PwnPad, The Pentesting Tablet

March 1, 2013 by Brian Benchoff 46 Comments

pwnpad3_1024x1024

Over the last few months, we’ve seen our fair share of pentesting appliances. Whether they’re in the form of a Raspberry Pi with a custom distro, or an innocuous looking Internet-connected wall wart, they’re all great tools for investigating potential security vulnerabilites at home, in the workplace, or in someone else’s workplace. Pwnie Express, manufacturers of pentesting equipment, are now releasing one of the best looking and potentially most useful piece of pentesting equipment we’ve ever seen. It’s called the PwnPad, and it allows you to get your pentesting on while still looking stylish.

Based on Google’s Nexus 7 tablet, the PwnPad combines all the goodies of a really great tablet – the ability to read NFC tags and multiband radios – with open source tools and a USB OTG cable with USB Ethernet, Bluetooth, and WiFi adapters. Everything in the PwnPad is designed for maximum utility for pentesting applications.

Of course, for those of us that already have a $200 Nexus 7, Pwnie Express says they’ll be giving away the source for their software, enabling anyone with knowledge of make to have the same functionality of the PwnPad. Of course you’ll need to get yourself a USB OTG cable and the WiFi, Bluetooth, and Ethernet adapters, but that should only add up to about $100; combined with a $200 Nexus 7, building your own is more than just a bit cheaper than Pwnie Express’ asking pre-order price of $795.

Hacking A Radio Controlled Spy Device For Overly Attached Girlfriend.

February 27, 2013 by Caleb Kraft 47 Comments

This is the first in our series of videos meant to spread the hacking goodness far and wide on the net. As you can see, it is a pretty silly video, hopefully you enjoyed the humor. This wouldn’t be hackaday without an appropriate writeup though!

Initially the idea was to make this as a device that my boss could deploy from his Tesla Model S. Ultimately, we missed the release of SkyFall, so the whole 007 theme seemed a little flat. However, we did just happen to have a wonderful woman in the office that agreed to be an “overly attached girlfriend”. Here’s a link to the meme for those who are unfamiliar. Even though we made her look like a crazy person, she was a great sport about it (Thanks [Stephanie]!).

The Goal was to have a radio controlled device that would send live video and audio to someone and had the ability to plant a small GPS tracker on the undercarriage of a car.

Continue reading “Hacking A Radio Controlled Spy Device For Overly Attached Girlfriend.” →

Mac EFI PIN Lock Brute Force Attack (unsuccessful)

February 26, 2013 by Mike Szczys 82 Comments

[Oliver] wiped the hard drive from a Macbook Pro using the ‘dd’ command on another machine. This does a great job of getting everything off the drive, but he was still faced with the EFI PIN lock protection when he tried to put it back into the Mac. You used to be able to clear the NVRAM to get around this issue, but that exploit has now been patched. So [Oliver] set out to use a microcontroller to brute-force the EFI PIN.

You can read his back story at the link above. He had the chance to enter a 4-digit pin before the format process. Now that he’s wiped the drive the code is at least 6 characters long, which is a lot more possibilities (at least it’s numeric characters only!). To automate the process he programmed this Teensy board to try every possible combination. It worked great on a text editor but sometimes the characters, or the enter command wouldn’t register. He guesses this was some type of protection against automated attackers. To get around the issue he added different delays between the key presses, and between entering each code. This fixed the issue, as you can see in the clip after the break. Unfortunately after two 48-hour runs that tried every code he still hasn’t gained access!

Continue reading “Mac EFI PIN Lock Brute Force Attack (unsuccessful)” →

Dissecting A Firmware Image

February 22, 2013 by Mike Szczys 18 Comments

dissecting-a-firmware-image

[Leland Flynn] did a great job of picking apart the firmware image for a Westell 9100EM FiOS router. Unfortunately he didn’t actually find the information he was looking for. But he’s not quite done poking around yet either. If you have never tried to make sense of an embedded Linux firmware image this serves as a great beginner’s example of how it’s done.

He was turned on to the project after port scanning his external IP and finding a random login prompt which he certainly didn’t set up. Some searching led him to believe this is some kind of back door for Verizon to push automatic firmware updates to his router. He figured why not see if he could yank the credentials and poke around inside of the machine?

He started by downloading the latest firmware upgrade. Running ‘hexdump’ and ‘strings’ gives him confirmation that the image is based on Linux. He’s then able to pick apart the package, getting at just the filesystem portion. His persistence takes him through extracting and decompressing three different filesystems. Even though he now has access to all of those files, broken symlinks meant a dead-end on his login search.

Freezing Android To Crack The Encryption

February 20, 2013 by Mike Szczys 40 Comments

frozen-phone-encryption-hacking

Build a better lock and someone will make a tool to open it without the key. Or in this case they’ve made a tool to discover the key using a trip to through the deep freeze. The Forensic Recovery of Scrambled Telephones — or FROST — uses cold temperatures and a custom recovery image to crack Android encryption keys.

Cold boot hacks go way back. They leverage use of low temperatures to slow down the RAM in a device. In this case, the target phone must already be powered on. Booting a phone that uses the encryption offered by Android 4.0 and newer requires the owner’s pass code to decrypt the user partition. But it then remains usable until the next power cycle. By freezing the phone, then very quickly disconnecting and reconnecting the battery, researchers were able to flash their own recovery image without having the encryption key cleared from RAM. As you can see above, that recovery package can snoop for the key in several different ways.

[Thanks Rob]

HDMI Breakout Lets You Sniff HDCP Crypto Keys

February 18, 2013 by Mike Szczys 31 Comments

There’s two really useful parts to this hack which involves sniffing the HDMI protocol’s HDCP security keys. The first is just getting at the signals without disrupting communications between two HDCP capable devices. To do so [Adam Laurie] started by building an HDMI breakout cable that also serves as a pass-through. The board seen above is known as an HDMI screw terminal board. The image shows one cable connecting to itself during the fabrication process. What he did was cut one end off of an HDMI cable, then used a continuity tester to figure out which screw terminal connects with which bare wire. After all the wires are accounted for the end with the plug goes to his TV, with a second cable connecting between the board’s socket and his DVD player.

The rest of his post is dedicated to sniffing the security keys. His weapon of choice on this adventure turns out to be a Bus Pirate but it runs a little slow to capture all of the data. He switches to a tool of his own design, which runs on a 60MHz PIC32 demo board. With it he’s able to get the keys which make decrypting the protected data possible.

Turning An $8 RFID Reader Into Something Useful

February 16, 2013 by Brian Benchoff 37 Comments

[Fabien] ran across a very, very inexpensive RFID reader on Deal Extreme a while ago and with money to burn, added it to his cart. When the USB RFID reader arrived, he noticed something fairly odd about it (French, Traduction). The RFID reader presented itself to his computer as a USB HID device that spit out characters into a text editor whenever an RFID card was waved above the coil. The only problem was these characters weren’t the hex values recorded on the RFID card. So what’s going on here?

As it turns out (Anglais), this random piece of Chinese electronica sends 10 bytes of data to the computer, just like this well-documented RFID reader. Apparently, both these RFID readers take the hex value of an RFID card, convert those bytes to base 10, and pass each digit through a lookup table. Exactly why it does this is anyone’s guess, but since [Fabien] figured out how it worked, he could also figure out how to reverse the process.

Unfortunately, the RFID reader in question is currently out of stock at Deal Extreme. Seeing as how most of the electronics available there are remarkably similar and differ only in the name printed on the enclosure, though, we wouldn’t be surprised if a nearly identical RFID reader was available elsewhere.