"Carlton Red. Um maço por dia. Danem-se as campanhas com fotos chocantes. Restaurantes sem alas de fumantes são sumariamente eliminados da minha lista.(...). Mas repito aqui o que meu falecido avô costumava dizer: "prefiro viver pouco fazendo tudo o que gosto a viver muito privado dos pequenos prazeres que meus vícios proporcionam".
As I wrote in a previous blog post, I had an engagement last year where my task was to exfiltrate data from a workstation on some sort of storage media. The twist in that task was Lumension Sanctuary Device Control, and the version was 4.3.2, but I am not sure how newer version work and this seems to be a more general problem with device control solution, for example with Symantecproducts.
But what is a device control solution? In short, they audit I/O device use and block the attempts to use unauthorized devices. This includes hardware such as USB, PS/2, FireWire, CD/DVD so basically every I/O port of a computer. In my opinion, these are pretty good things and they offer a better looking solution than de-soldering the I/O ports from the motherboards or hot-gluing them, but on the other hand, they can be bypassed.
Bypass
OK, so what is the problem? Well the way these device control solutions work is that they load a few kernel drivers to monitor the physical ports of the machine. However... when you boot up the protected computer in safe mode, depending on the device control solution software, some of these drivers are not loaded (or if you are lucky, none of those modules will be loaded...) and this opens up the possibility to exfiltrate data.
In theory, if you have admin (SYSTEM maybe?) privileges, you might as well try to unload the kernel drivers. Just do not forget, that these device control solutions also have a watchdog process, that checks the driver and automatically loads it back if it is unloaded, so look for that process and stop or suspend it first.
In my case with the Lumension Sanctuary Device Control, I have found that when I boot the Workstation protected by the device control software in Safe Mode where, software's key logger protection module is not running... so I was still unable to use a USB stick, or a storage media, but I could plug in a keyboard for example...hmmm :)
As some of you probably already figured it out, now it is possible to use a pre-programmed USB HID, for example a Teensy! : ) I know about three different project, that uses this trick like these two mentioned in a Hackaday post, or this one. Unfortunately, the site ob-security.info no longer seems to be available (well, at least it is no longer related to infosec :D ), but you can still find the blog post and the files with the Wayback Machine.
I have to note here that there are other ways to bypass these device control solutions, like the method what Dr. Phil Polstra did with the USB Impersonator, which is basically looks for an authorized device VID/PID and then impersonates that devices with the VID/PID.
Mitigation
Most probably, you will not need safe mode for the users, so you can just disable it... I mean, it is not that easy, but luckily there is a great blog post on how to do that. BTW, the first page of the post is for Windows XP, but you are not using XP anymore, aren't you? ;)
Alternatively, as I mentioned at the beginning, you might as well use some physical countermeasure (de-soldering/hot-gluing ports). That shit is ugly, but it kinda works.
Conclusion
Next time you will face a device control solution, try out these tricks, maybe they will work, and if they do, well, that's a lot of fun. :)
But don't get me wrong, these device control solutions and similar countermeasures are a good thing and you should use something like this! I know that they make doing business a bit harder as you are not able to plugin whatever USB stick you want, but if you buy a pile of hardware encrypted flash drives, and only allow those to be plugged in, you are doing it right ;)
There are more competing web browsers than ever, with many serving different niches. One example is Brave, which has an unapologetic focus on user privacy and comes with a radical reimagining of how online advertising ought to work.
Brave is based on Chromium, the open-source code that forms the basis for Google Chrome. But is it any good? And for those using Google Chrome, is it worth switching to Brave?
A Brief History of Brave
When Brendan Eich and Brian Bondy founded Brave in 2015, they wanted to address what they perceived as the biggest problem with the modern internet: intrusive advertising.
Advertising is the fuel that powers the modern internet, allowing websites and digital creatives to monetize their content without charging users for each article read or every video watched. That said, Eich and Bondy think it's got some pretty significant downsides, citing the potentially privacy-harming nature of advertising trackers, as well as the negative impact it has on the overall user experience.
Brave's first release came about amidst two significant trends, which ultimately defined the new browser.
