June Meeting Recap

Thanks to all who attended the June meeting. Lots of interesting discussion and demos as usual.

Some highlights were Klaiviel giving an in-depth look at the state of 3D printing with a focus on weapons and some of the issues surrounding it.

We later headed for the roof of Bucketworks to learn about DirecTV hardware installations and some of the tools the pros use. We got to learn about different satellites and had some really good discussions while the ISS zipped past brightly in the night sky. Thanks Darkwind.

dw5304 took over next and showed off some 40Gb Ethernet gear along with a demo.  We also had fun exploiting some really awful security of a customer management portal that dw5304 stumbled upon.

edgewalker was one of the lucky contestants to win the Free Junk Giveaway.  Enjoy the LetterPerfect software on your IBM/DOS compatible PC! 

Some pictures courtesy of our beloved overlord, AnarchyAngel.

A Question to Milwaukee, a Bucketworks Emergency

Bucketworks is a co-working, meetup, and practice space for creative professionals.  They’ve been gracious enough to host DC414 monthly meetings and many other events for hackers.

We’re all at risk of losing this space due to some recent financial problems they’re encountering.  I encourage anyone to give back to this awesome space and help them continue to help us.

DC414 as an organization is helping; you can too, by donating to Bucketworks by following this link.

Please read Tim Syth’s (Director of Bucketworks) question to Milwaukee:

After being born and raised in rural Wisconsin, and spending nearly 5 years wandering the planet as a photographer and student, I came to Milwaukee about 18 months ago because the city intrigued me. It was gritty, blue-collar and raw. It did not offer the apparition of a polished facade. Its issues were displayed prominently on its sleeve. It felt real.

Perhaps naively, I also came to Milwaukee hoping I could make a difference. Here was a place I could come and actually have a name and face as I tried to leave a positive mark as the director of a project called Bucketworks. I still believe this.

Bucketworks, for those who don’t know, just celebrated its eleventh birthday. Eleven years ago this May it was started by James Carlson and a cadre of accomplices who wanted nothing more than to explore creatively in a way that only art in warehouses can provide. There was little method to the madness, but it was one of the first collaborative spaces in the country, and in Milwaukee of all places. It was a place all about making it happen (whatever “it” was) and giving people a reason to gather and work together. It was the spot in the city for the curious and motivated to gather and create art, businesses, theater, events and products.

Bucketworks has had its issues, much like its home city, but through thick and thin and two floods Bucketworks has managed to persevere, and in that time, Milwaukee has started to blossom. We now have the Milwaukee Makerspace, ArtMKE, the Hudson, VETransfer, Gener8tor, MARN, the Creative Alliance, Open MiKE, just to name a few. As a relatively new transplant, the vibrancy of the creative culture in Milwaukee is a sorely told story—we are lucky to be in this time and place. But as each of these great efforts filled a niche, and as each of these efforts has been born, Bucketworks has adjusted and pushed ahead because it has always been the job of Bucketworks to be on the edge—to be that hard-to-explain place “where things start.”

Fast forward 18 months from my arrival in Milwaukee to today and some of that gritty, blue-collar and raw is weighing on me. Those of you I have had the pleasure of meeting know that I have been very open about the situation at Bucketworks. It has its issues and it wears its dirt on its sleeve. Specifically, we have not been paying rent for 4 months. For the year I have been here prior to those four months, we paid $7000/mo for 6 months and $2500/mo for 6 months before that. We are not paying rent because we spent $2500 on a broken heating system we don’t own, but because we could not afford to fix the system completely, we still paid $2500/mo to heat the space in the winter. We patched a roof we don’t own with the gracious donation of time from a Milwaukee startup that helps veterans develop job skills. We repaired air conditioners. We spent $2000 on a sprinkler system we don’t own to get the building up to code. We replaced toilets that were broken, patched floors, and fixed lights, all while running the organization.

But why not just raise the prices to cover the bills? We don’t raise the prices because we feel it is important for there to be a place in our city where a person can explore projects without breaking the bank. We believe a lack of money should not stop people from trying. Bucketworks is home to 15+ businesses on any given month who pay on average less than $200 a month to operate. If you can get past the Commons, bang for your bucket it is the lowest-cost place in the city to start a business. Bucketworks is a place where teenagers from the city come to make art while learning important things like punctuality and responsibility. Bucketworks is a place where people gather to learn English and to learn about citizenship. Bucketworks is a place where people meet to talk about open data and to teach each other about technology and mysticism and financial planning. Bucketworks is a place to sword fight, practice aerial silks and to dance. Bucketworks is where people voluntarily work together on improving healthcare. Bucketworks is the place where bees are nurtured and celebrated. In short, Bucketworks is a living and breathing demonstration of functional, diverse community in a city that is known for its silos and segregation.

Please note this isn’t a blame game that falls on our landlord or others who are currently interested in the space. I have a good relationship with our landlord—we agree with a shake of our hands and then do the best we can. We operate like much of Milwaukee operates, and I think this is to be celebrated. Also note that this text represents solely my words and perspectives.

In closing, I want to say that Bucketworks is cleaning out its closets and washing the dirt from its sleeves. I will meet with anyone who is interested and let them know where we stand, what we need to do better and what our plan is to get there. We already have great partnerships that are interested in supporting and bringing stability to this wonderful project, but right now we need time, and in order to get that time, we need money. $18,000 would get us six months of runway on rent, $36,000 would get us twelve, and anything in between would be awesome.

As a recent transplant to this city who has seen Berlin, Tokyo, Hong Kong, Venice, New York, Mexico City, Riga, Paris and many others, I believe Milwaukee is a place to be right now. We have a city that can hide little and is full of people who want to do more. I am committed to making this a place where people have a real option when they want to try an idea. I am willing to do what it takes to bring long term stability to an awesome project in a city that is just rediscovering itself.

So the question I have is this:

Does Milwaukee want Bucketworks?

If it does, please donate what you can. If all you can do is forward this on, please do so. We have an opportunity to show that Milwaukee is a community together. We are not asking for much and we never have asked for much, but I am asking for Bucketworks now. If we reach our goal, the funds will be used to cover rent. If we do not reach our goal, the funds will be used to find a new home. Our goal is to raise $18,000+ by the end of the business day today—please help.

Thank you,

Tim Syth
Director of Bucketworks

Getting IP addresses from contacts on Skype as told by Noize.

Skype is an extremely popular, proprietary, cross-platform, peer-to-peer Voice-over-IP software client written by Skype Communications SARL, which is now owned by Microsoft Corporation. Due to its peer-to-peer always-on nature it is possible for a researcher to determine characteristics about a target computer, without the user’s knowledge. This can be leveraged to obtain information like the IP address of a target computer.

This is an educational guide only; use this knowledge at your own risk, and always remember: “the quieter you become, the more you are able to hear”.

Prerequisites

  • Your IP address

Skype Setup

  1. Head into Tools -> Options -> Advanced -> Connection
  2. Uncheck the checkbox labeled: “Use port 80 and 443 as alternative for incoming connections.”
  3. Use port 1210 for incoming connections. This is located right above the checkbox from step 2.
    The reason for using this port is that it’s an unassigned TCP/UDP port, so we will not be DoSing a port or causing other issues.

Wireshark Setup

  1. Open Wireshark and start watching your incoming and outgoing traffic.
    Sniff the interface you will be using Skype on.
  2. Create a filter like this
    ip.src == $your_ip_address and udp.srcport == 1210

Capture IP

  1. Start a call to a person, online or offline
  2. Watch Wireshark and it will start to show you outgoing and incoming connections.
  3. Once you have an outgoing IP that is consistent to the incoming IP, you have found it.

Happy Hacking!

Many thanks to Noize for writing this up and allowing us to share it.

May meeting recap

The May meeting was another great one. Both Ngharo and myself were late because of traffic and junk, so darkwind got things started with his popular demo of sniffing pager messages from the air. I showed up at the tail end and when he was done I started the introductions. It was good to see all the new faces. After everyone talked for about 15 minutes I gave a live demo on using ActionScript “Flash” to inject an XSS exploit into an otherwise secure website. Then Noize took over and gave an interesting live demo of getting IP addresses from contacts on Skype. Then dw5304 showed some of the features in the Untangle firewall software. Congrats to ALee for winning the dc414 free junk giveaway!! Here are some pictures I took of the meeting.

ALee and his winnings!

Cisco DDR2200 ADSL2 Residential Gateway Router Vulnerabilities

I have discovered two vulnerabilities in the Cisco DDR2200 ADSL2 Residential Gateway Router. The first vulnerability is that this device responds to UPnP multicast packets and UPnP SOAP requests from outside of its local area network, allowing attackers to forward ports and redirect traffic without being authenticated, all of which can be exploited using dc414’s Upnp Exploiter.

The second vulnerability is remote command execution in the web based ping function. You can inject a pipe “|” followed by your command and it will get run on the shell and return the results as shown below.

Ping PoC: http://192.168.1.254/waitPingqry.cgi?showPingResult=1&pingAddr=127.0.0.1|ls

Screenshot from 2013-04-15 18:55:59
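As an added illustration (not the DDR2200 firmware or anything from the original post), the unsafe pattern that produces the bug above, beside a hardened handler that only accepts a literal IP address and never hands the value to a shell, plus a small detector that flags injection attempts in constructed access-log lines. The log format and the sample IPs are assumptions.

```python
"""Added example (not the DDR2200 firmware): the unsafe pattern behind the
waitPingqry.cgi bug beside a hardened version, plus a log check for attempts."""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit


def build_ping_command_vulnerable(ping_addr: str) -> str:
    """Unsafe: the request parameter is pasted into one shell string, so a
    pingAddr of "127.0.0.1|ls" makes sh run ls after ping (the flaw above)."""
    return f"ping -c 4 {ping_addr}"


def validate_ping_target(ping_addr: str) -> str:
    """Accept only a literal IPv4/IPv6 address; reject everything else."""
    try:
        return str(ipaddress.ip_address(ping_addr.strip()))
    except ValueError:
        raise ValueError(f"rejected ping target: {ping_addr!r}") from None


def build_ping_command_hardened(ping_addr: str) -> list:
    """Safe: validated target passed as its own argv element, no shell, so
    "|" never reaches a shell and a leading "-" cannot become a ping flag."""
    return ["ping", "-c", "4", validate_ping_target(ping_addr)]


def run_ping(ping_addr: str) -> str:
    """Run the hardened command without a shell (needs a network)."""
    argv = build_ping_command_hardened(ping_addr)
    return subprocess.run(argv, capture_output=True, text=True, timeout=15).stdout


SHELL_META = re.compile(r"[|;&`$<>\n]")


def find_injection_attempts(log_lines) -> list:
    """Return (client, decoded pingAddr) for ping-CGI requests whose pingAddr
    carries shell metacharacters. Expects common/combined access-log lines."""
    hits = []
    for line in log_lines:
        m = re.match(r'(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) ', line)
        if not m:
            continue
        client, url = m.group(1), m.group(2)
        parts = urlsplit(url)
        if not parts.path.endswith("waitPingqry.cgi"):
            continue
        for value in parse_qs(parts.query).get("pingAddr", []):  # %7C -> "|"
            if SHELL_META.search(value):
                hits.append((client, value))
    return hits


# Constructed sample log lines, not from a real device.
SAMPLE_LOG = [
    '10.0.0.7 - - [15/Apr/2013:18:55:59 -0500] "GET /waitPingqry.cgi?showPingResult=1&pingAddr=8.8.8.8 HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/Apr/2013:18:56:10 -0500] "GET /waitPingqry.cgi?showPingResult=1&pingAddr=127.0.0.1%7Cls HTTP/1.1" 200 2048',
    '10.0.0.9 - - [15/Apr/2013:18:56:30 -0500] "GET /index.html HTTP/1.1" 200 1000',
]
```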

Upnp Exploiter

dc414 and I are proud to introduce Upnp Exploiter! A UPnP scanner and exploit tool. This tool comes with two main scanning functions and a set of exploit functions.

The first scanning function is the target scan. Here you can pick a single IP or IP range to find anything that reports back to a UPnP multicast packet sent to the normal UPnP broadcast address “239.255.255.250 on port 1900”. If the target responds it takes a closer look and sees if it can get the target’s UPnP profile, letting us know what type of device it is, what UPnP functions it supports, its IP, and other information. When used remotely, this all takes advantage of the fact that the target device violates the UPnP specs and responds to UPnP requests from outside of the device’s local area network.

The second scanning function only works in a local area network and just sends out a UPnP broadcast. This function uses the UPnP protocol as intended.
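From the defender’s side, the flaw the target scan relies on is a gateway answering discovery from any source. Added here as an example (not Upnp Exploiter and not the DDR2200 code) is the check a gateway’s SSDP responder should make: parse the M-SEARCH and answer only when the source is inside a LAN subnet and the destination is the multicast group or that LAN interface. The LAN interface and the discover datagram are constructed values.

```python
"""Added example (not Upnp Exploiter or the DDR2200 code): the source check a
gateway's SSDP responder needs so that it answers discovery only from its own
LAN, the rule the page says the DDR2200 breaks."""
import ipaddress

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
SSDP_PORT = 1900


def parse_msearch(datagram: bytes) -> dict:
    """Parse an SSDP M-SEARCH request into a header dict; ValueError if not one."""
    lines = datagram.decode("ascii").split("\r\n")
    if lines[0] != "M-SEARCH * HTTP/1.1":
        raise ValueError("not an M-SEARCH request")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().upper()] = value.strip()
    if headers.get("MAN") != '"ssdp:discover"' or "ST" not in headers:
        raise ValueError("missing MAN or ST header")
    return headers


def should_answer(datagram: bytes, src_ip: str, dst_ip: str, dst_port: int,
                  lan_ifaces) -> bool:
    """True only for a well-formed discover request whose source is inside one
    of the gateway's LAN subnets and whose destination is the SSDP multicast
    group or that LAN interface address. Anything arriving from the WAN side
    (a public source address, or addressed to the WAN IP) is dropped."""
    try:
        parse_msearch(datagram)
    except (ValueError, UnicodeDecodeError):
        return False
    if dst_port != SSDP_PORT:
        return False
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in iface.network and dst in (SSDP_GROUP, iface.ip)
               for iface in lan_ifaces)


# Constructed values: one LAN interface on the gateway and a normal discover.
LAN_IFACES = [ipaddress.ip_interface("192.168.1.254/24")]
DISCOVER = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: upnp:rootdevice\r\n\r\n')
```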

Once a list of UPnP-supporting devices is found, the script mines some information from each one, like device type, UPnP functions, and IP. If it’s a gateway device it prompts you and asks if you want to attempt to exploit it.

The first option is to forward ports. If doing this LAN side it’s best to do some network recon with NMAP or something, find some fun services running on an internal server and forward them to the web for later hacking. While gathering information on the device it gets a list of other ports forwarded via UPnP and the device’s internal IP. This is super helpful when doing things on the remote side. One of my personal favs is routing the modem’s internal port 80 to 81 on WAN. This should give you access to the router’s internal web UI for configuration. Most of the time the default creds will work for admin access >:)
This of course violates lots of RFCs, protocols, and other stuff lol.

The second exploit option tries to turn a gateway device into a proxy. Now this works using IP addresses and one host per port. So if you want to connect to Victim A on port 8 you use the script to forward all data coming in on any port you choose “for now we will say 88” to VA on port 80. So you connect to port 88 on the Victim B “the gateway device” and all the traffic is forwarded to VA on port 80. This also breaks UPNP rules, but who cares.

The last little thing this script does is parse the replies for the unique_service_name() vulnerability and reports to you if it finds anything with some helpful information to aid in exploiting it.

You can get the script from the git page HERE. If you like it please consider donating to dc414 or me (Anarchy Angel – anarchy@new.dc414.org) for taking the time to make such an awesome script 🙂 If anyone would like to help with development please contact Anarchy Angel (me).

Many thanks to Ngharo for help with the regex and list stuff.

April meeting recap

April’s meeting was awesome! Ngharo started us off with room introductions, which was helpful considering all the new faces at this meeting. Next I gave a quick demo of my new tool Upnp Exploiter, which led to me disclosing two 0day vulnerabilities in the Cisco DDR2200 ADSL2 Residential Gateway Router “expect more on all this later”! Then dw5304 gave his SNMP demo again and showed all the n00bs how to pwn Cisco routers using SNMP to upload your own config to them. Then we all started messing around with trying to draw words on an oscilloscope with my Arduino. Because of a late start that is all we had time for. Congrats to BigStarHero for winning an Emerson switch board in the free junk giveaway! Here are some pictures from the meeting.

Free junk giveaway big winner!

Windows 8/Server 2012 unsigned driver hell no more.

So I have this nice new computer that I built with an ASUS P9X79 motherboard. I wanted it to become a 2012 server for some stuff. After loading the OS I found out that the NIC is “incompatible”, since Intel thinks that it’s a desktop board and should not be used in a server. I went looking through the INF file and found out that it was ignoring the hardware IDs.

[ControlFlags]
ExcludeFromSelect = \
PCI\VEN_8086&DEV_1502,\
PCI\VEN_8086&DEV_1503

Well, this sucks... let’s fix it.

I then removed the ExcludeFromSelect line and the two lines following it.

Went to install the modified driver and ended up with this (screenshot).

Well, at least I know it’s OK :). Now let’s fix the catalog’s hash.

A hunt on Google told me I needed inf2cat, so let’s download it here.

inf2cat /driver:"C:\Driver" /os:8_X64

My new catalog was created :).
Went and tried installing my new driver once again and damn :(... digital signature is missing, wtf???? How the hell am I going to fix that, I thought.

A little more searching turned up that we can make a self-signed cert and attach it to a driver “he he”.... nice try Microsoft.....

So let’s get this sucker signed. Download here.

makecert -r -n "CN=Intelnic" -pe -ss MyCertStore -sr LocalMachine

Now I needed to export this cert with its private key so I could import it into “Trusted Root CAs” and “Trusted Publishers”, both on the local machine where I was building the driver and on the target machine where I wanted to install it :).

Now that we have it imported, let’s sign this sucker.
signtool sign /s MyCertStore /n "Intelnic" /t http://timestamp.verisign.com/scripts/timestamp.dll "C:\Driver\e1c63x64.cat"

Went back to my server, installed the cert in Trusted Root CAs and Trusted Publishers, and hey look, my NIC now works :).

it works

Thanks, Microsoft, for making a “secure” OS that has to have signed drivers... but wait.... I just made the signature myself, oh well, there went that idea....

March meeting madness!

The March meeting was no letdown; we had lots of people and, as always, great demos. Ngharo got it started with a make-your-own Pringles can cantenna. 9 lucky attendees got to make and take home their own cantenna! Then he kept it going with a quick demo of Radio Mobile and how to use it to plan a long-range wireless mesh network. Then the professor gave a demo on Metasploit, using a Java exploit to root a Windows box. dw5304 took over and gave a little demo of a hacked Xbox 360 and using a laptop to control everything the console does. Here are some pictures from the meeting. Congrats to uberushaximus for winning 100 free hours of AOL high speed!!

Bucketworks PA project

Earlier last week I ended up making a new PA system for Bucketworks. Now, what most people will not realize is that everything at Bucketworks is hacked together, and this is no different. I was asked to make a low-power radio system for notifying people within Bucketworks about people at the door and other uses. Since we would need to file for an FCC license, I decided to go another route, and the Bucketworks PA project was born.

During our wandering around Bucketworks we (Paul, Eli, and I) have come across many things. One of those things was an old PA speaker, and I got to thinking: does it still work? I ended up wiring one up to an amp we found in the basement, along with an old audio mixer, seen below, after finding out we had a bad 1/4″ cable.

And lo and behold, it worked.
https://www.youtube.com/embed/Lehy4tTpVCg

The next step was to figure out where all the rest of the speakers were located and where to run the wires back to the server room where we were going to store the audio equipment. We ended up finding a total of 5 speakers, wired them in and played some Pandora over the new PA system. I had to modify a cable to go from the “server” to the audio board.

I then set to making the Bucketworks PA bot. This bot is a Windows client that logs into an IRC channel and originally just sent text to a text-to-speech function over the sound board. I expanded it to authenticate users, announce NOAA weather warnings, play music, tell the time and a few other functions.

After showing it to a few guys we ended up hearing this and we all started laughing.

And the Bucketworks PA project was complete.
If there is any interest, I will upload the code.