This blog post will discuss the implementation of Codegrabbing / RollJam, just one method of attacking AM/OOK systems that implement rolling codes (such as keeloq) — these systems are commonly found on modern vehicles and entry systems such as gates and garages. This technique has been used and spoken about for a number of years (Marko Wolf describes it in “Security Engineering for Vehicular IT Systems” from 2009).
However the advancement in easy to use and cheap hardware has made this a readily available research path for almost anyone. Samy Kamkar showed it at Defcon 2015, you can read about that and his device at http://www.wired.com/2015/08/hackers-tiny-device-unlocks-cars-opens-garages/. This blog entry will be more discussing the integral parts of how it works and how easy it is to do.
I was optimistic that the 2015 talk @elasticninja and myself did at zacon on this topic would be published so that I could lazily just link to the video instead of having to write it up, but alas, here we are! ;)
Naturally its important to have a spoiler before the long boring text. Here is a video carefully crafted by my friend Roelof Temmingh showing us opening a VW car with two YS1 (YardStick One):
Its been absolutely ages since I’ve posted anything on the blog, not that I havent been doing things, just really not many things I felt good enough to write an entry about. I got a lot of feedback regarding my previous entry about Hacking Fixed key remotes and I decided to build on that slightly.
One of the pains of the previous method was that it was a rather tedious to do the following:
* Finding the key for the remote essentially it was broken into:
* Finding the signal with RTLSDR
* Saving demodulated .wav
* Running a script to decode that audio
* Replay remote with RFCat
* Transmitting the remote also meant another piece of hardware (RFcat) and then taking the signal from the decoded script into a format RFCat understands.
So much like the sex pistols album I am also going to be flogging a dead horse, this time the AM/OOK one. In this blog post I will explore discovering signals as well as replaying them with RFCat.
It has been absolutely ages since I have written a blog post – genuinely I really havent simply been slacking off, i’ve just been busy! Anyway, figured it was time to do a writeup on some stuff I have been working on. (Please note this is almost the exact same post from the Paterva blog).
Predominately I want to show you some of the work we had to do for Blackhat 2013 – my first BH talk ever! My section of the work was what we ended up calling ‘KingPhisher’ as well as the multi-threaded Python script to crawl websites for some parts of ‘Teeth’ (Roelof’s offensive Maltego transforms).
A common Paterva office treat is that if you make a mistake or if the other person can catch you out at anything you have to make tea (the amount of times I make tea is inversely proportional to how long I have been at Paterva!). This included phishing. Many years ago we would try trick each other into clicking on links. Most security people will agree with us when we say that if you have enough context on a person you can craft an email and include a link on which they *will* click. Additionally we have used Maltego to gain context on people for a while, specifically using social networks (including transforms provided commercially via the SocialNet package). We also accept that there are certain types of mail we seldomly check (in terms of headers/other), we have been semi-programmed by automatic spam filtering and anti-virus to notify us if something is bad. Bottom line — we don’t inspect every link on every mail and we doubt if you do too.
So with this in mind we decided to integrate the two sides – 1) targeted phishing attacks and 2) information gathering in Maltego.
I really should have written this after ZaCon (november last year), but I’m lazy. However I have been asked to give a brief overview of the same talk at ITWeb this year so I figure I may as well finish this article and get it out :P
So in the first blog post I discussed the basics of Magnetic stripes and how the tech works. I like it because its fundamentally simple (perhaps like myself ;).
This entry is going to cover spoofing, from building a spoofer to having something read the entries. Ideally you want to have a magreader at this stage, either one of the nifty USB ones that act as an HID device or one that you built that can read the tracks you are interested in. Below is a cheap TTL reader I got (cost about R150, thats ~$20):
This is really just so that you can “listen” to what your spoofer can generate. Magnetic stripe spoofers have been done all over the place, so please don’t think I did this, you can see some great examples HERE and HERE. Essentially however the system is dead simple, you have the ‘sound’ that you wish to play (as discussed previously), an amplifier that can crank up the volume to the level that its going to get picked up and an electromagnet (it sounds fancy, its just wire coiled around a piece of metal – more later).
