This Blog is not dead

What’s new? I have received various inquiries as to whether this blog is still being maintained. Yes, it still will be! Currently, however, a lot has changed in my life, and because of various security settings of my provider I have created a few tutorials directly on GitHub. So here are 2 categories which I would like to introduce to you.

Raspberry PI Tutorial

GitHub Tutorial: Lupin3000/Raspberry-PI-Tutorials

In this GitHub repository you will find instructions on how to use the small development board as a security analysis device. These instructions are simply intended to show which options the Raspberry PI offers and to provide an introduction to the topic of cyber security.

Adafruit Matrix LED

GitHub Tutorial: Lupin3000/AdafruitMatrixLED

I love the Adafruit Matrix LED! With a little Python you can achieve everything your heart desires super quickly and easily. To make the start a little easier for you, I’ve created a few examples with Python. You are welcome to use these or (even better) develop them further.

More???

I also started to post some pictures and videos of my work on Instagram … Yes, I have to move with the times too. 😉

So if you find the time and feel like it, just drop by these platforms and let yourself be inspired for your projects.

Something awesome for your Docker pipelines

During my constant research for pipeline tools, I have found a fantastic security scanner for Docker images. It is something you could quickly put to use for CI/CD and DevSecOps in your development. It’s named anchore/grype and, best of all, it’s open source, really fast and offers many nice options for reports.

Requirements

  • Docker installed (to pull images)

Hint: You can also load and scan *.tar archives.

Objective

A short introduction to the installation and usage of Grype (locally, for evaluation).

Note: The later integration into your pipelines shouldn’t be a problem. I will add the Grype repository to my watchlist and for sure try it out in my pipelines.

Installation and default configuration

This first step should only take a few minutes.

# install the latest version to /usr/local/bin
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin

# install the latest version to ~/Downloads
$ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b ~/Downloads

# move binary to /usr/local/bin/grype (if you chose a different location)
$ mv ~/Downloads/grype /usr/local/bin/grype

# create configuration file
$ vim ~/.grype.yaml

# show help
$ grype --help

I copied the content in short form from the official GitHub repository. You can adapt this to your needs at any time.

check-for-app-update: true
fail-on-severity: ''
output: "table"
scope: "squashed"
quiet: false
db:
  auto-update: true
  cache-dir: "~/.grype/db"
  update-url: "https://toolbox-data.anchore.io/grype/databases/listing.json"
log:
  file: ""
  level: "error"
  structured: false

Prepare the database

The Anchore Feed Service provides regular updates about publicly available vulnerabilities. In this section I will show you how to fetch the updates manually.

# check database status (optional)
$ grype db status

# check feed service for new updates
$ grype db check

# run database update
$ grype db update

# verify db files (optional)
$ ls -la ~/.grype/db/

Usage examples

Even though Grype is very simple to use, here are some short examples.

# scan image with configuration settings
$ grype node

# scan for vulnerabilities on all image layers and set the output format
$ grype --scope all-layers -o cyclonedx node

# exit with code 1 if a vulnerability of severity high or above is found
$ grype --fail-on high node

# show last exit status (optional)
$ echo $?

To stop your validation/pipeline on certain severities of security risks (exit code 1), you can choose between the following options: negligible, low, medium, high & critical.

Hint: To save a report, redirect the output stream to a file.
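
How a pipeline step could apply the same severity threshold to a saved report, with per-severity counts and a list of accepted findings. This is an added example, not code from the Grype project or the original post; it assumes a report written with `grype -o json` and its `matches[].vulnerability` / `matches[].artifact` layout, and the `gate` helper and sample report are constructed here.

```python
import json
from collections import Counter

# Threshold values listed above, lowest to highest.
SEVERITIES = ["negligible", "low", "medium", "high", "critical"]

# Constructed sample shaped like `grype -o json` output (all values made up).
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "EXAMPLE-0001", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.0.0"}},
    {"vulnerability": {"id": "EXAMPLE-0002", "severity": "High"},
     "artifact": {"name": "libexample", "version": "1.0.0"}},
    {"vulnerability": {"id": "EXAMPLE-0003", "severity": "Medium"},
     "artifact": {"name": "toolkit", "version": "2.4.1"}},
    {"vulnerability": {"id": "EXAMPLE-0004", "severity": "Negligible"},
     "artifact": {"name": "toolkit", "version": "2.4.1"}},
    {"vulnerability": {"id": "EXAMPLE-0005", "severity": "Unknown"},
     "artifact": {"name": "shim", "version": "0.3"}},
]})


def rank(severity):
    """Index in SEVERITIES; anything else (e.g. "unknown") ranks below all."""
    severity = str(severity).lower()
    return SEVERITIES.index(severity) if severity in SEVERITIES else -1


def gate(report_text, fail_on, ignore_ids=()):
    """Return (exit_code, counts, offenders) for a JSON report.

    exit_code is 1 when a match that is not in ignore_ids has a severity
    equal to or above fail_on, otherwise 0.
    """
    if fail_on not in SEVERITIES:
        raise ValueError("unknown severity: %r" % (fail_on,))
    threshold = SEVERITIES.index(fail_on)
    counts, offenders = Counter(), []
    for match in json.loads(report_text).get("matches", []):
        vuln = match.get("vulnerability", {})
        artifact = match.get("artifact", {})
        severity = str(vuln.get("severity", "unknown")).lower()
        counts[severity] += 1
        if vuln.get("id") in ignore_ids:
            continue  # accepted risk: counted, but does not fail the build
        if rank(severity) >= threshold:
            offenders.append((vuln.get("id"), severity,
                              artifact.get("name"), artifact.get("version")))
    return (1 if offenders else 0), dict(counts), offenders


if __name__ == "__main__":
    code, counts, offenders = gate(SAMPLE_REPORT, "high",
                                   ignore_ids={"EXAMPLE-0002"})
    print("findings per severity:", counts)
    for vuln_id, severity, name, version in offenders:
        print("BLOCKING %s (%s) in %s %s" % (vuln_id, severity, name, version))
    raise SystemExit(code)
```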

Clean up

Don’t forget to clean up your system!

# list all Docker images (optional)
$ docker images

# delete specific Docker image by name
$ docker rmi node

ooktools and Yard Stick One

In my last tutorial, I showed you how to install RfCat and the ooktools on macOS. I promised to go into more detail on the ooktools later, and I want to keep this promise now.

Requirements

  • RfCat installed
  • ooktools installed
  • jq installed (optional)
  • you own a Yard Stick One (or any rfcat compatible device)
  • you own a Garage Door opener (or similar device)

Objective

Learn and understand the ooktools sub command ‘signal’.

ooktools signal

The ooktools offer many great features (look at the command line help)! In this tutorial I will focus on signal search, signal record, signal plot and signal play.

# show sub command signal help
$ python2.7 -m ooktools.console signal --help
...
Usage: console.py signal [OPTIONS] COMMAND [ARGS]…

Signal Commands.

Options:
--help  Show this message and exit.

Commands:
brute   Bruteforce a binary range.
jam     Jam a frequency by just sending noise.
play    Play frames from a source file.
plot    Plot frames from a recorded signal.
record  Record frames to a file.
search  Search for signals.
send    Send signals using a RFCat dongle.

Search a signal

[Image: Garage Door Opener & Yard Stick One]

My garage door opener has information about the frequency (868.3 MHz) on the back, which makes my search a little easier! If this is not the case for you, search for the FCC identifier.

If you have a rough idea about the frequency (and other values), look at the signal search help and compare all default values with your needs! You only have to override the values which do not match (as arguments).

# show help for signal search
$ python2.7 -m ooktools.console signal search --help

# search signal in specific range
$ python2.7 -m ooktools.console signal search -S 868200000 -E 868400000

Note: Only signal search sometimes throws a Python/USB exception on my OS (after the search finishes); all other commands work perfectly. If you have the same problem, reconnect the USB device (Yard Stick One)!

Record a signal

Now run the signal record. Proceed the same way as for the signal search: first look at the subcommand help, then override the default values and run the command.

# show help for signal record
$ python2.7 -m ooktools.console signal record --help

# start a signal record
$ python2.7 -m ooktools.console signal record -F 868300000 -f 60 -D  ~/Desktop/test.json

After the signal record is finished, you can have a look at the JSON file.

# view file content and pipe output to jq (optional)
$ cat ~/Desktop/test.json | jq .

Plot the recorded signal

With signal plot you can easily create and view plots of the frames from a recorded signal (JSON file). The help shows you the possible fine adjustments for the plot output. I have recorded 9 frames, maybe that differs for you!

# show help for signal plot
$ python2.7 -m ooktools.console signal plot --help

# plot a signal record (number of frames)
$ python2.7 -m ooktools.console signal plot -c 6 -S ~/Desktop/test.json

[Image: ooktools plot]

To narrow down the plot, you can use the subcommand argument --series.

# plot a signal record (series of fields)
$ python2.7 -m ooktools.console signal plot -s 1:4 -S ~/Desktop/test.json

[Image: ooktools plot series]

Play a signal

It’s time to try. For that I have to walk a long way to the parking garage gate (I usually drive this route). For signal play sub command only two arguments are needed (source & repeats).

# show help for signal play
$ python2.7 -m ooktools.console signal play --help

# play a signal record
$ python2.7 -m ooktools.console signal play -r 2 -S ~/Desktop/test.json

I did not modify the record file, I just played all recorded frames 2 times. If you are wondering whether this worked for me: no – the signal is sent too quickly this way. The gate doesn’t open like this. With tools like GQRX / URH & HackRF One I was able to compare the signals. So some fine-tuning is needed (baud rate/modulation/etc.). Nevertheless, you should now have a good overview of the ooktools.

RfCat on BigSur (Yard Stick One)

Some time ago, I wrote a tutorial about RfCat installation on Kali Linux. Many people asked me for a similar tutorial on macOS (Big Sur). So I will use this time now (my first tutorial of the year 2021) to show and explain it as best I can. I will also try to provide some basics for usage, as the community does not seem to be very big and less online documentation is available than for other topics. You can reuse the knowledge for other operating systems, too.

Precondition

  • latest macOS Commandline Tools installed (xcode-select --install)

Install RfCat incl. everything needed

First you need to download the libusb tarball, unpack the downloaded archive and compile/install it (don’t worry, it sounds harder than it is). If you choose other sources like MacPorts, you may run into location issues (paths to binaries/libraries).

Note: the following examples use version 1.0.24, which was the latest while I was writing this tutorial. Please check beforehand whether a newer libusb version is already available.

# download via curl
$ curl -L -C - "https://github.com/libusb/libusb/releases/download/v1.0.24/libusb-1.0.24.tar.bz2" -o ~/Downloads/libusb-1.0.24.tar.bz2

# unzip archive
$ tar -xf ~/Downloads/libusb-1.0.24.tar.bz2 -C ~/Downloads/

# change into extracted archive directory
$ cd ~/Downloads/libusb-1.0.24

# verify dependencies for build and install process are available
$ ./configure

# run build
$ make

# run installation
$ sudo make install

# verify installation (optional)
$ ls -la /usr/local/lib/libusb*

# delete archive and directory (optional)
$ rm -fr ~/Downloads/libusb-1.0.24*

Install the required Python packages with pip. Without these, the RfCat compilation, installation and usage will not work correctly!

Note: As I have different Python versions installed, I specify the exact Python version (2.7.x) in the following examples. If you have only the default macOS Python version installed – you could use pip directly (without python2.7 -m).

# verify already installed packages (optional)
$ python2.7 -m pip freeze

# install libusb via pip
$ python2.7 -m pip install libusb

# install pyusb via pip
$ python2.7 -m pip install pyusb

# install pyreadline via pip
$ python2.7 -m pip install pyreadline

# install ipython via pip
$ python2.7 -m pip install ipython

# install PySide2 via pip
$ python2.7 -m pip install PySide2

Clone the RfCat Git repository from GitHub (some older online documentation may still link to Bitbucket). In the following example I chose the Downloads directory – of course you can choose any preferred destination.

# clone from GitHub
$ git clone https://github.com/atlas0fd00m/rfcat.git ~/Downloads/rfcat

# change directory
$ cd ~/Downloads/rfcat

# run the installation
$ sudo python2.7 setup.py install

# verify the installation (optional)
$ ls -la /usr/local/bin/rfcat*

# show rfcat help (optional)
$ /usr/local/bin/rfcat -h

# delete cloned directory (optional)
$ rm -fr ~/Downloads/rfcat

If everything went well so far, you should take a look at your installed Python packages.

# verify installed packages (optional)
$ python2.7 -m pip freeze | grep -i 'libusb\|pyusb\|pyreadline\|ipython\|PySide2\|rfcat'

Optional installation of ooktools

Now I recommend installing the ooktools package via pip. The ooktools will make your life much easier and you will get results much faster.

# install ooktools via pip
$ python2.7 -m pip install ooktools

# verify and show help (optional)
$ python2.7 -m ooktools.console --help

# verify and show specific help topic (optional)
$ python2.7 -m ooktools.console wave --help

I’ll go into the ooktools in a later tutorial, but not today.

Run RfCat

So far so good. Let’s connect the Yard Stick One (plug it into USB) and run the first example. Always keep in mind the official operating frequencies (for the Yard Stick One):

  • 300 – 348 MHz
  • 391 – 464 MHz
  • 782 – 928 MHz

Note: RfCat expects the values in Hz, so 315 MHz is 315000000 Hz.

Hint: don’t put any other transmitter next to the Yard Stick One while you use it (e.g. mobile phone, WiFi router, etc.). You could destroy it or weaken/disrupt your signals.

# start rfcat (interactive Python)
$ sudo rfcat -r

If no error message appears, you’re good to go.

# start scan on specific frequency (315 MHz)
In [1]: d.specan(315000000)

You should now see the spectrum analyzer.

[Image: RfCat specan on 315 MHz]

Okay, stop the scanning process by closing the spectrum analyzer window. Now let’s start a simple recording (even if you don’t have a signal nearby).

Note: there are many more settings and I cannot describe them all here! It always depends on the problem you want/need to solve.

# enter the IDLE state (important after any action)
In [2]: d.setModeIDLE()

# set frequency (315 MHz)
In [3]: d.setFreq(315000000)

# set modulation (ASK/OOK)
In [4]: d.setMdmModulation(MOD_ASK_OOK)

# set baud rate (4800 baud)
In [5]: d.setMdmDRate(4800)

# turn on the amplifier
In [6]: d.setMaxPower()

# reduce filtering so that most received blocks come through as packets (sync mode CARRIER)
In [7]: d.lowball()

# start and dump data to screen
In [8]: d.RFlisten()

# stop listen (press Enter to stop)

# enter the IDLE state (or you need to unplug from USB)
In [9]: d.setModeIDLE()

# exit
In [10]: exit()

Your result should look like:

[Image: RfCat listen example]

Hint: use the Tab key for command-line completion (tab completion) and make use of the internal help of RfCat (e.g. help(d.setMdmModulation)).

The popular frequencies are mostly close to:

  • 315 MHz (car fobs)
  • 433 MHz (door openers, medical devices)
  • 868 MHz (door openers in EU/Switzerland)
  • 915 MHz (industrial equipment, medical devices)

Send via Python script

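It would not be enough to show you only the command line and nothing about transmitting. Therefore, here is a small Python script which sends out some example data. I think the following script is self-explanatory.

from rflib import *

# connect to the Yard Stick One and configure the radio
d = RfCat()
d.setFreq(315000000)              # frequency in Hz (315 MHz)
d.setMdmModulation(MOD_ASK_OOK)   # ASK/OOK modulation
d.setMdmDRate(4800)               # baud rate

print("Transmission starting")
# send the example byte sequence 10 times
d.RFxmit("\x2e\x2e\x2d\x2e\x2e\x2d\x2e\x00\x00\x00\x00\x00\x00"*10)
print("Transmission complete")

# return to the IDLE state (important after any action)
d.setModeIDLE()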

Hint: The \x escape sequence means the next two characters are interpreted as hex digits for the character code (\x is used inside strings to represent a character); 0x is used for literal numbers in Python.

O.MG Cable Setup on (Kali) Linux

MG made something really cool (and dangerous too) to perform keystroke injection attacks (via Rubber Ducky scripts) simply over a wireless interface. In this tutorial I want to show you the first important steps before you can start penetration testing. The cables, programmer and other awesome MG products are available from Hak5.

Important: You should own (or buy) at least one O.MG Cable Programmer, otherwise you will not be able to follow the steps below!

Preparation

First check whether Python 3.7 (or higher) and pyserial (incl. dependencies) are installed. They are already pre-installed on my Kali Linux.

# check python version
$ python3 --version
Python 3.8.6

# check for python package
$ pip3 freeze | grep 'pyserial'
pyserial==3.5b0

If you still need to install the necessary packages:

# install needed python package(s)
$ sudo pip3 install pyserial

Download the latest O.MG Firmware (incl. needed scripts/binaries) now.

# download latest Firmware via CURL
$ curl -L -C - https://github.com/O-MG/O.MG_Cable-Firmware/releases/download/v1.5.3/O.MG_Cable-Firmware-v1.5.3.zip -o ~/Downloads/O.MG_Cable-Firmware-v1.5.3.zip

# unzip archive
$ unzip ~/Downloads/O.MG_Cable-Firmware-v1.5.3.zip -d ~/Downloads/

# list content (optional)
$ ls -la ~/Downloads/O.MG_Cable-Firmware-v1.5.3/

# list physical USB device hierarchy (optional)
$ lsusb

Install Firmware

Now plug the O.MG programmer into your computer and the O.MG cable into the programmer. This can be a bit more difficult at first, so be careful not to destroy everything right away. Even when pulling out – Treat it like a beautiful woman.

Note: If you are running Kali Linux as a VM (e.g. VirtualBox), pass through the needed USB devices.

[Image: VirtualBox USB passthrough]

Change into the directory O.MG_Cable-Firmware-v1.5.3, set the file permissions for the file flash.py and start the firmware configuration and setup.

# change into the firmware directory
$ cd ~/Downloads/O.MG_Cable-Firmware-v1.5.3/

# list physical USB device hierarchy (optional)
$ lsusb

# run python script
$ sudo python3 ./flash.py

Caution: If you see the following output (or similar) Connecting........_____..... but flashing the firmware ends with an error, it means that the programmer was recognized correctly but the cable was not. Remove the cable and plug it in again. In addition, the cable needs a reset after every firmware flash.

If everything works (which is the normal case) you will be asked in which mode (AP or STA) the wifi should work. For this tutorial, I am using the Access Point (AP) mode, so I’ll set the SSID as well as the wifi credentials. Later you can access it with any modern browser via the URL http://192.168.4.1. Whether you need AP or STA mode depends on your environment and your attack vector. But try to get to know both as well as their respective advantages and disadvantages.

SELECT WIFI MODE ...: 2
ENTER WIFI SSID ...: OMGtest
ENTER WIFI PASS ...: test12345

Confirm your entries and wait a moment. An overview is displayed (do not forget the password).

Flash Operation Complete!

[ WIFI SETTINGS ]
  WIFI_SSID: OMGtest
  WIFI_PASS: test12345
  WIFI_MODE: 2
  WIFI_TYPE: ACCESS POINT

[ FIRMWARE USED ]
  INIT: firmware/esp_init_data_default_v08.bin
  ELF0: firmware/image.elf-0x00000.bin
  ELF1: firmware/image.elf-0x10000.bin
  PAGE: firmware/page.mpfs

<<< PROCESS FINISHED, REMOVE PROGRAMMER >>>
Press Enter to continue...

That was done super quickly and easily. Now pull the cable out of the programmer and you can start.

First steps with Shark Jack

After you receive your new Shark Jack device from Hak5, you need to upgrade the Firmware. This tiny tutorial will guide you through the process. You should plan a maximum of 10 minutes of your life for this action.

Preparation

Enable the Arming mode (middle switch position) and connect via your RJ45 interface; also connect USB-C for charging. Do not stop charging during the whole upgrade process! In case your local device does not provide such an interface, I have had really good experience with the multiport adapter from SATECHI.

Download and install latest Firmware

The default settings for your new Shark Jack are:

  • IP: 172.16.24.1 (Arming mode)
  • User: root
  • Password: hak5shark

Download the latest Shark Jack firmware from the Hak5 Download Center - SharkJack.

# download Firmware (via command line)
$ curl -L -C - https://downloads.hak5.org/api/devices/sharkjack/firmwares/1.1.0-stable -o ~/Downloads/upgrade-1.1.0.bin

# verify SHA256 checksum (optional)
$ shasum -a 256 ~/Downloads/upgrade-1.1.0.bin

# copy Firmware from local to Shark Jack device
$ scp -C4 ~/Downloads/upgrade-1.1.0.bin root@172.16.24.1:/tmp/

# SSH into SharkJack device
$ ssh -C4 root@172.16.24.1

# list directory content (optional)
root@shark:~# ls -la

# show current version
root@shark:~# cat VERSION
1.0

# start update
root@shark:~# sysupgrade -n /tmp/upgrade-1.1.0.bin

Now be patient and do not remove the Shark Jack from RJ45 or the USB-C for charging! The device installs the new firmware and reboots. For me it was around 3 – 4 minutes.

# check interface status (optional)
$ ifconfig

# SSH into Shark Jack device
$ ssh -C4 root@172.16.24.1

# show current version
root@shark:~# cat VERSION
1.1.0

That’s it … have fun and success.

Introduction into Wifi Pineapple API

After a short time you might get the idea of controlling your Wifi Pineapple via the terminal only. Luckily the developers provided an API. There is already a Python wrapper available. But why not simply use curl and jq?

Objective

Learn how to set up and use (via curl) the Wifi Pineapple API.

Precondition

jq installed (latest)

Preparation

If not done already, you need to create an API token. To do so, open the “Advanced” section, insert a token name and press the button “Generate”.

[Image: Wifi Pineapple generate API token]

The curl commands can be very long and unwieldy. To make them a little easier to use, you should save the very long token (and the header) as variables ($TOKEN and $HEADER).

# create token variable
$ TOKEN="458aef505b17d0e954f95419c8da0df1047529708787bb04b15362bc3ecaa6e19e22d8bf2378293275c0e9ce6af62ef0e00691ec24aaa7309e6b9923067177af"

# create header variable (passed to curl as -H "$HEADER")
$ HEADER="Content-type: application/json"

# create a first simple notification
$ curl -s -X POST -H "$HEADER" -d '{"system": "notifications", "action": "addNotification", "message": "my first notification", "apiToken": "'"$TOKEN"'"}' http://192.168.2.10:1471/api/

As the Wifi Pineapple uses a well-known prefix, we cannot use jq directly! So we need to remove the prefix from our output. Now create a new variable and pipe the output through sed. In my case the following characters are used as response prefix: “)]}',”.

# create prefix variable
$ PREF=")]}',"

# create a second simple notification (incl. sed and jq)
$ curl -s -X POST -H "$HEADER" -d '{"system": "notifications", "action": "addNotification", "message": "my second notification", "apiToken": "'"$TOKEN"'"}' http://192.168.2.10:1471/api/ | sed -e "s/^$PREF//" | jq .

If everything worked well, the terminal output will be pretty-printed (via jq) and you should be able to see both notifications (Browser UI).

[Image: Wifi Pineapple notifications via API]

API examples

The online API documentation is very well written. However, to give you a better start, a few examples are shown below.

# get current version of Wifi Pineapple
$ curl -s -X POST -H "$HEADER" -d '{"module": "Advanced", "action": "getCurrentVersion", "apiToken": "'"$TOKEN"'"}' http://192.168.2.10:1471/api/ | sed -e "s/^$PREF//" | jq .

# get current time zone of Pineapple
$ curl -s -X POST -H "$HEADER" -d '{"module": "Configuration", "action": "getCurrentTimeZone", "apiToken": "'"$TOKEN"'"}' http://192.168.2.10:1471/api/ | sed -e "s/^$PREF//" | jq .

# check available module storages
$ curl -s -X POST -H "$HEADER" -d '{"module": "ModuleManager", "action": "checkDestination", "apiToken": "'"$TOKEN"'"}' http://192.168.2.10:1471/api/ | sed -e "s/^$PREF//" | jq .

# get installed modules
$ curl -s -X POST -H "$HEADER" -d '{"module": "ModuleManager", "action": "getInstalledModules", "apiToken": "'"$TOKEN"'"}' http://192.168.2.10:1471/api/ | sed -e "s/^$PREF//" | jq .

I think you’ve got it. In similar way you can use the API for “Recon”, “Logging”, “Networking” and so on.
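
The same request/response handling as the curl, sed and jq pipeline above, written as an added Python example (not code from the original post or from the existing Python wrapper). The helper names `build_request`, `parse_response` and `call_api` are hypothetical, and the sample reply is constructed; only the request keys, the URL and the response prefix come from the commands above.

```python
import json
import urllib.request

PREFIX = ")]}',"  # response prefix mentioned above


def build_request(url, token, action, module=None, system=None, **params):
    """Build the POST that the curl commands above send.

    json.dumps() does the quoting, so a message or token containing quotes
    cannot break the JSON the way shell string splicing can.
    """
    if (module is None) == (system is None):
        raise ValueError("pass exactly one of module= or system=")
    body = dict(params, action=action, apiToken=token)
    if module is not None:
        body["module"] = module
    else:
        body["system"] = system
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def parse_response(raw):
    """Remove the prefix only at the start of the body, then decode JSON."""
    text = raw.decode("utf-8") if isinstance(raw, bytes) else raw
    text = text.lstrip()
    if text.startswith(PREFIX):
        text = text[len(PREFIX):]
    try:
        return json.loads(text)
    except ValueError as exc:
        raise ValueError("not a JSON API response: %r" % text[:40]) from exc


def call_api(url, token, action, timeout=5, **kwargs):
    """Send one request and return the decoded reply (needs a reachable device)."""
    request = build_request(url, token, action, **kwargs)
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return parse_response(response.read())


# Constructed reply for offline use; the field name is illustrative only.
SAMPLE_REPLY = b")]}',\n{\"currentVersion\": \"0.0.0\"}"

if __name__ == "__main__":
    req = build_request("http://192.168.2.10:1471/api/", "PLACEHOLDER_TOKEN",
                        "addNotification", system="notifications",
                        message='door "A" opened')
    print(req.data.decode("utf-8"))
    print(parse_response(SAMPLE_REPLY))
```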

Understand and measure signal strength with Wifi Pineapple

It’s a long title for a tutorial this time. Don’t worry, I will try my best to make it short and understandable. Many people wonder why their penetration of Wifi networks does not really work and forget about a very important point: “Wifi Signal Strength”. But what is it? How can I measure it? Do I need to buy expensive software? Here is an attempt to enlighten you. For this explanation I will use the Wifi Pineapple device with some command line tools and a nice UI module.

Objective

Understand the basics of Wifi Signal Strength and learn how to measure it.

Precondition

Wifi Pineapple device incl. SSH connection into it plus internet connection (to download the module).

The basics

The WiFi signal strength is given in dBm, a logarithmic (not linear) unit of measurement of power. The decibels are relative to one milliwatt and are expressed as a negative number from 0 to -100. For example, a signal value of -50 is much stronger than a signal value of -70. A difference of 3 dBm therefore means halving or doubling the strength of the previous value. The following table should give some information about the values.

| Signal strength | Quality    | Description                                                              |
|-----------------|------------|--------------------------------------------------------------------------|
| -30 dBm         | Excellent  | One of the best values that can be achieved.                             |
| -50 dBm         | Good       | A very good signal level which allows all applications in the network.   |
| -70 dBm         | Acceptable | Not a good value, there are already severe application problems.         |
| -90 dBm         | Very bad   | Very bad value, there is usually no connection here.                     |

The measurement

Now let’s get to the measurement quickly. Start the Wifi Pineapple and connect.

# SSH into Wifi Pineapple device
$ ssh root@192.168.2.10

Let’s take a look at the values of the wifi devices themselves (these will be different).

# show statistics on each wireless interface in the system
$ cat /proc/net/wireless

# show interface configuration with ifconfig
$ ifconfig wlan0
$ ifconfig wlan1

# show interface configuration with iwconfig
$ iwconfig wlan0
$ iwconfig wlan1

Now we scan the WiFi networks and have the values displayed (repeat this multiple times to get the average).

# use iwlist to scan (old way)
$ iwlist wlan0 scanning | egrep -i 'SSID|Quality'

# use iw to scan (modern way)
$ iw wlan0 scan | egrep -i 'SSID|signal'
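
Averaging repeated scans, as an added example that is not part of the original post: because dBm is logarithmic, the readings are converted to milliwatts, averaged, and converted back, then rated against the table above. The scan text is a constructed, trimmed sample in the layout of `iw wlan0 scan` output, the function names are hypothetical, and treating each table row as the lower bound of its band is an assumption.

```python
import math
import re

# Constructed sample: trimmed output of three `iw wlan0 scan` runs (made-up values).
SCANS = [
    "BSS 02:00:00:00:00:01(on wlan0)\n\tsignal: -48.00 dBm\n\tSSID: LabNet\n"
    "BSS 02:00:00:00:00:02(on wlan0)\n\tsignal: -71.00 dBm\n\tSSID: Guest\n",
    "BSS 02:00:00:00:00:01(on wlan0)\n\tsignal: -52.00 dBm\n\tSSID: LabNet\n"
    "BSS 02:00:00:00:00:02(on wlan0)\n\tsignal: -69.00 dBm\n\tSSID: Guest\n",
    # the second network is out of range in the last scan
    "BSS 02:00:00:00:00:01(on wlan0)\n\tsignal: -50.00 dBm\n\tSSID: LabNet\n",
]


def dbm_to_mw(dbm):
    """dBm is 10*log10(power in mW), so invert the logarithm."""
    return 10 ** (dbm / 10.0)


def mw_to_dbm(mw):
    """Convert a power in milliwatts back to dBm."""
    return 10 * math.log10(mw)


def parse_scan(text):
    """Return {bssid: {"ssid": str, "dbm": float}} from one scan output."""
    found, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        bss = re.match(r"BSS ([0-9a-fA-F:]{17})", line)
        if bss:
            current = found.setdefault(bss.group(1), {"ssid": "", "dbm": None})
        elif current is not None and line.startswith("signal:"):
            current["dbm"] = float(line.split()[1])
        elif current is not None and line.startswith("SSID:"):
            current["ssid"] = line[len("SSID:"):].strip()
    # drop entries for which no signal line was seen
    return {k: v for k, v in found.items() if v["dbm"] is not None}


def average_dbm(readings):
    """Average in the linear (mW) domain, then convert back to dBm."""
    return mw_to_dbm(sum(dbm_to_mw(r) for r in readings) / len(readings))


def quality(dbm):
    """Rating from the table above; each row is used as a lower bound (assumption)."""
    for limit, label in ((-30, "Excellent"), (-50, "Good"), (-70, "Acceptable")):
        if dbm >= limit:
            return label
    return "Very bad"


def summarize(scans):
    """Return {bssid: (ssid, averaged dBm, number of sightings, rating)}."""
    readings, names = {}, {}
    for text in scans:
        for bssid, entry in parse_scan(text).items():
            readings.setdefault(bssid, []).append(entry["dbm"])
            names[bssid] = entry["ssid"]
    return {b: (names[b], round(average_dbm(r), 2), len(r), quality(average_dbm(r)))
            for b, r in readings.items()}


if __name__ == "__main__":
    for bssid, row in summarize(SCANS).items():
        print(bssid, *row)
```

Averaging -40 dBm and -60 dBm this way gives about -43 dBm rather than the arithmetic -50, because the stronger reading dominates the received power.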

Make it more visible

Under the Wifi Pineapple modules you can search for “SignalStrength” and install it. After successful installation, select the module then select one of your available wifi interfaces and press button “Scan”.

[Image: Wifi Pineapple module SignalStrength scan]

After a short time you will have the output as a table and a graph.

[Image: Signal Level Graph]

That’s it already. With these basics, you should be able to understand and perform your wifi penetration tests even better.