Last year's barcampmke was awesome, everyone had lots of fun and met some great people. Some of you might remember we had a little stand last year and ran the good old wall of sheep; well, we liked it so much that this year we decided to become an official sponsor of barcampmke and expand our operations. This year we will not only be doing the wall of sheep, but we will also be running a lockpick and tamper evident village, a cat5 cable making couples contest, plus giving away free beer!! To get a free beer you have to either pick a lock from the village in under 2 minutes, reveal the secret message contained in a package secured with tamper evident labels, tape, lock seals, and tug tights, or beat your competitor to making a working cat5 cable! So sharpen up on your skills and win some free beer! See you at barcamp.
Let's hack schools
School is about to start back up for the year, which gives us a great opportunity to give. So at the next meeting "9.7.12", if you bring in school/art supplies to donate in addition to the normal $5 dc414 donation you will get an "I HACK SCHOOLS" pin and the satisfaction of helping tomorrow's generation to learn. So let's hack schools together!
Some ideas of stuff to give:
No.2 pencils
ballpoint pens “red and black”
Spiral-bound or composition notebooks
colored pencils
colored clay
non colored clay “grey”
backpacks
index cards
construction paper
glue
three ring binders
erasers
Pencil sharpener (hand-held with a top to collect shavings)
folders
dc414 donations bucket 2.0
A while back we started using a bucket to collect cash donations at meetings and for a while I have been wanting to trick it out. So I was keeping an eye out for things to add other than blinking lights, then cmoney came home with a Powerball advertisement thing from her gas station that has an electric pendulum thing. I wish I had a picture of it but I didn't have the foresight to take one before I took it apart.
So anyway I got right to work on making the bucket pimp. First I made a little board with a 555 timer blinking light circuit on it.
Put some lights on it and wired the pendulum thing to it.
And hot glued it all to the lid of the bucket.
Here is what it looks like all together.
OK, that's it, I hope you think it's cool. If you don't, go fuck your mom.
August meeting awesomeness
Klaiviel started us off by giving us a nice show of binary key card hotel locks popular overseas, showed us a 3D printed key for one of his locks, and explained pick-proof locks from the 40s that are no longer used but highly effective and how to make them today using regular locks. Then he showed us why he is the second best key impressionist in the world, and made a working key for a lock right in front of us, giving us step by step instructions on how to do it ourselves.
I stepped in and gave a quick demo of how I made our new and improved donations bucket, which I will be making a blog post on later. Darkwind came packing with an Alfa wifi antenna hooked up to a satellite dish! This made a killer directional wifi antenna; we took it up to the roof of Bucketworks and got signals from all over, including the moon :) Ngharo hooked it up to his lappy and cracked a few networks :)
After the roof party was over and we got back downstairs, Castor gave a DEFCON20 badge hacking demo and showed us how to turn our badges into any other badge type we wanted, then showed us how to make the LEDs on the badge flash out words and stuffs. Then we all just started bullshitting and talking about upcoming projects.
Cmoney couldn't make it out so I took a few pictures that you can view here. Congrats to darkwind and faraday for winning the dc414 free junk giveaway!!
dc414 @ DEFCON20
Most of the crew will be in Vegas for DEFCON20 this year!!! Let's all get drunk and party! I will also be getting married while there to the super awesome cmoney!! For our brothers not going, we will be doing our best to drink your share of booze :) I get the opportunity to speak on the DCG panel again this year, so if you are at DC20 come check it out; me and other POCs will be laying down some knowledge for y'all. Also find me or other dc414 members so we can all party :) I will be taking lots of pictures and posting them on Twitter, Facebook, and G+ so be sure to check that shit out as well. See ya there.
Good times with SNMP
At the last meeting dw5304 gave a demo on SNMP scanning and gaining access to things you shouldn't have access to with a few home brew Windows apps he coded up. It's been a while since I messed with SNMP but his demo got me back into it, so I made a little Python script to scan subnets for open SNMP servers with the read/write string set to private. Here is the code:
#!/usr/bin/env python3
from scapy.all import IP, UDP, SNMP, SNMPget, SNMPvarbind, ASN1_OID, sr1

base = "69.2.1."  # IP range to scan minus the last octet.
SYS_DESCR = "1.3.6.1.2.1.1.1.0"  # sysDescr.0, the system description

with open('/tmp/snmp_output.txt', 'w+') as f:
    for i in range(1, 255):
        ip = base + str(i)
        print(ip)
        # SNMPv1 GET for sysDescr.0 using the "private" community string
        p = IP(dst=ip)/UDP(dport=161, sport=39445)/SNMP(community="private",
            PDU=SNMPget(id=1416992799,
                        varbindlist=[SNMPvarbind(oid=ASN1_OID(SYS_DESCR))]))
        pkt = sr1(p, timeout=1, verbose=0)
        # Only a real SNMP reply counts; an ICMP port unreachable means no agent
        if pkt and pkt.haslayer(SNMP):
            descr = pkt[SNMP].PDU.varbindlist[0].value.val
            if isinstance(descr, bytes):
                descr = descr.decode(errors="replace")
            line = pkt[IP].src + " - " + str(descr)
            print(line)
            f.write(line + "\n")
print("\nDONE!!!!!!!!!!!!!!!\n")
It's a little hacked together and could use improvement but it works "feel free to send in any improvements you make". It puts all the found servers' IPs in /tmp/snmp_output.txt along with their system description enumerated via SNMP. Here is a sample output:
69.1.117.87 - Ruckus Wireless Inc (C) 2006
69.1.117.156 - Ruckus Wireless Inc (C) 2006
69.1.117.190 - Ruckus Wireless Inc (C) 2006
69.1.117.193 - Ruckus Wireless Inc (C) 2006
69.1.117.203 - