广岛秋泽
TA的个人档案
广岛秋泽个人页面-阿里云开发者社区
文章
218
问答
0
个人介绍
暂无个人介绍
擅长的技术
- 高分内容
- 最新动态
- 文章
- 问答
-
发表了文章 2017-11-25
利用Excel分析IC卡校验码,另附突破金额655.35教程
我得说,这篇文章不讲怎么从卡里读出数据,不讲怎么提取有效数据,因为大家动动脑子就知道可以用acr122u pm3 之类的搞定密钥,然后找变化位确定校验位,二分法快速确定有效位,等,搞不定密钥的话我也没办法。 首先先看一个基本事实,当线性数据与定值进行 按位与 按位或 按位异或 时,其产生的结果也会呈现一定的规律,如下。 也就是说,结果中,按位与的图像基本呈现为周期性图像,按位或和按位异或的图像是与原图像总体趋势相同。 其他的按位取反、一次函数、二次函数同理。 这样的一个情况可以被我们引申一下。 金额 => (周期)线性数据校验位 => (按位与|按位或|按位异或|函数)结果图像 (同样可以引申到具有一定变化规律的非定值) 找金额位 一般方法1 最普遍的没有技巧的方法,可能是通过多次刷卡,寻找改变的地方,然后转化为10进制看是否是金额。 其实这个方法可以简化,即方法2。 一般方法2 金额其实是非常好找的,因为金额位很多时候可能并不加密,最多是前后位调换一下。 比如我卡里有23.45元,那么转换成hex就是929,即0929,寻找一下0929或者2909,基本就可以找到了。 Excel 在拥有足够连续金额的样本的前提下,我们可以将确认有影响到金额的数据块导出为文本,再导入excel。然后对同一块区(block)数据进行排列,转化为十进制再处理。像这样。 我们清楚地知道,数字都是满进制然后向前进一,而本身清零,也就是说,在有可能进位的地方,图像是这样的,呈现周期性线性关系。 没有产生进位的话,应该是看不出周期性的,就像这样。 因此,在需要至少两个位才能表示金额的情况下(一般就是金额大于2.55的情况),我们可以寻找前后两个(多个)图像呈线性关系及周期性线性关系的地方,其中周期越小则金额位越低。 由此,在金额位不加密的情况下,我们可以快速定位金额位。如上图数据就是C列B列合起来为金额。 找校验位 在金额位改变时明显有变化的,测试一下就知道是不是校验位了。 计算校验位 计算校验位,我用excel。(这里的表格数据已与上方有所不同,仅供参考) 为了数据样本的纯净,我们可能需要较多的等金额差的样本,比如73 70.2 67.4这样,数据间隔相同。 根据上面的理论,在获取一定数量的数据样本之后,我们可以得到这样的表格。 从迷你折线图里可以非常清晰的看到,CDR三列有明显的变化。 根据上面的理论以及计算,可以知道CD列为金额位,则R列为校验位。 观察折线图,我们发现R列数据也是呈现周期性变化,甚至峰值与C列非常接近,考虑到数据间隔粒度影响(间隔2.8而不是0.01),可以猜测R列数据峰值与C列相同,甚至,事实上,我们可以直接猜测,最小值为0,最大值为255。那么,也就是说,可能存在一个周期函数f(x),使得f(C)=R,并且在周期内,函数是线性相关的。 如果的确在周期内是线性相关的,那么在同一个周期内,两个值的差值应该是一样的。 于是我们需要寻找同一个周期内活动的金额位和校验位,比如 测试发现差值略有偏差,而且不同差值间隔为1,因此考虑D列的影响,这三行数据的D列刚好间隔都为1。 那么函数就变成了f(C)±D=R,或者是f(C±D)=R。 接下来就是做数学题了。 从数据上来看,一个周期应该是256,也就是0-255/00-FF这256个数字构成一个周期,主要是因为一个字节只能放下这么多数字。 我们尝试去除周期影响,得到如下数据。 再计算CD列和R列的差值。 结果如A列所示。 到这里,基本已经接近尾声了,稍微处理一下就好了。 根据以上数据,推出公式:R=(C+D-135)%256 推出的计算结果与校验位完全一致。 进阶 现在我们可以更改卡内数据了。但是由于目前金额位只显示了两位,也就是FFFF,因此目前被限制在655.35元。 先让我们尝试一下改成655.35吧。 依然是万能的excel。 测试成功。 因为金额显示的是扣款后的金额,每次扣款2.8元,652.55+2.8=655.35。 接下来尝试突破位数限制,有两条路可走:1.去充值,2.猜。 在很多时候,充值并不是一个好的建议,容易引起工作人员怀疑,另一方面,我这张卡是复制来的,由于某种原因,充值不了。 所以就猜吧。 突破位数限制 由于新增了一位,因此我们需要重新考量相关的计算。 可以利用已有数据进行合理猜测,比如金额为73时,前三位为841C00。 让新的公式可以符合已有数据即可。 金额 之前在考虑逆序规则,其实仔细想想,规则肯定是左到右,低位到高位。 即01869F=>9F8601 校验位 校验位原公式为R=(C+D-135)%256,那么需要加入E位,并确保E位为0的时候,f(C,D,E)=f(C,D)。 因此,E的加入不能带入新的常数,最多只能带入系数,也就是说常数还是-135,而E的系数可以不为1。 简单猜测一下,公式R=(C+D+E-135)%256。 计算结果:9F86010000001106020C36150900009F 测试一下。 完成。 测试一下最大值是不是999.99 最大值是1000,再高就无法读取了。 实验数据:RFID数据分析.zip
-
发表了文章 2017-11-12
Inside a low budget consumer hardware espionage implant
The following analysis was performed on a S8 data line locator which replied to the hidden SMS command for version query (*3646655*) with: Ver=MTK6261M.T16.17.01.10 build=2017/01/10 17:33 Introduction A while back Joe Fitz tweeted about the S8 data line locator1. He referred to it as “Trickle down espionage” due to its reminiscence of NSA spying equipment. The S8 data line locator is a GSM listening and location device hidden inside the plug of a standard USB data/charging cable. It supports the 850, 900, 1800 and 1900 MHz GSM frequencies. Its core idea is very similar to the COTTONMOUTH product line by the NSA/CSS [1] in which an RF device is hidden inside a USB plug. Those hidden devices are referred to as implants. The device itself is marketed as a location tracker usable in cars, where a thief would not be able to identify the USB cable as a location tracking device. Its malicious use-cases can, however, not be denied. Especially since it features no GPS making its location reporting very coarse (1.57 km deviation in my tests). It can, e.g., be called to listen to a live audio feed from a small microphone within the device, as well as programmed to call back if the sound level surpasses a 45 dB threshold. The fact that the device can be repackaged in its sliding case, after configuring it, i.e. inserting a SIM, without any noticeable marks to the packaging suggests its use-case: covert espionage. S8 data line locator capabilities The S8 data line locator has several eavesdropping, espionage and spying capabilities. A SMS message log could look like this: Listen in Calling the S8 data line locator for 10 seconds establishes a call and allows you to listen to the microphone feed from the device. Call back Sending 1111 via SMS to the device enables voice activated call back. It is acknowledged via the following SMS reply: DT: Set voice monitoring, voice callback and sound sensitivity:400 Once the audio level goes above 40 dB the device calls back the number that send the 1111 command. Sending 0000 disables the audio triggered call back. It is replied by: DT: Voice monitoring cancelled successfully. Query location Accoding to the manual sending ‘dw’ via SMS to the device yields a reply SMS with the location. This reply is in the form: Loc:Street, ZIP City, Country http://gpsui.net/u/xxxx Battery: 100% The ‘xxxx’ are replaced with characters ‘0-9,A-Z,a-z’ and the Street, ZIP City, Country line with the appropriate street, ZIP, city and country. The link to http://gpsui.net can be accessed without authorization. It forwards to Google maps. The location was never more accurate than 1.57 km off. During the query the device will use a mobile data connection to an unknown endpoint (presumably gpsui.net). This is confirmed by a “MMS/Internet” charge by my provider. My provider does not discern MMS and Internet, but it is save to assume there is an Internet connection established during location query. This issue was the stepping stone for this analysis. Because the device sends unknown data to an unknown third party it can not - at least with a clear conscious - be used in, e.g., a penetration test. You simply can not use a potentially pre-owned tool. I therefore tried to analyze and eliminate this phone-home “feature”. Hardware To gain access to the devices innards we first tear of the metal shield of the USB connector: S8 data line locator removing USB connector shield. Next, we remove the plastic cover: S8 data line locator removing