Jun 20

Updating RFIDler Firmware on Ubuntu 12.04.4

As a beat-my-tester for the RFIDler Kickstarter project, I got one of the first batch of these sweet LF RFID reader/writer/emulator units, straight from Zac Franken and Adam Laurie.

The RFIDler, Beta Version, and Antenna (background)

The RFIDler, Beta Version, and Antenna (background)

Although I have a Proxmark3 (actually, it’s not mine, it belongs to Larry Pesce, but he’s never getting it back), I am excited about the RFIDler as a low-cost alternative with active and exciting development.

When the RFIDler arrived it was running alpha3 firmware, which needed to be upgraded to the latest firmware in the RFIDler GitHub repository.  Flashing requires the mphidflash utility, which is available in source or binary form on Google Code.

The mphidflash tool required libhid-dev on Ubuntu, but that package has been retired for a while as abandoned by the author.  To get mphidflash working on Ubuntu, I grabbed the packages from Ubuntu 10.04 and installed them as shown:

$ wget http://mirrors.kernel.org/ubuntu/pool/universe/libh/libhid/libhid-dev_0.2.15+20060325-2.2ubuntu1_i386.deb
$ wget http://mirrors.kernel.org/ubuntu/pool/universe/libh/libhid/libhid0_0.2.15+20060325-2.2ubuntu1_i386.deb
$ sudo dpkg -i libhid0_0.2.15+20060325-2.2ubuntu1_i386.deb
$ sudo dpkg -i libhid-dev_0.2.15+20060325-2.2ubuntu1_i386.deb
$ wget http://mphidflash.googlecode.com/files/mphidflash-1.3-bin-linux.tar.gz
$ tar xfz mphidflash-1.3-bin-linux.tar.gz
$ sudo cp mphidflash /usr/sbin

After that, flashing the RFIDler becomes straightforward. First, download the GitHub repository files and change to the RFIDler/python directory, then run the setup.py script:

$ git clone https://github.com/ApertureLabsLtd/RFIDler.git
Cloning into 'RFIDler'...
WARNING: gnome-keyring:: couldn't connect to: /tmp/keyring-WsskxT/pkcs11: No such file or directory
remote: Reusing existing pack: 518, done.
remote: Counting objects: 16, done.
remote: Compressing objects: 100% (13/13), done.
remote: Total 534 (delta 1), reused 0 (delta 0)
Receiving objects: 100% (534/534), 8.90 MiB | 1001 KiB/s, done.
Resolving deltas: 100% (279/279), done.
$ cd RFIDler/python
$ sudo python setup.py install

Now you should be able to run the rfidler.py script to interact with the RFIDler hardware. Plug in the hardware and check the version on your hardware (you may need to run rfidler.py as root on your system):

$ rfidler.py /dev/ttyACM0 'VERSION'
sending 'VERSION'
0003-alpha

To update the firmware, hold the bootloader button and press “reset”. The LED07 and LED08 LED’s will start alternating amber and green.

RFIDler Prepped for Bootloader

RFIDler Prepped for Bootloader

You will also see a kernel message indicating that the device has entered into bootloader mode.

$ dmesg | grep Bootloader
[783265.119771] generic-usb 0003:04D8:003C.0006: hiddev0,hidraw2: USB HID v1.11 Device [Microchip Technology Inc. USB HID Bootloader] on usb-0000:02:00.0-2.1/input0

Now, change to the head of the RFIDler directory and flash the device (lots of the status dots have been removed below):

$ sudo mphidflash -r -w firmware/Pic32/RFIDler.X/dist/debug/production/RFIDler.X.production.hex
[sudo] password for jwright: 
USB HID device found: 503808 bytes free
Erasing...
Writing hex file 'firmware/Pic32/RFIDler.X/dist/debug/production/RFIDler.X.production.hex':..................................................................................................................................
Verifying:..................................................................................................................................
Resetting device...
$ rfidler.py /dev/ttyACM0 version
sending 'VERSION'
0019-beta

Voila!

-Josh

Jun 06

Code to Create a JD-GUI Error

When evaluating Android applications, I often use dex2jar to take an Android APK file and convert it to a Java JAR file.  With the APK-turned-JAR file I can examine the decompiled Java source for the application using JD-GUI or Mike Strobel’s Procyon.

Procyon is the far superior Java decompilation tool, which gracefully handles many conditions that JD-GUI cannot.  Still, Procyon requires a few additional steps to use as a command-line tool, while Procyon has a nice GUI interface for quick and easy analysis (to be fair, Procyon does have a third-party GUI interface as well, though it lacks some of the features in JD-GUI).

As part of an exercise I am writing for my SANS Institute SEC575: Mobile Device Security and Ethical Hacking course, I needed to force the student’s hand and require them to use Procyon.  I needed to reproduce a situation where my sample code was not decompiled by JD-GUI properly.  I lowered my standards enough to look at page 2 of Google search results, but I still could not find an example of Java code that could not be decompiled by JD-GUI.

