Pentesting Hack Chat This Wednesday

Join us on Wednesday, May 13 at noon Pacific for the Pentesting Hack Chat with Eric Escobar!

Ask anyone in this community to name their dream jobs and chances are pretty good that penetration tester will be somewhere on the shortlist. Pentesters are allowed — nay, encouraged — to break into secure systems, to test the limits and find weak points that malicious hackers can use to gain access. The challenge of hacking and the thrill of potentially getting caught combined with no chance of prosecution? And you get paid for it? Sounds good to us!

Professional pentesting is not all cops-and-robbers fun, of course. Pentesters have to stay abreast of the latest vulnerabilities and know what weaknesses are likely to exist at a given facility so they know what to target. There are endless hours of research, often laborious social engineering, and weeks of preparation before actually attempting to penetrate a client site. The attack could be as complex as deploying wireless pentesting assets via FedEx, or as simple as sprinkling thumb drives in the parking lot. But when it comes, a pentest often reveals just how little return companies are getting on their security investment.

As a consultant for a security firm, Eric Escobar gets to challenge companies on a daily basis. He’s also a regular on the con circuit, participating in challenges like Wireless CTF at DEF CON… until he won too many times. Now he helps design and execute the challenges, helping to share his knowledge with other aspiring pentesters. And he’ll stop by the Hack Chat to do the same with us, and tell us all about the business of keeping other businesses in business.

Our Hack Chats are live community events in the Hackaday.io Hack Chat group messaging. This week we’ll be sitting down on Wednesday, May 13 at 12:00 PM Pacific time. If time zones have got you down, we have a handy time zone converter.

Click that speech bubble to the right, and you’ll be taken directly to the Hack Chat group on Hackaday.io. You don’t have to wait until Wednesday; join whenever you want and you can see what the community is talking about.

An Open Hardware Rubber Ducky

No it’s not an open source version of Bert’s favorite bathtime toy (though seriously, let us know if you see one), the PocketAdmin by [Radik Bechmetov] is intended to be an alternative to the well-known “USB Rubber Ducky” penetration testing tool from Hak5. It might look like a standard USB flash drive, but underneath that black plastic enclosure is a whole lot of digital mischief waiting to spill out.

The general idea is that the PocketAdmin appears to the host computer as either a USB Human Interface Device (keyboard, mouse, etc) or a USB Mass Storage Device. In either event, the user has the ability to craft custom payloads which can exploit the operating system’s inherent trust in locally connected devices. The most common example is mimicking a USB keyboard that starts “typing” once connected to the computer.

You can even configure what vendor and product IDs the PocketAdmin advertises, allowing you to more accurately spoof various devices. [Radik] has included some other interesting features, such as the ability to launch different payloads depending on the detected operating system. That way it won’t waste time trying to bang out Windows commands when it’s connected to a Linux box.
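As an added example (not from the PocketAdmin project or this article), here is a small host-side check for the pattern described above: it parses Linux kernel USB enumeration messages and flags a device that binds both a HID and a mass-storage interface, or a HID whose VID:PID is not on a hypothetical allowlist. The sample log lines are constructed, modelled on dmesg output, and since the article notes that the advertised IDs are freely configurable, the allowlist is only a first filter, not proof of legitimacy.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on Linux dmesg USB enumeration output (not from the article).
# 1-1.2: a sanctioned keyboard.  1-1.4: a plain flash drive.
# 1-1.3: a device advertising the flash drive's VID/PID but registering a keyboard AND mass storage.
SAMPLE_DMESG = """\
[  101.001] usb 1-1.2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
[  101.050] input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.2/1-1.2:1.0/0003:046D:C31C.0001/input/input5
[  212.001] usb 1-1.4: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  212.030] usb-storage 1-1.4:1.0: USB Mass Storage device detected
[  330.001] usb 1-1.3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
[  330.040] input: Ultra Fit as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.3/1-1.3:1.0/0003:0781:5583.0002/input/input6
[  330.090] usb-storage 1-1.3:1.1: USB Mass Storage device detected
"""

# Hypothetical allowlist of VID:PID pairs for keyboards/mice issued to this host.
ALLOWED_HID = {"046d:c31c"}

NEW_DEV = re.compile(r"usb (?P<port>\d+-[\d.]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
HID_IF = re.compile(r"input: .* as /devices/.*/(?P<port>\d+-[\d.]+):\d+\.\d+/")
MSD_IF = re.compile(r"usb-storage (?P<port>\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text):
    """Group enumeration lines by USB port; record VID:PID and which interface classes bound."""
    devices = defaultdict(lambda: {"id": None, "hid": False, "storage": False})
    for line in log_text.splitlines():
        if m := NEW_DEV.search(line):
            devices[m["port"]]["id"] = f"{m['vid']}:{m['pid']}"
        elif m := HID_IF.search(line):
            devices[m["port"]]["hid"] = True
        elif m := MSD_IF.search(line):
            devices[m["port"]]["storage"] = True
    return dict(devices)


def find_suspicious(devices, allowed_hid=ALLOWED_HID):
    """Return (port, vid:pid, reason) for devices matching the BadUSB shapes the article describes."""
    findings = []
    for port, d in sorted(devices.items()):
        if d["hid"] and d["storage"]:
            # A "flash drive" that also registers a keyboard is the Rubber Ducky / PocketAdmin shape.
            findings.append((port, d["id"], "HID and mass-storage interfaces on one device"))
        elif d["hid"] and d["id"] not in allowed_hid:
            # VID/PID are self-reported and spoofable, so this is a prompt to inspect, not a verdict.
            findings.append((port, d["id"], "HID device not on allowlist"))
    return findings


if __name__ == "__main__":
    for port, dev_id, reason in find_suspicious(parse_usb_events(SAMPLE_DMESG)):
        print(f"ALERT usb {port} ({dev_id}): {reason}")
```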

The hardware is designed to be as easy and cheap to replicate as possible. The heavy lifting is done by an STM32F072C8T6 microcontroller, coupled with a W25Q256FVFG 32MiB flash chip to store the payloads. Beyond that, the BOM consists mainly of passives and a few obvious bits like the male USB connector. [Radik] has even provided a link to where you can buy the convincing-looking USB “flash drive” enclosure.

We’ve seen low-cost DIY versions of the USB Rubber Ducky in the past, but PocketAdmin is interesting in that it seems like [Radik] is looking to break new ground with this project rather than just copy what’s already been done. This will definitely be one to watch as the 2019 Hackaday Prize heats up.

“Watch Dogs” Inspired Hacking Drone Takes Flight

They say that life imitates art, which in modern parlance basically means if you see something cool in a video game, movie or TV show, you might be inclined to try and build your own version. Naturally, such things generally come in the form of simple props, perhaps with the occasional embedded LED or noise making circuit. It’s not as if you can really build a phaser from Star Trek or a phone booth that’s bigger on the inside.

But after seeing the hacking quadcopter featured in the video game Watch Dogs 2, [Glytch] was inspired to start work on a real-world version. It doesn’t look much like the drone from the game, but that was never the point. The idea was to see how practical a small flying penetration testing platform is with current technology, and judging by the final build, we’d say he got his answer.

All the flight electronics are off the shelf quadcopter gear. It’s running on a Betaflight OMNIBUS F4 Pro V2 Flight controller with an M8N GPS mounted in the front and controlling the 2006 2400KV motors with a DYS F20A ESC. Interestingly [Glytch] is experimenting with using LG HG2 lithium-ion cells to power the quad rather than the more traditional lithium-polymer pack, though he does mention there are some issues with the voltage curve between the two battery technologies.

But the real star of the show is the payload: a Hak5 Pineapple Nano. As the Pineapple provides a turn-key penetration testing platform on its own, [Glytch] just needed a way to safely carry it and keep it powered. The custom frame keeps it snug, and the 5 Volt Battery Eliminator Circuit (BEC) on the DYS F20A ESC combined with a female USB port allows powering the Pineapple without having to make any hardware modifications.

We’ve seen quadcopters with digital weaponry before, though not nearly as many as you might think. But as even the toy grade quadcopters become increasingly capable, we imagine the airborne hacking revolution isn’t far away.


Seek And Exploit Security Vulnerabilities In An Infusion Pump

Infusion pumps and other medical devices are not your typical everyday, off-the-shelf embedded system. Best case scenario, you will rarely, if ever, come across one in your life. So for widespread exploitation, chances are that they simply seem too exotic for anyone to bother exploring their weaknesses. Yet their impact on a person’s well-being makes potential security holes tremendously more severe in case someone decides to bother one day after all.

[Scott Gayou] is one of those someones, and he didn’t shy away from spending hundreds of hours of his free time inspecting the Smiths Medical Medfusion 4000 infusion pump for any possible security vulnerabilities. Looking at different angles for his threat model, he started with the physical handling of the device’s user interface. This allowed him to enable the external communication protocol settings, which in turn opened up the device’s FTP and Telnet ports. Not to give too much away, but he manages to gain access to both the file system content and — as a result of that — to the system’s login credentials. This alone can clearly be considered a success, but for [Scott], it merely opened a door that eventually resulted in desoldering the memory chips to reverse engineer the bootloader and firmware, and ultimately executing his own code on the device.

Understanding the implications of his discoveries, [Scott] waited long enough to publish his research so the manufacturer could address and handle these security issues. So kudos to him for fighting the good fight. And just in case the thought of someone gaining control over a machine that is crucial to your vitality doesn’t scare you enough yet, go ahead and imagine that device was actually implanted in your body.

Radio Controlled Pacemakers Are Easily Hacked

Doctors use RF signals to adjust pacemakers so that instead of slicing a patient open, they can change the pacemaker’s parameters, which in turn avoids unnecessary surgery. A study on the security weaknesses of pacemakers (highlights, or the full report (PDF)) has found that pacemakers from the main manufacturers contain security vulnerabilities that make it possible for the devices to be adjusted by anyone with a programmer and proximity. Of course, it shouldn’t be possible for anyone other than medical professionals to acquire a pacemaker programmer. The authors bought their examples on eBay.

They discovered over 8,000 known vulnerabilities in third-party libraries across four different pacemaker programmers from four manufacturers. This highlights an industry-wide problem when it comes to security. None of the pacemaker programmers required passwords, and none of the pacemakers authenticated with the programmers. Some home pacemaker monitoring systems even included USB connections, which open up the possibility of introducing malware through an infected pen drive.

The programmers’ firmware update procedures were also flawed, with hard-coded credentials being very common. This allows an attacker to set up their own authentication server and upload their own firmware to the home monitoring kit. Due to the nature of the hack, the researchers are not disclosing to the public which manufacturers or devices are at fault and have redacted some information until these medical device companies can get their house in order and fix these problems.

This article only scratches the surface; for an in-depth look, read the full report. Let’s just hope that these medical companies take action and resolve these issues as soon as possible. This is not the first time pacemakers have been shown to be flawed.

U.S. Air Force Is Going To Get Hacked

[HackerOne] has announced that the US Department of Defense (DoD) has decided to run their biggest bug bounty program ever, Hack the Air Force.

You may remember that last year there was the Hack the Pentagon bug bounty program. Well, this year, on the coattails of last year’s success, the DoD has decided to run an even bigger program: Hack the Air Force. Anyone from the “Five Eyes” countries (Australia, Canada, New Zealand, the United Kingdom and of course the United States) can take part. This is a change in format from the Pentagon challenge, which was only open to U.S. citizens and paid out a total of around $75,000 in bug bounties.

Now obviously there are rules. You can’t just hack the Air Force no matter how much you want “All their base are belong to you”. The DoD wants computer hackers to find bugs in their public-facing web services and is not so much interested in you penetration testing their weapons systems or any other critical infrastructure. Try that and you may end up with a lovely never-ending tour of Guantanamo Bay Naval Base.

Q Has Nothing On Naomi Wu

We’re not so much fans of James Bond as we are of Q, the hacker who supplies him with such wonderful things. There is a challenger to Q’s crown: [Naomi Wu] — code name [SexyCyborg] — built an epic gadget called the Pi Palette which hides a Linux laptop inside of a cosmetics case.

You can see the covert mode of the Pi Palette below. It resembles a clamshell cosmetics case with the makeup and applicator in the base and a mirror on the underside of the flip-up lid. The mirror hides an LCD screen in the portrait orientation, as well as a Raspberry Pi 3 running Kali Linux.

The base of the case includes a portable battery beneath the wireless keyboard/touchpad — both of which are revealed when the cosmetics tray is removed. An inductive charger is connected to the battery and [Naomi] built a base station which the Pi Palette sits in for wireless charging.

She envisions this as a covert penetration testing platform. For that, the Pi Palette needs the ability to put the WiFi dongle into promiscuous mode. She wired in a dual DIP-switch package and really went the extra mile to design it into the case. The fit and finish of that switch is just one tiny detail that illustrates the care taken with the entire project. With such a beautiful final project it’s no wonder she took to the streets to show it off. Check that out, as well as the build process, in the video after the break.
