Invalid MIT-MAGIC-COOKIE-1

Problem

After an OS update including a restart of the system, an error occurs with SSH X11 forwarding. Instead of displaying the windows as usual, “Invalid MIT-MAGIC-COOKIE-1” is displayed in the terminal.

Here is the example. I connect to the Ubuntu with my macOS and get the error message.

┌──[lupin@HackMac]::[~]
└─ % ssh -C4Y lupin@10.0.0.12

lupin@nano4gb:~$ xeyes
Invalid MIT-MAGIC-COOKIE-1 keyError: Can't open display: localhost:10.0
lupin@nano4gb:~$ exit

1st Quick and dirty solution

Since I’m on my own and relatively secure network, I leave XQuartz running in the background, disable access control, reconnect and everything works again.

┌──[lupin@HackMac]::[~]
└─ % xhost +
access control disabled, clients can connect from any host

┌──[lupin@HackMac]::[~]
└─ % ssh -C4Y lupin@10.0.0.12

lupin@nano4gb:~$ xeyes
lupin@nano4gb:~$ exit

This setting is (fortunately) only valid for this one session. As soon as I end the connection, restart XQuartz and establish a new SSH connection, the error message appears again. Anyway a not so nice solution!

2nd Quick and dirty solution

XQuartz offers the possibility to establish the connection without authentication. This solution is permanent and can be set up in the simplest way. Open the XQuartz settings and uncheck the respective checkbox.

Restart XQuartz, establish a new connection.

┌──[lupin@HackMac]::[~]
└─ % xhost
access control enabled, only authorized clients can connect

┌──[lupin@HackMac]::[~]
└─ % ssh -C4Y lupin@10.0.0.12

lupin@nano4gb:~$ xeyes
lupin@nano4gb:~$ exit

Now everything works as usual. But even with this solution I have my doubts! So I undo the setting and restart XQuartz.

3rd Quick and dirty solution

As described in the previous step, I undid the setting and restarted XQuartz. Additionally I allowed local connections in the access control.

┌──[lupin@HackMac]::[~]
└─ % xhost
access control enabled, only authorized clients can connect

┌──[lupin@HackMac]::[~]
└─ % xhost +local:
non-network local connections being added to access control list

┌──[lupin@HackMac]::[~]
└─ % ssh -C4Y lupin@10.0.0.12

lupin@nano4gb:~$ xeyes
lupin@nano4gb:~$ exit

This solution also works but is not permanent and not secure.

What now?

Searching the internet didn’t really help me. Some of the suggested solutions are total nonsense (or I completely misunderstand). I’ve also read the man pages where it even says that the environment variable $DISPLAY should not be changed. With me (also due to the ignorance on my part) the first signs of despair are appearing! Trust me, I deleted also all recommended files, what did not change this situation.

My final Solution

In the end my problem was very easy to solve! I still had entries from already deleted macports in the .zprofile file, which set the local environment variable $DISPLAY. With the restart of my macOS, this export of the environment variable became active again, of course.

┌──[lupin@HackMac]::[~]
└─ % echo $DISPLAY
:0

┌──[lupin@HackMac]::[~]
└─ % vim .zprofile

# I deleted all old macports entries

┌──[lupin@HackMac]::[~]
└─ % sudo reboot

The result after the restart.

┌──[lupin@HackMac]::[~]
└─ % echo $DISPLAY           
/private/tmp/com.apple.launchd.ASpxDkLA98/org.xquartz:0

┌──[lupin@HackMac]::[~]
└─ % ssh -C4Y lupin@10.0.0.12

lupin@nano4gb:~$ xeyes

Everything is all right again. Oh yeah… that was troubleshooting. The good thing is I learned a lot about xhost, xauth plus my own systems.

This Blog is not death

What’s new? I have received various inquiries as to whether this blog is still being maintained. Yes he still will! Currently, however, a lot has changed in my life and through various security settings of my provider I have created a few tutorials directly on GitHub. So here are 2 categories which I would like to introduce to you.

Raspberry PI Tutorial

GitHub Tutorial: Lupin3000/Raspberry-PI-Tutorials

In this GitHub repository you will find instructions on how to use the small development board as a security analysis device. These instructions are simply intended to show which options the Raspberry PI offers and to provide an introduction to the topic of cyber security.

Adafruit Matrix LED

GitHub Tutorial: Lupin3000/AdafruitMatrixLED

I love the Adafruit Matrix LED! With a little python you can achieve everything your heart desires super quickly and easily. To make the start a little easier for you, I’ve created a few examples with Python. You are welcome to use these or (even better) develop them further.

