evilgenius » hacking

Chaos BBQ Weekend – New World Order

hosh — Sun, 12 Jul 2009 13:26:35 +0000

During the upcoming weekend (17.07. – 19.07.2009) the Chaos BBQ Weekend will take place in Dortmund, Germany, old Europe (N51°31′39.4″ E7°27′53.8″). There will be some Workshops and Lectures and of course there will be a lot of meat (vegi food as well).
In case you need a place for sleeping, don’t worry there will be room for everyone!

See you next weekend!

25C3 – 25th Chaos Communication Congress, Berlin

hosh — Thu, 25 Dec 2008 20:31:59 +0000

Hi there, it is getting time for the annual Chaos Communication Congress in Berlin, Germany, Old Europe. This time there are many speeches about mobile device security and GSM networks, check out the “Fahrplan”.
I hope to meet some old friends and find some interesting new people. And by the way: Happy Christmas!

Crapto1 – the tool to break the Mifare crypto algorithm

hosh — Mon, 27 Oct 2008 21:02:53 +0000

A few month ago a paper was released which described how to break the Crypto1 algorithm of the Mifare Classic cards. Now the implementation has been released. The files with the source code have all in all only 611 LOC. Not so much…

Configuring your DSL modem through your router

hosh — Thu, 09 Oct 2008 21:38:42 +0000

I unplugged my modem last week before I went to Dortmund for some days and plugged it back in last Sunday when I came back. Since then my DSL broadband access is pretty slow. Like 1 Mbit/s downstream, should be around 16 Mbit/s. Therefore I messed a little bit around with my configuration and found out that my DSL Modem – Siemens C2-010-I, is actually Viking II Plus and not a modem but a moden/router/bridge. My provider configured the Viking as a bridge, therefore it looked like a usual DSL modem.

Basically you just have to configure your interface on your PC to have the IP-Address 192.168.1.2 (or any other address within 192.168.1.0/24) and then you either can access the Viking’s HTTP or telnet server via 192.168.1.1.

With the web interface running on the HTTP server you can configure basic things like switching your bridging modem into a router. The basic configurations options you have for every DSL router. Anyway more interesting is the telnet interface. With the help of it you can get many more informations about your DSL connection. I found a preliminary command reference for the Viking chip set family which seems to contains many commands you can use to get some more informations out of your modem/router/bridge.

martin@kovalski:~$ telnet 192.168.1.1 Trying 192.168.1.1... Connected to 192.168.1.1. Escape character is '^]'.


                         ******************

                               Welcome

                         ******************
Software Release R100B01.0B_HN_20060406

Copyright (c) 2001-2004
login: alice@13184

password:

Login Successful

$help

Command        Description

-------        -----------

alias          To Alias a command

apply          Apply configuration/image file

commit         Commit the active config to the flash

create         Create a new entry of specified type

delete         Delete the specified entry

download       Download a file on to the Device

exit           To exit the CLI shell

get            Display info for the search

help           Provides help

list           List files

modify         Modify information for specified entry

passwd         To modify user password

ping           The normal ping command

prompt         Change the user prompt

reboot         Reboot the device

remove         Remove file

reset          Reset info for the specified entry

size           ATM Sizing Information

traceroute     The normal traceroute command

trigger        To set trigger

unalias        To undefine previously defined alias

verbose        Switch ON/OFF the verbose mode

$get dsl stats curr
No.  of  15  Min. Valid Data Intervals   : 6

No.  of  15  Min. Invalid Data Intervals : 0

Current  15  Min. Elapsed Time (MM:SS)   : 6:56

Current  15  Min. Errored Seconds        : 0

Current  15  Min. Sev Errored Seconds    : 0

Current  15  Min. Unavailable Seconds    : 0

Current  Day Elapsed Time (HH:MM:SS)     : 1:51:56

Current  Day Errored Seconds             : 0

Current  Day Sev Errored Seconds         : 0

Current  Day Unavailable Seconds         : 38

Previous Day Monitored Time (HH:MM:SS)   : 0:0:0

Previous Day Errored Seconds             : 0

Previous Day Sev Errored Seconds         : 0

Previous Day Unavailable Seconds         : 0

$get dsl params
Vendor ID            : 0039

Revision Number      : E.37.2.8

Serial number        : 123456789abcdx

Self Test            : Passed              Framing Structure     : Unknown

Standard             : ADSL2/2+            Trellis Coding        : -

Local Tx. Power(dB)  : 12.6                Remote Tx.Power(dB)   : 0.0

Local Line Atten(dB) : 18.5                Remote Line Atten(dB) : 11.5

Local SNR Margin(dB) : 12.5                Remote SNR Margin(dB) : 6.5

Tx Line Rate(kbps)   : 0                   Rx Line Rate(kbps)    : 0

Up SValue            : -                   Down SValue           : -

Up DValue            : -                   Down DValue           : -

Data Boost           : -                   Max Att. DnS LR(kbps) : 0

UpIntrlvd UpFast DownIntrlvd DownFast AS0(kbps): - - - - AS1(kbps): - - - - LS0(kbps): - - - - LS1(kbps): - - - - RValue : - - - - $

Anyway… now that you are able to get some informations out of your DSL modem/router. I actually like my OpenWrt based router…. damn…

…. writing this I just realized that this whole problem might not be related to my broadband provide – you remember, I just wanted to figure out why my connection was so slow before I tried to mess around with my modem – but to the not configured QOS settings of my so beloved OpenWrt router. Before I went to Dortmund my router got a little software update. Check, confirmed. QOS disabled.

