Building a UsaBUSe – Part 1

So a while ago, I was watching some of the Defcon 24 videos and presentations, one of the ones that caught my eye was by a couple of guys at Sensepost, it was basically a USB device (arduino avr) that emulates devices and performs USB HID attacks coupled with an ESP8266 acting as a WI-FI bridge.

They used an $11 Cactus Micro Rev2 with some custom firmware to hack a windows 8.1 box.You can see more at their blog post on it here, there is also the code needed to build it on their github repo here.

So I started with a Ubuntu 14.04 LTS install and recvursively cloned the repository of the code.

Next you have to put the files from the releases section of the github repo in the following places shown in the pictures below:-

Create the firmware directory in esp-vnc and put user1.bin in it.


The file KeyboardMouseGeneric.hex in avr/KeyboardMouseGeneric


Program_ESP.hex in the Program_ESP directory


Lastly do the following in the root of the repo.

$ wget --content-disposition ""

$ unzip

To give you this:-

UsaBUSe files 1

Now you can plug in the Cactus and program the firmware for the ESP8266 and the arduino remembering to press the reset  button twice at the appropriate points. If all goes well, the output should be similar to below.

In part 2, we shall move onto functional testing and see how we go.





AV Evasion using on Kali Linux

A little while ago, I came across a script from Mike Czumak from SecuritySift here.

It was written as an experiment in AV Evasion as part of Mike’s OSCE course, but it has uses for defenders as well such as being able to dump sections of a Windows PE file.

The script can be downloaded from the SecuritySift here. It has three requirements, these are pefile, pydasm and SectionDoubleP.

The script uses a modified version of python’s pefile, so If you have that installed, then un-install it. After you have uninstalled it, modify the code as shown below:-


Add lines 2222-2225


Add line 2254


Now change to the pefile directory and do the usual ‘python install’ to install the module as shown below:-


You should also bear in mind, that the modified version may not be compatible with other tools using pefile.

Next we need pydasm, which is part of the libdasm project on googlecode here. Next download the zip file, extract it to a directory of your choice, change to the ‘libdasm-beta’ directory and run ‘python ./ install’, the output should be similar to below.


Now browse to the SectionDoubleP git repository here. Now click on ‘snapshot’ link, save the tar.gz archive to the same folder as pefile, extract the SectionDoubleP.y file to be in the same folder as as shown below.


Now to test if we can create an pecloaked file, first create a meterpreter binary and put it in the same directory making sure it is writeable. Let’s try to cloak it.


Happy pecloaking!!!!!

Planes,TV Tuners and Kali Linux

For a number of years, I worked within aviation as an engineer looking after flight systems such as Radars, Voice Switches and Aeronautical Radio. A while ago, I bought a Nooelec DVB-T TV tuner to play with Software Defined Radio (SDR), but I never quite got around it due to life.

Anyway, this post is about testing it to receive ADSB signals from aircraft.

The first stage is to blacklist the kernel driver ‘dvb_usb_rtl28xxu’ in /etc/modprobe.d/blacklist.local.conf.

Simply add the following to the file

blacklist dvb_usb_rtl28xxu

Now reboot your kali box and plug in your NooElec tuner, run ‘dmesg’ and you should get something like shown below.


Now git clone the rtl-sdr repo and build the software as root.

git clone git://
cd rtl-sdr/
mkdir build
cd build
cmake ../
make sudo
make install
sudo ldconfig

You can now run the rtl_adsb utility to test your configuration, the output should be as below.

Now that your DVB-T tuner is working you can run the command ‘rtl_adsb -V’ to do a basic test to see if you can receive any ADSB signals from aircraft. Assuming that is good then you can git clone the dump1090  repository and set it up as follows:-

git clone
cd dump1090

Now run the dump1090 program in interactive mode using the command ‘dump1090 –interactive’.

Below is a screen shot taken today.


As you can see ADSB provides quite a lot of information.

Kali Linux 1.10 on a Pi-2 Update

Hi, this is an update on Kali 1.10 after my last post. It appears Muts(@kalilinux) and the Offensive Security crew have updated their github repo. Within the kali-arm-build-scripts is a new script for the Raspberry Pi-2 called The stages to build the image are as follows:-

  • gitclone the offensive security repository
  • put the the kernel image file in the kernel configs directory from here, making sure it is called ‘rpi-3.1.8.config’.
  • run the ‘rpi2/sh. 1.1.10’
  • burn the image to your sdcard

In bash, it goes something like this :-

mkdir arm-stuff
cd arm-stuff
<code>git clone
export PATH=${PATH}:/root/arm-stuff/gcc-arm-linux-gnueabihf-4.7/bin</code>
git clone
cd kernel-configs
wget -O rpi-3.1.8.config
cd ..
./ 1.10
dd bs=4M if=kali-image-name of=/dev/mmcblk0

The good news, is that the image has a patch for wireless injection for the 3.18 kernel and we should not need to copy the /lib/modules across as we have had to in previous builds. The only extra task, I would consider is to copy a config.txt to the boot directory to assign more graphics memory from the XFCE desktop. You can get one here.



