A friend of mine told me that he was going to do a presentation about the famous Rubber Ducky.

For those of you who don’t know, rubber ducky is a USB dongle that emulates a keyboard disguised of flash drive.

rubber-ducky

Obviously, this is the perfect solution for a social engineering experiment, but at 44USD it is a bit pricey given that there are a few other devices that can perform in a similar way for less than 1/4 of the price.

Today I’m going to talk about one of those alternatives: The Arduino Beetle.

arduino-beetle

The arduino beetle is a tiny solution based on the ATMEGA32U4 the same micro controller that you can find in the Arduino Leonardo. It does support USB without any external components which makes it a very good option to build these minified dongles.

 

For this reason, creating arduino sketches that emulate a keyboard is quite trivial. In fact, it is so easy that it makes this tool look a bit worthless. Nevertheless, I’ve decided to create a small tool that would allow you to convert and use the existing Rubber Ducky Payloads with this little device.

 

How to Use it?

  1. Pick a payload you like and save it to a file. For instance this one: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload—osx-youtube-blaster
  2. Call rubberduino-convert and pass the payload file as the first argument. Pipe the output to a new file.
  3. Open your favourite arduino IDE and paste the contents of the file previously created.
  4. Upload the sketch to your arduino leonardo/beetle
  5. Enjoy 🙂

 

Issues

This is a very alpha version the code is not polished at all. Even though it does work pretty well there are a few issues:

  • Symbol handling – Special symbols will depend on the keyboard layout that you’re using. Currently it is working with portuguese layouts but it needs to be adjusted in case you have a different one. The way I did it was to run a test sketch that would show you the output of each char mapped between 1 and 100. I then picked them and created a dictionary called symbol_ids inside the python module to map the char. ( e.g. {“/”: 39, “ç”: 11, “&”:24 } and so on ).
  • The sketches are loooooongBecause of the issue mentioned above, I have to rely on keyboard.write to send a char at the time. This can make the sketches look big and makes it uncomfortable to troubleshoot but it was the easiest way for me to do it. Feel free to improve it. This was improved by 15% ( the size of the compiled sketch ).
  • Delay handling – The payloads can be produced either by using a default DELAY command that will stay between actions or by explicitly adding them to the code. Currently I always add a DELAY command between the actions which means that I might be introducing more delays than I should ( e.g. the payload you provided already has them ).

Feel free to check out the code here: https://github.com/zatarra/rubberduino

You can get the Beetle for less than $6 on Aliexpress ( thanks deine0ma! )

PS: You can follow an interesting discussion on reddit

I love to travel.

Because of this, I can spend lots of time searching for the best deal I can find on a given destination. Fortunately there are several web ninjas that simplify this hard task for you. Some of these ninjas, are the guys from Fly4Free.

Checking on their website on a regular basis is quite trivial and they do have everything categorized, but I wanted to take it one step further to the ultimate lazy level 🙂

Actually, I was also looking for an excuse to learn how to create Chrome extensions and this sounded like the perfect one.

 

Screen Shot 2016-09-14 at 12.12.03

The workflow is pretty simple:

a) Download the RSS feed.

b) Look for interesting keywords ( you can customize which ones ) such as destinations.

c) Create a notification with this information.

d) Store the current information for later presentation.

 

 

The chrome extension is open source, so feel free to improve it or just check it out either on the chrome store or on github

This is going to be a quick one.

Remember ZSUN Wifi Card reader? It seems that there’s a new device that does the same thing. In fact it does look like a clone:

 

EAGET

 

I just bought one of these from a Chinese supplier. It costed $7.5 USD and it does exactly the same. Using NMAP to scan for open ports I get the same results. So it was not surprising when I got access to it using the very same password “zsun1188”.

Screen Shot 2016-04-21 at 20.40.08

 

In order for you to flash the existing firmware you need to edit /etc/producttype and replace the A50 for SD100.  The rest of the process should be pretty straight forward.

 

Enjoy your dirt cheap new router 🙂

zsun

I was one of the guys that got the Zsun fever 🙂

I’m not going to get into details. For those you can check the Warsaw Hackerspace’s website. Those guys did an awesome job compiling information related to this tiny yet powerful device.

