First off let me just say a big thank you to the MWR guys who put this CTF together, usually I don’t partake in CTFs because the skillset required is usually out of my grasp (IANAP).
To have developed this CTF in a manner that allows people who do not work with crypto/hackz0r wizardry to still have a chance of solving the problems is awesome! I didn’t solve all of the problems, but I did spend far too much of my free time and apologise to the many bars I had to let down during that time. After this writeup I shall resume my social responsibilities ;)
Each of the various problems took me many hours of frustrating, wallpunching, facepalming and omgnoobing to complete, however I will just go over the solutions to each of them without the hours of frustration — the tl;dr of each one if you will.
Challenge 1 ( GUASS RIFLE ) — A book cipher requiring you to parse various words from lines in books
Challenge 2 ( RADIATION POISONING ) — An LSB Stego QR code that needed to be decoded and then parsed
Challenge 3 — Not completed
Challenge 4 ( FACSIMILE ) — An audio fax that needed to be decoded
Challenge 5 ( GREEN SKIN ) — A literal jigsaw puzzle representing 4 sides of a puzzle piece with 3 characters
Challenge 6 ( WHIRLPOOL ) — A multiple times rotated image that needed to be ‘unrotated’
Challenge 7 ( SCORCHED EARTH ) — An Office document with a weak password
Challenge 8 ( SMOG AND SMOKE ) — A modified Playfair cipher that needed to be reconstructed based on solar systems
Challenge 9 — Not completed
Challenge 10 — Not completed
If you have the writeup to challenges 3/9/10 please let me know so I can link to them!
All the challenges/instruction text and solutions are available on the following GitHub: https://github.com/AndrewMohawk/HackFu2016
It’s been absolutely ages since I’ve posted anything on the blog, not that I haven’t been doing things, just really not many things I felt good enough to write an entry about. I got a lot of feedback regarding my previous entry about Hacking Fixed key remotes and I decided to build on that slightly.
One of the pains of the previous method was that it was rather tedious to do the following:
* Finding the key for the remote; essentially it was broken into:
* Finding the signal with RTLSDR
* Saving demodulated .wav
* Running a script to decode that audio
* Replay remote with RFCat
* Transmitting the remote also meant another piece of hardware (RFcat) and then taking the signal from the decoded script into a format RFCat understands.
So much like the Sex Pistols album I am also going to be flogging a dead horse, this time the AM/OOK one. In this blog post I will explore discovering signals as well as replaying them with RFCat.
I realise I should have done this entry a little sooner, but as everyone should be well aware of by now, I am lazy. Also I moved to Cape Town just after ZaCon V which proved rather time consuming! Please note this is gonna be a first of 2 big entries on them so if you don’t like reading, pull up now.
One of the highlights of the annual Las Vegas pilgrimage for me has always been the electronic badges, whether it’s for defcon, ninja networks or custom badges that people have built for their hackerspaces. I especially enjoy the ones that are a little more complex (more than just lights) and are hackable. I have always been in awe of security researchers such as Adam Laurie, Zak Franken, Michael Ossman, At1as and the other hardware hackers.
For ZaCon V ( www.zacon.org.za ) I built some electronic badges for the conference that are based on an Arduino framework (at least using an ATMega328 with an Arduino Bootloader) and communicate to each other via 433MHz RF (the same that is used in remotes). The idea with the badges was to have a way to see who was interacting with whom and show it in a visual representation (Maltego — yes yes, man with a hammer etc). Additionally I needed the badges to be cheap as.. well… I am cheap :)
The badges took about 3 months to go from breadboard to finished and a large majority of that time was spent learning how electronics work (and don’t!). This however was not my first attempt at building badges, for the last 3 years I have built a design on a breadboard and then basically done nothing with it (apart from make a shakey cam video at 3am and suggest the idea).
A lot of the design actually came from me wandering around hobbyist electronic stores on the internet and coming across two really cool things namely, very cheap communication in the form of 433MHz RF chips and Nokia 5110 LCDs (also cheap :P ).
I ordered a few of the screens and RF kits and started tinkering - having a display connected to my Arduino brought all kinds of warm and fuzzy feelings. Next I started playing with the 433MHz, originally thinking that the badges would only receive a simple message, something like who was currently speaking, from a PC near the stage. Roelof looked at it and suggested that this idea was boring and if I really wanted to do something cool I should make all the badges talk to each other. And so the tinkering began.
It has been absolutely ages since I have written a blog post – genuinely I really haven’t simply been slacking off, I’ve just been busy! Anyway, figured it was time to do a writeup on some stuff I have been working on. (Please note this is almost the exact same post from the Paterva blog).
Predominately I want to show you some of the work we had to do for Blackhat 2013 – my first BH talk ever! My section of the work was what we ended up calling ‘KingPhisher’ as well as the multi-threaded Python script to crawl websites for some parts of ‘Teeth’ (Roelof’s offensive Maltego transforms).
A common Paterva office treat is that if you make a mistake or if the other person can catch you out at anything you have to make tea (the amount of times I make tea is inversely proportional to how long I have been at Paterva!). This included phishing. Many years ago we would try to trick each other into clicking on links. Most security people will agree with us when we say that if you have enough context on a person you can craft an email and include a link on which they *will* click. Additionally we have used Maltego to gain context on people for a while, specifically using social networks (including transforms provided commercially via the SocialNet package). We also accept that there are certain types of mail we seldom check (in terms of headers/other), we have been semi-programmed by automatic spam filtering and anti-virus to notify us if something is bad. Bottom line — we don’t inspect every link on every mail and we doubt if you do too.
So with this in mind we decided to integrate the two sides – 1) targeted phishing attacks and 2) information gathering in Maltego.
I really should have written this after ZaCon (November last year), but I’m lazy. However I have been asked to give a brief overview of the same talk at ITWeb this year so I figure I may as well finish this article and get it out :P
So in the first blog post I discussed the basics of Magnetic stripes and how the tech works. I like it because it’s fundamentally simple (perhaps like myself ;).
This entry is going to cover spoofing, from building a spoofer to having something read the entries. Ideally you want to have a magreader at this stage, either one of the nifty USB ones that act as an HID device or one that you built that can read the tracks you are interested in. Below is a cheap TTL reader I got (cost about R150, that’s ~$20):
This is really just so that you can “listen” to what your spoofer can generate. Magnetic stripe spoofers have been done all over the place, so please don’t think I did this, you can see some great examples HERE and HERE. Essentially however the system is dead simple, you have the ‘sound’ that you wish to play (as discussed previously), an amplifier that can crank up the volume to the level that it’s going to get picked up and an electromagnet (it sounds fancy, it’s just wire coiled around a piece of metal – more later).