First, the cryptocurrency revolution was in full swing. Companies and individuals alike—like the pseudonymous Satoshi Nakamoto—were creating their own decentralized cryptocurrencies, which quickly reached billion-dollar market capitalizations. Second, ad-blocking technology entered the mainstream. By the decade's halfway point, millions of people were blocking ads online across all browsers, desktop, and mobile.
Brave was one of the first browsers to include built advertisement and tracker blockers, leapfrogging the likes of Opera. It also came with its own cryptocurrency, called BAT (or Basic Attention Token), allowing users to reimburse the sites and creators they like.
Essentially, Brave wants to re-imagine how the Internet works: not just on a usability level, but on an economic level. It's an undeniably radical vision, but you wouldn't expect any less, given its founding team.
Brendan Eich is the inventor of the JavaScript programming language and co-founded the Mozilla Foundation, which created the popular Firefox web browser. He also briefly served as the foundation's CEO before resigning following a bitter controversy over his political donations. Brian Bondy is also ex-Mozilla, and spent time at education startup Khan Academy.
Beyond that, Brave is a reasonably standard browser. Like Edge, Chrome, and Opera, it's built upon the Blink rendering engine, which means webpages should work as you expect. Brave is also compatible with Chrome extensions.
To Track or Not to Track?
The Brave browser is characterized by an unapologetically pathological focus on user privacy. Its primary mechanism for delivering this is something called Brave Shields, which combines traditional tracker-blocking technology, paired with several under-the-hood browser configuration tweaks. This feature is turned on by default, although users can easily de-activate it should it cause websites to break.
As you might expect, Brave blocks trackers based on whether they appear in several public blocklists. Going beyond that, it also uses cloud-based machine learning to identify trackers that slipped through the net, in addition to browser-based heuristics.
Brave Shields also forces sites to use HTTPS, where both an encrypted and unencrypted option is available. By forcing users to use an encrypted version of a website, it makes it harder for those on your network to intercept and interfere with the content you visit. While this sounds abstract, it's more common than you think. Public Wi-Fi hotspots, like those found in airports, routinely inject their own ads into websites being visited. Although upgrading to SSL isn't a silver bullet against all security and privacy, it's a pretty significant security upgrade.
Separately from Shields, Brave also includes a built-in TOR browser. TOR allows users to circumvent local censorship — like that which occurs on a national or ISP level — by routing traffic through other computers on its decentralized network.
The tool, which was funded by the US Department of Defence, is frequently used by dissidents living under authoritarian governments to escape surveillance and censorship. Both Facebook and the BBC offer their own TOR 'onion' sites for this reason. Somewhat of a double-edged sword, it's also used by bad actors — drug dealers, hackers, and other online criminals — to operate free from the scrutiny of law enforcement.
Going Batty for BAT
As mentioned, Brave uses its own cryptocurrency, called BAT, for rewarding websites for the content they appreciate. Microtransaction-based tipping is nothing new. Flattr pioneered it almost a decade ago. What's different about BAT is both the implementation and the scale.
While Flattr used traditional fiat-based currencies (by that, I mean currencies like pounds, dollars, and euros), Flattr has its own fungible (essentially, convertible) cryptocurrency based on the Ethereum blockchain. And, as a browser with mainstream aspirations, Brave can deliver this concept to millions of people.
So, let's talk about how it works. Firstly, it's entirely optional. Users can choose to use brave without even touching the BAT micropayments system. By default, it's turned off.
If you decide to opt-in, users can purchase BAT through a cryptocurrency exchange, like Coinbase. They can also earn it by viewing "privacy-respecting" ads. Rather than traditional banner-based advertising, these present as push notifications. Users can choose to dismiss a notification or view it in full-screen.
Unlike traditional advertising networks, the calculations determining what advertisements to show you are performed on your own device. This means the advertiser isn't able to build a profile of you and your interests.
Of all advertising revenue that Brave receives, it shares 70 percent with users, keeping a 30 percent share. It's also worth noting that Brave's advertising program is only available in a handful of countries, mostly scattered across Europe and the Americas, plus Israel, India, Australia, South Africa, the Philippines, Singapore, and New Zealand.