USB connector shield. Chips After opening the device we can identify the chips: It features: MediaTek MT6261MA: Low budget chip often used in cheap Chinese smartwatches. No official documentation nor information about the chip is available from MediaTek. RDA 6626e: “a high-power, high-efficiency quad-band front-end Module […] designed for GSM850, EGSM900, DCS1800, PCS1900 handheld digital cellular equipment.” Connections So far I could identify 3 different avenues to connect to the device: USB (passthrough) The USB A-connector and the Micro-B cable are not connected to the MT6261MA. They merely pass the signal from one to the other: UART The next connection is a UART: Interfacing with it yields, approximately 3 seconds after booting the device: screen /dev/ttyUSB0 115200 # 8N1 F1: 0000 0000 V0: 0000 0000 [0001] 00: 1029 0001 01: 0000 0000 U0: 0000 0001 [0000] G0: 0002 0000 [0000] T0: 0000 0C73 Jump to BL ~~~ Welcome to MTK Bootloader V005 (since 2005) ~~~ **===================================================** Bye bye bootloader, jump to=0x1000a5b0 However, the output stops there. Input to the device is ignored. It is likely there exist a different firmware version that accepts AT modem commands2. The boot banner of that alternate firmware references “ZhiPu”3 (some file names of the FAT12 in the firmware flash of my device contain this string as well, so the device firmware is likely related to that other firmware). USB (MTK) The DP and DM pads on the USB connector are not connected to the D+ and D- lines of the USB connector. However, the V and GND pads are. The DP and DM pads are instead routed to the MT6261MA processor as illustrated here: Next, a USB cable must be soldered to these connectors as follows: The device will then be recognized as an MediaTek phone USB endpoint with the following data: ID 0e8d:0003 MediaTek Inc. MT6227 phone This is often called the “MTK boot repair”, “MTK DM DP flash”, etc. It will allow us to interface with the device and dump the firmware ROM and flash. Dumping firmware To dump the firmware I use the open source Fernvale research OS [2]. It was initially targeted for the MT6260 processor. It has, however, been ported to the MT6261 and also works on the MT6261MA. Obtaining and building fernly’s MT6261 branch A suitable fork of fernly by Urja “urjaman” Rannikko can be obtained and build as follows: git clone https://github.com/urjaman/fernly git clone https://github.com/robertfoss/setup_codesourcery.git sudo setup_codesourcery/setup.sh /usr/local/bin/codesourcery-arm-2014.05.sh cd fernly git checkout fernly6261 make CROSS_COMPILE=arm-none-eabi- exit cp 95-fernvale-simple.rules /etc/udev/rules.d/. Dumping ROM To dump the flash we run: echo "data = [" > rom.py fernly/build/fernly-usb-loader /dev/fernvale fernly/build/dump-rom-usb.bin >> rom.py echo " ] f = open('rom.bin','wb') for s in data: f.write(chr(int(s,16))) f.close() " >> rom.py python rom.py The file rom.bin will now (at least according to the fernly repository documentation) contain the devices ROM. Dumping flash To dump the flash of the device we need to patch flashrom as follows: git clone https://github.com/flashrom/flashrom cd flashrom/ git checkout c8305e1dee66cd69bd8fca38bff2c8bf32924306 patch -p0 < ../fernly/flashrom-fernvale.patch # manually fix Makefile.rej to complete patching The patch does not cleanly apply so you need to fix the rejected Makefile (Makefile.rej) manually yourself. Once this was done we can first load the fernly firmware into the devices RAM via: fernly/build/fernly-usb-loader -w /dev/fernvale fernly/build/stage1.bin fernly/build/firmware.bin Next, we can use the fernvale_spi programmer we patched into flashrom. We first let it recognize the flash via: flashrom/flashrom --programmer fernvale_spi:dev=/dev/fernvale And then read the flash via: flashrom/flashrom --programmer fernvale_spi:dev=/dev/fernvale -c "MX25L3205(A)" --read flash.dat flash.dat will now contain the devices flash memory. Writing flash attempt Writing the flash can be performed via: flashrom/flashrom --programmer fernvale_spi:dev=/dev/fernvale -c "MX25L3205(A)" --write flash.dat However, the flash seems to be block protected and the block protect bits can not be disabled by flashrom. I have not (yet) found a way to disable the block protect. Analysis Mostly for my personal education I did some more analysis then the obligatory firmware dump. SIM sniffing (via SIMtrace) First, I sniffed the communication between the device and the SIM. Interestingly, it accessed all records of the telephone book and SMS storage. More specifically it accesses the following files, which are not needed to provide the services rendered by the device itself: ADF EF(ECC) EF(EXT2) EF(SMS) DF(TELECOM) DF(PHONEBOOK) EF(ADN) EF(ANRA1) EF(SMS) Other SIM accesses seems to be normal. This is probably not an elaborate scheme to harvest phone numbers and send them to China, but rather the way the default manufactured SIM code was implemented and it was never trimmed down to the needs of this device. Nevertheless, I found it interesting seeing how the device is accessing virtually everything on the SIM. GPRS sniffing attempt (via OpenBTS) Next, I tried to sniff the Internet traffic to figure out what is send to whom via the mobile data connection. To this end, I used a Ettus B100 with OpenBTS. Unfortunately, the S8 data line locator did not connect to the GPRS. This caused the following alternative response to the dw location command: Loc:Please link:http://gpsui.net/smap.php?lac=1000&cellid=10&c=901&n=70&v=7100 Battery:67% Flash contents The most interesting things could be found in the dumped flash. OS Strings in the flash.dat suggest the device is probably running Nucleus RTOS: $ strings -a flash.dat Copyright (c) 1993-2000 ATI - Nucleus PLUS - Version ARM 7/9 1.11.19 Other