NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to any machine behind a victim's router, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.

NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse.

This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet injection technique across all major modern (and older) browsers, and is a modernized version to my original NAT Pinning technique from 2010 (presented at DEFCON 18 + Black Hat 2010). Additionally, new techniques for local IP address discovery are included.

Click here for more info.

MagSpoof is a device that can spoof/emulate any magnetic stripe or credit card. It can work "wirelessly", even on standard magstripe/credit card readers, by generating a strong electromagnetic field that emulates a traditional magnetic stripe card. It can disable Chip-and-PIN, correctly predicts Amex credit card numbers + expirations, and can be created from a few inexpensive parts.

Click here for more info.

I experimented with diffracting waves of sound and light and considered if food itself could be cast as a diffraction grating of visible light, and was finally successful with an easily manufacturable and repeatable process for producing edible, iridescent chocolate at home within vacuum.

Additionally reported on in The New York Times and The Takeout.

I’m finally getting some decent results producing 100%-edible iridescent tempered chocolate. The colors are from the chocolate (not any ingredient or coating) diffracting light after being forcefully molded onto a diffraction grating in vacuum. pic.twitter.com/6wpbsIKh5C

Samy Kamkar (@samykamkar) May 9, 2020

After failures attempting lasing gratings, finally designed mold in @adskFusion360, laser cut acrylic plates (variable thickness) w/@glowforge, turned rods w/Grizzly G0765, CNCd diffraction grating w/@Inventables Carvey, tempered+pressure injected chocolate, pulled vacuum @ 4torr pic.twitter.com/pKsS1tuV7e

Samy Kamkar (@samykamkar) May 11, 2020

Low cost, low weight, gesture controlled, and individually wirelessly addressed LED helium balloon network. This was a project, including PCB design, fabrication, assembly, firmware, software, visual design, and custom radio frequency mesh designed as a sound reactive, floating, light up balloon installation for friends' birthday party in the desert. Demo above, Hackaday Superconference technical talk below, Hackaday write-up here, and code+design on github.

Hackaday Technical Talk

Glitchsink is a tool demonstrating a new technique I've developed in order to perform voltage glitching, bypassing microcontroller bootloader/debugger protections in order to extract secure / protected firmware and access memory debugging features without target board modification. No bypass capacitor removal is required as it exploits internal charge drain by acting as larger, external parasitic capacitance during glitching.

Additionally, while I initially built glitchsink in Verilog using the Artix-7 XC7A35T FPGA, I've ported it to a ~$20 microcontroller in C++ with ARM assembly for the precise timing components, demonstrating that costly FPGA boards are not required for state-of-the-art glitching techniques against modern microprocessors.
Was first designed to extract secret keys from protected chips inside of acccess control locks without breaking plastic or altering PCBs and works across a wide range of manufacturers and models, examples such as the LPC1343, ATmega328P, and others.

Click here for more info.

OpenSesame is a device that can wirelessly open virtually any fixed-code garage door in seconds, exploiting a new attack I've discovered on wireless fixed-pin devices. Using a child's toy from Mattel. OpenSesame exploits not only the limited key space of most fixed pin wireless garages and gates, but employs a new attack I've discovered reducing the time it takes to open any garage by over 95%. This means most garages will take only seconds to open. OpenSesame uses the Radica Girltech IM-ME texting toy from Mattel, as it sports all the equipment we need to pull off the attack -- an effective TI CC1110 sub-GHz RF chip, an LCD display, keyboard, backlight, and more. And it's pink.

Click here for more info.

webscan is a browser-based network IP scanner and local IP detector. It detects IPs bound to the user/victim by listening on an RTP data channel via WebRTC and looping back to the port across any live IPs, as well as discovering all live IP addresses on valid subnets by monitoring for immediate timeouts (TCP RST packets returned) from fetch() calls or hidden img tags pointed to valid subnets/IPs. Works on mobile and desktop across all major browsers and OS's.

