IoT devices are claimed to be vulnerable to massive attack. We tried to assess the status quo with two IoT honeypots in Taipei and Munich, backed by real devices like LIFX, Philips Hue, D-Link and Samsung IPCams, gaming consoles, WDCloud and SmartTV. After four months of observation, we conclude that IoT is somewhat "probed" but still far from being massively attacked.
This document discusses various generations of HID attack devices that can inject keystrokes and payloads without detection from antivirus or DLP tools. It covers 1st gen devices like Teensy and Rubber Ducky, 2nd gen techniques like BadUSB, and advanced 3rd gen tools like WHID Injector and P4wnP1 that add WiFi capabilities and ways to bypass airgapping. It also discusses mitigation techniques for Linux and Windows like usbguard and duckhunt as well as resources for further information.
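The Linux/Windows mitigations the slides name (usbguard, duckhunt) rest on two ideas: only allow known USB devices, and notice when "typing" arrives faster and more regularly than a human can produce it. The following is an added example of the second heuristic, written for this page and not duckhunt's own code; the timing thresholds, window size and the keystroke timestamps are constructed assumptions.

```python
# Added example (not duckhunt's own code): flag keystroke bursts whose timing
# is too fast and too regular to be human, which is the heuristic behind
# keystroke-injection detectors such as duckhunt. Thresholds and the sample
# timestamps below are assumptions constructed for this example.
from statistics import mean, pstdev

MAX_GAP_S = 0.030     # assumed: humans rarely sustain < 30 ms between keys
MAX_JITTER_S = 0.005  # assumed: scripted injection has near-constant gaps
WINDOW = 8            # keystrokes examined per sliding window


def gaps(times):
    """Inter-keystroke intervals for a chronologically sorted list of times."""
    return [later - earlier for earlier, later in zip(times, times[1:])]


def is_injection(times):
    """True when a window of keystroke times looks machine-generated."""
    g = gaps(times)
    if len(g) < 3:                   # not enough keys to judge
        return False
    return mean(g) < MAX_GAP_S and pstdev(g) < MAX_JITTER_S


def scan(times, window=WINDOW):
    """Slide a window over keystroke times; return the start index of each
    window that trips the injection heuristic."""
    return [i for i in range(len(times) - window + 1)
            if is_injection(times[i:i + window])]


# Constructed sample: ten human keystrokes (noisy, 130-240 ms apart) followed by
# twelve injected keystrokes exactly 10 ms apart, as a Rubber Ducky payload types.
HUMAN_TIMES = [0.00, 0.18, 0.31, 0.52, 0.66, 0.90, 1.05, 1.27, 1.41, 1.60]
INJECTED_TIMES = [2.000 + 0.010 * k for k in range(12)]
SAMPLE_TIMES = HUMAN_TIMES + INJECTED_TIMES

if __name__ == "__main__":
    hits = scan(SAMPLE_TIMES)
    print("injection windows start at keystrokes:", hits)   # [10, 11, 12, 13, 14]
```

A detector like this is a rate limiter, not an authenticator: a fast typist or a legitimate macro tool will trip it, and an injector that adds random delays will slip under it. That is why the slides pair it with device allowlisting (usbguard), which decides on the device's identity rather than on what it types.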
The document provides instructions for initial testing and use of USR-TCP232-T24 serial communication products. It describes how to:
1. Initially test the hardware connection and network configuration, and test data transmission.
2. Configure the serial server to communicate in a router network and set up TCP and UDP server modes.
3. Use it in common applications like serial port setup, transparent transmission between two devices, and many-to-many serial communication.
Build your own private blockchain based on ethereum (Mehran Pourvahab)
This document discusses building a private Ethereum blockchain using go-ethereum (geth). It explains how to download the necessary software, generate accounts, create a genesis block file to initialize the blockchain, and start mining. Commands are provided to interact with the blockchain through the JavaScript console and view account balances and mining status. Finally, installing and running an Ethereum blockchain explorer called Ethnamed is described to view transactions on the private network.
Layer 8 and Why People are the Most Important Security Tool (Damon Small)
People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context of two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many techniques used are the same that are pertinent for Capture the Packet and Packet Detective.
Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user’s activity. The goal of the presentation is to show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz... (44CON)
The document discusses simple and low-cost hardware for performing side channel attacks. It proposes building a basic circuit using inexpensive off-the-shelf components for under $20 to perform timing analysis attacks. The document then explores more advanced hardware-based side channel techniques like power analysis, voltage glitching, and frequency glitching and discusses how these techniques have been used in real-world attacks.
Adventures in Femtoland: 350 Yuan for Invaluable Fun (arbitrarycode)
GSM networks have been compromised for over five years. Starting from passive sniffing of unencrypted traffic, moving to fully compromised A5/1 encryption and then even to your own base station, we have different tools and opportunities. A Motorola phone retailing for only $5 gives you the opportunity to peep into your girlfriend's calls. An RTL-SDR retailing for $20 allows you to intercept all two-factor authentication in a medium-sized office building. Lastly, a USRP retailing for $700 can intercept almost everything that you can see in 2G.
But who cares about 2G? Those who are concerned have switched off 2G. AT&T is preparing to switch off all its 2G networks by the end of 2016. Even the GSMA (GSM Alliance) admitted that security through obscurity is a bad idea (referring to COMP128, A5/*, GEA algorithms and other things). 3G and LTE networks have mandatory cryptographic integrity checks for all communications, and mutual authentication both for mobile devices and the base station. The opportunity to analyze all protocols and cryptographic primitives, thanks to their public availability, is important.
However, the main problem is that we do not have Calypso phones for 3G. We do not have cheap and ready-to-use devices to fuzz 3G devices over the air. Or do we? What about femtocells? Perhaps telecoms were too quick to let their guard down, trusting the security considerations embedded in 3G/4G? Users can connect to femtocells and get high-speed Internet access, make calls, etc. Why don't we abuse it?
Yes, there is already research that allows you to gain control over a femtocell. There is also research that allows sniffing calls and messages after gaining control. But all such solutions are not scalable. You are still bound to the telecom provider. You still have to connect to a VPN, to a core network. You have to bypass location binding and so on. Perhaps there is an easier solution? Perhaps we can create UMTS-in-a-box from readily available femtocells and have them available in large quantities without telecom branding? We already know.
We will tell the whole story from unboxing to proof-of-concept data intercept and vulnerabilities in UMTS networks with all your favorite acronyms: HNB, SeGW, HMS, RANAP, SCTP, TR-069.
This document discusses various techniques for advanced network forensics, including user/password cracking using Hydra, port scanning using Nmap, signature detection by analyzing file types in network payloads, and detecting converted file formats like MIME encoding. It provides examples of using tools like Hydra, Nmap, and Snort rules to detect activities like password cracking, port scanning, and the transmission of files like PDFs and images over the network.
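Signature detection on payloads means looking for the magic bytes of a file type where the content starts, and the "converted formats" point is that a PDF mailed as a base64 MIME attachment no longer contains the literal `%PDF-`. The following is an added example of both checks, written for this page and not taken from the slides; the magic numbers are the standard ones, while the depth limit, the base64 run regex and the three sample payloads are constructed assumptions.

```python
# Added example (illustrative, not from the slides): classify a captured TCP
# payload by the file type it carries, matching magic bytes either raw or
# after decoding a base64 (MIME) body. Sample payloads are constructed here.
import base64
import binascii
import re

# Well-known magic numbers; PDF and the image types are the ones the slides mention.
SIGNATURES = {
    b"%PDF-": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
RAW_DEPTH = 16   # like Snort's depth keyword: magic must sit at the start of the body

# Runs of at least 32 base64 chars, allowing the line breaks a MIME body uses.
_B64_RUN = re.compile(
    rb"(?:[A-Za-z0-9+/]{4}\s*){8,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"
)


def body_of(payload):
    """Strip HTTP/MIME headers: keep everything after the first blank line."""
    _head, sep, body = payload.partition(b"\r\n\r\n")
    return body if sep else payload


def match_raw(data, depth=None):
    """Return (type, offset) if a known magic starts within the first `depth` bytes."""
    haystack = data if depth is None else data[:depth + max(map(len, SIGNATURES))]
    for magic, name in SIGNATURES.items():
        idx = haystack.find(magic)
        if idx != -1 and (depth is None or idx < depth):
            return name, idx
    return None


def match_base64(data):
    """Decode each long base64 run and look for magic bytes in the result."""
    for m in _B64_RUN.finditer(data):
        run = re.sub(rb"\s+", b"", m.group(0))   # undo MIME line wrapping
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        hit = match_raw(decoded, depth=RAW_DEPTH)
        if hit:
            return hit[0], m.start()
    return None


def classify(payload):
    """Return {'type', 'encoding', 'offset'} (offset relative to the body) or None."""
    body = body_of(payload)
    hit = match_raw(body, depth=RAW_DEPTH)
    if hit:
        return {"type": hit[0], "encoding": "raw", "offset": hit[1]}
    hit = match_base64(body)
    if hit:
        return {"type": hit[0], "encoding": "base64", "offset": hit[1]}
    return None


def _wrap76(b64):
    """Wrap base64 text at 76 columns the way a MIME encoder does."""
    return b"\r\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))


# Constructed samples: a PDF served over HTTP, a PNG carried as a base64 MIME
# body, and a plain request carrying no file at all.
PDF_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n"
                b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n")
_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 72
MIME_PNG = (b"Content-Type: image/png\r\nContent-Transfer-Encoding: base64\r\n\r\n"
            + _wrap76(base64.b64encode(_PNG)) + b"\r\n")
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, p in [("pdf", PDF_RESPONSE), ("mime", MIME_PNG), ("get", PLAIN_GET)]:
        print(label, classify(p))
```

Anchoring the raw match to the start of the body is what keeps the three-byte JPEG signature from matching random binary in the middle of a stream; the base64 branch still searches the whole body, because an attachment can follow other MIME parts. A stream reassembled from several packets should be classified as one body, otherwise the magic and the padding can land in different segments.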
Talk given in Hackware about the details behind my PCB business card. More detailed information can be found in my blog post:
http://yeokhengmeng.com/2015/09/pcb-businessname-card/
or Github repo
https://github.com/yeokm1/pcb-name-card
This document summarizes an ESP8266+Arduino workshop that demonstrates connecting an ESP8266 WiFi module to Arduino and programming it to create WiFi networks and access the internet. The workshop shows how to communicate with the ESP8266 using AT commands over serial, program it using the Arduino IDE, and use it as a web server and client. Code examples are provided to retrieve sensor data using a DHT11 and send it to a cloud database using the ESP8266's WiFi connection.
The document provides information about various interactive art and electronics projects from 2007-2009. It includes schedules and descriptions of workshops, summaries of projects using tools like Gainer I/O, Arduino, and Processing to control physical inputs and outputs. Code snippets are provided showing how to read sensor values and control outputs like LEDs and sound. Overall it discusses using technology like accelerometers, potentiometers, and buttons to create interactive art installations and performances.
The document provides an overview of network security topics including SIEM, logs, NetFlow, web logs, and compliance standards. It discusses how SIEM systems aggregate and correlate log/event data from multiple sources to provide security monitoring, incident response, forensic analysis and compliance reporting capabilities. Specific topics covered include syslog, NetFlow for network monitoring, and examples of web server logs and the types of data that can be extracted from logs for security purposes. Compliance standards like PCI-DSS and SOX are also mentioned in relation to why log collection and monitoring is important for audit requirements.
Smartphones, tablets, TVs, cars and smartwatches: Android is everywhere, enabling users and developers with a rich set of applications, libraries and services. Android Things brings such power to virtually any object, any “thing”: using a low-cost (yet powerful) board, developers can add intelligence and connectivity to homes, industries, vehicles and even medical appliances. This presentation introduces practical concepts around the Android Things platform and how to have fun with it.
The document discusses Terracotta VPN, a VPN service operated from China that has been used to anonymize cyber attacks. It was discovered when threat analysts found a hacked server being used to control a backdoor. Investigation revealed over two dozen compromised servers enlisted as nodes for Terracotta VPN. A month of logs from one node showed over 118,000 connections, mostly from China. The document explains how Terracotta VPN works, encrypting traffic but sending credentials in clear text, and why it was named after terracotta pots that can be easily cracked.
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald... (PROIDEA)
Radio-frequency (RF) remote controllers are widely used in multiple industrial applications like manufacturing, construction and transportation. Cranes, drillers and diggers, among others, are commonly equipped with RF controllers, which have become the weakest link in safety-critical IIoT applications. Our security assessment revealed a lack of important security features at different levels, with vendors using obscure proprietary protocols instead of standards. As a consequence, this technology appeared to be vulnerable to attacks like replay, command injection, e-stop abuse, malicious re-pairing and reprogramming. Together with ZDI, we went through a 6-month responsible disclosure process and then released 10 security advisories. In this presentation, we share the findings of our research and make use of demos to discuss the problems in detail. We conclude by providing recommendations for all parties involved in the life-cycle of these devices, from vendors to users and system integrators.
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th... (Felipe Prado)
This document discusses exploiting Qualcomm WLAN and modem chips over-the-air. It begins with introductions to the researchers and Tencent Blade Team. It then outlines the agenda and provides background on Qualcomm chips, including the WLAN firmware, modem firmware loading process, and attack surfaces. It details a vulnerability in the WLAN firmware that allows overwriting memory and escalating privileges to the modem and kernel. It demonstrates exploiting this vulnerability over-the-air to achieve remote code execution on Android devices. The document concludes with discussions on stability of exploitation and delivering payloads across different devices.
This document contains an agenda and notes from a workshop or conference on May 24, 2008. It includes a schedule with 4 sessions between 10:00-18:30 covering topics like Gainer I/O, LEDs, controlling outputs with buttons and LFOs, and using Processing with Funnel and Minim. Notes describe code examples for controlling LEDs with mouse input, buttons, and LFOs. Other topics mentioned include scopes, 3D rendering, audio, and sketches as quick, inexpensive ways to explore and prototype ideas rather than confirm them. References are made to related books on physical computing, Processing, and Gainer.
- The document discusses various Linux system log files such as /var/log/messages, /var/log/secure, and /var/log/cron and provides examples of log entries.
- It also covers log rotation tools like logrotate and logwatch that are used to manage log files.
- Networking topics like IP addressing, subnet masking, routing, ARP, and tcpdump for packet sniffing are explained along with examples.
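The SIEM overview above and these notes on /var/log/secure meet in the same task: turn raw sshd entries into an event a monitoring system can correlate. The following is an added example, written for this page rather than taken from either document, of parsing such lines and flagging password brute force, including the case a SIEM rule most wants to catch, a success from a source that was failing moments earlier. The log lines are constructed, and the year is an assumption because classic syslog timestamps carry none.

```python
# Added example (not from the slides): parse sshd entries of the kind found in
# /var/log/secure and flag password brute force, including the case where a
# burst of failures is followed by a successful login from the same source.
# The log lines are constructed for this example; the year is assumed because
# classic syslog timestamps carry none.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2021):
    """Return a dict for an sshd auth event, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window_s=60):
    """Alert when one source IP produces `threshold` failures inside `window_s`
    seconds, and when a success follows failures that are still in the window."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent = defaultdict(list)          # ip -> timestamps of in-window failures
    alerts = []
    for e in events:
        fails = recent[e["ip"]]
        while fails and (e["ts"] - fails[0]).total_seconds() > window_s:
            fails.pop(0)                 # expire failures that left the window
        if e["result"] == "Failed":
            fails.append(e["ts"])
            if len(fails) == threshold:  # fire once per burst
                alerts.append(("bruteforce", e["ip"], e["ts"]))
        elif fails:                      # Accepted while failures are pending
            alerts.append(("success_after_failures", e["ip"], e["user"]))
            fails.clear()
    return alerts


# Constructed sample: a password-guessing burst that ends in a successful root
# login, an unrelated key-based login, one stray failure and a non-sshd line.
SAMPLE_LOG = """\
Mar 14 10:22:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 41234 ssh2
Mar 14 10:22:03 bastion sshd[2212]: Failed password for invalid user oracle from 203.0.113.5 port 41240 ssh2
Mar 14 10:22:04 bastion sshd[2214]: Failed password for root from 203.0.113.5 port 41244 ssh2
Mar 14 10:22:06 bastion sshd[2216]: Failed password for root from 203.0.113.5 port 41250 ssh2
Mar 14 10:22:08 bastion sshd[2218]: Failed password for root from 203.0.113.5 port 41252 ssh2
Mar 14 10:22:09 bastion sshd[2220]: Accepted password for root from 203.0.113.5 port 41260 ssh2
Mar 14 10:25:30 bastion sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Mar 14 10:40:00 bastion sshd[2350]: Failed password for bob from 198.51.100.7 port 50100 ssh2
Mar 14 10:40:12 bastion CRON[2360]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two practical caveats: logrotate can split a burst across two files, so feed the detector the rotated file and the live one in order; and a distributed attack that spreads guesses over many source addresses needs the same logic keyed on the target user rather than on the IP.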
APNIC Senior Security Specialist Adli Wahid presented on the APNIC Honeynet Project, interesting observations, mitigation and multistakeholder collaboration at Threat Con 2021, held online from 8 to 11 September 2021.
OSTU - Sake Blok on Packet Capturing with Tshark (Denny K)
Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com). His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake's main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.
UPC router reverse engineering - case study (Dusan Klinec)
Security analysis of the UPC UBEE EVW3226 router: reverse engineering and the WPA2 password generation algorithm. A statistical analysis of the password generation function is provided, along with results from wardriving.
Ripe71 FastNetMon open source DoS / DDoS mitigation (Pavel Odintsov)
This document describes FastNetMon, an open source DDoS mitigation toolkit. It provides concise summaries of network traffic and detects DDoS attacks in real-time. It can block malicious traffic through methods like BGP announcements. FastNetMon supports many Linux distributions and can integrate with hardware/cloud solutions. It detects attacks faster than traditional hardware/service approaches through optimized packet capture using tools like Netmap and PF_RING.
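The detection side of a tool like this reduces to: scale sampled packet records back to wire rates per protected host, compare against thresholds, and hand the offending /32 to a BGP speaker. The following is an added example of that loop, written for this page and not FastNetMon's own code; the protected network, sampling ratio, thresholds and the one-second sample set are constructed assumptions, while the 65535:666 BLACKHOLE community is the well-known value from RFC 7999.

```python
# Added example (illustrative; not FastNetMon's code): scale sampled packet
# records back to wire rates per protected host, compare against pps/Mbps
# thresholds, and emit the /32 plus BGP blackhole community (RFC 7999) that
# a mitigation hook would announce. Networks, thresholds, the sampling rate
# and the sample records are assumptions constructed for this example.
import ipaddress
from collections import defaultdict

PROTECTED = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: our address space
SAMPLING_RATE = 1000          # assumed: collector sees 1 of every 1000 packets
THRESHOLD_PPS = 20_000
THRESHOLD_MBPS = 100
BLACKHOLE_COMMUNITY = "65535:666"   # well-known BLACKHOLE community, RFC 7999


def is_protected(ip):
    """True when the address falls inside one of our announced networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED)


def rates(samples, interval_s):
    """samples: (dst_ip, packet_len_bytes) tuples seen during `interval_s`.
    Returns {dst_ip: (pps, mbps)} for protected destinations, scaled by the
    sampling rate so that the figures approximate the real wire rate."""
    pkts, octets = defaultdict(int), defaultdict(int)
    for dst, length in samples:
        if is_protected(dst):
            pkts[dst] += SAMPLING_RATE
            octets[dst] += length * SAMPLING_RATE
    return {h: (pkts[h] / interval_s, octets[h] * 8 / interval_s / 1_000_000)
            for h in pkts}


def detect(samples, interval_s=1.0):
    """Return one mitigation record per host exceeding either threshold."""
    actions = []
    for host, (pps, mbps) in rates(samples, interval_s).items():
        if pps > THRESHOLD_PPS or mbps > THRESHOLD_MBPS:
            actions.append({
                "host": host, "pps": pps, "mbps": round(mbps, 3),
                "announce": f"{host}/32", "community": BLACKHOLE_COMMUNITY,
            })
    return actions


# Constructed one-second sample: a SYN-sized flood toward .10, normal bulk
# traffic toward .20, and a few packets for an address that is not ours.
SAMPLES = ([("192.0.2.10", 64)] * 40
           + [("192.0.2.20", 1500)] * 5
           + [("203.0.113.9", 1500)] * 3)

if __name__ == "__main__":
    for action in detect(SAMPLES):
        print(action)
```

The two thresholds matter because floods look different on each axis: the 64-byte flood here is far below the bandwidth limit but four times over the packet-rate limit, while a volumetric amplification attack is the reverse. Blackholing a /32 finishes the attack for the victim host, so in practice the announcement should carry a timeout and a manual review path.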
Honeypots - November 8th Misec presentation (Tazdrumm3r)
A low-interaction honeypot was deployed in multiple cloud environments. Various malware samples were captured, including Conficker and other viruses. Analysis of IP addresses and packet captures revealed attempts to exploit Microsoft SQL Server, Windows shares, and RDP ports. The diverse environments allowed collection of malware from around the world.
The document discusses reverse engineering the firmware of Swisscom's Centro Grande modems. It identifies several vulnerabilities found, including a command overflow issue that allows complete control of the device by exceeding the input buffer, and multiple buffer overflow issues that can be exploited to execute code remotely by crafting specially formatted XML files. Details are provided on the exploitation techniques and timeline of coordination with Swisscom to address the vulnerabilities.
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols (PROIDEA)
There are plenty of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all: binary TCP connections unlike anything else, impossible to handle with a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Yet, based on our experience, it very often hides a shameful secret: completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case-studies - most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
The document summarizes the process of exploiting vulnerabilities in a university WiFi network to gain unauthorized access. It describes initially monitoring the network to find user credentials stored in plaintext in packet captures. It then explains how to impersonate a legitimate user by spoofing MAC addresses and setting browser cookies to gain access to other sites like Orkut without compromising accounts. Potential issues with the approach and possibilities for further exploitation are also mentioned.
This document discusses security assessments of 4G mobile networks. It introduces the presenters and provides an overview of 4G network architecture and potential vulnerabilities, including at the radio access network level and GPRS Tunnelling Protocol. Examples of attacks like GTP "synfloods" are mentioned. The document advocates working with mobile operators to identify and address security issues for the benefit of subscribers.
This document provides an overview of setting up an Intel IoT Developer Kit including the hardware components, installing software, and running sample codes. It discusses the Galileo and Edison boards, microSD cards, IDEs, MRAA and UPM libraries, and connecting devices. It also demonstrates how to set up environments for C/C++ with Eclipse, JavaScript with XDK, and Arduino, and describes where to find documentation and sample codes for getting started with the kits and sensors.
D1 T1 T. Yunusov, K. Nesterov - Bootkit via SMS (qqlan)
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of the telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for vulnerabilities that could be exploited remotely, via the IP or radio network.
The results were not long in coming. In some cases we managed to attack SIM cards and install a malicious Java applet there, we were able to remotely update USB modem firmware, to change the password on a self-care portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped us understand how a simple SMS can be used as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that the modem is connected to.
This document summarizes an ESP8266+Arduino workshop that demonstrates connecting an ESP8266 WiFi module to Arduino and programming it to create WiFi networks and access the internet. The workshop shows how to communicate with the ESP8266 using AT commands over serial, program it using the Arduino IDE, and use it as a web server and client. Code examples are provided to retrieve sensor data using a DHT11 and send it to a cloud database using the ESP8266's WiFi connection.
The document provides information about various interactive art and electronics projects from 2007-2009. It includes schedules and descriptions of workshops, summaries of projects using tools like Gainer I/O, Arduino, and Processing to control physical inputs and outputs. Code snippets are provided showing how to read sensor values and control outputs like LEDs and sound. Overall it discusses using technology like accelerometers, potentiometers, and buttons to create interactive art installations and performances.
The document provides an overview of network security topics including SIEM, logs, NetFlow, web logs, and compliance standards. It discusses how SIEM systems aggregate and correlate log/event data from multiple sources to provide security monitoring, incident response, forensic analysis and compliance reporting capabilities. Specific topics covered include syslog, NetFlow for network monitoring, and examples of web server logs and the types of data that can be extracted from logs for security purposes. Compliance standards like PCI-DSS and SOX are also mentioned in relation to why log collection and monitoring is important for audit requirements.
Smartphones, tablets, TVs, cars and smartwatches: Android is everywhere enabling users and developers with rich set of applications, libraries and services. Android Things brings such a power to virtually any object, any “thing”: using a low-cost (yet powerful) board, developer can add intelligence and connectivity to home, industries, vehicles and even medical appliances. This presentation introduces practical concepts around the Android Things platform and how to have fun with it.
The document discusses Terracotta VPN, a VPN service operated from China that has been used to anonymize cyber attacks. It was discovered when threat analysts found a hacked server being used to control a backdoor. Investigation revealed over two dozen compromised servers enlisted as nodes for Terracotta VPN. A month of logs from one node showed over 118,000 connections, mostly from China. The document explains how Terracotta VPN works, encrypting traffic but sending credentials in clear text, and why it was named after terracotta pots that can be easily cracked.
"Attacking industrial remote controllers for fun and profit" - Dr. Marco Bald...PROIDEA
Radio-frequency (RF) remote controllers are widely used in multiple industrial applications like manufacturing, construction and transportation. Cranes, drillers and diggers, among others, are commonly equipped with RF controllers, which have become the weakest link in safety-critical IIoT applications. Our security assessment revealed a lack of important security features at different levels, with vendors using obscure proprietary protocols instead of standards. As a consequence, this technology appeared to be vulnerable to attacks like replay, command injection, e-stop abuse, malicious repairing and reprogramming. Together with ZDI, we ran into a 6-months responsible disclosure process and then released 10 security advisories. In this presentation, we share the findings of our research and make use of demos to discuss the problems in detail. We conclude providing recommendations for all parties involved in the life-cycle of these devices, from vendors to users and system integrators.
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...Felipe Prado
This document discusses exploiting Qualcomm WLAN and modem chips over-the-air. It begins with introductions to the researchers and Tencent Blade Team. It then outlines the agenda and provides background on Qualcomm chips, including the WLAN firmware, modem firmware loading process, and attack surfaces. It details a vulnerability in the WLAN firmware that allows overwriting memory and escalating privileges to the modem and kernel. It demonstrates exploiting this vulnerability over-the-air to achieve remote code execution on Android devices. The document concludes with discussions on stability of exploitation and delivering payloads across different devices.
This document contains an agenda and notes from a workshop or conference on May 24, 2008. It includes a schedule with 4 sessions between 10:00-18:30 covering topics like Gainer I/O, LEDs, controlling outputs with buttons and LFOs, and using Processing with Funnel and Minim. Notes describe code examples for controlling LEDs with mouse input, buttons, and LFOs. Other topics mentioned include scopes, 3D rendering, audio, and sketches as quick, inexpensive ways to explore and prototype ideas rather than confirm them. References are made to related books on physical computing, Processing, and Gainer.
- The document discusses various Linux system log files such as /var/log/messages, /var/log/secure, and /var/log/cron and provides examples of log entries.
- It also covers log rotation tools like logrotate and logwatch that are used to manage log files.
- Networking topics like IP addressing, subnet masking, routing, ARP, and tcpdump for packet sniffing are explained along with examples.
APNIC Senior Security Specialist Adli Wahid presented on the APNIC Honeynet Project, interesting observations, mitigation and multistakeholder collaboration at Threat Con 2021, held online from 8 to 11 September 2021.
OSTU - Sake Blok on Packet Capturing with TsharkDenny K
Sake Blok, a Wireshark/Ethereal devotee since 1999, works as a Research & Development Engineer for ion-ip in the Netherlands (http://www.ionip.com) . His company provides solutions to customers who want to deliver their applications to users in a fast, secure, efficient and scalable manner. Sake\'s main focus is to take new products for a spin in their test environment, design custom solutions for customers and troubleshoot the problems customers might encounter while using ion-ip solutions. Two years ago (2006), Sake started to add the functionality he was missing to Wireshark. He also started to fix Wireshark-bugs that were reported on Bugzilla. This work on Wireshark resulted in an invitation from Gerald Combs to join the Wireshark Core Development Team in 2007.
UPC router reverse engineering - case studyDusan Klinec
Security analysis of the UPC UBEE EVW3226 router, reverse engineering, WPA2 password generation algorithm. Statistic analysis of the password generation function is provided. Results from the wardriving.
Ripe71 FastNetMon open source DoS / DDoS mitigationPavel Odintsov
This document describes FastNetMon, an open source DDoS mitigation toolkit. It provides concise summaries of network traffic and detects DDoS attacks in real-time. It can block malicious traffic through methods like BGP announcements. FastNetMon supports many Linux distributions and can integrate with hardware/cloud solutions. It detects attacks faster than traditional hardware/service approaches through optimized packet capture using tools like Netmap and PF_RING.
Honeypots - November 8th Misec presentationTazdrumm3r
A low-interaction honeypot was deployed in multiple cloud environments. Various malware samples were captured, including Conficker and other viruses. Analysis of IP addresses and packet captures revealed attempts to exploit Microsoft SQL Server, Windows shares, and RDP ports. The diverse environments allowed collection of malware from around the world.
The document discusses reverse engineering the firmware of Swisscom's Centro Grande modems. It identifies several vulnerabilities found, including a command overflow issue that allows complete control of the device by exceeding the input buffer, and multiple buffer overflow issues that can be exploited to execute code remotely by crafting specially formatted XML files. Details are provided on the exploitation techniques and timeline of coordination with Swisscom to address the vulnerabilities.
CONFidence 2014: Jakub Kałużny: Shameful secrets of proprietary protocols (PROIDEA)
There is a big bunch of tools offering HTTP/SSL traffic interception. However, when it comes to penetration tests of specialized embedded software or thick clients, we often encounter proprietary protocols with no documentation at all: binary TCP connections unlike anything else, impossible to adapt to a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. Though, based on our experience, it very often hides a shameful secret: completely unsecured mechanisms breaking all secure coding practices.
To demonstrate, we will show a few case studies, the most interesting examples from real-life industry software, which in our opinion are a quintessence of "security by obscurity". We will challenge the security of proprietary protocols in pull printing solutions, FOREX trading software, remote desktops and home automation technologies.
The document summarizes the process of exploiting vulnerabilities in a university WiFi network to gain unauthorized access. It describes initially monitoring the network to find user credentials stored in plaintext in packet captures. It then explains how to impersonate a legitimate user by spoofing MAC addresses and setting browser cookies to gain access to other sites like Orkut without compromising accounts. Potential issues with the approach and possibilities for further exploitation are also mentioned.
This document discusses security assessments of 4G mobile networks. It introduces the presenters and provides an overview of 4G network architecture and potential vulnerabilities, including at the radio access network level and GPRS Tunnelling Protocol. Examples of attacks like GTP "synfloods" are mentioned. The document advocates working with mobile operators to identify and address security issues for the benefit of subscribers.
This document provides an overview of setting up an Intel IoT Developer Kit including the hardware components, installing software, and running sample codes. It discusses the Galileo and Edison boards, microSD cards, IDEs, MRAA and UPM libraries, and connecting devices. It also demonstrates how to set up environments for C/C++ with Eclipse, JavaScript with XDK, and Arduino, and describes where to find documentation and sample codes for getting started with the kits and sensors.
D1 T1 T. Yunusov, K. Nesterov - Bootkit via SMS (qqlan)
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
The presentation shows the results of the audits carried out on Smart TV devices (LG 43uf6407, SAMSUNG UE32F5500AW, Panasonic TX-40CX680E) and the OKI SB Media Player 1g sound bar. During the workshop, information leaks in response headers, exposed services and outdated components were observed. In the case of the OKI sound bar and all the InOut TV media centers, the security shortcomings are pronounced, since they run services such as XAMPP with default credentials; combined with the lack of updates, this poses a potential risk. During the audit, traffic was also captured, and in some cases the Smart TV sent the full list of tuned channels and the order in which they are sorted.
Rete di casa e raspberry pi - Home network and Raspberry Pi (Daniele Albrizio)
The document discusses setting up a Raspberry Pi 3 to improve home network privacy and security. It describes installing Kali Linux on the Raspberry Pi and configuring it with NAT, DHCP, and an access point to monitor network traffic. It also covers using Pi-hole for ad blocking and tools like Wireshark for sniffing and analyzing traffic patterns on the home network. The goal is to gain more visibility and control over devices connected to the network to limit information leakage and unauthorized behavior.
Cracking Into Embedded Devices - HACK.LU 2K8 (guest441c58b71)
The document discusses offensive techniques for compromising embedded devices, focusing on exploiting vulnerabilities in HTTP, UPnP, SNMP, and Wi-Fi to gain remote access. Many examples are provided of specific devices that were compromised through bugs like cross-site request forgery, privilege escalation flaws, and password leaks. The goal of the research is to show how embedded devices are easier to hack than general purpose systems and can be used as stepping stones into internal corporate networks.
2014 09 12 Dia Programador Session Materials (Bruno Capuano)
Materials used during the virtual Programmer's Day event in Córdoba. It covers topics such as USB hacking, app development with Leap Motion, working with Arduinos, Kinect V2, face recognition, and app development for Lego Mindstorms EV3.
Presented at LISA18: https://www.usenix.org/conference/lisa18/presentation/babrou
This is a technical dive into how we used eBPF to solve real-world issues uncovered during an innocent OS upgrade. We'll see how we debugged a 10x CPU increase in Kafka after a Debian upgrade and what lessons we learned. We'll go from high-level effects like increased CPU, to flamegraphs showing where the problem lies, to tracing timers and function calls in the Linux kernel.
The focus is on tools that operational engineers can use to debug performance issues in production. This particular issue happened at Cloudflare on a Kafka cluster doing 100Gbps of ingress and many multiples of that in egress.
BSides London 2015 - Proprietary network protocols - risky business on the wire (Jakub Kałużny)
When speed and latency count, there is no place for the standard HTTP/SSL stack, and a wise head comes up with a proprietary network protocol. How to deal with embedded software or thick clients using protocols with no documentation at all? Binary TCP connections unlike anything else, impossible to adapt to a well-known local proxy. Without disassembling the protocol, pentesting the server backend is very limited. However, when you dive inside this traffic and reverse-engineer the communication inside, you are there. Welcome to a world full of home-grown cryptography, revertible hash algorithms and no access control at all.
We would like to present our approach and a short guideline on how to reverse engineer proprietary protocols. To demonstrate, we will show you a few case studies, which in our opinion are a quintessence of "security by obscurity": the most interesting examples from real-life financial industry software, which is a particularly risky business regarding security.
21. Methodology
• Taipei from March 23 - July 23, 2015
• Munich from April 22 - June 22
• URL / credential randomly pushed on Shodan and Pastebin
• Faked identity, Avatar
– Facebook
– Dyndns
– Skype
– private documents in WDCloud
29. D-Link DCS-931L IPCAM
• No more “blank” password. Set to 123456.
• My D-Link cloud service
– I failed to enable it.
• Firmware 1.02 vulnerabilities
– CVE 2015-2048 CSRF to hijack authentication
– CVE 2015-2049 Unrestricted file upload to execute
• /video.cgi + admin:123456
• “Peeped” only two times. They went to port 8080 directly, without trying port 80.
• Maybe they used Shodan in advance.
30. D-Link DCS-931L IPCAM (2)
142.218.137.94.in-addr.arpa. 3600 IN PTR 94-137-218-142.pppoe.irknet.ru.
110.199.137.94.in-addr.arpa. 3600 IN PTR 94-137-199-110.pppoe.irknet.ru.
With a browser:
Jun 2, 2015 22:29:28.754491000 CST 94.137.218.142 8457 192.168.42.11 80 HTTP/1.1 GET /aview.htm
Jun 2, 2015 22:29:32.464749000 CST 94.137.218.142 8458 192.168.42.11 80 HTTP/1.1 GET /aview.htm
Jun 2, 2015 22:29:33.393077000 CST 94.137.218.142 8464 192.168.42.11 80 HTTP/1.1 GET /dlink.css?cidx=1.022013-07-15
Jun 2, 2015 22:29:33.399200000 CST 94.137.218.142 8467 192.168.42.11 80 HTTP/1.1 GET /security.gif
Jun 2, 2015 22:29:33.403489000 CST 94.137.218.142 8465 192.168.42.11 80 HTTP/1.1 GET /devmodel.jpg?cidx=DCS-931L
Jun 2, 2015 22:29:33.410560000 CST 94.137.218.142 8463 192.168.42.11 80 HTTP/1.1 GET /function.js?cidx=1.022013-07-15
Jun 2, 2015 22:29:33.411512000 CST 94.137.218.142 8466 192.168.42.11 80 HTTP/1.1 GET /title.gif
Jun 2, 2015 22:29:35.241203000 CST 94.137.218.142 8471 192.168.42.11 80 HTTP/1.1 GET /favicon.ico
Jun 2, 2015 22:29:35.474530000 CST 94.137.218.142 8474 192.168.42.11 80 HTTP/1.0 GET /dgh264.raw
Jun 2, 2015 22:29:35.495830000 CST 94.137.218.142 8473 192.168.42.11 80 HTTP/1.0 GET /dgaudio.cgi
Jun 2, 2015 22:29:36.470095000 CST 94.137.218.142 8475 192.168.42.11 80 HTTP/1.0 GET /dgh264.raw
Jun 2, 2015 22:29:36.516931000 CST 94.137.218.142 8476 192.168.42.11 80 HTTP/1.0 GET /dgaudio.cgi
Jun 7, 2015 21:23:43.888173000 CST 94.137.199.110 40454 192.168.42.11 80 HTTP/1.1 GET /video.cgi
Got an attack aimed at TP-Link, but sorry, it's a D-Link ...
(TP-Link Multiple Vuln, CVE-2013-2572, CVE-2013-2573)
31. Philips Hue
• Hacking Lightbulbs Hue (Dhanjani, 2013)
• MeetHue: Getting Started
• Port 30000 malicious takeover
Hourly traffic
• HTTP/1.0 POST /DcpRequestHandler/index.ashx (per bulb per hour)
• HTTP/1.0 POST /DevicePortalICPRequestHandler/RequestHandler.ashx
• HTTP/1.1 POST /queue/getmessage?duration=180000&…
OTA Firmware update
• HTTP/1.0 GET /firmware/BSB001/1023599/firmware_rel_cc2530_encrypted_stm32_encrypted_01023599_0012.fw
33. Philips Hue (3)
• API user as in official tutorial
curl -X PUT -d '{"on": true}'
http://114.34.182.36:80/api/newdeveloper/groups/0/action
• No one has tried the Philips Hue API, even though we leaked the newdeveloper API username on Pastebin.
• Three people visited its homepage, and took no further actions.
• We forgot to forward port 30000 until June 18.
• For the broadcast UDP port 1900, we have set an iptables rule, but we're not sure if it's the right way.
34. LIFX
• Discovery protocol in UDP port 56700
• Controlling stream in TCP port 56700
• Official cloud API: http://developer.lifx.com/
• Current API: 2.0
– Official API 2.0 Doc: https://github.com/LIFX/lifx-protocol-docs
• Maintains a keep-alive connection to the LIFX cloud API.
• Once it gets “turn on” over TCP, it broadcasts the message via UDP to the local bulbs.
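The slide only names the ports; to make the UDP 56700 traffic readable from the honeypot side, here is an added example (written for this page, not code from the talk or from LIFX) that decodes the 36-byte LIFX LAN header as documented in the protocol docs linked above and labels each datagram as discovery, bulb state reply, query or control. The sample packets at the bottom are constructed with the included builder, the MAC prefix and source id are made up, and the message-type table is limited to the handful of types a honeypot operator would care about.

```python
import struct

HEADER_LEN = 36          # frame (8) + frame address (16) + protocol header (12)
LIFX_PROTOCOL = 1024     # fixed value of the 12-bit protocol field in the frame

# Message types from the public LIFX LAN protocol docs (subset).
TYPE_NAMES = {
    2: "GetService", 3: "StateService",
    20: "GetPower", 21: "SetPower", 22: "StatePower",
    101: "LightGet", 102: "LightSetColor", 107: "LightState",
    116: "LightGetPower", 117: "LightSetPower", 118: "LightStatePower",
}
CONTROL_TYPES = {21, 102, 117}     # messages that change bulb state
STATE_TYPES = {3, 22, 107, 118}    # replies sent by bulbs


def build_message(msg_type, payload=b"", tagged=False, target=bytes(8),
                  source=0x4C494658, seq=0, ack_required=False, res_required=False):
    """Build a LIFX LAN packet (header + payload); used here only to construct samples."""
    size = HEADER_LEN + len(payload)
    flags = LIFX_PROTOCOL | 0x1000 | (0x2000 if tagged else 0)   # addressable=1, tagged bit 13
    frame = struct.pack("<HHI", size, flags, source)
    addr_flags = (0x02 if ack_required else 0) | (0x01 if res_required else 0)
    frame_address = target + bytes(6) + bytes([addr_flags, seq & 0xFF])
    protocol_header = bytes(8) + struct.pack("<HH", msg_type, 0)
    return frame + frame_address + protocol_header + payload


def parse_header(pkt):
    """Decode the 36-byte header; raises ValueError on truncated input."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than LIFX header")
    size, flags, source = struct.unpack_from("<HHI", pkt, 0)
    target = pkt[8:16]
    addr_flags, seq = pkt[22], pkt[23]
    (msg_type,) = struct.unpack_from("<H", pkt, 32)
    return {
        "size": size,
        "protocol": flags & 0x0FFF,
        "addressable": bool(flags & 0x1000),
        "tagged": bool(flags & 0x2000),
        "source": source,
        "target": ":".join(f"{b:02x}" for b in target[:6]),
        "ack_required": bool(addr_flags & 0x02),
        "res_required": bool(addr_flags & 0x01),
        "sequence": seq,
        "type": msg_type,
        "type_name": TYPE_NAMES.get(msg_type, f"unknown({msg_type})"),
        "payload": pkt[HEADER_LEN:size],
    }


def classify(pkt):
    """Label one UDP/56700 datagram: discovery, control, state, query or not-lifx."""
    try:
        h = parse_header(pkt)
    except ValueError:
        return "not-lifx"
    if h["protocol"] != LIFX_PROTOCOL or not h["addressable"] or h["size"] != len(pkt):
        return "not-lifx"
    if h["type"] == 2:
        return "discovery"
    if h["type"] in CONTROL_TYPES:
        return "control"
    if h["type"] in STATE_TYPES:
        return "state"
    return "query"


def count_kinds(packets):
    counts = {}
    for p in packets:
        kind = classify(p)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


BULB = bytes.fromhex("d073d5000001") + bytes(2)   # constructed target MAC, padded to 8 bytes

# Constructed sample datagrams (not a capture from the honeypot):
SAMPLE_PACKETS = [
    build_message(2, tagged=True, res_required=True),                 # discovery broadcast
    build_message(3, struct.pack("<BI", 1, 56700), target=BULB),      # StateService reply
    build_message(117, struct.pack("<HI", 65535, 0), target=BULB, seq=7),  # LightSetPower on
    b"\x00" * 20,                                                     # junk on the same port
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(classify(p))
    print(count_kinds(SAMPLE_PACKETS))
```

Feeding a real pcap's UDP/56700 payloads through `classify` separates the bulbs' own chatter (discovery and state) from control messages, which is the set worth alerting on when they do not come from the bridge or app you expect.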
38. Nintendo Wii U
• Quite safe
• No open port while standing by and playing
• Regular phone-home for OTA
HTTP/1.1 GET /pushmore/r/8298800e4375f7108b2bf823addaf70d
• So we decided to remove it from research
– Euh, not really.
We removed the device in July.
39. Google Broken (?) Glass
• A noisy source, but mostly /generate_204
• # nmap -sU 192.168.43.54, and it got disconnected from WiFi.
• A lot of open ports: TCP 8873, TCP 44014, etc.
• Removed from research. Maybe next time.
40. WDCloud 2TB
• Lots of traffic, including ARP broadcasting, SSDP M-SEARCH, SSDP NOTIFY
• Mostly from the embedded Twonky Media Server, which pings the iRadio and IPCam on the LAN
• SSH, SMB, HTTP
• Beyond what you can expect from a NAS (?)
41. WDCloud 2TB (2)
• Phones home
24 0.936172 192.168.186.18 -> 54.186.91.233 HTTP
GET /rest/nexus/onlineStatus?tsin=WD01 HTTP/1.1
341 12.629990 192.168.186.18 -> 54.186.91.233 HTTP
GET /rest/nexus/registerDevice?ip_internal=192.168.186.18 ...
5337 3302.850595 192.168.186.18 -> 54.68.185.97 HTTP
GET /rest/nexus/ipCheck HTTP/1.1
18195 780.084983 192.168.186.18 -> 129.253.55.203 HTTP
GET /nas/list.asp?devtype=sq&devfw=04.01.03-421&devlang=eng&devsn=&auto=1 HTTP/1.1
164167 1770.338099 192.168.186.18 -> 129.253.8.107 HTTP
GET /api/1.0/rest/remote_access_status/2208751 HTTP/1.1
42. WDCloud 2TB (3)
• Noisy Twonky Media Server
2584 32.926206 192.168.186.18 -> 192.168.186.46 HTTP
GET /rootDesc.xml HTTP/1.1
332562 3489.183064 192.168.186.18 -> 192.168.186.46 HTTP/XML
POST / HTTP/1.1
The IPCam returns 500 Internal Server Error when asked to DeletePortMapping, so WD bothers it every hour.
To iRadio (subscribed once)
38907 529.893728 192.168.186.18 -> 192.168.186.50 HTTP
GET /dd.xml HTTP/1.1
38924 529.978422 192.168.186.18 -> 192.168.186.50 HTTP
GET /AVTransport/scpd.xml HTTP/1.1
38956 530.107191 192.168.186.18 -> 192.168.186.50 HTTP
GET /ConnectionManager/scpd.xml HTTP/1.1
38970 530.187170 192.168.186.18 -> 192.168.186.50 HTTP
GET /RenderingControl/scpd.xml HTTP/1.1
44. WDCloud 2TB (5)
• Directly from WDC.Com (port_test and returns deviceID)
129317 3094.970315 129.253.8.24 -> 192.168.186.18 HTTP
GET /api/1.0/rest/port_test?format=xml HTTP/1.1
• Phones home (over HTTPS, and we didn't MITM it)
11159 123.071890 192.168.186.18 -> 129.253.8.107 TCP
57021→443 [ACK] Seq=1302534518 Ack=2477249199 Win=17424 Len=0
• Tons of people trying to guess the SSH password
3307 1300.264326 205.185.102.90 -> 192.168.186.18 SSHv2
Client: Key Exchange Init
45. AppleTV
• Port 7000 from Mac
• iphone-sync port 62078
“In a nutshell, a service named lockdownd sits and listens on the iPhone
on port 62078. By connecting to this port and speaking the correct
protocol, it’s possible to spawn a number of different services on an
iPhone or iPad.” (http://www.zdziarski.com/blog/?p=2345)
• 360, Shodan, and unknown source from many countries
scanned port 5000 (not open), 7000, 62078
• No other incoming connections
• Phone home (https://support.apple.com/ja-jp/HT202944)
17.130.254.28 TCP 54 0x9a8d (39565) 49416→443
17.130.254.23 TCP 54 0x9a8d (39565) 49416→5223 iCloud DAV service
51. Samsung SmartCam
• 2013-3964 URI XSS Vulnerability
• Samsung Electronics default password
root/root
admin/4321
• Only script kiddies, no one even tried root/root
52. Samsung SmartCam (2)
• Brainless scanning like
9103 2881.778773 183.60.48.25 -> 192.168.186.46 HTTP
GET http://www.baidu.com/ HTTP/1.1
2086 1310.725002 50.16.184.158 -> 192.168.186.46 HTTP
GET /languages/flags/ptt_bbrr.gif HTTP/1.1
4792 1376.142669 88.217.137.70 -> 192.168.186.46 HTTP
GET /jmx-console HTTP/1.1
• Named probes
1442 925.665117 212.34.129.217 -> 192.168.186.46 HTTP
GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1
53. iMac
• Open ports: SSH
• Several fake documents with personal identities
• Traffic to Apple: upgrades, Apple store
• Port 22 is probed nearly every day …
– April 24, port 22 probed by 222.184.24.6 (CN)
– April 25, port 22 probed by 80.138.250.177 (DE)
– April 28, 222.186.42.171 (Jiangsu, CN) tried to log in and played around for 11.5 mins
– April 29, probed by Shodan :)
– May 16, 45.34.102.240 tried to brute force SSH.
– May 20, 223.94.94.117 tried to brute force SSH.
55. iRadio
• No open ports, so just a decoration
• Gets token from Grundig
• Listens to MPG streaming audio
• Pinged by WDCloud Twonky for UPnP AV DCP
https://technet.microsoft.com/zh-tw/ms890335
• Many zero-length packets to rfe2b-r1.alldigital.net on April 30.
• Otherwise it's very quiet.
19227 179.258446 192.168.186.50 -> 162.249.57.151 TCP
50044→8000 [RST, ACK] Seq=7037960 Ack=2828210800 Win=16384 Len=0
56. Attacks?
• Mostly script kiddies
• Not hacked (so far)
• Only one guy peeped at the D-Link IPCam, once in 4 months
58. Attacks – Script Kiddies (1)
vtigercrm attack (target: Vtiger)
• Mar 12, 2015 15:06:32.614481000 CST 217.160.180.27 51048 HTTP/1.1 GET /vtigercrm/test/upload/vtigercrm.txt
• Mar 12, 2015 19:28:40.635673000 CST 177.69.137.97 36571 HTTP/1.1 GET //vtigercrm/matrix.php?act=f&f=sip_additional.conf&d=%2Fetc%2Fasterisk
59. Attacks – Script Kiddies (2)
Finding Proxy (mostly from China)
• Mar 12, 2015 17:25:11.681911000 CST 222.186.128.52 3125 HTTP/1.1 GET http://www.baidu.com/
• Mar 13, 2015 00:00:01.669619000 CST 61.157.96.80 43134 HTTP/1.1 GET http://www.so.com/?rands=_68203491282038869815136
60. Attacks – Script Kiddies (3)
Linksys Router Vulnerability
For E Series Router
• Mar 13, 2015 08:59:41.790785000 CST 149.129.49.120 35675 HTTP/1.1 GET /tmUnblock.cgi
For older Linksys
• Mar 18, 2015 23:02:11.820423000 CST 114.216.84.142 1998 HTTP/1.1 GET /HNAP1/
• Mar 19, 2015 00:43:37.161583000 CST 62.24.91.163 49246 HTTP/1.1 GET /HNAP1/
61. Attacks – Script Kiddies (4)
Tomcat manager exploit (CVE-2009-3843)
• Mar 14, 2015 12:28:48.344370000 CST 119.167.227.55 4308 HTTP/1.1 GET /manager/html
• Mar 21, 2015 05:57:23.279693000 CST 61.160.211.56 2948 HTTP/1.1 GET /manager/html
62. Attacks – Script Kiddies (5)
Morpheus Scans
• Mar 15, 2015 04:08:36.934818000 CST 118.98.104.21 59420 HTTP/1.1 GET /user/soapCaller.bs
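The request logs on slide 30 (the D-Link camera "peep") and on slides 52 and 58 to 62 (the script-kiddie probes) are the raw material for the talk's conclusion, so here is an added example (my code, not the authors' analysis script) that turns those log lines into the same verdicts: a signature table built only from the probe URIs the slides show, plus a per-source summary that distinguishes a visitor who opened the camera's web UI and then pulled the stream (browser-style, like the Jun 2 session) from one that went straight to /video.cgi (the Jun 7 hit). The sample lines are copied from the slides; both line shapes used on the slides (with and without destination IP/port) are parsed.

```python
import re
from collections import defaultdict

# Matches both line shapes on the slides:
#   "Jun 2, 2015 22:29:28.754491000 CST 94.137.218.142 8457 192.168.42.11 80 HTTP/1.1 GET /aview.htm"
#   "Mar 12, 2015 15:06:32.614481000 CST 217.160.180.27 51048 HTTP/1.1 GET /vtigercrm/..."
REQ_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} [\d:.]+) CST (?P<src>[\d.]+) (?P<sport>\d+) "
    r"(?:(?P<dst>[\d.]+) (?P<dport>\d+) )?(?P<ver>HTTP/\d\.\d) (?P<method>[A-Z]+) (?P<uri>\S+)$"
)

# Signature table built only from the probe URIs shown on the slides.
SIGNATURES = [
    (re.compile(r"^https?://", re.I),        "open-proxy-probe"),     # GET http://www.baidu.com/
    (re.compile(r"/vtigercrm/", re.I),       "vtiger-exploit"),
    (re.compile(r"/tmUnblock\.cgi", re.I),   "linksys-e-series"),
    (re.compile(r"^/HNAP1/", re.I),          "hnap-probe"),           # older Linksys
    (re.compile(r"^/manager/html", re.I),    "tomcat-manager"),       # CVE-2009-3843 on slide 61
    (re.compile(r"/soapCaller\.bs", re.I),   "morpheus-scan"),
    (re.compile(r"w00tw00t", re.I),          "named-scanner-probe"),  # w00tw00t.at.ISC.SANS.DFind
    (re.compile(r"^/jmx-console", re.I),     "jmx-console-probe"),
]
# D-Link DCS-931L endpoints from slide 30: the web UI page and the actual A/V streams.
CAM_UI = {"/aview.htm"}
CAM_STREAM = {"/video.cgi", "/dgh264.raw", "/dgaudio.cgi"}


def classify_request(uri):
    path = uri.split("?", 1)[0]
    if path in CAM_STREAM:
        return "camera-stream"
    if path in CAM_UI:
        return "camera-ui"
    for pattern, label in SIGNATURES:
        if pattern.search(uri):
            return label
    return "other"


def parse_request(line):
    m = REQ_RE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines):
    """Per source IP: labels seen, whether a camera stream was pulled, and how
    (via the web UI like a browser, or straight to the stream endpoint)."""
    per_src = defaultdict(set)
    for line in lines:
        r = parse_request(line)
        if r:
            per_src[r["src"]].add(classify_request(r["uri"]))
    report = {}
    for src, labels in per_src.items():
        peeped = "camera-stream" in labels
        mode = None
        if peeped:
            mode = "browser" if "camera-ui" in labels else "direct"
        report[src] = {"labels": sorted(labels), "peeped": peeped, "mode": mode}
    return report


# Sample log lines copied from slides 30 and 58-62.
SAMPLE_LINES = [
    "Jun 2, 2015 22:29:28.754491000 CST 94.137.218.142 8457 192.168.42.11 80 HTTP/1.1 GET /aview.htm",
    "Jun 2, 2015 22:29:33.393077000 CST 94.137.218.142 8464 192.168.42.11 80 HTTP/1.1 GET /dlink.css?cidx=1.022013-07-15",
    "Jun 2, 2015 22:29:35.474530000 CST 94.137.218.142 8474 192.168.42.11 80 HTTP/1.0 GET /dgh264.raw",
    "Jun 7, 2015 21:23:43.888173000 CST 94.137.199.110 40454 192.168.42.11 80 HTTP/1.1 GET /video.cgi",
    "Mar 12, 2015 15:06:32.614481000 CST 217.160.180.27 51048 HTTP/1.1 GET /vtigercrm/test/upload/vtigercrm.txt",
    "Mar 12, 2015 17:25:11.681911000 CST 222.186.128.52 3125 HTTP/1.1 GET http://www.baidu.com/",
    "Mar 13, 2015 08:59:41.790785000 CST 149.129.49.120 35675 HTTP/1.1 GET /tmUnblock.cgi",
    "Mar 18, 2015 23:02:11.820423000 CST 114.216.84.142 1998 HTTP/1.1 GET /HNAP1/",
    "Mar 14, 2015 12:28:48.344370000 CST 119.167.227.55 4308 HTTP/1.1 GET /manager/html",
    "Mar 15, 2015 04:08:36.934818000 CST 118.98.104.21 59420 HTTP/1.1 GET /user/soapCaller.bs",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LINES).items():
        print(src, info)
```

Everything that lands in a signature bucket is the mass-scanning background the talk calls script kiddies; the sources worth a second look are the ones whose labels are mostly "other" or that reach the camera-specific endpoints.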
74. Recap
• Mostly script kiddies
– OK, only 1 peeping. Thanks to him/her.
• No serious IoT hackers
– Scripts for popular IPCams, yes.
– Targeted at low-hanging fruit.
• Very hard to meet those who want to play
75. Backed by Real Devices?
• Pros
– Shodan thinks it's not a honeypot
– Correct response, correct action
– Hackers know how to identify a Conpot
• Cons
– Scalability
• Future works
– Route many IPs to one lab
– Rewrite at layer 7 to change serial numbers and other footprints
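The last future-work item, rewriting responses at layer 7 so that one physical device can serve many IPs without exposing the same serial number to every scanner, is the kind of thing that is easy to get subtly wrong (a changed body with a stale Content-Length breaks the client). Here is an added example of the rewrite step (my code, not part of the authors' setup): each client IP gets a deterministic fake serial derived with HMAC from a honeypot-side secret, so repeat visits look consistent, and Content-Length is recomputed when the body changes. The sample response, serial and secret are constructed placeholders; the firmware string is the one visible in the slide's list.asp query.

```python
import hashlib
import hmac
import re

CONTENT_LENGTH_RE = re.compile(rb"(?im)^(content-length:[ \t]*)(\d+)")


def fake_serial(real_serial, client_ip, secret):
    """Per-client fake serial: the same scanner always sees the same value,
    different scanners see different ones, and nobody sees the real one."""
    mac = hmac.new(secret, f"{real_serial}|{client_ip}".encode(), hashlib.sha256).hexdigest()
    return "WX" + mac[:12].upper()      # constructed format, not the vendor's real serial scheme


def rewrite_response(raw, real_serial, client_ip, secret):
    """Replace the device serial in an HTTP response body and fix Content-Length.
    Messages without a complete header block are passed through untouched."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw
    replacement = fake_serial(real_serial, client_ip, secret).encode()
    new_body = body.replace(real_serial.encode(), replacement)
    if new_body != body:
        head = CONTENT_LENGTH_RE.sub(
            lambda m: m.group(1) + str(len(new_body)).encode(), head, count=1)
    return head + sep + new_body


def content_length(raw):
    """Parsed Content-Length of a response, or None if the header is absent."""
    m = CONTENT_LENGTH_RE.search(raw.partition(b"\r\n\r\n")[0])
    return int(m.group(2)) if m else None


# Constructed sample: a device-info response in the style of the NAS REST API on
# the slides. Serial and secret are placeholders, not values from the honeypot.
REAL_SERIAL = "WDSN-PLACEHOLDER-0001"
SECRET = b"honeypot-rewrite-key-placeholder"
BODY = (b'<?xml version="1.0"?><device><serial_number>' + REAL_SERIAL.encode()
        + b"</serial_number><fw>04.01.03-421</fw></device>")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nContent-Length: "
                   + str(len(BODY)).encode() + b"\r\n\r\n" + BODY)

if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.9"):
        out = rewrite_response(SAMPLE_RESPONSE, REAL_SERIAL, ip, SECRET)
        print(ip, fake_serial(REAL_SERIAL, ip, SECRET), content_length(out))
```

In a real deployment this function would sit in the reverse proxy in front of the device, keyed on the client address the proxy sees, and the same treatment applies to any other identifier the device leaks (MAC in UPnP descriptions, device IDs in API paths).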
77. Philips Hue Port 30000 Takeover
Telnet to port 30000 of the bridge and type:
[Link,Touchlink]
The light should blink a few times to acknowledge the hostile
takeover.
Ref: https://nohats.ca/wordpress/blog/2013/05/26/philips-hue-alternative-for-lamp-stealer/