Once you have some BAT, you can spend it. You can choose to automatically contribute to specific sites or tip creators on an ad-hoc basis. You can even tip individual tweets. When you open Twitter through your browser, Brave will automatically add a button to each post within your newsfeed. Pressing it will open a drop-down window, where you confirm your tip.
The sites accepting BAT include The Guardian, The Washington Post, and Slate, as well as popular tech publications like Android Police and The Register. Brave also plans to allow users to spend their rewards for more tangible rewards: like hotel stays, gift cards, and restaurant vouchers. At the time of publication, this system isn't yet available.
How Does Brave Compare to Google Chrome?
Google Chrome commands the majority of the browser market, with other competitors, including Brave, trailing behind. Independent figures about Brave's adoption aren't readily available. It doesn't show on NetMarketShare or W3Counter, as it uses Chrome's user-agent string. In October, however, the company behind Brave reported eight million monthly active users and 2.8 million daily active users.
While that's pocket change in the broader Internet ecosystem, it's still fairly impressive for a young company that's trying to disrupt a market dominated by a small handful of well-entrenched players, like Mozilla, Google, Microsoft, and Apple.
Brave promises to be faster and less energy-intensive than rival browsers, and it delivers on this. Scientific benchmarks, plus my own anecdotal experiences, pay testament to this. Furthermore, when you open a new tab, Brave shows you how much time you've saved by using it.
However, there are small annoyances you perhaps wouldn't get with other browsers. Functionality that comes standard in Chrome, like the ability to automatically translate webpages, is only available through plug-ins.
You also occasionally encounter webpages that force you to "drop" your shield to access it. And while this isn't Brave's fault, it does highlight the fact that a huge part of the conventional Internet isn't quite prepared to embrace its utopian vision of how content should be monetized.
A Brave New World?
Should you ditch Google Chrome for Brave? Maybe. There's a lot to appreciate about this browser. While it's generally fast, it also feels extremely polished. I appreciate the fact that it comes with both light and dark themes and the ease in which it allows users to protect their privacy from cross-site trackers.
But Brave is more than a browser. It's a statement about how the Internet should work. And while most people will agree that the pace and scale of online tracking should be rolled back, many may disagree whether cryptocurrencies are the best way to monetize content that is otherwise funded by traditional in-browser advertising. And are push notification-based advertisements on your desktop really a less irritating form of advertising?
Ultimately, the question is whether you agree with Brave's approach or not.
What is BurpSuite? Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.
In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.
Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.
BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.
Requirements and assumptions:
Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed
Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.
on for Firefox from https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.
Video for setup and installation.
You need to install compatible version of java , So that you can run BurpSuite.
About Osueta? Osueta it's a simple Python 2 script to exploit the OpenSSH User Enumeration Timing Attack, present in OpenSSH versions <= 7.2 and >= 5.*. The script has the ability to make variations of the username employed in the bruteforce attack, and the possibility to establish a DoS condition in the OpenSSH server. Read more:OpenSSH User Enumeration Time-Based Attack The bug was corrected in OpenSSH version 7.3. Authors of Osueta:
Open CMD or PowerShell window at the Osueta folder you have just unzipped and enter these commands: pip install python-nmap paramiko IPy python osueta.py -h
Advice:Like others offensive tools, the authors disclaims all responsibility in the use of this script. Osueta help menu:
Osueta's examples: A single user enumeration attempt with username variations: python2 osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v yes A single user enumeration attempt with no user variations a DoS attack: python2 osueta.py -H 192.168.1.6 -p 22 -U root -d 30 -v no --dos yes Scanning a C class network with only one user: python2 osueta.py -H 192.168.1.0/24 -p 22 -U root -v no Scanning a C class network with usernames from a file, delay time 15 seconds and a password of 50000 characters: python2 osueta.py -H 192.168.1.0/24 -p 22 -L usernames.txt -v yes -d 15 -l 50
This will be a Mini Course on Attacking Devices with RF from a hackers perspective
I wanted to learn about hacking devices using radio frequencies(RF) as their communication mechanism , so I looked around the Internet and only found a few scattered tutorials on random things which were either theoretical or narrowly focused. So I bought some hardware and some tools and decided to figure it out myself. The mission was to go from knowing nothing to owning whatever random devices I could find which offer up a good target with multiple avenues of attack and capability for learning. The devices and tools needed are posted below. As we attack more devices, we will post more info on those devices. You can follow us online at the following if your really bored: Twitter: @Ficti0n , GarrGhar
I brainstormed with a friend the following attack avenues for this device:
Ring the doorbell(Our Hello World)
Trigger the motion sensors
Remotely disable the motion sensors
Jam frequencies for Denial Of Service
This blog will cover all of the attacks performed, including code, data captures, so you can follow along even if you don't have all of the exact devices but want to play around with it yourself. These are the the topics covered so you can decide if you want to read further or watch the associated videos linked below.
