Blog Posts

A Reverse DNS Function for Google Sheets.

Often in my job I am given spreadsheets of IP addresses that look like this:
One of the first things I always want to do is find out whether they have an FQDN. Sadly Google keeps forgetting to build a reverse DNS function into Sheets, so with the help of the HackerTarget API I hacked this together today:
The configuration is pretty easy (although this took me way longer than I want to admit).
The cells are set up like this:
A2: IP Address
B2: ="http://api.hackertarget.com/reversedns/?q="&(A2)
C2: =IMPORTDATA(B2)
D2: =SPLIT(C2," ")
E2: FQDN (finally!)
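The same lookup as a Google Apps Script custom function, added here as an example and not part of the original sheet. It assumes the HackerTarget endpoint used above and that a successful response is a single line of the form "IP hostname" (as the SPLIT on a space in D2 implies); the extra piece a practitioner wants is the input check, since the formula chain above sends whatever is in column A straight to a third-party API.

```javascript
// Added example: Apps Script custom function REVERSEDNS(ip).
// Assumption: endpoint and response format match the page's formula chain.
const REVERSEDNS_ENDPOINT = 'https://api.hackertarget.com/reversedns/?q=';

// Strict dotted-quad check so arbitrary cell contents never reach the URL
// (and so every IP you look up is one you meant to hand to the API).
function isIPv4(value) {
  const parts = String(value).trim().split('.');
  if (parts.length !== 4) return false;
  return parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Parse the API body. Returns the FQDN when the first line is "IP hostname"
// for the IP we asked about; otherwise returns a labelled status so the
// cell shows what came back (API error text, empty body) instead of #N/A.
function parseReverseDns(ip, body) {
  const line = String(body).trim().split(/\r?\n/)[0] || '';
  const fields = line.split(/\s+/);
  if (fields.length === 2 && fields[0] === ip) {
    return fields[1];
  }
  return line ? 'NO_PTR_OR_ERROR: ' + line : 'EMPTY_RESPONSE';
}

/**
 * Reverse-DNS lookup for use as =REVERSEDNS(A2) in a sheet.
 * @customfunction
 */
function REVERSEDNS(ip) {
  const addr = String(ip).trim();
  if (!isIPv4(addr)) return 'INVALID_IP';
  // UrlFetchApp exists only inside Google Apps Script.
  const resp = UrlFetchApp.fetch(REVERSEDNS_ENDPOINT + encodeURIComponent(addr));
  return parseReverseDns(addr, resp.getContentText());
}
```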

Here is a link to the sheet so you can copy it and play with it. Hopefully this can help someone else out in the future as I know I have spent way too much time manually looking this information up.
Here is a gif of it in action:

Finding Weev-Able Printers.

This weekend the infamous hacker and troll Weev decided it would be hilarious if he printed fascist flyers on open printers around the United States using this top secret APT string:
cat payload.ps |netcat -q 0 ipaddress 9100
A lot of colleges and universities seem to have a problem with this. While I strongly disagree with the content that Weev printed, I was interested in how many printers were “vulnerable” to this attack.
Using Censys.io (my favorite internet host search tool) to search for the string “location.country_code:US AND telnet AND HP Jetdirect”, I found 15,237 printers in the US that are “weev-able”.

While 15,237 printers on the public internet is ridiculous, searching for “location.country_code:US AND “HP JetDirect Password is not set”” displays 5,683 printers that have no password set at all.
This is so ridiculous this is the only way I know how to end this post:

Please Scan My Towel

My friend Scott pointed out the towels in most hotels now have RFID tags to help with inventory control:
I also knew that my RSA Conference badge would have an RFID tag in it so it could be scanned on the expo floor.
Since I never leave home without my Proxmark3 in my assault pack, it was time to get to work.
What I found out next is something I wasn’t expecting that made this whole thing a lot more interesting.
Using the Proxmark I was able to tell that the hotel towel and my RSA tag use the same MIFARE Ultralight C tags.
So from there I was able to clone my RSA pass to my hotel towel since the towel had a re-writeable tag.
I will be demoing the walkthrough of this at FIRST in Amsterdam in April.
So now I am at the point where you can scan my towel and get the same UID, which means people who scan my towel get the same information they would have gotten off my badge.
Which allows me to quote one of my favorite lines from the Hitchhiker's Guide.

*No hotel towels have been permanently harmed, and they will be returned to my room with the correct UID rewritten to them.

Make Your iPhone “FBI Proof”

The FBI has recently sued Apple to make them unlock the iPhone of the San Bernardino shooter (here is Apple’s response).
The reason Apple needs help is because the phone has “Erase All Data After 10 Failed Passcode Attempts” turned on. Without that feature the government would have just built this robot to brute force the passcode and this wouldn’t have been an issue:
What this means for the general public is that we now know the FBI cannot bypass this setting, so if you care about your privacy you should enable it.
Doing so is fairly easy:
Settings > Touch ID & Passcode > Erase Data > Enable.
While this is a “dangerous” setting, getting the phone to actually erase the data is actually pretty hard. You have to wait through the following timeouts, so your toddler (or a malicious jerk) will not accidentally erase your phone:

You get used to seeing this screen a lot:
After the 10th attempt this happens:

 

Proxmark3 V2

I have been meaning to pick up a Proxmark3 for the last couple of months to round out my RFID testing kit (while waiting for the chameleon mini to be released this summer).
The problem is that most of the known suppliers are selling the Proxmark3 for around $420.  I then found that Elechouse has their internal version of the Proxmark3 V2 for only $200 ($220 with a battery to make it truly portable).
So of course I ordered and built one: 2016-02-10 19.28.28 2016-02-10 20.30.32
Building it was fairly simple and Chris Merrett has an awesome GitHub package put together to make installing it on OS X painless.
Once built and tested, cloning HID Prox cards (which open most corporate doors) is this easy:
I am really looking forward to getting this out into the wild and showing people why they shouldn’t trust their door locks at their business or in their hotel room.

Crash Safari Code

Crashsafari.com is a website that overloads the browser with a self-generating text string which populates the address bar. After about 20 seconds or so it will force an iPhone to reboot, while significantly heating it up as the smartphone tries to handle the code of the site.
The code of the website appears to generate an ever-increasing string of characters, which becomes harder and harder for the browser to load, likely resulting in a memory issue and forcing the reboot of the device.
I pulled the source of the website, broke it down to its smallest operable part and put it here (don't be a jerk).
 

What is in a Top Golf Golfball?

I have been to Top Golf for 3 different events this year and was always amazed by their RFID technology and have always left wondering “What is in a Top Golf golfball?”.
So when I saw a few “Top Golf” golf balls in the $1 ball bin at a golf store I bought them and decided to answer that question.
That little “passive EPC Gen 2 ultrahigh-frequency (UHF) RFID” tag is what makes TopGolf so awesome.  Now all I need to do is invest in a UHF RFID reader to see what is actually on the tag.
Protip: Sawing a golf ball in half is a lot harder than it sounds.
 

Learning About SDR.

I have become more and more interested in hardware security lately and while I have been having a lot of fun learning about RFID Security I knew the next logical step would be to try to learn how to use a software-defined radio.
After doing a lot of reading and research over the last couple of weeks, I came to learn that the best way to learn SDR is with a ~$20 DVB-T dongle built around the Realtek RTL2832U.
The RTL-SDR blog sells an “upgraded” RTL-SDR on Amazon for $25 that I picked up and really like.
Some of the projects I have started to explore include:
Tracking airplanes using Dump1090.
Decoding and tracking TPMS.
RTLSDR-Scanner for general scanning.
I have a lot more to learn with this setup, but I can easily see that this will quickly turn into me dropping a few hundred dollars on a HackRF so that I can transmit as well as receive.

My Guiding Quotes of 2015

At the start of every month I pick a quote I like and hang it at my desk and try to use it to guide my thought process for the month and I thought I would share them here as I was cleaning off my desk for the year.
Here are the quotes I used in 2015:
January:
There is nothing more deceptive than an obvious fact.
– Doyle

February:
Never confuse movement with action.
– Hemingway

March:
You must either modify your dreams or magnify your skills.
– Jim Rohn

April:
Courage is grace under pressure.
– Hemingway

May:
The most formidable weapon against errors of every kind is reason.
– Thomas Paine

June:
If I panic, everyone else panics.
– Kobe Bryant

July:
Take time to deliberate, but when the time for action has arrived, stop thinking and go in.
– Napoleon
August:
I shouldn’t be near Vegas and have money in my pocket.
– Adam Sandler

(Let’s just say I had a lot of fun at BSides, Blackhat and Defcon this year.)
September:
If you ask me anything I don’t know, I’m not going to answer.
– Yogi Berra

October:
Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth.
– Marcus Aurelius

November:
In any moment of decision, the best thing you can do is the right thing. The next best thing is the wrong thing. The worst thing you can do is nothing.
– Theodore Roosevelt

December:
Have a strategic plan. It’s called doing things.
– Herb Kelleher

…and yes I know doing this now apparently makes me dumb.

Proxying BurpSuite through TOR

From time to time I have the need to test or verify a web application vulnerability through the TOR network using BurpSuite. The easiest way to do this is to use the pre-bundled TOR Browser.
Configuration is fairly easy:

  1. Download, install and start the TOR Browser.
  2. Verify that the SOCKS proxy is started on 127.0.0.1:9150.
  3. Configure Burp (Options > Connections > Upstream Proxy Servers).
  4. Then…

    (Legally with proper permission of course!)

Pro Tips:
TorBrowser has to stay running while using Burp.
Verify the Proxy is still active if you have to restart Burp.
The TOR network runs slow sometimes.
Some web hosts block TOR traffic.
Dry clean only.