More???

I also started to post some pictures and videos of my work on Instagram … Yes, I have to go with time too. 😉

So if you find the time and feel like it, just drop by these platforms and let yourself be inspired for your projects.

Suitcase’s full of fun

This time I am not writing a tutorial on software. I would like to introduce you to my DIY project here. At a later point in time, however, I will focus on the newly used and partly self-developed software deeper.

Why this little project?

Over the years I have accumulated various electronic devices, cables and lots of other electrical scrap. Always storing it neatly is hell (I hate cardboard or plastic boxes). In addition, I do not live alone and should actually take all other people in the household into account. So I was looking for a better solution for my beloved girlfriend, my dog (who also likes to eat things) and of course my self. In addition, everything should be tidy, ready to hand and mobile. When I then remembered my training as an electrician (especially on my toolbox), it quickly became clear to me which solution would be suitable for me. Different Suitcases made of aluminum (light and stable), where each of them have slightly different scope.

What’s in there?

Actually there are several suitcases with different contents (depending on what I have planned). I would like to show you now, two of my personal favorites here.

Suitcase 1

This called by myself the RadioBox.

Raspberry Pi 4 Model B/8GB
Yardstick One (incl. ANT700 antenna)
Ubertooth One (incl. 2.4 GHz antenna)
ALFA Atheros (AWUS036NHA)
BashBunny + RubberDucky
GL.iNet GL-AR300M (Shadow) Mini VPN Router
Fresh’n’Rebel Powerbank (18000 mAh)
external USB SSD
HackRF One (incl. ANT500)
Waveshare monitor FHD (12.5inch, 1920×1080 pixels, IPS screen)

Suitcase 2

This called by myself the Hak5Box

Raspberry Pi 4 Model B/8GB
Keysy + SharkJack + KeyLogger
OM.G Cabel’s + Cable Programmer + Malicious cable detector
WiFi Pineapple (M7)
Alfa Network APA-M04 7dBi WLAN antenna (2,4 GHz)
Fresh’n’Rebel Powerbank (18000 mAh)
Waveshare monitor FHD (12.5inch, 1920×1080 pixels, IPS screen)

In addition, all cases are filled with brackets and foam so that the connecting cables are not visible (this is not shown in the pictures) and each device has a specific place.

Do you want such suitcases, too?

If you also want one (or more) suitcases and don’t have the time or inclination to build them yourself – just contact me! We can talk about it.

Note: It is important to know that each case and its contents are freely configurable (but it should fit).

Something awesome for your Docker pipelines

While my constant research for pipeline tools, I have found a fantastic security scanner for Docker images. Something you could use quickly under the topic of CI/CD and DevSecOps for your development. It’s named anchore/grype and the best it’s Open source, really fast and delivers many nice options for reports.

Requirements

Docker installed (to pull images)

Hint: You also can load and scan *.tar archives.

Objective

Short introduction in installation and usage of Grype (locally to evaluate).

Note: The later integration into your pipelines shouldn’t be a problem. I will add the Grype repository to my watchlist and for sure try it out in my pipelines.

Installation and default configuration

This first step should only take a few minutes.

# install the latest version to /usr/local/bin
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

# install the latest version to ~/Downloads
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ~/Downloads

# move binary to /usr/local/bin/grype (if you define different location)
$ mv ~/Downloads/grype /usr/local/bin/grype

# create configuration file
$ vim ~/.grype.yaml

# show help
$ grype --help

I copied the content in short form from the official GitHub repository. You can adapt this to your needs at any time.

check-for-app-update: true
fail-on-severity: ''
output: "table"
scope: "squashed"
quiet: false
db:
  auto-update: true
  cache-dir: "~/.grype/db"
  update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
log:
  file: ""
  level: "error"
  structured: false

Prepare the database

The Anchore Feed Service provides regular updates about publicly available vulnerabilities. In this section I will guide you to derive the updates manually.

# check database status (optional)
$ grype db status

# check feed service for new updates
$ grype db check

# run database update
$ grype db update

# verify db files (optional)
$ ls -la ~/.grype/db/

Usage examples

Even as the usage of Grype is very simple, here some short examples.

# scan image with configuration settings
$ grype node

# scans for vulnerabilities on all image layer and set output format
$ grype --scope all-layers -o cyclonedx node

# stop if a severity high is found with exit code 1
$ grype --fail-on high node

# show last exit status (optional)
$ echo $?

To stop your validation/pipeline on certain severities of security risks (exit code 1), you can choose between following options: negligible, low, medium, high & critical.