strings that may help identify the OS are: $ strings -a flash.dat | grep "\.c" psss\components\src\bl_Secure_v5.c psss\components\src\SSS_secure_shared_v5.c hal\system\bootloader\src\bl_Main.c hal\system\bootloader\src\bl_Main.c hal\system\bootloader\src\bl_FTL.c hal\system\bootloader\src\bl_FTL.c hal\system\bootloader\src\bl_FTL.c hal\storage\flash\mtd\src\flash_disk.c hal\system\bootloader\src\bl_Main.c hal\peripheral\src\dcl_pmu6261.c hal\system\cache\src\cache.c hal\peripheral\src\dcl_rtc.c hal\peripheral\src\dcl_pmu6261.c hal\system\bootloader\src\bl_FTL.c hal\system\bootloader\src\bl_FTL.c hal\peripheral\src\rtc.c hal\peripheral\src\rtc.c hal\peripheral\src\rtc.c hal\peripheral\src\rtc.c hal\peripheral\src\rtc.c hal\peripheral\src\rtc.c hal\storage\flash\mtd\src\flash_mtd_sf_dal.c hal\peripheral\src\dcl_pmu_common.c hal\peripheral\src\dcl_f32k_clk.c hal\peripheral\src\dcl_f32k_clk.c hal\peripheral\src\dcl_gpio.c hal\peripheral\src\dcl_pmu_common.c hal\system\cache\src\cache.c hal\peripheral\src\dcl_f32k_clk.c hal\peripheral\src\dcl_gpio.c hal\peripheral\src\gpio.c hal\system\bootloader\src\bl_FTL.c hal\peripheral\src\rtc.c hal\peripheral\src\bmt_hw.c hal\peripheral\src\dcl_pmu6261.c hal\storage\flash\mtd\src\flash_mtd.c hal\peripheral\src\gpio.c custom\common\hal\combo_flash_nor.c hal\peripheral\src\dcl_rtc.c hal\peripheral\src\dcl_rtc.c hal\storage\flash\mtd\src\flash_disk.c custom\common\hal\combo_flash_nor.c hal\storage\flash\mtd\src\flash_mtd_sf_dal.c hal\system\emi\src\emi.c sss\components\src\SSS_secure_shared_common.c alice.c ddload.c plutommi\Framework\GDI\gdisrc\gdi.c C.cKi hal\audio\src\v1\audio_service.c ddload.c ddload.c plutommi\Framework\GDI\gdisrc\gdi_image_hwjpg_v2.c plutommi\Framework\GDI\gdisrc\gdi_image_hwjpg_v2.c plutommi\Framework\GDI\gdisrc\gdi_util.c plutommi\Framework\GDI\gdisrc\gdi_util.c hal\audio\src\v1\audio_service.c ddload.c FAT12 filesystems (?) Searching the flash.dat for the FAT12 file systems that are supposedly present in on MediaTek phones, we get: $ hexdump -C flash.dat 002c1e20 00 00 00 00 00 00 00 00 00 ef cd 4e 4f 20 4e 41 |...........NO NA| 002c1e30 4d 45 20 20 20 20 46 41 54 31 32 20 20 20 00 00 |ME FAT12 ..| 002c1e40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 002c1e50 00 00 00 00 00 00 00 00 00 00 4d 4d 4d 4d 4d 4d |..........MMMMMM| 002c1e60 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d |MMMMMMMMMMMMMMMM| * 002c1ff0 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 55 aa |MMMMMMMMMMMMMMU.| [...] 002d8400 eb 58 90 46 69 6c 65 53 79 73 20 00 02 01 01 00 |.X.FileSys .....| 002d8410 01 80 00 9b 01 f8 02 00 01 00 01 00 01 00 00 00 |................| 002d8420 9b 01 00 00 80 00 29 00 00 21 30 4e 4f 20 4e 41 |......)..!0NO NA| 002d8430 4d 45 20 20 20 20 46 41 54 31 32 20 20 20 00 00 |ME FAT12 ..| 002d8440 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 002d8450 00 00 00 00 00 00 00 00 00 00 4d 4d 4d 4d 4d 4d |..........MMMMMM| 002d8460 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d |MMMMMMMMMMMMMMMM| * 002d85f0 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 55 aa |MMMMMMMMMMMMMMU.| [...] 002dbc00 ff ff ff ff ff de 9e 68 00 00 00 00 00 50 ba ff |.......h.....P..| 002dbc10 55 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |U...............| 002dbc20 00 00 00 00 00 00 00 00 00 ef cd 4e 4f 20 4e 41 |...........NO NA| 002dbc30 4d 45 20 20 20 20 46 41 54 31 32 20 20 20 00 00 |ME FAT12 ..| 002dbc40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 002dbc50 00 00 00 00 00 00 00 00 00 00 4d 4d 4d 4d 4d 4d |..........MMMMMM| 002dbc60 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d |MMMMMMMMMMMMMMMM| * 002dbdf0 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 4d 55 aa |MMMMMMMMMMMMMMU.| However, two of the partitions do not appear to be valid FAT12 file systems: $ fls -o 5646 flash.dat -f fat12 Invalid magic value (Not a FATFS file system (magic)) $ fls -o 5826 flash.dat -f fat12 v/v 6531: $MBR v/v 6532: $FAT1 v/v 6533: $FAT2 d/d 6534: $OrphanFiles $ fls -o 5853 flash.dat -f fat12 Invalid magic value (Not a FATFS file system (magic)) And the middle FAT12 block seems to be corrupted as well, i.e. only orphan files: $ fls -o 5826 flash.dat -rp -f fat12 v/v 6531: $MBR v/v 6532: $FAT1 v/v 6533: $FAT2 d/d 6534: $OrphanFiles -/r * 469: $OrphanFiles/MP0B_001 -/r * 470: $OrphanFiles/ST33A004 -/r * 471: $OrphanFiles/ST33B004 [...] An attempt was made to extract the files: fls -o 5826 flash.dat -Frp -f fat12 | while read line; do path=$(echo "$line" | awk -F':' '{print $2}') mkdir -p $(dirname $path); icat -o 5826 flash.dat $(echo "$line" | grep -oE "[0-9]+" | head -n1) > $path done But most files are empty. The results are also very inconsistent, i.e., when changing SIM cards there are significant changes to the files listed by The Sleuthkit. This indicates that those are either not FAT12 partitions or a modified FAT12 variant. Further analysis was hence done using hexdump. Configuration data The flash also contained some configuration data. First, the IMSI of the inserted SIM and the number that is used to remote control the device could be found in the flash: $ hexdump -C flash.dat 002e2ad0 00 00 00 00 32 xx xx xx xx xx xx xx xx xx xx xx |....2xxxxxxxxxxx| 002e2ae0 xx xx 37 00 00 01 00 01 00 00 00 00 00 00 00 00 |xx7.............| 002e2af0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * 002e2b10 00 00 00 00 00 00 00 00 00 00 00 2b 34 39 31 xx |...........+491x| 002e2b20 xx xx xx xx xx xx xx xx 00 00 00 00 00 00 00 00 |xxxxxxxx........| 002e2b30 00 00 00 00 00 00 00 00 00 00 00 00 00 67 70 73 |.............gps| 002e2b40 75 69 2e 6e 65 74 00 00 00 00 00 00 00 00 00 00 |ui.net..........| 002e2b50 00 00 00 00 00 00 00 00 00 00 00 00 00 67 70 73 |.............gps| 002e2b60 75 69 2e 6e 65 74 00 00 00 00 00 00 00 00 00 00 |ui.net..........