Raspberry Pi As A Plug-in Hash Harvester


Plug in the power and Ethernet and this Raspberry Pi board will automatically collect Windows hashes from computers on the network. With a couple of RPi boards on hand, [Travis] was searching for more hacks to try with them. This made a great little test to see how the board performs with the well-established attack.

To start he booted into the standard Raspbian distribution. From there he loads the Metasploit framework, which brings most of the necessary tools into play. It uses the Web Proxy Auto-Discovery Protocol (WPAD) to request hashes from any Windows machines listening on the network. Some versions of Windows respond with LM hashes, others don’t. The importance of this and the particulars of using rainbow tables to crack the hashes is explained in this article on the subject.

We wouldn’t mind having a little hardware hack that adds a couple of LEDs to the GPIO header so you know when the RPi is done collecting the data.

Cracking A SAM7XC Cryptographic Coprocessor


[Adam Laurie] spent time tearing into the security of the SAM7XC chip produced by Atmel. Even if he hadn’t found some glaring security holes, just reading about his methodology is worth it.

The chip is used in a secure RFID system, where it does the heavy lifting required for the encryption. [Adam] grabbed a couple of open source libraries to put it to the test. The firmware is locked down pretty tight, but his explorations into the contents of the RAM yield a treasure trove of bits. After investigating the sample code for the chip he’s shocked to learn that it uses RAM to store the keys at one point. The rest of his journey has him dumping the data and sifting through it until he gets to the “Master Diversification Key”. That’s the big daddy which will let him decrypt any of the tags used.

He reported his findings to Atmel in September of 2011. Their response is that they have no way of protecting RAM from exploit. [Adam] asserts that the problem is that the sample software wasn’t designed with the vulnerability of RAM in mind. The keys should never be stored there specifically because it is vulnerable to being dumped from a running system.

Turning The Belkin WeMo Into A Deathtrap

The Belkin WeMo is a small, WiFi connected outlet controlled by a mobile device that adds Internet control to a desk lamp, coffee maker, or, if you’re feeling daring, your home server. It’s an interesting device, but of course there are a few security implications of having your electric kettle connected to the Internet. [Daniel] was able to get root on his Belkin WeMo and with full control of his Internet-connected outlet was able to turn it into a deathtrap.

[Daniel] says his exploit could be developed into a virus that will scan for WeMo devices. Once these Internet-connected devices are found, it’s easy to turn these devices on and off really fast; something not too dangerous for a desk lamp, but potentially lethal if it’s plugged into a space heater.

In the video after the break, you can see [Daniel] exploiting the WeMo with a flaw in its UPnP implementation. There’s footage of his terminal hacking and of his desk lamp being turned on and off really fast, something that could be very dangerous for higher current devices.


A Look At The (now Patched) Security Of [Kim Dotcom’s] MEGA Cloud Storage Service


MEGA is a new, encrypted cloud storage system founded by [Kim Dotcom] of MegaUpload fame. They’re selling privacy in that the company won’t have the means to decrypt the data stored by users of its service. As with any software project, their developers are rapidly making improvements to the user interface and secure underpinnings. But it’s fun when we get some insight about possible security problems. It sounds like the issue [Marcan] wrote about has been fixed, but we still had a great time reading his post.

The article focuses on the hashes that the website uses to validate data being pulled in from non-SSL sources by some JavaScript. Those insecure sources are a CDN, so this type of verification is necessary to make sure that the third-party network hasn’t been compromised as part of an attack on the MEGA site. The particular security issue came from the hashes being generated using CBC-MAC. [Marcan] asserts that this construction is not adequate for the application it’s being used for and goes on to post a proof-of-concept of how the messages can be forged while retaining a hash that will validate as authentic.
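Why a raw CBC-MAC is the wrong tool for checking a variable-length file fetched from an untrusted CDN, as an added example that is not code from the post or from MEGA. A real CBC-MAC chains a block cipher such as AES; to keep this runnable with the standard library alone, the keyed per-block function is stood in for by HMAC-SHA256 truncated to 16 bytes (an assumption of this example that does not change the chaining structure the weakness depends on). The key and messages are constructed values. The second half shows the check a page should do instead: compare a collision-resistant digest of the whole file against a value pinned in the page itself.

```python
"""Added example: raw CBC-MAC over variable-length data versus a pinned hash.

A real CBC-MAC chains a block cipher (AES). To stay runnable with only the
standard library, the per-block keyed function F_k below is HMAC-SHA256
truncated to 16 bytes; that substitution is an assumption of this example and
does not change the chaining structure the weakness depends on.
"""
import hashlib
import hmac

BLOCK = 16
KEY = b"constructed-key!"        # constructed 16-byte key for the demo
M1 = b"first block....."         # constructed 16-byte message
M2 = b"second block...."         # constructed 16-byte message


def _f(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher call E_k(block) (see module docstring)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key: bytes, msg: bytes) -> bytes:
    """Raw CBC-MAC: zero IV, no length prefix, no final-block tweak.
    The tag is simply the last chaining value."""
    if len(msg) % BLOCK:
        raise ValueError("message must be a whole number of blocks")
    t = bytes(BLOCK)
    for i in range(0, len(msg), BLOCK):
        t = _f(key, _xor(t, msg[i:i + BLOCK]))
    return t


def forge_from_two_tags(m1: bytes, t1: bytes, m2: bytes, t2: bytes):
    """Given two single-block messages with their tags, build a two-block
    message that carries tag t2. No key is needed: the second block is chosen
    so that the chaining value t1 cancels and F_k sees m2 again."""
    return m1 + _xor(m2, t1), t2


def forgery_verifies(key: bytes = KEY, m1: bytes = M1, m2: bytes = M2) -> bool:
    """True when the raw CBC-MAC check accepts the constructed message."""
    forged, tag = forge_from_two_tags(m1, cbc_mac(key, m1), m2, cbc_mac(key, m2))
    return cbc_mac(key, forged) == tag


def pinned_hash_check(data: bytes, pinned_sha256_hex: str) -> bool:
    """What a page should do with content from an untrusted CDN: compare a
    collision-resistant digest of the whole file against a value pinned in the
    page itself (which is served over TLS). There is no chaining to exploit."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, pinned_sha256_hex)


def pinned_check_rejects_forgery(key: bytes = KEY, m1: bytes = M1, m2: bytes = M2) -> bool:
    """True when the pinned-digest check refuses the same constructed message."""
    forged, _ = forge_from_two_tags(m1, cbc_mac(key, m1), m2, cbc_mac(key, m2))
    pinned = hashlib.sha256(m2).hexdigest()   # the operator pinned the digest of m2
    return not pinned_hash_check(forged, pinned)


if __name__ == "__main__":
    print("raw CBC-MAC accepts the constructed message:", forgery_verifies())
    print("pinned SHA-256 rejects it:", pinned_check_rejects_forgery())
```

The first function prints True, the second True as well. The point for a reviewer is that a MAC built for fixed-length messages does not give collision resistance over arbitrary data, and that for resources loaded from a CDN the integrity value should be a plain digest of the whole file pinned where an attacker on the CDN cannot change it.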

[Thanks Christian]

This Man Will Take Your Picture While Macing You


Odds are you don’t have a photographic memory, so if you ever have to mace someone, you probably won’t remember exactly what your attacker looks like. Compound that with talking to the police and looking at a few dozen mug shots, and it’s highly unlikely you’ll ever be able to identify the person you maced. This was the problem [John], [Cordelia], and [Adrian] chose to solve for [Bruce Land]’s microcontroller course at Cornell this semester.

The device they created, PepGuard, adds a microcontroller and a serial JPEG camera to a canister of pepper spray. When the button on top is pressed, the microcontroller flashes an LED, takes a picture with the camera, and sends that picture to a phone over a Bluetooth connection.

PepGuard is always connected to the user’s phone via Bluetooth, and this allows for some interesting possibilities. With their Android app, the team can set up the phone to call emergency services when the device is activated.

You can check out the demo of the device after the break, or read the team’s report here.


Breaking The MintEye CAPTCHA One More Time


A while back we saw the MintEye CAPTCHA system – an ‘are you human’ test that asks you to move a slider until an image is de-swirled and de-blurred – cracked wide open by exploiting the accessibility option. Later, in a clever bit of image processing, the MintEye CAPTCHA was broken yet again by coming up with an algorithm to detect whether an image is de-swirled and de-blurred.

It appears we’re not done with the MintEye CAPTCHA yet (Russian, translation). Now the MintEye CAPTCHA can be broken without any image processing or text-to-speech libraries. With 31 lines of Java, you too can crack MintEye wide open.

The idea behind the hack comes from the fact that blurred images will be much smaller than their non-blurred counterpart. This makes sense; the less detail in an image, the smaller the file size can be. Well, all the pictures MintEye delivers to your computer – 30 of them, one for each step of swirl and blurring – are the same size, meaning the ‘wrong answer’ images are padded with zeros at the end of the file.

There’s a 31-line program on the build page that shows how to look at thirty MintEye images and find the image with the fewest zeros at the end of the file. This is, by the way, the correct answer for the MintEye CAPTCHA, and has a reproducibility of 100%.
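The audit a CAPTCHA operator would want to run over their own image set, as an added example that is not the 31-line program from the build page: count the trailing zero bytes of each file in one challenge, report whether a single image stands out (the leak described above), and try one candidate mitigation. The sample “images” are constructed byte strings shaped the way the post describes (a payload followed by zero padding to a common size), not real MintEye JPEGs.

```python
"""Added example: detect and close the trailing-zero padding leak in a set of
CAPTCHA images. Sample data is constructed; nothing here is MintEye's code."""
import secrets


def trailing_zeros(data: bytes) -> int:
    """Number of consecutive 0x00 bytes at the end of the file."""
    n = 0
    for b in reversed(data):
        if b != 0:
            break
        n += 1
    return n


def padding_leak(images):
    """Return (index, counts) when exactly one image has strictly fewer
    trailing zero bytes than all the others, which is the image a solver
    would pick; otherwise (None, counts)."""
    counts = [trailing_zeros(im) for im in images]
    lowest = min(counts)
    if counts.count(lowest) == 1:
        return counts.index(lowest), counts
    return None, counts


def pad_uniformly(raw_images, rng=secrets.token_bytes):
    """Candidate mitigation: bring every image to the common size with random
    bytes rather than zeros, so the trailing-byte statistic no longer marks the
    answer. Whether a decoder tolerates random bytes after the JPEG EOI marker,
    and whether other channels (compression ratio, entropy) still leak, must
    be checked separately; this only closes the channel audited above."""
    size = max(len(im) for im in raw_images)
    return [im + rng(size - len(im)) for im in raw_images]


def constructed_challenge(n=30, size=1000, answer=7):
    """Constructed stand-in for one challenge: n files, the un-blurred one
    fills the whole size, the others are shorter and zero padded up to it.
    Returns (raw_files, zero_padded_files)."""
    raw = []
    for i in range(n):
        payload = size if i == answer else size - (40 + i)
        # SOI marker, filler, EOI marker: enough to look like a file that
        # ends in a non-zero byte, as a real JPEG does.
        raw.append(b"\xff\xd8" + b"\x7f" * (payload - 4) + b"\xff\xd9")
    padded = [im + bytes(size - len(im)) for im in raw]
    return raw, padded


if __name__ == "__main__":
    raw, padded = constructed_challenge()
    print("zero padding singles out index:", padding_leak(padded)[0])
    print("after random padding:", padding_leak(pad_uniformly(raw))[0])
```

On the constructed set the first line reports index 7 and the second reports None. The same `padding_leak` call run against a real challenge set is the regression check to keep after any change to how the images are generated or padded.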

So, does anyone know if MintEye is a publicly traded company? Also, how exactly do you short a stock?

Extracting Data With USB HID


High security workstations have some pretty peculiar ways of securing data. One of these is disabling any USB flash drives that may find their way into a system’s USB port. Security is a cat and mouse game, so of course there’s a way around these measures. [d3ad0ne] came up with a way of dumping files onto an SD card by using the USB HID protocol.

We’ve seen this sort of thing before, where a microcontroller carries an executable to extract data. Previously, the best method was to blink the Caps Lock LED on a keyboard, sending one bit at a time to a microcontroller. [d3ad0ne]’s build also exploits the USB HID protocol, but instead of 1 bit per second, he’s getting about 10kBps.

To extract data from a system, [d3ad0ne] connects a Teensy microcontroller to the USB port. After opening up Notepad, [d3ad0ne] mashes the Caps Lock key to force the Teensy to type out a script that can be made into an executable. This executable is a bare-bones application that can send any file back over the USB cable to the Teensy, where it’s stored on an SD card. Short of filling the USB ports in a workstation with epoxy, there’s really no way to prevent secure files from leaking out of a computer.