Hint: To save the reports you could use the redirect, to the output stream to a file.

Clean up

Don’t forget to clean up your system!

# list all Docker images (optional)
$ docker images

# delete specific Docker image by name
$ docker rmi node

ooktools and Yard Stick One

In my last tutorial, I showed you how to install RfCat and the ooktools on your macOS, as I promised to go into more detail on the ooktools later – I want to keep this promise now.

Requirements

RfCat installed
ooktools installed
jq installed (optional)
you own a Yard Stick One (or any rfcat compatible device)
you own a Garage Door opener (or similar device)

Objective

Learn and understand the ooktools sub command ‘signal’.

ooktools signal

The ooktools offers many great features (look at the command line help)! In this tutorial I will focus on signal search, signal record, signal plot and signal play.

# show sub command signal help
$ python2.7 -m ooktools.console signal --help
...
Usage: console.py signal [OPTIONS] COMMAND [ARGS]…

Signal Commands.

Options:
--help  Show this message and exit.

Commands:
brute   Bruteforce a binary range.
jam     Jam a frequency by just sending noise.
play    Play frames from a source file.
plot    Plot frames from a recorded signal.
record  Record frames to a file.
search  Search for signals.
send    Send signals using a RFCat dongle.

Search a signal

My garage door opener has information about the frequency (868.3 MHz) on the back, which makes my search a little easier! If this is not the case for you, search for the FCC identifier.

If you have a rough idea about the frequency (and other values), look in the signal search help and compare all standard values with your needs! You only have to overwrite the values which do not match (as arguments).

# show help for signal search
$ python2.7 -m ooktools.console signal search --help

# search signal in specific range
$ python2.7 -m ooktools.console signal search -S 868200000 -E 868400000

Note: Only signal search throws sometimes an Python/USB exception on my OS (after finish the search), all other commands work perfectly. If you have the same problem, reconnect the USB device (Yard Stick One)!

Record a signal

Now run the signal record. Go the same way like you did for the signal search! First look at the sub command help, overwrite the default values and run the command.

# show help for signal record
$ python2.7 -m ooktools.console signal record --help

# start a signal record
$ python2.7 -m ooktools.console signal record -F 868300000 -f 60 -D  ~/Desktop/test.json

After the signal record is finished, you can have a look on the JSON file.

# view file content and pipe output to jq (optional)
$ cat ~/Desktop/test.json | jq .

Plot the recorded signal

With signal plot you can easily create and watch frames from a recorded signal (json file). The help shows you the possible fine adjustments for the plot output. I have recorded 9 Frames, maybe that differs for you!

# show help for signal plot
$ python2.7 -m ooktools.console signal plot --help

# plot a signal record (number of frames)
$ python2.7 -m ooktools.console signal plot -c 6 -S ~/Desktop/test.json

To specify the plot you can use sub command agrument --series.

# plot a signal record (series of fields)
$ python2.7 -m ooktools.console signal plot -s 1:4 -S ~/Desktop/test.json

Play a signal

It’s time to try. For that I have to walk a long way to the parking garage gate (I usually drive this route). For signal play sub command only two arguments are needed (source & repeats).

# show help for signal play
$ python2.7 -m ooktools.console signal play --help

# play a signal record
$ python2.7 -m ooktools.console signal play -r 2 -S ~/Desktop/test.json

I did not modify the record file, just run all recorded frames for 2 times. If you are wondering if this worked for me? No – the signal is sent too quickly this way. The gate doesn’t open like this. With tools like GQRX / URH & HackRF One I was able to compare the signals. So some fine-tuning is needed (baud rate/modulation/etc.). Nevertheless, you should have got a good overview of the ooktools.

RfCat on BigSur (Yard Stick One)

Some time ago, I wrote a tutorial about RfCat installation on Kali Linux. Many people asked me for similar tutorial on macOS (Big Sur). So I will use this time now (my first tutorial of year 2021), to show and try to explain (as best I can do). Also I will try to provide some basics for usage, as the community seems not so big and less online documentation is available like for other topics. You can reuse the knowledge for other OS, too.

Precondition

latest macOS Commandline Tools installed (xcode-select --install)

Install RfCat incl. everything needed

First you need to download libusb tarball, unzip the downloaded archive and compile/install it (don’t worry sounds harder as it is). If you choose other sources like macports, you may run into location issues (paths to binaries/libraries).