Originally it comes with a custom firmware that provides you with an access point that can be used to share files ( it has a microsd slot ). By flashing OpenWRT it allows you to unleash all it power and use it to several different things (access point, range extender, file server using different protocols, IoT, Tor server,  you name it), but since you can only access it via wifi ( there’s a physical ethernet port that you can use if you don’t mind tearing apart the case and solder an ethernet jack)  it can be very easy to lose access to the devices.

I’ve seen some people talking about a trick using the sd card slot during boot to force a software reset but it didn’t work for me, so I just decided to do something different.

 

The approach is easy. Create a script  that is loaded on boot and checks for a file on the memory card. If it’s there, then it issues a firstboot command to reset everything. This is similar to the update process of several gadgets and it’s easy to implement.

 

1º Flash the OpenWRT firmware ( check the hackerspace link )

2º Open the web interface. Enable the SD card automount feature and mount it on /mnt/sda1 (this should be the default). Enable enable SSH.

3º Log on using SSH. Create a file called restore inside /etc/init.d/ and dump the following contents there:

 

#!/bin/sh /etc/rc.common
# Copyright (C) 2009-2012 OpenWrt.org
 
START=50
 
start() {
  if [ -f "/mnt/sda1/restore" ]
  then
    echo "y" | /sbin/firstboot
    rm /mnt/sda1/restore
    /sbin/reboot
    echo "Rebooting to apply changes"
  fi
}
 
stop() {
  echo "Stop action not used."
}
 
reload() {
  echo "Reload action not used."
}
 
shutdown() {
  echo "Shutdown action not used."
}

 

4º Save the file and change the permissions to 755 ( chmod 0755 /etc/init.d/restore )

5º Enable the script on boot. To do so execute the following command: /etc/init.d/restore enable

And that’s it. If for any reason you mess up the wireless interface and lose access to the device, all you have to do is create a blank file inside the SD card called restore and the next time you boot the device it will detect this and force the reset.

Warsaw Hackerspace: https://wiki.hackerspace.pl/projects:zsun-wifi-card-reader

 

Winter is coming!

A few days ago I started a new project to help me take care of my peppers. Winter is coming ( pun intended ) and unfortunately it’s a bit harsh here in Portugal for people who likes to grow peppers, specially tropical strains that are used to good weather.

For that reason, it all started as simple thermostat that could tell me the temperature over the internet but soon lots of other ideas started to pop up in my mind. So I started developing a tiny appliance that could allow me to control a few things and that’s how this project started.

I don’t plan on creating something super fancy and for that reason these are the initial hardware requirements:

  • NodeMCU
  • DHT11 – Temperature and Humidity sensor
  • Digital light sensor
  • 3v Relay module with four relays
  • 16×02 LCD module with an I2C adapter

The idea is very simple: The NodeMCU will create a tiny web api that can be used to retrieve data about the sensors and trigger the relays. That information can also be seen on the LCD so that you can check the sensors when you enter the greenhouse.

The webapp will output the information in json format so that you can easily integrate it with another application.

NodeMCU Greenhouse Controller

I’ll post the rest of the howto in the next days but feel free to check the repository containing the code. If you can contribute with ideas or some code, feel free to! 🙂

https://github.com/zatarra/nodemcu-greenhouse-controller

Netflix was launched here in Portugal one day ago. I was really excited because I was finally going to be able to get an account and start enjoying all the contents that they have to offer.

That was until I checked the catalog…

Currently the catalog has 354 movies or tv shows which is a very poor selection. I didn’t want to turn to VPNs or DNS services that could route traffic through their services but unfortunately I had no choice. Since I work in security, I know how these things can turn south like people found out recently.

But the truth is that I need to trust in a foreign node at some point because without a US IP address netflix wouldn’t show me the full catalog. Searching for netflix and DNS the first link that popped up seemed exactly what I was looking for except that I didn’t want to use their DNS servers for all the requests ( again, security ringing a bell ) a vector for Pharming attacks.

