Tuesday, July 22, 2014

Gadget Review : Xperia M2 (value for money)

I usually don't blog much about gadgets. But my phone had become too antique and hot (anybody still using Iphone 4?) . TImes changes, IOS is getting boring, and exploitation knowledge need to gear up a little bit.

So after quick review with my master. Xperia M2 seems to be the right choice. Let's not bother about specs quality since it's not really dat important whether it's JB or ICS ,. Dalvik or Art or 21 mega pixel versus 5 mega pix..   kernel latest or not... for me it doesn't matter.

What matters for me.


1. Rootable and Bootloader Unlocked. Checked!



Rooting and Unlockable Bootlader is a must if we want to access most of the internal hardware capability provided by this phone.

2. Support Android Hacker Keyboard

Swipe/ Touchwiz craps?  Hacker Keyboard is mandatory for me.



3. NXP Based NFC.

This is the best NFC suitable for Malaysia Enviroment, cough cough.


4. Brick Resistence. 

In Xperia M2, there's a hidden switch besides the Sim Card and MMC  that can restore the phone to original factory state.Use it with caution.


5. The Lord of Internet.

Can we combine LTE + Wimax + Wifi all together and create a happy NAT balancing? U bet!!




Sunday, June 8, 2014

Why is a raven like a writing desk? IE8 plain/text MIME Type or Media Type Issues

P/S: This might not be a new issue at all (But I documented it so I won't forget or at least know where to look )


 from Alice in Wonderland

My life have it ups and downs . But last week was quite interesting,  I was fortunate enough to be given a  chance to conduct some lightning/bizzare art of  penetration testing technique at a prestigious organization that can block PornHub.

During my class on pwning a Win7 box I noticed that IE8 have some bizzare behaviour MIME type intepreation behaviour.

On a plain/text Mime IE8  will CSS Javascript Input under CompatabileView Mode. (Default mode).

Well dat just sucks right?

POC.


Dat was expected. plain/text Mime was interpreted correctly.

Now on IE8


I trip and spray :(
 Can we steal cookies?


Solution?
1. Disable Compatible View if you are not a developer..
2. Upgrade to the latest IE
3. Don`t use IE at all



Sunday, April 13, 2014

Immutable Data and Memory Sensitivity..

Considered this python code snippets

import hashlib
while True:
   print("Enter your password")
   s = raw_input('--> ')
   print(s)
   print("Now the md5sum")
   s = hashlib.md5(s).hexdigest()
   print(s)

By any means it's relatively a simple code to understand, we use s as a placeholder for our incoming data string, compute it's md5sum and replace the s value with a hexdigest.. In short s now contain the md5sum in hex right? So any plaintext that we've entered should vanished and and flush out by the garbage collector in python VM right?

Let's give it a test.


So most people would think any previous plaintext value would be washed out from the memory. The String DogFood  won`t exist right? Let's attach this current script on a debugger ('Im using edb debugger , the best thing besides windbg sorry stallman gdb just sux!!!!');


I like using edb debugger, it helps for example binary search string. Since we have replace the s value from DogFood to a hex string. We shouldn`t see any DogFood string in the memory right? Unfortunely that is entirely not true :(




DogFood in Hex
 High-level languages often have data types that are immutable. The program can only write to an immutable object once, at creation time. In other words s is just a label and the string maybe be stored in the same address or  anywhere in the memory. (Noted to self, heap/stack/bss/dss/ is actually some sort of label the computer generated to ou  give it some of approximate understanding on a specific region in the memory) 

Let's search for the md5sum string. 36f65df05afee9fb079943b7ba5d9617



The string was stored in a different address!!


So in a High Level Language,  there is no gurantee your initial plaintext data in an address would be overwrite with a encrypted blob/binary . The only way to ensure overwrite is 100% is to use either mutable data structure that are capable of replacing dynamics element.

So why did u see a chunk of the unencrypted/crypted data in the heartbleed heak leak? Not a surprise anymore right?




Thursday, April 10, 2014

Epilogue Pentest: Forget about Heartbleed and Enter the Reality of Volatile Memory

From XKCD..



Yeah there's lot of buzz on heartbleed as the worst bug ever. My opinion? It is a serious bug due to the fallacy of the way C works . Despite the hype memory leakage is not exactly something new and skillful botnet/attackers/pentesters have exploited  it for years.

What can we learn from this bug?.. At the Beginning and at the End of an Encrypted Connection lies the encrypted data. Don`t the trust user input in one thing, but trusting your server memory and hands behind it is also well sucks.

