Aug 04, 2012

See the Security BSides Atlanta talk (when it gets posted) at http://www.securitybsides.com/w/page/58266249/BSidesATL-2012. PowerPoint slides can be found here.

The people over at Pwnie Express are coming out with a neat device called the Power Pwn. This device follows up on the Pwn Plug and the PwnPhone (Nokia N900). With my experience as a penetration tester and junior hardware hacker I’ve been working on my own “pwn” hardware. I have a Nokia N810 as well as an Alix 6f2 (PCEngines.ch). I purchased an APC BE650R Battery Backup Power Strip off of eBay and gutted the inside to fit the Alix board. I integrated the Alix connectors for the serial, Ethernet, and external antenna connectors with the existing APC coax, RJ45, and RJ50 ports.

The setup has an internal Xpal portable netbook charger that can run the Alix board for over 4 hours. However, the main power to the board is integrated with the APC power strip: plugging in the APC runs power to the Xpal battery, which in turn powers the Alix. Four of the eight plugs on the APC are also functional. I created a simple DB9 to RJ45 adapter for the serial connection so I can properly configure the device before use. Since the Xpal battery powers it for 4 hours I have plenty of time to get it configured and to its final pwnage destination.

I didn’t take any photos of the gutting of the APC, but it involved a lot of Dremel, plastic nipper, and X-Acto knife work. I do have photos of everything fitting together. The only missing item is the internal RP-SMA to female F pigtails, but as you can see in the photos you can fit some rubber duck antennas inside the APC with no problems. Also, the best part about the Alix 6f2 is that you can add a Mini PCI Express GSM card for out-of-band cellular access to the device. You don’t see the card installed on the Alix in the pictures; I currently have the card in a Mini PCI-E WWAN to USB adapter for testing.

The software I run on the PCEngines Alix is Debian-for-Alix; I contributed instructions on how to install all the tools to its wiki.

Nov 19, 2012

I was wandering the aisles of Fry’s Electronics and spotted a display of Westinghouse Outlet Valets for under $10. The second I saw this I knew my TP-Link wr703n was destined to be stuffed into it. I also picked up an Inland USB hub because it has the smallest footprint of any hub I’ve seen; I’ve actually been able to place it under the wr703n board in the original housing. I also picked up a Kingston 16GB microSD card, which comes with a small-footprint USB reader. Couple that with a Samsung OEM wall charger I had and we have the makings of a computer hiding in plain sight.

I created a Coppermine Photo Gallery album with some pictures I took of the device as it was being made.


Oct 10, 2012

I don’t feel that this issue gets enough coverage, so I am adding my voice to the mix in the hopes that someday the makers of our popular mobile operating systems will FIX THE ISSUE! What I’m going to discuss is a wireless association vulnerability that was first discovered by Max Moser (site here and his full disclosure) way back in 2004 for Windows XP. Using airbase-ng (part of the Aircrack-ng suite of tools), this same attack works against the latest versions of iOS 5 and iOS 6 (iPhone and iPad), BlackBerry OS, and Android. Apple’s iOS, from AT&T Wireless, even comes with a helpful default profile so you can attack a device right out of the box (see the tweet by HD Moore). The only mobile OS that does not have this issue is Windows 8 on the new Nokia phones. I don’t know a soul that has one of these phones, so I hung out in an AT&T Wireless store to conduct my testing. Those Microsoft devices will not associate with any airbase-ng APs that mimic the APs named in the device’s probe packets. Some individuals have tried to tell the world about this issue. A great YouTube video was created by Jeffery Wilkins demonstrating this issue, and Vincent Costagliola at patctech.com wrote this article mentioning the same issue.

My testing has shown that an iPhone will connect to airbase-ng even if it is already connected to a WPA-encrypted access point, just as described by Max Moser in 2004.

Posted at 6:32 pm

Jul 12, 2012

I receive this error when trying to install PHP on my Nokia N810 device: “php5-cli: Depends: mime-support but it is not installable”. This is with a fresh flash, and I only add the Diablo Extras-Devel repository from repository.maemo.org so I have access to the PHP packages. I have no idea what is going on, but I’m creating this post in case anybody else comes across a damn mime-support issue.

Posted at 7:49 am

Jul 05, 2012

JtR 1.7.9 with Jumbo 6 now offers GPU support for computationally intensive (slow-hash) password formats like WPA-PSK. This post will detail compiling JtR with OpenCL support. I have a really old ATI Radeon HD card, but it works with OpenCL, so here goes. This compile works for Ubuntu LTS 12.04 and 10.04. You should also read the doc file README.opencl for more information on how to compile JtR with OpenCL support.

Apr 23, 2012

Well, the WRT54GL is not dead for me. Due to its popularity, this venerable wireless router has been documented across the Internet on how to hack it in both software and hardware. Tinkering with this device is a great way to learn about embedded Linux, cross-compilation, soldering, and serial communication. I continue to search for new ways to play with this router (I plan on adding some USB ports once my 12V/5V power supply arrives!). The reason I’m documenting my experiences is that I haven’t seen many tutorials where the device has a GPS module. I’ve seen some documentation on connecting a GPS device (Garmin) to a serial port; mine goes the extra step and includes a module inside the router for a nice compact wardriving box. I’m even able to set the date and time on the device after a GPS lock is obtained. So I’m going to put together a tutorial on the GPS module and the versions of OpenWrt, Kismet, and gpsd I used to allow this device to be a self-contained wardriving box.

Posted at 10:27 am

Apr 22, 2012

This tutorial will help you configure the Scratchbox environment to compile the latest SVN of aircrack-ng, the latest stable Kismet, and Reaver 1.4 for the Nokia N810. A lot of love is getting sent to the N900, but the N8x0 series of devices are still great for wireless testing. With this tutorial you will be able not only to compile the software but also to create Debian packages for easy installation on your Nokia device. Of particular note are the errors I encountered while compiling aircrack-ng. The error had not been documented on the Internet; trust me, I Googled my heart out. Everyone’s solution was to update the Linux kernel headers. Well, in this case that wasn’t possible. I’m not a Linux programmer, but I figured out how to edit the header file to make the changes needed to get aircrack-ng to compile.

Apr 05, 2012

This post deals with gathering the information you need to use aircrack-ng to capture a WPA/WPA2 handshake for offline brute-force attacks. When running aireplay-ng to send out de-authentication packets you need the MAC address of the access point and of a client that is associated with it. The way I would collect the information is to run Kismet. With the older version of Kismet I would monitor the client (panel view) and select (copy/paste) the access point and client MAC. With the new version of Kismet you cannot select a MAC address, so I wrote myself a quick Perl script to parse the Kismet NETXML file and output the MAC addresses of AP and associated client pairs.
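The Perl script itself is behind the cut, but the parsing it describes is easy to reproduce, and the same AP-to-client inventory is useful when auditing a site for unexpected clients or rogue access points. The following is an added example in Python and is not the post’s script: it walks a Kismet NETXML file and emits one line per access point and associated client. The element names (wireless-network, BSSID, SSID/essid, wireless-client, client-mac) follow the Kismet-newcore .netxml layout and are an assumption to check against your own capture; the embedded capture is constructed sample data, not a real log. It also handles two quirks of that format: Kismet lists the AP’s own MAC as a “fromds” client of itself, and a cloaked SSID has an empty essid.

```python
"""Extract access point / associated client MAC pairs from a Kismet NETXML file.

Added example (not the post's Perl script). Element names follow the
Kismet-newcore .netxml layout as an assumption; verify against a real capture.
"""
import xml.etree.ElementTree as ET

# Constructed sample capture (not real data): one WPA network with two
# associated clients, one cloaked network, and one probe-only entry.
SAMPLE_NETXML = """<detection-run kismet-version="2011.03.R2">
<wireless-network number="1" type="infrastructure">
 <SSID>
  <type>Beacon</type>
  <encryption>WPA+PSK</encryption>
  <essid cloaked="false">HomeNet</essid>
 </SSID>
 <BSSID>00:11:22:33:44:55</BSSID>
 <channel>6</channel>
 <wireless-client number="1" type="fromds">
  <client-mac>00:11:22:33:44:55</client-mac>
 </wireless-client>
 <wireless-client number="2" type="tods">
  <client-mac>AA:BB:CC:00:00:01</client-mac>
 </wireless-client>
 <wireless-client number="3" type="established">
  <client-mac>aa:bb:cc:00:00:02</client-mac>
 </wireless-client>
</wireless-network>
<wireless-network number="2" type="infrastructure">
 <SSID>
  <type>Beacon</type>
  <encryption>WPA+PSK</encryption>
  <essid cloaked="true"></essid>
 </SSID>
 <BSSID>66:77:88:99:AA:BB</BSSID>
 <channel>11</channel>
 <wireless-client number="1" type="tods">
  <client-mac>AA:BB:CC:00:00:03</client-mac>
 </wireless-client>
</wireless-network>
<wireless-network number="3" type="probe">
 <SSID>
  <type>Probe Request</type>
  <essid cloaked="false">CoffeeShop</essid>
 </SSID>
 <BSSID>AA:BB:CC:00:00:04</BSSID>
</wireless-network>
</detection-run>
"""


def ap_client_pairs(netxml_text):
    """Return a list of (bssid, essid, client_mac) tuples.

    Only infrastructure networks are considered: probe-only entries have no
    AP to pair with. Kismet also lists the AP's own MAC as a 'fromds' client
    of itself, so that entry is dropped. A cloaked SSID is reported as
    '<cloaked>' so the BSSID still appears in the output.
    """
    root = ET.fromstring(netxml_text)
    pairs = []
    for net in root.iter("wireless-network"):
        if net.get("type") != "infrastructure":
            continue
        bssid = (net.findtext("BSSID") or "").strip().upper()
        if not bssid:
            continue
        essid = (net.findtext("SSID/essid") or "").strip() or "<cloaked>"
        for client in net.iter("wireless-client"):
            mac = (client.findtext("client-mac") or "").strip().upper()
            if not mac or mac == bssid:
                continue  # empty entry, or the AP listed as its own client
            pairs.append((bssid, essid, mac))
    return pairs


def format_pairs(pairs):
    """Render the pairs one per line: BSSID, ESSID, client MAC."""
    return "\n".join(f"{bssid}  {essid}  {mac}" for bssid, essid, mac in pairs)


if __name__ == "__main__":
    import sys
    # Pass a .netxml path on the command line, or run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETXML
    print(format_pairs(ap_client_pairs(text)))
```

Run it with a Kismet .netxml path as the only argument, or with no argument to see it on the constructed sample. MAC addresses are upper-cased on the way through so that pairs can be compared against a whitelist of known clients without worrying about the case Kismet happened to use.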

Feb 29, 2012

Compile Nmap for Android

This tutorial will show you how to compile the latest version of Nmap for your Android device, starting with a standard Ubuntu install. I will offer instructions on how to obtain two compilers with which I’ve had success compiling software for Android: the Android NDK and the free Lite ARM compiler from Mentor (formerly CodeSourcery). Hopefully you can take these instructions to try to compile other tools for Android.

The build environment and instructions come from an auditor with strong technical skills, but somebody who is not a programmer or developer, so hopefully my viewpoint can help other individuals who are also not developers. I’ve built cross-compile environments for OpenWrt, Nokia Maemo, and Familiar Linux (iPaq) in the past, but always by piecing together instructions from multiple Google queries and forum searches. I’m creating this document so it will be helpful for somebody’s future Google search.

Sep 19, 2011

I’m now providing an updated Linux Penetration Testing Laptop Setup document to help install popular and useful vulnerability assessment tools for the Linux operating system. You can go and obtain BackTrack, but I feel that you will have more understanding of the tools and of Linux in general if you install the tools yourself. You will also have the most current version available. See Configuration Tutorials for the latest document.