| 002e2b70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| * In the above flash segment you can also see a reference to gpsui.net. This is presumably the remote server which is contacted to turn the MCC, MNC, LAI and CID codes into street, city and country information as well as the link to gpsui.net which forwards to Google maps. However, because writing to the flash could not be achieved this hypothesis could not be confirmed. Hidden commands Eventually, there was a small find potentially making this effort worthwhile. Searching the flash.dat for the dw,1111 and 0000 commands reveals more hidden commands: $ hexdump -C flash.dat 00069530 8c ae 00 00 8d ae 8e ae 72 65 73 74 6f 72 65 00 |........restore.| 00069540 00 00 00 00 00 00 00 00 01 00 00 00 68 68 68 00 |............hhh.| 00069550 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 |................| 00069560 69 6d 73 69 00 00 00 00 00 00 00 00 00 00 00 00 |imsi............| 00069570 03 00 00 00 74 69 6d 65 7a 6f 6e 65 00 00 00 00 |....timezone....| 00069580 00 00 00 00 04 00 00 00 74 69 6d 65 00 00 00 00 |........time....| 00069590 00 00 00 00 00 00 00 00 05 00 00 00 61 71 65 00 |............aqe.| 000695a0 00 00 00 00 00 00 00 00 00 00 00 00 06 00 00 00 |................| 000695b0 61 71 63 00 00 00 00 00 00 00 00 00 00 00 00 00 |aqc.............| 000695c0 07 00 00 00 73 65 72 76 65 72 00 00 00 00 00 00 |....server......| 000695d0 00 00 00 00 08 00 00 00 64 64 64 00 00 00 00 00 |........ddd.....| 000695e0 00 00 00 00 00 00 00 00 09 00 00 00 72 65 67 00 |............reg.| 000695f0 00 00 00 00 00 00 00 00 00 00 00 00 0a 00 00 00 |................| 00069600 61 71 62 00 00 00 00 00 00 00 00 00 00 00 00 00 |aqb.............| 00069610 0b 00 00 00 71 71 71 00 00 00 00 00 00 00 00 00 |....qqq.........| 00069620 00 00 00 00 0c 00 00 00 64 77 00 00 00 00 00 00 |........dw......| 00069630 00 00 00 00 00 00 00 00 0d 00 00 00 6c 6f 63 00 |............loc.| 00069640 00 00 00 00 00 00 00 00 00 00 00 00 0e 00 00 00 |................| 00069650 66 61 61 00 00 00 00 00 00 00 00 00 00 00 00 00 |faa.............| 00069660 0f 00 00 00 66 66 66 00 00 00 00 00 00 00 00 00 |....fff.........| 00069670 00 00 00 00 10 00 00 00 31 31 31 31 00 00 00 00 |........1111....| 00069680 00 00 00 00 00 00 00 00 11 00 00 00 30 30 30 30 |............0000| 00069690 00 00 00 00 00 00 00 00 00 00 00 00 12 00 00 00 |................| 000696a0 72 70 74 00 00 00 00 00 00 00 00 00 00 00 00 00 |rpt.............| 000696b0 13 00 00 00 67 62 72 70 74 00 00 00 00 00 00 00 |....gbrpt.......| 000696c0 00 00 00 00 14 00 00 00 74 72 61 63 6b 00 00 00 |........track...| 000696d0 00 00 00 00 00 00 00 00 15 00 00 00 6d 6f 6e 69 |............moni| 000696e0 74 6f 72 00 00 00 00 00 00 00 00 00 16 00 00 00 |tor.............| 000696f0 73 6f 73 6f 6e 00 00 00 00 00 00 00 00 00 00 00 |soson...........| 00069700 17 00 00 00 73 6f 73 6f 66 66 00 00 00 00 00 00 |....sosoff......| 00069710 00 00 00 00 18 00 00 00 73 6f 73 00 00 00 00 00 |........sos.....| 00069720 00 00 00 00 00 00 00 00 19 00 00 00 71 63 73 6f |............qcso| 00069730 73 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 |s...............| 00069740 6c 65 64 6f 6e 00 00 00 00 00 00 00 00 00 00 00 |ledon...........| 00069750 1b 00 00 00 6c 65 64 6f 66 66 00 00 00 00 00 00 |....ledoff......| 00069760 00 00 00 00 1c 00 00 00 66 6c 69 67 68 74 6f 6e |........flighton| 00069770 00 00 00 00 00 00 00 00 1d 00 00 00 66 6c 69 67 |............flig| 00069780 68 74 6f 66 66 00 00 00 00 00 00 00 1e 00 00 00 |htoff...........| 00069790 65 73 69 6f 6e 6f 77 00 00 00 00 00 00 00 00 00 |esionow.........| 000697a0 1f 00 00 00 65 73 69 6f 61 64 64 72 00 00 00 00 |....esioaddr....| 000697b0 00 00 00 00 20 00 00 00 68 62 74 6f 6e 00 00 00 |.... ...hbton...| 000697c0 00 00 00 00 00 00 00 00 21 00 00 00 68 62 74 6f |........!...hbto| 000697d0 66 66 00 00 00 00 00 00 00 00 00 00 22 00 00 00 |ff.........."...| 000697e0 65 73 69 6f 6c 6f 63 61 74 65 74 79 70 65 00 00 |esiolocatetype..| 000697f0 23 00 00 00 65 65 65 00 00 00 00 00 00 00 00 00 |#...eee.........| 00069800 00 00 00 00 24 00 00 00 73 6e 64 73 74 6f 70 00 |....$...sndstop.| 00069810 00 00 00 00 00 00 00 00 25 00 00 00 64 64 65 00 |........%...dde.| 00069820 00 00 00 00 00 00 00 00 00 00 00 00 26 00 00 00 |............&...| 00069830 66 6f 72 6d 61 74 74 66 00 00 00 00 00 00 00 00 |formattf........| 00069840 27 00 00 00 68 65 6c 70 00 00 00 00 00 00 00 00 |'...help........| 00069850 00 00 00 00 28 00 00 00 2a 65 38 31 2a 00 00 00 |....(...*e81*...| 00069860 00 00 00 00 00 00 00 00 29 00 00 00 2a 65 38 30 |........)...*e80| 00069870 2a 00 00 00 00 00 00 00 00 00 00 00 2a 00 00 00 |*...........*...| 00069880 2a 72 65 62 6f 6f 74 2a 00 00 00 00 00 00 00 00 |*reboot*........| 00069890 2b 00 00 00 2a 33 36 34 36 36 35 35 2a 00 00 00 |+...*3646655*...| 000698a0 00 00 00 00 2c 00 00 00 69 6d 65 69 73 65 74 00 |....,...imeiset.| However, most of those commands do not function correctly. It seems the devices firmware is shared among several such location tracking and listening devices, e.g., there are commands referring to LEDs and a TF card, both of which this device do no feature, however, other devices available online do. An incomplete list of the found commands and there replies is: help: replies with the following commands: dw: Locate qqq: Device binding 1111: Sound Alarm Monitor on 0000: Sound Alarm Monitor off ddd: Reset all tasks aqb: Get Username Password eee: Recording saved dde: Cleanup TF card hhh: Device status loc: same as dw imsi: Query IMEI and IMSI faa: “DTMG: Set voice monitoring, SMS reply and sound sensitivity successfully:40”, “DTMG: Unusual sound detected” fff: “DT: Set voice monitoring, voice callback and sound sensitivity successfully:40” 1111: “DT: Set voice monitoring, voice callback and sound sensitivity successfully:400” 