jrsmile
Posts: 35
Posts posted by jrsmile
-
Discussion Thread for Root CA installer. (No Local Admin Rights necessary)
current development via: https://github.com/jrsmile/bashbunny-payloads/tree/master/payloads/library/rooter (TESTED and Working)
pull request waiting.
Small howto: create a self-signed root CA:
Create the Root Certificate (Done Once)

Creating the root certificate is easy and can be done quickly. Once you do these steps, you'll end up with a root SSL certificate that you'll install on all of your desktops, and a private key you'll use to sign the certificates that get installed on your various devices.

Create the Root Key

The first step is to create the private root key, which only takes one step. In the example below, I'm creating a 2048 bit key:

openssl genrsa -out rootCA.key 2048

The standard key sizes today are 1024, 2048, and to a much lesser extent, 4096. I go with 2048, which is what most people use now. 4096 is usually overkill (and 4096 key length is 5 times more computationally intensive than 2048), and people are transitioning away from 1024.

Important note: Keep this private key very private. This is the basis of all trust for your certificates, and if someone gets a hold of it, they can generate certificates that your browser will accept. You can also create a key that is password protected by adding -des3:

openssl genrsa -des3 -out rootCA.key 2048

You'll be prompted to give a password, and from then on you'll be challenged for the password every time you use the key. Of course, if you forget the password, you'll have to do all of this all over again.

The next step is to self-sign this certificate.

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

This will start an interactive script which will ask you for various bits of information. Fill it out as you see fit.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Oregon
Locality Name (eg, city) []:Portland
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Overlords
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:Data Center Overlords
Email Address []:none@none.com

Once done, this will create an SSL certificate called rootCA.pem, signed by itself, valid for 1024 days, and it will act as our root certificate. The interesting thing about traditional certificate authorities is that the root certificate is also self-signed. But before you can start your own certificate authority, remember the trick is getting those certs in every browser in the entire world.
-
ah like the teensy project
Indeed ... dammit, there is always someone being faster and more elegant ;)
anyway:
Here is the PC part converted to binary, written in AutoIt (NOT compatible with the previous Arduino code!):
$arr = stringtobase2("Dies ist ein sehr sehr langer Test 0123456789")
sendarray($arr, 40) ; 40 ms pause * 2 * 8 = one character every 640 ms!

; Clocks out each character bit by bit: Scroll Lock carries the data bit,
; a Num Lock on/off pulse is the clock. $speed is the pause in ms per edge.
Func sendarray($arr, $speed)
    For $i = 1 To UBound($arr) - 1
        ConsoleWrite($arr[$i] & @CRLF)
        $arr2 = StringSplit($arr[$i], "")
        For $x = 1 To $arr2[0]
            If $arr2[$x] = 1 Then
                Send("{SCROLLLOCK on}")  ; data line = 1
            Else
                Send("{SCROLLLOCK off}") ; data line = 0
            EndIf
            Send("{NUMLOCK on}")         ; clock high
            Sleep($speed)
            Send("{NUMLOCK off}")        ; clock low
            Sleep($speed)
        Next
        Send("{SCROLLLOCK off}")
    Next
EndFunc   ;==>sendarray

; Converts a string into an array of 8-character bit strings (index 0 unused).
Func stringtobase2($txt)
    Local $src = StringSplit($txt, "")
    Local $res[UBound($src)]
    For $x = 1 To $src[0]
        $res[$x] = chartobase2($src[$x])
    Next
    Return $res
EndFunc   ;==>stringtobase2

; Converts one character to its 8-bit binary string, MSB first.
Func chartobase2($chr)
    Local $nr = Asc($chr)
    Local $res = ""
    Local $mask = 128
    While $mask >= 1
        If BitAND($nr, $mask) Then
            $res &= "1"
        Else
            $res &= "0"
        EndIf
        $mask = BitShift($mask, 1)
    WEnd
    Return $res
EndFunc   ;==>chartobase2
-
Hey, I'm one of the two main developers; if you need help with the code feel free to ask.
-
Hi there,
I have thought about a solution for transferring data via the keyboard LEDs back to the Teensy.
First of all, it's a proof of concept (so pretty slow).
What you need:
* Arduino IDE
* Teensyduino addon from pjrc.com
* phukdlib.h from irongeek.com
and for the sending part:
* AutoIt from autoitscript.com
Arduino code:
#include <phukdlib.h>

int ascii = 0;    // number of Scroll Lock pulses counted so far = ASCII code
char buf[12];
int changed = 0;  // 1 while Scroll Lock is on, so each on->off edge counts once

void setup() {
  pinMode(6, OUTPUT);
}

void loop() {
  if (IsNumbOn()) {               // Num Lock on = listening mode
    if (IsScrlOn()) {
      // digitalWrite(6, HIGH);
      changed = 1;
    } else {
      if (changed == 1) {         // Scroll Lock just turned off: one pulse
        changed = 0;
        ascii += 1;
      }
      // digitalWrite(6,LOW);
    }
  } else {
    if (ascii > 0) {              // Num Lock off: character complete, type it back
      char thisString = ascii;
      Keyboard.print(thisString);
      ascii = 0;
    }
  }
}
And the counterpart on the PC itself, written in AutoIt:
Global $speed = 36 ; lesser values for faster transfer, may result in false data...

sendstring("test")

; Sends a whole string, one character at a time, after resetting both LEDs.
Func sendstring($string)
    Send("{SCROLLLOCK off}")
    Send("{NUMLOCK off}")
    $src = StringSplit($string, "")
    For $i = 1 To $src[0]
        ConsoleWrite($src[$i] & @CRLF)
        sendkey($src[$i])
    Next
EndFunc   ;==>sendstring

; Num Lock on = listening mode; the ASCII code is sent as that many
; Scroll Lock on/off pulses, then Num Lock off ends the character.
Func sendkey($key)
    Send("{NUMLOCK on}")
    For $x = 1 To Asc($key)
        Send("{SCROLLLOCK on}")
        Sleep($speed)
        Send("{SCROLLLOCK off}")
        Sleep($speed)
    Next
    Send("{NUMLOCK off}")
    Sleep($speed)
EndFunc   ;==>sendkey
It uses Num Lock to activate listening mode and sends the string as ASCII codes to the Teensy via Scroll Lock; I took those keys to be able to type normally during the transfer process.
I may switch to binary mode when I know more about the Arduino's capability to use it.
Maybe using Num Lock as clock and Scroll Lock as data line.
What I figured out: when lowering the send delay between LED iterations below 36 ms, the Arduino won't be able to keep up and misses some of the signal switches.
Currently I only check for Scroll Lock turning off, so maybe there is a performance boost hidden in it too.
To see if the Arduino has understood the signal correctly, I managed to return the sent keys as real keys back to the computer.
Now I have a hardware keyboard controllable by software on the same machine.
Good for anti-cheating tool workarounds (when it gets faster)...
Please make sure you select a keyboard-enabled USB type in the Arduino IDE via "Tools" > "USB-Type".
That's it for now; feel free to contribute or wait. ;)
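The clock/data idea from this post (Num Lock as clock, Scroll Lock as data), which is exactly the framing the AutoIt sendarray() in the later post transmits, modelled end to end in C as an added example that is not code from this thread: both the host's LED states and the Teensy-side decoder are simulated in memory, and a dropped-sample run shows how the sub-36 ms polling problem desynchronises the receiver. The names (led_encode, led_decoder_feed, led_drop_every and friends) are my own.

```c
/* Model of the keyboard-LED channel from this thread: Num Lock is the clock
 * line, Scroll Lock the data line, one bit per clock pulse, MSB first, eight
 * bits per character (the framing sendarray() uses). Added example, not code
 * from the thread: host and Teensy are both simulated in memory. */
#include <string.h>
/* One LED state, as the device reads it from the host's HID report. */
typedef struct { unsigned char numlock, scrolllock; } led_state;
/* Host side: the LED states sendarray() produces. Per bit: set the data
 * line, raise the clock, lower the clock (three observable states). */
size_t led_encode(const char *msg, led_state *out, size_t cap) {
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)msg; *p; p++)
        for (int bit = 7; bit >= 0; bit--) {
            unsigned char d = (*p >> bit) & 1;
            if (n + 3 > cap) return n;              /* capture buffer full */
            out[n++] = (led_state){0, d};           /* data line set      */
            out[n++] = (led_state){1, d};           /* clock high: sample */
            out[n++] = (led_state){0, d};           /* clock low          */
        }
    return n;
}
/* Device side: streaming decoder fed one polled LED state at a time, as
 * loop() on the Teensy would. Data is sampled on the rising clock edge.
 * Returns a completed byte (0..255) or -1 while a byte is still in flight. */
typedef struct { unsigned char prev_clock, shift; int nbits; } led_decoder;
int led_decoder_feed(led_decoder *d, led_state s) {
    int out = -1;
    if (s.numlock && !d->prev_clock) {              /* rising clock edge */
        d->shift = (unsigned char)((d->shift << 1) | (s.scrolllock & 1));
        if (++d->nbits == 8) { out = d->shift; d->nbits = 0; d->shift = 0; }
    }
    d->prev_clock = s.numlock;
    return out;
}
/* Decode a whole capture. *partial_bits is the leftover bit count (< 8) after
 * the last pulse; it is non-zero whenever clock edges were missed. */
size_t led_decode(const led_state *in, size_t n, char *out, size_t cap,
                  int *partial_bits) {
    led_decoder d = {0, 0, 0};
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        int b = led_decoder_feed(&d, in[i]);
        if (b >= 0 && len + 1 < cap) out[len++] = (char)b;
    }
    out[len] = '\0';
    *partial_bits = d.nbits;
    return len;
}
/* A poller too slow for the host (the sub-36 ms case from the thread) misses
 * states; model that by dropping every k-th sample from the capture. */
size_t led_drop_every(const led_state *in, size_t n, size_t k, led_state *out) {
    size_t m = 0;
    for (size_t i = 0; i < n; i++)
        if ((i + 1) % k != 0) out[m++] = in[i];
    return m;
}
/* Clean capture: 1 when msg (up to 63 chars) survives the round trip intact. */
int led_roundtrip_ok(const char *msg) {
    led_state wire[3 * 8 * 64]; char text[64]; int partial;
    size_t n = led_encode(msg, wire, sizeof wire / sizeof *wire);
    led_decode(wire, n, text, sizeof text, &partial);
    return partial == 0 && strcmp(text, msg) == 0;
}
/* Lossy capture after dropping every k-th sample: returns bytes still framed,
 * leftover bits via partial_bits (may be NULL); missed edges desync the rest. */
size_t led_lossy_bytes(const char *msg, size_t k, int *partial_bits) {
    led_state wire[3 * 8 * 64], slow[3 * 8 * 64]; char text[64]; int leftover;
    size_t n = led_encode(msg, wire, sizeof wire / sizeof *wire);
    size_t m = led_drop_every(wire, n, k, slow);
    size_t len = led_decode(slow, m, text, sizeof text, &leftover);
    if (partial_bits) *partial_bits = leftover;
    return len;
}
/* Leftover-bit count alone, for the lossy case. */
int led_lossy_partial_bits(const char *msg, size_t k) {
    int p; led_lossy_bytes(msg, k, &p); return p;
}
```

With every fifth sample dropped, "Test 0123" (72 bits on the wire) loses 15 clock-high samples, so the receiver frames only 7 bytes and is left holding a stray bit; a real receiver would need a start marker or parity to notice this.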
-
Finally we have a working sample project for all Teensy users who have an SD card reader.
-
Hi,
First post, first teensy program so don't judge.
Finally got around to implementing an idea I had for some time - a HID password manager. No buttons, no screen, no soldering required. Plug it in and use your normal keyboard to control it. Not very useful for the offensive aspect of things, but not getting pwned is important, right?
It uses the keyboard status LEDs for input: you press caps/scroll/num lock, the LED turns on and the Teensy can act on that.
The way you would use it is:
- Edit your login info in the source code
- Compile and upload it to teensy (duh)
- When you need to login, select the username field and plug teensy in
- Enter the secret key sequence (aka secret knock)
- Use scroll lock and num lock to navigate the login list
- Find the one you need and press caps lock
- Press login
- ???
- Profit
The secret knock is just a sequence of caps, num and scroll lock keys (see source code). Default is: caps, scroll, num lock, num lock.
To make it work I had to add a couple of lines to usb_api.cpp:
bool usb_keyboard_class::led_numlock_on()    { return keyboard_leds & 1; }
bool usb_keyboard_class::led_scrolllock_on() { return keyboard_leds & 4; }
bool usb_keyboard_class::led_capslock_on()   { return keyboard_leds & 2; }
bool usb_keyboard_class::isReady()           { return usb_configuration; }
Obviously you need to add the declarations to the usb_keyboard_class class in usb_api.h:
bool led_numlock_on();
bool led_capslock_on();
bool led_scrolllock_on();
bool isReady();
And the actual program code:
/*
Teensy Password Manager
By: something_evil on 30 May 2010.
---------
Controls:
Scroll lock - up;
Num lock - down;
Caps lock - type the selected login info;
---------
Configuration and general info:
Edit the logins in setup() and don't forget to change the LOGIN_COUNT constant to how many passwords you have.
knockSeq - sequence of keys that unlocks the device. Once plugged in the device will flash twice. This means you can start entering the secret sequence. Default is caps lock, scroll lock, num lock, num lock. If you mess up, just start from the beginning.
LOCK_OUT_AFTER - This sets the number of times you can mess up the secret sequence. By default you have 3 tries. After that - unplug, relax, plug it in and try again.
The input is a bit flaky so don't rush it. It's not a race ;)
Hack away!
*/

/* ---- Stuff for the logins DB ---- */
struct loginEntry {
  const char* description;
  const char* userName;
  const char* password;
};
const int LOGIN_COUNT = 4;
loginEntry logins[LOGIN_COUNT];
int currentPos = 0; // currently selected entry

/* ---- Authentication stuff ---- */
byte knockSeq[] = {KEY_CAPS_LOCK, KEY_SCROLL_LOCK, KEY_NUM_LOCK, KEY_NUM_LOCK};
int knockPos = 0;
byte knockFails = 0;
boolean authenticated = false;
boolean lockedOut = false;
const int LOCK_OUT_AFTER = 3;

/* ---- LED stuff ---- */
const int ledPin = 11;
int ledState = LOW;
unsigned long previousMillis = 0; // will store last time LED was updated
long interval = 250;              // interval at which to blink (milliseconds)
boolean firstRun = true;

void setup() {
  pinMode(ledPin, OUTPUT);
  /* ------------------- Enter your logins here ------------------- */
  logins[0].description = "First site";
  logins[0].userName = "Administrator";
  logins[0].password = "rootpassword!@#$%^&*()_+|";
  logins[1].description = "Second site";
  logins[1].userName = "Username";
  logins[1].password = "meh";
  logins[2].description = "My gmail password";
  logins[2].userName = "Loosername";
  logins[2].password = "looserpassword";
  logins[3].description = "other email password";
  logins[3].userName = "name";
  logins[3].password = "pass";
}

/* Stolen (and changed a bit) from http://www.irongeek.com/i.php?page=securit...eystroke-dongle */
void PressAndRelease(int KeyCode, int ModifierCode = 0, int KeyCount = 1) {
  for (int KeyCounter = 0; KeyCounter < KeyCount; KeyCounter++) {
    Keyboard.set_modifier(ModifierCode);
    Keyboard.set_key1(KeyCode);
    Keyboard.send_now();
    Keyboard.set_modifier(0);
    Keyboard.set_key1(0);
    Keyboard.send_now();
  }
}

/* Clears the keyboard's status lights */
void ClearLights() {
  if (Keyboard.led_numlock_on()) PressAndRelease(KEY_NUM_LOCK);
  if (Keyboard.led_capslock_on()) PressAndRelease(KEY_CAPS_LOCK);
  if (Keyboard.led_scrolllock_on()) PressAndRelease(KEY_SCROLL_LOCK);
}

/* Clears the currently focused field/line */
void ClearCurrentField() {
  /* Key sequence: END (just to be sure), SHIFT + HOME, DEL */
  PressAndRelease(KEY_END);
  PressAndRelease(KEY_HOME, MODIFIERKEY_SHIFT);
  PressAndRelease(KEY_DELETE);
}

/* Erases previous login description and prints current one */
void PrintCurrentDescription() {
  ClearCurrentField();
  /* Let's print our current position in the list and the total number of logins */
  Keyboard.print(currentPos + 1);
  Keyboard.print("/");
  Keyboard.print(LOGIN_COUNT);
  Keyboard.print(" ");
  Keyboard.print(logins[currentPos].description);
}

/* Navigates the login info array */
void NavigateDown() {
  currentPos++;
  if (currentPos >= LOGIN_COUNT) currentPos = 0;
  PrintCurrentDescription();
}

/* Navigates the login info array */
void NavigateUp() {
  currentPos--;
  if (currentPos < 0) currentPos = LOGIN_COUNT - 1;
  PrintCurrentDescription();
}

/* Prints login info */
void DoLogin() {
  ClearCurrentField();
  Keyboard.print(logins[currentPos].userName);
  PressAndRelease(KEY_TAB);
  Keyboard.print(logins[currentPos].password);
}

/* Authenticates the user based on 'knock' sequence */
void DoAuthentication() {
  byte currentKey = 0; // key pressed (caps, num or scroll lock)
  if (Keyboard.led_numlock_on()) {
    delay(100); // user input messes up without this
    currentKey = KEY_NUM_LOCK;
    PressAndRelease(KEY_NUM_LOCK);
  }
  if (Keyboard.led_scrolllock_on()) {
    delay(100); // user input messes up without this
    currentKey = KEY_SCROLL_LOCK;
    PressAndRelease(KEY_SCROLL_LOCK);
  }
  if (Keyboard.led_capslock_on()) {
    delay(100); // user input messes up without this
    currentKey = KEY_CAPS_LOCK;
    PressAndRelease(KEY_CAPS_LOCK);
  }
  if (currentKey == 0) // User didn't press any keys this loop
    return;
  if (knockSeq[knockPos] == currentKey) { // is the sequence correct ?
    knockPos++; // correct, now ask for next key
  } else {
    knockPos = 0; // wrong sequence, start over
    knockFails++;
    if (knockFails >= LOCK_OUT_AFTER) {
      lockedOut = true; // game over. Unplug, plug in and try again
      // Keyboard.print("Better luck next time, foo");
    }
  }
  if (knockPos >= (int)sizeof(knockSeq)) { // user correctly entered the whole sequence
    authenticated = true;
    PrintCurrentDescription();
  }
}

/* Blinks the LED (code from BlinkWithoutDelay example) */
void BlinkLed() {
  if (millis() - previousMillis > interval) {
    previousMillis = millis(); // save the last time you blinked the LED
    // if the LED is off turn it on and vice-versa:
    if (ledState == LOW)
      ledState = HIGH;
    else
      ledState = LOW;
    digitalWrite(ledPin, ledState); // set the LED with the ledState of the variable
  }
}

/* ---------------------- Main loop ---------------------- */
void loop() {
  if (!Keyboard.isReady()) return; // can't run until usb stuff ready
  if (firstRun == true) { // also, on first run wait a bit so the drivers start working
    delay(1500);
    ClearLights(); // turn off num lock, caps lock and scroll lock
    firstRun = false;
    /* Let the user know we're ready by blinking twice */
    digitalWrite(ledPin, HIGH);
    delay(100);
    digitalWrite(ledPin, LOW);
    delay(100);
    digitalWrite(ledPin, HIGH);
    delay(100);
    digitalWrite(ledPin, LOW);
  }
  if (lockedOut) // just exit if the user failed to correctly enter the knock sequence
    return;
  if (!authenticated) { // not authenticated ?
    DoAuthentication(); // then guess the knocks
    delay(100);
    return; // can't go further until authenticated
  }
  BlinkLed(); // blinks the led so user knows it's working
  /* Process input */
  if (Keyboard.led_numlock_on()) {
    delay(100); // user input messes up without this
    NavigateDown();
    PressAndRelease(KEY_NUM_LOCK);
  }
  if (Keyboard.led_scrolllock_on()) {
    delay(100); // user input messes up without this
    NavigateUp();
    PressAndRelease(KEY_SCROLL_LOCK);
  }
  if (Keyboard.led_capslock_on()) {
    /* If we start typing immediately weird screwups happen - password in uppercase
       (user hasn't released capslock yet?). Just to be safe wait for 200 ms */
    delay(200);
    PressAndRelease(KEY_CAPS_LOCK);
    DoLogin();
  }
  delay(100);
}
Tested on Win7 (x64), but since it's HID it should work anywhere.
It would be cool if there was a way to easily edit the login info without needing to recompile. I was thinking about having two secret knocks - one to turn on the password manager and another to turn it into a flash drive. The passwords would be in a text file. Any ideas?
It is indeed possible to turn it into a flash drive, and the 24k FAT32 partition it can handle internally would be enough for a passwords.txt, BUT it's more than a mess if you want to switch easily between the two modes. Fortunately you want read-only support for the Teensy and read/write for Windows, but if both methods want to write to the file you will be in AVR hell.
maybe Paul can help ;) *wink*
-
Hi there, I started this thread to document my progress with the Ducky and the SD card reader addon...
Step 1:
research the Interwebs...
* http://en.wikipedia.org/wiki/SCSI_Inquiry_Command
* http://elasticsheep.com/2010/04/teensy2-us...with-an-sd-card
* http://fourwalledcubicle.com/LUFA.php
Step 2:
first approach ;)
got a working FIXED HDD drive.
Step 3 (needs to be done):
convert the HDD to a CD-ROM
-
Bootable OS: This was hinted at by another poster regarding CD-ROM emulation. A lot of modern computers now have bootable drives as an option in their BIOSes. The USB Multipass is also a great project to integrate into this.
[Quick offtopic note] The teensy++ with pins works great as a hairbrush...no seriously! [/offtopic]
I'm currently working on the CD-ROM emulation; it's "slow" but working.
What I have so far:
A DIP switch decides whether mass-storage mode or CD-ROM emulation is activated.
In mass-storage mode you can put an ISO file into the _ISO folder on the SD card, so the Teensy works like a normal USB stick.
In CD-ROM emulation mode (non-DVD until now) it looks for the _ISO folder on the SD card and mounts the first image as a bootable CD-ROM drive.
I'm currently trying to speed the Teensy up, but 16 MHz is way too little to get USB 2.0 High-Speed support.
So currently it's more like a 50x CD-ROM; due to the fact that there are no read delays (CD-ROM seeking, spin-up/down) it feels like a 150x CD-ROM.
I want to preserve the HID keyboard support so I can change the boot order in the BIOS with the Teensy itself.
(Mostly using HP notebooks in the company, so same BIOS for all.)
Btw, I like the hairbrush thingie.
best regards from germany,
JR
-
Man, are you gonna love this thing :)
http://www.i-odd.com/english/product/iodd2501.php
I'm gonna grab a couple and have a go at them.. who knows, maybe they can be made even more fun ?
Man, with your post you made 750 members of our company extremely happy.
Please feel free to feel yourself hugged 751 times.
-
These are bad, bad news :)
But btw: SD card support works and I tested it with the mass-storage/HID combination.
It's perfect to have the executable and the keystrokes on the same stick to let your magic happen ;)
http://elasticsheep.com/2010/04/teensy2-us...ith-an-sd-card/
For LUFA there is a mass-storage / dataflash example which turns the Teensy into a read-only 20 kbyte USB stick with HID support. Very good to deliver payloads if you have just the Teensy.
-
Hi there,
Would it be possible to add a USB CD-ROM feature for the Teensy to mount ISO files,
so you can boot from the Teensy?
-
I got my Ducky today (03.05.2010), shipped (22.04.2010), so the mail service between the US and Germany works again, great :)
PS: thanks for the photo of the Hak5 crew signed by Shannon ;)
-
One idea I had, when it would be possible to add micro-SD cards to the Teensy, was:
add multiple SD cards
add a DIP switch or potentiometer for SD card selection
compile some kind of bootloader for the ISOs on the SD cards
and boot right away from the ISOs.
A USB stick that has all the OS boot CDs on it I will ever need would be THAT thing for an IT road warrior like me.
regards,
JR.
-
I love this thing; I always thought about a way to automate stuff without having to add something to the machine I'm on. Did it some time ago with the warrior chips, if you can remember them.
I would develop a password generator linked to the exact time of day to generate passwords that change every minute by scheduled tasks or something :) just have to keep the time on the thingy in sync. But at least a daily changing password algorithm would be easily possible.
If I'm not among the first 100 I will buy the Teensy straight away :)
-
If you are just filtering the traffic you want and not a bunch of ARP crap, it wouldn't be too much, gzipping it and then pasting it to the net via DNS tunnel... hmmm, I love the world where with a bit of IT knowledge everything can be achieved :)
-
Hardware MITM with no possibility to catch the attacker is great; I already did this with a Fritzbox (common low-cost router here in Germany), sending the traffic filtered and compressed via TCP to my root server :-)
But the Fon is live capturing and this is even nicer. :-)
Great piece of work.
best regards,
J.
-
Episode 4x24
in Hak5
Wrote a wrapper for AutoIt with enhanced security and account control.
-
Episode 4x16
in Hak5
Hi Darren, nice show. I already played with ping.fm and added all my (ca. 30) social networks and mailing lists to it.
I attach the source of my command-line version to send messages to ping.fm; I wrote it yesterday evening so it can still be a bit crappy.
A compiled version will follow later :)
#AutoIt3Wrapper_Change2CUI=y
#include "WinHTTP.au3"

If $cmdline[0] <> 1 Then Exit

If PingFM_Send($cmdline[1]) Then
    ConsoleWrite("Message sent successfully!" & @CRLF)
Else
    ConsoleWrite("Message could not be sent..." & @CRLF)
EndIf

; POSTs one message to the ping.fm user.post API and returns True on an OK response.
Func PingFM_Send($message)
    Local $api_key, $user_app_key, $hw_open, $hw_connect, $hw_openRequest, $head, $data, $response
    $api_key = "6bd9fd924c22bf53f83520414d360ad8"
    $user_app_key = "00000000000000000000000000000000-0000000000" ; replace with your own user app key from ping.fm
    $hw_open = _WinHttpOpen("Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.0.3; .NET CLR 2.0.50727; ffco7) Gecko/2008092417 Firefox/3.0.3")
    $hw_connect = _WinHttpConnect($hw_open, "69.44.44.70", 80)
    $hw_openRequest = _WinHttpOpenRequest($hw_connect, "POST", "/v1/user.post")
    $head = "Host: api.ping.fm" & @CRLF
    $head &= "Content-Type: application/x-www-form-urlencoded" & @CRLF
    _WinHttpAddRequestHeaders($hw_openRequest, $head, $WINHTTP_ADDREQ_FLAG_ADD)
    ; note: $message is appended as-is, without URL encoding
    $data = "api_key=" & $api_key
    $data &= "&user_app_key=" & $user_app_key
    $data &= "&post_method=default"
    $data &= "&body=" & $message
    _WinHttpSendRequest($hw_openRequest, $WINHTTP_NO_ADDITIONAL_HEADERS, 0, $WINHTTP_NO_REQUEST_DATA, 0, StringLen($data), 0)
    _WinHttpWriteData($hw_openRequest, $data)
    _WinHttpReceiveResponse($hw_openRequest)
    $response = _WinHttpReadData($hw_openRequest)
    _WinHttpCloseHandle($hw_openRequest)
    _WinHttpCloseHandle($hw_connect)
    _WinHttpCloseHandle($hw_open)
    If StringInStr($response, '<rsp status="OK">') Then Return True
    Return False
EndFunc   ;==>PingFM_Send
The necessary include WinHTTP.au3 can be downloaded here: http://www.autoitscript.com/forum/index.php?showtopic=84133
The necessary user key can be requested at the ping.fm API page.
best regards,
J.
-
100k views and no reply? Is my question so bad, or was the word "whitehat hacking" so fearsome? :-)
-
Indeed, but for testing purposes it is nice to have this up, because you can change a batch script, save it and instantly try out if it does the things it was supposed to do :-)
When done, you have the possibility to move it to the U3 partition.
-
Instead of figuring out the crazy ISO stuff every time you insert a custom app in the U3 partition of your stick, I have created a multiloader which will search for a start.exe on the USB stick and execute it, so you only have to do the ISO stuff the first time, then use a start exe created by you to make the magic happen.
The attached RAR includes an autorun.inf, the source code of the exe, the exe itself and a pre-created ISO which can be imported via the installed Launchpad.
Best regards,
J.
-
Btw: the snapshot release of OpenWrt now works with the Fon+ right out of the box, even with the Freifunk GUI ;-)
-
Hi there, after "discovering" a few network issues of other computers with Jasager, I will now turn to whitehat hacking and turn the Fon into a mobile internet station.
First I installed iPhoneModem with zrelay to enable a SOCKS5 server on the iPhone, then connected to the Fon via static IP (unfortunately, because the iPhone switches completely to WLAN if it gets a DNS + gateway, which I have removed in the static IP configuration).
Then I created a script on the Fon watching for the MAC of the Fon, if port 1080 is open and a SOCKS connection is possible (tsocks). Then it triggers a script that will do the following: change the br-lan traffic from outgoing via eth0.1 (WAN) to the SOCKS client located on the Fon, which is connected to the iPhone and leaves directly to the internet.
In theory everything is already working, but I have a problem finding the correct software (tsocks, vtun, iptables rules)
to forward the traffic transparently for the clients connected via WLAN or LAN to the SOCKS server of the iPhone.
tsocks itself already works, so I can do a "tsocks opkg update" via the iPhone to update the package archive on the Fon :-)
Has anybody already experimented with this or knows a software/configuration to create, for example, a virtual interface "socks0" to forward the traffic to?
best regards,
JRSmile
PS: thanks digininja for the tip with Gargoyle; it worked perfectly after I removed all the custom stuff ;P
-
My instructions here get you the latest Fonera firmware, which is a modified OpenWrt. Best you go for the instructions posted by "Rob". See page two of this forum for it.
Never mind, I already test-flashed one of my Fons, so I found it out myself :-)
Short question, I can install the following images:
DD-WRT
LEGENT (no eth0)
original Fon image
this new Fon image.
But whenever I want to install OpenWrt, it does not get further than ca. 2 seconds after the boot_timeout phase.
So the image is loaded, then hangs.
any ideas?
[Payload] Rooter
in Payloads
Have reduced it to only payload.txt, but I can't get the escaping to work; the payload just hits Win+R and stops.
QUACK STRING powershell Import-Certificate -CertStoreLocation cert:\CurrentUser\Root -FilePath ((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\root.cer')
Never mind, forgot the quotation marks after QUACK STRING .... new git version uploaded.