Building a UsaBUSe – Part 1

So a while ago, I was watching some of the Defcon 24 videos and presentations, one of the ones that caught my eye was by a couple of guys at Sensepost, it was basically a USB device (arduino avr) that emulates devices and performs USB HID attacks coupled with an ESP8266 acting as a WI-FI bridge.

They used an $11 Cactus Micro Rev2 with some custom firmware to hack a windows 8.1 box.You can see more at their blog post on it here, there is also the code needed to build it on their github repo here.

So I started with a Ubuntu 14.04 LTS install and recvursively cloned the repository of the code.

Next you have to put the files from the releases section of the github repo in the following places shown in the pictures below:-

Create the firmware directory in esp-vnc and put user1.bin in it.

user1.bin

The file KeyboardMouseGeneric.hex in avr/KeyboardMouseGeneric

KeyboardMouseGeneric

Program_ESP.hex in the Program_ESP directory

Program_ESP.hex

Lastly do the following in the root of the repo.

$ wget --content-disposition "http://bbs.espressif.com/download/file.php?id=1046"

$ unzip ESP8266_NONOS_SDK_V1.5.1_16_01_08.zip

To give you this:-

UsaBUSe files 1

Now you can plug in the Cactus and program the firmware for the ESP8266 and the arduino remembering to press the reset  button twice at the appropriate points. If all goes well, the output should be similar to below.

In part 2, we shall move onto functional testing and see how we go.

Regards

Cyberkryption

 

 

AV Evasion using PeCloak.py on Kali Linux

A little while ago, I came across a script from Mike Czumak from SecuritySift here.

It was written as an experiment in AV Evasion as part of Mike’s OSCE course, but it has uses for defenders as well such as being able to dump sections of a Windows PE file.

The script can be downloaded from the SecuritySift here. It has three requirements, these are pefile, pydasm and SectionDoubleP.

The script uses a modified version of python’s pefile, so If you have that installed, then un-install it. After you have uninstalled it, modify the code as shown below:-

pefile-mod3

Add lines 2222-2225

pefile-mod1

Add line 2254

pefile-mod2

Now change to the pefile directory and do the usual ‘python setup.py install’ to install the module as shown below:-

pefile-install-success

You should also bear in mind, that the modified version may not be compatible with other tools using pefile.

Next we need pydasm, which is part of the libdasm project on googlecode here. Next download the zip file, extract it to a directory of your choice, change to the ‘libdasm-beta’ directory and run ‘python ./setup.py install’, the output should be similar to below.

pydasm

Now browse to the SectionDoubleP git repository here. Now click on ‘snapshot’ link, save the tar.gz archive to the same folder as pefile, extract the SectionDoubleP.y file to be in the same folder as pecloak.py as shown below.

pecloak-final

Now to test if we can create an pecloaked file, first create a meterpreter binary and put it in the same directory making sure it is writeable. Let’s try to cloak it.

pecloak-sucess

Happy pecloaking!!!!!

Planes,TV Tuners and Kali Linux

For a number of years, I worked within aviation as an engineer looking after flight systems such as Radars, Voice Switches and Aeronautical Radio. A while ago, I bought a Nooelec DVB-T TV tuner to play with Software Defined Radio (SDR), but I never quite got around it due to life.

Anyway, this post is about testing it to receive ADSB signals from aircraft.

The first stage is to blacklist the kernel driver ‘dvb_usb_rtl28xxu’ in /etc/modprobe.d/blacklist.local.conf.

Simply add the following to the file

blacklist dvb_usb_rtl28xxu

Now reboot your kali box and plug in your NooElec tuner, run ‘dmesg’ and you should get something like shown below.

dmesg-noelec

Now git clone the rtl-sdr repo and build the software as root.

git clone git://git.osmocom.org/rtl-sdr.git
cd rtl-sdr/
mkdir build
cd build
cmake ../
make sudo
make install
sudo ldconfig

You can now run the rtl_adsb utility to test your configuration, the output should be as below.
rtl_test

Now that your DVB-T tuner is working you can run the command ‘rtl_adsb -V’ to do a basic test to see if you can receive any ADSB signals from aircraft. Assuming that is good then you can git clone the dump1090  repository and set it up as follows:-


git clone https://github.com/flightaware/dump1090_mr
cd dump1090
make

Now run the dump1090 program in interactive mode using the command ‘dump1090 –interactive’.

