Portable Packet Logger / Filterer?

[dr0p]

Okay, so last night I went laser tagging with some friends because we were bored and hadn't done it in forever, and while we were listening to the guy announce the rules for the millionth time in my life, I noticed that the gun was connected to the pack by a standard cat5 cable. Then after the match started, I unplugged it for the hell of it and noticed that I could no longer be hit (either on the gun sensors or pack sensors) which meant that before the packets were sent out over whatever wireless protocol (I'm guessing WiFi b/g) to the other players & the server on the network the gun and pack somehow had to talk to eachother. I was thinking that if I made a small enough packet logger / filterer I could simply place it inbetween the gun and the pack, log all of the traffic, go home, analyze it, write a filter, and come back with godmode and screw with the other people for a round :3

My question is does anyone know of any commercial products like this, or have any designs so that I could make my own?

[digip]

Kevin Mitnick used to have a packet sniffer on his PDA. Not sure if it is some Wireshark derivitive, but any TCP dumper that formats in something like pcap file can be used and then opened on your PC with wireshark for later analysys. Just need a device that can capture the data. Alernatively, if you drive over to the place and sit outside with a laptop, linux, and a card in monitor mode, you could try capturing it without evern entering the building, but not sure how the distance would work against you.

Plus, these guns are using (most likely) infared and not wifi to communicate.

[dr0p]

Kevin Mitnick used to have a packet sniffer on his PDA. Not sure if it is some Wireshark derivitive, but any TCP dumper that formats in something like pcap file can be used and then opened on your PC with wireshark for later analysys. Just need a device that can capture the data. Alernatively, if you drive over to the place and sit outside with a laptop, linux, and a card in monitor mode, you could try capturing it without evern entering the building, but not sure how the distance would work against you.

Plus, these guns are using (most likely) infared and not wifi to communicate.

First off, you must know that my most portable device that I own is my PS3. So I was looking for a sub-$50 device or something I could make myself to do these two basic things. Second, I realize that they use IR to communicate who shot who, but it all has to get to one central computer that they use to print out a score-sheet for each user somehow, so that part can't be IR.

Thanks again for any and all suggestions.

[digip]

Might be of interest to you: http://www.lazerrunner.com/mod.php?mod=use...&page_id=30

Help you figure out what is going on and how their setup works. :)

Just read the PDF on how it works. and I quote:

to play the game.

Player #2, being deactivated, must first find a “recharge station”

located somewhere in the playing arena. In an attempt to “get back

into the game” he frantically searches for the recharge station, running

throughout the playing arena (running is bad – it causes accidents and

your insurance company doesn’t like that too much).

The game continues…

· Player #2 finds the “recharge station” and puts his phaser into it to

get “recharged” and back into the game. His phaser is activated

again.

Here is what really happens behind the scenes…

The real reason that Player #2 actually has to find a recharge station

and put his phaser into it is to “download information”. You see, the

equipment is not intelligent enough to do this by itself because it is oldstyle

Infrared equipment. When Player #2’s Phaser is put into the

“recharge station” the information stored in it (I got hit by Player #1) is

downloaded into the main computer which is keeping score.

Huh? How primitive. After this tedious task, Player #2 is ready to

resume playing the game.

The game continues…

Now, I haven't played Laser Tag in years, so not sure if they even make you have do the old slide the gun in here to reactivate it measure, but the last time I played, thats what we did. There was no other way to reactviate the gun when I played. Is this the same method you use today? Do you have to put the gun in one of several recharge points to get back in the game?

It also goes on to say that Lazer Runner uses RF to update scores in realtime, not using the recharge system way of doing it, so if you play at a place that does not use the recharge system to download the information, then chances are you can capture that RF data. What form it is in, that is another story.

[gcninja]

bluetooth perhaps

[dr0p]

Might be of interest to you: http://www.lazerrunner.com/mod.php?mod=use...&page_id=30

Help you figure out what is going on and how their setup works. :)

Just read the PDF on how it works. and I quote:

Now, I haven't played Laser Tag in years, so not sure if they even make you have do the old slide the gun in here to reactivate it measure, but the last time I played, thats what we did. There was no other way to reactviate the gun when I played. Is this the same method you use today? Do you have to put the gun in one of several recharge points to get back in the game?