Using HackRF for RF Replay attacks
Using Yardstick One for Replay attacks
Demodulating and decoding signals for use with RF attacks
Discovering and troubleshooting issues
Coding tools in python and RFCat
RF Jamming Attacks
Video Series PlayList Associated with this blog:
Initial Profiling of our Device:
What does our device do in normal operation?
Taking a look at all the components, there is a receiving station which sets off alarms based on opening doors, motion from a motion sensor and the pressing of a doorbell.
How do they Connect?
All of these devices are only connected to each other via wireless, they are not connected to any sort of local network or wires. So they are all communicating in an unknown frequency we need determine before we can start hacking them.
Determining the Frequency:
To profile our device for the frequency its transmitting on we can use the FCID located on the back of any of the transmitters. We can do this by going to https://fccid.io/ and typing in the FCID from the back of our device. This will provide data sheets, and test reports which contain the information needed to sniff our devices radio transmissions. This site also contains internal device pictures which are useful if you wanted to try hardware hacking. For example looking for Integrated Circuits(IC) numbers or debug interfaces. In this case we only care about the RF frequencies our device is using which happens to be the 315MHz as show below from the fccid website.
Replay attacks with HackRF To Trigger / Disable Sensors:
Armed with the frequency range only and no other information we decided to see if we can just blindly capture and replay a transmissions raw form to perform actions without the legitimate transmitters and without understanding anything.
Below is a photo of the HackRF One hardware used in the first attack and linked above.
Install HackRF Software:
Install on OS X for HackRF is as simple as using Brew install, on Linux use the package manager for your distro:
brew install hackrf
Plug in HackRF and type hackrf_info to confirm its working
Our Hello World attack is a simple replay attack of a raw capture to perform a normal operation initiated by HackRF instead of the device. We can perform this attack without understanding anything about the capture and decoding of signals.
With the HackRF device and 2 simple commands we will capture the transmission and then replay it as if it was from the initial device in its raw format.The following 2 commands are listed below.The -r is used to receive and the -t is used to transmit (RX, TX) you will also notice a -R on the transmit command which continuously repeats in TX mode denoted by "Input file end reached. Rewind to beginning" within the transmit output below. We use this in case the first transmission is not seen by the device. The other switches are for gain.
By using these commands we can capture the motion sensor transmission and replay it in raw format to create a false alarm, we can also capture the doorbell transmission and trigger an alarm.Output of the commands needed to do this are shown below. The video associated with this blog shows the audio and visual output from the alarm system as well as a video form of this blog.
While this is a good POC that we can communicate with the door alert system, this did not provide much of a learning opportunity nor did it drastically reduce the effectiveness of the security system. It only provides false alarms of standard functionality. Lets try doing this the more complicated way by profiling the device a bit more, capturing traffic, reducing the wave patterns to binary, converting to hex and then sending it over another device for a bit more precision and learning opportunity.This will also open up other attack vectors. This sounds complicated, but honestly its not complicated just a bit tedious to get right at first.
Further Profiling our Devices Functionality:
We are easily able to replay functionality when initiating actions ourselves with our HackRF, but what else is going on with the radio transmissions? In order to monitor the transmissions in a very simple way we can use tools such as GQRX with either our HackRF device or an inexpensive SDR Dongle and view the 315MHz radio frequency to see whats happening.
