My lame IR copy toy pt2

Some of you might remember the first post on my lame IR copy toy. Well, I have tweaked the code a little and put it all on a nice little PCB that fits nicely over the Arduino. Here is the “finished” project:

Here's some video of it working:

Here it is being used to control a helicopter:

Here is the code:

One thing I left out of my first post is that in order for this to work you have to use this IR remote library from Ken Shirriff. That's it, peace.

October meeting recap.

October's meeting was awesome as always, and we had a few new faces, which is always a good thing! We all hacked away at Windows Server 8 for a bit and found a few bugs, but unfortunately for the n00bs the meeting didn't really get popping until after they left :/

ngharo gave us all a great talk on the wall of sheep: how he coded it, what he coded it in, what other software was used, and all the challenges that came up along the way. Dark Wind brought a toy remote-controlled helicopter that uses IR for control, and we found out my IR copy toy could be used to copy codes from the remote and take control of the helicopter 🙂 I was excited to finally get to use my 1337 IR copy toy on something!!

After all the IR fun there was a little talk about making an Arduino-based safe cracker to get into the safe at Bucketworks; that should be a cool project once it's all done. Then I showed everyone how to make their own resistors with little more than a piece of paper and a pencil. The DIY fun didn't stop there: I also demoed how to make capacitors using just tin foil, cling wrap, tape and some wire! Then, while trying to make the homemade capacitor blow up, we found out that if you expose it to high voltage, like the kind coming out of a wall outlet, it will start buzzing and expanding 🙂

Congrats to Dark Wind on winning the dc414 free junk giveaway; he got Red Hat Linux 6.1 Enterprise with the extended support package 😛 Here are some pictures courtesy of cmoney (tyvm cmoney). I didn't get a pic of Dark Wind with his winnings because, idk, I failed. OK, that's it, see you next time.

BarCamp – Post Conference Report

DC414 got a lot of exposure at BarCamp. We were the only peeps that set up in “the commons”, where most everyone would pass through while entering the building. This was also the area where the lightning talks, introductions, and closing events took place.

Wall of Sheep
The wall was a great success for the most part. Initially, we had to manually sniff and enter sheep onto the wall. This was becoming a pain in the ass. We finally got it automated by taking a log from ettercap and piping it into a Ruby script which would post to a simple web service. The source can be found here. In the afternoon we started getting flooded with fake logins to gmail.com from a user on the network. Some nerd had scripted this to create chaos upon us! Unfortunately, we were tapped onto the network at such a point where we would not see local IPs for the source of traffic. I lol'd and set dw5304 on the hunt to track the user down. We knew he was using Ruby, as that's what the User-Agent string said. dw5304 quickly found him and we all had a laugh. The scripter gave a lightning talk on his mischief later in the evening. We'd like to expand on the current scripts and tweak our filters to automate even more types of insecure communications.

The overall atmosphere was very, very hacker friendly. I had fun listening in to Klaiviel, Vlad, and darkwind troll some unfortunate hotel workers on their radios. We also did a bit of urban exploration in Bucketworks' basement … with a 1W laser 😉 Klaiviel did an awesome job presenting on lock picking etc. It was funny how Klaiviel showed up with like 5x as many locks and as much equipment as the guy who was hosting the lockpicking session. There is a safe at Bucketworks that they need assistance opening … Klaiviel did a bunch of research and came to the conclusion that he will need to brute force it. I'm hoping dc414 can come together and make this happen. dw5304 dropped a lot of knowledge on people coming by our setup. Much thanks for all the equipment and dedication he brought to BarCamp.

Some very smart folks were creeping around, and while I personally did not see many presentations, I still learned a lot. We gave out a ton of stickers, flyers and window clings (thanks cmoney and Anarchy). With that we should see new peeps start showing up to meetings.

June 2011 meeting recap

I know this post is a little late, but we have been busy with other stuff, and my mom always said better late than never. Valdimir started us off with a fun demo of his magnetic card reader (vid below), which could also write to a card, but he didn't have the right software; he said he will be getting the right stuff soon. Then he came out with the big guns, a 3G/cell phone jammer!! This thing was all kinds of fun, and I uploaded a little vid of one of the demos we did with it (below). The awesomeness didn't end there: dw5304 gave us a nice demo of ZFS and showed off some of its more robust features. One of my personal favorite features was being able to pipe snapshots to anything!! Congrats to Darkwind for being last meeting's winner of free junk from dc414!! Here are some pics taken at dc414.

Darkwind and his winnings!

Vlad reading cards:

Vlad be jammin:

Defend Online Anonymity – Set Up a Tor Relay

Got this in a email from the good people over at EFF:

Dear Anarchy,
We use Tor to access our website and to publish to our blog, which is blocked inside of our country. — Iranian human rights activist
If you could do something to make the Internet safer and more private for activists, investigative journalists, and humanitarian aid workers around the world, would you?

You can.

Today EFF is launching the Tor Challenge—a campaign to encourage Internet users all over the world to support the Tor network by operating relays.

Tor is a service that helps you to protect your anonymity while using the Internet and allows you to circumvent Internet censorship. When you use the Tor software, your real IP address remains hidden. Activists all over the world depend on Tor to maintain anonymity when communicating and accessing websites that have been blocked by their governments.

The Tor software depends on the Tor network, which is made up of Tor relays operated by individuals like you. The more Tor relays we have running, the faster, more secure and more robust the Tor network becomes.

Are you ready to help Internet activists all over the world?

Click here to see how and learn more.
Defending your digital rights,

The EFF Activism Team

This is a great idea and more ppl should run Tor exit relays, but it does not come without some pains. I kept on getting DMCA notices, so I had to employ a few exit policy rules on my relay. Here are the ones I'm using.

ExitPolicy accept *:20-23 # FTP, SSH, telnet
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79-81 # finger, HTTP
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:143 # IMAP
ExitPolicy accept *:194 # IRC
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464-465 # kpasswd, SMTP over SSL
ExitPolicy accept *:543-544
ExitPolicy accept *:563 # NNTP over SSL
ExitPolicy accept *:587 # SMTP
ExitPolicy accept *:706
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904
ExitPolicy accept *:981
ExitPolicy accept *:989-995 # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL
ExitPolicy accept *:1194 # openvpn
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # PKT-KRB-IPSec
ExitPolicy accept *:1500 # VLSI License Manager
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:2082-2083 # Radius
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:3128 # SQUID
ExitPolicy accept *:3389 # MS WBT
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:4643
ExitPolicy accept *:5050 # MMCC
ExitPolicy accept *:5190 # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5900 # VNC
ExitPolicy accept *:6666-6667 # IRC
ExitPolicy accept *:6679
ExitPolicy accept *:6697
ExitPolicy accept *:8000 # iRDMI
ExitPolicy accept *:8008
ExitPolicy accept *:8080 # HTTP Proxies
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8443 # PCsync HTTPS
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418 # git
ExitPolicy accept *:9999 # distinct
ExitPolicy accept *:10000 # Network Data Management Protocol
ExitPolicy accept *:19638
ExitPolicy reject *:*

So anyway, yes, everyone should run a Tor relay and should also use the above for your Tor relay config. On Ubuntu boxes just search for ExitPolicy in /etc/tor/torrc and paste it in. Be sure to comment out any pre-existing exit policies. OK, go set up a Tor exit relay already!!
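Tor walks an ExitPolicy from the top and the first rule that matches a destination decides, so the order of the lines above matters and the closing reject *:* is what actually keeps the relay out of trouble. The Python below is an added example, not part of the post: it parses rules in the syntax above (a handful of the post's own lines plus one constructed private-network reject to show the ordering effect) and answers whether a given destination would be allowed out.

```python
"""Evaluate a Tor ExitPolicy the way tor does: rules are checked in order
and the first one matching the destination address and port decides.
Added example, not from the post; the policy lines are the post's own
except the private-network reject, constructed to show ordering."""
import ipaddress

POLICY = """
ExitPolicy reject 192.168.0.0/16:* # constructed: never exit into private space
ExitPolicy accept *:20-23 # FTP, SSH, telnet
ExitPolicy accept *:79-81 # finger, HTTP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:6666-6667 # IRC
ExitPolicy reject *:*
"""

def parse_policy(text):
    """Return a list of (action, network or None for '*', low_port, high_port)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop the trailing comment
        if not line:
            continue
        keyword, action, target = line.split()
        if keyword != "ExitPolicy" or action not in ("accept", "reject"):
            raise ValueError("not an ExitPolicy rule: " + raw)
        addr, ports = target.rsplit(":", 1)
        addr = addr.strip("[]")                        # tolerate [v6addr]:ports
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if ports == "*":
            low, high = 1, 65535
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-", 1))
        else:
            low = high = int(ports)
        rules.append((action, net, low, high))
    return rules

def exit_allowed(rules, ip, port):
    """True if the first rule matching (ip, port) is an accept."""
    dst = ipaddress.ip_address(ip)
    for action, net, low, high in rules:
        if (net is None or dst in net) and low <= port <= high:
            return action == "accept"
    return False   # nothing matched; the post's policy ends in reject *:* so never lands here

RULES = parse_policy(POLICY)

if __name__ == "__main__":
    for ip, port in [("203.0.113.5", 443), ("203.0.113.5", 6881), ("192.168.1.9", 443)]:
        print(ip, port, "accept" if exit_allowed(RULES, ip, port) else "reject")
```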

Good times @ mke makerspace open house

ngh and I made a trip to mke makerspace's open house, and man, it was well worth the ride. Got to see lots of cool clocks 😀, make a little blinking LED in soldering class, watch a makerbot in action and tons more awesome stuff. Also, thanx to makerspace, we have a nice DIY project to give away at the next dc414 meeting (the blinky light we made in soldering class). Here are some pics I took while there. That's it, peace.
mke makerspace

Warning ! Your account a Aol was limited

but… I don't even have an AOL account; however, that's of no concern to the fools that sent me this nice little phishing email:

Delivered-To: XXX@gmail.com
Received: by 10.42.218.8 with SMTP id ho8cs188088icb;
Sat, 2 Apr 2011 20:49:38 -0700 (PDT)
Received: by 10.43.56.140 with SMTP id wc12mr7828120icb.237.1301802578076;
Sat, 02 Apr 2011 20:49:38 -0700 (PDT)
Return-Path:
Received: from cl-t009-331cl.privatedns.com (cp1.likuid.com [64.15.156.140])
by mx.google.com with ESMTPS id xe4si10607558icb.57.2011.04.02.20.49.37
(version=TLSv1/SSLv3 cipher=OTHER);
Sat, 02 Apr 2011 20:49:38 -0700 (PDT)
Received-SPF: neutral (google.com: 64.15.156.140 is neither permitted nor denied by best guess record for domain of nobody@cl-t009-331cl.privatedns.com) client-ip=64.15.156.140;
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.15.156.140 is neither permitted nor denied by best guess record for domain of nobody@cl-t009-331cl.privatedns.com) smtp.mail=nobody@cl-t009-331cl.privatedns.com
Received: from nobody by cl-t009-331cl.privatedns.com with local (Exim 4.69)
(envelope-from )
id 1Q6EJl-0006w2-N4
for XXX@gmail.com; Sat, 02 Apr 2011 23:49:37 -0400
To: XXX@gmail.com
Subject: Warning ! Your account a Aol was limited
X-PHP-Script: compagnelic.com/Skpy2.php for 81.192.139.76
From: Service Aol
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Sat, 02 Apr 2011 23:49:37 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cl-t009-331cl.privatedns.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - cl-t009-331cl.privatedns.com



AOL April 2011


Dear AOL Customer,

As part of our security measures,We regularly check the work of the AOL screen. We demand information to you for the following reason :

Our system detected unusual charges to a credit card linked to your AOL account.

This is the final reminder to log in to AOL as soon as possible. Once you are connected. AOL will provide you with steps to restore access to your account .

Secure Server


Click here to confirm

Once connected, follow the steps to activate your account. Thank you for your understanding as we work to ensure account security .
We appreciate your attention to this
question. Please understand that this is a security measure aimed at protecting you and your account. We apologize for any inconvenience ..


Thank you for using AOL!


This notification was sent to you by AOL. To change your notification preferences, log into your AOL account, click the Profile sub-tab, then click the Notifications link under Account Information. Changes take up to 10 days to be reflected in our mailings. AOL will not sell or rent your personally identifiable information to tiers.Pour more information about the security of your information, read our privacy policy at https://www.aol.com/privacy .

Copyright © 2011 AOL Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners. AOL is located at 2211 First St. N., San Jose, CA 95131.


Well, since I don't have an AOL account, the first thing I did was take a close look at the headers, where I found this little bit of info:

X-PHP-Script: compagnelic.com/Skpy2.php for 81.192.139.76

So I stopped by compagnelic.com/Skpy2.php, which happened to be a PHP script for mass emails from some M£NaBiLo$ss guy. I also followed the link given in the email, which takes you to some fake AOL login page that forwards to a phishing site geared to get all your personal information! The form submits to a “HiTman.php” that, when I tried to visit it, just sent me along to aol.com. All in all not a very good attempt (fewer spelling and loading errors would help); I have seen better, but thanx for the lulz and the online anonymous email app 😀
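The header walk above (find the X-PHP-Script line, note that SPF is only neutral, see that the bottom Received: says the message was injected locally on the web host, and compare the “Service Aol” display name with the real sender domain) can be scripted. This Python is an added example, not the post's code; SAMPLE is a trimmed, re-folded copy of the headers shown above in which the recipient address and the From: address are constructed.

```python
"""Triage raw e-mail headers the way the post does by hand: unfold them,
then pull out the tell-tales of a script-generated phish. Added example,
not the post's code; SAMPLE is a trimmed, re-folded copy of the post's
headers with the recipient and the From: address constructed."""
import re

SAMPLE = """\
Received: from cl-t009-331cl.privatedns.com (cp1.likuid.com [64.15.156.140])
    by mx.google.com with ESMTPS id xe4si10607558icb.57.2011.04.02.20.49.37;
    Sat, 02 Apr 2011 20:49:38 -0700 (PDT)
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.15.156.140
    is neither permitted nor denied by best guess record for domain of
    nobody@cl-t009-331cl.privatedns.com) smtp.mail=nobody@cl-t009-331cl.privatedns.com
Received: from nobody by cl-t009-331cl.privatedns.com with local (Exim 4.69)
    id 1Q6EJl-0006w2-N4
    for victim@example.com; Sat, 02 Apr 2011 23:49:37 -0400
Subject: Warning ! Your account a Aol was limited
X-PHP-Script: compagnelic.com/Skpy2.php for 81.192.139.76
From: Service Aol <nobody@cl-t009-331cl.privatedns.com>
"""

def unfold(raw):
    """A line starting with whitespace continues the previous field (RFC 5322 folding)."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers

def triage(raw):
    """Return findings as tuples; an empty list means nothing looked scripted."""
    hdrs = unfold(raw)
    get = lambda name: [v for k, v in hdrs if k == name]
    findings = []
    for v in get("x-php-script"):                  # the header the post spotted
        m = re.match(r"(\S+)\s+for\s+(\S+)", v)   # script path, then the client it ran for
        if m:
            findings.append(("php-script", m.group(1), m.group(2)))
    for v in get("authentication-results"):
        m = re.search(r"spf=(\w+)", v)
        if m and m.group(1) != "pass":
            findings.append(("spf", m.group(1)))
    received = get("received")                      # last Received: is the first hop
    if received and " with local " in received[-1]:
        findings.append(("injected-locally", re.search(r"\bby (\S+)", received[-1]).group(1)))
    for v in get("from"):
        m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>', v)
        words = m.group(1).split() if m else []
        domain = m.group(2).rsplit("@", 1)[-1].lower() if m else ""
        if words and words[-1].lower() not in domain:   # heuristic: brand vs. sender domain
            findings.append(("brand-mismatch", m.group(1), domain))
    return findings
```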

April's meeting rundown.

Last night's meeting was not a letdown: dw5403 and Matt wowed us with killer demonstrations of a laser mic setup (pics below) and Van Eck phreaking!! (Video). dw also brought his DIY 3-port powerless hub and gave us a little demo of sslstrip. Matt busted out his massive lock collection and we all got to play around a little bit. We also saw the release of ODiG! Below is a pic of this month's winner of junk from dc414, “dstarar”. (More pics HERE; I took more but they got all fucked up somehow.)

Hacking with ODiG

Some of you may have seen this before; I had this post/tool on one of my old sites a long time ago. I am going to show you how to do a zone transfer using my online tool ODiG. OK, so it's not really hacking, but it can help you get a foot in the door. Wikipedia says a zone transfer, also sometimes known by its (most common) opcode mnemonic AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to employ for replicating the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavors, full (opcode AXFR) and incremental (IXFR). Nearly universal at one time, it is now becoming less popular in favor of the use of other database replication mechanisms that modern DNS server packages provide.

OK, so what all that means is that a DNS zone transfer will give us all the subdomains a DNS server has on record for a given domain. For example, if we did a zone transfer on a DNS server that serves google we would get mail.google.com, code.google.com, images.google.com and so on. In other words, it gives you more access points into the network: now, instead of just www.target.com and whatever links you can find on the site, you can attack anything they may have that goes out to the net. You might get lucky and find some test servers and who knows what else.

For testing I will be using morainepark.edu, a local tech college. Now go to ODiG and use morainepark.edu as the target, in the query drop-down select NS (nameserver), leave the rest as is, enter the captcha and hit submit. We are looking for whatever DNS server holds records for the domain morainepark.edu, so we will be looking in the “;; AUTHORITY SECTION:”, where we see “morainepark.edu. 9863 IN NS dns.uw-mad.wiscnet.net”. So dns.uw-mad.wiscnet.net is the DNS server that holds the records we want. Now go back to ODiG, again put morainepark.edu as the target, only this time put dns.uw-mad.wiscnet.net in the DNS server field and change the Query drop-down box to AXFR (zone transfer), enter the captcha, hit submit, and you will be given all the records that DNS server holds for the morainepark.edu domain. Now you can really get some scanning done!!

If you did the same thing to wisconsin.edu you would get a transfer failed message, which will be the case with any secure DNS host. Now, for the sake of security, I would hope ppl are pen-testing things before they expose them to the net, but more often than not they don't, and that can get really messy! To secure BIND against this kind of information leak, just edit /etc/bind.conf and add this line:
allow-transfer { 192.168.1.4; 172.16.1.5; };

where 192.168.1.4 and 172.16.1.5 are the only addresses you will allow transfers to and from. To secure other DNS server software look here: HERE
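After adding an allow-transfer line like the one above, the check worth running is the same AXFR request ODiG sends, pointed at your own name servers: a locked-down server answers with RCODE REFUSED, an open one starts streaming records. The Python below is an added example, not ODiG's code, and uses only the standard library; the server and zone under __main__ are placeholders to replace with your own.

```python
"""Check whether a name server hands out a zone over AXFR, the transfer the
post runs through ODiG, using only the standard library. Added example, not
ODiG's code; the server and zone under __main__ are placeholders."""
import socket
import struct

QTYPE_AXFR, CLASS_IN, RCODE_REFUSED = 252, 1, 5

def build_axfr_query(zone, qid=0x1234):
    """12-byte header with no flags set, then one question of type AXFR."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_AXFR, CLASS_IN)

def classify_response(msg, qid=0x1234):
    """From the header alone: ('refused', 0), ('transferred', n) or ('error', rcode)."""
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid or not flags & 0x8000:       # wrong ID, or not a response at all
        return ("error", -1)
    rcode = flags & 0x000F
    if rcode == RCODE_REFUSED:
        return ("refused", 0)
    if rcode != 0:
        return ("error", rcode)
    return ("transferred", ancount)            # records in this message; more may follow

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def axfr_probe(server, zone, timeout=5.0):
    """AXFR runs over TCP with a 2-byte length prefix; the first message is
    enough to tell a refusal from a transfer (which starts with the SOA)."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", _recv_exact(sock, 2))
        return classify_response(_recv_exact(sock, length))

if __name__ == "__main__":
    # Placeholders: point this at your own name server and zone.
    print(axfr_probe("ns1.example.net", "example.com"))
```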

PHP Shadow released!

PHP Shadow obfuscates a PHP script for you, making it harder to detect on a system. One possible use would be to hide a PHP shell from IDS/IPS and other systems as well. So how does it work? Well, you start with some PHP code like so:


function go()
{
    $txt = "hello world";
    echo $txt;
}
go();

Then you submit it to PHP Shadow and you should get this back:

<? eval(str_rot13(base64_decode('c2hhcGd2YmEgazM0cTFzOTFzbzJyNTE0bzg1NzZzbm8xbjc1bjg5bjZvKCl7JGtwNzgyNHMzcTRxNXM3bzJzMjJxMDM0NzU4cDFyOTQ1ND0idXJ5eWIgamJleXEiO3JwdWIgJGtwNzgyNHMzcTRxNXM3bzJzMjJxMDM0NzU4cDFyOTQ1NDt9azM0cTFzOTFzbzJyNTE0bzg1NzZzbm8xbjc1bjg5bjZvKCk7IHJwdWIgIjxwcmFncmU+PG92dD5HdXZmIGZwZXZjZyBqbmYgcmFwYnFycSBvbCA8biB1ZXJzPVwidWdnY2Y6Ly9xcDQxNC5iZXRcIj5xcDQxNDwvbj5mIENVQyBGdW5xYmo8L292dD48L3ByYWdyZT4iOw=='))); ?>

Now paste that code into a blank PHP file and it will run as normal. So we can see that PHP Shadow rot13s your code, base64 encodes the result and wraps it in an eval(), adding a layer that can't be seen until you decode it. Here is what our code looks like after we base64 decode and rot13 it:


function x34d1f91fb2e514b8576fab1a75a89a6b(){$xc7824f3d4d5f7b2f22d034758c1e9454="hello world";echo $xc7824f3d4d5f7b2f22d034758c1e9454;}x34d1f91fb2e514b8576fab1a75a89a6b(); echo "<center><big>This script was encoded by <a href=\"https://new.dc414.org\">dc414</a>s PHP Shadow</big></center>";

We see that all vars and functions are renamed to MD5 hashes to make it harder to follow and see what's going on. The trailing echo of the dc414 credit is added by PHP Shadow to help spread the word 🙂 That's all I got, enjoy.
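The same two steps run in reverse give an analyst the readable script back, and a third one undoes the MD5 renaming. The Python below is an added example, not PHP Shadow's code: it pulls the decoder names and payload out of the eval() wrapper shown above, applies the decoders innermost-first exactly as PHP would, and then renames the hashed identifiers to short ones. ENCODED is the post's own sample; the decoder table covers only the two functions the wrapper uses.

```python
"""Unwrap the eval(str_rot13(base64_decode('...'))) layer that PHP Shadow
emits, so the real code can be read, and give the MD5 names short ones.
Added example, not PHP Shadow's code; ENCODED is the post's own sample."""
import base64
import codecs
import re

ENCODED = (
    "<? eval(str_rot13(base64_decode('"
    "c2hhcGd2YmEgazM0cTFzOTFzbzJyNTE0bzg1NzZzbm8xbjc1bjg5bjZvKCl7JGtwNzgyNHMz"
    "cTRxNXM3bzJzMjJxMDM0NzU4cDFyOTQ1ND0idXJ5eWIgamJleXEiO3JwdWIgJGtwNzgyNHMz"
    "cTRxNXM3bzJzMjJxMDM0NzU4cDFyOTQ1NDt9azM0cTFzOTFzbzJyNTE0bzg1NzZzbm8xbjc1"
    "bjg5bjZvKCk7IHJwdWIgIjxwcmFncmU+PG92dD5HdXZmIGZwZXZjZyBqbmYgcmFwYnFycSBv"
    "bCA8biB1ZXJzPVwidWdnY2Y6Ly9xcDQxNC5iZXRcIj5xcDQxNDwvbj5mIENVQyBGdW5xYmo8"
    "L292dD48L3ByYWdyZT4iOw=="
    "'))); ?>"
)

# eval( one-or-more name( ... 'payload' )...;  -> group 1: decoder names, group 2: payload
WRAPPER = re.compile(r"eval\(((?:\w+\()+)'([A-Za-z0-9+/=]+)'\)+;")
DECODERS = {
    "base64_decode": lambda s: base64.b64decode(s).decode("latin-1"),
    "str_rot13": lambda s: codecs.decode(s, "rot_13"),
}

def unwrap(php):
    """Apply the decoders innermost-first, as PHP itself would before eval."""
    m = WRAPPER.search(php)
    if not m:
        return None
    names = [n for n in m.group(1).split("(") if n]   # outermost first
    data = m.group(2)
    for name in reversed(names):
        data = DECODERS[name](data)                  # KeyError on an unknown wrapper
    return data

def readable(code):
    """Rename x<md5> functions to f1, f2... and $x<md5> variables to $v1, $v2..."""
    funcs, variables = {}, {}
    def short(m):
        table, prefix = (variables, "$v") if m.group(1) else (funcs, "f")
        return table.setdefault(m.group(2), prefix + str(len(table) + 1))
    return re.sub(r"(?<!\w)(\$?)x([0-9a-f]{32})\b", short, code)

if __name__ == "__main__":
    print(readable(unwrap(ENCODED)))
```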