So the idea was to use one of those DNS providers that route traffic through their servers whenever we wanted to access netflix, but only for netflix related requests. Sure I could just setup a DNS server and create a custom zone for netflix but that seemed an overkill. That is how I discovered that OSX supports a feature which allows you to do exactly that: the “/etc/resolver/” folder.

The idea is simple, you just create a folder ( if it doesn’t exist already ) and create a file inside it using the name of the domain that you want to use custom DNS servers. Inside that file you just put the address of the custom DNS servers for that domain and you’re all set!

laptop:resolver xxxXXXxxx$ pwd
/etc/resolver
laptop:resolver xxxXXXxxx$ ls -altr
total 8
drwxr-xr-x  95 root  wheel  3230 Oct 22 09:31 ..
-rw-r--r--   1 root  wheel    51 Oct 22 09:32 netflix.com
drwxr-xr-x   3 root  wheel   102 Oct 22 10:14 .
laptop:resolver xxxXXXxxx$ cat netflix.com
nameserver 46.101.36.120 
nameserver 46.101.149.135
laptop:resolver xxxXXXxxx$

In this case I used the IP addresses of tvunblock but you can try other ones.

Bear in mind that if you use tvunblock, you need to open their website from time to time to keep active your IP address.

Enjoy your improved list of contents 🙂

I’ve been learning a lot about pyQT and definitely started using Sublime as my IDE. There was just one thing that was annoying me, which was the pile of windows that were being left behind each time I called the Build Action in Sublime (I easily forget about closing them).

Fortunately Sublime is so easy and powerful, that changing this behavior was very easy.

First I changed a small file that contains the settings for the Build action for Python (This is the path for OSX, for Windows/Linux it will be different, just google for it):

~/Library/Application Support/Sublime Text 2/Packages/Python/Python.sublime-build

Instead of calling the Python interpreter directly, I’ve piped this to a simple bash script which will handle that. The json file mentioned above contains one child attribute named “cmd”. Change that to a bash script of yours. Don’t forget to keep passing the filename as argument. This is how mine looks like:

“cmd”: [“/usr/local/bin/python-sublime-build”, “$file”]

And this is the content of my python-sublime-build file:

#!/bin/bash
ps -A| grep $1 | grep -v $0 | grep -v grep | cut -d' ' -f1 | xargs kill -9
/usr/local/bin/python -u $1

Aaaaand that’s it. 🙂

There’re lots of different ways of doing it, but this one works for me. I could probably do everything in Sublime without using an external bash script but I’m feeling lazy today 😀

PS: Same principle can be applied to any other language. Just make sure that you edit the sublime build file accordingly (each language has one I think) and have a bash script for it.

A couple of guys asked me to create a simple python script to allow the iClass cards to be read and extract their UID to control a few other devices. I thought of sharing with you since there are a few other people asking for the same on the Internet.

from smartcard.CardType import AnyCardType
from smartcard.CardRequest import CardRequest
from smartcard.util import toHexString, toBytes
from smartcard.CardMonitoring import CardMonitor, CardObserver
from smartcard.util import *
import urllib2
import time
 
class printobserver( CardObserver ):
    """A simple card observer that is notified
    when cards are inserted/removed from the system and
    prints its uids. The code is not pretty but it works!
    """
 
    def update( self, observable, (addedcards, removedcards) ):
        apdu = [0xff, 0xca, 0, 0, 0]
        for card in addedcards:
          try:
            cardtype = AnyCardType()
            cardrequest = CardRequest( timeout=1, cardType=cardtype )
            cardservice = cardrequest.waitforcard()
            cardservice.connection.connect()
            response, sw1, sw2 = cardservice.connection.transmit(apdu)
            tagid = toHexString(response).replace(' ','')
            print tagid
            #urllib2.urlopen("http://your_web_servers_waiting_for_card_data/?uid=%s" % tagid, None, 3)
          except Exception as e:
            print "Exception detected: %s" % e
 
print "Card Monitor started..."
cardmonitor = CardMonitor()
cardobserver = printobserver()
cardmonitor.addObserver( cardobserver )
while True:
  time.sleep(3600)

