A friend of mine told me that he was going to do a presentation about the famous Rubber Ducky.

For those of you who don’t know, the Rubber Ducky is a USB dongle that emulates a keyboard while disguised as a flash drive.

rubber-ducky

Obviously, this is the perfect tool for a social engineering experiment, but at 44 USD it is a bit pricey given that a few other devices can do something similar for less than a quarter of the price.

Today I’m going to talk about one of those alternatives: The Arduino Beetle.

arduino-beetle

The Arduino Beetle is a tiny board based on the ATmega32U4, the same microcontroller you find in the Arduino Leonardo. It supports USB without any external components, which makes it a very good option for building these miniature dongles.


For this reason, creating Arduino sketches that emulate a keyboard is quite trivial. In fact, it is so easy that it makes this tool look a bit pointless. Nevertheless, I decided to create a small tool that lets you convert and use the existing Rubber Ducky payloads with this little device.


How to use it?

  1. Pick a payload you like and save it to a file. For instance this one: https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payload—osx-youtube-blaster
  2. Call rubberduino-convert and pass the payload file as the first argument. Pipe the output to a new file.
  3. Open your favourite Arduino IDE and paste in the contents of the file you just created.
  4. Upload the sketch to your Arduino Leonardo/Beetle.
  5. Enjoy 🙂


Issues

This is a very alpha version and the code is not polished at all. Even though it works pretty well, there are a few issues:

  • Symbol handling – Special symbols depend on the keyboard layout you are using. Currently it works with Portuguese layouts, but it needs to be adjusted if you have a different one. The way I did it was to run a test sketch that shows the output of each char ID between 1 and 100. I then picked them out and created a dictionary called symbol_ids inside the Python module to map each char (e.g. {“/”: 39, “ç”: 11, “&”: 24} and so on).
  • The sketches are loooooong – Because of the issue above, I have to rely on Keyboard.write to send one char at a time. This makes the sketches look big and uncomfortable to troubleshoot, but it was the easiest way for me to do it. Feel free to improve it. This has since been improved by 15% (the size of the compiled sketch).
  • Delay handling – Payloads can be written either with a default DELAY that applies between actions or with delays added explicitly to the code. Currently I always add a DELAY between actions, which means I may be introducing more delays than I should (e.g. when the payload already has them).

Feel free to check out the code here: https://github.com/zatarra/rubberduino

You can get the Beetle for less than $6 on AliExpress (thanks deine0ma!).

PS: You can follow an interesting discussion on reddit.

Netflix launched here in Portugal one day ago. I was really excited because I was finally going to be able to get an account and start enjoying all the content they have to offer.

That was until I checked the catalog…

Currently the catalog has 354 movies or TV shows, which is a very poor selection. I didn’t want to turn to VPNs or DNS services that route traffic through their servers, but unfortunately I had no choice. Since I work in security, I know how these things can go south, as people found out recently.

But the truth is that I need to trust a foreign node at some point, because without a US IP address Netflix won’t show me the full catalog. Searching for “netflix” and “DNS”, the first link that popped up seemed exactly what I was looking for, except that I didn’t want to use their DNS servers for all my requests (again, security bells ringing): that is a vector for pharming attacks.

So the idea was to use one of those DNS providers that route traffic through their servers whenever we want to reach Netflix, but only for Netflix-related requests. Sure, I could just set up a DNS server with a custom zone for Netflix, but that seemed like overkill. That is how I discovered that OS X supports a feature that allows exactly that: the “/etc/resolver/” folder.

The idea is simple: create the folder (if it doesn’t exist already) and create a file inside it named after the domain you want to use custom DNS servers for. Inside that file, put the addresses of the custom DNS servers for that domain and you’re all set!

laptop:resolver xxxXXXxxx$ pwd
/etc/resolver
laptop:resolver xxxXXXxxx$ ls -altr
total 8
drwxr-xr-x  95 root  wheel  3230 Oct 22 09:31 ..
-rw-r--r--   1 root  wheel    51 Oct 22 09:32 netflix.com
drwxr-xr-x   3 root  wheel   102 Oct 22 10:14 .
laptop:resolver xxxXXXxxx$ cat netflix.com
nameserver 46.101.36.120 
nameserver 46.101.149.135
laptop:resolver xxxXXXxxx$

In this case I used the IP addresses of tvunblock, but you can try others.

Bear in mind that if you use tvunblock, you need to open their website from time to time to keep your IP address active.
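As an added example (not from the original post), the same file can be produced by a script that validates the domain name and the server addresses before writing anything, so a typo cannot leave the domain unscoped or drop a file somewhere else under /etc. The `resolver_dir` parameter is an assumption made so it can be tried in a scratch directory first.

```python
import ipaddress
import os
import re
from pathlib import Path

# Added example, not part of the original post: writes a per-domain resolver
# file in the one-"nameserver"-per-line format macOS reads from
# /etc/resolver/<domain>. The directory is a parameter so the function can be
# exercised in a scratch directory before touching the real one (needs root).
DEFAULT_RESOLVER_DIR = Path("/etc/resolver")

# One or more DNS labels: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def is_valid_domain(domain):
    """Reject anything that is not a hostname, so '../x' or 'a/b' can never become a path."""
    return bool(_DOMAIN_RE.match(domain))


def render_resolver_file(nameservers):
    """Validate every nameserver as an IP address and return the file body."""
    addrs = [ipaddress.ip_address(ns.strip()) for ns in nameservers]  # ValueError on junk
    if not addrs:
        raise ValueError("at least one nameserver is required")
    return "".join(f"nameserver {addr}\n" for addr in addrs)


def write_domain_resolver(domain, nameservers, resolver_dir=DEFAULT_RESOLVER_DIR):
    """Create <resolver_dir>/<domain> so that only this domain uses these servers."""
    domain = domain.strip().lower().rstrip(".")
    if not is_valid_domain(domain):
        raise ValueError(f"not a valid domain name: {domain!r}")
    body = render_resolver_file(nameservers)
    resolver_dir = Path(resolver_dir)
    resolver_dir.mkdir(parents=True, exist_ok=True)
    target = resolver_dir / domain
    tmp = resolver_dir / f".{domain}.tmp"
    tmp.write_text(body)
    os.replace(tmp, target)  # atomic rename: the resolver never sees a half-written file
    return target
```

Note that dig and nslookup talk to the servers in /etc/resolv.conf directly and ignore this directory; check the scoped resolver with `scutil --dns` or `dscacheutil -q host -a name www.netflix.com` instead.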

Enjoy your improved list of contents 🙂

A couple of guys asked me to create a simple Python script that reads iClass cards and extracts their UID in order to control a few other devices. I thought I’d share it with you, since there are a few other people asking for the same thing on the Internet.

from smartcard.CardType import AnyCardType
from smartcard.CardRequest import CardRequest
from smartcard.util import toHexString
from smartcard.CardMonitoring import CardMonitor, CardObserver
import time
# import urllib.request  # only needed if you forward the UID to a web server

# PC/SC "GET DATA" APDU (CLA=FF INS=CA P1=00 P2=00 Le=00): asks the reader for
# the UID of the card currently in the field.
GET_UID = [0xFF, 0xCA, 0x00, 0x00, 0x00]


class printobserver(CardObserver):
    """A simple card observer that is notified when cards are inserted into or
    removed from the system and prints their UIDs. The code is not pretty but
    it works!
    """

    def update(self, observable, handlers):
        addedcards, removedcards = handlers
        for card in addedcards:
            try:
                # Second round-trip to the reader: wait for the card and connect to it.
                cardrequest = CardRequest(timeout=1, cardType=AnyCardType())
                cardservice = cardrequest.waitforcard()
                cardservice.connection.connect()
                response, sw1, sw2 = cardservice.connection.transmit(GET_UID)
                if (sw1, sw2) != (0x90, 0x00):
                    print("Reader returned status %02X %02X, no UID" % (sw1, sw2))
                    continue
                tagid = toHexString(response).replace(' ', '')
                print(tagid)
                # urllib.request.urlopen("http://your_web_servers_waiting_for_card_data/?uid=%s" % tagid, None, 3)
            except Exception as e:
                print("Exception detected: %s" % e)


print("Card Monitor started...")
cardmonitor = CardMonitor()
cardobserver = printobserver()
cardmonitor.addObserver(cardobserver)
while True:
    time.sleep(3600)  # the monitor runs in its own thread; just keep the process alive

It was tested using an Omnikey 5321 v2 USB reader and it worked perfectly. I know that I’m making two calls to the device (the first one detects it and the second one requests the UID) and this could probably be done in a single pass. If you know how to do it, please step forward 🙂

PS: It was also shared on github: https://gist.github.com/zatarra/75df47c8bd5a8d913cb4

Last weekend I decided to create a new Android application. The idea is very simple: all I wanted was something that could show me which football matches were going to be aired by the TV channels available in Portugal. There are some websites with this information, but I wanted something easier to use. And that is how this tiny app was born.

Main screen from Futebol na TV

It is very simple to use. All you have to do is make sure you have Internet access and press the refresh button. That’s it 🙂

OK, this is going to be a simple post. There is another way to disable the PT-WIFI hotspot on your router, and all you need is a telnet client.

1. Connect via telnet to the router’s IP address. Use the username sumeo and the password bfd,10ng

telnet 192.168.1.254

2. Run the following commands:

wireless
mssid
iflist

At this point the list of SSIDs broadcast by your router will be displayed. In theory there should be three (two for PT-WIFI and one for your own network).

To delete one, use the ifdelete command with the following syntax:

ifdelete ssid_id = <ssid> radio_id = <radio>

The only value that changes is the ssid, because the radio (which identifies the associated network card) is always the same: 0. SSIDs start at zero, which means that to delete the third one you would use the following command:

ifdelete ssid_id = 2 radio_id = 0

So just delete them all and, at the end, save the configuration with:

saveall

And finally exit:

exit

If you run a blog, you are probably one of the people affected by spam originating from the servers of a company called UbiquityServers. If you google it you will find hundreds of complaints, and unfortunately it seems that the people at UbiquityServers will always look the other way on this issue.

I have searched for all the subnets registered to UbiquityServers and here are the results. Just open your .htaccess and add this to it:


# Apache 2.2 (mod_authz_host) syntax. A blacklist needs "order allow,deny":
# with "order deny,allow", the final "allow from all" would override every deny.
# "deny from" accepts single addresses, partial addresses and network/mask or
# CIDR blocks, not first-last ranges, so each range is written as a CIDR block.
order allow,deny

deny from 70.32.32.0/24
deny from 69.147.236.0/24
deny from 64.120.2.0/24
deny from 173.208.32.0/21
deny from 64.120.16.0/22
deny from 173.234.12.0/22
deny from 23.19.32.0/22
deny from 173.234.88.0/23
deny from 108.62.56.0/21
deny from 173.234.80.0/22
deny from 23.19.168.0/22
deny from 70.32.34.0/24
deny from 174.34.151.0/24
deny from 174.34.144.0/23
deny from 173.234.180.0/22
deny from 64.120.4.0/22
deny from 173.234.188.0/24
deny from 108.62.192.0/22
deny from 108.62.152.0/21
deny from 23.19.80.0/22
deny from 23.19.84.0/22
deny from 108.62.200.0/22
deny from 108.62.252.0/22
deny from 23.19.124.0/22
deny from 23.19.128.0/22
deny from 23.19.248.0/22
deny from 23.19.184.0/22
deny from 23.19.216.0/22

# Servers @ Nobis (related to UbiquityServers)

deny from 70.32.32.0/20
deny from 67.201.48.0/23
deny from 72.37.145.0/24
deny from 173.208.0.0/17
deny from 69.174.60.0/22
deny from 174.34.128.0/18
deny from 173.234.0.0/16
deny from 108.62.0.0/16
deny from 72.37.224.0/21
deny from 23.19.0.0/16
deny from 72.37.237.0/24
deny from 72.37.218.0/23
deny from 72.37.222.0/23
deny from 72.37.221.0/24
deny from 67.201.0.0/21
deny from 72.37.242.0/23
deny from 67.201.40.0/24
deny from 72.37.246.0/23
deny from 216.6.224.0/20
deny from 72.37.204.0/24
deny from 69.147.224.0/19
deny from 64.120.0.0/17

allow from all

You can check them one by one to confirm, but these are all correct. Say goodbye to UbiquitySpam 🙂
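An added example, not part of the original post, that does the range-to-CIDR conversion Apache’s deny lines require and lets you check an address taken from your access log against the same list; the range text embedded in it is a constructed subset of the list above.

```python
import ipaddress

# Added example, not part of the original post. Apache's "Deny from" accepts a
# single address, a partial address or a network/mask (CIDR) block, never a
# "first-last" range, so whois-style ranges must be converted before they go
# into .htaccess. SAMPLE_RANGES is a constructed subset of the post's list.
SAMPLE_RANGES = """
# Servers @ Nobis (related to UbiquityServers)
70.32.32.0-70.32.47.255
173.208.32.0-173.208.39.255
72.37.218.0-72.37.219.255
"""


def range_to_cidrs(spec):
    """Turn 'a.b.c.d-e.f.g.h' (or a bare address) into the minimal CIDR list covering it."""
    first, sep, last = spec.partition("-")
    lo = ipaddress.ip_address(first.strip())
    hi = ipaddress.ip_address(last.strip()) if sep else lo
    if hi < lo:
        raise ValueError(f"range is backwards: {spec!r}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def _iter_ranges(text):
    """Yield the non-empty, non-comment lines of a range list."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def render_htaccess(ranges):
    """Render a blacklist that Apache 2.2 mod_authz_host actually enforces.

    The blacklist form is "order allow,deny" + "allow from all" + deny lines;
    with "order deny,allow" a trailing "allow from all" overrides every deny.
    """
    out = ["order allow,deny", "allow from all"]
    for spec in _iter_ranges(ranges):
        out.extend(f"deny from {cidr}" for cidr in range_to_cidrs(spec))
    return "\n".join(out) + "\n"


def is_blocked(ip, ranges):
    """Check one client address against the same list, e.g. while triaging logs."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for spec in _iter_ranges(ranges)
               for cidr in range_to_cidrs(spec))


if __name__ == "__main__":
    print(render_htaccess(SAMPLE_RANGES), end="")
```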

While testing port forwarding into my internal network, I discovered a series of frightening facts.

This has probably already been discussed all over the Internet, but I had never noticed it. Anyone with a Thomson TG784n wireless router should know that, by default, the administration console is reachable from the outside and, as if that were not enough, the access credentials are static and the same for everyone! That is, instead of generating random passwords the way they do for the wireless keys, they decided to ship everyone with the passwords 3!play and meo for the Administrator and meo accounts respectively.

I then decided to sweep the small subnet I was on and found something even more frightening: this situation is GENERAL across all of them (OK, maybe not all, but at least the Thomson and Zyxel units I tested were)!

Owners of Zyxel routers supplied by Sapo not only have similar access credentials but are also treated to all the information about their Internet and Wi-Fi access credentials laid out for anyone to see! Just type https://[your external IP] to be faced with something like this:

On closer inspection of the source code, it is possible to see that the Internet access password is encrypted, but the username is not! WORSE... the wireless access key is not encrypted, as you can see in this image, which seriously compromises the security of the network!


And this is only what jumps out immediately, since there are other kinds of possibilities, such as discovering the network topology, listening in on the network itself (aka sniffing) or even using that network as a tunnel to carry out other kinds of illicit tasks against third parties.

My advice is: if you own any equipment acquired from an ISP, then either change the access credentials or block access to the management interface from devices outside the network.

Don’t say I didn’t warn you!

As a sysadmin, I should always search for and check errors on every machine I manage. Unfortunately one of them has an Adaptec 5405 that I forgot to monitor with Nagios, and just like Murphy’s Law says – “Anything that can go wrong will go wrong” – something went wrong and I lost data. Not a really big problem, because I have backups of everything, but it could have been avoided if I had monitored the status of the Adaptec the way I do with software RAID arrays (/proc/mdstat rules!).

So I wrote another simple script in Perl (again 😛) to check the status of all the available arrays.

#!/usr/bin/perl -w
# Nagios check for Adaptec controllers: walks every logical device reported
# by arcconf and exits non-zero as soon as one is not "Optimal".
use strict;
use warnings;

my $adaptec_tool = "/usr/src/cmdline/arcconf";

# Controller 1, logical devices only. arcconf normally needs root, so run
# this through sudo (or an NRPE entry with the right permissions).
my $dump = `$adaptec_tool getconfig 1 ld`;
my @raids = ();

# Each logical device block lists, in this order, its name, RAID level and
# status. Names are matched as a single alphanumeric token.
while ($dump =~ /Logical device name.*?:.*?([a-z0-9]+).*?raid level.*?:.*?([0-9]+).*?status of logical device.*?:.*?([a-z0-9]+)/gsi) {
        push @raids, {"name" => $1, "raidlevel" => $2, "status" => $3};
}

# No arrays parsed usually means arcconf failed or is missing: report UNKNOWN
# instead of a false OK.
if (!@raids) {
        print "UNKNOWN: no logical devices found in arcconf output\n";
        exit(3);
}

foreach my $raid (@raids)
{
        if ( $$raid{status} ne "Optimal" )
        {
                print "Critical: Raid not Optimal! (Array Name: $$raid{name}, Level: $$raid{raidlevel}, Status: $$raid{status})\n";
                exit(2);   # Nagios exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN
        }
}

print "OK: All arrays in optimal shape\n";
exit (0);

You just need to download the “Adaptec Storage Manager” to connect to the RAID card and read the status. You can use this link to do it.

I believe I have found a vulnerability in ClipBucket 2.0.6 (I haven’t tested prior versions).

ClipBucket is a free, open source script that lets you start your own video sharing (YouTube clone) website in a matter of minutes. It is the fastest-growing script with the most video sharing and social networking features.
Current version: 2.0.6

Summary:
The script handling the search feature does not sanitize user input properly, making XSS attacks possible.

Proof of Concept:

Use the search box of your ClipBucket 2.0.6 installation and input:

 <script>alert(document.cookie);</script>

This will produce an alert with the contents of your cookie.

Problem:
$search->key in search_result.php (line 18) is assigned directly to the title of the search page without sanitizing its value first.

$search->key = $_GET['query'];

Workaround:
Open search_result.php and go to line 39:

Replace this:

Assign('search_type_title',sprintf(lang('searching_keyword_in_obj'),$search->key,$search->search_type[$type]['title']));

By this:

Assign('search_type_title',sprintf(lang('searching_keyword_in_obj'),htmlentities($search->key),$search->search_type[$type]['title']));

The ClipBucket team has already been notified and the bug was corrected. Either apply this patch or upgrade to version 2.0.7.

Nowadays, more and more often, you need to register an account on a given portal or forum in order to access its contents.

There are two ways to quickly access a forum/portal without going through the painful process of registering accounts:

– BugMeNot.
– UserAgent Switch.

BugMeNot is a portal that lets you obtain a username and password for sites that ask for personal information as a condition of access. The passwords are submitted and shared by the service’s users.
Besides being able to consult the BugMeNot portal to find login credentials, there is also a Firefox extension that makes things much more convenient: just right-click the login box of the desired website and select the option “Login with BugMeNot”.

There is also another way to access private areas without registering accounts, although it does not always work: changing the browser’s user agent.

The user-agent is a piece of text that identifies the browser or the software being used to access a given page. Anyone using IE8 sends something like this every time they access a page:

Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.2; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)

It turns out that the software search engines use to crawl pages has its own user-agent, and this is often allowed in without entering credentials so that it can index the pages for the search engine. The trick, then, is to swap the browser’s user-agent for one used by search engines to index pages, such as:

Googlebot/2.1 (+http://www.google.com/bot.html)

To make this switch, you can use a Firefox extension such as User-Agent Switcher.


With this extension, you can simulate several different browsers or pieces of software.

You can consult a fairly extensive list of identifiers here.
You can download BugMeNot here.
You can download User-Agent Switcher here.
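From the defender’s side, the trick above works only because the site trusts the User-Agent string on its own. As an added example (not part of the original post), here is the reverse-then-forward DNS verification that Google documents for telling a real crawler apart from a browser wearing its user-agent; the DNS records in it are constructed sample data and the resolver functions are injectable so it runs without network.

```python
import ipaddress
import socket

# Added example, not part of the original post: the server-side counterpart to
# the user-agent trick. A visitor claiming to be Googlebot is trusted only if
# its address reverse-resolves to a googlebot.com / google.com host AND that
# host forward-resolves back to the same address. The resolver functions are
# injectable so the check can be exercised with the constructed records below.
TRUSTED_SUFFIXES = (".googlebot.com", ".google.com")
SAMPLE_GOOGLEBOT_UA = "Googlebot/2.1 (+http://www.google.com/bot.html)"

# Constructed sample DNS data (documentation address ranges, not real crawlers).
SAMPLE_PTR = {
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com",   # genuine-looking crawler
    "203.0.113.5": "googlebot.com.attacker.example",      # suffix spoof attempt
    "203.0.113.9": "crawl-198-51-100-7.googlebot.com",    # forged PTR, wrong forward
}
SAMPLE_A = {
    "crawl-198-51-100-7.googlebot.com": "198.51.100.7",
    "googlebot.com.attacker.example": "203.0.113.5",
}


def sample_reverse(ip):
    """Mimic socket.gethostbyaddr(): (hostname, aliases, addresses) or socket.herror."""
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip], [], [ip]


def sample_forward(host):
    """Mimic socket.gethostbyname(): address string or socket.gaierror."""
    if host not in SAMPLE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return SAMPLE_A[host]


def is_verified_googlebot(ip, user_agent,
                          reverse=socket.gethostbyaddr, forward=socket.gethostbyname):
    """True only for a Googlebot user agent whose IP passes the reverse+forward check."""
    if "Googlebot" not in user_agent:
        return False
    try:
        addr = ipaddress.ip_address(ip)
        host = reverse(str(addr))[0].rstrip(".").lower()
        if not host.endswith(TRUSTED_SUFFIXES):
            return False          # PTR points somewhere Google does not control
        return ipaddress.ip_address(forward(host)) == addr
    except (ValueError, OSError):  # malformed address, NXDOMAIN, resolver timeout
        return False
```

Only visitors that pass this check should get the crawler’s credential-free view; everyone else, whatever their user-agent says, goes through the normal login.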