GQRX Install:
You can grab GQRX from the following location for OSX,on linux whatever package manager your distro uses should be sufficient for installing GQRX:
Plug in your SDR dongle of choice (HackRF or RTL-SDR, load up GQRX, and select your device, in this case a cheap 19 dollar RTL SDR:
Select OK and the interface will load up, I made the following changes.
I changed the mode under receiver options on the right hand side to AM for Amplitude modulation.
I changed the MHz at the top to 315000000 since that is what we saw on the fccid.io data sheets.
I then hit play and could view the 315 MHz frequency range.
When triggering any of the transmit devices I saw a spike in the frequency close to the 315 MHz range.I then held down the doorbell button since this transmit device would just keep replaying over and over while pressed. While this was repeating I dragged the bar to match the frequency exactly. Which was actually roughly 314.991.600 give or take.
I then triggered the motion sensor and saw a similar spike in frequency, but I also noticed the motion sensor transmitter sends a 2nd transmission after about 6 seconds to shut off the light on the receiver hub that no more motion is happening. A little testing showed thiswill disable the alarm from triggering during a limited time period.
Can we replay the Motion Sensor Turn off??
I tried to repeat the simple replay attack of turning off the motion sensor with HackRF, however unless your capture timing is perfect to reduce any extra data the sensor disable is rather spotty and still sometimes triggers an alarm. Even with a short capture the raw file was 40mb in size. If you were to try to breach a building and disable its sensors there is a 50% chance or so the motion sensor will be triggered.So this is not a sufficient method of disabling the motion sensor alarm. I only want a 100% chance of success if I was to try to bypass a security system.So we need another technique.I read online a bit and found something about decoding signal patterns into binary which sounded like a good way to reduce the extra data for a more reliable alarm bypass and decided to start with the simple doorbell as a test due to its ease of use, prior to working with less reliable transmissions based on motion and timing.
Decoding Signal Patterns for Sending With The YardStick One:
Below is a picture of the yard Stick tool used in the following attacks
Documented Process:
Based on my online research in order to capture a signal and retransmit using a yardstick we need to do the following:
Record the transmission with the SDR dongle and GQRX
Demodulate and Decode with Audacity into binary (1s & 0s)
Convert the Binary to Hex (0x)
Replay with YardStick in python and RFCat libraries
Troubleshooting Extra Steps:
However I found a few issues with this process and added a few more steps below. I am not trying to pretend everything worked perfectly. I ran into a few problems and these trouble shooting steps fixed the issues I ran into and I will list them below and explain them in this section as we walk through the process:
Record your YardStick Replay with GQRX and adjust the frequency again based on output
Compare your transmission waveform to that of the original transmitters waveform to insure your 1's & 0's were calculated properly
Add somepadding in form of \x00 to the end of your Hex to make it work.
Adjust the number of times you repeat your transmissions
Record Transmission with GQRX:
OK so first things first, load your GQRX application and this time hit the record button at the bottom right side prior to triggering the doorbell transmitter. This will save a Wav file you can open in audacity.
Install Audacity:
You can download audacity at the following link for OSX as well as other platforms. http://www.audacityteam.org/download/You should also be able to use your distro's package management to install this tool if it is not found on the site.
If you open up your wav file and zoom in a little with Command+1 or the zoom icon you should start to see a repeating pattern similar to this:
We need to decode one of these to trigger the doorbell. So we will need to zoom in a bit further to see a full representation of one of these patterns.Once we zoom in a bit more we see the following output which is wave form representation of your transmission. The high points are your 1's and the low points are your 0's:
Decode to binary:
So the main issue here is how many 1's and how many 0's are in each peak or valley?? Originally I was thinking that it was something like the following formatted in 8 bit bytes, but this left over an extra 1 which seemed odd so I added 7 0's to make it fit correctly.(Probably incorrect but hey it worked LOLs)
What the above binary means is that the first high peek was One 1 in length, the first low peek was One 0 in length and the larger low and high's were Three 111s in length. This seemed reasonable based on how it looks.
