Some of our work was published and I would like to share it here:
More coming soon in a web near you 🙂
Me and Paulo Silva wrote a simple golang tool to check full disclosures on HackerOne. Why?
- You can filter the results
- You can see ALL the results (H1 has page limitations – 25 results)
- Its coded in Go 😀
So if you guys want to give it a try, feel free to install it and participate – https://github.com/dsopas/h1-search
I recently published two repos on my Github account. One is RFD Checker, which I did with my colleague Paulo Silva, where it scans for Reflected File Download vulnerabilities and the other one is a security mindmap (you can also have other formats). This last one had pretty good success just because it a mindset for helping infosec peers and bug bounty hunters on their assessments.
Feel free to share it and participate on any of the projects. They are open-source and with the help of the infosec community they can become a better tool to your arsenal.
On 13th March I did a webinar for Checkmarx showing in around 30 minutes what is and how you can exploit the web vector Reflected File Download.
You can still watch the recorded version at RFD: Still Threatening the Biggest Names on the Web.
Had a lot of fun doing it because it was my first webinar 🙂 ‘Til next time!
The team who loves hacking and learning new things have published more stuff:
I’m writing this article on my path of becoming a better researcher on IoT devices.
My goal was to create a portable device that I could use to scan BLE (aka Bluetooth Low Energy) devices and improve future tasks – like pentesting IoT for clients.
Disclaimer: No harm or malicious activities have been done to any device. Don’t use this type of information to do illegal stuff.
I used bleah (props to evilsocket) to record all the BLE devices on a car drive. Keep in mind that BLE has a max. range of around 100 meters (on open space) but the cheap adapter that I used had a range of 20 to 50 meters.
So first things first right? Modify my dongle.
I had the HUGE help of kripthor and we started by disassembling the device and identify where the antenna was.
We removed the connection and, after a few tries, we connected the external antenna of a old IP cam. Because the PCB was too small and the wires could break when we connect the device, we used a solder wire plastic holder (as a case) to have it all together and connected everything with chinese glue gun 🙂
This was the final result.
On the left you have a original dongle and in the right the mean mother f*cker dongle!
What I noticed… Better range and signal. I did a couple of tests using my own wearable and than my friend Paulo enters the scene to hold his watch in a open space.
Original dongle
80 meter range didn’t detect it
60 meter range -117dBm (sometimes didn’t detect it)
30 meter range -84dbm
10 meter range -76dbm
Mean mother f*cker dongle
100 meter range -92 dBm
60 meter range -84dBm
30 meter range -76dbm
10 meter range -71dbm
Now that I have a better dongle 😀 I had it to my portable configuration:
1x CSR 4.0 bluetooth adapter
1x Raspberry Pi 2 model B with a acrylic case (running Raspbian)
1x Powerbank
Devices found
Vendors that allowed connections ✓:
53x Unknown vendors
10x Samsung Electronics Co.
4x Apple
2x Polar Electro Oy
2x Samsung Electro-mechanics(thailand)
1x Texas Instruments
1x Google
1x Huawei Technologies Co
Totalling 74 devices in a 2.4km car drive across the city. On the unknown vendors I saw a couple of chinese wearables, Tiles, Bike GPS, etc:
Next step is to check popular areas, eg: running or bikes race events. That would pick lots of BLE devices.
This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course.
Student ID: IoTE- 766
Following my interest in going deeper on IoT – specially on hardware hacking, I grabbed a chinese IP cam – Loftek and started checking its internals. I already had researched the web application itself and the mobile app for Checkmarx but now I wanted something different.
My main goal was to find a serial port where I could connect to my laptop and see where it takes me. I was really hoping for root access…
After identifying the components I got what I wanted. A UART connection in J2 that I hoped that allowed me to create a serial communication. In this case it was pretty easy to identify them because they were printed on the PCB – RX – TX – GND – VCC (5V).
I grabbed a couple of pins and started soldering them to the RX – TX – GND. This last one was not very well positioned because the pin holes were very close to each other.
Now the fun part. Connect to my laptop. I used 3 jumper cables and the Attify Badge.
RX – D0
TX – D1
GND – GND
Next step, detect the baudrate for the communication. I used the python script from Craig Heffner on Kali Linux and it returned:
In the following case I used screen but you can also use minicom – with the previous detected baudrate:
And guess what! A root shell dropped in the console.
Other interesting thing that I already did on a previous research was to use this IP camera to sniff the network. What I did was to install a tcpdump binary and created a small script:
#!/bin/bash ifconfig ra0 down iwconfig ra0 mode monitor ifconfig ra0 up ./tcpdump -i ra0 --monitor-mode -w cap.cap & sleep 30 killall tcpdump ifconfig ra0 down iwconfig ra0 mode managed essid network-2g key s:myKeyto_Wifi ifconfig ra0 up
After a while I got few hits on the Wireshark that allow me to see people using Dropbox inside the network and some other services:
LLMNR/NBNS Poisoning anyone? 🙂
I hope to continue my path on hardware hacking because it’s really fun. Don’t forget also to check my BLE article where I wrote my notes on this “smart bluetooth” thing.
15/11/17 Donations
A few months ago, me and Luis had the idea to help the firefighters (true heroes) with a donation that could make their job more secure.
More than 210 thousand hectares of forest burned in Portugal only this year so this was the right thing to do.
After talking with João we thought about bringing more people together, specially in the infosec community. The objective was to bring more cash to the bucket.
The decision was unanimous, donate as much as we can to Associação dos Bombeiros Voluntários da Figueira da Foz.
Currently they’re asking for an acquisition of a new car.
This operation requires a huge amount of money. Other donations are applied in tires, car repairs, fuel, water, IT equipment and firefighters special clothes.
So if you want to help out…
The IBAN is PT50 0045 3050 4024 7032 1811 2.
Also don’t forget to send an email to geral at bvff.com.pt with the wire transfer confirmation and your NIF so they can also send you the receipt.
The following community gathered a total of 1845€:
- David Sopas
- LuÃs Gomes
- João Pena Gil
- Duarte Monteiro
- Cláudio André
- David Malheiro
- Guillaume Lopes
- Bruno Morisson
- Dragos Stanescu
- Francisco Moreira
Thanks!
BSides Lisbon 2017 was great \o/
It was my second BSides Lisbon (both as a speaker) and it’s amazing that the organization keeps improving this con.
It had awesome talks, and with the help of my great friend Duarte – we hosted a mini lockpicking village which had a great success.
I didn’t saw as many talks I wanted – because I was in the hallway cons with my mates but still I took some pictures:
Also I have the pleasure of working for three companies that sponsored this event – Checkmarx, Char49 and Cobalt. Thanks guys!
BTW you can download my presentation slides at Github » https://github.com/dsopas/talks/blob/master/Desktop/bsides_gtfo_pdf.pdf
Cya next year guys!
… you’re right! This guy 🙂
After my presentation last year, I decided to submit again a talk to the best infosec event in Portugal – BSides Lisbon. My talk GTFO Mr. User will be about:
In this talk, the author will present real case scenarios (aka hacking to PoC) showing the danger of large organizations ignoring high and critical security issues, with repercussions that would affect millions should the security threats fall into the wrong hands. Additionally, this talk will share tips on how to properly disclose bugs to companies without being a real Trump.
I’ll also bring some hardware to play during the event, specially for BLE hacking, and other few surprises in my talk (say what?!).
Don’t forget to check out the other speakers and buy your ticket!