In a further development, I received a comment from comment from YunHui Fu about a script that he has developed which not only builds Kali Linux but also Arch Linux with the wireless patches as well. YunHui github repo is here and you can build it as follows:-

git clone
cd arch-kali-rpi2


In order to build by YunnHui method, you need to use a Ubuntu host or soething similiar with Glibc > 2.14 otherwise the build will fail, a good choice would be Ubuntu 14.04.

You will need to make sure that you have alll the dependancies sorted, so use the ‘’ script from the kali arm repository above. Note ‘boot-umakeimage’ is now superseeded by ‘u-boot-tools’ and ia32libs is replaced by a number of packages, these are lib32z1,lib32ncurses5 and lib32bz2-1.0 respectively.

I am currently building Yunn Hui’s build and will post some screen shots on here.



Simple Screen Recorder on Kali Linux

I needed a screen recorder for some upcoming video tutorials that I might put together, but found that normal recorders such as recordmydesktop did not do the job well. After some ‘googling’, I can across Simple Screen Recorder, but there were no packages in the Debian or Kali repo’s. However, the developer’s github page has all that you need here.

The compile it, do the following:-

sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get install build-essential pkg-config qt4-qmake libqt4-dev libavformat-dev libavcodec-dev libavutil-dev libswscale-dev libasound2-dev libpulse-dev libjack-jackd2-dev libgl1-mesa-dev libglu1-mesa-dev libx11-dev libxfixes-dev libxext-dev libxi-dev g++-multilib libx11-6 libxext6 libxfixes3 libxfixes3:i386 libglu1-mesa:i386
cd /usr/lib/i386-linux-gnu
sudo ln -s
sudo ln -s
sudo ln -s
sudo ln -s
sudo ln -s
sudo ldconfig

Now clone the developer’s repo , so that you have a local copy.

git clone
cd ssr

If you run in Kali as root (which is considered a bad security practice) then you need to comment out the root check in the install script as shown below:-


Now simply run the install script..



Kali-1.1.10 on a Raspberry Pi-2

I’m back and building Kali 1.1.10 for my raspberry Pi-2 with  the kernel from the latest raspbian image at the time of writing, which is 2015-02-16-raspbian-wheezy.img. The video below shows the actual image running, apologies for tint in the video.

The procedure is pretty much the same as per my previous post here, so if you have not read it, please read it first.

The kernel configuration was taken from the above raspbian image and is pastebin’ed here. Simply save it in the kernel configs directory within the kali-arm build system.

Update – 23/02/2015

I would also recommend modify the kernel configuration as per Step 10 here, although I did not do this in my initial build.

Now go ahead and run the script and go get a cup of something as you will have to wait a while..

Now that it is built and you have burned it to your sd card, a word or two about the ‘modules’ problem.

‘Modules’ problem

On my Pi-2, the normal raspbian image has the following modules loaded shown below


Now, if you do the same on your kali image, you will find that no modules are loaded. The upshot of this is that when you try to ‘startx’ everything will freeze. The solution to the problem is shown below:-

  1. mount the raspbian image,
  2. delete the contents of lib/modules directory on your kali image that is burned to your sd card
  3. copy the contents of lib/modules from raspbian image to kali image.

Mounting the raspbian is easy and is shown below:-


Now use your favourite graphical file manager to do the rest. The problem is that during the build process, the kernel was patched for wireless injection. Copying the files from the raspbian image breaks this, leaving us with a kernel not patched for injection. In order to resolve this, we patch the running kernel on the Pi-2, recompile and install the kernel.

Kernel Recompilation

The procedure for recompiling the kernel goes like this

sudo apt-get install linux-source
sudo apt-get install bc gcc gcc-4.6 libc-bin libc-dev-bin libc6 libc6-dev linux-libc-dev make manpages-dev
git clone --depth=1
cd linux
zcat /proc/config.gz > ~/linux/arch/arm/configs/pi_defconfig
mkdir -p ../patches
wget -O ../patches/mac80211.patch
patch -p1 --no-backup-if-mismatch < ../patches/mac80211.patch
make pi_defconfig
make modules
make modules install
sudo cp /boot/kernel.img /boot/kernel-bup.img
sudo cp arch/arm/boot/Image /boot/kernel.img

So now, we havewireless injection working.

 [Optional] – Raspi-Config Package

In order to add the raspi-config package to overclock etc. Simply watch the video and down load the deb packages and install in the correct order.

From the command line, it goes something like this, but I just downloaded them using my browser on the Pi-2.

dpkg -i triggerhappy_0.3.4-2_armhf.deb
dpkg -i lua5.1_5.1.5-4+deb7u1_armhf.deb
dpkg -i raspi-config_20150131-1_all.deb

Enjoy, That’s all Folks