What is hacking and what is network engineering? We’re not sure where exactly to draw the lines, but [Artem]’s writeup of pivoting is distinctly written from the (paid) hacker’s perspective.
Once you’re inside a network, the question is what to do next. “Pivoting” is how you get from where you are currently to where you want to be, or even just find out what’s available. And that means using all of the networking tricks available. These aren’t just useful for breaking into other people’s networks, though. We’ve used half of these tools at one time or another just running things at home. The other half? Getting to know them would make a rainy-day project.
Is there anything that
socat can’t do? Maybe not, but there are other tools (
Rpivot) that will let you do it easier. You know how clients behind a NAT firewall can reach out, but can’t be reached from outside?
ssh -D will forward a port to the inside of the network. Need to get data out? There’s the old standby
iodine to route arbitrary data over DNS queries, but [Artem] says
dnscat2 works without root permissions. (And this code does the same on an ESP8266.)
Once you’ve set up proxies inside, the tremendously useful
proxychains will let you tunnel whatever you’d like across them. Python’s
pty shell makes things easier to use, and
tsh will get you a small shell on the inside, complete with file-transfer capabilities.
Again, this writeup is geared toward the pen-testing professional, but you might find any one of these tools useful in your own home network. We used to stream MP3s from home to work with some (ab)use of
ssh. We keep our home IoT devices inside our own network, and launching reverse-proxies lets us check up on things from far away without permanently leaving the doors open. One hacker’s encrypted tunnel is another man’s VPN. Once you know the tools, you’ll find plenty of uses for them. What’s your favorite?
Thanks [nootrope] for the indirect tip!
[Nathan] is a mobile application developer. He was recently debugging one of his new applications when he stumbled into an interesting security vulnerability while running a program called Charles. Charles is a web proxy that allows you to monitor and analyze the web traffic between your computer and the Internet. The program essentially acts as a man in the middle, allowing you to view all of the request and response data and usually giving you the ability to manipulate it.
While debugging his app, [Nathan] realized he was going to need a ride soon. After opening up the Uber app, he it occurred to him that he was still inspecting this traffic. He decided to poke around and see if he could find anything interesting. Communication from the Uber app to the Uber data center is done via HTTPS. This means that it’s encrypted to protect your information. However, if you are trying to inspect your own traffic you can use Charles to sign your own SSL certificate and decrypt all the information. That’s exactly what [Nathan] did. He doesn’t mention it in his blog post, but we have to wonder if the Uber app warned him of the invalid SSL certificate. If not, this could pose a privacy issue for other users if someone were to perform a man in the middle attack on an unsuspecting victim.
[Nathan] poked around the various requests until he saw something intriguing. There was one repeated request that is used by Uber to “receive and communicate rider location, driver availability, application configurations settings and more”. He noticed that within this request, there is a variable called “isAdmin” and it was set to false. [Nathan] used Charles to intercept this request and change the value to true. He wasn’t sure that it would do anything, but sure enough this unlocked some new features normally only accessible to Uber employees. We’re not exactly sure what these features are good for, but obviously they aren’t meant to be used by just anybody.
Your web traffic is being logged at many different levels. There are a few different options to re-implement your privacy (living off the grid excluded), and the Tor network has long been one of the best options. But what about when you’re away from you home setup? Adafruit has your back. They’ve posted a guide which will turn a Raspberry Pi into a portable Tor proxy.
The technique requires an Ethernet connection, but these are usually pretty easy to come by in hotels or relatives’ homes. A bit of work configuring the Linux network components will turn the RPi into a WiFi access point. Connect to it with your laptop or smartphone and you can browse like normal. The RPi will anonymize the IP address for all web traffic.
Leveraging the Tor network for privacy isn’t a new subject for us. We’ve looked at tor acks that go all the way back to the beginnings of Hackaday. The subject comes and goes but the hardware for it just keeps getting better!
As weird as it might sound, there’s a way to use Google documents as a web proxy. The image above is a screenshot of [Antonio] demonstrating how he can view text data from any site through the web giant’s cloud applications. Certain sites may be blocked from your location, but the big G can load whatever it wants. If all you need is the text, then so can you.
The hack takes advantage of the =IMPORTDATA() function of Google Spreadsheet. We guess the command is meant to make import of XML data possible, but hey, that’s pretty much what HTML data is too, right? But what good it the raw webpage code in a spreadsheet? This is where [Antonio] made a pretty brilliant leap in putting this one together. He authored a bookmarklet that provies a navigation interface, hides the raw code which is stored in the spreasheet, and renders it in the browser. This ties together a user supplied URL, reloading data on the hidden spreadsheet and refreshing the window as necessary. See for yourself in the clip after the break.
Continue reading “Using Google documents as a web proxy”
[Pete] has an iPhone 4s and loves Siri, but he wishes she had some more baked-in capabilities. While the application is technically still in beta and will likely be updated in the near future, [Pete] wanted more functionality now.
Since Apple isn’t known for their open architecture, he had to get creative. Knowing how Siri’s commands are relayed to Apple thanks to the folks at Applidium, he put together a proxy server that allows him to intercept and work with the data.
The hack is pretty slick, and doesn’t even require a jailbreak. A bit of DNS and SSL trickery is used to direct Siri’s WiFi traffic through his server, which then relays the commands to Apple’s servers for processing. On the return trip, his server interprets the data, looking for custom commands he has defined.
In the video below, he gives a brief overview of the system, then spends some time showing how he can use Siri to control his WiFi enabled thermostat. While the process only works while Siri is connected to his home network via WiFi, it’s still pretty awesome.
Continue reading “Siri proxy adds tons of functionality, doesn’t require a jailbreak”
Many G1/ADP1 owners have been using the app Tetherbot to get internet access on their laptop via USB to the phone’s data connection. The app relied on the Android Debug Bridge to forward ports. It worked, but people wanted a solution better than a SOCKS proxy. The community figured out a way to create a properly NAT’d connection using iptables and then [moussam] rolled them up into easy to use applications. There’s one for setting up a PAN device on Bluetooth and another for adhoc WiFi networking. It requires you to have root on your phone, but hopefully you’ve achieved that and are already running the latest community firmware.
tircd is an ircd proxy for talking to the Twitter API. It should work with any standard IRC client. After running the Perl script, you authenticate to the IRC server using your Twitter username as your /nick. Join the room #twitter and the /topic will be set to your last update. Any message you type will update Twitter and the room’s topic. All of the people you are following show up in the room as users and post messages as they tweet. If you private message one of them, it will become a direct message on Twitter. Other commands work too: /whois to get a person’s bio, /invite to start following, and /kick to unfollow. The project is brand new and will be added new features in the future like Search API support. Follow @tircd for updates.