Its taken a lot of motivation to start writing this, and I hope its okay, I have a mental block that I need to write this and the second post about magstripes before moving on to some new things with my plants I want to try.
My friend Roelof Temmingh (@Roeloftemmingh) made this cool video for my talk, check it out below or at http://vimeo.com/51228567. Please note we had permission to test out the door at Senseposts’ old office :)
Previously I discussed using my RTL-SDR to merely listen for analog audio signals. In this entry I’ll discuss using it to decode digital signals (this example on fixed remote signals often used for garages / gates ) so that they can be replayed/brute forced with something like the RFCat project (based on TI’s CC1111EMK module). This has probably been done to death already but I figured since I struggled with it maybe this will help someone else do it a lot quicker (and mostly cause I think its cool).
The basic components are:
* RTL-SDR on a windows machine with the HDSDR application installed (really easy to use — saves me doing hard work)
* Audio application to look at demodulated stream (I like the open-source project Audacity )
* RFcat under linux for easy transmission of data – find more about RFcat at http://code.google.com/p/rfcat/
Then there are 3 basic steps to a replay/bruteforce attack:
* Capture Signal: Figure out what frequency it is on, figure out what modulation is used
* Decode Captured Signal: Decode the signal to data you can work with so you can replay it and if possible brute force similar ones
* Transmit Signal: Send off your data for epic-winness (okay its not that complex, but it still feels cool)
I am going to assume at this stage that you have access to the remote (otherwise it may be illegal, I think.. lets just go with that). The easiest thing to do firstly is try and identify your remote, here is my garage remote for the complex that I live in (with many garages all of the same type):
A few weeks ago (I’ve been meaning to do this post for ages, few weeks ago is give or take 2 months) there was a post on reddit regarding a new software defined radio that cost around $20. After reading a few topics on the discussion (now all avail at http://www.reddit.com/r/RTLSDR now http://rtlsdr.reddit.com) my interest was peaked. RF was a whole new world of WTF for me. I think it offers the same awe and wonder that I had putting a tape into my very first tape into my vomit brown fischer-price tape player:
The basic gist of how it all works is as follows:
* There is a common chip found in video cards known as an RTL2832U
* This chip is commonly used for specific frequencies used for Television signals (and then software decodes this so you could watch TV on your pc)
* A bunch of cool guys ™ found a way to read the data coming into the card directly with drivers
* These cards also offered some tuners that allowed tuning beyond the basic TV ranges
So there are 2 basic sections:
* RTL2832U chips – reading data
* Tuner (E4K,other) – allows changing frequencies to various ranges
With such I started hunting around in Centurion for a Video card that had these options, after phoning a few places (read 5/6) I eventually found a TV card known as a Compro VisionMate U650F. It costs around R250 from pcpalace in centurion which offers a RTL2832U as well as the E4K tuner (the best one at this stage). *update* the cheaper visionmates (without remote) go for about R100 less than this!
* I can tune to frequencies from around 55MHz to 1800Mhz
* For R250!
This was super, ordered my card and a few days later it arrived!
Following some _really_ easy guides for installing a few tools in windows:
* HDSDR, WRPlus, ExtIO, zadig ( http://spench.net/ has all the info but at time of writing was having some issues, try one of these: http://rtlsdr.org/ http://rtlsdr.reddit.com)
And on linux:
* GnuRadio (install guide: http://gnuradio.org/redmine/projects/gnuradio/wiki/InstallingGR)
Off the bat I loaded up HDSDR (after all the config and setup – zadig for drivers, extIO copied) and immediately got that sinking feeling of ‘I know absolutely nothing’:
So its been nearly a month since I last put a blog post up and I have been working on some stuff in my free time between work (been traveling to the US and took a weekend off to visit some friends in Canada). I’m not particularly in the mood to write a new post, but you know how it is, if I don’t start writing it I’ll never get round to it.