It also goes on to say that Lazer Runner uses RF to update scores in realtime, not using the recharge system way of doing it, so if you play at a place that does not use the recharge system to download the information, then chances are you can capture that RF data. What form it is in, that is another story.

Thanks again for your suggestion, but I know the place I go to uses IR (at least for the tagging) and there are no recharge stations (they have had the same equipment for a long time, just here and there replacing a part or set if it breaks) so I'm still not exactly sure how it dumps the info to the score keeper, but if it RF as you mentioned, would there be any way to distinguish it from anything else?

[Sparda]

How do you know they are using ethernet?

You need to figure that out first.

[dr0p]

How do you know they are using ethernet?

You need to figure that out first.

The cat5 cable going from the gun to the pack was a pretty big clue, and that's what the original question was about, but then it kinda shifted to how the information gets to the scorekeeping computer.

[digip]

I guess finding out what kind of RF system is used would be the first task. What company makes it, is there any names on the equipment, that sort of thing. Then google for some more info.

[10goto10]

This article might interest you, if I may plug my own writing: http://hak5.org/forums/index.php?showtopic=9458

This would fit in your pocket and sniff wireless traffic with any Linux tool you're comfortable with. Wireshark, Wellenreiter, Kismet, Dsniff, nmap, tcpdump, etc.

You could use a Compact Flash ethernet card and plug it in, and scan for as much info as you need.

[m0u53]

couldnt you barrow a freinds laptop run wireshark on it and capture everything that way

also does the gun and pack unit have a brand or some sort of serial number on it?

[Sparda]

The cat5 cable going from the gun to the pack was a pretty big clue, and that's what the original question was about, but then it kinda shifted to how the information gets to the scorekeeping computer.

Exactly, they are using cat5 cable, not necessarily Ethernet.

Before you plug any thing expensive in to the gun or the pack you need to figure out if it is actually Ethernet. if you don't you could end up with a dead network card/laptop/portable device if the power for the gun happens to be sent on any combination of pins 1, 2, 4 or 5.

[digip]

Exactly, they are using cat5 cable, not necessarily Ethernet.

Before you plug any thing expensive in to the gun or the pack you need to figure out if it is actually Ethernet. if you don't you could end up with a dead network card/laptop/portable device if the power for the gun happens to be sent on any combination of pins 1, 2, 4 or 5.

QFE

I would hope you weren't plugging in anything to their equipment when you still don't know what is going on. You need to find out if the RF is standard Ethernet chatter like Sparda said. And messing with their equipment might risk damaging it in the process, which is just not a necesarry risk a this point.

Do some more information gathering, social engineering with the employees. Maybe just ask them how it works, or find out the back office side of it, but before you damage your own or their equipment, be sure you know what is happening with the equipment itself first. Just because its RF, does not mean it isn't something like walkie talkie frequencies sending data on non 802.11 channels and frequencies.

Most likely it would be ethernet, but if so, linux+laptop+wireshark would at least give you some idea whats happening. I doubt that the lazer tag establishment is using any encryption with such a setup, so sniffing should be easy enough from a parked car close to the building. At minimum, get Netstumbler for windows and see if there are even any access points before going any further. You can't pentest a network that doesn't exist. If there are no wifi access points or wifi communication you can read, then you need to take it in a different direction to getting the information and understanding what is going on behind the scenes.

[vector]

i use airscanner mobile sniffer on my htc touch diamond phone. it runs windows mobile 6.1 but i believe it is compatible with earlier versions of WM.

[dr0p]

Exactly, they are using cat5 cable, not necessarily Ethernet.

Before you plug any thing expensive in to the gun or the pack you need to figure out if it is actually Ethernet. if you don't you could end up with a dead network card/laptop/portable device if the power for the gun happens to be sent on any combination of pins 1, 2, 4 or 5.

You have a really good point there, I didn't even think about that, I just thought that if it wasn't ethernet it just wouldn't work and oh well.

