[Starting in pen testing]

Some great VMs to work through with exercises

https://pentesterlab.com/

[poor cell phone coverage inside a building. fcc reg]

7 hours ago, badbass said:

Yeah Thanks Man I will phone a friend to give me a box to take good signal close to the window and boost it.

Cell phone boosters are illegal as will as they are broadcasting on frequencies you don't have a license for.

[stringray? can i build one?]

Assuming you have a license for the frequency or a good Faraday cage. Have a read about making your own Cell tower which could be handy for this.

https://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/

One tip set the Ki to * so encryption isn't used and will allow SIMs you don't know the keys for connect.

[Force http when site require https]

How does the site require HTTPS?

IF the site enforces HTTPS through HSTS and the user has visited the site before or they have HSTS Preload the browser just won't connect to HTTP for the site.

[SQL injection: steps after identifying a vulnerabilty]

Maybe get remote code execution.

https://pentesterlab.com/can walk you through some of it.

[WiFi with SDR at 470 MHz]

At 470MHz mightn't get through put required because frequency isn't high enough.

Maybe look at the Ham data services as they have data link in the Ham bands. More likely to have worked samples/code to start from, I would guess

[Replicating a radio signal (433 MHz)]

I can't remember if it's the ys1 or the hackRF (maybe both?) that there's basically a couple commands (record pattern/play pattern) where you don't even have to do all the decoding you just record it, then play it back.

Yard Stick one does RF Cat which makes it simple python commands. (As is a hardware define radio)

A hackRF is an SDR and isn't that simple but more powerful not as restricted with frequencies or modulation types.

[HackRF Transmit (not replay)]

Try using rfcat to transmit

sudo rfcat -r

d.setFreq(433000000)
d.setMdmModulation(MOD_ASK_OOK)
d.RFxmit("HALLO")

And then you can write a Python script that does that for you with rfcat.

THanks,

But I am needing to use HackRF due to frequency requirements. RFCat only works with Yardstick One (and similar chipsets). Plus RFCat doesn't do PPM.

[YARD STICK ONE NOT RECOGNISED IN GQRX - UNKNOWN HOST]

It seems the Yardstick 1 is generally useless for its price since it is only compatible with rfcat. It is a better idea to buy a Raspberry pi or an Arduino and buy a transceiver instead for a cheaper price and better usefulness.

Depends what problem you are trying to solve.

If you are in supported bands and supported encoding Yard Stick One is nice and simple.

[HackRF Transmit (not replay)]

Hi,

Has anyone come across any good tutorials on transmitting on the HackRF. I can find stuff on record replay but that isn't want I want.

I know the bits I want to send and need to send them PPM on a frequency just trying to find an example so I can repeat it.

[[BurpProxy] certificate error]

Import Burp's CA cert into your OS's or Firefox's trust store so it trusts all the certs that Burp signs.

If it is just a HTTP header you need to add you can look at browser addons to add HTTP headers.

[NTHASH - Any Takers]

Greetings all,

Recently recovered several hashes during a recent engagement - cracked all but one.

Anyone care to take a stab? It's an NTHASH, I've tried hashcat, rainbowtables via oph still no dice

HASH:

59658e5f44d88ec0ff7b40cfcb21ecc2

Does the egagement have enough fat to pay someone to do it?

http://www.onlinehashcrack.com/- only pay if they crack it

https://www.cloudcracker.com/

[Help SDR project]

The HackRF is open source and on Git Hub I tink.

[BadBarCode and RedBox]

Hi Guys,

So an interesting thing happened to me at a Red Box the other day. I already hate using them as it is. Long story short, when I slid my card the computer locked up and I saw the infamous "Application is not responding" window.. So obviously this is a Windows Server...

I work in POS Retail and most card readers I've seen are basically just HID devices. This got me thinking... I was reading about a hack out there called the "BadBarCode hack" where basically the UPC code contains information so that when the employee scans the code with their scanner (Also just an HID device) it basically opens a shell on the machine and virtually types control commands like a rubber ducky would... Needless to say you can do a lot of things with a rubber ducky! :) So to get to the point... What would stop someone from creating a card with "Bad information" so that when they scan the card the card reader just runs the commands? It's kind of terrifying if something like this is possible! And how would you fix something like this?

Love the show! Keep 'em coming! :)

JohnnyR030T

BadBarCode hack article:

https://threatpost.com/one-badbarcode-spoils-whole-bunch/115362/

Yes can be done. THough I don't think the barcode standard contains the window key to do a win+r and don't think alt is there either. I have done stuff about a year to login into something with a user/pass and could pass enter keys in at least. If you new the POS system you could press the delete previous items button or something and finish purchase at a lower amount.

I'm sure someone will think of an app escape you do basically have keyboard input as you say.

[Evading detection during wifi hacking]

Seriously in the real world. No one notices. Most organisations can't notice stuff on their wired LAN.

