Don’t like Dropbox? We’ve got a cross-platform alternative. How does Google Maps find your location without GPS? And can it be spoofed? Random password scripts, bash tips and more this time on Hak5!


Spoofing the W3C Geolocation API

Google Maps’ “Show My Location” feature uses the W3C Geolocation API.

It’s an application programming interface designed by the World Wide Web Consortium as a standard for retrieving a client’s geographical location. The client gathers geographic information from its IP address, nearby WiFi access points, GSM and CDMA cells and GPS. The accuracy depends on the data available: if only the IP address is known you’ll likely narrow the location down only to your town, if WiFi data is available you’re more likely to get within a block, and GPS should be pretty spot on.

The API has been implemented in modern browsers; Firefox since version 3.5, Opera since 10.6, Internet Explorer since 9 and of course Google Chrome.

We can test the API with either some example JavaScript or the Google Maps feature “Show My Location”.
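The “example JavaScript” test of the API, written out as an added example (not code from the Hak5 page): the browser-side call is separated from the interpretation of its result, and the geolocation object is passed in rather than read from `navigator` so the logic can be exercised with a stand-in outside a browser. The accuracy thresholds are assumptions, not figures from the page.

```javascript
// Rough reading of the accuracy radius (metres), following the three tiers
// the show notes describe: IP address only, WiFi access points, GPS.
// The cut-offs are assumed for illustration.
function describeAccuracy(metres) {
  if (metres <= 50) return "GPS-grade: within tens of metres";
  if (metres <= 500) return "Wi-Fi-grade: within a block or so";
  return "IP-grade: town level at best";
}

// Names for the three PositionError codes defined by the W3C spec.
const ERROR_NAMES = { 1: "PERMISSION_DENIED", 2: "POSITION_UNAVAILABLE", 3: "TIMEOUT" };

// Reduce a Position object to the fields a page would actually act on.
function interpretPosition(pos) {
  const { latitude, longitude, accuracy } = pos.coords;
  return { latitude, longitude, accuracy, quality: describeAccuracy(accuracy), at: pos.timestamp };
}

// Reduce a PositionError to a readable record.
function interpretError(err) {
  return { error: ERROR_NAMES[err.code] || "UNKNOWN", message: err.message };
}

// Promise wrapper around getCurrentPosition.  It never rejects, so a page can
// treat "denied" and "unavailable" as ordinary outcomes rather than crashes.
function locate(geo, options = { enableHighAccuracy: true, timeout: 10000, maximumAge: 0 }) {
  return new Promise((resolve) => {
    if (!geo || typeof geo.getCurrentPosition !== "function") {
      resolve({ error: "UNSUPPORTED", message: "no Geolocation API in this browser" });
      return;
    }
    geo.getCurrentPosition(
      (pos) => resolve(interpretPosition(pos)),
      (err) => resolve(interpretError(err)),
      options
    );
  });
}

// Constructed stand-in for navigator.geolocation (test data, not a real fix).
// Pass {code: n} to simulate a PositionError, or coords to simulate a fix.
function fakeGeolocation(outcome) {
  return {
    getCurrentPosition(onSuccess, onError) {
      if (outcome.code) onError({ code: outcome.code, message: "simulated" });
      else onSuccess({ coords: outcome, timestamp: 1700000000000 });
    },
  };
}

// Use the real API when a browser provides it, otherwise the stand-in.
const geoSource =
  typeof navigator !== "undefined" && navigator.geolocation
    ? navigator.geolocation
    : fakeGeolocation({ latitude: 37.7749, longitude: -122.4194, accuracy: 1200 });
locate(geoSource).then((result) => console.log(result));
```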

Determining a location based on wireless access points is done by referencing a database of known WiFi base stations and their characteristics, such as the unique BSSID or MAC address. The technique of collecting these databases is called wardriving, and I’m sure you’re familiar with it. Our favorite tools for the job are NetStumbler for Windows, Kismet on Linux and KisMAC on OS X.

One such company that collects and maintains WiFi station location databases is Skyhook. They provided the location information for the iPhone until iOS version 3.2, at which point Apple started using their own database.

Another database maintainer is Google, who formerly collected locations from Street View cars and currently uses anonymous data captured by Android devices. The latter is an opt-in feature of the Android OS.

Of course Skyhook, Apple and Google’s databases are for the most part proprietary. There is however an open database: Wigle.net maintains a huge map and database of wireless access points and cell stations submitted from community members’ wardriving findings.
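A toy version of the database lookup described above, added here as an example (not code from the Hak5 page, and not Skyhook’s or Google’s actual algorithm): a scan of nearby BSSIDs with their signal strengths is matched against a constructed table of surveyed access-point positions, and the client’s position is estimated as a signal-weighted centroid. Every BSSID and coordinate below is made up, and the flood check at the end is an assumed heuristic.

```javascript
// Constructed wardriving database: BSSID -> surveyed position (degrees).
const KNOWN_APS = {
  "00:11:22:33:44:01": { lat: 37.3310, lon: -76.7050 },
  "00:11:22:33:44:02": { lat: 37.3312, lon: -76.7043 },
  "00:11:22:33:44:03": { lat: 37.3306, lon: -76.7047 },
};

// Turn a dBm reading into a positive weight: a stronger signal means the AP
// is closer, so it should pull the estimate harder.  Under free-space loss
// received power scales as 1/d^2, so 10^(rssi/10) is proportional to 1/d^2.
function rssiToWeight(dbm) {
  return Math.pow(10, dbm / 10);
}

// scan: [{bssid, rssi}, ...].  Returns {lat, lon, matched}, or null when too
// few of the seen BSSIDs are in the database to say anything useful.
function estimatePosition(scan, db = KNOWN_APS, minMatches = 2) {
  let wsum = 0, lat = 0, lon = 0, matched = 0;
  for (const { bssid, rssi } of scan) {
    const ap = db[bssid.toLowerCase()];
    if (!ap) continue;                 // unknown BSSID contributes nothing
    const w = rssiToWeight(rssi);
    lat += ap.lat * w;
    lon += ap.lon * w;
    wsum += w;
    matched++;
  }
  if (matched < minMatches) return null;
  return { lat: lat / wsum, lon: lon / wsum, matched };
}

// A single radio beaconing many BSSIDs shows every "AP" at the same strength,
// which a real neighbourhood never does.  This flags that pattern so a lookup
// service can decline to trust such a scan (assumed heuristic, not Google's).
function looksFlooded(scan, toleranceDb = 1, minAps = 3) {
  if (scan.length < minAps) return false;
  const levels = scan.map((s) => s.rssi);
  return Math.max(...levels) - Math.min(...levels) <= toleranceDb;
}

// Constructed scans: one plausible, one with every BSSID at the same level.
const REAL_SCAN = [
  { bssid: "00:11:22:33:44:01", rssi: -40 },
  { bssid: "00:11:22:33:44:02", rssi: -70 },
  { bssid: "00:11:22:33:44:03", rssi: -80 },
  { bssid: "de:ad:be:ef:00:01", rssi: -65 },   // not in the database
];
const FLAT_SCAN = REAL_SCAN.map((s) => ({ ...s, rssi: -50 }));

if (typeof require !== "undefined" && require.main === module) {
  console.log("real scan ->", estimatePosition(REAL_SCAN), "flooded:", looksFlooded(REAL_SCAN));
  console.log("flat scan ->", estimatePosition(FLAT_SCAN), "flooded:", looksFlooded(FLAT_SCAN));
}
```

With varied signal levels the strongest AP dominates the estimate; with identical levels the weights cancel and the estimate collapses to the plain centroid of the matched APs.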

With all of this in mind, today we’re attempting to spoof our location with faked access point information using a Faraday Cage and an MDK3 beacon flood.

SpiderOak, is it better than Dropbox?

Are you sick of using lame backup and recovery programs that cost way too much? Perhaps you’re just not a fan of the new terms of service with Dropbox? Well, I found one that might float your boat! SpiderOak is a tool made specifically for backing up, syncing, and recovering your files across Windows, Mac, and Linux. SpiderOak was made by geeks for geeks, especially for the hacker minded. It’s more customizable, storage is cheaper, and the privacy is much better than certain backup programs out there because they take a “zero knowledge” approach to all data. With that said, though, you’re screwed if you forget your password!

There are a lot of features to be had:

Storage redundancy savings: SpiderOak will detect redundant copies of the same file and the extra copies won’t take up any extra space. For example, if you have the same song uploaded to SpiderOak from your home computer and your work computer, the second one won’t take any space.

Multi-platform synchronization lets you sync files and data from several different types of computers and mobile devices.

It’ll save historical file versions, just in case you save over something important.

In place of FTP to share and upload files for family and friends, SpiderOak lets you make anything you want public, and you can create a ShareRoom to be accessed via a web URL.

You can retrieve files from any device that’s connected to the internets.

And my favorite, the comprehensive zero knowledge data encryption. Most online storage systems only encrypt your data during transmission, meaning anyone with physical access to the servers your data is stored on (such as the company’s staff) could have access to it. Or, even if your data is encrypted during storage, your password (or set of encryption keys) is often stored along with your data, making it easily decoded by anyone with local access to those servers. With SpiderOak, you create a password on your PC, not in a web form. The password is encrypted, so even physical access does nothing. This is why, if you lose your password, you’re screwed.

Now, pricing isn’t too bad. It’s less than other backup programs out there! 2 GB are free, or you can get 100 GB for $10 a month which increases per every 100 GB thereafter.

On to playing with the program! There are several versions, including a 64-bit one. Just download the one that corresponds to your computer from the SpiderOak website.

I’m going to be playing with SpiderOak in this Ubuntu VM just to see how it works in Linux. I am going to download the 32-bit version for Ubuntu and go through the installation process. As you can see, the installation process is plain and simple; just follow the on-screen instructions. You’ll find SpiderOak under Applications > Internet. When you first open it, you’ll need to hop over to the website and create a new account. You’ll enter your username and verification code (which gets emailed to you) into the program. Then, from the program, you can create a password.

If you’ve already created your account you can choose Existing User and just enter your username and password. It may take a few seconds to completely let you log in, because during this process your information is being decrypted.
Next you’ll be able to install a new device (which means you’ll name it; mine is called Linux VM).

When you first log in, you’ll get a nice listing that basically divides all of your files into categories. I prefer advanced mode, so I can choose exactly what I want to back up. My photo can be found on the desktop, so I’ll choose it, then click Save. Now, if I go to Status I can watch the progress of the backup. Under the View tab, you can view all your backups as well as ongoing downloads with the download manager tool. The Sync tab will let you synchronize file types of your choice across various folders. This would be a good thing to use if you have a photo folder on your Linux computer and your Windows machine, and want to sync both folders to match so you don’t have to go from one computer to the other.

Last is the Share option. First create a name for your new share folder. Then choose ‘New’ to create the shared link. Go through the on-screen instructions and you’ll see a link on the left side. This can be emailed, copied, and forwarded to other recipients.
So you can tell that SpiderOak is generally a very easy to use program, but it’s still packed with all the goodies that you’d need when uploading and syncing files.

Faraday Cages and Wireless Cards!

If you’re not familiar with a Faraday cage, it’s basically a metal or mesh box that blocks, among other things, radio waves. It was invented back in 1836 by the English scientist Michael Faraday.

My little Faraday cage here is built from an IKEA picture frame, and before we get any further: Stand Down HAM Radio Operators!

MDK3 is a tool that exploits weaknesses in 802.11 protocols. It was created by ASPj with the help of the aircrack-ng team and libraries. MDK3 can be found at Pedro Larbig’s homepage and is built into the latest version of BackTrack from backtrack-linux.org.

Using the MDK3 beacon flood attack mode and information gathered from the Wigle.net database for the old HakHouse in Williamsburg, VA, we’ll attempt to spoof our location.

If you’re into Hak5 you’ll love our new show by hosts Darren Kitchen and Shannon Morse. Check out HakTip!

Whether you’re a beginner or a pro, HakTip is essential viewing for current and aspiring hackers, computer enthusiasts, and IT professionals. With a how-to approach to all things Information Technology, HakTip breaks down the core concepts, tools, and techniques of Linux, Wireless Networks, Systems Administration, and more.

And let’s not forget to mention that you can follow us on Twitter and Facebook, Subscribe to the show and get all your Hak5 goodies, including the infamous WiFi Pineapple over at HakShop.com. If you have any questions or suggestions please feel free to contact us at feedback@hak5.org.

Being in IT and not using the right tools to get the best results for your clients is like a surgeon not using the best, most reliable medical equipment. How can you expect your clients to work with you?
That’s why I use GoToAssist Express by Citrix, the BEST remote support tool available. GoToAssist Express is designed with speed and usability in mind, which makes it easy to get in, diagnose and resolve the problem fast!
And with Unlimited Use you can support all you want for one flat fee! Hak5 viewers can try GoToAssist Express FREE for 30 Days. For this special offer visit GoToAssist.com/Hak5.

If you want to build a video site or if your website has a play button, I recommend getting a dot TV domain. A dot TV website lets you showcase your original content and create a unique site, not just another YouTube channel.
Just go to domain.com and search for the perfect dot TV domain for your new idea. Then use coupon code Hak5 at checkout to save an extra 15%.
If you need to host your dot TV website, don’t forget about Domain.com’s web hosting plans. They’re less than six bucks a month and have everything you need to build, maintain, and promote your site.
Remember: when you think domain names, think domain.com.
Got a great idea? It all starts with a great domain. domain.com

Only suckers pay full price. If you love alternative apparel brands like Kidrobot, Hurley, and Stussy but hate wasting all your cash on them, listen up! You can score these premium brands at UP TO 80% OFF every day.
There’s a new invite-only shopping club just for guys called JackThreads, serving up street, skate, and surfwear brands at prices that will melt your brain. There’s a wait-list to join, but if you head to jackthreads.com/hak5 you’ll get instant access to all the killer hook-ups. GO NOW Oh, and did we mention that it’s free to join? Hit up JackThreads.com/hak5 and you’ll instantly start saving without having to leave the house.


32 Comments

  • Shogun 3 years ago

    For the location thing, did you have a San Francisco IP when you were asking it to find your location? I have no clue how the API works, but surely looking up your IPs location would be a first step to determine physical location?

    Love the show!

  • Bigbear700 3 years ago

You can’t do geo due to the adapter; it is IP over eth, not the wifi info.
Unless you set up an access point to run off that looks the same as the BSSID map, down to the make, WEP key type.
For the geo to work, if it doesn’t, just use the IP from the real wifi point. PS: Did this at 1:36 am EST on an iPhone.

Before we start signing up to SpiderOak, I had a question. Would you guys be willing to send out a HAK5 invite to your fans from a HAK5 SpiderOak account? This way you can get your 50 GB free SpiderOak account, and if you have any cool files/tools it would make it easier to share with your fans.

  • on.verra 3 years ago

Hello Shannon,
I used to be seriously interested in security watching Hak5, but now
I fall in love when I see you on the screen (please don’t wear tight dresses).
* Do you see it as a problem that I am already married and I have two kids and one dog? When you are in Europe I would like to meet you.

Now seriously, I am a fan of you both; please keep the technical line on a professional level (little jokes are allowed).

I am missing a “troubleshooter section” about wifi:
* what is wrong when aireplay-ng --arpreplay doesn’t increase data transfer.
Can you explain in action the prerequisites of the arpreplay attack?
* in general, how to trace a problem (in my case the client was associated, so MAC filtering is out of scope; the injection test --test passed; I am using an Alfa card with the existing drivers in bt5).

bye!

  • Nomad 3 years ago

    Nice to see the occasional one not work. Makes the show more real :)

  • Cormac 3 years ago

I am sure that Google is using the external IP address of your service provider to locate you in general. I would be willing to bet that if there is a conflict between what wireless access points it “sees” and the actual incoming internet connection to the page, the incoming connection takes priority. In all likelihood Google bases the initial location off the external IP address, then narrows it down by using the wireless access points in the area.

    It is also possible that google could care less about the wireless access points, and just traces the IP back to its source for the location.

    Anyway that would be my thoughts on the subject.

    • This is fairly simple to disprove. Use the Google maps ‘find my location’ feature, note how accurate the location is. Repeat when using a proxy server, I’d bet it is still as accurate.

      Google would be foolish to rely on IP for location services, what about all the corporate users that use a VPN – do they all get results that say they are at work?

I have used Google Gears to pin down the location of a user who was recording BackTrack wifi hacking. You just need the list of BSSIDs and the signal strength.
Triangulation is all about the signal strength.

  • Brooke Hedrick 3 years ago

    Hey,

    You can see a clock over the right shoulder of Darren that says 2:39AM. Are you guys really recording at 2:39am?!

  • Sinager 3 years ago

    Hey Gang,
    I had an idea for the Hack Darren was trying to do. What if you use 2 rigs for this? One rig running the monkey, and another running the ALFA. Get the monkey running BEFORE you boot up the rig running the ALFA. Maybe a fresh OS start will do the trick. (You know, like leaving your house and going on a road trip and powering on your rig at a hotel) I would also clear all data before shutting the rig down before you do this test..

    I love the shows, keep up the good work gang

  • drmaq 3 years ago

    Why not try pogoplug or tornido for personal free storage.

  • Dustin 3 years ago

I would bet cash money it’s figuring out where you are based on your IP. Since you’re refreshing Google Maps, you’ve got to be tapped into the actual internet.

    http://www.ipaddresslocation.org/ (Scroll down to see location city)

To get fake location data you need to know the signal strengths of the BSSIDs.
Faking a bunch of access points from one wifi transmitter will give you the same signal strength for all APs and shouldn’t work unless the database has scanned somewhere in that area where all the APs have the same signal strength.

Why do you even need the Faraday cage and two wifi cards? Isn’t it easier to parse the data from a Wigle.net search and then try submitting that to the Google Gears location API?

Once you have scan data that is a real location you could try modifying the Google Maps webpage with JavaScript to pass over the changed scan data. Or do some ARP spoofing etc. to inject the new location data into the request.

Look at Prey’s Geo module (preyproject.net or GitHub for the source shell scripts) for an example of the scan data to send to Google Gears.

    Love the show, but this seems like a newbie mistake :)

Hello pplz,

I like the show!!!

@darren how exactly should this work? I mean, how is your web browser able to list available wireless access points? To me it looks like a conceptual error.

    all the best
    fog

Google uses the Geolocation API. It is part of HTML5. Previously you needed Google Gears in your browser, before the spec was standardised.

  • Hi guys,

    Google won’t show you the fake location because they see the IP of your provider and know that you can’t be anywhere too far away.

    Cheers

  • Micah Bucy 3 years ago

    Nice use of an ipad for remote teleprompting control.

Hello again, parasites. Here’s a question for you: If you were on a desert island, who would be the most useful person…

The guy who knew which plants were poisonous or not? The person who could build a shelter out of whatever was lying on the island? Or…. the guy who knew a lot about computers? I’ll give you a clue… the last one would be the first person we fucking killed and carved up for food.

Let’s face it, everyone in IT is just another parasite looking for an easy life… Compare yourself to people who spend their lives down mine shafts: these people have to actually work for a living, while you lot just spend your lives sucking up to your fucking stupid bosses and spouting bullshit jargon no one wants to hear!

We have survived 1000s of years without computers, we do not need any of you! You really should man up and find some proper work!

Americans did not invent the internet.. The fucking British did! The only thing Americans are good for is killing innocent people (Indians, Afghans, etc) who cannot defend themselves, and stealing their natural resources!

    • Jason Conley 3 years ago

      I find it very ironic that you had to use a computer to write this rant.

  • phillip 3 years ago

I think the real question is, “What happens when your public IP and your neighbor BSSIDs do not identify the same location?” What will the API do then?

I really think your public IP is the issue. You can test this theory by shutting off your WiFi radios altogether and pinging your location on G-Maps again. If Google Maps is honestly 100% client side and looking solely at BSSIDs then it should not be able to ascertain your location, right? But I have a feeling it’s still going to show your location, based on your public IP.

    Perhaps a VPN or a proxy may help.

    Do I think you should try to continue this project? Absolutely! The only way to learn troubleshooting is to do it – or at least watch the real deal.

I have no WiFi card in this desktop machine. Google Maps disables the ‘get location’ button. IP addresses are a poor method for getting a user’s location. My IP is listed to my ISP’s datacenter 200 miles away.

I have managed to get the location of a user who recorded a BackTrack wifi hacking session. I simply used the Google Gears API with data gleaned from a video (my machine had no WiFi).

Seems conclusive to me. I’m fairly certain you need signal and noise data, so the 2 cards Darren is using need to somehow provide correct signal data too.

The only way I can see it working is if you can gather some scan data in different locations and use that instead of the Faraday cage method. You may be able to inject the data into the data that is sent to Google.

      • phillip 3 years ago

I find it hard to believe that the signal/noise ratio is what’s causing a discrepancy of thousands of miles. If it had returned “VA” or something, okay… but it looks like the browser never updated his location data.

I agree that IP addresses are a poor location indicator, but somehow Google figured out his location with the radios in the Faraday cage, seeing nothing else local. The browser is saving your wifi data periodically.

From Chrome’s website: “Google Chrome saves your location information so that it can be easily retrieved. This information is periodically updated; the frequency of updates depends on changes to your local network information.”

        Here’s google’s response to, “How we determine your location.”

        “The local network information used by Google Location Services to estimate your location includes information about visible WiFi access points, including their signal strength; information about your local router; your computer’s IP address.”

So I think you should set up a slightly larger Faraday cage which can hold two radios and a Pineapple, something to establish a connection. The Pineapple would need to emulate one of the access points while mon0 sprays the other BSSIDs. Then see if you can get the browser to update the local location data.

I don’t have a Pineapple so I cannot try this.

You could go the Faraday cage route, but really what is the point? It is complex and cumbersome to set up and doesn’t translate to other devices. A simple text file with the scan data readings could be enough.

Google Maps is responding to data sent over HTTP, therefore it is far easier to inject the required data into the webpage, potentially via JavaScript (anyone working on a bookmarklet?), or via a local proxy that is designed to rewrite the data. Check out netzgewitter’s links; I think he is onto something.

I suspect you are correct that the data didn’t update on Darren’s map, but I think the reason for no update was that the algorithm said it wasn’t possible to find a match. If all the BSSIDs had high signal values it wouldn’t be possible to approximate the location.

I’d suggest anyone with decent sniffing skills should look at the data sent to Google and compare that from different locations.

Exactly; however, sniffing would probably be hard to impossible, since data is transmitted over HTTPS to the Google Geolocation Service. However, that’s only done so nobody in between can listen.

There is absolutely no secret in what is sent and received to/from the Google Geolocation Service. Just set the Firefox pref setting geo.wifi.logging.enabled to true (e.g. with about:config) and all the transmitted data is logged in plain text to the console.

As I wrote in a comment below, I implemented a Firefox extension in the meantime, which lets you override the reported geo location altogether. Maybe I will add a toolbar button in a future version, where you can display a log window containing the data sent to Google. That would come in handy for debugging situations.

The plugin is here btw:
http://www.netzgewitter.com/georelocate/

Exactly; however, sniffing would be hard to impossible since all the data is sent over HTTPS to the Google Geolocation Service. But that’s only done so nobody in between can listen.

There is absolutely no secret in what is transmitted to/from Google on the client side. One only needs to set the Firefox pref setting geo.wifi.logging.enabled to true (e.g. with about:config) and all the transmitted data is logged to the console in plain text.

As I wrote in a comment below, I implemented a Firefox extension in the meantime, which lets you override the reported geo location altogether. I might add a toolbar button in a future version, for displaying a log window containing all the data being transferred to/from Google. That would come in handy for debugging.

            The extension can be downloaded here btw:
            http://www.netzgewitter.com/georelocate/

          • Sorry about the double post. Darn.

  • I went a different way by successfully modifying Firefox to produce fake geo location results.

    Check it out:
    Spoofing W3C Geolocation from a Different Angle

It also contains some information about how to debug the geo location API with Firefox and how to request the geo location information with a simple stand-alone Python script. This might be helpful regarding Darren’s problem.

The last couple of days I spent on learning how to create Firefox extensions. I was able to package my modifications as a Firefox extension, which anybody can use to change the coordinates reported by the geo location API. Check it out:

    http://www.netzgewitter.com/georelocate/

The XPI (which is actually only a ZIP file) is not very big and does not contain any compiled code. It’s all just plain human-readable JavaScript, XUL and XML. The most important part happens in components/GeoRelocationProvider.js.

    • Well done netzgewitter.

      It looks like you have cracked it.

      :^)

Can the JS be turned into a bookmarklet to make it work on any browser?
I can’t edit the XPI; it looks encoded in TextMate on the Mac.

      Well done.

      • The XPI is actually only a ZIP file. I am no Mac user, so I am not sure what you need to use to unpack it. Maybe renaming it to .zip might help.

I will look into the bookmarklets. But I have my doubts. Even though the heart of the FF extension is just plain old JavaScript, it intervenes in some core components of FF by replacing an XPCOM object, which is very specific to Firefox.

        Btw. many thanks for trying it out. Now I know that it also works with FF on a Mac. I’ve only tested it on Linux and Win so far.

        • I didn’t see the reference to the zip in the earlier comment. Just adding .zip allowed it to unzip ok.

Hopefully Darren will get around to trying it; I have no idea if his original requirements were meant to intentionally make it a system-level hack.

I should look at the JS if I get a chance; I guess other browsers use other APIs instead of XPCOM.

          Wireshark freaks should be able to unpick the requests, there must be some around here? :)