Try converting it yourself, does it look like my representation above?
Convert to Hex:
In order to send this to the receiver device we will need to convert it to hex. We can convert this to hex easily online at the following URL:
Or you can use radare2 and easily convert to hex by formatting your input into 8 bit byte segments followed by a "b" for binary as follows and it will spit out some hex values you can then use to reproduce the transmission with the yardstick:
In order to send this with the YardStick you will need to use a python library by the name of RFCat which interfaces with your Yardstick device and can send your Hex data to your receiver.We can easily do this with python. Even if you do not code it is very simple code to understand.In order to install RFCat you can do the following on OSX:(Linux procedures should be the same)
Plug in your device and run the following to verify:
rfcat -r
Setting up your python Replay Attack:
First convert our hex from 0xB8 format to \xB8 format and place it in the following code:
Hex Conversion for the python script:
\xb8\x8b\xb8\x88\x8b\xbb\x80
I provided a few notations under the code to help understanding but its mostly self explanatory:
#--------Ring the doorbell--------#:
from rflib import *
d = RfCat() #1
d.setFreq(315005000)#2
d.setMdmModulation(MOD_ASK_OOK) #3
d.setMdmDRate(4800) #4
print "Starting"
d.RFxmit("\xb8\x8b\xb8\x88\x8b\xbb\x80"*10) #5
print 'Transmission Complete'
#--------End Code --------#
#1 Creating a RfCat instance
#2 Setting your Frequency to the capture range from your GQRX output
#3 Setting the modulation type to ASK Amplitude shift keying
#4 Setting your capture rate to that of your GQRX capture settings
#5 Transmit your Hex 10 times
Ring Doorbell with Yardstick (First Attempt):
Plug your YardStick into the USB port and run the above code. This will send over your command to ring the doorbell.
Destroy:ficti0n$ python Door.py
Starting
Transmission Complete
However, this will fail and we have no indication as to why it failed. There are no program errors, or Rfcat errors. The only thing I could think is that that we sent the wrong data, meaning we incorrectly decoded the wave into binary. So I tried a bunch of different variations on the original for example the short lows having Two 1's instead of One and all of these failed when sending with the Yardstick.
Doorbell with Yardstick (TroubleShooting):
I needed a better way to figure out what was going on. One way to verify what you sent is to send it again with the Yardstick and capture it with your RTL-SDR device in GQRX. You can then compare the pattern we sent with the yardstick, to the original transmission pattern by the transmitter device.
The first thing you will notice when we capture a Yardstick transmission is the output is missing the nice spacing between each transmission as there was in the original transmission. This output is all mashed together:
If we keep zooming in we will see a repeating pattering like the following which is our 10 transmissions repeating over and over:
If we keep zooming in further we can compare the output from the original capture to the new capture and you will notice it pretty much looks the same other then its hard to get the zoom levels exactly the same in the GUI:
Hmmm ok so the pattern looks correct but the spacing between patterns is smashed together. After a bit of searching online I came across a piece of code which was unrelated to what I was trying to do but sending RF transmissions with \x00\x00\x00 padding at the end of the hex.This makes sense in the context of our visual representation above being all mashed up. So I tried this and it still failed.I then doubled it to 6 \x00's and the doorbell went off. So basically we just needed padding.
Also I should note that you can put as much padding as you want at the end.. I tried as much as 12 \x00 padding elements and the doorbell still went off. I also then tried a few variations of my binary decoding and some of those which were slightly off actually rang the doorbell. So some variance is tolerated at least with this device.Below is the working code :)
Our Hello World test is a SUCCESS. But now we need to move on to something that could bypass the security of the device and cause real world issues.
The following updated code will ring the doorbell using padding:
Ok so originally our simple HackRF replay had about a 50% success rate on turning off the motion sensor due to extraneous data in the transmission replay and timing issues. Lets see if we can get that to 100% with what we learned about decoding from the doorbell. We will instead decode the signal pattern sent from the transmitter to the receiver when shutting off the alert light, but without extra data. We will send it directly with a Yardstick over and over again and potentially use the devices own functionality to disable itself. This would allow us to walk past the motion sensors without setting off an alert.