Below is a screen shot taken today.

live-flights7

As you can see ADSB provides quite a lot of information.

Kali Linux 1.10 on a Pi-2 Update

Hi, this is an update on Kali 1.10 after my last post. It appears Muts(@kalilinux) and the Offensive Security crew have updated their github repo. Within the kali-arm-build-scripts is a new script for the Raspberry Pi-2 called rpi2.sh. The stages to build the image are as follows:-

  • gitclone the offensive security repository
  • put the the kernel image file in the kernel configs directory from here, making sure it is called ‘rpi-3.1.8.config’.
  • run the ‘rpi2/sh. 1.1.10’
  • burn the image to your sdcard

In bash, it goes something like this :-

mkdir arm-stuff
cd arm-stuff
<code>git clone https://github.com/offensive-security/gcc-arm-linux-gnueabihf-4.7
export PATH=${PATH}:/root/arm-stuff/gcc-arm-linux-gnueabihf-4.7/bin</code>
git clone https://github.com/offensive-security/kali-arm-build-scripts
cd kernel-configs
wget https://github.com/yhfudev/arch-kali-rpi2/blob/master/rpi2-3.19.config -O rpi-3.1.8.config
cd ..
./rpi2.sh 1.10
dd bs=4M if=kali-image-name of=/dev/mmcblk0

The good news, is that the image has a patch for wireless injection for the 3.18 kernel and we should not need to copy the /lib/modules across as we have had to in previous builds. The only extra task, I would consider is to copy a config.txt to the boot directory to assign more graphics memory from the XFCE desktop. You can get one here.

Screenshot

desktop

In a further development, I received a comment from comment from YunHui Fu about a script that he has developed which not only builds Kali Linux but also Arch Linux with the wireless patches as well. YunHui github repo is here and you can build it as follows:-


git clone https://github.com/yhfudev/arch-kali-rpi2.git
cd arch-kali-rpi2
./runme.sh

Update

In order to build by YunnHui method, you need to use a Ubuntu host or soething similiar with Glibc > 2.14 otherwise the build will fail, a good choice would be Ubuntu 14.04.

You will need to make sure that you have alll the dependancies sorted, so use the ‘builddeps.sh’ script from the kali arm repository above. Note ‘boot-umakeimage’ is now superseeded by ‘u-boot-tools’ and ia32libs is replaced by a number of packages, these are lib32z1,lib32ncurses5 and lib32bz2-1.0 respectively.

I am currently building Yunn Hui’s build and will post some screen shots on here.

Regards

Cyberkryption

Simple Screen Recorder on Kali Linux

I needed a screen recorder for some upcoming video tutorials that I might put together, but found that normal recorders such as recordmydesktop did not do the job well. After some ‘googling’, I can across Simple Screen Recorder, but there were no packages in the Debian or Kali repo’s. However, the developer’s github page has all that you need here.

The compile it, do the following:-

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install build-essential pkg-config qt4-qmake libqt4-dev libavformat-dev libavcodec-dev libavutil-dev libswscale-dev libasound2-dev libpulse-dev libjack-jackd2-dev libgl1-mesa-dev libglu1-mesa-dev libx11-dev libxfixes-dev libxext-dev libxi-dev g++-multilib libx11-6 libxext6 libxfixes3 libxfixes3:i386 libglu1-mesa:i386
cd /usr/lib/i386-linux-gnu
sudo ln -s libGL.so.1 libGL.so
sudo ln -s libGLU.so.1 libGLU.so
sudo ln -s libX11.so.6 libX11.so
sudo ln -s libXext.so.6 libXext.so
sudo ln -s libXfixes.so.3 libXfixes.so
sudo ldconfig

Now clone the developer’s repo , so that you have a local copy.

git clone https://github.com/MaartenBaert/ssr
cd ssr

If you run in Kali as root (which is considered a bad security practice) then you need to comment out the root check in the install script as shown below:-

ssr

Now simply run the install script..