If you are one of the CISO fans well PCI  often said "End-to-End Encryption" .. which means data + communication channel are supposed to be well encrypted.. Which is good

But there's one catch...

Suppose an attacker/sysadmin managed to get hold on a server with a privileged access (or decided to abused it anyway). Hypothetically something like this.



So we have root privileged. Yes in most tutorial no doubt people will start dumping /etc/shadow and yadax2 implement fake/website blax3.

Suppose that all data is encryted and there's no way to see it in plaintext form.. If you understand the bug in heartbleed , it tells us that unencrypted related data  lies in the process memory closely at at the heap/free store..

Pick up one process 5356 in this example and examine the maps.


Data memory leaked in heart bleed relies on how the heap was align/rebased/mapped blax3.,


We can use  gcore or  Folks from Rohitab  have created one nice tool similar to procdump in Windows :)




And it's a gold mine..





Do you trust your sysadmin? I know I don`t.  And dark tips. Don`t trust your router memory either...

What about dumping in Windows? It's as easy as .




Volatile memory are dangerous... 








Sunday, April 6, 2014

Transform your Dir-615 TM into a Wifi Dumper/Cracking Machine

My health is not that good lately, for some reason , I was diagnosed for  asthma  few days ago. 

During Wireless Penetration Testing analysis , i often found that people love to talk about some china/brand wireless card such as SignalKing/Alpha etcx3. While those card might work , it's not portable enough due to the fact you need a PC/Notebook nearby in order to powered up those devices. Which is not good for professional lazy pentester. 

 

So the solution? Turn your antics DIR-615 into a portable wireless monster machine!!!

Disclaimer (If you screw somewhere along the way), well too bad

Steps.1  Flash DIR615 with this firmware ..http://downloads.openwrt.org/attitude_adjustment/12.09/ramips/rt305x/openwrt-ramips-rt305x-dir-615-d-squashfs-factory.bin

To flash you are required to turn off your DIR-615 machine, and hold the reset button for a few seconds, u set your IP to 192.168.0.x>1 , go to 192.168.0.1 and you will be redirected to the firmware upgrade page.


Upload the firmware.

Step2. 
  • Download the sysupgrade firmware http://downloads.openwrt.org/attitude_adjustment/12.09/ramips/rt305x/openwrt-ramips-rt305x-dir-620-a1-squashfs-sysupgrade.bin 
  • Setup openwrt initially
  • Push sysupgrade into openwrt via scp to /tmp
  • ssh into your openwrt and use the sysupgrade  -v openwrt-ramips-rt305x-dir-620-a1-squashfs-sysupgrade.bin

Step 3
  • If you have luci you can set the wifi into Monitor mode via Luci HTTP.
  • or modified /etc/config/wireless to be something like this

  • Tips your openwrt should`t have Internet connection, opkg relies on wget which respect http_proxy env,, I used polipo proxy so to make opkg works i usually use ssh root@192.168.1.1 -R8123:localhost:8123 

After that install  opkg install aircrack-ng kmod-usb-storage kmod-fs-vfat wireless-tools screen . Try not to install too much stuff since space is very limited.

And that's it. use screen to deamonized your stuff.


Knowledge about dumping to your usb drive and airocrack usage is left for your own exercise..

By the way, It is illegal to steal Wifi in Malaysia.  .. This is just a simple tutorial on how yet to built your own powerful portable wifi-pentesting machine.



Wednesday, March 19, 2014

Poor man Tablet Wimax Yes 4G... (Probably the first one in Malaysia)

Note: Just because i criticized YES services, doesn't mean that I hate em. . In fact their network performance would make P(2-1) looks like pea one.. But there's always room for improvement. After all real hacker  innovate , mutate, making bidaah hasanah for the greater good and fun.


After the PoC of turning your rasp pi into a fullblown Yes Zoom.  I just browse one day to see what the YTl/Yes Guys are up to.
It's great they are giving free *(with conditional surrender/subscribtion)  tablet for 99 lucky people. However those tablet doesn`t come with a built-in WIMAX features which is a sad thing. We have 3g, 4g but meany capitalistic industrialist make Wimax as a foster child ..

So my favpurite guru poisoned me with the idea , make it work with tablet.

Hardware Requiremnet
1. Samsung Galaxy Tab 10.1 P7500
2. Yes4G Dongle
3. OTG cable with External Power (5V 2A) type explain later.

1. You can us any ROM that you like but my choice would be plain stock cynogen with tun enabled and also access to libusb. This is important as gctwimax driver require user space.