The below is just a screenshot, but you can see it in action for yourself here.

webscan takes advantage of the fact that non-responsive img tag sockets can be closed to prevent browser and network-based rate limiting by altering the src attribute to a non-socket URI (removing from DOM ironically does not close the socket), or by using fetch()'s signal support of the AbortController() interface.

Click here for more info.

When PoisonTap is plugged into a locked or password protected computer, it exfiltrates cookies for tens of thousands of domains, installs persistent backdoors in the browser that reach a command and control server via WebSockets over the Internet, tunnel the internal router allowing the attacker remote access to the router and internal network, and access remains persistent after unplugged. All using a $5 Raspberry Pi Zero and Node.js.

Click here for more info.

evercookie is a Javascript API that produces extremely persistent, respawning cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (LSOs), and others. It currently stores cookies in over a dozen browser mechanisms, including standard HTTP cookies, Local Shared Objects (Flash Cookies), storing in RGB values of auto-generated, force-cached PNGs using HTML5 Canvas tag to read pixels (cookies) back out, storing in web history, HTML5 Session Storage, HTML5 Local Storage, HTML5 Global Storage, and HTML5 Database Storage via SQLite.

Click here for more info.

I developed the MySpace worm, the first XSS worm based on AJAX which proliferated through the MySpace network in 2005 and is the fastest spreading computer virus in history. Learn how I made over one million friends in less than 24 hours.

Click here for more info.

KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity. All keystrokes are logged online and locally. SMS alerts are sent upon trigger words, usernames or URLs, exposing passwords. If unplugged, KeySweeper continues to operate using its internal battery and auto-recharges upon repowering. A web based tool allows live keystroke monitoring.

Click here for more info.

Combo Breaker is a motorized, battery powered, 3D printed, Arduino-based combination lock cracking device. It is portable, open source, 3D models provided, and exploits a new technique I've discovered for cracking combination locks in 8 attempts or less, but in an even more exciting, automated fashion.

Click here for more info.

SkyJack is a drone using Raspberry Pi engineered to autonomously seek out, hack, and wirelessly take control over other drones within wireless distance, creating an army of zombie drones under your control.

Click here for more info.

OwnStar is a device that can locate, unlock and remote start any vehicle with OnStar RemoteLink after intercepting communication between the RemoteLink mobile app and OnStar servers. More technicals details to come at Defcon and in a future page/video.

Click here for more info.

pwnat allows full client-server tunneling and proxying even when both server and client are behind separate NATs with no port forwarding and no DMZ setup on their routers to directly communicate with each other. There is no middle man, no proxy, no 3rd party, and the server side requires no information on the client.

Click here for more info.

I developed a new technique in cracking Master combination locks that reduces the total possible combinations from 64,000 down to 8, and works on all old and new Master combo locks. Additionally, I developed a motorized, Arduino robot that can perform the entire attack for you! You can access the online tool and video here.

Click here for more info.

USBdriveby is a device you stylishly wear around your neck which can quickly and covertly install a backdoor and override DNS settings on an unlocked machine via USB in a matter of seconds. It does this by emulating a keyboard and mouse, blindly typing controlled commands, flailing the mouse pointer around and weaponizing mouse clicks, while evading certain security checks.

Click here for more info.

I've ported and improved the Inventables' Easel and created a modern driver for Linux, Mac, Windows, Raspberry Pi (x86/x86-64/ARM) with the added ability to run Easel from a remote computer (providing remote access to CNC mill). This can be used with X-Carve, Carvey, and other GRBL-based controllers including Arduino, FTDI, and CH340/CH341-based controllers. The software automatically downloads the latest driver from Inventables and augments it to allow to run across the different platforms and controllers.

Click here for more info.