Essentially I have always been fascinated by the idea of being able to ‘hack’ with/into physical things, whether it be the Arduino and my watering system (btw you can see those stats at http://andrewmohawk.dyndns.org/AWS/), changing data on RFID cards or being that sneaky kid jackpotting ATM machines.
I started looking at magnetic stripes, mostly because they are *everywhere*, from bank cards, customer loyalty and even parking systems.
The basic gist of the system is that there are many tiny magnets or magnetic particles (usually iron oxide) which are magnetized in a specific manner within a magstripe. Essentially you take the card (or think of it as many magnets) and put it next to a magnetic reader (card reader) which then reads the fields. These fields are then taken to good ol 1’s and 0’s and used within backend systems after a bit of decoding.
The magnetic stripe on a card is actually made up of 3 different ‘stripes’ or tracks (usually – different types of cards will have a different number of tracks), right above each other. Each of these tracks can hold different amounts of data and for the basic breakdown you can read up about em at http://www.gae.ucm.es/~padilla/extrawork/tracks.html and http://www.ded.co.uk/magnetic-stripe-card-standards/
TL;DR – Track 2/3 = Numbers, Track1 = UPPERCASE,numbers
Read more »
I know, its been forever since I posted, but I do have two things i’m working on (there are drafts, but they need to be finished) – Its just the effort to actually finishing. Its on Magstripe spoofing and using the RTLSDR -shrug-.
Anyway, a discussion started in #zacon based on a post I thought was interesting about SSL-enabled mail servers and how very very seldomly its actually used for mail: http://ritter.vg/blog-no_email_security.html. The gist of the story is that mail goes from your client via MTA to another MTA to be delivered and while you might have an SSL enabled session for your gmail interface its highly unlikely that the actual mail will be going over SSL the entire trip. In fact gmail’s SSL certs are for mx.gmail.com not aspmx.l.google.com!
But back to the Alternate DNS names. So one chap in chat ‘dru’ mentioned that he has a single cert for multiple domains, I wasn’t entirely sure this was possible as I have never seen it, however after looking a bit more closely at his SSL certificates on https://mail.sybaweb.com/ it appeared that all his other linked domains (technically DNS names) were actually in the certificate. This is a great way to find out other domains/dns names linked to your target domain.
Few minutes in PHP and I whipped up a little (but ugly) script to pull this out, check it out at https://andrewmohawk.com/SSLAssociated/
The Quick and dirty:
New PasteLert lives at http://andrewmohawk.com/pasteLertV2/
» Interface -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_Interface.zip
» Cron Tasks -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_Cron_Tasks.zip
» Scraping Script -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_Python_Scraping_Script.zip
And of course if you want everything -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_all.zip
My linode has been pretty much falling over due to the previous version of the pastebin alerts for a number of reasons:
» Scripts sometimes get blackholed (pastebin.com allows the connection but doesnt respond – due to their DDoS protection)
» Scripts sometimes were still running when the PREVIOUS script had not completed causing a chain reaction of fail
» Deletes would be happening while the above scripts where running causing MySQL to tilt
- Bypassing Rolling Code Systems
- Hacking fixed key remotes with (only) RFCat
- ZaCon V Badge [2/2]: How they work
- ZaCon V Badge [1/2]: Build Time
- ZaCon V: Badge Sneak Peak *update*
Not the quickest of cats
on the best of days.
Magnetic Stripes (2)
- February 2016
- August 2015
- April 2014
- January 2014
- November 2013
- October 2013
- March 2013
- January 2013
- December 2012
- September 2012
- July 2012
- May 2012
- April 2012
- February 2012
- November 2011
- October 2011
- September 2011
- August 2011
- June 2011
- April 2011
- March 2011
- February 2011
- January 2011
- November 2010
- October 2010
- September 2010
- March 2010
Created by Site5 WordPress Themes.
Experts in WordPress Hosting.