2. According to OTG 1.0 specification the device  plugged in are using current between  8ma to 100mA . It couldn`t drive more power due to design/current limit (*on nexus 7 it's the kernel)  ... And unfortunely Yes4G Dongle use at least 500mA . We can verified this by going to Device Manager and check the power.

3. So yeah we need an OTG cable with extra power. a simple powerbank should be sufficient.

4. I`m using linuxonandroid to ease the development . Compiling gctwimax is straightforward once u chroot into it.. but problem occured  when you try to run the gctwimax dialer.

5. The solution that i used is a very one hell bad hack.

$bbox mount --bind /dev/bus $mount/dev/bus
$bbox mknod  $mnt/dev/net/tun c 10 200

6. You also need to run dhcpd wimax0 outside of the chroot enviroment. If nesscary dns server can be set using setprop command.. If everything goes well!! Congratulation  u r one of the luckiest bast&^d using wimax on a tablet natively.


Everything works perfectly. U can see Wifi is turned off and of course i didn`t have any sim card.


USB Device are detected correctly and Intepret correctly as a Modem instead of Mass Storage.

IP are being deligated properly.

Yeap it's working..


P/S: This is probably the first Tablet with Yes4G powered natively in Malaysia. Can someone submit it to the Malaysia book of Record (Do we still have that crap? ) Lolz.


List To DO:

1. Make this thing cleaner.
2. Using ScriptManager to automate stuff.






Friday, March 7, 2014

Poor man Yes4G Huddle.

Yes4g Huddle is bloody pricey . Anything that is more then RM300  is expensive in my own devices pricing schema ... I do not know what's the justification for that kind of price.



As a poor Malaysian living in a terrible times. What should I do? Relying on Facebook/KingJason/Politician  Photoshop/news is not going to help . Time to start our simple hacks!




Hardware Requirement
1. One Unit Raspberry Pi
2. Yes Go Dongle
3. TP Link MR3040 Portable 3G/4G Router  configurable as our wifi broadcaster + portable powerbank
4. 8GB Sdcard
5. RJ-45 cable .
6.  A Micro-Usb cabled to power up the USB Pi.


Software Requirement

1. Arch Linux as the OS
2. gctwimax  driver
3. dnsmasq
4. iptables rules

Instruction ..

1. Copy  Arch Linux ARM image to our sdcard ... If you are using Windows . you can use Fedora ARM Installer.

2. Compile gctwimax should be easy 

3. configure dnsmasq.. Quite easy in my case 4 lines .only

no-resolv
bind-interfaces
interface=eth0
dhcp-range= 192.168.150.10,192.168.150.100

U might also need to actually set the eth0 static on next boot. this can be accomplished by changing /etc/netctl/eth0 to  static and give it 192.168.150.1


4. sysctl net.ipv4.ip_forward =1 

5. Create two  systemd scripts seperately. First script is to lauch gctwimax code so that it will give us wimax0.. 

gctwimax will read configuration from /usr/share/gctwimax/gctwimax.conf like this

gctwimax -C /usr/share/gctwimax/gctwimax.conf

U need to change the following config to this config below

cert_nv=0
anonymous_identity="RANDOM@yes.my"
username="yourownusername@yes.my"
password="yourownpassword"

6. Second script is to load dnsmasq configuration. We also need to add an iptables rule to forward all our request to wimax0. This can be accomplished by MASQUERADE it.

iptabes -t nat -A POSTROUTING -o wimax0 -j MASQUERADE.


6. Configure TP-LINk Portable router into a WAN Mode.

7.  You are ready.!!!

How much does this  cost compared to Yes Huddle?

Yes Huddle~RM399
Feeling~ Crap

Mine:

  • Raspberry Pi ~ RM110
  • YesGo ~ RM40
  • TP-LINK MR3020 ~ RM99
  • Random SD card class10 ~RM16
  • Awesomeness ~ Priceless
  • Total=  RM265
  • Saved= RM134
  • And we have HDMI output how f**&U* cool is dat?




Screenshots of success .
wimax0 is up and working correctly.

Infinite power cycle (Kididng)

Working perfectly at our secret mapley.

Rooms for improvement.
  • Getting a good nano wifi card to setup as a hotspot.. Cables are messy.
  • Implementing 16x2 LCD for lulz.
  • Understanding conditional systemd. I miss sys-v/init but hey systemd is not dat bad in fact it's easier.
I've already make a plain backup images but unfortunately the size of my backup image is 8GB which is quite big. I`m uploading it at mega. Once finished i update the links to my image here.

Cheers for No4G..


Update:

Here's the link for my image archlinuxyes4g.bin