A Reverse DNS Function for Google Sheets.

Often in my job I am given spreadsheets of IP addresses that look like this:
[screenshot of the spreadsheet]
One of the first things I always want to do is find out whether they have an FQDN. Sadly, Google keeps forgetting to build a reverse DNS function into Sheets, so with the help of the HackerTarget API I hacked this together today:
[screenshot of the finished sheet]
The configuration is pretty easy (although this took me way longer than I want to admit).
The cells are set up like this:
A2: IP address
B2: ="http://api.hackertarget.com/reversedns/?q="&A2
C2: =IMPORTDATA(B2)
D2: =SPLIT(C2," ")
E2: FQDN (finally!) The API returns the IP and the hostname on one line separated by a space, so the SPLIT in D2 puts the IP back in D2 and spills the hostname into E2.
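The same lookup done outside the spreadsheet, as an added example that is not code from the original post. It parses the text that IMPORTDATA pulls from the HackerTarget reversedns endpoint (one "<ip> <hostname>" line per address, which is why SPLIT on a space works in the sheet) and also does the PTR lookup locally through the resolver, so the IP list never leaves your machine and you are not subject to the free API's rate limits. The sample response is constructed, and the wording the endpoint uses for an address with no PTR record is an assumption; the parser only relies on a good line being exactly "<ip> <hostname>".

```python
"""Reverse DNS without the spreadsheet (added example, not the post's code)."""
import ipaddress
import socket
from typing import Dict, Iterable, Optional

# Constructed sample of an API response. The error-line wording is an
# assumption; only the "<ip> <hostname>" shape of a good line matters.
SAMPLE_RESPONSE = """8.8.8.8 dns.google
1.1.1.1 one.one.one.one
192.0.2.1 error check your search query
"""


def parse_hackertarget_reversedns(body: str) -> Dict[str, Optional[str]]:
    """Map every IP that appears in the response to its hostname (None if none)."""
    results: Dict[str, Optional[str]] = {}
    for line in body.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # not an "<ip> ..." line, e.g. a bare error message
        hostname = parts[1].rstrip(".") if len(parts) == 2 else None
        results[ip] = hostname
    return results


def reverse_dns(ip: str) -> Optional[str]:
    """PTR lookup through the local resolver; None when there is no record
    (or no network). Rejects anything that is not an IP literal so a stray
    hostname in the sheet is not silently forward-resolved instead."""
    ipaddress.ip_address(ip)  # raises ValueError on garbage
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def lookup_all(ips: Iterable[str], lookup=reverse_dns) -> Dict[str, Optional[str]]:
    """The equivalent of filling column E for every row in column A."""
    return {ip: lookup(ip) for ip in ips}


if __name__ == "__main__":
    for ip, name in parse_hackertarget_reversedns(SAMPLE_RESPONSE).items():
        print(f"{ip:<15} {name or '<no PTR>'}")
```

`lookup_all` takes the lookup function as a parameter so the same loop can be pointed at the local resolver or at a function that calls the API, and so it can be tested without network access.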

Here is a link to the sheet so you can copy it and play with it. Hopefully this can help someone else out in the future as I know I have spent way too much time manually looking this information up.
Here is a gif of it in action:

Finding Weev-Able Printers.

This weekend the infamous hacker and troll Weev decided it would be hilarious to print fascist flyers on open printers around the United States using this "top secret APT" string:
cat payload.ps | netcat -q 0 <ip-address> 9100
A lot of colleges and universities seem to have a problem with this. While I strongly disagree with the content that Weev printed, I was interested in how many printers were "vulnerable" to this attack. Anything sent to TCP port 9100 goes straight to the print engine, with no authentication at all.
Using Censys.io (my favorite internet host search tool) to search for the string "location.country_code:US AND telnet AND HP Jetdirect", I found 15,237 printers in the US that are "weev-able".
[screenshot of the Censys results]
While 15,237 printers on the public internet is ridiculous, searching for location.country_code:US AND "HP JetDirect Password is not set" returns 5,683 printers that have no admin password set at all, so anyone can reconfigure them, not just print to them.
This is so ridiculous that the only way I know how to end this post is with a gif:
[gif]

Make Your iPhone “FBI Proof”

The FBI recently went to court to force Apple to help unlock the iPhone of one of the San Bernardino shooters (here is Apple's response).
The reason Apple's help is needed is that the phone has "Erase All Data After 10 Failed Passcode Attempts" turned on. Without that feature the government could have just built a robot like this one to brute force the passcode, and this wouldn't have been an issue:
[image of a passcode brute-forcing robot]
What this means for the general public is that we now know, from the FBI's own filing, that it cannot bypass this setting on its own, so if you care about your privacy you should enable it.
Doing so is fairly easy:
Settings > Touch ID & Passcode > Erase Data > enable.
[screenshots of the three Settings screens]
While this is a "dangerous" setting, getting the phone to actually erase its data is pretty hard. You have to wait through the following escalating timeouts, so a toddler (or a malicious jerk) will not accidentally erase your phone:
[screenshot of the lockout times between failed attempts]
You get used to seeing this screen a lot:
[screenshot of the lockout screen]
After the 10th attempt this happens:

 

Proxmark3 V2

I have been meaning to pick up a Proxmark3 for the last couple of months to round out my RFID testing kit (while waiting for the Chameleon Mini to be released this summer).
The problem is that most of the known suppliers are selling the Proxmark3 for around $420.  I then found that Elechouse has their internal version of the Proxmark3 V2 for only $200 ($220 with a battery to make it truly portable).
So of course I ordered and built one:
[photos of the assembled board]
Building it was fairly simple, and Chris Merrett has an awesome GitHub package put together to make installing it on OS X painless.
Once built and tested, cloning HID Prox cards (which open most corporate doors) is this easy:
[screenshot of the Proxmark3 client cloning a card]
I am really looking forward to getting this out into the wild and showing people why they shouldn’t trust their door locks at their business or in their hotel room.

Xbox Account Lockout

Last month I got a new iPhone. This month I realized I forgot my Xbox One password when I tried to log in to download some Games With Gold.
I didn't think this would be a problem. I forget and reset passwords all the time.
So I go through the normal steps and have it send me an email:
[screenshot]
Then I get this screen:
[screenshot]
Did I mention I got a new phone? When you get a new phone the authenticator app resets and you have to add your account back, so I click "I don't know".
[screenshot]
I have to take responsibility for this. I didn't save a recovery code on my Mac, so I click "No" and I get this screen:
[screenshot]
This is where this goes off the rails for me. 30 days to reset my Xbox account because I enabled 2FA?
So I call Xbox support and Jacqueline says there is nothing they can do and I have to wait until January to reset my account password.
How does this make any sense? Without 2FA I could have reset my password in 30 seconds with no problem, but since I enabled it I won't be able to use my Xbox for a month?
Microsoft couldn't text me a one-time password, give me a call, or email an alternative address? Someone decided 30 days was the right answer?
Microsoft you are doing account management wrong.  If you need me I will be buying a PS4.
UPDATE: After 2 hours and 43 minutes on the phone and zero help from any Microsoft staff, I was able to find out that you can get a new recovery code for 2FA on the actual Xbox One console:
[photo of the console screen]
After I did that I was able to reset my password and disable 2FA.

Decoding HID Proximity Cards

HID proximity cards encode a facility code and an internal card number; on most cards the reader hands you those bits as a hex value. Decoding it is extremely easy and should take less than a minute.
Equipment needed:
Omnikey reader (I like the 5025CL)
RFIDIOt
BRIVO card calculator
Steps:
Run isotype.py from the RFIDIOt toolkit and copy the ID:
[terminal screenshot]
Paste the ID into the BRIVO decoder:
[screenshot of the BRIVO calculator]
It is really that simple. I made a quick video demo (that is tinted purple for some reason):
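What the BRIVO calculator does for this post, and what the Proxmark3 post's `lf hid clone` needs as input, as an added example that is not code from either post or from the Proxmark3 project. It packs and unpacks the standard 26-bit HID format (H10301: even parity bit, 8-bit facility code, 16-bit card number, odd parity bit) and wraps the result in the raw form the official Proxmark3 client uses, where a '1' sentinel sits directly above the 26 data bits and bit 37 flags a format shorter than 37 bits; that is how the client's documented example `lf hid clone 2006ec0c86` (FC 118, card 1603) is built. The parity check is the part worth keeping: a bad read from a reader or a hand-typed ID fails it.

```python
"""26-bit HID H10301 encode/decode and Proxmark3 raw packing (added example).

26-bit layout, MSB first:
  bit 1       even parity over bits 2-13
  bits 2-9    facility code (8 bits)
  bits 10-25  card number (16 bits)
  bit 26      odd parity over bits 14-25
"""
from typing import NamedTuple

DATA_MASK = (1 << 26) - 1
PM3_SENTINEL = 1 << 26            # "format length = 26" marker above the data
PM3_SHORT_FORMAT_FLAG = 1 << 37   # "shorter than 37 bits" marker (the 0x20 prefix)


class HidCard(NamedTuple):
    facility_code: int
    card_number: int
    parity_ok: bool


def _parity(value: int) -> int:
    """1 if value has an odd number of set bits, else 0."""
    return bin(value).count("1") & 1


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Return the 26-bit word for a facility code / card number pair."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    body = (facility_code << 16) | card_number   # bits 2-25
    even = _parity(body >> 12)                   # even parity over bits 2-13
    odd = _parity(body & 0xFFF) ^ 1              # odd parity over bits 14-25
    return (even << 25) | (body << 1) | odd


def decode_h10301(raw: int) -> HidCard:
    """Decode the low 26 bits of raw; parity_ok is False on a misread."""
    data = raw & DATA_MASK
    body = (data >> 1) & 0xFFFFFF
    facility_code, card_number = body >> 16, body & 0xFFFF
    parity_ok = (data >> 25) == _parity(body >> 12) and (data & 1) == (_parity(body & 0xFFF) ^ 1)
    return HidCard(facility_code, card_number, parity_ok)


def proxmark_raw_hex(facility_code: int, card_number: int) -> str:
    """Hex argument for the official Proxmark3 client's `lf hid clone <hex>`."""
    raw = PM3_SHORT_FORMAT_FLAG | PM3_SENTINEL | encode_h10301(facility_code, card_number)
    return f"{raw:010x}"


def decode_proxmark_raw(raw_hex: str) -> HidCard:
    """Decode a raw HID ID as the Proxmark3 client prints it after demodulation."""
    raw = int(raw_hex, 16)
    if raw >> 26 != (PM3_SHORT_FORMAT_FLAG | PM3_SENTINEL) >> 26:
        raise ValueError("not a 26-bit HID raw ID")
    return decode_h10301(raw)


if __name__ == "__main__":
    card = decode_proxmark_raw("2006ec0c86")
    print(card)                                          # FC 118, card 1603
    print(proxmark_raw_hex(card.facility_code, card.card_number))
```

The Iceman fork of the client packs the same bits from the fields directly (`lf hid clone -w H10301 --fc 118 --cn 1603`); check `lf hid clone -h` on whichever client you run, since the raw-hex form differs between versions.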

I have some writeable HID proximity cards on the way and will have a blog up soon on how to completely clone one.

$25 Handheld RFID Cloner

As part of my research into RFID security I came across the "EM4100 RFID Cloner kit" by KBEmbedded, which, outside of having a terrible name, is an amazing low-frequency (125 kHz) self-contained RFID cloner that can store and replay 16 cards.
[photo of the cloner kit]
I was lucky enough to be in the Portland area this week and have dinner with Kris Bahnsen, who designed the board. He said he thinks he could rewrite the software to read and replay HID proximity cards, which would make this a must-have gadget for all security professionals.
As it stands now this is an awesome $25 tool that is amazingly fun to play with, and you should order one!

Cloning UIDs with Chameleon

I have recently started investigating RFID security and picked up a Chameleon Mini. It is an amazing project with a ton of potential. In these quick demo videos I show how to clone the UID of a MIFARE Classic 1K card with a 4-byte UID and one with a 7-byte UID using the Chameleon.
Cloning the MIFARE Classic 1K 4-byte UID (Aria card):

Cloning the MIFARE Classic 1K 7-byte UID (Oyster card):

These were both extremely simple to do. In the future I will demo how to take a full dump of an RFID card and load it onto the Chameleon Mini for a "true clone".
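The videos are not on the page, so here is the terminal side of what they show, as an added example that is not code from the original post or from the Chameleon Mini project. CONFIG=, UID= and UID? are the Chameleon Mini's own serial-console commands (what you would type into ZTerm), and MF_CLASSIC_1K and MF_CLASSIC_1K_7B are the firmware's configuration names for MIFARE Classic 1K emulation with a 4-byte and a 7-byte UID. Reading the UID off the source card (libnfc or Cardpeek in the post) is outside the snippet; the point it adds is the checks worth doing before you type: UID length decides the configuration, and a 4-byte value starting with 0x88 is the ISO/IEC 14443-3 cascade tag that some tools print in front of a 7-byte card's first bytes, not a UID. The BCC helper computes the check byte block 0 carries after a 4-byte UID, which matters once you move to full-dump clones.

```python
"""Chameleon Mini commands for a UID clone (added example, not the post's code)."""
from typing import List

# Chameleon Mini configuration for each UID length (single-size 4-byte UID,
# double-size 7-byte UID), both MIFARE Classic 1K emulation.
CONFIG_FOR_UID_LEN = {4: "MF_CLASSIC_1K", 7: "MF_CLASSIC_1K_7B"}

# ISO/IEC 14443-3 cascade tag: sent during anti-collision of 7-byte UIDs and
# reserved, so it is never the first byte of a real 4-byte UID.
CASCADE_TAG = 0x88


def normalize_uid(uid_text: str) -> bytes:
    """Accept 'DE:AD:BE:EF', 'de ad be ef' or 'deadbeef' and return raw bytes."""
    cleaned = "".join(ch for ch in uid_text if ch not in " :-")
    try:
        uid = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"UID is not hex: {uid_text!r}") from exc
    if len(uid) not in CONFIG_FOR_UID_LEN:
        raise ValueError(f"UID must be 4 or 7 bytes, got {len(uid)}")
    if len(uid) == 4 and uid[0] == CASCADE_TAG:
        raise ValueError("0x88 is the cascade tag, not a UID byte; "
                         "it was probably copied from a 7-byte card's first cascade level")
    return uid


def bcc(uid4: bytes) -> int:
    """Block check character stored after a 4-byte UID in block 0: XOR of the bytes."""
    if len(uid4) != 4:
        raise ValueError("BCC is only defined for a 4-byte UID")
    result = 0
    for b in uid4:
        result ^= b
    return result


def chameleon_clone_commands(uid_text: str) -> List[str]:
    """Commands to type, in order: pick the emulation, set the UID, read it back."""
    uid = normalize_uid(uid_text)
    return [
        f"CONFIG={CONFIG_FOR_UID_LEN[len(uid)]}",
        f"UID={uid.hex().upper()}",
        "UID?",
    ]


if __name__ == "__main__":
    for sample in ("DE:AD:BE:EF", "04 A1 B2 C3 D4 E5 F6"):
        print("\n".join(chameleon_clone_commands(sample)), end="\n\n")
```

The trailing UID? is there so you confirm the device accepted the value before walking up to a reader; a UID that does not fit the selected configuration is the usual reason a clone "worked" in the terminal but not at the door.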
Tool list:
ACR122U
Chameleon Mini
ZTerm
libnfc
Cardpeek
Oyster card
Aria card
Hardware picture:
[photo of the hardware]
Disclaimer: While cloning the UID isn't a full spoof of the card, way more organizations (read: most) rely on UID-based authentication than should. While the tools say the UIDs have been cloned, I have not tested these on any live systems and would not without permission.

Why Companies Fear Bug Bounty Programs

Yesterday Randy Westergren wrote this blog post: United Airlines Bug Bounty: An experience in reporting a serious vulnerability. I do not know Randy and do not think he did anything wrong, but his post is a perfect example of why companies I talk to are afraid of implementing bug bounty programs.
He hit the trinity of why companies fear bug bounty programs in one post:

  • Their development cycle wasn't fast enough for the researcher.
    [screenshot of the post]
    Is six months a "more than reasonable time frame"? On the surface, sure, but unless you go to their planning games and know their regulatory commitments, roadmap and backlog, you cannot say that for sure. Most companies have enough internal and contractual pressure on their development cycles without a researcher who is "helping" adding another source.
  • The researcher involved the press.
    [screenshot of the post]
    Companies do not want to be in the press for having poor security. So sure, when he contacted the press they fixed the issue, but it didn't win him or security researchers any friends at United. Companies do not want to manage a bug bounty program as a fire-fighting exercise. They want to intake the bugs into their regular development cycle and work them in their normal process.
  • The researcher went "rogue".
    [screenshot of the post]
    He wasn't going to get compensated for his work since it was a duplicate, so the only kind of compensation he could still get was to go public. Companies can't pay for every duplicate bug found, and it only takes one researcher going rogue to sour a bug bounty program for a company.

While I do not fault Randy for his blog post or thought process, a company gives up a lot of legal cover by running a bug bounty program. If it does not perform to a researcher's expectations and gets called out in this manner, that is a reason to think twice about the program and whether it is worth it.
