HACKING WITH PAPER

By Sumedt JitpukdebodinWeb Application Security Specialist, ACIS i-Secure

LPIC-1, NCLA, C|EHv6, Sec+, eCPPT

WHO AM I?

▪ Learning Guy▪ Activities Guy▪ Writer

▫ Thai And English Article For Penetration Testing.▪ My book “Basic Hacking And Security”(THAI)▪ Gray Hat in sometimes.

▪ CITEC▫ Writer Of Linux Security In Hackazine.▫ Lecturer Of Ethical Hacking and Master Of Exploitation Courses.▫ One Of CITEC Live Team.▫ Security And Linux Consultant in the community.

MY JOB

i-Secure▪ Web Application Security Specialist▫ Security Research▫ Web Attacking Analysis▫ Web Application Firewall Engineer▫ Etc.

WHAT IS PAPER HACKING?

▪ Not new.▪ Not hard.▪ New target.▪ New way?

QR-CODE

▪ Barcode 2 Dimention▪ Japan▪ QR = Quick Response▪ Message, Contact, Picture anything that can be

the “characters” even “URL”▪ Maximum data 7089 numeric characters or

4296 alphanumeric characters = 2KB▪ Easy to read with Android and iOS Mobile and

Tablet.

QR-CODE(2)

▪ QR-Code In Korea▪ Every train station▪ Scan to buy▪ Pay by mobile

QR-CODE(3)

▪ QR-Code in Thailand▪ Magazine can talk!!!▪ http://www.youtube.com/v=X62xhsDqdBQ

TREND OF MOBILE

▪ Speed▪ Popular▪ Price

▪ Protection▪ Awareness

WHAT IS PAPER HACKING?

▪ QR-Code▪ Mobile▪ Social Engineering

STEP OF ATTACK

1. Create the evil site(s).2. Mapping the site into the real world.3. Create the QR-Code.4. Lure the people.5. Happy Time ☺

1) CREATE EVIL SITE.

▪ Android▫ Android Content Provider File Disclosure With

Metasploit▫ Android 2.0 ,2.1, 2.1.1 WebKit Use-After-Free Exploit

By MJ Keith▪ iPhone▫ iPhone MobileSafari LibTIFF Buffer Overflow

▪ Phishing▫ Gmail▫ Apple Store

1) CREATE EVIL SITE(2)

▪ Create script for detect any device with $_SERVER[‘HTTP_USER_AGENT’]▫ Redirect it to the match page.

1) CREATE EVIL SITE(3)

1) CREATE EVIL SITE(4)

iPhone

Android

Others

Evilsite:8081

Evilsite:8080

Evilsite/phishing2

2) MAPPING TO THE PUBLIC

▪ Forward Connections.▪ Dydns▪ NoIP

2) MAPPING TO THE PUBLIC

3) CREATE QR-CODE

▪ Web▫ http://qrcode.kaywa.com/▫ http://goqr.me/

▪ Android▫ QR Droid▫ QR Code Generator

▪ iPhone▫ Optiscan▫ Qrafter

3) CREATE QR-CODE(2)

4) LURE THE PEOPLE

▪ Social Engineering▫ Event▫ Interesting Word.▫ Negative Word.▫ Social Network.

5) HAPPY TIME ☺

Detect Device

Android

iPhone Others

Phishing2

Evilsite:8080Evilsite:8081

Phishing

5) HAPPY TIME ☺(1)

5) HAPPY TIME ☺(2)

5) HAPPY TIME ☺(3)

5) HAPPY TIME ☺(4)

Q&A