I'll borrow a friend's laptop sometime soon and see about any WiFi going on. Thanks again~

[X3N]

You have a really good point there, I didn't even think about that, I just thought that if it wasn't ethernet it just wouldn't work and oh well.

I'll borrow a friend's laptop sometime soon and see about any WiFi going on. Thanks again~

First,

Its highly unlikely that they are using Ethernet. Its probably just a pcb with a serial connection. Cat5 is a great cable that can and is used for many different applications.

Since power is probably running over it too. So it would be a good idea to hook your computer to it... hahah....

Secondly since when is it legal to sniff on a network without their permission even if the guns are communicating over wifi.

Third, how lame is it to be trying to cheat at laser tag. That's the same as cheating on CSS soooo lame.

Hacking is about finding out how things work and making things do things they arnt designed to do... not cheating at some game.

[vector]

First,

Its highly unlikely that they are using Ethernet. Its probably just a pcb with a serial connection. Cat5 is a great cable that can and is used for many different applications.

Since power is probably running over it too. So it would be a good idea to hook your computer to it... hahah....

Secondly since when is it legal to sniff on a network without their permission even if the guns are communicating over wifi.

Third, how lame is it to be trying to cheat at laser tag. That's the same as cheating on CSS soooo lame.

Hacking is about finding out how things work and making things do things they arnt designed to do... not cheating at some game.

well if its an open/unencrypted wireless connection and i capture wireless data in monitor mode without even accessing/associating the network then i dont see how that is illegal. now if i were to actually access a private open network without permission that might be a different story.

[metatron]

Your thinking into it to much. Lots of kit uses cable that looks like or is CAT5 to send any electrical signal to and from a device and even supply power. From my understanding the the way the pack/gun works is they have infrared sensors when hit they log the data to internal memory which is then just downloaded via a serial cable in the office. If they have started doing it wireless for the logging of scores. I'd say they just hooked a serial to bluetooth adapter into the pack.

[dr0p]

First,

Its highly unlikely that they are using Ethernet. Its probably just a pcb with a serial connection. Cat5 is a great cable that can and is used for many different applications.

Since power is probably running over it too. So it would be a good idea to hook your computer to it... hahah....

Secondly since when is it legal to sniff on a network without their permission even if the guns are communicating over wifi.

Third, how lame is it to be trying to cheat at laser tag. That's the same as cheating on CSS soooo lame.

Hacking is about finding out how things work and making things do things they arnt designed to do... not cheating at some game.

I am so sorry to have violated your FPS morals. Believe it or not, sometimes people do stuff just because they can.

[digip]

I am so sorry to have violated your FPS morals. Believe it or not, sometimes people do stuff just because they can.

QFE!

Its all about the hack, learning how stuff works, and not so much about being a dick on someones network. Hacking in itself gets a bad name from people who just don't see the joy in learning about something like this. They think its "oh, im gonna haxor their score board and be a dick to everyone". So what. If he can even get as far as that, then mission accomplished and my hats off to you dr0p for learning all about something like this.

I say do it, but do it for the hack and learning about something closed off to the public realm of knowledge. People should go back and start reading 2600 again. Get inspired to poke around and try something new. Push yourself. Go back and read issue 1 to present, where experiemeting with things was really about learning, not profitting malicious intent on someones network, but actually learning something!

[dr0p]

QFE!

Its all about the hack, learning how stuff works, and not so much about being a dick on someones network. Hacking in itself gets a bad name from people who just don't see the joy in learning about something like this. They think its "oh, im gonna haxor their score board and be a dick to everyone". So what. If he can even get as far as that, then mission accomplished and my hats off to you dr0p for learning all about something like this.

I say do it, but do it for the hack and learning about something closed off to the public realm of knowledge. People should go back and start reading 2600 again. Get inspired to poke around and try something new. Push yourself. Go back and read issue 1 to present, where experiemeting with things was really about learning, not profitting malicious intent on someones network, but actually learning something!

/agree (2600 is epic, I should finish reading it)

I am doing this just to learn and have some fun, it's not like I'm going to hold their company hostage (that is if I even get it working.)