Note: the following examples will just provide the latest version (1.0.24), while I was writing this tutorial. Please look beforehand if there is a newer libusb version already available.

# download via curl
$ curl -L -C - "https://github.com/libusb/libusb/releases/download/v1.0.24/libusb-1.0.24.tar.bz2" -o ~/Downloads/libusb-1.0.24.tar.bz2

# unzip archive
$ tar -xf ~/Downloads/libusb-1.0.24.tar.bz2 -C ~/Downloads/

# change into extraced archive directory
$ cd Downloads/libusb-1.0.24

# verify dependencies for build and install process are available
$ ./configure

# run build
$ make

# run installation
$ sudo make install

# verify installation (optional)
$ ls -la /usr/local/lib/libusb*

# delete archive and directory (optional)
$ rm -fr ~/Downloads/libusb-1.0.24*

Install required Python packages with Python Pip. Without these the RfCat compilation, installation and usage will not correctly work!

Note: As I do have different Python version installed, I specify the excat Python version (2.7.x) in the following examples. If you have only the default MacOS Python version installed – you could use pip directly (without python2.7 -m).

# verify already installed packages (optional)
$ python2.7 -m pip freeze

# install libusb via pip
$ python2.7 -m pip install libusb

# install pyusb via pip
$ python2.7 -m pip install pyusb

# install pyreadline via pip
$ python2.7 -m pip install pyreadline

# install ipython via pip
$ python2.7 -m pip install ipython

# install PySide2 via pip
$ python2.7 -m pip install PySide2

Clone RfCat Git repository from Github (may some older online documentations still link to Bitbucket). In the following example I choose the Downloads directory – of course you can choose any preferred destination.

# clone from GitHub
$ git clone https://github.com/atlas0fd00m/rfcat.git ~/Downloads/rfcat

# change directory
$ cd Downloads/rfcat

# run the installation
$ sudo python2.7 setup.py install

# verify the installation (optional)
$ ls -la /usr/local/bin/rfcat*

# show rfcat help (optional)
$ /usr/local/bin/rfcat -h

# delete cloned directory (optional)
$ rm -fr ~/Downloads/rfcat

If everything went well so far, you should take a look at your installed Python packages.

# verify installed packages (optional)
$ python2.7 -m pip freeze | grep -i 'libusb\|pyusb\|pyreadline\|ipython\|PySide2\|rfcat'

Optional installation of ooktools

Now I recommend to install the ooktools packages via Python Pip. The ooktools will make your life much easier and you will have much faster results.

# install ooktools via pip
$ python2.7 -m pip install ooktools

# verify and show help (optional)
$ python2.7 -m ooktools.console --help

# verify and show specific help topic (optional)
$ python2.7 -m ooktools.console wave --help

I’ll go into the ooktools in a later tutorial, but not today.

Run RfCat

So far so good. Let’s start to connect the Yard Stick One (plug into USB) and run the first example. Always have in mind, the official operating frequencies (for the Yard Stick One):

300 – 348 MHz
391 – 464 MHz
782 – 928 MHz

Note: RfCat expact the values in “Hz”, so 315 MHz are 315000000 Hz.

Hint: don’t put any other transmitter next to the Yard Stick One while you use it (eq. Mobile, Wifi router, etc.). You could destroy it or weaken/disrupt your signals.

# start rfcat (interactive Python)
$ sudo rfcat -r

If no error message appears, you’re good to go.

# start scan on specific frequency (315 MHz)
In [1]: d.specan(315000000)

You should see now the spectrum analyser.

Okay, stop the scanning process by closing the spectrum analyzer window. Now let’s start a simple record (also if you don’t have a signal nearby).

Note: there are many more settings and I cannot describe all here! It always depends to the problem you like/need to solve.

# enter the IDLE state (important after any action)
In [2]: d.setModeIDLE()

# specific frequency (315 MHz)
In [3]: d.setFreq(315000000)

# specific modulation (ASK/OOK/Manchester encoding)
In [4]: d.setMdmModulation(MOD_ASK_OOK)

# specific baudrate (4800 Hz)
In [5]: d.setMdmDRate(4800)

# turn on the amplifier
In [6]: d.setMaxPower()

# drops most blocks to pkts (CARRIER)
In [7]: d.lowball()

# start and dump data to screen
In [8]: d.RFlisten()

# stop listen (press Enter to stop)

# enter the IDLE state (or you need to unplug from USB)
In [9]: d.setModeIDLE()

# exit
In [10]: exit()

Your result should look like:

Hint: use the Tabulator key for command-line completion (also tab completion) and take use of the internal help of RfCat (eq. help(d.setMdmModulation))