It was tested using an Omnikey 5321 v2 USB reader and it was working perfectly. I know that I’m doing two calls to the device (the first one detects it and the second one requests the UID) and this could probably be done in a single pass. If you know how to do it, please step forward 🙂

PS: It was also shared on github: https://gist.github.com/zatarra/75df47c8bd5a8d913cb4

During the last days, I’ve been reading a lot about Lucid Dreaming and the several alternatives of accomplishing it. If you google the subject you’l find dozens of tiny gadgets promising the do it, but very few will really help in that because one of the key actions consists in detecting REM (Rapid Eye Movement) which only seem to be possible either by using some EEG equipment to monitor your brain or by analyzing the eye movement during sleep. The second option seems to be too complex for me because I couldn’t find any similar gadget that could be hacked.

And that’s where the Mindflex comes into play. The Mindflex is a toy developed by Mattel which uses a headband to read brainwaves and control games. It uses a processor from Neurosky very similar to the one on their official Development Kit.

Searching for the available options I’ve stumbled upon an awesome post ( http://frontiernerds.com/brain-hack ) describing in detail this little gadget and how to hook it to an arduino. This was almost perfect except that I wanted that this could remain portable and could be connected to any bluetooth enabled device directly.

 

Tools Required:

HC-06 Bluetooth module ( http://www.ebay.com/sch/i.html?_trksid=p2050601.m570.l1313.TR0.TRC0.H0.Xhc-06+module&_nkw=hc-06+module&_sacat=0&_from=R40 )

hc06

HC-06 Bluetooth mobule

Mindflex headband

500x_mindflex_headset

Bluetooth enabled device.

 

The hardware hack is fairly simple. Just connect the Pin1 of the BT dongle to the T pin on the headband, Pin2 to the R pin, Pin3 to GND and Pin4 to VCC. Just two quick side notes:

* I was lazy enough to solder the BT dongle directly to the battery header. To do a perfect job you should remove the pcb and solder the BT dongle to the power switch (so that it can be turned on/off  without removing the batteries).

* Connecting the Pin2 to the R pin is not necessary because we’re just listening  but it doesn’t hurt doing so. We never know when someone might be able to find a new feature that could require it. 🙂

 

To parse the data I had to come up with a python script to do it since I couldn’t find anything ready for use other than the arduino lib:

#!/usr/bin/python
import serial
import sys
 
latestByte  = ('c')
lastByte    = ('c')
inPacket    = False
myPacket    = []
PLENGTH     = 0
 
EEGVALUES    = []
EEGRAWVALUES = []
 
def parsePacket():
  if checksum():
    i=1
    while i < len(myPacket) - 1:
      if ord(myPacket[i]) == 0x02:
        POOR_SIGNAL = ord(myPacket[i+1])
        i += 2
      elif ord(myPacket[i]) == 0x04:
        ATTENTION = ord(myPacket[i+1])
        i += 2
      elif ord(myPacket[i]) == 0x05:
        MEDITATION = ord(myPacket[i+1])
        i += 2
      elif ord(myPacket[i]) == 0x16:
        BLINK_STRENGTH = ord(myPacket[i+1])
        i += 2
      elif ord(myPacket[i]) == 0x83:
        for c in xrange(i+1, i+25, 3):
          EEGVALUES.append(ord(myPacket[c]) << 16 | ord(myPacket[c+1]) << 8 | ord(myPacket[c+2]))
        i += 26
      elif ord(myPacket[i]) == 0x80:
        EEGRAWVALUES = ord(myPacket[i+1]) << 8 | ord(myPacket[i+2])         i += 4     print "%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d" % (POOR_SIGNAL,ATTENTION,MEDITATION,EEGVALUES[0],EEGVALUES[1],EEGVALUES[2],EEGVALUES[3],EEGVALUES[4],EEGVALUES[5],EEGVALUES[6],EEGVALUES[7])   else:     print "Invalid Checksum!" def checksum():   x = 0   for i in range(1, len(myPacket) -1):     x += ord(myPacket[i])   return ~(x&255) & 0b11111111 == ord(myPacket[len(myPacket)-1]) def readCSV():   global myPacket, lastByte, LatestByte, inPacket, PLENGTH   ser = serial.Serial(       port=sys.argv[1],       baudrate=9600,       parity=serial.PARITY_NONE,       stopbits=serial.STOPBITS_ONE,       bytesize=serial.SEVENBITS   )   ser.isOpen()   try:     while 1 :       while ser.inWaiting() > 0:
        latestByte = ser.read(1)
 