The question is can we take the transmission from the Motion Sensor to the Receiver Hub which says motion has ended and use that to disable the Motion Sensor based on a slight delay between saying "there is no motion" and being ready to alert again and bypass the motion sensors security.Lets give it a try by capturing the "motion has ended" transmission with GQRX when the motion sensor sends its packet to the receiver 6 seconds after initial alert and decode the pattern..
Below is a screenshot of the "Motion has ended) transmission in audacity:
So this sequence was a bit different, there was an opening sequence followed by a repeating sequence.Lets decode both of these patterns and then determine what we need to send in order to affect the devices motion turnoff functionality.Below is the zoomed in version of the opening sequence and repeating sequence followed by an estimation of what I think the conversion is.
The opening sequence appears to have all the highs in single 1's format and most of the lows in 3 000's format, below is the exact conversion that I came up with adding some 0's at the end to make the correct byte length…
See what you can come up with,does it match what I have below?
Next up is our repeating pattern which has a similar but slightly different structure then the opening pattern. This one starts with a 101 instead of 1000 but still seems to have all of its 1's in single representations and most of its lows in sets of 3 000's. Below the screenshot is the the binary I came up with.. Write it out and see if you get the same thing?
Hex Conversion:(Used the online tool, R2 didn't like this binary for some reason)
\xA2\xA2\x88\xA2\x8A\x28\xA8\xA2\x8A\x28
Testing / Troubleshooting:
I first tried sending only the repeating sequence under the assumption the opening sequence was a fluke but that did not work.
I then tried sending only the opening sequence and that didn't work either.
I combined the first part with a repeating 2nd part for 10 iterations
The alert light immediately turned off on the device when testing from an alerting state, and from all states stopped alerting completely
Note(My light no longer turns off, I think I broke it or something LOL, or my setup at the time was different to current testing)
In order to send the first part and the second part we need to send it so that we have padding between each sequence and in a way that only the second part repeats, we can do that the following way:
Add the second patterns HEX values and add that with 6 \x00
Now multiply the second part by 10 since in the wave output this part was repeating
Below is the full code to do this, it is the same as the doorbell code with the new line from above and a While 1 loop that never stops so that the device is fully disabled using its own functionality against it :)
SUCCESS
As a quick test if you intentionally trip the sensor and immediately send this code the BEEP BEEP BEEP will be cut short to a single BEEP also the light may turn off depending how its configured. In all cases the motion sensor capability will be disabled. If you turn this script on at any time the sensor is completely disabled until you stop your transmission:
Bypassing the sensors worked, but then I got thinking, so what if the company puts out a new patch and I am no longer able to turn off the sensors by using the devices functionality against itself? Or what if I wanted to bypass the door alert when the door is opened and it breaks the connection?The door alert does not have a disable signal sent back to the receiver, it always alerts when separated.
RF Jamming and the FCC:
One way we can do this is with RF Jamming attacks. However, it should be noted that Jamming is technically ILLEGAL in the US on all frequencies. So in order to test this in a Legal way you will need a walk in Faraday cage to place your equipment and do some testing. This way you will not interfere with the operation of other devices on the frequency that you are jamming.
"We caution consumers that it is against the law to use a cell or GPS jammer or any other type of device that blocks, jams or interferes with authorized communications, as well as to import, advertise, sell, or ship such a device. The FCC Enforcement Bureau has a zero tolerance policy in this area and will take aggressive action against violators. "
Notes On the reality of Criminals:
It should also be noted that if a criminal is trying to break into your house or a building protected by an alert system that uses wireless technologies, he is probably not following FCC guidelines. So assume if you can attack your alarm system in the safety of a Faraday cage.Your alarm system is vulnerable to attack by any criminal. A fair assumption when penetration testing an alarm system your considering for install.You may want devices which are hardwired in as a backup.
There has always been Jammers for things like Cellphones, WiFi networks. With the introduction of affordable software defined radio devices an attacker can jam the 315 frequency to disable your alert system as a viable attack.A simple python script can kill a device in the 315 range and make it in-operable.