I discovered that the Apple iPhone, Google Android and Microsoft Windows phones constantly send geolocation/GPS and wifi router information back up to Apple, Google and Microsoft. The iPhone and Windows phones do this even when the user has chosen to turn GPS/Location Services off. Since my release of this research through the Wall Street Journal, Apple and Google have both testified in front of Congress and all three are now involved in various lawsuits due to potential invasion of privacy. Besides the companies tracking the locations of all of these phones, I've created a tool that exposes not only the GPS data, but the wifi data Google and Microsoft have been collecting from virtually all Android and Windows devices and Google street view cars, using them essentially as global wardriving machines. When the phone detects any wireless network, encrypted or not, it sends the BSSID (MAC address) of the router along with signal strength, and most importantly, GPS coordinates up to the mothership. My tool allows you to ping those databases and find exactly where any wifi router in the world is located. You can enter any router BSSID/MAC address to locate the exact physical location of the router. Try my Google tool here and my Microsoft tool here.

Click here for more info.

RollJam is a device I've created that attacks rolling codes in virtually every vehicle and garage as of August, 2015. It agnostically attacks the non-expiring rolling codes that are sent from a wireless remote to a vehicle or garage door. These devices typically use rolling codes to prevent a replay attack, however my device and software evade this security by jamming during the first two attempts to unlock/open, replays the first code so you successfully unlock/open your vehicle, but then saves the second code that was jammed for later use. More details in my Defcon 2015 talk, "Drive It Like You Hacked It".

Click here for more info.

ProxyGambit is an anonymization device that allows you to access the Internet from anywhere in the world without revealing your true location or IP, fracturing your traffic from the Internet/IP through either a long distance radio link or a reverse tunneled GSM bridge that ultimately drops back onto the Internet and exits through a wireless network you're no where near. After ProxyHam mysteriously disappeared, ProxyGambit aims to take its place as a more advanced, open source and free version. The device sits near a public wifi network with a GSM chip or long-range antenna and allows you to connect back over the Internet, through GSM, and then tunnel that traffic back onto the wifi network, making your traffic appear as if it's from the location of the device with no IP-related information tracing back to you.

Click here for more info.

I'm one of the original developers of proxmark3, a penetration testing tool for low and high-frequency RFID/NFC tags and readers, developed on an ARM7 microprocessor and Xilinx Spartan II FPGA. The device is capable of doing such things as read tags, simulate tags (such as HID badges), eavesdrop on transactions between another reader and tag, analyze a tag or signal passively, and more.

Click here for more info.

Quickjack is an intuitive, point-and-click tool for performing advanced and covert clickjacking and frame slicing attacks. The clickjacking frame follows the user no matter where they click on a page, automatically removes itself from the page once the click has been captured, and allows features such as referral scrubbing and frame breakout prevention.

Click here for more info.

Studying PHP's LCG (linear congruential generator, a pseudorandom number generator), I discovered that there are weaknesses that reduce the complexity of determining the sequence of pseudorandom numbers. What this means is that PHP is severely deficient in producing random session IDs or random numbers, leading to the possibility of stealing sessions or other sensitive information. Stealing a cookie can be reduced from 128-bits to 35-bits, and with PHP code execution, can be reduced further down to just under 20-bits, which takes only seconds to recreate the initial seed.

Click here for more info.

Digital Ding Dong Ditch is a device I created to hack into and ring my best friend's wireless doorbell whenever I send a text message to the device. The best part of the device is that it causes my friend, without fail, to come outside, find no one, and go back in. In this project, we'll learn not only how to create this device, but how to reverse engineer radio frequencies we know nothing about using RTL-SDR (a ~$14 software defined radio), as well as creating hardware and software using Arduino, the Adafruit FONA (GSM/SMS/2G board), an RF (radio frequency) transmitter to transmit custom signals, and even how to reverse engineer a proprietary radio signal we know nothing about!

Click here for more info.

My NAT Pinning technique is a method that forces a user's router or firewall, unbeknownst to them, to port forward any port number back to the user's machine, simply by the user visiting a web page. If the user had FTP/ssh/etc open but blocked from the router, it can now be forwarded for anyone to access (read: attack) from the outside world. No XSS or CSRF required.

Click here for more info.

Myo-OSC is a C++ application designed to take hand gestures, accelerometer, gyroscope and magnetometer data from the Thalmic Labs Myo EMG (electromyography) BLE armband and output it over OSC. This allows incredible control of virtually any device or application just by waving or flailing your arms and hands around like a crazy person.

