Building a UsaBUSe – Part 1

So a while ago, I was watching some of the Defcon 24 videos and presentations. One of the ones that caught my eye was by a couple of guys at SensePost: it was basically a USB device (Arduino AVR) that emulates devices and performs USB HID attacks, coupled with an ESP8266 acting as a Wi-Fi bridge.

They used an $11 Cactus Micro Rev2 with some custom firmware to hack a Windows 8.1 box. You can see more at their blog post on it here, and the code needed to build it is on their GitHub repo here.

So I started with a Ubuntu 14.04 LTS install and recursively cloned the repository of the code.

Next you have to put the files from the releases section of the GitHub repo in the places shown in the pictures below:-

Create the firmware directory in esp-vnc and put user1.bin in it.

user1.bin

The file KeyboardMouseGeneric.hex in avr/KeyboardMouseGeneric

KeyboardMouseGeneric

Program_ESP.hex in the Program_ESP directory

Program_ESP.hex

Lastly do the following in the root of the repo.

$ wget --content-disposition "http://bbs.espressif.com/download/file.php?id=1046"

$ unzip ESP8266_NONOS_SDK_V1.5.1_16_01_08.zip

To give you this:-

UsaBUSe files 1

Now you can plug in the Cactus and program the firmware for the ESP8266 and the Arduino, remembering to press the reset button twice at the appropriate points. If all goes well, the output should be similar to below.

In part 2, we shall move onto functional testing and see how we go.

Regards

Cyberkryption


How to build Metasploitable 3

I haven’t blogged in a while for many reasons, but I hope to add some more posts during the next few months.

In this post, I will show you how to build the new Metasploitable VM from Rapid7.

I will build the virtual machine on Windows 10, on which I had previously installed VirtualBox.

You need the following

The Vagrant version is important, as if you use a later version the build will fail.

Once you have the tools installed, make sure they are added to the system path. I stored mine in c:\users\<username>\temp.

You should now be able to execute them without specifying the whole path. Next, from an administrative command prompt, install the vagrant-reload plugin with ‘vagrant plugin install vagrant-reload’.

Once you have the reload plugin installed, head over to the GitHub Metasploitable3 repository at https://github.com/rapid7/metasploitable3. Download the zip file and extract it to a directory of your choosing.

Now change into that directory within your admin command prompt and enter the commands below to build the VM.

  1. packer build windows_2008_r2.json
  2. vagrant box add windows_2008_r2_virtualbox.box --name=metasploitable3
  3. vagrant up

The first command will take some time, as it has to download the base VM. If all goes well you should have a nice new VM as shown below.

meta3-start4

Cheers

Cyberkryption


Digital Jersey Medical Hackathon

This is my story of entering the Digital Jersey Medical Hackathon, which took place over last weekend, now that I have recovered from lack of sleep.

The Concept

To build a low cost open source messaging platform using a Raspberry Pi, an MQTT broker and a custom version of Android, with a web app to monitor air quality. The project was called “Health Stage”.

Friday Night

I got to Digital Jersey early on Friday evening to set up. I chose one of the side rooms as it has a wall mounted TV with a good sized desk. As you can see, I had quite a bit of equipment with me for the build.

Initial Setup

At 20:00 hours the hackathon started, so I started my build of Android whilst soldering the PCB daughter board for the Raspberry Pi. By just after 11:00, the PCB was soldered, so next came polarity checking to make sure it was all good.

Yeah, we have a powered board that did not go bang!!!

Working Board

So I had the basic hardware build out of the way, but this is when I hit “the software wall”. A mix of library issues caused sensors to provide no data, as well as boards not being seated correctly. Also the Android build had an issue, which could not be corrected remotely. At just before 2 a.m., I decided that was it, time to go home to kick off the Android build and get some sleep at about 02:30 a.m.

Saturday

I woke up at about 07:30 a.m. and checked my Android build on my server at home; it had completed. Next, I had some breakfast, transferred it to the phone and tried to “boot it”. The phone booted fine after a cache wipe, so that was another objective completed. The “about phone” screen is shown below:-

Build state rom

On returning to DJ at around 11:30 a.m., it was obvious that some people had pulled an “all-nighter”: @JerseyITGuy was still in the corner seat where I had left him the night before. The next few hours were spent breaking and fixing various software libraries. I ended up writing some custom Python to get one of the sensors (AM2302 Temperature and Relative Humidity) working. I went out to lunch with the family and then returned to start building the Health Stage website, as I now had sensor data going to the internet.

At this point, I still had to build the MQTT broker, website and dashboard. It became clear that I would have to abandon building the broker in order to get over the finishing line. So the point I want to make is that you should have a plan that is flexible enough to cope with road blocks induced by time and/or other factors.

So I set about building the website. Around 7 p.m., the majority of the website was uploaded. Lastly, there was the dashboard to code. I had allowed the whole of Saturday afternoon to code it, as I had recognised it was my weakest area of the build. I then had to reassess my plan once again, using freeboard.io directly for the dashboard rather than integrating it into the website.

By 10.00 p.m., I decided to stop and let the system settle down, as I had live data on the dashboard at http://www.healthstage.co.uk/live.html, with the web application left to finish. A few of the hackathon competitors decided to adjourn for a beer / cider across the road. I walked home after that to bed.

Working Dashboard.

Sunday

I got to DJ just after 8 a.m. and decided to get my submission out of the way and then concentrate on the web application. I had a basic shell of an application to build, and then I hit more software issues with the Android SDK; it became clear I was not going to solve them before the presentations.

At around this time, I saw Benedict, who came in to see how the project was going. I showed him the project running with the light level that I was going to demonstrate. Suddenly, to my surprise, Benedict picked up his vape stick and blew on the contaminant sensor; it reacted crazily, showing a large decrease in air quality. I asked Benedict if he would not mind polluting the sensor during my presentation.

The Pitch

The four minute pitch went well, with the demo working perfectly, demonstrating the light level and Benedict’s pollution.

The Judging

I did not envy the judges’ task, as all the pitches were of an incredible standard with an amazing variety of ideas. Everyone waited for the decision. Third place was awarded to MyGP, for their app which enabled better patient and doctor communication. Next, second place. Boom, it was awarded to my project. I collected my prize (“a green laser printed robot trophy” plus £500) feeling immense. Now it was just time to see who had won. The winner was Beacon, an app to help people call emergency services to their location. Here is my cool green robot trophy.

A Cool Trophy

The Future

The project is currently running as an indoor sensor with a thirty second update interval. I hope to move it outside, in an enclosure, soon.

I will continue to work on the project, as I want to finish the web application part. In the next few weeks, I will be putting up a detailed build guide and software configuration in the cyberkryption GitHub repository. I intend to redesign the PCB so that the modified sensors can be properly installed with jumper wires.

In the near future, I hope to get my hands on an “ehealth” shield and a set of sensors, with a view to integrating it all with the new Raspberry Pi touchscreen. I also hope that we can get the air monitoring live in a few locations as well.

A Final Thank You

Finally, I would just like to thank the event sponsors and Digital Jersey for a great event.

Regards

Cyberkryption

AV Evasion using PeCloak.py on Kali Linux

A little while ago, I came across a script from Mike Czumak from SecuritySift here.

It was written as an experiment in AV evasion as part of Mike’s OSCE course, but it has uses for defenders as well, such as being able to dump the sections of a Windows PE file.
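To show what that section dump gives a defender, here is an added example (not code from the post, from Mike’s script or from pefile) that walks the PE section table with only the Python standard library and flags sections mapped both writable and executable, a common triage heuristic. The function names, the `.newsec` section and the minimal PE image are constructed for this example; a real analysis would use pefile, which the script depends on.

```python
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_HEADER = "<HHIIIHH"        # Machine .. Characteristics, 20 bytes
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (_machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars) = struct.unpack_from(
        COFF_HEADER, data, e_lfanew + 4)
    # The section table follows the optional header, whose size is in the COFF header
    table = e_lfanew + 4 + struct.calcsize(COFF_HEADER) + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr, _rel, _lin, _nrel, _nlin, flags) = struct.unpack_from(
            SECTION_HEADER, data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_offset": rawptr,
            "flags": flags,
            # raw data that runs past the end of the file is a sign of a truncated or hand-edited image
            "truncated": rawptr + rawsize > len(data),
        })
    return sections


def flag_string(flags: int) -> str:
    """Render the memory flags like a permission triple, e.g. 'R-X'."""
    return "".join(ch if flags & bit else "-" for ch, bit in (
        ("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("X", IMAGE_SCN_MEM_EXECUTE)))


def writable_executable(sections: list) -> list:
    """Names of sections that are both writable and executable."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in sections if s["flags"] & wx == wx]


def build_sample_pe(sections: list) -> bytes:
    """Constructed minimal PE: DOS stub, PE signature, COFF header (no optional header),
    section table, then zero padding so every section's raw data lies inside the file."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew points straight after the DOS header
    coff = struct.pack(COFF_HEADER, 0x014C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack(SECTION_HEADER, name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
                     for name, vsize, vaddr, rawsize, rawptr, flags in sections)
    headers = bytes(dos) + b"PE\0\0" + coff + table
    end = max(rawptr + rawsize for _, _, _, rawsize, rawptr, _ in sections)
    return headers + bytes(end - len(headers))


# Constructed sample: a normal code section, a data section, and an appended RWX section
SAMPLE_PE = build_sample_pe([
    (b".text", 0x1000, 0x1000, 0x1000, 0x400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x200, 0x2000, 0x200, 0x1400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".newsec", 0x800, 0x3000, 0x800, 0x1600,
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name']:<8} va={s['virtual_address']:#08x} raw={s['raw_size']:#07x} "
              f"{flag_string(s['flags'])}{' TRUNCATED' if s['truncated'] else ''}")
    print("writable+executable:", writable_executable(parse_sections(SAMPLE_PE)))
```

Run against a real file with `parse_sections(open(path, "rb").read())`; the `truncated` flag is worth keeping, because a section table that points past the end of the file is exactly the kind of inconsistency a section-adding tool can leave behind.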

The script can be downloaded from SecuritySift here. It has three requirements: pefile, pydasm and SectionDoubleP.

The script uses a modified version of Python’s pefile, so if you have that installed, uninstall it. After you have uninstalled it, modify the code as shown below:-

pefile-mod3

Add lines 2222-2225

pefile-mod1

Add line 2254

pefile-mod2

Now change to the pefile directory and do the usual ‘python setup.py install’ to install the module as shown below:-

pefile-install-success

You should also bear in mind that the modified version may not be compatible with other tools using pefile.

Next we need pydasm, which is part of the libdasm project on Google Code here. Download the zip file, extract it to a directory of your choice, change to the ‘libdasm-beta’ directory and run ‘python ./setup.py install’; the output should be similar to below.

pydasm

Now browse to the SectionDoubleP git repository here. Click on the ‘snapshot’ link, save the tar.gz archive to the same folder as pefile, and extract the SectionDoubleP.py file so that it is in the same folder as pecloak.py, as shown below.

pecloak-final

Now to test if we can create a pecloaked file, first create a meterpreter binary and put it in the same directory, making sure it is writeable. Let’s try to cloak it.

pecloak-sucess

Happy pecloaking!!!!!

Planes,TV Tuners and Kali Linux

For a number of years, I worked within aviation as an engineer looking after flight systems such as radars, voice switches and aeronautical radio. A while ago, I bought a Nooelec DVB-T TV tuner to play with Software Defined Radio (SDR), but I never quite got around to it due to life.

Anyway, this post is about testing it to receive ADSB signals from aircraft.

The first stage is to blacklist the kernel driver ‘dvb_usb_rtl28xxu’ in /etc/modprobe.d/blacklist.local.conf.

Simply add the following to the file

blacklist dvb_usb_rtl28xxu

Now reboot your Kali box and plug in your NooElec tuner, run ‘dmesg’ and you should get something like shown below.

dmesg-noelec

Now git clone the rtl-sdr repo and build the software (the install steps need root, hence the sudo).

git clone git://git.osmocom.org/rtl-sdr.git
cd rtl-sdr/
mkdir build
cd build
cmake ../
make
sudo make install
sudo ldconfig

You can now run the rtl_test utility to check your configuration; the output should be as below.
rtl_test

Now that your DVB-T tuner is working, you can run the command ‘rtl_adsb -V’ to do a basic test to see if you can receive any ADSB signals from aircraft. Assuming that is good, you can git clone the dump1090 repository and set it up as follows:-


git clone https://github.com/flightaware/dump1090_mr
cd dump1090_mr
make

Now run the dump1090 program in interactive mode from the build directory using the command ‘./dump1090 --interactive’.

Below is a screen shot taken today.

live-flights7

As you can see, ADSB provides quite a lot of information.
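What rtl_adsb hands you is raw hex frames, and what dump1090 adds on top is decoding plus a parity check that drops corrupted bursts. As an added example (not code from the post, rtl-sdr or dump1090), here is a small Python decoder for those frames: it verifies the Mode S 24-bit CRC, pulls out the ICAO address and, for aircraft identification messages, the callsign. The line format is assumed to be the one-frame-per-line `*<hex>;` form rtl_adsb prints; the sample lines are constructed for this example (two of them are extended squitter frames widely published in ADS-B decoding tutorials, the third is the first frame with one digit altered). One caveat a defender should keep in mind: the CRC is an integrity check against noise, not authentication; ADS-B is unauthenticated, so a frame with a valid parity field is not evidence that a real aircraft sent it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of rtl_adsb output: one frame per line as "*<hex>;"
SAMPLE_RTL_ADSB_OUTPUT = """\
*8d4840d6202cc371c32ce0576098;
*8d406b902015a678d4d220aa4bda;
*8d4840d6202cc371c32ce0576099;
"""

MODE_S_POLY = 0x1FFF409  # Mode S CRC-24 generator polynomial (25 bits)
# 6-bit character set used by aircraft identification messages
CALLSIGN_CHARSET = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######"


def mode_s_remainder(frame: bytes) -> int:
    """Divide the whole frame (parity bits included) by the generator polynomial.
    An intact frame whose last 24 bits are its parity leaves a remainder of 0."""
    nbits = len(frame) * 8
    value = int.from_bytes(frame, "big")
    for bit in range(nbits - 1, 23, -1):  # clear bits from the top down to bit 24
        if value >> bit & 1:
            value ^= MODE_S_POLY << (bit - 24)
    return value & 0xFFFFFF


@dataclass
class Frame:
    df: int                 # downlink format (17 = ADS-B extended squitter)
    icao: str               # 24-bit ICAO aircraft address, hex
    crc_ok: bool
    type_code: Optional[int] = None
    callsign: Optional[str] = None


def decode_callsign(me: bytes) -> str:
    """ME field of a TC 1-4 message: 5-bit type code, 3-bit category, then 8 six-bit characters."""
    chars = int.from_bytes(me[1:7], "big")  # 48 bits
    return "".join(CALLSIGN_CHARSET[(chars >> (42 - 6 * i)) & 0x3F] for i in range(8))


def decode_frame(hexstr: str) -> Frame:
    frame = bytes.fromhex(hexstr)
    if len(frame) != 14:
        raise ValueError("expected a 112-bit (14-byte) extended squitter")
    df = frame[0] >> 3
    icao = frame[1:4].hex().upper()
    result = Frame(df=df, icao=icao, crc_ok=mode_s_remainder(frame) == 0)
    if df == 17 and result.crc_ok:  # only trust the payload of frames that pass parity
        me = frame[4:11]
        result.type_code = me[0] >> 3
        if 1 <= result.type_code <= 4:
            result.callsign = decode_callsign(me)
    return result


def parse_rtl_adsb(text: str) -> List[Frame]:
    """Parse rtl_adsb style lines; anything that is not a 112-bit frame is skipped."""
    frames = []
    for line in text.splitlines():
        match = re.fullmatch(r"\*([0-9a-fA-F]{28});", line.strip())
        if match:
            frames.append(decode_frame(match.group(1)))
    return frames


if __name__ == "__main__":
    for f in parse_rtl_adsb(SAMPLE_RTL_ADSB_OUTPUT):
        print(f)
```

Feeding live output through it is a matter of `parse_rtl_adsb(sys.stdin.read())` on the other end of a pipe from rtl_adsb; the decoder deliberately refuses to interpret the payload of any frame that fails the parity check, which is the same gate dump1090 applies before showing a row in interactive mode.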

Jersey Hackathon Entry – An Ossec Hids and Simple Phishing console

I have been participating in the Jersey hackathon held at the Digital Jersey hub in Jersey. My entry is a secure responsive console for ossec hids with a simple phishing toolkit, based on the popular Bootstrap framework.

Here is the pitch

The cybersecurity malware industry costs the UK alone 27 billion pounds. Increasingly, we see that anti virus fails to protect our systems.

Recently, in the Channel Islands, the Dridex banking trojan has been circulating, passing under the radar of anti virus solutions. This is where host intrusion detection comes into play as a second layer of defense for fintech systems. The ossec system is capable of performing not only intrusion detection but also file integrity monitoring, enabling businesses to satisfy regulatory requirements such as PCI-DSS. The system supports all major operating systems as well as firewall / security appliances from all major vendors. It is also possible to create alerts should a system try to contact a malware domain.

Whilst technical solutions are great, they ignore the human factors. This is addressed in the solution by using a spear phishing toolkit. This enables fintech companies to train their users to prevent virus / malware infection at source.

The inclusion of these technologies in a single responsive console provides a complete solution for all device types for the fintech industry.

Furthermore, it would be possible to deploy the console in a cloud environment, as all communications are secured.

So that’s the pitch, here are the screenshots

Console for users with policy information

security1

Ossec Hids and Simple Phishing console for admin users

security2 security3

Wish me luck

Cyberkryption