0000: “DT: Voice monitoring cancelled successfully.” gbrpt: “Report:Location the continuous escalation has been closed.” track: “Track:Caller answer mode the device is set to reply location.” hbton: “Hbt:Device is turned on real-time online” hbtoff: “Hbt: Device online has been closed” esionow: “…” ? esioaddr: “Setting esio addr and port fail!” esiolocatetype: “Esio:Reporting location type has been updated to 0.” server: “Setting server addr and port fail!” reg: “…” ? monitor: “Monitor:Caller answer mode the device is set to automatically answer.” eee: “Tf-Card check fails of is insufficient free space!” sndstop: “Cam:No task is running, cancel failed!” *e81*: “…” ? *e80*: “…” ? soson, sosoff, sos, qcsos: ? ledon, ledoff: ? flighton, flightoff: ? aqe: “Setting apn fail!” imeiset: “…” does not seem to set the IMEI restore: “Restore ok!” formattf: ? time: “…” ? timezone: “Setting time zone ok. Current time zone 0” age: “…” ? *3646655*: queries for version information *reboot*: reboots the device Interestingly the reply strings could not be found in the flash in plaintext. This suggests that some of the data is compressed. The message log of me trying some of the found hidden commands to populate the above list is as follows: It seems that we can use esioaddr to change the address used to lock up the location information. However, no connection to a given domain nor IP is actually made. The device will simply report the addr invalid in the location report. The server command sets a different server. Changing it does not result in the addr invalid responses, as can be seen from this second message log: Provider call logs and itemized bill Because the GPRS sniffing failed I resort to the billing of my provider to further analyze the communication habits of the S8 data line locator. Obviously reply SMS are billed. More interesting is the Internet access patterns. dw or loc commands and during idle During location queries the device will use “MMS/Internet” service. The following is a segment in which first repeated location queries were performed, then the devices was left idle: Even during idle the device sometimes uses the “MMS/Internet” service. Even though I deactivated all tracking features that I may have activated during my previous testing, I can not be 100 % sure that this is not something that I activated, maybe while stumbling through the gpsui.net website. However, I regardless of whether I activated this “feature” or not, I do not want it and would like to know what data is actually send and how to deactivate it. gpsui.net Going deeper into the gpsui.net website would probably result in a new writeup in itself. It is a very big surveillance hub, just replace the xxxx in http://gpsui.net/u/xxxx with some letters and numbers and you can see random people’s locations. The website also makes a reference to ZhiPu: It seems this is the company that makes these trackers. You can get your credentials for login by texting aqb to your S8 data line monitor. The username as well as the password are 6 digit numbers. They are also located in the flash right before the IMSI. Detection When sending data the S8 data line locator can be detected with a CC308+ (a cheap Chinese RF detector): The S8 data line locator seems to be badly shielded. A location request via the dw command causes noticeable electronic noise by the device. It seems in general to cause all sorts of RF interference. Future work While I did not (yet) succeed with my original goal to disable the mobile data phone home “feature’, it was nevertheless a fun exercise and hopefully someone finds this useful or at least educational. Future work needs to be done on several things: Issues I was not able yet to write new firmware via flashrom because I was not able to disable block protection on the flash, yet. Maybe a different avenue for flashing new firmware could be the SPFlash tool4 and/or the Flash tool. However, that would not be open source. If know something about the weird FAT12 file system used in the device or are able to flash your S8 data line locator please contact me with details! Further, I tried to capture the GPRS data connection of the device, but was unable to do so. It would not use GPRS when connected to my network. Currently, I do not know how the APN is configured. The SIM trace does not indicate that the EF(ACL) is ever accessed. However, as I found the correct APN configuration stored in the devices flash, this suggests the device acquires this information via a setup SMS by the service provider. Ideas Dremel the board smaller, e.g., you don’t need the USB connector. This way the S8 data line locator could be turned into a “modular” bug that could be placed where ever there is a 5 V 1 A power source. Appendix: Fuck up No writeup would be complete without at least one fuck up. So here it is: While using the S8 data line locator with OpenBTS I provisioned imaginary numbers. When switching SIM cards I forgot to turn of the voice activated callback. So long story short, some guy with the number 3333333 listend in on me for 2 minutes: I did not notice this until I reviewed the logs! So my resume on these little hardware espionage implants: They are stealthy and dangerous as fuck! Bibliography [1] NSA/CSS, “ANT product catalog (USB),” leaked documents (pdf: https://cryptome.org/2013/12/nsa-ant-usb.pdf). [2] A. “bunnie” Huang and S. X. Cross, “Fernvale: An open hardware and software platform, based on the (nominally) closed-source mT6260 soC,” talk at the 31st Chaos Communication Congress (slides: http://www.bunniefoo.com/fernvale/fernvale-31c3.pdf, video: https://www.youtube.com/watch?v=hpEqDPYtf9s). 原文链接:https://ha.cking.ch/s8_data_line_locator/
-
发表了文章 2017-09-21
Mac OSX 编译 LeanSDR