Click here for more info.

Peepmail is a tool that allows you to discover business email addresses for users, even if their email address may not be publicly available or shared.

Click here for more info.

jiagra is a stand-alone javascript API for automatic website performance enhancement. It currently features cross-browser pre-rendering/pre-fetching (allowing pages on your site to load in the background before the user has clicked on them), advanced setTimeout and setInterval control (detecting which timers/intervals are still running, have been cleared, or fired) which can allow for greater understanding of when *all* requests of a page have completed, and improved script tag support, allowing you to enter Javascript code in a single script tag that calls out to a remote URL, where the inline Javascript gets executed after the remote JS is executed, e.g.
< script src="path/to/script.js" >
this_is_called_after_script_is_loaded();
< /script >

Click here for more info.

chownat allows two peers behind two separate NATs with no port forwarding and no DMZ setup on their routers to directly communicate with each other. There is no middle man, no proxy, no 3rd party, and the application runs as an unprivileged user on both ends.

Click here for more info.

By using XSS exploitation of a user's router, I've created a proof of concept which acquires the MAC address of the router of a web surfer, then uses the Google Service API to acquire geographic coordinates of the user (determined by the Google van driving around and seeing MAC address while tying it to coordinates.) This emulates Firefox's Location-Aware Browsing without requiring any permission from the user or requiring Firefox.

Click here for more info.

Advanced packet sniffing and injection tool including the first ever implementation of stateless-TCP packet injection without needing to continue to monitor/MITM session, colored output, passive OS fingerprinting, TCP killing via RST packets, PCRE regular expression filtering, password sniffing, SMTP/POP/IMAP-to-mbox format generation, URL sniffing and auto-following in browser, and more.

Click here for more info.

Packet is a suite of portable Perl modules for encoding, decoding, injecting and sniffing low-level network packets. Packet also provides functionality for other low-level network tasks such as retrieving network device information and working directly with ARP cache tables..

Click here for more info.

airsamy provides a simple interface to quickly and automatically crack a WEP network in minutes. It displays a list of available WEP networks and once selected, it automatically places your driver in monitor mode, tests packet injection, fake authenticates with the AP, captures IVs for cracking, captures ARP packets and replays them to introduce more IVs into the network, and cracks using the PTW attack.

Click here for more info.

I've implemented the ORYX stream cipher and a cryptanalytic attack able to recover the 96-bit internal key state in less than 2^20 ORYX operations. The ORYX stream cipher is used to encrypt data transmissions for the North American Cellular system.

Click here for more info.

I've described a simple method for authentication based protocols (e.g., ssh) to prevent man in the middle attacks. Rather than establishing a potentially MITMA'd connection, then authenticating, you can authenticate the initial key exchange. More details in the pdf.

Click here for more info.

I've implemented a version of Shamir's attack on WEP, easily recovering a WEP key from encrypted wireless traffic due to weak keys and poor IV mixing into the RC4 key.

Click here for more info.

AI::NaturalSelection provides a series of Perl modules using Genetic Algorithms to allow breeding and mutation to arise and emulate natural selection. Resultant honing can minimize the work required to solve certain fitness-testable problems.

Click here for more info.

sql++ is an easily configurable, feature-rich, portable command-line SQL tool. It can be used with many different databases and in place of other command line tools such as MySQL's mysql-client, Microsoft SQL, PostgreSQL's psql, and Oracle's sqlplus. It has features such as multiple connections, multi-database interfacing, subselects for all databases, regardless of whether the database has native subselects or not, and much more.

Click here for more info.

DISS (Download iTunes Shared Songs) automatically hooks into iTunes' memory (winsock) on Windows and downloads any shared music you play into the DISS playlist. No user intervention is required for this to happen, it's entirely automatic and typically only takes a second or two per song. Full C++ source and Windows binary included.

Click here for more info.

Code from before I could drive.

Click here for more info.