the magstripe reader about 1.5 – 2 seconds to deny a card. If it took 2 seconds, that means brute forcing 10 bits would take (1024 * 2) / 60 = 34.13 minutes. That might not be worth the time.

Another option for brute forcing is to brute force each byte, rather than each bit. This will only work if the magnetic stripe key follows valid track protocol and is not encrypted. In this case, you could just read the data on your computer and alter whatever you wanted, but what if you wanted a hand-held device to do everything for you automatically? It is rather cumbersome to hook up a reader to a laptop, scan the card, alter the data, program a microcontroller, put the micro in your emulator, and then open a door. It would be much nicer to have a device that could just brute force open any door.

If one of these cards follows valid track 2 format, then you could just brute force every 5 bits (there are 5 bits in a byte in track 2 format) rather than every single bit. However, now you have more possibilities for each byte. It’s not just either a one or a zero. Each byte can represent 11 different characters (0-9, =). I found this information by consulting this resource. Track 2 also states that there are 37 data bytes between the start and end sentinel values. This means that the total possible combinations you would have to brute force would be 11^37 = way too many to be worth the time. In this case, the best thing to do would be to analyze the data on a computer, figure out where the room number and/or expiration date is stored, and then program a microcontroller to try every possible room number while keeping the other data the same. It could then make sure that the date was some date way in the future to ensure it would work. Better than this, you could put an interface on the device to program the exact room number. Using a serial LCD and a few buttons, you could view the data after it is scanned into the device. Then the buttons can be used to alter the data or just punch in the room number.

Brute forcing these things seems mostly impractical, due to the fact that it would take forever to brute force all the data on a card, but in the event of encryption it may be necessary. If you can narrow down just a few bits that need brute forcing, it would be worth it. I’ll have to experiment once I have some data to analyze.

Magstripe Emulator Device Complete

Saturday, April 4th, 2009

I first became interested in magstripes a few years back. I found a few resources online that explained how you can build a primitive magstripe reader using just a magnetic read head from a Walkman and a headphone jack. You can use custom software to look at the waveform that is created and decode the binary data. I never was able to get that working right, most likely due to not being able to swipe the read head over the card in the exact right spot. A few weeks back I finally decided to bite the bullet and just buy a magstripe reader online so I could play with magnetic stripes.

After reading through the StripeSnoop site I decided to buy a $30 TTL magstripe reader. These seem to be the simplest to use and they work with StripeSnoop. However, StripeSnoop requires a gameport or parallel port connection, and most computers nowadays do not have either of those. I wanted to be able to use my reader on any system. I found this guide that shows how to make a sort of USB adapter for the TTL reader. It basically reads the TTL signals from the magstripe reader, and then “types” them into the computer as though it is a keyboard. If you have a notepad window open it will just dump a long string of 1s and 0s into the window. StripeSnoop has a -i option that takes input from the keyboard, so all of this should work together. I purchased one of the adapter boards along with the magstripe reader. Five days later they both showed up at my door and in about an hour I had everything hooked up on my computer and functioning. My reader only reads track two, although I could read track one if I put a small piece of plastic in the bottom of the reader to raise my cards by exactly one track size. For now, reading just track two will work fine since my research showed that most cards use that track anyway.

Enter the idea for the Magomatic. I’ve had this idea for a while but it keeps changing slightly in my mind. I essentially want the ability to read a magstripe card and then emulate it back. This is different from cloning a magstripe card onto another card. This is basically “recording” the magstripe data and then “playing” it back as though it is coming from a magstripe card, even though it is not. I first thought that the easiest way to accomplish this goal would be to record the magstripe data as audio, and then play it back out through an amplifier, into an electromagnet. I had found this instructable where someone did something similar and proved that it works. This person would scan in the data, and then put it into a C program. The C program would encode the binary data into a wav file. He could then put the wav file on his iPod, play it out through an amplifier and into an electromagnet. He included a video to prove that the concept works. This is how I started the project.

I had to prove to myself that his idea worked. I created an electromagnet and downloaded his source code. I also purchased a small battery-powered amplifier from RadioShack that was able to boost an audio signal pretty loud. I wasn’t able to get the C program to work correctly so I ended up changing some of the code around. I altered it so I could just paste the raw binary data from my card into an array in the program. It would then encode that data, rather than converting symbols and letters into binary data and having to generate valid checksums. After some fiddling with the code and with volume settings I was able to get this working. I could play the audio file out of my headphone jack, through the amplifier, into the electromagnet, and then into the card reader. The card reader thought I had swiped my card. Success.

The next step was figuring out how I could store the data on something portable. I didn’t want to have to lug around a computer. My idea was to have a small, handheld device that could read a card and then instantly play it back. I bought a small picture frame from RadioShack that included a 10 second voice recording module. It is supposed to be used to store a message along with your photograph. I had other plans. I ripped that picture frame apart and pulled out the small recording module. I removed the microphone and the speaker and just left some wires attached. To test the module, I hooked my computer’s headphone port up to the microphone wires of the circuit using some alligator clips and a 1/8 inch mono jack. I pressed the record button on the module and then played the working wav file through the headphones. I then moved the alligator clips to the speaker wires and plugged the headphone jack into the audio amplifier. I then had another set of clips going from the amplifier to the electromagnet. After fiddling with the volumes for recording and playback, I had it working. I now knew that it was possible to record magstripe audio data onto this module and play it back without losing the data.

The last step was to create my own simplistic reader from a magnetic read head.  I bought an old Walkman from the local Goodwill for $4.  The read head was not difficult to remove.  Unfortunately, I had a terrible time figuring out how to build a mechanism that would line up the read head exactly to track two of the magstripe card and swipe in a nice, straight line.  I tried a few things but everything failed.  I could tell it was picking up data but I never knew what track(s) it was from.  Eventually, after all that work, I had to give up on the audio idea.

It was time to come up with a new plan.  How else could I record the data and play it back though?  I had already been thinking it would be nifty to be able to record the data digitally, rather than via an analog signal.  Having the actual data would allow the possibility of data manipulation.  Why would it be good to manipulate the magstripe data?  One application is in hotels.  Most hotels use magstripe cards as room keys.  What if that data was not encrypted?  What if I could just read the data, see the room number in the data, and then change it to another room number?  I could open any room in the hotel!  I could even put a number pad on the device to allow me to choose what room I wanted to enter.  This is just one interesting application that I thought of.  But how could I accomplish this?

I pretty much instantly thought of using a microcontroller. I assumed that a Basic Stamp would be too slow to read the magstripe data, and also, Basic Stamps are expensive at around $50 a pop. My next thought was to use the Parallax SX chip, since it’s the only other microcontroller that I have used and have a programmer for. To prevent myself from re-inventing the wheel I Googled around to see if anyone else had interfaced a magstripe reader to an SX chip before. I got lucky and found one article where someone did just that. He also used the easier to understand SX/B code rather than assembly, so it worked rather well for me.

I was going to have to edit the code, though. He was using a serial LCD for output but I don’t have one of those. My only real option was to set WATCHes on the variables that hold the data and then poll the variables while debugging. After a few days of fiddling, frustration, code editing, etc., I had to give up for a bit. I was having a terrible time making that code work with my reader. The author had used a similar, yet different reader and his code just wasn’t working right for me. At this point I had changed pretty much all of it and simplified it as much as possible and still wasn’t getting anywhere. I decided to focus my attention on the emulation part of the project.

I figured it would be a waste of time to finally get this reader working, only to find out that I was unable to emulate magstripe data with the SX. Emulating the data turned out to be a piece of cake. I created two SX/B functions to output either a one or a zero depending on which function was called. You essentially have the electromagnet hooked up to two SX pins. If you want to output a one, you just turn one pin off, and the other on, then after about 1ms you switch them. For a zero, you turn one pin on and the other off, but after the 1ms delay you leave them in the same position for 1 ms. You can then “flip the pins” to make the current travel through the electromagnet in the other direction. I wrote a simple program to output a fake credit card number, including the start sentinel, end sentinel, checksum bits, and the LRC byte. The extra information was necessary for StripeSnoop to properly decode the data. More information on magstripe protocols can be found at this great resource.

Now it was time to get back to the card reader.  It took another 2-3 days of fiddling before I finally got this part working, but I did.  I was able to store the credit card information in a byte array, and then play it back through an electromagnet into my computer.  StripeSnoop thought I swiped my credit card.  Victory at last!  But I still had to merge the reader function with the emulation function.

Initially, the reader function would specifically wait for the start sentinel character and then collect data in 5 bit intervals. This is how the typical track 2 protocol works. After thinking about it, though, I realized that hotel systems and other systems might not follow that protocol. They could very well use their own system. That’s when it occurred to me that for simply replaying the data, I didn’t even have to collect it in such a tedious manner anyway. That is only beneficial if I want to view the data in a way that I can read it. Instead, I altered the code to just fill up each byte all the way, instead of only the first 5 bits. I ended up with two 16-byte arrays. As you swipe the card, it stores the binary data in each bit of those arrays. Once the data is stored in the variables you just put the magnet inside the card reader, press a button, and it reads through the variables bit by bit and powers the electromagnet as necessary. Everything worked as it should. I now had a working magstripe emulator.
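A decoder for that 5-bit track 2 layout (the format the brute-forcing post above describes and the one the reader function originally waited for), added here as an example; it is not code from the Magomatic project. It takes the raw 0/1 dump a reader produces, checks each character’s odd-parity bit and the trailing LRC, and reports why a swipe is bad instead of trusting garbled data. The sample bitstream is constructed by hand for ";1234=5?".

```python
"""Decoder and integrity check for a raw track 2 bitstream.

Track 2 stores each character as 5 bits: 4 data bits, least significant
bit first, plus one odd-parity bit.  Characters are the values 0x30-0x3F;
';' (0xB) is the start sentinel, '?' (0xF) the end sentinel and '=' (0xD)
the field separator.  After the end sentinel comes the LRC: the XOR of the
data bits of every character from the start sentinel through the end
sentinel, carrying its own parity bit.
"""

START_SENTINEL = 0xB   # ';'
END_SENTINEL = 0xF     # '?'
FIELD_SEPARATOR = "="


def _nibble(group):
    """4 data bits (LSB first) -> integer value."""
    return sum(int(b) << i for i, b in enumerate(group[:4]))


def _parity_ok(group):
    """Odd parity: the 5 bits together must contain an odd number of ones."""
    return group.count("1") % 2 == 1


def _bits_of(value):
    """Encode one 4-bit value as its 5-bit group; used only to build the start pattern."""
    data = "".join(str((value >> i) & 1) for i in range(4))
    return data + ("0" if data.count("1") % 2 else "1")


def decode_track2(bits):
    """Decode a 0/1 string as dumped by the reader.

    Never raises: the returned dict says whether the swipe was clean (ok),
    what went wrong (error), the decoded characters, the '='-separated
    fields and the LRC that was read.
    """
    bits = "".join(c for c in bits if c in "01")          # drop spaces/newlines
    result = {"ok": False, "error": None, "data": "", "fields": [], "lrc": None}
    pos = bits.find(_bits_of(START_SENTINEL))             # skip leading clocking zeros
    if pos < 0:
        result["error"] = "no start sentinel"
        return result
    chars, lrc = [], 0
    while True:
        group = bits[pos:pos + 5]
        if len(group) < 5:
            result["error"] = "stream ended before end sentinel"
            return result
        if not _parity_ok(group):
            result["error"] = f"parity error in character {len(chars)} at bit {pos}"
            return result
        value = _nibble(group)
        lrc ^= value
        chars.append(chr(0x30 + value))
        pos += 5
        if value == END_SENTINEL:
            break
    group = bits[pos:pos + 5]
    if len(group) < 5 or not _parity_ok(group):
        result["error"] = "missing or corrupt LRC"
        return result
    read_lrc = _nibble(group)
    result["data"] = "".join(chars)
    result["lrc"] = read_lrc
    if read_lrc != lrc:
        result["error"] = f"LRC mismatch: computed {lrc:X}, read {read_lrc:X}"
        return result
    result["fields"] = result["data"][1:-1].split(FIELD_SEPARATOR)
    result["ok"] = True
    return result


# Constructed sample: ";1234=5?" followed by its LRC ('8'), padded with clocking zeros.
SAMPLE_BITS = ("0000"
               + "11010 10000 01000 11001 00100 10110 10101 11111 00010".replace(" ", "")
               + "0000")

if __name__ == "__main__":
    print(decode_track2(SAMPLE_BITS))
```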

I spent all morning and early afternoon drawing up a schematic, collecting parts, soldering, and troubleshooting. After a few hours I had a working circuit board. About 4 hours ago I was able to fit everything into a project box the way I wanted. I did one last test with everything fitted to make sure it still worked and it worked just fine. My goal of having a portable, battery operated device capable of cloning magstripe cards is now a reality. I’m heading to Las Vegas in one week for a short vacation with my family. I can’t wait to test this thing out. I’m hoping that the hotel uses track two so I won’t have to try and read tracks one or three and mess with my reader. I’m also hoping that the keys aren’t encrypted in any way. This might let me program the SX with my laptop to open other doors. I’ll post an update once I get back with the results of my experiment.

I’ll also take some photos of the device and post them on the project page.  If I am able to get it to open my hotel room door I’ll definitely post up a video as well.

New Project Completed

Thursday, May 22nd, 2008

It’s been a while since I posted on here. There are several reasons for that. The main reason is that my latest project has been taking all my spare time and it was a secret. I didn’t log any of it until just a few minutes ago because I didn’t want the secret to get out. It is an anniversary present for my girlfriend. You can check out the project page for more details on that.

The second reason is that my web server has been down and I haven’t fixed it until recently. My server rebooted one day when I lost power and Apache refused to start for some reason. Rather than sitting down to fix that, I just spent all my time working on the anniversary project. It turns out there was some other instance of httpd running in the background hogging port 81. I have no idea why this was. I’ll have to reboot the system again to see if the problem occurs again. At least I’ll know what the problem is.

In other news, I started the Near Space class at school last week. I am really excited for this class. We will be sending a balloon equipped with a computer, science experiments, and a camera into near space in just a few months. Ryan is splitting the class into teams and should have them posted on the e-shell this weekend at some point. Hopefully I’ll have access to the shell soon. I just e-mailed a local enthusiast to see if he wants to come to class to share his experiences and offer some words of wisdom. Hopefully that will go over well.

My dad should be sending me another radio, antenna and a Tiny Trak 3 module next week. I can’t wait to get that stuff. I want to start messing with APRS tracking as soon as possible to get a feel for it before we actually do a launch. I’m hoping to be on the tracking and telemetry team for the near space class.

I suppose that’s enough updating for now. I have to take some photos of the anniversary lamp to stick on that page, as well as get a schematic up. Man, I still need to get a schematic up on the graduation hacks page… I’ll get on that soon. I’ll also post a video of the lamp in action. Until then.

Laser Annoyance Device

Friday, April 25th, 2008

The other day I was working on a final project with some friends at school when we had a brilliant idea. We used a laser pointer from one of the projector remotes to mess with people in the commons at school from a small window in an upstairs classroom. When the student we were messing with started looking around to see where the source of the light was coming from, we would quickly duck out of sight. A few people would watch the students react on the UAT webcam. When we could see that the students stopped looking around to see who was shining the laser, we would pop out again and shine it. They could NOT figure out where the laser was coming from. Hilarity ensued.

This led to a project idea. Recently I procured an RC car with a video camera and headset. This thing is really quiet and really cool. I’m thinking I should be able to re-mount the camera on a dual-axis servo rig. This would let me aim the camera in any direction I want. Also, I want to mount a laser on top of the camera so I can remotely shine it at people from this little car. It would be so much harder for people to spot this quiet little black car than a giggling college student. Yes, I know this project is ridiculous but I think it would be fun. It also gives me another reason to learn a microcontroller other than a BS2. I’ll just call it a social experiment. I’ve added this project to the Ideas section.

VU Meter Tie

Thursday, April 10th, 2008

I just started working on the VU meter tie.  Today has been a productive day.  I got the main meter circuit up and running in no time.  Now I just need to get it working with a microphone.  Once I have that running, all I’ll need to do is assemble it on a PCB and stick it in a tie.

Check it out in the Works in Progress section.

E-mail Harvest

Thursday, April 10th, 2008

I’m starting to work on the E-mail harvesting program now. The other day I went to myspace and took a look around. Guess what? No e-mail addresses are visible anywhere. There’s no specific place to pull e-mail addresses from. That’s when I decided to go check out facebook. These guys are crafty. They include your e-mail address but they include it as an image. That way you can’t just copy and paste the text. Well, I like to think that I am craftier. I started doing a little Google research on linux-based OCR software. For those that don’t already know, OCR stands for optical character recognition. This software will read an image and turn the text located within it into an actual editable text document.

I found this awesome article comparing many different OCR engines designed for linux. I’ve decided that gocr is the simplest solution that should do everything I need it to. I just need a program I can send an image to and have that program send me back text. That is exactly how gocr works. Now I just have to get it installed on CentOS.

I found the source for gocr at http://jocr.sourceforge.net. I just run the command:

wget http://prdownloads.sourceforge.net/jocr/gocr-0.45.tar.gz

Then I extract the file:

tar -xzvf gocr-0.45.tar.gz

configure, make, and install:

./configure
make
sudo make install

The image files on facebook are png images. gocr uses a utility called pngtopnm to convert the image to a format it can understand. This utility is included in the netpbm package.

sudo yum install netpbm
sudo yum install netpbm-progs

Now that everything is installed I can just try running the program with a downloaded facebook email image.

gocr -i test.png

The image I gave it contained my email address “ricosgoo@uat.edu”. The result: “ricgoouat.edu”. It seems as though gocr didn’t pick it up correctly. I’m pretty sure the reason is that the ‘o’ and the ‘s’ in the image are touching each other. gocr probably thinks it is one character and cannot recognize it, so it is just leaving it out. Also, it missed the @ symbol. I tried a different facebook image and the @ sign was missing from that as well. It would seem as though gocr does not support the @ sign in its dictionary. I might need to try a different OCR program.

Doing some more google research, I found that many people feel that HP’s tesseract-ocr is one of the best open-source OCRs there is. That was my next logical step. I followed this guide again to get the software up and running.

wget http://tesseract-ocr.googlecode.com/files/tesseract-2.01.tar.gz
tar -xzvf tesseract-2.01.tar.gz
cd tesseract-2.01
./configure
make
sudo make install

Now I have to install the English language dictionary files for tesseract.

wget http://tesseract-ocr.googlecode.com/files/tesseract-2.00.eng.tar.gz
tar -xzvf tesseract-2.00.eng.tar.gz
cd tesseract-2.00.eng
sudo cp * /usr/local/share/tessdata/

I also needed to install ImageMagick so that I can convert the facebook images to tiff files. I have to do this because tesseract-ocr only supports tiff images right now.

sudo yum install ImageMagick.i386

Now I convert the image to a tiff file.

convert test.png test.tiff

Now I try out the OCR.

tesseract test.tiff test.txt

No good.  I get error messages.  Here is Tesseract’s output:

Tesseract Open Source OCR Engine
name_to_image_type:Error:Unrecognized image type:test.tiff
IMAGE::read_header:Error:Can’t read this image type:test.tiff
tesseract:Error:Read of file failed:test.tiff
Signal_exit 31 ABORT. LocCode: 3  AbortCode: 3

I have to take a break from all this now, so I’ll deal with these problems later.

Another new idea and a cantenna update

Tuesday, April 8th, 2008

Today I only went to one class: Law370. Normally, I really hate the thought of going to the class, but it’s always a lot of fun. That professor really knows how to teach. I always learn something new from that class. Today, we were separated into groups and each group had to research a specific law regarding cyber-crime. This whole activity spawned a new project idea.

My group was assigned the CAN-SPAM act of 2003. This act basically has all these rules regulating how spam e-mail can be sent. I’m not going into that because it’s long, it’s complicated, and it really doesn’t matter for my project idea. My project basically will be a script that will crawl social networking sites like Facebook and MySpace to collect e-mail addresses. It gets more diabolical than that, though. The script will log onto someone’s MySpace account and get their e-mail. Then, the script will log onto each of that person’s “Top 8” friends and get THEIR e-mail addresses. Now, the script can send a phishing e-mail to each of the friends on the “Top 8” list and spoof the e-mail that it originates from to look like it is coming from the original person. I think this would be an awesome and fun proof of concept. I would never actually use this for my own malicious purposes, although I would be interested to see how well it would actually work. I really just want to write this script just to do it. It would give me an excuse to brush up on my scripting and programming skills.

I think I’ll get started on this idea soon, seeing as it won’t cost me any money.

Another update here. I started working on the cantenna project some more. I bought the pigtail that I need, cut off one end and soldered it to the PCMCIA card. I’ve also soldered the piece of copper wire to the jack that attaches to the can. All I need now is a can to attach this thing to. The solder points on the PCB were so small, I’m not sure that the connections will be good enough. Hopefully I’ll find out tomorrow. I don’t have any class so I have the entire day off. I plan on getting a can either from the cafe at school or from the supermarket. I shall update the cantenna page as time permits.

New Idea

Monday, April 7th, 2008

Working for a company like CCBill gives me perspective on something that I hope never happens to me: identity theft. I usually talk to at least a few people every day who are claiming that their credit card has been stolen. Some of these people don’t even realize it’s happened for over a year after it happens. Most of these unauthorized charges could have been prevented if the person had just checked their credit card statement more often. This makes me realize that I need to check my statement more often. Well, I’m lazy like everyone else and I often don’t think to check my statement. Hence, a new project idea was born.

Most banks or credit card companies have some feature where they will notify you if they see suspicious activity on your account. It’s obviously not always available and if it is, it’s not foolproof. I was thinking today that I should be able to write a script to check my bank account daily. This script would send me an e-mail alert or text message alert if it sees suspicious activity. I think to start out “suspicious” will equate to a sum of money over a certain amount. Eventually it could have complicated algorithms programmed in to determine if something is in my normal spending habits. Things like gas and food under certain amounts of money would be alright, whereas movies and internet subscriptions of any dollar amount would be flagged.
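The starting rule set from that idea as a script, added here as an example and not part of the original post. It assumes the statement has already been fetched and parsed into rows (the sample rows are constructed, not real data), applies the large-charge threshold, the per-category ceilings for gas and food, and the always-flag rule for movie and internet subscriptions, and goes one step beyond the post by also catching an exact duplicate charge.

```python
"""Daily statement check: flag charges worth an e-mail or text alert."""
from collections import namedtuple

Txn = namedtuple("Txn", "date merchant category amount")

# Rule set from the post: a single charge over a fixed amount is suspicious;
# gas and food are normal under a per-category ceiling; movie and internet
# subscriptions are flagged at any amount.  Thresholds are assumed values.
LARGE_CHARGE = 250.00
USUAL_LIMITS = {"gas": 75.00, "food": 40.00}
ALWAYS_FLAG = {"movies", "internet"}


def flag_transactions(statement, large_charge=LARGE_CHARGE):
    """Return [(txn, [reasons])] for every row that trips at least one rule."""
    alerts = []
    seen = set()
    for txn in statement:
        reasons = []
        if txn.amount > large_charge:
            reasons.append(f"over ${large_charge:.2f}")
        if txn.category in ALWAYS_FLAG:
            reasons.append(f"{txn.category} charges are always flagged")
        elif txn.category in USUAL_LIMITS and txn.amount > USUAL_LIMITS[txn.category]:
            reasons.append(f"above usual {txn.category} spending")
        key = (txn.date, txn.merchant, txn.amount)   # same charge posted twice
        if key in seen:
            reasons.append("duplicate charge")
        seen.add(key)
        if reasons:
            alerts.append((txn, reasons))
    return alerts


def format_alert(alerts):
    """Body of the alert message; an empty string means nothing to send."""
    lines = [f"{t.date} {t.merchant:<22} ${t.amount:>8.2f}  {'; '.join(r)}"
             for t, r in alerts]
    return "\n".join(lines)


# Constructed sample statement (not real data).
SAMPLE_STATEMENT = [
    Txn("2008-04-07", "Corner Gas", "gas", 38.50),
    Txn("2008-04-07", "Taco Place", "food", 9.75),
    Txn("2008-04-07", "Online Movie Rental", "movies", 4.99),
    Txn("2008-04-07", "Electronics Store", "retail", 612.00),
    Txn("2008-04-07", "Corner Gas", "gas", 90.00),
    Txn("2008-04-07", "Taco Place", "food", 9.75),
]

if __name__ == "__main__":
    print(format_alert(flag_transactions(SAMPLE_STATEMENT)) or "nothing suspicious today")
```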

Also, on the topic of security I found a few websites that describe ways to secure Wordpress. I’ll have to go through these tonight to beef up my security. Here are the links:

Wordpress security plugins

Wordpress security tips