./simple-build-and-install

Enjoy

Kali-1.1.10 on a Raspberry Pi-2

I’m back and building Kali 1.1.10 for my raspberry Pi-2 with  the kernel from the latest raspbian image at the time of writing, which is 2015-02-16-raspbian-wheezy.img. The video below shows the actual image running, apologies for tint in the video.

The procedure is pretty much the same as per my previous post here, so if you have not read it, please read it first.

The kernel configuration was taken from the above raspbian image and is pastebin’ed here. Simply save it in the kernel configs directory within the kali-arm build system.

Update – 23/02/2015

I would also recommend modify the kernel configuration as per Step 10 here, although I did not do this in my initial build.

Now go ahead and run the rpi.sh script and go get a cup of something as you will have to wait a while..

Now that it is built and you have burned it to your sd card, a word or two about the ‘modules’ problem.

‘Modules’ problem

On my Pi-2, the normal raspbian image has the following modules loaded shown below

pi-modules

Now, if you do the same on your kali image, you will find that no modules are loaded. The upshot of this is that when you try to ‘startx’ everything will freeze. The solution to the problem is shown below:-

  1. mount the raspbian image,
  2. delete the contents of lib/modules directory on your kali image that is burned to your sd card
  3. copy the contents of lib/modules from raspbian image to kali image.

Mounting the raspbian is easy and is shown below:-

mount-raspbian

Now use your favourite graphical file manager to do the rest. The problem is that during the build process, the kernel was patched for wireless injection. Copying the files from the raspbian image breaks this, leaving us with a kernel not patched for injection. In order to resolve this, we patch the running kernel on the Pi-2, recompile and install the kernel.

Kernel Recompilation

The procedure for recompiling the kernel goes like this

sudo apt-get install linux-source
sudo apt-get install bc gcc gcc-4.6 libc-bin libc-dev-bin libc6 libc6-dev linux-libc-dev make manpages-dev
git clone --depth=1 https://github.com/raspberrypi/linux
cd linux
zcat /proc/config.gz > ~/linux/arch/arm/configs/pi_defconfig
mkdir -p ../patches
wget https://raw.github.com/offensive-security/kali-arm-build-scripts/master/patches/kali-wifi-injection-3.12.patch -O ../patches/mac80211.patch
patch -p1 --no-backup-if-mismatch < ../patches/mac80211.patch
make pi_defconfig
make modules
make modules install
sudo cp /boot/kernel.img /boot/kernel-bup.img
sudo cp arch/arm/boot/Image /boot/kernel.img

So now, we havewireless injection working.

 [Optional] – Raspi-Config Package

In order to add the raspi-config package to overclock etc. Simply watch the video and down load the deb packages and install in the correct order.

From the command line, it goes something like this, but I just downloaded them using my browser on the Pi-2.

wget http://archive.raspberrypi.org/debian/pool/main/r/raspi-config/raspi-config_20150131-1_all.deb
wget http://http.us.debian.org/debian/pool/main/l/lua5.1/lua5.1_5.1.5-4+deb7u1_armhf.deb
wget http://http.us.debian.org/debian/pool/main/t/triggerhappy/triggerhappy_0.3.4-2_armhf.deb
dpkg -i triggerhappy_0.3.4-2_armhf.deb
dpkg -i lua5.1_5.1.5-4+deb7u1_armhf.deb
dpkg -i raspi-config_20150131-1_all.deb

Enjoy, That’s all Folks

Kali Linux on a Raspberry Pi 2

First git clone the kali linux arm repo from https://github.com/offensive-security/kali-arm-build-scripts

Now modify, the architecture in the rpi.sh script to read “armhf” rather “armel” as the Raspberry Pi 2 has a different processor architecture

rpi-mod1

Create our kernel configuration by copying the one that is pastebin’d here

Save the file as “rpi-3.1.8.config” in the kernel config directory.

Modify  the rpi.sh script to use our new kernel configuration.

rpi-mod2

Now run the rpi.sh command, if all goes well, you should see something like below.

kali-complete

14/02/2015 Update

You will probably encounter a problem with ‘startx’ command freezing the ‘X’ environment with the build. If this is the case, then look at the kali linux forum post here.

The solution is essentially to copy the /lib/modules directory from the Raspbian image. I will look at modifying the build script to solve this in the near future.