Jamming in Python:
I found the below script to be 100% effective while testing within a Faraday enclosure. Basicallythe device pauses in its current operational state, idle state or a alert light state, the device will remain in that state indefinitely until the jamming attack is stopped and the devices are manually reset.
Use a Faraday cage for your security testing:
If you use the below code make sure you use precautions such as Faraday cages to ensure the legal guidelines are met and you are not interfering with other devices in your area. You must assume that radios used by police, fire departments and other public safety activities could be blocked if you are not enclosing your signal. This code is purely for you to test your devices before installing them for the security of your assets.
I call the below program RF_EMP,not because its sending an electronic pulse but because similar to an EMP its disabling all devices in its range.Which is why you need to use a Faraday cage so as not to interfere with devices you do not own.
Below is a simple manually configurable version of this script.
#--------RF_Emp.py Simple Version --------#:
# For use within Faraday Enclosures only
from rflib import *
print "Start RF Jamming FTW"
d = RfCat()
d.setMdmModulation(MOD_ASK_OOK)
d.setFreq(315000000)
d.setMdmSyncMode(0)
d.setMdmDRate(4800)
d.setMdmChanSpc(24000)
d.setModeIDLE()
d.setPower(100)
d.makePktFLEN(0)
print "Starting JAM Session, Make sure your in your Faraday Enclosure..."
d.setModeTX() # start transmitting
raw_input("Unplug to stop jamming")
print 'done'
d.setModeIDLE() # This puts the YardStick in idle mode to stop jamming (Not convinced this works)
#--------End Code --------#
Notes on using Virtual Machines:
You can do your RF testing on a virtual machine with pre-installed tools but its kind of sketchy and you might want to throw your Yardstick against the wall in a fury of anger when you have to unplug it after every transmission. After a few fits of blind rage I decided to install it natively so my tools work every time without removing the dongle after each transmission.
Whats next:
This is it for the first blog.. Other topics will be discussed later, such as attacking devices in a blackbox assessment and configuring your own key fobs. Rolling code devices and bypassing their protections. Monitoring and attacking car components. If you have anything to add or would like to help out.. Feel free to comment and add to the discussion.
WHAT IS FOOTPRITING AND INFORMATION GATHERING IN HACKING? Footpriting is the technique used for gathering information about computer systems and the entities they belongs too. To get this information, a hacker might use various tools and technologies.
Basically it is the first step where hacker gather as much information as possible to find the way for cracking the whole system or target or atleast decide what types of attacks will be more suitable for the target. Footpriting can be both passive and active. Reviewing a company's website is an example of passive footprinting, whereas attempting to gain access to sensititve information through social engineering is an example of active information gathering. During this phase hacking, a hacker can collect the following information>- Domain name -IP Addresses -Namespaces -Employee information -Phone numbers -E-mails Job information Tip-You can use http://www.whois.com/ website to get detailed information about a domain name information including its owner,its registrar, date of registration, expiry, name servers owner's contact information etc. Use of Footprinting & Information Gathering in People Searching- Now a days its very easy to find anyone with his/her full name in social media sites like Facebook, Instragram,Twitter,Linkdedin to gather information about date of birth,birthplace, real photos, education detail, hobbies, relationship status etc. There are several sites like PIPL,PeekYou, Transport Sites such as mptransport,uptransport etc and Job placement Sites such as Shine.com,Naukari.com , Monster.com etc which are very useful for hacker to collect information about anyone. Hacker collect the information about you from your Resume which you uploaded on job placement site for seeking a job as well as hacker collect the information from your vehicle number also from transport sites to know about the owner of vehicle, adderess etc then after they make plan how to attack on victim to earn money after know about him/her from collecting information.
INFORMATION GATHERING-It is the process of collecting the information from different places about any individual company,organization, server, ip address or person. Most of the hacker spend his time in this process.
Information gathering plays a vital role for both investigating and attacking purposes.This is one of the best way to collect victim data and find the vulnerability and loopholes to get unauthorized modifications,deletion and unauthorized access.