… now that I have my whole bandwidth back… what was the point… right: I love my OpenWrt router. So I like to keep the bridge configuration but want to be able to access the DSL modem/router/bridge from within my local network behind my OpenWrt router. Therefore I have to adjust the firewall configuration a little. First make sure, that your modem and your router are not in the same subnet. I decided to configure my router to be 192.168.2.1/24 and the modem to stay as 192.168.1.1/24.

Now, the adjustment of the router’s firewall:

martin@kovalski:~$ ssh root@192.168.2.1 root@192.168.2.1's password:


BusyBox v1.4.2 (2008-10-01 22:05:02 CEST) Built-in shell (ash)

Enter 'help' for a list of built-in commands.

_______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M KAMIKAZE (7.09) ----------------------------------- * 10 oz Vodka Shake well with ice and strain * 10 oz Triple sec mixture into 10 shot glasses. * 10 oz lime juice Salute! --------------------------------------------------- root@SRB178:~# ifconfig eth0.1 192.168.1.2 up root@SRB178:~# iptables -t nat -A postrouting_rule -o eth0.1 -d 192.168.1.1/24 -j MASQUERADE root@SRB178:~# iptables -A forwarding_rule -i br-lan -o eth0.1 -p tcp --dport 80 -d 192.168.1.1 -j ACCEPT root@SRB178:~# iptables -A forwarding_rule -i br-lan -o eth0.1 -p tcp --dport 23 -d 192.168.1.1 -j ACCEPT

First configure your WAN interface. Then the firewall: The first rule is to masquerade the traffic from 192.168.2.0/24 as 192.168.1.2. The modem/router does not know anything about the 192.168.2.0/24 network. It will receive the requests out of the network but does not know where to send them back.
The other two rules are to allow the forwarding of traffic from the internal network to the modem/router on port 80 (http) and 23 (telnet).

If you want to get the informations easier than manually telnet into the modem and send the commands you can also use the fancy DSL-Modem Tool. There are several versions of this tool for different modems, but basically they all seem to use telnet to gather the informations.

By the way, the user name and password for accessing my modem were:
User: alice@13184 password: hnto$mgmt@lice
This is the default configuration of my broadband provider Alice.

kthxbye.

Counter measurements of FTE against copying their Bluetooth sniffer

hosh — Thu, 04 Sep 2008 19:54:49 +0000

Seems that FTE is finally reacting on the fact that you can easily copy their Comprobes firmware to other, regular Bluetooth USB dongles. First, with their new hardware they released earlier this year, also the structure of the firmware has changed. Therefore the newer firmware wont work out of the box the good old way.

Second they seem to have changed their licensing policy. You have to register your software (with your license key) of FTE4BTonline. And, that’s the funny thing, seems that you also have to ‘de-register’ your software online. Means: when you want to install your software somewhere else, de-install it on the other PC and ‘de-register’ it online. Then install it on the other PC. What happens when your old PC is br0ken? No idea.

Anyway.. maybe that way more people will be interested in building their own and free Bluetooth sniffer.

CBBQWE08 and Secure Simple Pairing

hosh — Wed, 18 Jun 2008 22:29:30 +0000

This weekend the CBBQWE08 will take place in Dortmund, Germany, Old Europe. It’s organized by the CCC Dortmund there will be some lectures – I will give an overview of the new security features of Bluetooth Secure Simple Pairing – but the main focus of the event is the BBQ and having some fun. I hope it will be good weather.

Slides for modifying your BT dongle into a sniffer

hosh — Fri, 28 Mar 2008 23:37:21 +0000

Remark: FTE changed something in their firmware, therefore the described way does not work anymore!

Found this slides, which give you a nice 20min walk through for changing your BT dongle to a BT sniffer.

24C3: Mifare Security

hosh — Sun, 06 Jan 2008 15:41:40 +0000

Seems that I have missed one of the most interesting speeches at 24C3.
Henryk Plötz and Karsten Nohl presented the recent developments in reverse engineering the Mifare RFID card. What they basically did is polishing away the different layers of the chip in the Mifare card and then visually analyze the layers, trying to find the cryptographic relevant parts. The security of the low-end Mifare Classic cards is to be concerned as broken. “Start migrating!” This does not have an impact on the high-end Mifare DESFire card. Check out the video!

Slides 1
Slides 2

Torrent of the video recording in Matroska / Vorbis / H.264
Torrent of the video recording in MPEG-4 / AAC-LC / H.264

24C3: Bluetooth Stuff

hosh — Fri, 28 Dec 2007 21:06:50 +0000

Hi there! Greetings from 24C3, the annual hacker meeting of CCC. Some updates on Bluetooth related stuff:

Balle released a new version of bluediving, now available in version 0.9.

A funky new tool has been released at this congress: bluedrift. What driftnet is for ethernet, bluedrift is for Bluetooth. Using a special Bluetooth dongle which is capable of being flashed, you are now able to automatically sniff Bluetooth traffic and extract OBEX data, e.g. electronic vcards or pictures, from your sniff.

Another project I didn’t know before is the Wave Bubble by ladyada: “A design for a self-tuning portable RF jammer”

Best cite of the congress: “MIT doesn’t teach you how to fuck GSM-Networks” — Ladyada

iPhone’s Bluetooth Bug and the Metasploit Framework

hosh — Sat, 29 Sep 2007 20:21:55 +0000

As balle already pointed out, there is a major Bluetooth Bug in iPhones. The SDP-Service can be exploited to execute arbitrary code. The funny thing with iPhones is, that even when Inquiry Scan is disabled (“hidden Bluetooth device”) it’s easy to find out the Bluetooth Address of an iPhone: The WiFi-address is the Bluetooth address incremented by one. When you know the MAC Address of the iPhone, you also know the Bluetooth address.

Another interesting thing: The Metasploit Framework about to be ported to the iPhone. All the applications seem to run as UID 0 on the iPhone – this is going to be fun!

Source: Computerworld