Looking through some APK files I had handy, I spotted an method that JD-GUI could not handle.  Reversing the same code with Procyon gave me the method source, which I was able to narrow down to just a few lines of Java.  If you are in the position where you want to stop someone from using JD-GUI to reverse-engineer a method, insert this code:

// Add these lines to your import section
import java.io.IOException;
import java.io.OutputStreamWriter;

// Add this code to a method that you want JD-GUI to generate an error on
OutputStreamWriter request = new OutputStreamWriter(System.out);
try {
	request.close();
} catch (IOException e) {
}
finally {
	request = null;
}

The block of code opens the System.out object (the stdout reference), and then closes it. The rest is just being graceful. When decompiled with JD-GUI, the user will see this error:

JD-GUI Error

Error produced by JD-GUI when decompiling the shown code.

So, the next time you need to stop people from reversing your code, add these lines to a method, and hope that they don’t know about Procyon.

-Josh

May 15

System Recovering, and a Learning Process

On Mother’s day I realized my email had stopped working. Looking into it, my hosting provider had disappeared, which stopped all DNS (including MX) and web sites from working.

I had some advanced notice that this was going to happen, but spending time on transitioning kept moving to the bottom of my TODO list.  I ended up setting up with DigitalOcean as a provider (starting at $5/month for a reasonable Linux server) and copied my site content over.

I spent some time experimenting with the Ghost blogging platform.  Ghost’s focus is on content delivery just as a blog, not as a CMS.  I’ve had my share of struggled with WordPress before, so I decided to give Ghost a shot.

Ghost laptop on desk

Ghost: Just a Blogging Platform

Ghost uses Node.js for serving up server-side JavaScript code.  It was cool to spend some time learning about how to setup Node.js servers, how to maintain them and serve content efficiently, but in the end I realized that I need a CMS, not just a blogging platform.  Thus, I’m back with WordPress.

Thanks to all the people at the SANS Security West 2014 conference this week taking the SEC575, SEC617, and SEC660 classes, who patiently waited for me to get my site back up and running so they could grab tools, papers, and presentations from my site.  If you see anything broken, please let me know.

Thanks! -Josh

Jun 21

The Mobile Malware Connection

Today was Part II of the Taste of SANS Mobile Device Security and Ethical Hacking webcast trilogy, “The Mobile Malware Connection“.  In this session we looked at the growing prevalence of mobile malware, primarily affecting Android devices but also appearing in iOS and BlackBerry devices as well.  Malware authors have been quick to realize the benefits of exploiting mobile devices, with opportunities to intercept security-related content over SMS messaging, and the ability to make a quick buck at a victim’s expense.

Check out the presentation for more fun details about Android, iOS, BlackBerry and Windows Mobile devices.  The next and final session in this trilogy will be at 1PM ET on July 19 titled “2012: A Mobile Penetration Test” where we’ll be looking at techniques for exploiting mobile devices, and their associated infrastructure to evaluate the risks to your organization.

-Josh

Jun 01

Invasion of the Mobile Phone Snatchers

Slide Title Presentation PageToday I delivered the first of a trilogy of webcasts promoting my new course with the SANS Institute “Mobile Device Security and Ethical Hacking” (Security 575). In the presentation we look at the threat of lost or stolen mobile devices, examining how an attacker can use backup tools to extract data from mobile devices, bypass PIN authentication on Apple iOS and BlackBerry devices, and how to mitigate the impact of lost devices. Check it out!

-Josh

Mar 27

The Changing Wireless Attack Landscape

I’m en-route to the SANS Orlando 2011 conference, getting ready to teach SEC617 Ethical Hacking Wireless.  I’m really excited about some new material and a changing focus on the SEC617 course.

Over the past couple of years we’ve seen a definite change in wireless hacking techniques and tools.  While we are still seeing attacks against weak deployments of WPA/WPA2 and EAP-based authentication protocols, more and more wireless attacks are targeting “other” wireless protocols.

ZigBee

For the past year I’ve been spending a good deal of time working on the KillerBee suite of tools, designed to target weaknesses in IEEE 802.15.4 and ZigBee networks.  This has been a lot of fun, and interestingly has spawned other projects taking the KillerBee framework and extending it to new tools, such as the ZigBee-Security project, as well as upcoming integrated tools in the KillerBee repository (special thanks to Ryan Speers and Ricky Melgares for their awesome work!).  In addition, a recent project published at Blackhat Europe aims to develop some additional IEEE 802.15.4 attack techniques with a useful GUI interface and extensible interface through the SenSys project.

ZigBee/IEEE 802.15.4 hacking is interesting because:

  1. It isn’t WiFi and there is a serious lack of security knowledge and analysis tools available to help people understand the threats and attack techniques;
  2. It interfaces with devices that often control kinetic systems, such as heating/cooling, mechanical systems, door lock controls and other juicy targets.
  3. Did I mention that it isn’t WiFi?

Interest in attacking ZigBee is going to continue with its vital involvement in Smart Grid efforts, home and business automation, medical devices and more.  On top of that, hacking ZigBee and IEEE 802.15.4 is a lot of fun, and is reminiscent of early WiFi security deployments.