LeanSDR:Lightweight, portable software-defined radio git clone http://github.com/pabr/leansdr.git cd leansdr/src/apps LeanSDR在使用过程中需要使用X11图形框架,首次在OSX编译LeanSDR会有报错: g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leandvb.cc -lX11 -o leandvb || \ g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable leandvb.cc -o leandvb In file included from leandvb.cc:17: ../leansdr/gui.h:16:10: fatal error: 'X11/X.h' file not found #include <X11/X.h> ^ 1 error generated. g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leansdrscan.cc -lX11 -o leansdrscan || \ g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable leansdrscan.cc -o leansdrscan leansdrscan.cc:115:10: warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare] if ( nr < 0 ) fatal("read"); ~~ ^ ~ 1 warning generated. ld: library not found for -lX11 clang: error: linker command failed with exit code 1 (use -v to see invocation) leansdrscan.cc:115:10: warning: comparison of unsigned expression < 0 is always false [-Wtautological-compare] if ( nr < 0 ) fatal("read"); ~~ ^ ~ 1 warning generated. g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leansdrcat.cc -lX11 -o leansdrcat || \ g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable leansdrcat.cc -o leansdrcat ld: library not found for -lX11 clang: error: linker command failed with exit code 1 (use -v to see invocation) g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leantsgen.cc -lX11 -o leantsgen || \ g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable leantsgen.cc -o leantsgen ld: library not found for -lX11 clang: error: linker command failed with exit code 1 (use -v to see invocation) g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leanchansim.cc -lX11 -o leanchansim || \ g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable leanchansim.cc -o leanchansim ld: library not found for -lX11 clang: error: linker command failed with exit code 1 (use -v to see invocation) g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable -DGUI leandvbtx.cc -lX11 -o leandvbtx || \ g++ -O3 -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable leandvbtx.cc -o leandvbtx ld: library not found for -lX11 clang: error: linker command failed with exit code 1 (use -v to see invocation) 查找X11目录 sudo find / -name "X.h" /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Tk.framework/Versions/8.4/Headers/X11/X.h /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/System/Library/Frameworks/Tk.framework/Versions/8.5/Headers/X11/X.h find: /dev/fd/cn0xroot: No such file or directory find: /dev/fd/cn0xroot: No such file or directory /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks/Tk.framework/Versions/8.5/Headers/X11/X.h /opt/local/include/X11/X.h /opt/local/share/doc/boost/libs/coroutine/example/cpp03/asymmetric/X.h /opt/metasploit-framework/embedded/include/X11/X.h /opt/X11/include/X11/X.h /System/Library/Frameworks/Tk.framework/Versions/8.4/Headers/X11/X.h /System/Library/Frameworks/Tk.framework/Versions/8.5/Headers/X11/X.h 解决方案:修改Makefile APPS = leandvb leansdrscan APPS += leansdrcat leantsgen leanchansim leandvbtx all: $(APPS) clean: rm -f $(APPS) DEPS = ../leansdr/*.h CXXFLAGS = -O3 -I.. -I/opt/X11/include -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable %: %.cc $(DEPS) g++ $(CXXFLAGS) -DGUI $< -lX11 -L/opt/X11/lib -o $@ || \ g++ $(CXXFLAGS) $< -o $@ EMBED_FLAGS= -I.. -Wall -Wno-sign-compare -Wno-array-bounds -Wno-unused-variable \ -Ofast -mfpu=neon -funsafe-math-optimizations -fsingle-precision-constant leandvb.embedded: leandvb.cc $(DEPS) g++ $(CXXFLAGS) $(EMBED_FLAGS) $< -static -o $@ || \ g++ $(CXXFLAGS) $(EMBED_FLAGS) $< -o $@ make Usage leandvb --help Usage: leandvb [options] < IQ > TS Demodulate DVB-S I/Q on stdin, output MPEG packets on stdout Input options: --u8 Input format is 8-bit unsigned (rtl_sdr, default) --f32 Input format is 32-bit float (gqrx) -f HZ Input sample rate (default: 2.4e6) --loop Repeat (stdin must be a file) --inbuf N Additional input buffering (samples) Preprocessing options: --anf N Number of birdies to remove (default: 1) --derotate HZ For use with --fd-pp, otherwise use --tune --resample Resample baseband (CPU-intensive) --resample-rej K Aliasing rejection (default: 10) --decim N Decimate baseband (causes aliasing) --cnr Measure CNR (requires samplerate>3*symbolrate) --fd-pp NUM Dump preprocessed IQ data to file descriptor DVB-S options: --sr HZ Symbol rate (default: 2e6) --tune HZ Bias frequency for demodulation --drift Track frequency drift beyond safe limits --standard S DVB-S (default), DVB-S2 (not implemented) --const C QPSK (default), BPSK .. 32APSK (DVB-S2 only) --cr N/D Code rate 1/2 (default) .. 7/8 .. 9/10 --fastlock Synchronize more aggressively (CPU-intensive) --sampler nearest, linear, rrc --rrc-steps N RRC interpolation factor --rrc-rej K RRC filter rejection (defaut:10) --roll-off A RRC roll-off (default: 0.35) --viterbi Use Viterbi (CPU-intensive) --hard-metric Use Hamming distances with Viterbi Compatibility options: --hdlc Expect HDLC frames instead of MPEG packets --packetized Output 16-bit length prefix (default: as stream) General options: --buf-factor Buffer size factor (default:4) --hq Maximize sensitivity (Enables all CPU-intensive features) --hs Maximize throughput (QPSK CR1/2 only) (Disables all preprocessing) UI options: -h Display this help message and exit -v Output debugging info at startup and exit -d Output debugging info during operation --fd-info NUM Output demodulator status to file descriptor --fd-const NUM Output constellation and symbols to file descr --gui Show constellation and spectrum (X11) --duration S Width of timeline plot (default: 60) --linger Keep GUI running after EOF Testing options: --awgn STDDEV Add white gaussian noise (slow) eanchansim --help Usage: leanchansim [options] < IQ.in > IQ.out Simulate an imperfect communication channel. Input options: --iu8 Interpret stdin as