Sometime saying you were nosiey and they didn't detect you is a very important finding.

[setting up a hack lab]

My first thought is what exactly do you want to run on the xenserver to make a hack lab?

For beginning the single VM/iso from https://pentesterlab.com/ are really good. They just run fine on your desktop just need one at a time, so no need for a full server. I personally would start there. Save the money for now.

Sure if want to get into more set up a xenserver so you can start making a full network to pivot through etc. Though maybe by that stage best to see if you can get a job with a Pen Test firm as then your client set up and manage the network for you :p You just need to identify the issues.

[Getting credentials from an app]

I would sincerely hope that apps like Facebook and Twitter implement SSL pinning to protect against somehting like this.

Yes last time I looked those apps Cert Pin. Also you will find a lot of apps with use OAuth so don't store or transmit user/pass pairs. Though you can still use the OAuth token. Though the token is often limited in the functions it can do.

[Vault - My free and opensource password manager]

Here's a tricky one though: How do you ensure the log doesn't get tampered with?

Good question - I'm not sure. I am not going to allow for the log to be cleared. If someone gets the password right on the 100th time they won't be able to clear the login and the owner would see it next time they logged in. Now that doesn't stop someone from modifying the log with a 3rd party application or ADB or something. Without sending the log to a server somewhere and then pulling it down when needed I'm not sure how I could keep it from being tampered with. Maybe the alternative option is to have a kill switch built in where if your password is entered incorrectly x times in x timespan then all of the passwords are dropped.

With a lot of these things need to consider your threats, risk and advisories and pick the most important to target.

If someone has third party access they can make a copy of everything (especially if phone is rooted) and they can brute force offline. If wipe after X wrong passwords either go back to safe copy each time or just update the counter back to zero.

Main thing if lose the phone or if some else accesses it the brute time should be longer than the time it takes you to change all your passwords. The phone's password and full disk crypto are important here.

[bad hard drive attempt to recover data.]

I can agree with you... every command I throw it this drive is a fail.

I don't see the partition table anymore, I tried testdrive recovery tool and its a fail to read /dev/sdb

I know the partition sdb5 is my home folder. Any advice?

Restore from backup?

I know this is a little late but my first step would have been to plug the disk in as an external drive to a working computer and copied off the files I required. When disks start throwing errors like that it is a matter time before they die completely so should plan out what you want to do before powering them back up. If the partition tables were still good I would target the files I wanted as the drive might just die during an image as the I/O of an image is quite high and could kill it even faster without getting the required files.

[SSLStrip not working]

If site has HSTS the only way to SSL Strip a user is on the user's very first visit in that browser. As they may got to the HTTP site first.

If they have visited a site with HSTS the browser will never go to the HTTP version.

If the site is in the preload list (https://code.google.com/p/chromium/codesearch#chromium/src/net/http/transport_security_state_static.json) the browser will never go the HTTP regardless. To add a site to the preload need hsts headers then to be added to https://hstspreload.appspot.com/

Given how HSTS use is growing and the preload list is also growing SSL Strip is going to become less effective. As HSTS and preload is designed to stop this. Almost got to look rolling out custom browser or some other totally new class of attack. With sites like https://www.ssllabs.com/ssltest/it is much easier for owners to valid the setup of their site.

Then to help stop rouge certs there is Host Key Pinning that pins on the public or the CA. Google has that set up in the Preload list and other sites are doing it through the headers. https://en.wikipedia.org/wiki/HTTP_Public_Key_PinningWith this if you are trying a MitM the user won't even get a self signed warning to click through the browser just want even let them in.

One attack that may work is actually going after the cipher weaknesses and decrypting the traffic. Use BEAST, POODLE, etc to attack the sites.

[What events are you going to in 2016?]

Kiwicon has had their first Kiwicon 10 planning meeting so guess that is on the cards.

https://twitter.com/kiwicon/status/679152258559307776

Just waiting to hear back on some CFT and CFP responses and there might be some more :)

[Introducing the WiFi Pineapple NANO]

With HSTS not really sure how you are going to get around it. If it is in the Preload list or have visited the site before the broswer will refuse to connect to anything but HTTPS. Then you have to hope the user will just click yes on the cert warning dialog.

[Where to learn about Software Defined Radio?]

A great set of video tutorials

https://greatscottgadgets.com/sdr/

[HackRF One 35$ 65 / Piece]

Need to pay attention to the parts list. Know some of these alternate builds uses a lower spec processor then over clock it. So it might use more power or be less stable for example. Also from what I understand all the hardware test code and hardware test jigs aren't open source so the the assembly line testing of these isn't as goos as the ones from Great Scott Gadgets.

[Newby wants more than FM on NooElec NESDR Mini 2]

Aviation uses AM rather than FM so you will need to change the demodulation settings