
Null dec 2014

Presentation from Null HYD December Meet.


1. Myself – Self Boasting / Self D**ba
- Authored a book at the age of 21 (2nd edition WIP)
- ISO 27001:2013 ISMS LA, CEH, CCNA, ECSA, JNCIP-SEC, JNCIS-SEC etc.
- Featured in Deccan Chronicle, The Hindu, The HANS India, Eenadu, Vaartha, Saakshi, AndhraJyothi, Andhrabhoomi etc.
- Interviewed by HMTV news channel
- Reported vulnerabilities on 100+ popular websites and got lucky with more than two dozen CVE IDs
- Reported a BOF on Yahoo Messenger
- Trained more than 10,000 people (corporate + students)
- Currently working with TCS as Security Analyst
Enough ………. Just stop it ………!
2. Where am I taking you now?
- Hell, why do I need to listen to this?
- Introduction to barcodes
- Breaking down EAN-13
- Your weapons
- Here comes the "heart" of this PowerPoint deck
- My experience with barcode cracking: a) XYZ MNC well-known barcode crack b) XYZ shopping mall etc.
- Brief introduction to XSS, SQL etc. attacks via paper, yeah it's via PAPER…! or NEWSPAPER…! OMG…!
3. Why do I need to listen to this?
With barcode cracking, you can
a) Buy a costly product at the rate of a cheap one
b) Get free entry to parties – free beers etc.
c) Get free parking
d) Bypass access control – get free attendance / break your friend's attendance etc.
Disclaimer: I am in no way responsible for any misuse of this technique. I am sharing it for informational purposes only.
4. Introduction to Barcodes
- Introduced by Joseph Woodland and Bernard Silver in 1952
- First used for railway car identification (ACI) but that failed; the first commercial scan (1974) was a pack of Wrigley chewing gum
- Optical representation of data to uniquely identify items
- Used for tickets, market items, books, parcel tracking, parking etc.
- Barcodes, scanners / verifiers
- Barcode verifier standards: a) ISO/IEC 15416 (linear print quality) b) ISO/IEC 15426-2 (2D verifier conformance)
5. Classification
1. 1D
   a) EAN-13 (world-wide)
   b) UPC (USA, Canada etc.)
   c) Code 128
   d) Codabar
   e) Plessey etc.
2. 2D (more information per symbol)
   a) QR code
   b) MaxiCode
   c) Aztec code etc.
3. 3D (based on height, i.e. embossed) – to withstand high-temperature or chemical environments
6. [Slide images: QR code, Aztec Code, Code 128]
7. Why EAN-13? – Everywhere
[Images of EAN-13 barcodes on everyday products: book, deodorant, shirt]
8. [Images of EAN-13 barcodes on everyday products: moisturizer, shampoo, face wash, powder]
9. Breaking down EAN-13 into pieces
Do I need to learn this to do barcode-based hacks??? – Yes…!
10. Country code – first two/three digits (the GS1 prefix; it identifies the GS1 member organisation that issued the number, not necessarily the country where the product was made)
11. Manufacturer code – product code (the remaining digits up to the final check digit)
12. Verifying the check digit (example code 7501054530107, digits numbered #0 to #12)
1. Digits at even positions are summed to value A: #0+#2+#4+#6+#8+#10 = A [7+0+0+4+3+1 = 15]
2. Digits at odd positions are summed and multiplied by 3: 3*(#1+#3+#5+#7+#9+#11) = B [3*(5+1+5+5+0+0) = 48]
3. A + B = C [63]
4. The remainder of C/10 is D [3]
5. If the check digit (#12) equals 10 - D, the code read by the machine is correct [7]. (When D is 0 the check digit is 0, not 10.)
13. First digit – Part 1 – Part 2
Ever wondered how those lines are generated?
7 – 501054 – 530107
14. Fuzzy Buzzy……
- Black bar = 1 and white space = 0
- Guard patterns: 101 on the left and right borders, 01010 in the centre
- The first digit (7) is not drawn as bars; it selects the parity pattern ABABAB, i.e. which pattern set (A or B) encodes each of the six digits of part 1
<left border> 101
<part 1: 501054, generated from A/B> 0110001 0100111 0011001 0100111 0110001 0011101
<centre> 01010
<part 2: 530107, generated from C> 1001110 1000010 1110010 1100110 1110010 1000100
<right border> 101
15. Finally…!
101 0110001 0100111 0011001 0100111 0110001 0011101 01010 1001110 1000010 1110010 1100110 1110010 1000100 101
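The check-digit arithmetic of slide 12 and the bar encoding of slides 13 to 15, carried through in working code. This is an added example, not code from the slides or the speaker: the L/G/R pattern tables and the parity table are the standard EAN-13 ones, SLIDE_BITS is the 95-module pattern slide 15 shows, and the function names are my own. decode() goes beyond the slides by reversing the process, which shows that the first digit is recovered from the parity pattern alone.

```python
"""EAN-13 check digit, encoder and decoder (added example, not from the slides)."""

# Standard EAN-13 pattern sets: A = L-codes (odd parity), B = G-codes (even
# parity) for the six left-hand digits, C = R-codes for the six right-hand digits.
L_CODES = ["0001101", "0011001", "0010011", "0111101", "0100011",
           "0110001", "0101111", "0111011", "0110111", "0001011"]
G_CODES = ["0100111", "0110011", "0011011", "0100001", "0011101",
           "0111001", "0000101", "0010001", "0001001", "0010111"]
R_CODES = ["1110010", "1100110", "1101100", "1000010", "1011100",
           "1001110", "1010000", "1000100", "1001000", "1110100"]

# Parity pattern of the six left-hand digits, selected by the (undrawn) first digit.
PARITY = ["AAAAAA", "AABABB", "AABBAB", "AABBBA", "ABAABB",
          "ABBAAB", "ABBBAA", "ABABAB", "ABABBA", "ABBABA"]

LEFT_GUARD = RIGHT_GUARD = "101"
CENTER_GUARD = "01010"

# The 95-module pattern from slide 15 (7501054530107), used to check encode().
SLIDE_BITS = ("101" "0110001" "0100111" "0011001" "0100111" "0110001" "0011101"
              "01010" "1001110" "1000010" "1110010" "1100110" "1110010" "1000100" "101")


def check_digit(payload: str) -> int:
    """Check digit for the first 12 digits, same arithmetic as slide 12:
    weight 1 on even 0-based positions, weight 3 on odd ones; the check digit
    brings the total to a multiple of 10."""
    if len(payload) != 12 or not payload.isdigit():
        raise ValueError("need exactly 12 digits")
    a = sum(int(d) for d in payload[0::2])        # #0 + #2 + ... + #10
    b = 3 * sum(int(d) for d in payload[1::2])    # 3 * (#1 + #3 + ... + #11)
    return (10 - (a + b) % 10) % 10               # the final % 10 maps 10 to 0


def is_valid(code: str) -> bool:
    """True when the 13-digit code carries the right check digit."""
    return len(code) == 13 and code.isdigit() and check_digit(code[:12]) == int(code[12])


def encode(code: str) -> str:
    """Turn a valid 13-digit EAN into its 95-module pattern ('1' = bar, '0' = space)."""
    if not is_valid(code):
        raise ValueError("bad length or check digit")
    first, left, right = code[0], code[1:7], code[7:]
    bits = [LEFT_GUARD]
    for parity, d in zip(PARITY[int(first)], left):
        bits.append((L_CODES if parity == "A" else G_CODES)[int(d)])
    bits.append(CENTER_GUARD)
    bits.extend(R_CODES[int(d)] for d in right)
    bits.append(RIGHT_GUARD)
    return "".join(bits)


def decode(bits: str) -> str:
    """Inverse of encode(): recover the 13 digits from a 95-module pattern.
    The first digit is never drawn; it is read back from the A/B parity sequence."""
    if len(bits) != 95 or bits[:3] != "101" or bits[45:50] != "01010" or bits[92:] != "101":
        raise ValueError("guard patterns not found")
    parity, digits = "", ""
    for i in range(6):                            # six left-hand digits, 7 modules each
        chunk = bits[3 + 7 * i: 10 + 7 * i]
        if chunk in L_CODES:
            parity, digits = parity + "A", digits + str(L_CODES.index(chunk))
        elif chunk in G_CODES:
            parity, digits = parity + "B", digits + str(G_CODES.index(chunk))
        else:
            raise ValueError(f"unknown left-hand pattern {chunk}")
    for i in range(6):                            # six right-hand digits
        chunk = bits[50 + 7 * i: 57 + 7 * i]
        if chunk not in R_CODES:
            raise ValueError(f"unknown right-hand pattern {chunk}")
        digits += str(R_CODES.index(chunk))
    code = str(PARITY.index(parity)) + digits
    if not is_valid(code):
        raise ValueError("check digit mismatch")
    return code


if __name__ == "__main__":
    print(check_digit("750105453010"))            # 7, as on slide 12
    print(encode("7501054530107") == SLIDE_BITS)  # True: matches slide 15
    print(decode(SLIDE_BITS))                     # 7501054530107
```

check_digit() maps a remainder of 0 to check digit 0 rather than 10, a case the "10 - D" rule on slide 12 does not spell out. The security point behind the deck is visible in encode(): the check digit only protects against misreads, never against a forged label. Any 12-digit prefix gets a valid check digit, so encode(prefix + str(check_digit(prefix))) yields a sticker the scanner will accept for whichever product code you chose; that is what the shopping-mall scenario on slide 18 relies on, and the mitigation has to live in the POS/back end (price or weight plausibility checks, attended scanning), not in the symbology.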
16. At your own risk…!
17. Your weapons
Barcode generators
- Online: http://www.terryburton.co.uk/barcodewriter/generator/
- Offline: ByteScout barcode generator
Barcode decoders
- http://www.onlinebarcodereader.com/
- http://zxing.org/w/decode.jspx
- http://www.onlinebarcodescan.com/
- http://online-barcode-reader.inliteresearch.com/
One-stop shops for printers, stickers, labels, scanners etc.
- http://www.barcodesinc.com/
- http://www.3sindustries.in/
18. XYZ Shopping Mall
Buy a product worth INR 5000/- for INR 1000/-
Demo experience (social engineering*)
19. Other scenarios
- Drink beer free of cost
- Access control magic
- Free parking
- Corporate asset management etc.
20. My journey with "Beeeeeep" – MNC (well known)
Demo experience
21. XSS, SQL etc. via PAPER…………..!
- QR codes
- [QR code image] encoding <script>alert("test")</script> (demo), generated with http://qrcode.kaywa.com/
More demos and details in the next talk
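What the QR payload on slide 21 actually attacks is not the scanner but the application behind it: a scanner is a keyboard or camera, and whatever was printed arrives as a string. The following added example (my code, not the speaker's demo) shows a scanned value reaching an SQL lookup and an HTML page in a vulnerable and a hardened form. The product table is constructed sample data, the XSS payload is the one on the slide, and the SQL-injection payload is a hypothetical one, since the slides name SQL attacks but show no payload.

```python
"""Scanned barcode/QR payloads as untrusted input (added example, not from the slides)."""
import html
import sqlite3

SCANNED_XSS = '<script>alert("test")</script>'   # the QR payload shown on slide 21
SCANNED_SQLI = "' OR '1'='1"                      # hypothetical SQL-injection payload
SCANNED_OK = "7501054530107"                      # the EAN-13 from slides 12 to 15


def build_inventory() -> sqlite3.Connection:
    """Constructed sample inventory: one cheap and one costly product."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (ean TEXT PRIMARY KEY, name TEXT, price_inr INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("7501054530107", "sample shampoo", 1000),
        ("4006381333931", "sample pen", 5000),
    ])
    return db


INVENTORY = build_inventory()


def lookup_vulnerable(db: sqlite3.Connection, scanned: str) -> list:
    """String-concatenated query: the scanned text becomes part of the SQL."""
    query = f"SELECT name, price_inr FROM products WHERE ean = '{scanned}'"
    return db.execute(query).fetchall()


def lookup_safe(db: sqlite3.Connection, scanned: str) -> list:
    """Parameterised query, plus a syntactic check before the value reaches SQL."""
    if not (len(scanned) == 13 and scanned.isdigit()):
        return []
    return db.execute("SELECT name, price_inr FROM products WHERE ean = ?", (scanned,)).fetchall()


def render_vulnerable(scanned: str) -> str:
    """Reflects the decoded payload straight into HTML: the XSS from slide 21."""
    return f"<p>Scanned: {scanned}</p>"


def render_safe(scanned: str) -> str:
    """HTML-escapes the payload so it is displayed as text, not executed."""
    return f"<p>Scanned: {html.escape(scanned)}</p>"


if __name__ == "__main__":
    print(lookup_vulnerable(INVENTORY, SCANNED_SQLI))   # every row, not just one
    print(lookup_safe(INVENTORY, SCANNED_SQLI))         # []
    print(render_vulnerable(SCANNED_XSS))               # script tag intact
    print(render_safe(SCANNED_XSS))                     # script tag escaped
```

The hardened lookup does two independent things: it rejects anything that is not a 13-digit string before SQL is involved, and it binds the value as a parameter so that even an input which passes the check can never change the query's structure. The rendering side needs escaping regardless of the symbology, because 2D codes carry arbitrary text and a QR reader that opens a web view with the decoded content is the usual place this lands.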
22. Questions????
23. Resources:
- www.barcodeisland.com
- http://www.phenoelit-us.org/stuff/StrichAufRechnung.pdf
- http://en.wikipedia.org/wiki/International_Article_Number_%28EAN%29
24. How can you reach me?
- https://in.linkedin.com/in/manideepk
- mani [ dot ] konakandla [at] gmail [dot] com