Bluetooth

Ubertooth OneOn top of that, Bluetooth hacking is seeing a new significant supporter in the form of Mike Ossmann’s Ubertooth project.  For many years, Bluetooth hacking has been very limited despite numerous vulnerabilities in the base specification and vendor implementations.  The problem has always been the lack of a flexible hardware platform with which to sniff and transmit arbitrary packets on a Bluetooth network.  With the custom and cost-effective hardware in Ubertooth however, we are going to see a new deluge of attack techniques against the Bluetooth networks that for years have been vulnerable without a big motivator to improve Bluetooth security.

Proprietary Wireless Attacks

In addition to attacks against ZigBee/IEEE 802.15.4 and Bluetooth, we are seeing lots of interesting attacks against proprietary wireless protocols, either through the use of Software Defined Radio tools such as the USRP, or through hardware hacking techniques.  The concept here is that we leverage simple hardware devices to build our own attack tools, or re-purpose existing hardware for our own attack purposes.

Sometimes the tools we use come in funny colors.  I call to your attention the IM-ME.  Through the efforts of Dave’s Hacks, Travis Goodspeed and Mike Ossmann, we can take this Girl Power toy and turn it into a customized wireless hacking tool.  The picture below shows its use in sniffing a 475 MHz project I’m working on with a colleague that we’ll debut sometime soon.

The picture of the left is my IM-ME interfacing with a GoodFET from Travis Goodspeed.  The GoodFET provides a very flexible interface to interact with various circuits and components as well as a framework in Python controlling devices.  Included in the GoodFET sources are scripts such as “goodfet.nrf”, which allows you to use the Nordic 2401L transceiver to interact with a bunch of interesting devices.

The Changing Wireless Attack Landscape

The bottom line is that, while WEP deployments are drying up as easy targets, wireless hacking is not slowing down.  It’s not a good idea to rest with the security achievements of EAP/TLS and your Wireless IDS system, when attack techniques move to other areas where monitoring systems are nonexistent.

We can respond to the changing wireless attack landscape in several ways:

  • Understand the risks: Make sure people in your organization understand the risks associated with various wireless technologies.  All wireless systems, from the presentation remotes used by executives to wireless keyboards to connected HVAC systems should be evaluated;
  • Build skills in hardware: Since a lot of emerging wireless attacks builds on the ability to repurpose hardware systems, it’s a very good idea to build some skills with hardware attacks using tools such as the GoodFET, bus sniffing tools such as the TotalPhase Beagle, logic analyzers, etc.  More and more, attacks will start with customized hardware when targeting proprietary systems.
  • Participate in emerging projects: Keep an eye on projects such as KillerBee, UberTooth and GoodFET.  We’ll continue to see interesting attacks and new techniques using these tools against non-WiFi systems.
  • Grow your analysis skills: Make sure you can adapt your analysis skills to wireless technology beyond WiFi including protocol analysis, exploiting cryptographic failures, data decoding and analysis, authentication failures and more.

If you are interested in picking up skills like this, a great way to pick up them up is in  the upcoming SANS vLive! session for SEC617, starting April 19.  From 7-10pm ET two days a week for 6 weeks I’m live teaching the course with all the demos, interaction and hands-on lab exercises you get from a conference event.  For another few weeks when you sign up with the registration code “WISPY_VL” you’ll get a free WiSpy DBx spectrum analyzer as well, a must-have for any wireless geek.

Wireless attacks are changing, and we know that attackers are leveraging wireless creatively beyond exploiting weak WiFi networks.  Don’t miss the chance to be at the forefront of this changing landscape.

-Josh

Mar 23

Pen Test Perfect Storm 6: We Love Cisco!

Today, Kevin Johnson, Ed Skoudis and I delivered the 6th part of the Pen Test Perfect Storm Trilogy: We Love Cisco!.

In the webcast, hosted by CORE Security Technologies, we discussed attack techniques against Cisco devices, combining wireless, network and web app techniques to exploit common network architectures. Topics include:

  • Enumerating SNMP Community strings
  • Retrieving Cisco router or switch configurations over SNMP
  • History of vulnerabilities in the Cisco Wireless LAN Controller
  • Exploiting Cisco Web App interfaces with Burp Proxy and Burp Intruder
  • Exploiting Cisco Voice VLAN’s with voiphopper
  • A practical scenario, combining network, wireless and web app attack techniques

CORE is busy putting together the recording that you can download and watch at your leisure, but in the meantime you can grab the slides in the Presentations section, or directly here. All past presentations in PDF form are also available in the presentations section, or at the CORE Security Technologies webcast archive page.

Thanks to all who attended the webcast today!

-Josh

Dec 09

ISACA Review: Hacking Exposed Wireless 2nd Edition

Hacking Exposed Wireless 2nd Edition CoverA special thanks to Horst Karin for posting a great review of my new book, Hacking Exposed Wireless 2nd Edition on the ISACA website.

If you haven’t already checked it out, you can browse the book through Amazon’s Page Viewer. For the first time in print, we provided an in-depth coverage of attacking and exploiting WiFi as well as ZigBee, Bluetooth and DECT technology in the approachable and understandable Hacking Exposed style.

Be sure to check out our companion website to grab the online content and associated files for download.

-Josh