The popular frequencies are mostly near by:

315 MHz (car fobs)
433 MHz (door openers, medical devices)
868 MHz (door openers in EU/swiss)
915 MHz (industrial equipment, medical devices)

Send via Python script

It would be not enough to show you only Command line and nothing about transmit. Therefore now a small Python script, which send out some example data. I think the following script is self explanatory.

from rflib import *

d = RfCat()
d.setFreq(315000000)
d.setMdmModulation(MOD_ASK_OOK)
d.setMdmDRate(4800)

print("Transmission starting")
d.RFxmit("\x2e\x2e\x2d\x2e\x2e\x2d\x2e\x00\x00\x00\x00\x00\x00"*10)
print("Transmission complete")

Hint: \x escape sequence means the next two characters are interpreted as hex digits for the character code (\x is used inside strings to represent a character), 0x is used for literal numbers in Python.

Install Gqrx and GNU Radio on macOS (Big Sur)

I’ve tried many times and different ways but the installation of Gqrx and GNU Radio on macOS Big Sur via MacPorts failed always. I did not give up and found a working solution for me (my HackRF One) and these two needed tools. In this tutorial I would like to show you the installation (Gqrx & GNU Radio). If you need first to install HackRF One on macOS, please have a look here.

Install XQuartz

First download and installation starts with XQuartz. Download the latest DMG, run the installation and logout/login from your system.

Install Gqrx SDR

As already mentioned, Gqrx (at least for me) cannot installed on Big Sur via MacPorts. Therefore download and install the precompiled binary from Gqrx. As soon the installation was successful, you can connect and use the HackRF One.

Install Python 3.7

The third step also requires a download and installation. Look for the version Python 3.7! Any version below will not work.

Install GNU Radio

Finally, at the last step, we can start to download and install GNU Radio. It’s a quite big application, so please be patient while processing. Also the startup of GNU Radio (inside XQuartz) takes always some few seconds.

If you consider the time (download/installation) compared to the MacPorts installation (download/build/installation), a time gain. Of course Xquartz is also needed for MacPorts. Here if you will try via MacPorts:

# install gr-osmosdr (incl hackrf + gnu radio)
$ sudo port install gr-osmosdr

# install gr-fosphor (needed by gnu radio)
$ sudo port install gr-fosphor

# install gqrx
$ sudo port install gqrx

Install HackRF One on macOS (Big Sur)

This time it’s about installing HackRF One binaries on the macOS Big Sur. In another later tutorial I will dive deeper into macOS, HackRF ONE and GnuRadio (gnuradio-companion), but not yet. The installation takes place via latest MacPorts.

Preparation

macPorts installed
Commandline Tools installed (SDK higher 11)
HackRF One connected and started (via USB cable)

CommandLineTools SDK

My first installation failed with a error (even as MacPorts where completely new installed and Command Line Tools where installed, too). I looked into log file and saw a issue with clang version.

# read log file (optional)
$ cat /opt/local/var/macports/logs/_opt_local_var_macports_sources_rsync.macports.org_macports_release_tarballs_ports_science_hackrf/hackrf/main.log
 …
 clang: error: invalid version number in 'MACOSX_DEPLOYMENT_TARGET=11.0'
 …
 

# show clang version (optional)
$ clang --version

So looked it up on the Internet and saw that the clang version in the new SDK is higher and will solve this issue. To confirm I had a look installed SDK’s.

# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk

To be really sure. Yes new SDK is installed.

# list SDKs (optional)
$ ls /Library/Developer/CommandLineTools/SDKs/
MacOSX.sdk MacOSX10.14.sdk MacOSX10.15.sdk MacOSX11.1.sdk

# show xcrun configs (optional)
$ xcrun --sdk macosx11.1 --show-sdk-path
$ xcrun --sdk macosx11.1 --show-sdk-version

Installation

After the installation and verification (yes the new sdk was getting installed), I tried the macPorts installation again.

# install hackrf via mac ports
$ sudo port install hackrf

Test installation

This time all went fine and I could start testing the device.

# show USB device info (optional)
$ ioreg -p IOUSB -l -w 0 -b

# show hackrf info
$ hackrf_info

# start debug (optional)
$ hackrf_debug --si5351c -n 0 -r

# start record
$ hackrf_transfer -r myRecord.raw -f 433780000

# start transmit record
$ hackrf_transfer -t myRecord.raw -f 433780000 -x 20

– Softwaretester –

knowledge is power

Security