complex unsigned char --if32 Interpret stdin as complex float -f Hz Specify sample rate --loop Repeat (stdin must be a file) Gain options: --scale FACTOR Multiply by constant Drift options: --lo HZ Specify nominal LO frequency --ppm PPM Specify LO accuracy --drift-period S Drift +-ppm every S seconds --drift-rate R Drift with maximum rate R (Hz/s) --drift2-amp HZ Add secondary drift (range in Hz) --drift2-freq HZ Add secondary drift (rate in Hz) Noise options: --awgn STDDEV Add white gaussian noise (dB) Output options: --ou8 Output as complex unsigned char --of32 Output as complex float leandvbtx --help Usage: leandvbtx [options] < TS > IQ Modulate MPEG packets into a DVB-S baseband signal Output float complex samples Options: -f INTERP[/DECIM] Samples per symbols (default: 2) --roll-off R RRC roll-off (defalt: 0.35) --power P Output power (dB) --agc Better regulation of output power -v Verbose output leansdrcat --help Usage: leansdrcat [options] Forward from stdin to stdout at constant rate. Options: --block Pause when stdout is busy (default: '#' on stderr) --nonblock Silently ignore when stdout is busy --cbr R Set rate in bits per second --cbr8 R Set rate in bytes per second --cbr16 R Set rate in 16-bit words per second --cbr32 R Set rate in 32-bit words per second --cbr64 R Set rate in 64-bit words per second -h Display this help message and exit leansdrscan --help Usage: leansdrscan [options] [program settings] Run , cycling through combinations of settings. Example: 'leansdrscan -v cat -n,-e' will feed stdin through 'cat -n' and 'cat -e' alternatively. Options: -h Print this message -v Verbose --timeout N Next settings if no output within N seconds --rewind Rewind input (stdin must be a file) --probesize N Forward only N bytes (with --rewind) leantsgen --help Usage: leantsgen [-c PACKETCOUNT] Output numbered MPEG TS packets on stdout. Example rtl_sdr -g 0 -f 315e6 -s 1000000 /tmp/test.ts leandvb --gui -v -d -f 1000e3 --sr 500e3 --cr 1/2 --derotate -4500 --anf 0 < /tmp/test.ts > mpeg.ts https://www.rtl-sdr.com/transmitting-dvb-s-with-a-plutosdr-and-receiving-it-with-an-rtl-sdr/ http://www.pabr.org/radio/leandvb/leandvb.en.html
-
发表了文章 2017-09-19
使用Bash Bunny从被锁定的系统抓取登陆凭据
在今年早些时候,FB就对Bash Bunny做了相关的报导。这款号称“世界上最先进的USB攻击工具”的Bash Bunny,是否真的像其所说的一样是款渗透神器呢?下面,我将通过实例演示如何利用Bash Bunny QuickCreds模块,获取到目标主机上的登陆凭据。 简介 很幸运,我得到了一个Bash Bunny的硅谷优惠码,并非常期待Bash Bunny的表现。 首先,对于那些不熟悉该类攻击的人,我强烈推荐你可以先去阅读下mubix的原始帖子。 配置 首先,我需要将payload加载到设备上并使它能正常工作。 我在Windows和Mac上的尝试都遇到了许多麻烦,最终我在Kali VM成功执行了Bunny。 随着你的[sic]VM被关闭,进入到设置>端口>USB 启用usb 3.0 将bunny切换到状态1;插入并等待它完全加载 添加一个usb过滤器(+图标)并添加设备(Linux 3.4.39 sunxi_usb_udc RNDIS/Ethernet Gadget [0333]驱动) 弹出bunny 将开关调到状态2和3,然后重复步骤2-4 打开你的vm,并且保持bunny未插入状态 在vm上wget bb.sh脚本 运行`sudo bash bb.sh`并按照引导设置 当bunny不在arm模式(位置3),在第三步后插入bunny 如果你操作正确的话,脚本会在这个阶段“检测”bunny 最后一步是再次使用你刚刚的设置“connect”主菜单后按“C” 现在你应该能够ssh到bunny,并可通过ping命令测试连接状态 DNS问题 完成上述配置步骤后,我可以SSH连接到我的bunny。 不幸的是,我无法正确下载任何内容或是更新它。 经过一番折腾后,我查看了一下在设备上的resolv.conf文件。 root@bunny:~# ping 8.8.8.8 PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. 64 bytes from 8.8.8.8: icmp_seq=1 ttl=43 time=26.7 ms ^C --- 8.8.8.8 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 26.766/26.766/26.766/0.000 ms root@bunny:~# ping google.com ^C root@bunny:~# cat /etc/resolv.conf # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8) # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN nameserver 8.8.8.8 nameserver 8.8.4.4 我发现我的 pfSense 被配置为阻止所有传出的DNS请求。为了后续演示的方便,这里我禁用了我的防火墙规则。 工具安装 在Bash Bunny QuickCreds payload工作之前,我需要在设备上使用Responder。 首先,我将 ToolsInstaller 包添加到switch1有效载荷中。 接下来,我将QuickCreds有效载荷添加到switch2中。 不幸的是,ToolsInstaller的安装仍然失败。 接下来,我手动创建了一个名为pentest的文件夹。 完成创建后,我手动上传了impacket和responder到设备。 但不幸的是,安装依旧失败。 固件更新 至此我意识到可能是固件的问题,因此我决定更新我的固件版本。 进入下载页面,我发现目前最新的版本为1.3。 我按照页面的更新说明,完成了对设备上的固件更新操作。 成功安装 接着,我将Responder移动到了/tools/responder并尝试了快速攻击。 但问题再次出现,Bunny并没有显示攻击成功的绿光,我相信这肯定是Responder的问题。 最后,我找到了.deb文件,并成功安装了Responder! 执行 现在到了最激动人心的时刻了,我决定拿我女朋友加密锁定的笔记本电脑作为我的渗透目标。 我将bunny插入了她的笔记本,可以看到琥珀色的灯光。 没过几秒钟灯光颜色变成了绿色,说明我们的payload成功被执行。 检查设备后我们发现,多了一个包含NTLM哈希的文件。 哈希破解 根据女友提供给我的一小点提示,我开始尝试破解哈希密码。 Rays-MacBook-Pro:testing doyler$ hashcat -a 3 -m 5600 -i --increment-min=1 --increment-max=10 hash.txt ?l?l?l?l?l?l?l?l?l?l hashcat () starting... OpenCL Platform #1: Apple ========================= * Device #1: Intel(R) Core(TM) i7-6920HQ CPU @ 2.90GHz, skipped. * Device #2: Intel(R) HD Graphics 530, 384/1536 MB allocatable, 24MCU * Device #3: AMD Radeon Pro 460 Compute Engine, 1024/4096 MB allocatable, 16MCU Hashes: 2 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Applicable optimizers: * Zero-Byte * Not-Iterated * Single-Hash * Single-Salt * Brute-Force Watchdog: Temperature abort trigger disabled. Watchdog: Temperature retain trigger disabled. The wordlist or mask that you are using is too small. This means that hashcat cannot use the full parallel power of your device(s). Unless you supply more work, your cracking speed will drop. For tips on supplying more work, see: https://hashcat.net/faq/morework Approaching final keyspace - workload adjusted. Session..........: hashcat Status...........: Exhausted Hash.Type........: NetNTLMv2 Hash.Target......: GIRLFRIEND::Girlfriend-THINK:dexxxxx...000000 Time.Started.....: Fri Jul 14 19:40:47 2017 (0 secs) Time.Estimated...: Fri Jul 14 19:40:47 2017 (0 secs) Guess.Mask.......: ?l [1] Guess.Queue......: 1/10 (10.00%) Speed.Dev.#2.....: 0 H/s (0.45ms) Speed.Dev.#3.....: 0 H/s (0.00ms) Speed.Dev.#*.....: 0 H/s Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts Progress.........: 26/26 (100.00%) Rejected.........: 0/26 (0.00%) Restore.Point....: 0/1 (0.00%) Candidates.#2....: q -> x Candidates.#3....: [Generating] Session..........: hashcat Status...........: Running Hash.Type........: NetNTLMv2 Hash.Target......: GIRLFRIEND::Girlfriend-THINK:dexxxxx...000000 Time.Started.....: Wed Jul 19 12:28:22 2017 (1 sec) Time.Estimated...: Wed Jul 19 12:28:26 2017 (3 secs) Guess.Mask.......: ?l?l?l?l?l?l?l?l?l?l [10] Guess.Queue......: 1/1 (100.00%) Speed.Dev.#2.....: 12865.7 kH/s (4.11ms) Speed.Dev.#3.....: 60526.9 kH/s (7.08ms) Speed.Dev.#*.....: 73392.6 kH/s Recovered........: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts Progress.........: xxxxxxxx/308915776 (xx%) Rejected.........: 0/88440832 (0.00%) Restore.Point....: xxxxxxxx/308915776 (xx%) Candidates.#2....: xxxxxxxxxx -> xxxxxxxxxx Candidates.#3....: xxxxxxxxxx -> xxxxxxxxxx GIRLFRIEND::Girlfriend-THINK:dexxxxx:xxxxx:xxxxx:(password here) 总结 在成功破解密码后,我成功登陆到了我女友的笔记本。 这是我在bunny上成功使用的第一个payload。 最后,如果你有其他关于payload更好的想法或建议,或尝试编写一些个人的payload,那么欢迎与我取得联系并分享你的成果。 原文链接:https://www.doyler.net/security-not-included/bash-bunny-quickcreds
