
beakmyn

Posts posted by beakmyn

  1. Yeah, there are quite a few applications available that create virtual serial ports with functionality to reroute, clone, etc... but as breakmyn mentioned, unfortunately, they all require exclusive access to the port (i.e. before another program has it locked).

    breakmyn, you mentioned a vampire tap... I'm not familiar with this. Could you expound for me? I'm intrigued =)

    The "vampire tap" was a device that you plugged inline with the serial port; it allowed another device to monitor the data on the port while still allowing normal data flow to the intended device. This one had the most bells & whistles of the ones I used last (3 years ago). http://cgi.ebay.com/RS-232-RS-449-HP-4951-...1QQcmdZViewItem

    Damn, I wish I had one now! They come in real handy for troubleshooting archaic systems that no one remembers how they work.

    To use it you have a DB9 or DB25 connector that looks like a straight-through with another connector sticking out the top, the "vampire tap". What you hook up to it is your choice.

  2. Which is why programs like HHD's serial monitor create a pseudo driver that you load before the other program; it shares the COM port with that program but still allows you to monitor it.

    You could also share the port by using CuriousTech's Xport. This will create a virtual serial port for the real one.

    Either way these must be run BEFORE the program that is to use the port since as you've found, they lock the port for exclusive access.

    Of course the other way is to put your own serial device in between by use of a vampire tap. Physical access trumps software.

    Or method 3 is to use HHD to port mirror and take what's gozinta/outa com1 and pass it on through to Com2.

  3. You would need to create a custom cable to put the power supplies in series, think batteries stacked on top of each other. That would increase your voltage but your current output would remain the same.

    Stick with laptop HDDs; they have less inrush current so your USB port won't cut off on a current limit. USB wasn't really meant to power an external hard drive, which is why most external drive enclosures come with two cords. They parallel the USB power to provide the needed current to spin up the drive.

  4. I need a way to disable CTRL+ALT+DELETE functionality without restarting the computer. I can block the keyboard input, but I'm having a hard time blocking the CTRL+ALT+DELETE functionality... I think it's protected. Anyone here know of a way to do this?

    I need to disable it while the computer is up and running and have it re-enabled upon reboot.

    You can modify the computer security policy however this WILL survive a reboot. There is a way to do it for particular users and not others.

    Start > Run > gpedit.msc

    User configuration > Administrative Templates > System > Ctrl+Alt+Del Options

    These are reverse-logic options,

    i.e. you want to enable the removal of Task Manager.

    Microsoft article 293655 explains how to do this for local users.

    You can't prevent ctrl+alt+del from happening but you can control what options the user has when they press it.

  5. It should work just fine on a standard USB drive with a small modification to the search routine that figures out which drive letter is the CD and which drive letter is the flash drive. Heck, it may work without modification; I haven't tried it yet. I use the U3 for the exact reason HR stated. The programs are on a read-only partition so they can't be deleted.

    I'm not sure of the current state of the switchblade. Last I knew I gave the developer group* permission to use my ini methods. Their intent was to develop a new version which I haven't heard about in quite a while.

    The code is all vbs not VB so anyone is free to modify as they please.

    * I forgot who contacted me about this.

    Looks like Gonzor's autorun.inf is being detected by McAfee AV as Tool-Hacksaw. But mine isn't.

    ...play the game with the bravery of being out of range

  6. Using an Eee is impractical, IMHO. I've spent the last week researching portable laptops that are still usable. There are basically 3 laptops in the category for me.

    12" WXGA screen (1280x800) resolution

    1.7GHZ processor

    2GB RAM

    120GB hard drive

    WIFI, BLUETOOTH

    Most laptops of this size are going to have shared video memory, so you want the 2GB of RAM since the video will be taking a good chunk of it.

    The resolution of the Eee is not usable for web surfing. I see 1024x768 as a minimum nowadays.

    1. Sager 7260

    2. HP tx2000z

    3. Asus U2e

    For the money I found the Sager to be the best deal and the only one you could buy without an OS. With the bells and whistles it's around $750 - $780 (discountlaptops.com has the best price). The downside to the HP, besides the price, is that the Wacom doesn't work in Linux, yet. The Asus is pricey at over $1000.

  7. Ok, so it took some researching and poking around, but you can easily do pretty much whatever you want with the "public" Fonera signal. I'll tell you how to change the ESSID (removing the FON_ prepend) and how to encrypt it. Why would you want to? Well, let's say you don't want to share your internet connection with just anyone, lest you be liable for whatever illegal actions they perform while connected through your network. Here, you have a little more control over who gets to connect.

    Requirements

    SSH access to your Fonera

    scp (secure copy) OR Winscp OR vi editor in Fonera

    Hardware Used

    Fonera+ (FON 2201)

    Files touched

    I will only show you modified sections of the scripts for brevity.

    /etc/config/fon

    /lib/fon/config.sh

    /etc/init.d/chillispot #For WPA only

    Background

    In non-modified mode when the Fonera boots it calls

    /etc/config/Wireless, which is just a redirect to set up the wireless (contents: . /lib/fon/config.sh wireless). So config.sh is called with parameters to accomplish this. It queries the "Public" section settings of the /etc/config/fon file. Currently there is no code in this file that allows the "Public" signal to be encrypted. This is easily fixed: just copy the code from the private section and replace the appropriate references. This is easy enough for WEP, but there's a catch if you want to use WPA.

    Here's the rub; WPA uses the passphrase you provide and the ESSID as a seed to create the actual encryption key. Not a big deal except that the ESSID you supply in the /etc/config/fon is not the actual ESSID of the public connection even though that's what will show up in your wireless client/manager!

    So, you have to do a little more work and modify the chillispot config file and remove the FON_ prepend which is shown below. Unless this is done you'll never be able to connect to the public side using WPA encryption.

    Keep in mind that the Public signal isn't available until the Fonera has determined that it can access the internet.

    Modified: /lib/fon/config.sh

        # Public interface block with the encryption handling copied from the
        # private section; config_get reads the "public" settings from /etc/config/fon
        config wifi-iface public
            option device   wifi0
            option ifname   ath0
            option mode     ap
            config_get ssid public essid
            option ssid "$ssid"
            option hidden   0
            config_get encryption public encryption
            case "$encryption" in
                wpa*|WPA*|Mixed|mixed)
                    # map the human-friendly setting to the driver's psk/psk2/psk-mixed modes
                    case "$encryption" in
                        WPA|WPA1|wpa|wpa1) enc=psk;;
                        WPA2|wpa2)         enc=psk2;;
                        Mixed|mixed)       enc=psk-mixed;;
                    esac
                    config_get crypto public wpa_crypto
                    option encryption "$enc${crypto:+/$crypto}"
                    config_get key public password
                    option key "$key"
                    ;;
                WEP|wep)
                    option encryption wep
                    # config_get sets the variable named by its first argument
                    config_get wepkey public wepkey
                    option key "$wepkey"
                    ;;
            esac

    This is the workhorse script. You'll see the unmodified section of the script, on your Fonera, for "config wifi-iface public" is pretty spartan. Just copy what's in the private section pertaining to encryption and replace the appropriate "config_get private" with "config_get public". These are the calls to /etc/config/fon. This file needs to be changed if you want to enable encryption on the public wifi.

    WEP Encryption

    This is the easiest and requires the least amount of work on your part.

    Modified: /etc/config/fon

    config wifi public
        option    essid       'MyPublicPlace'
        option    isolate        1
        option wepkey    '1'
        option key1    'DEADBEEF11'
        option key2    ''
        option key3    ''
        option key4    ''

    DEADBEEF11 is a 10-digit hexadecimal passphrase. This creates a WEP 64 encryption key.

    Also tested:

    option key1 $(get_serial)

    This conveniently creates a WEP64 key that is the serial number.

    For a WEP 128 key try

    option key1 'FoneraIsCool!'

    Setting option wepkey '1' sets the key index to use. But since there is currently no webif interface to change this, leave it at 1.

    WPA Encryption

    Using WPA comes with the warm fuzzy of a less-likely to be broken key. Yes, I know all the ways to break it, you don't need to tell me.

    Modified: /etc/config/fon

    config wifi public
        option    essid       'MyPublicPlace'
        option    isolate        1
        option    encryption    'wpa'
        option    wpa_crypto    tkip
        option    password    'CPE1704TKS'

    Modified: /etc/init.d/chillispot

        # enable the wifi interface ssid
        config_get ssid public essid
        # Original
        #iwconfig "$wifi_ifname" essid "FON_$ssid"
        # WPA working
        iwconfig "$wifi_ifname" essid "$ssid"

    See the difference? Because the Public wifi was never meant to be encrypted it wasn't an issue to prepend the FON_ to the ESSID. However doing this will break WPA because the ESSID in use doesn't match what was used for the seed to the hash. So, you've got a buried shovel.

    We must remove the FON_ prepend. This doesn't appear to break anything. It does make it harder for the user to know it's a FON spot, so you'll want to set your ESSID to include the FON_ as an alternative.

    Removing the FON_ doesn't affect the captive portal.

    Caveats

    If you use the web interface to make changes that touch the /etc/config/fon file like changing the private wifi settings, you will lose your modifications to the public wifi. This is due to the webif scripts in use that overwrite this file.

    It should be a trivial procedure to modify the wireless settings web page to allow you to set both the private and public settings. These modifications most likely won't survive a firmware update though.

    Final Notes

    Reboot your Fonera and you should see that both the "Public" and "Private" are now encrypted!

    You can have both the WEP and WPA options in the /etc/config/fon file just remember to set the "option encryption" appropriately.

    Next up, modifying the webif scripts to make it even easier.
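    The reason the FON_ prepend breaks WPA, as the post explains, is that the pairwise master key is derived from both the passphrase and the ESSID. The following is an added example (not code from the original post or from FON) that derives the WPA/WPA2 PSK the standard way, PBKDF2-HMAC-SHA1 with 4096 iterations and a 256-bit output, and shows that the key derived for "MyPublicPlace" (what config.sh writes into the wireless config) differs from the one a client derives for the "FON_MyPublicPlace" it sees in beacons. The ESSID and passphrase values are the ones from the config snippet above; the assumption that the access point derives its key from the configured ESSID while the client uses the broadcast ESSID is labelled in the comments.

```python
import hashlib


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2 pre-shared key as hex.

    IEEE 802.11i specifies PSK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 32).
    The SSID is the salt, so any change to it changes the key.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, dklen=32)
    return psk.hex()


def broadcast_ssid(configured_essid: str, fon_prepend: bool) -> str:
    """ESSID the Fonera actually advertises.

    With the stock chillispot script the public ESSID is "FON_" + essid;
    with the modified script it is the essid as written in /etc/config/fon.
    """
    return ("FON_" + configured_essid) if fon_prepend else configured_essid


def handshake_keys_match(passphrase: str, configured_essid: str, fon_prepend: bool) -> bool:
    """Compare the AP-side and client-side PSKs for the public interface.

    Assumption (mirrors what config.sh does): the AP derives its PSK from the
    ESSID written to the wireless config, while a client derives its PSK from
    the ESSID it sees in the beacon. If they differ, the 4-way handshake fails.
    """
    ap_key = wpa_psk(passphrase, configured_essid)
    client_key = wpa_psk(passphrase, broadcast_ssid(configured_essid, fon_prepend))
    return ap_key == client_key


if __name__ == "__main__":
    # values from the /etc/config/fon snippet in the post
    essid, password = "MyPublicPlace", "CPE1704TKS"
    print("AP-side PSK      :", wpa_psk(password, essid))
    print("client PSK (FON_):", wpa_psk(password, "FON_" + essid))
    print("stock chillispot :", "OK" if handshake_keys_match(password, essid, True) else "MISMATCH")
    print("modified script  :", "OK" if handshake_keys_match(password, essid, False) else "MISMATCH")
```

    The first check in the test below uses the published 802.11i test vector (passphrase "password", SSID "IEEE") to confirm the derivation itself is right before it is used to reason about the Fonera configuration.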

  8. So I got a chance to get back to my Fonera+ (fon 2201) today and I successfully flashed the firmware and got root ssh

    http://www.fonboard.nl/wiki/HowTo_Foneraplus_unlocking/en

    The data in the memory location didn't match even though my firmware version was correct. Not a problem since that just means following this:

    http://www.fonboard.nl/wiki/FAQ_Foneraplus_unlocking

    which, instead of overwriting a portion of the memory, overwrites all of it. After about 15 minutes and a reboot I can ssh into the box.

    So, now getting dd-wrt on it is pretty much a moot point. Now it's time to upgrade busybox to something useful.

  9. If you're serious about power get a Lind. I've been happy with mine. Works great, even at -15 degF.

    An inverter will work, but it's inefficient to take 13.8VDC to 115V pseudo-sine to your laptop supply, which then converts it back to ~15VDC.

  10. I've logged over 100,000 access points and have never connected to one.

    I had created a program a few years ago that would take Netstumbler captures (combined with GPS data) and plot them on a Google Map. It also exports to Google Earth so you can see roughly where these were captured. On a ride to work from my house I used to get on average a few hundred Wifi spots, so 100,000 is pretty easy in a one-day road trip.

    If anyone wants to try it, here is the info. The Google Maps API part is broken, just because I am too lazy to keep up with their changes, and haven't needed to hack the API key requirements in a while, but the Google Earth KML export still works. What you will need to see this in Google Earth is Netstumbler, a GPS (to use during Netstumbler's wifi discovery) and my program. Instructions are below, as well as a small sample file of what the output looks like from Netstumbler.

    Program: http://www.twistedpairrecords.com/Files/Shop/NSGPSKML.exe
    EX file: http://www.twistedpairrecords.com/Files/Shop/gps.nsgps
    
    Open Netstumbler (MUST HAVE GPS DATA in d.ddddd format) and log some APs. Export the data as SUMMARY with the file extension nsgps.

    DO NOT USE TEXT OR WISCAN!

    For example, "MyFInds.nsgps". Click OPEN from this program and navigate to the file. It will then parse the data and create a Google Map html or Google Earth KML file for you to view or upload to the internet. After selecting the file, click the palette option to choose an icon to display your access points on Google Earth. Save the KML file and double click it and it will launch in Google Earth.

    The html map part does not work any longer, because at the time I wrote the program the Google Maps API was written differently and I was getting around their requirements to use an API key.

    Again, the Google Map html part is broken, but can easily be fixed by changing the javascript at the top to reflect the new Google Maps API code along with getting your own API key for your site. The KML Google Earth part still works. This was made almost 3 years ago, so I have no intention of making a new one and I know there are some bugs in it; use of the program is AS-IS.

    This works really well for Google earth http://www.rjpi.com/knsgem.htm ;)

  11. So what is the method for getting dd-wrt onto the Fonera+ (FON 2201).

    I've tried the Fonera hacks but they don't work since the stock firmware is 1.1.0 r2.

    I say dd-wrt because according to openwrt they say the ethernet switch isn't working yet in their firmware.

  12. Maybe he posted in the wrong thread??

    No, I didn't. It's in the beginning of the episode @ 0:51 where they talk about routerpasswords.com and connecting to open access points. Sorry, it's a very sore point for me. Being a wardriver != a criminal that connects. Not to start a flame war, but unless you have permission from the owner to connect you're breaking the law. I've logged over 100,000 access points and have never connected to one.

    Other than that, it looks like I'll have to take another look at Helix as it's been a while since I last used it.

  13. I did not discover the initial exploit (print to image writer) and don't take credit for it. I'm just providing documentation for it and how I took it to the next step. I don't condone doing this and if you pay the $9.95 you won't have to do any of this.

    Target: iBahn Site Kiosks, Wardman Park Marriott, Washington, DC

    Goal #1: Free access to the internet

    Goal #2: Free access to the operating system

    Goal #3: Root the box

    The iBahn kiosk software is much like other kiosk systems. It runs on a standard PC and replaces the Explorer Windows shell (start button, taskbar, etc) with its own. This, along with XP policies, essentially prevents the user from exiting the kiosk system and gaining unauthorized access to the PC.

    In most cases the interface will look like a web browser. Its look and feel is purposely similar to Internet Explorer. This keeps the concierge, desk attendant, et al from having to provide tech support. The kiosk software itself is very configurable by the administrator and uses a text file configuration. This allows the whitelist/blacklist of websites for free access, setup of the credit card payment system (not done in-house but sent over the internet to a central server)* and all other conceivable administration tasks.

    EXPLOIT #1A:

    *Because of this, you can just pull the Ethernet cable and plug it into your device and have unrestricted access. However, you'll look pretty conspicuous running your laptop next to the kiosk.

    In kiosk mode it’s locked down.

    - You don’t have access to printing* (or at least you’re not supposed to).

    - You can’t run any programs.

    - Autorun is turned off - switchblade will not run :(

    - No booting to CD or USB

    - BIOS is password protected

    - No safe mode

    - XP Guest account access

    So what do you get if you pay the $9.95 access fee? Well you’ll get internet and access to Microsoft Office (Word, Excel, and PowerPoint) and possibly other programs like Solitaire. Yep, pay $9.95 and you can play Solitaire!

    Walking up to the terminal you'll most likely spot a few things. Most everything on the menu bar is disabled, and when you try to access a website other than those on the free whitelist you’ll be automatically redirected back to the home page. Now remember the browser is based on Internet Explorer, which means some web tricks will work, i.e. those tricks associated with obscuring the URL in the address bar.

    Tricks to obscure the URL

    http://www.pc-help.org/obscure.htm

    You CAN’T type in http://www.hak5.org

    You CAN type in http://www.ibahn.com@www.hak5.org

    Yes, this will take you to hak5.org, but any links you click on will be un-obscured and will redirect you to the kiosk home page. If you’ve got a lot of time on your hands you could continuously re-obscure the URL. If you’re really smart you could try and perform a cross-scripting exploit so that you stay in the kiosk home page. Or if you’re even more cunning you could set up a website that will provide you with URL obfuscation automatically.

    Now, if you read back a little bit you’ll notice I said “most everything on the menu bar is disabled…” This is key to our exploit. There are actually a few things that have to fall into place in order for this exploit to be successful. It seems that the programmers got a little careless and when you maximize the kiosk window the print button is no longer disabled.

    So, you can print. What good is that, you ask? Well, if the default Microsoft Office install was performed then the “Microsoft Office Document Image Writer” printer driver is installed. So, print the current web page and choose it as the printer. Once it finishes it will run the document imaging program.

    So, we’ve escaped the kiosk software.

    Now this program, being part of Microsoft Office, has an option under the Tools menu to “Send Text to Word”. After a bit of processing you’re now running Microsoft Word without having to pay for it. You’ve now got several avenues of exploitation available to you, which I’ll explain below.

    Step 1: Maximize Window
    Step 2: Click on Print button
        Select “Microsoft Office Document Image Writer” as the printer.
    Step 3: Tools > Send Text to Word
    Step 4: Exploit!

    Since the system is still pretty well locked down you won’t be getting a command shell or Explorer shell anytime soon, unless you keep reading.

    EXPLOIT #1B: You can do what I did and go into VBA and make your own web browser using the Internet Activex Control and some text boxes and command buttons. But most people probably don’t know how to do that.

    EXPLOIT #1C:

    Insert > Hyperlink (Ctrl +K)
    Address: http://www.hak5.org

    But who uses Internet Explorer? Got that USB drive with portable Firefox on it? Make a hyperlink to your USB drive and run it or make a hyperlink to download it. Now you’ve got unrestricted Internet Access.

    EXPLOIT #2:

    If you know where the root drive is on windows (Hint: C:) you can insert a hyperlink to C:. It’s as easy as clicking on:

    Insert (Ctrl +K) > Hyperlink: address c:

    You’ve now got access to the root drive. Because of restrictions in place the drives don't automatically show up in file browse windows. You have to manually type them in. Good 'ole "security through obscurity"

    You’re limited by the locks in place, such as not being able to run Task Manager, cmd and other useful tools. But that never stopped us before, so head on over to sysinternals.com and grab Process Explorer. Yep, it’ll install and run. Now you start killing processes. There’s only 1 small problem: killing the site kiosk software doesn’t allow you to run the Explorer shell. That’s not a problem since, being the resourceful person you are, you’ve already surmised that if you can install programs then you can install shells, like Blackbox for Windows http://www.bb4win.org. Now you've got a program menu, system tray, clock, all the stuff you really want.

    EXPLOIT #3:

    Getting Root

    I did not try to gain root access but here’s my thoughts on this.

    If you were paying attention when you ran Process Explorer or happened to look at the systray in Blackbox you would’ve noticed that a VNC server is running. Being the curious little monkey you are, you would’ve clicked on it and noticed that there is a password set.

    Ponder this for a moment.

    There’s an administrator password for the site kiosk (accessed through Ctrl+H, if I recall correctly), a BIOS password and a VNC password. We can assume with some certainty that they are all the same, or at least hope. Which is the easiest to exploit?

    Hint: it’s the little stars you’re looking at.

    There are currently a couple different methods for exploiting a VNC server.

    - Use one of the several asterisk password “unhide” programs.

    - Obtain the password from the registry and crack it. Remember, the system won’t allow you to write to the registry, but you can read; you just have to figure out how ;)

    - Perform a pentest exploit from the comfort of your room since you know the IP address of this PC. If you don't then you have no hope of doing any of the previous.

    Good luck and once they fix this bug you'll have to pay your $9.95 (the first time ;) )

  14. off topic:

    From my experience it might work if you put the hard drive in the freezer.. (inside a plastic bag or something) for like a day..

    Then connect it.. it sometimes does the trick and you have some time to get your stuff off..

    (basically until it warms up again)

    But only use it as a last resort and from what I've heard.. you can only do this once so better grab the good stuff first.

    This method works very well for drives that have the "click of death". Put the drive in the freezer for at least 2 hours. You don't really need it to be in a plastic bag. Then remove it and hook it back up. Try and get it to boot. If it boots you've got 5-30 minutes of time before it dies again. You can then put it back in the freezer for another couple of hours and try again.

    You want it cold but you don't want extreme cold, so don't go putting it into liquid nitrogen or dry ice. You can run the drive from inside the freezer if you want, but you run the risk of water condensation and shorting out the board.

    I've successfully used this method several times on different drives and put it back in the freezer up to 6 times before the drive just completely failed.

    The key is getting your data off. Don't bother with something you can download later. Just get the really important stuff off first; you may not have a second chance.

    As for data restoration programs, I've had good luck with GetDataBack from Runtime.org. For quick and dirty there's always dd.
