Decoding HID Proximity Cards

HID proximity cards encode a facility code and internal card number in hex on most cards.  Decoding it is extremely easy and should take less than a minute.
Equipment Needed:
Omnikey Reader (I like the 5025CL)
RFIDIOt
BRIVO Card Calculator
Steps:
Run isotype.py from the RFIDIOt tool kit and copy the ID:
Paste the ID into the BRIVO decoder:
It is really that simple.  I made a quick video demo (that is tinted purple for some reason):
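Added example (my own code, not the post's tooling, RFIDIOt or the BRIVO calculator): what the BRIVO decoder is doing for you on the common 26-bit HID H10301 layout, including the two parity checks, plus the encoder so you can see the card number is stored in the clear with no secret at all. It assumes the hex ID you copy from the reader contains exactly the 26 Wiegand bits; real reader output may carry padding bits that have to be stripped first.

```python
# Added example (not the post's tooling): decode / encode the 26-bit HID H10301
# layout.  Bit order is MSB first: [even parity][8-bit facility][16-bit card][odd parity].
# Assumption: `raw` holds exactly the 26 Wiegand bits (strip any reader padding first).

EVEN_MASK = 0xFFF << 13   # the 12 data bits covered by the leading even-parity bit
ODD_MASK = 0xFFF << 1     # the 12 data bits covered by the trailing odd-parity bit


def _ones(x: int) -> int:
    return bin(x).count("1")


def decode_h10301(raw: int) -> tuple[int, int]:
    """Return (facility_code, card_number); raise ValueError if parity is wrong."""
    if raw < 0 or raw >> 26:
        raise ValueError("expected a 26-bit value")
    even_bit, odd_bit = (raw >> 25) & 1, raw & 1
    if _ones(raw & EVEN_MASK) % 2 != even_bit:
        raise ValueError("leading even-parity check failed")
    if _ones(raw & ODD_MASK) % 2 == odd_bit:   # odd parity: data ones + bit must be odd
        raise ValueError("trailing odd-parity check failed")
    data = (raw >> 1) & 0xFFFFFF
    return data >> 16, data & 0xFFFF


def encode_h10301(facility_code: int, card_number: int) -> int:
    """Build the 26-bit word for a facility code (8 bits) and card number (16 bits)."""
    if not (0 <= facility_code < 256 and 0 <= card_number < 65536):
        raise ValueError("facility code is 8 bits, card number is 16 bits")
    data = (facility_code << 16) | card_number
    even_bit = _ones(data >> 12) & 1
    odd_bit = 1 - (_ones(data & 0xFFF) & 1)
    return (even_bit << 25) | (data << 1) | odd_bit


def decode_hex(hex_id: str) -> tuple[int, int]:
    """Decode the hex string copied from the reader (assumed to be the bare 26 bits)."""
    return decode_h10301(int(hex_id.replace(" ", ""), 16))


if __name__ == "__main__":
    # Constructed sample: facility code 42, card number 12345 -> 0x2546073
    word = encode_h10301(42, 12345)
    print(f"{word:07X} ->", decode_hex(f"{word:X}"))
```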

I have some writable HID proximity cards on the way and will have a blog post up soon on how to completely clone one.

Cloning UIDs with Chameleon

I have recently started investigating RFID security and picked up a Chameleon Mini.  It is an amazing project with a ton of potential. In these quick demo videos I will show how to clone the UID of both a Mifare 1K 4B card and a Mifare 1K 7B card using the Chameleon.
Cloning the Mifare 1K UID (Aria Card):

Cloning the Mifare 1K 7B UID (Oyster Card):

These were both extremely simple to do.  In the future I will be demoing how to take full card dumps from an RFID card and load it on to the Chameleon Mini for a “true clone”.
Tool List: 
ACR122U
ChameleonMini
ZTerm
LibNFC
Cardpeek
Oyster Card
Aria Card
Hardware Picture: 
Disclaimer: While cloning the UID isn't a full spoof of the card, WAY (READ: MOST) more organizations rely on UID-based authentication than should.  While the tools say the UIDs have been cloned, I have not tested these on any live systems and would not without permission.

Why Companies Fear Bug Bounty Programs

Yesterday Randy Westergren wrote this blog post: United Airlines Bug Bounty: An experience in reporting a serious vulnerability.  I do not know Randy and do not think he did anything wrong, but his post is a perfect example of why the companies I talk to are afraid of implementing bug bounty programs.
He hit the trinity of why companies fear bug bounty programs in one post:

  • Their development cycle wasn’t fast enough for the researcher.
    Is six months a “more than reasonable time frame”?  On the surface, sure, but unless you go to their planning games and know their regulatory commitments, roadmap and backlog you cannot say that for sure.  Most companies already have enough internal and contractual pressure on their development cycles without a researcher who is “helping” adding another source.
  • The researcher involved the press.
    Companies do not want to be in the press for having poor security.  So sure, when he contacted the press they fixed the issue, but it didn’t win him or security researchers any friends at United.  Companies do not want to manage a bug bounty program as a fire-fighting exercise.  They want to intake the bugs into their regular development cycle and work them in their normal process.
  • The researcher went “rogue”.
    He wasn’t going to get compensated for his work since it was a duplicate, so the only kind of compensation he could still get was to go public.  Companies can't pay for every duplicate bug found, and it only takes one researcher going rogue to sour a bug bounty program for a company.

While I do not fault Randy for his blog post or thought process, a company gives up a lot of legal cover by running a bug bounty program.  If they do not perform to a researcher's expectations and get called out in this manner, that is a reason for them to think twice about their program and whether it is worth it.

DigiCert Security Summit

I was invited to attend the 2015 DigiCert Security Summit this week in Las Vegas.  For a one-day conference it had some really amazing talks by some of the smartest people in the industry.
Gary McGraw gave an amazing talk on the secure software development life cycle and the Building Security In Maturity Model (BSIMM).
Emily Stark talked about the future of HTTPS everywhere and demoed the new Security tab in Chrome's developer tools:
Dan Kaminsky did Dan Kaminsky stuff.

Runa Sandvik gave an amazingly humorous, thought-provoking and informative talk on protecting press sources on the internet.
DigiCert also gave me this iOS-controlled drone, which seems to be amazingly hackable:

Bluetooth Recon

I have been working on a Bluetooth hacking project recently and couldn’t really find a good Bluetooth recon tool, so I wrote btrecon to do what I need done.
Here is a quick demo:

I still have some work to do on this project, as I would like to add some logging and menus, but it isn't a bad start. If you have any suggestions or problems please reach out to me on Twitter @jgamblin.

Compare Two Files

At work this week I needed to compare two files to see if they had the same MD5 or SHA256 hash.  After spending way too long trying to get hashdeep and md5deep to work correctly, and not finding anything else that does this easily, I wrote compare.py today.


This script is the definition of utilitarian but I hope it can help you also.
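An added example of the same idea, written here and not the post's compare.py (which only survives as screenshots): hash both files once in fixed-size chunks, report the MD5 and SHA-256 digests side by side, and say whether they match. The sample files are constructed in a temporary directory so it runs offline.

```python
# Added example, not the compare.py from the post: hash two files in chunks and
# report whether their MD5 and SHA-256 digests match.  Sample files are created
# in a temporary directory (constructed input) so the script runs offline.
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large files never need to fit in memory


def file_digests(path: str, algorithms=("md5", "sha256")) -> dict:
    """Return {algorithm: hex digest} for one file, reading it only once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_files(path_a: str, path_b: str) -> dict:
    """Return both files' digests, a per-algorithm match flag and an overall verdict."""
    a, b = file_digests(path_a), file_digests(path_b)
    return {
        "a": a,
        "b": b,
        "match": {name: a[name] == b[name] for name in a},
        "identical": all(a[name] == b[name] for name in a),
    }


def demo() -> dict:
    """Write constructed sample files and compare an exact copy and a one-byte change."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "original.bin")
        copy = os.path.join(tmp, "copy.bin")
        tampered = os.path.join(tmp, "tampered.bin")
        data = b"hello"  # constructed sample content
        for path, content in ((original, data), (copy, data), (tampered, b"hellp")):
            with open(path, "wb") as fh:
                fh.write(content)
        digests = file_digests(original)
        return {"same": compare_files(original, copy)["identical"],
                "different": compare_files(original, tampered)["identical"],
                "md5_of_hello": digests["md5"],
                "sha256_of_hello": digests["sha256"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```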

RandomlyOpenCD.VBS

I got a call from a friend who was sure his PC was hacked because his CD-ROM drive kept randomly opening and closing.  After looking at the machine I found a .vbs file in his AppData folder named RandomlyOpenCD.VBS (surprisingly, it randomly opens and closes the CD drive) and nothing else that looked like an APT.

After making a copy of the code, deleting the file and rebooting his PC, it was fine and his CD drive was back to a non-hacked state.

The practical joker in me makes it nearly impossible to not share the code:

' Prank script found in the user's AppData folder: it waits a random 5-15 minutes,
' then opens and closes every CD-ROM tray at random intervals forever.
Dim smax, smin, rmax, rmin, start, repeat
smax=900000   ' initial delay, upper bound (ms)
smin=300000   ' initial delay, lower bound (ms)
rmax=600000   ' delay between tray toggles, upper bound (ms)
rmin=100      ' delay between tray toggles, lower bound (ms)

' Windows Media Player's COM object exposes the CD-ROM drives and lets a script eject them
Set oWMP = CreateObject("WMPlayer.OCX.7")
Set colCDROMs = oWMP.cdromCollection

Randomize
start=(Int((smax-smin+1)*Rnd+smin))
wscript.sleep start

do
    if colCDROMs.Count >= 1 then
        ' Eject toggles the tray on most drives, so two passes open and then close each one
        For i = 0 to colCDROMs.Count - 1
            colCDROMs.Item(i).Eject
        Next
        For i = 0 to colCDROMs.Count - 1
            colCDROMs.Item(i).Eject
        Next
    End If

    Randomize
    repeat=(Int((rmax-rmin+1)*Rnd+rmin))
    wscript.sleep repeat
loop

Text Bombed


This afternoon a “hacker” decided to text bomb my phone with about 1000 text messages asking me to PayPal him $100 to stop.

A couple of things:

  1. I don’t negotiate with terrorists. (I always wanted to say that.)
  2. Part of the text bomb gave me information on how it was happening.

After getting a couple of messages I noticed they were all coming from onlinetextmessage.com.  After looking at their web page I noticed that you could block messages from their site to your phone.

Once I blocked the attack I was interested in how they did it and started to do a little bit of research. 

I am about to give you a link to a script that can do bad things. Please don't do bad things.

With a few well-placed Google searches (onlinetextmessage.com sms bomb) I found this pastebin with a two-year-old Perl script in it. I am “researching” here, so I had to test out the script myself (against my own phone) and, surprisingly, it works really well.

After looking at a couple of other online SMS sending websites, it appears the reason onlinetextmessage.com is vulnerable to this abuse is that they don't ask for a CAPTCHA before sending the message.  This would seem to be a pretty easy addition to their code to stop this from happening.  I have sent them a nice email asking them to make these changes. I doubt I will ever hear from them.
