Friday, March 27, 2009

small hack link dump

http://hack0wn.com/forum/index.php?topic=963.0

build this:
http://www.ladyada.net/make/wavebubble/powersupply.html

use this:
http://ikat.ha.cked.net/

watch this:
http://video.google.com/videoplay?docid=-2160824376898701015

go to this:
http://dc404.kaos.to/index.html

buy one of these:
http://www.fon.com/en/

Fun with physical access to public computers

There is a common source of hacking that many people overlook. It is well known that physical access is total access. That is, if an attacker has physical access to a computer, it is not your computer anymore. Usually this involves a live CD to do things like grab the SAM file or replace it, etc. I want to concentrate on a situation where you have physical access, but have limited time and privileges. We are also assuming that you can't boot to anything else. And we are going to say that you are not allowed to use a hardware keylogger. What can you do? Well, the objective is to get admin privileges. Then, we will own the box. So. First, let's see about a shell. In my experience, I just write a batch file. This is the common source of hackery that is overlooked sometimes. Batch files and VBS scripts don't need to be compiled and the language is simple. As long as you have Notepad, you are good. Batch files are just a collection of commands to be executed by cmd.exe. It also supports if and switch statements, and several other basic programming features. VBS scripts are just Visual Basic scripts. Most people use Visual Studio to make stuff with Visual Basic, but you can actually get away with only Notepad. There won't be a GUI, but that can be a good thing. The only way to tell that either a batch or VBS script is running is the Task Manager. This is only one reason why disabling the Task Manager for users is a bad idea. Anyway, here is the batch script that I used to get a shell whenever I needed one.
[code]
@echo off
REM Start an interactive command prompt from inside the batch file
cmd.exe
[/code]
Yes really, that's it. Even if the admin disables the ability to execute cmd.exe if you navigate to it, this will work. You can google for all kinds of interesting batch and VBS scripts. Or you can be less lame and write your own. Once you get a shell, you can add yourself as administrator. You can also kill applications that you don't want running. In my situation, you could see the processes running but could not end any of them. So if I don't want VNC or other remote control software or access restriction stuff running, you can force kill them.

Or, use this:
This is a bloody brilliant site written by Paul Craig. He presented it at DefCon last year. It is designed to let you exploit internet kiosks. It basically automates the process of trying every possible way to get a shell. And it works great. Be aware that the site may be NSFW because of the giant picture of a girl's naked butt on the front. That is the one thing that I do not understand, because you would think that you wouldn't want to draw attention to yourself. Anyway, I am working on getting a version of his site up without the picture on it. Until then, he has released a zip file with all the code for the site in it, so you can use that. Here's the site:

http://ikat.ha.cked.net/

I also recommend watching the talk he gave at DefCon here. It's almost 100Mb, but it's worth it. It gives a great explanation of what exactly is going on behind the scenes.

Enjoy!

Wednesday, March 25, 2009

quick hack idea

Get a pineapple (fon router hack, hak5.org for more details) and bring it on an airplane with you. Set up a network called United Airlines Courtesy Wireless or something and see how many people connect. For bonus points, use your cell phone (if you can get a signal) to actually connect them to the internet. While deliberately setting up lots of wireless communication on an airplane may not be the best idea, I'd be willing to bet that everything on the plane is shielded and you probably won't crash the thing. I'd also be willing to bet that the first thing people will connect to is their email. More bonus points for convincing the captain or flight attendants that the plane is already equipped with wireless via social engineering so that they announce over the intercom that free wireless is available. You could set up a captive portal that had them download a small file that allowed them to join the 'special airplane kind of wifi' and pack a little dummy program that displays a window with a bogus speed graph and the word "Connected!". Then using the iexpress packing method, also include an exe created from metasploit that executes after the dummy program does. Then it doesn't matter that the internet suddenly doesn't work and the captive portal redirects to a page that explains how, unfortunately, the connection to the ground is currently unavailable due to wind currents or something. By that time, the exe is already running and you have a meterpreter session on every computer that connected. Of course, the classic, easier hack for this situation is just the pineapple asking clients with wifi on for their autoconnect SSID and then silently connecting with them.

Wednesday, March 18, 2009

quick link dump

I am working on building a custom version of Linux by installing more packages and getting rid of some on Ubuntu. I have a basic version already done, but I plan on adding more things to it. Anyway, I have been looking up how to do a lot of stuff on Ubuntu, so I figured I would post all the links I have been using so I don't have to look it up again.

http://www.makeuseof.com/tag/building-your-own-local-wordpress-blog/
http://www.commandlinefu.com/commands/browse/sort-by-votes
http://www.howtoforge.com/ubuntu_lamp_for_newbies
http://rubbervir.us/projects/ubuntu_media_server/part2.html
http://ubuntu-tutorials.com/2006/12/28/how-to-setup-gnump3d-for-a-streaming-media-server-ubuntu-510-6061-610/

http://laptoplogic.com/resources/50-ways-to-impress-your-geeky-linux-friends

http://www.youtube.com/watch?v=Ad17kma8rNM

http://elitebydesign.com/the-ultimate-wordpress-guide-for-the-absolute-beginner-part-1/

http://forums.asmallorange.com/index.php?showtopic=7037

http://www.petri.co.il/forums/showthread.php?t=15918
http://www.thinkdigit.com/forum/archive/index.php/t-98267.html

unrelated:
http://www.codinghorror.com/blog/archives/001210.html
http://www.codinghorror.com/blog/archives/001243.html

Tuesday, March 17, 2009

hooray for math!

Lately I have run into several interesting mathematical 'things'. I like math, so I decided to do a post on them.

The first cool math law is called Benford's law. I read an article about it a while ago and thought it was one of the more interesting properties of numbers I had heard of. It was discovered in 1881, and then again in 1937. It turns out that if you have a really large set of random numbers, the percentage of occurrence of each number decreases by a lot as you go up the number line. In other words, if I have a million random numbers, the number of 1's in that chunk of data will be much higher than the number of 2's, which will be higher than 3's and so on. Because of this law, insurance companies and banks can screen for fraud because humans are really bad at making up random numbers. So if someone tries to write a check for an amount that doesn't look suspicious, the number they choose will probably have lots of 5's in it. It may be impossible to detect the fraud after only 1 check, but after a lot, a definite pattern begins to emerge and Benford's law is violated. This throws a flag and the bank investigates. You can read more about Benford's law at Wikipedia and here.
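As an added worked example (not from the original post), here is the screening test the paragraph describes, in Python. It computes the leading-digit frequencies Benford's law predicts, counts leading digits in a data set, and uses a Pearson chi-square statistic to decide whether the data deviates enough to flag. The first 1000 Fibonacci numbers stand in for a naturally occurring, Benford-conforming set; the list of "check amounts" is constructed here to mimic numbers a person invented, clustered around 5. The critical value is the standard chi-square value for 8 degrees of freedom at p = 0.05.

```python
import math
from collections import Counter

# Benford's law: the expected share of leading digit d is log10(1 + 1/d).
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}

# Pearson chi-square critical value, 8 degrees of freedom (nine digit classes
# minus one), p = 0.05.
CHI2_CRIT_8DF_005 = 15.507


def leading_digit(x):
    """First non-zero digit of a non-zero int or float (sign ignored)."""
    if x == 0:
        raise ValueError("zero has no leading digit")
    if isinstance(x, int):
        return int(str(abs(x))[0])
    digits = f"{abs(x):.15g}".replace(".", "").lstrip("0")
    return int(digits[0])


def first_digit_counts(values):
    """Count how often each leading digit 1..9 occurs among non-zero values."""
    counts = Counter(leading_digit(v) for v in values if v != 0)
    return {d: counts.get(d, 0) for d in range(1, 10)}


def benford_chi_square(values):
    """Pearson chi-square distance between the observed first-digit counts
    and the counts Benford's law predicts for a sample of the same size."""
    observed = first_digit_counts(values)
    n = sum(observed.values())
    return sum((observed[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d])
               for d in range(1, 10))


def looks_fabricated(values, critical=CHI2_CRIT_8DF_005):
    """True when the first-digit distribution deviates from Benford's law at
    the chosen significance level. A screening flag for review, not proof."""
    return benford_chi_square(values) > critical


def fibonacci(n):
    """First n Fibonacci numbers, a sequence known to follow Benford's law."""
    seq, a, b = [], 1, 1
    for _ in range(n):
        seq.append(a)
        a, b = b, a + b
    return seq


# Constructed "check amounts" chosen the way a person might invent them:
# clustered around 5xx and 5xxx, never starting with 1 through 4.
FABRICATED_AMOUNTS = ([500 + 7 * i for i in range(60)]
                      + [5200 + 13 * i for i in range(60)])

if __name__ == "__main__":
    for name, data in (("fibonacci", fibonacci(1000)),
                       ("fabricated", FABRICATED_AMOUNTS)):
        print(f"{name}: chi2 = {benford_chi_square(data):.1f}, "
              f"flag = {looks_fabricated(data)}")
```

A single invented amount cannot be flagged this way; the statistic only separates the two sets because it aggregates over many values, which is the point the paragraph makes about screening after a lot of checks.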

Another neat math trick is the Markov chain. The Markov chain is based on a simple idea: that the current state captures and has all the information that could possibly influence future states. So, we can kind of think of the chain as being a closed system, where no more variables or anything are introduced externally. Chutes and Ladders and Hi Ho! Cherry-O are both games that can be exactly modeled with a Markov chain. This is all in the realm of probability theory, which can be very dense, but there are some really cool applications for the Markov chain. The way I first heard about it was its use in predicting sports outcomes. Several NCAA prediction algorithms are based on a Markov chain. It can also be used for predicting gambling (blackjack card counting tables are calculated with Markov chains), generating music, and my favorite, generating text. There are several examples of using Markov chains on text to impersonate people and pass the Turing test. The basic way it works is that you give it a huge chunk of text and it breaks that text up into 3-word chunks. It then looks at each of these chunks, finds words in common with other chunks, and combines them. This means that the sentences make sense syntactically, but the content makes no sense at all. Wikipedia has a great article on Markov chains, and you can find a Markov chain text generator here and the Python code for it here.
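As an added example (not the generator the post links to, whose code is not reproduced here), the following Python builds the chain the paragraph describes: the training text is read in 3-word windows, each 2-word prefix remembers every word that ever followed it, and generation walks from one prefix to the next. The training text is a few constructed sentences. The `is_recombination` check verifies the property the paragraph states, that every 3-word run of the output already occurs somewhere in the input, which is why the output parses but says nothing.

```python
import random
from collections import defaultdict

# Constructed training text for the example (not a real corpus).
CORPUS = """the attacker has physical access to the machine and the machine is not
your machine any more . the attacker has a live cd and the live cd has a shell .
the attacker has a shell so the attacker has an account . the machine has a task
manager and the task manager is the only thing the user has ."""


def build_chain(text, order=2):
    """Slide a window of order+1 words over the text and record, for each
    order-word prefix, every word that followed it (repeats keep their weight)."""
    words = text.split()
    chain = defaultdict(list)
    for i in range(len(words) - order):
        chain[tuple(words[i:i + order])].append(words[i + order])
    return dict(chain)


def generate(chain, length, seed=0, order=2):
    """Random walk over the chain: start at a random prefix, then keep picking a
    word that was seen after the last `order` words, until `length` words or a
    dead end (a prefix that only occurs at the very end of the corpus)."""
    rng = random.Random(seed)
    out = list(rng.choice(list(chain)))
    while len(out) < length:
        followers = chain.get(tuple(out[-order:]))
        if not followers:
            break
        out.append(rng.choice(followers))
    return " ".join(out)


def word_windows(text, size=3):
    """Set of all runs of `size` consecutive words in the text."""
    words = text.split()
    return {tuple(words[i:i + size]) for i in range(len(words) - size + 1)}


def is_recombination(corpus, generated, order=2):
    """True when every (order+1)-word run of the output occurs in the corpus,
    i.e. the generator only recombined windows it was given."""
    return word_windows(generated, order + 1) <= word_windows(corpus, order + 1)


if __name__ == "__main__":
    chain = build_chain(CORPUS)
    text = generate(chain, 25, seed=1)
    print(text)
    print("recombination only:", is_recombination(CORPUS, text))
```

Because a prefix's follower list keeps duplicates, a continuation that appeared three times in the training text is three times as likely to be chosen, which is what makes the output statistically resemble the source author rather than a uniform shuffle of their words.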

I'm sure as I take more math and explore the internet more, I will find more of these kinds of things, and I will do another post on them when I do.

Friday, March 13, 2009

R/C wifi car update

An update on the status of the r/c car:

We are now in the planning phase of this project. We have also added another member to the group doing it. Between the 3 of us, we can split up the cost and get more ideas. Once we introduced our new guy to the concept, he loved it. He also gave us some good ideas that we will probably implement.
The first thing that we plan on doing is replacing the laptop we were going to use as the webserver with a tiny computer. The motherboard will be one of those little Intel Atom boards that are about 7 inches by 7 inches. I love these things because of their size, power, and that they have USB, a PCI slot, and serial and parallel on them. Oh, and an ethernet jack. So we plan on making the ethernet jack and the PCI slot into 2 wireless interfaces. Then the Phidget controller will go over USB, and the webcam will go over USB as well. Serial and parallel can be used for sensors or other microcontrollers. Depending on how the car looks when we get it, the motors may change. In either case, we will probably end up with an extra spot open on the Phidget. For $45, we are using every spot no matter what. One of my ideas for a use was a model rocket launcher. Like an emergency flare or something. Or defense :). We also need batteries for it. That is the only weakness with using that computer. We think it draws around 50 watts, but I bet we can get it down by running minimal command line Linux. The thing that will suck up the most power is going to be the wireless interfaces. All it has to do is run some C code, host a very small HTTP server, a very small SSH server, and deal with the hardware. We also plan on sticking some wifi antennas on. There are a couple of tutorials online that show how to make your own wifi antennas, so I want to try some of those before I spend like $50 on a nice omnidirectional antenna. We also planned on adding speakers to it. I don't know, I just have this image in my head of a pink Barbie car driving down the street with several hundred dollars worth of electronic gear on it with several giant antennas sticking out blasting "I'm a Barbie Girl". I wonder if the cops would be called? In that case, it probably needs an LCD screen in the front so we can explain to people via Skype what this thing is.

There is still the possibility of making it autonomous, or at least semi-autonomous. I definitely want to write some scripts over the break that will automatically scan for wifi networks and connect. I think I should be able to modify an autoconnect script and add in a bit to flag WEP encrypted networks and call a function to crack them and then connect to them. It would actually have to be fairly complex because it will have to decide which network is best; all available networks would have to be ranked and then attempted to be connected to in that order. It also should have a safeguard in case the signal gets too low so we can turn around before it gets stranded.

If anyone reads this and knows bash scripting well, help. email is aloishis89 at gmail dot com.

I will post later this week on the stuff I worked on over spring break.

What Happened

Here is the complete story of why I missed the bowling thing. I heard about this thing that AirTran did for college age people where it was $70 for a one way standby ticket. I thought I would try it. The idea was that I would look up flight times to Tampa online and get to the airport early and get on a plane in the morning and be home by the afternoon. I was also going to carry on my luggage. About 24 hours prior to me leaving, I began to notice that the flights to Tampa were selling out. By the morning of me leaving, there were only 2 left and the earliest one left at around 3 in the afternoon. I decided to get to the airport early anyway in case there was room on an earlier flight. After getting on the Tech bus and then the subway, I walked up to the AirTran counter and told them that I wanted to buy a standby ticket to Tampa. This is where the badness started happening. I was told that all AirTran flights to Tampa were sold out and that my carry on bag was too big. This meant two things. First, I had to find another airline, and second, I had to either buy a ticket to check my bag, or I had to mail it home. I had all my clothes in there, so I had to check it. So I got on the phone with my mom who was on the computer at home looking at tickets (the internet is not free in the Atlanta airport, which is pretty much the gayest thing ever). I talked to just about every airline and soon discovered that it was going to end up being a trade off of time and money. Delta (the next cheapest alternative) had a one way flight to Tampa for $900. Or, I could get a cheaper flight by way of Philadelphia or Chicago, which would mean an 11 hour flight. My mom was freaking out because it turns out trying to buy a ticket to Tampa, WHERE EVERYONE GOES FOR SPRING BREAK, several hours beforehand, is not easy. Or cheap. Then who should come to our house but an old Northside alumnus who was selling knives.
So my mom has to go listen to a presentation on the knives that slice AND dice and come with a lifetime warranty. After refusing to buy large quantities of knives, we had an idea. Flying into the Sarasota airport would be a lot cheaper because it is so much smaller. And sure enough, we found a reasonably priced flight to Sarasota that made a stop in Charlotte, NC. So I go up to the US Airways counter and talk to a dude named Fred. Fred was marginally insane. He made a remark about my name being Hunter and then excitedly muttered something about hunting and wild game. He also told me that he had been working at that desk for longer than I had been alive. Interesting. However, crazy Fred was nice because he managed to get me a seat on that flight and even gave me an exit row window seat (lots of leg room). After making it through security, I found the gate and waited. The plane was scheduled to leave at 1:55. If everything went well, I would be home by 7. Nothing went well. The plane ended up being delayed for an hour because of the weather. Once I landed in North Carolina, I had missed my flight to Sarasota by 15 minutes. My new departure time? 10 pm. 5 hours of layover. But wait! On the screens by the gate there was a plane listed that was leaving for Tampa at 6:30! So I went to go ask the workers if I could just get on that one. And that is when my checked bag decided to attack my plans again. If I had not checked anything, I could have been on that plane. But because I did check something, the rule is you have to fly with your bags. It is 38 degrees in North Carolina and it is raining. I have never wanted to be home so badly in my life. Anyway, I have 4 hours to go now, and I will wrap up the story tomorrow (assuming I get home and the plane doesn't explode). Anyone want to bet that my bag will get lost?

Thursday, March 12, 2009

Bootable backtrack on usb

I just had to figure this out for a second time, so here's what you do:

-get the USB version of BackTrack at Remote Exploit
-format the USB stick to FAT32 and make sure it can hold around 900 Mb of stuff
-copy the entire root directory of the extracted BackTrack folders onto the USB drive
-run bootinstall.bat (or the shell one for Linux) in BOOT

then you should be good.

Sunday, March 8, 2009

Beta Test my game

I am taking a C programming class and we are developing for GameBoy Advance. If you want to try out the release candidate of my game, here's what you do.

1. Download a gameboy emulator here. Just extract the zip file and run the exe. There is no installation.

2. Download my game here. Once you save it to somewhere you will remember, just drag and drop the game file into the gameboy emulator window. The keys you need are Enter (the start button) and the arrow keys.

It is not a very complicated game and I only wrote it in a couple days. Please let me know of any problems or bugs you encounter and any suggestions you have for it. I am trying to get music going for it, but it's very complicated. Thanks for trying it out, let me know if you have any problems getting it to run.

Tuesday, March 3, 2009

Geek Ocean's 11

I have been reading up on card counting in Blackjack for fun. It turns out that you don't need to be a genius, you just have to memorize lots and lots of tables. The math theory behind it is pretty interesting. I will want to test my counting skills on my friends soon. Anyway, it turns out that some casinos now are embedding RFID in their chips. This got me thinking. RFID is not nearly as secure as some people think it is. What if you took some RFID chips in your room and read them with your laptop. The RFID radio will be forced to puke up its ID. Then all you need to do is get a bunch of RFID cards and spoof chip values. They probably assign each chip an individual ID number and encode its value in it. This lets the house know how much you have in chips and your betting rate, etc. This is also a way that they can tell whether or not you are counting cards. I am interested to know whether the system they use keeps track of anomalies like 2 chips reporting identical IDs. If it ignored this, then there is no way a human would know that several chips are in 2 places when there are hundreds of thousands of chips. If this is the case, then someone with several RFID cards spoofing chips in their pocket would essentially hide their betting from the house. You could also perform a DoS attack by flooding the reader with IDs. This would draw attention, but the security guys would think it was a hardware failure and ignore data from that reader. By selectively allowing and denying access to RFID IDs that represent different chip values, you could make it appear that you were betting much more or less than you actually were.
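Since the post asks whether a chip-tracking system would notice two chips reporting the same ID, here is what that check looks like from the house's side, as an added example that is not from the post and not modelled on any real casino system. The reader log is constructed: tuples of (seconds, reader_id, chip_id). `clone_alerts` flags an ID reported by two different readers closer together in time than a chip could physically travel, and `flood_alerts` flags a reader reporting more distinct IDs in a few seconds than a table could hold, so that a burst becomes an alert to investigate rather than data written off as a hardware fault. The reader names, window sizes and thresholds are placeholders chosen for the example.

```python
from collections import defaultdict

# Constructed reader log for the example: (seconds, reader_id, chip_id). Not real data.
EVENTS = [
    (0, "table-3", "chip-1001"),
    (1, "table-3", "chip-1002"),
    (2, "table-7", "chip-1001"),     # chip-1001 reported at a second table 2 s later
    (30, "cage", "chip-2001"),
    (31, "table-3", "chip-1003"),
    (900, "table-7", "chip-1002"),   # chip-1002 changed tables 15 min later: plausible
] + [(100, "table-5", f"chip-9{i:03d}") for i in range(25)]   # 25 IDs in one second


def clone_alerts(events, min_travel_seconds=60):
    """Flag a chip ID that two different readers report within min_travel_seconds
    of each other. One physical chip cannot be at two tables at once; a duplicated
    or spoofed ID can. Returns (chip, earlier reader, later reader, gap)."""
    last_seen = {}          # chip_id -> (time, reader) of its most recent read
    alerts = []
    for t, reader, chip in sorted(events):
        if chip in last_seen:
            t_prev, reader_prev = last_seen[chip]
            if reader_prev != reader and t - t_prev < min_travel_seconds:
                alerts.append((chip, reader_prev, reader, t - t_prev))
        last_seen[chip] = (t, reader)
    return alerts


def flood_alerts(events, window_seconds=10, max_distinct_ids=20):
    """Flag a reader that reports more distinct chip IDs inside window_seconds
    than a table could plausibly hold. Returns (reader, window start, id count)."""
    by_reader = defaultdict(list)
    for t, reader, chip in sorted(events):
        by_reader[reader].append((t, chip))
    alerts = []
    for reader, reads in by_reader.items():
        for t_start, _ in reads:
            ids = {chip for t, chip in reads if t_start <= t <= t_start + window_seconds}
            if len(ids) > max_distinct_ids:
                alerts.append((reader, t_start, len(ids)))
                break               # one alert per reader is enough
    return alerts


if __name__ == "__main__":
    print("clone alerts:", clone_alerts(EVENTS))
    print("flood alerts:", flood_alerts(EVENTS))
```

The travel-time threshold is what separates a legitimate chip moving between tables (chip-1002, fifteen minutes apart) from an impossible one (chip-1001, two seconds apart); in a real deployment it would be derived from the floor layout rather than a constant.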