        if ord(lastByte) == 170 and ord(latestByte) == 170 and inPacket == False:
          inPacket   = True
 
        elif len(myPacket) == 1:
          myPacket.append(latestByte)
          PLENGTH = ord(myPacket[0])
 
        elif inPacket == True:
          myPacket.append(latestByte)
          if len(myPacket) > 169:
            print "Error: Data Error too long!"
            del myPacket[:]
            inPacket = False
            del EEGVALUES[:]
          elif len(myPacket) == PLENGTH + 2:
            parsePacket()
            del myPacket[:]
            inPacket = False
            del EEGVALUES[:]
 
 
        lastByte = latestByte
 
  except KeyboardInterrupt:
    print('Exiting...')
    if ser.isOpen():
      ser.close();
    sys.exit(0)
 
if len(sys.argv) < 2:
  print "Mindflex datalogger by David gouveia <david.gouveia[at]gmail[dot]com>"
  print "Usage: %s " % sys.argv[0]
  sys.exit(1)
 
readCSV()

This will be the result (tested on OSX):

brain.py output

PS: I know that this script probably looks like crap. Feel free to improve it or check github for an updated version 🙂
https://gist.github.com/zatarra/6d2be801010c7eb844f0

Last Weekend something happened during a morning ride on my bike with some friends and my GPS device turned off for no reason. When I turned it back on I didn’t have the choice of continuing a previous ride and I had to create a new ride.

When I got home and tried to upload the information the Strava I couldn’t find any feature which could let me merge rides and fixe the issue. Instead I ended up having two different rides which really annoyed me.

I started googling around and found someone suggesting that I export the rides and merge the contents of the files. They also suggested that this could be done directly concatenating the files which isn’t true. The trick here is to extract the tracking data from the files (GPX files exported from Strava are XML based) and using the first one as the metadata template.

This was the result of a very simple GPX merger:

#!/usr/bin/env php -q
<?php
/*
* StravaMerger © David Gouveia - http://www.davidgouveia.net
* Simple script to merge tracking data from Strava's exported GPX files.
* The backtrack_limit is there because some files could not be parsed due to their size.
* Feel free to raise the limit but be carrefull not to cross the limit.
* Instead of using regex, I could have used a XML cursor to overcome the backtrack limit
* but either I would have to use the php_xml extension or build my own parser.
*/
ini_set("pcre.backtrack_limit", "10000000");
 
if ( !trim( $argv[1] ) || trim( !$argv[2] ) || sizeof($argv) < 4 )
               die("Usage:\n$argv[0] file1.gpx file2.gpx <fileN.gpx> output.gpx\n" );
 
$segments ="";
 
 
for($i = 1; $i < sizeof($argv) - 1; $i++)
{
        echo "Processing $argv[$i] ...";
        if (!is_file( $argv[$i] ) ) die( "Invalid file: $argv[$i]\n" );
 
        $gpx = file_get_contents( $argv[$i] );
        if ( $i == 1 )  preg_match( "/^(.*?)<trkseg>.*?<\/trkseg>(.*?)$/is", $gpx, $metadata );
        preg_match("/<trkseg>(.*?)<\/trkseg>/ims", $gpx, $matches);
        if( trim( $matches[1] ) )
        {
                $segments .= $matches[1];
                echo "[OK]\n";
        }
        else
                echo "[FAIL]\n";
 
}
 
$output_file = $metadata[1] . "<trkseg>" . $segments . "</trkseg>" . $metadata[2];
 
file_put_contents($argv[sizeof($argv) -1], $output_file) or die( "Unable to create destination GPX\n" );
print "File " . $argv[sizeof($argv) -1] . " successfully created.\n";

I’m going to put an online version of this script to make it easier to use. 😉