-
发表了文章 2017-09-15
剖析 GSM 加密机制以及位置更新的过程
你有没有想过打开手机时会发生什么?它是如何以安全的方式与网络进行通信?几乎所有人都知道TCP / IP,并且可能许多人还是专家,但是谈到电信方面,很少有人知道它的内部原理。 gsm中的消息结构是什么?它使用的加密类型是什么?因此,今天我们将详细介绍gsm的加密标准,以及手机如何更新移动网络的位置。 当你打开手机发生了什么? 当您打开手机时,它首先启动其无线电资源和移动管理程序。 手机通过SIM或网络接收附近地区支持的频率列表。 它根据功率级别和移动提供商在一个单元上存储。之后,它会对认证发生的网络位置,进行更新过程。位置更新成功后,手机获得TMSI,现在就可以进行其他的操作了。 现在,通过查看移动应用程序调试日志来验证上面的结论。下面的屏幕截图是来自模拟在PC上工作的移动电话的一个osmocom移动应用程序。 SIM发送的移动网络信息 camping on a cell 位置更新请求,包括它的LAI、TMSI 允许位置更新并使用可见的加密标准。 目标 我们将通过osmocom-bb用wirehark捕获gsm数据,并分析整个gsm认证和加密的过程是如何发生的。我们也会看到位置更新过程是如何发生的。 我们已经在上一篇博客中详细介绍了osmocom-bb和建立呼叫的过程。这个博客中会跳过那一部分。 GSM加密标准 A5 / 0 - 未使用加密。为了完整性。 A5 / 1-A5 / 1是用于在GSM蜂窝电话标准中提供空中通信隐私的流密码。它是为了使用GSM而指定的七种算法之一。它最初是保密的,但由于泄漏和逆向工程已经为大众熟知。密码中的一些严重弱点已经被发现。 A5 / 2-A5 / 2是用于在GSM蜂窝电话协议中提供语音隐私的流密码。它用于出口,却并非强于(事实上仍然很弱)A5 / 1。它是为使用GSM所定义的七种A5加密算法之一。 A5 / 3(Kasumi) - KASUMI是用于UMTS,GSM和GPRS移动通信系统的块密码。在UMTS中,KASUMI用于名为UEA1和UIA1的机密性和完整性算法。在GSM中,KASUMI用于A5 / 3密钥流生成器和GEA3密钥流生成器中的GPRS中。 还有一些用的较少,所以没有被提到。 GSM认证和加密是如何发生的? 每个GSM手机都有一个用户识别模块(SIM)。 SIM通过使用国际移动用户身份(IMSI)为移动电话提供独特的身份。 SIM卡就像一个钥匙,失去的话手机就无法运作。它能够存储个人电话号码和短信息。它还存储诸如A3认证算法,A8加密密钥生成算法,认证密钥(KI)和IMSI之类的安全相关信息。移动台存储了A5加密算法。 认证 认证过程检查用户SIM卡的有效性,然后判断移动台是否允许在特定网络上。网络通过使用挑战响应方法来完成用户的认证。首先,通过空中接口向移动台发送128位随机数(RAND)。 RAND被传递给SIM卡,通过A3认证算法与Ki一起发送。 A3算法的输出,经签名的响应(SRES)通过空中接口从移动台发送回网络。在网络上,AuC将SRES的值与从移动台接收的SRES的值进行比较。如果SRES的两个值匹配,认证成功,并且用户加入网络。 AuC实际上不存储SRES的副本,但是根据需要查询HLR或VLR。 生成SRES 匿名 当新的GSM用户第一次打开手机时,其IMSI将被发送到网络上的AuC。之后,临时移动用户身份(TMSI)被分配给用户。除非绝对有必要的话,否则IMSI在此之后很少传输。这样可以防止潜在的窃听者通过其IMSI识别GSM用户。用户继续使用相同的TMSI,具体取决于位置更新发生的频率。每次发生位置更新时,网络都会分配一个新的TMSI到手机。 TMSI与IMSI一起存储在网络中。移动台使用TMSI向网络报告或呼叫启动期间。类似地,网络使用TMSI来与移动台进行通信。访客位置寄存器(VLR)执行TMSI的分配,管理和更新。当关闭时,移动台将TMSI存储在SIM卡上,以确保在再次接通电源时可用. 数据的加密和解密 GSM使用加密密钥来保护用户数据和空中接口的信号。一旦用户认证,通过A8加密密钥生成算法发送RAND(从网络传送)和KI(来自SIM卡),以产生加密密钥(KC)。 A8算法存储在SIM卡上。然后使用A8算法创建的KC与A5加密算法一起加密或解密数据。 A5算法在移动电话的硬件中实现,因为它必须即时加密和解密数据。 加密密钥(Kc)的生成 使用Kc进行数据加密/解密 GSM授权/加密过程 GSM授权/加密过程 1.当您第一次打开手机时,MS将IMSI发送到网络。 2.当MS请求访问网络时,MSC / VLR通常要求MS进行认证。 MSC将IMSI转发到HLR,并请求认证Triplets。 3.当HLR收到IMSI和认证请求时,首先检查其数据库,确保IMSI有效并属于网络。一旦实现了这一点,它将把IMSI和认证请求转发到认证中心(AuC)。 AuC将使用IMSI查找与该IMSI相关联的Ki。 Ki是个人用户认证密钥。当创建SIM卡时,它是与IMSI配对的128位数字。 Ki只存储在SIM卡和AuC上。 Auc还将生成一个称为RAND的128位随机数。 RAND和Ki被输入到A3加密算法中。输出是32位签名响应(SRES)。当请求认证时,SRES本质上是发送给MS的“挑战”。 RAND,SRES和Kc统称为三元组。 HLR将三元组发送给MSC / VLR。 4.然后,VLR / MSC将只将RAND值转发给MS。 5.MS使用存储在其sim中的Ki和网络发送的RAND值来计算SRES。 MS将此SRES值发送回MSC / VLR。 6.MSC / VLR将SRES值与HLR向其发送的值进行匹配。如果它匹配,它成功授权MS。 7.一旦经过认证,移动和网络都可以通过A8算法使用Ki和RAND值来生成Kc。 8.使用具有A5加密算法的唯一生成密钥(Kc)对数据进行加密/解密。 位置更新步骤 位置更新过程 当你打开你的手机,它首先告诉网络,我在这里,我想注册到网络。之后它发送一个位置更新请求,包括它以前的LAI,它是TMSI。 收到TMSI后,如果TMSI不在数据库中,则VLR请求IMSI,收到IMSI后,VLR根据其IMSI向HLR询问用户信息。如果VLR在它的数据库里没有找到TMSI,它将使用LAI找到MS连接到的旧VLR的地址。向旧VLR发送请求,请求用户的IMSI。 VLR提供与MS发送的TMSI相对应的IMSI。请注意,IMSI可能是从移动设备获得的。这不是优先选择,因为位置更新请求被清楚地发送,因此可以用于确定IMSI和TMSI之间的关联。 HLR又要求AuC为这个IMSI的三元组。 HLR将三元组(Rand,Kc,SRES)转发到VLR / MSC。 MSC将从VLR获取详细信息,并只将RAND值传给MS。 MS将再次计算SRES,并将其发送回MSC。 MSC将验证存储在VLR中的SRES,并将与MS发送的SRES进行比较。如果两者匹配,则位置更新成功。 成功后,HLR更新发生,它将更新其当前位置,并将TMSI分配给该MS。由于在加密之后TMSI任务被发送,TMSI与用户之间的关系不能由未经授权的用户获得。 GSM手机回复表明新的TMSI分配已经完成。 现在,我们将分析wirehark中的gsm数据包,看看在空中的真实情况。 1.立即分配 - 由MS请求的无线信道和MS分配的无线信道MS提供商。我们还可以看到在这个频道中正在使用什么样的控制信道(SDCCH / SACCH)。 2.位置更新请求 - MS发送位置更新请求,其中包括以前的LAI,它是TMSI。 3.验证请求 - VLR / MSC将HLR中的RAND转发给MS。我们可以清楚地看到网络发送到移动电话中的随机值。 4.MS中的SRES生成 - MS将使用存储在sim.5中的Ki的帮助,使用A3认证算法生成SRES值。 5.认证响应 - MS将发送其计算的SRES值。我们可以清楚地看到SRES的值。 6.加密模式命令 - BSC向移动设备发送CIPHERING MODE命令。密码已经被启用,所以这个消息是通过加密传输的。手机用CIPHERED模式回复它。我们也可以看到下面的加密模式完成包。我们可以看到它正在使用A5 / 1密码。 7.接受位置更新 - 成功认证后,位置更新发生在MS向网络提供位置信息的地方。 8.TMSI重新分配完成 - MS提供商将向MS分配TMSI,并且该消息将被加密,使得没有人可以嗅探用户的身份(TMSI)。 9.无线电频道发布 - 分配的无线电频道由MS。 现在呢? 注意到有时运营商根本没有使用任何加密,以便能够处理更多的网络负载。加密/解密过程增加了开销。有时,身份验证过程的配置存在问题,攻击者可以使用它来绕过完整的身份验证. GSM安全是一个很大的的但还尚未开发的领域,还有很多工作需要探索和完成。现在,当您了解如何分析最低级别的gsm数据时,您可以阅读,分析和修改osmocom的代码,以便将任意帧发送到网络或从网络发送到手机。您可以开始模糊gsm级协议,以了解您是否可以实际破解任何网络设备。还有很多事情要做,但这需要对gsm网络有深刻理解,还有关于这方面的法律问题。我建议您创建自己的gsm网络并运行您的测试,如果你想继续这样做的话。我们将在gsm上发布更多博客文章。敬请期待! 参考资料: https://www.sans.org/reading-room/whitepapers/telephone/gsm-standard-an-overview-security-317 http://mowais.seecs.nust.edu.pk/encryption.shtml 原文链接:http://payatu.com/dissecting-gsm-encryption-location-update-process/
滑动查看更多
暂无更多信息
-
发表了文章
2015-05-29
破解火车票上的身份证号码
-
发表了文章
2015-05-29
一个简单的Dump转文本工具—Dump2Text
-
发表了文章
2015-05-29
利用烧鹅制作简单BadUSB,插谁谁怀孕
-
发表了文章
2015-05-29
KeySweeper 微软无线键盘嗅探装置
-
发表了文章
2015-05-29
GSM Sniffing入门之硬件篇
-
发表了文章
2015-05-30
GSM Sniffing入门之软件篇:GSMTAP抓取与SMS(Short Message Service)
-
发表了文章
2015-05-30
Motorola C118修改滤波器组件
-
发表了文章
2015-05-30
伪基站和空中信息拦截
-
发表了文章
2015-06-05
OpenSesame:一个能够攻击fixed-pin设备的工具
-
发表了文章
2015-06-07
Kali Linux更新源以及设置中文
-
发表了文章
2015-06-08
将PS/2接口鼠标改造成USB接口鼠标
-
发表了文章
2015-06-09
《头文字D》热门同人插画欣赏
-
发表了文章
2015-06-12
一张图让你理清渗透思路
-
发表了文章
2015-06-18
终端机的安全性
-
发表了文章
2015-06-22
Nexus设备渗透测试平台 – Kali Linux NetHunter
-
发表了文章
2015-06-26
关于站队,有深度
-
发表了文章
2015-06-30
几种开源许可证的区别
-
发表了文章
2015-06-30
[转载]三款SDR平台对比:HackRF,bladeRF和USRP
-
发表了文章
2015-06-30
[追加评论]三款SDR平台对比:HackRF,bladeRF和USRP
-
发表了文章
2015-06-30
12个有趣的 XSS Vector
滑动查看更多
暂无更多信息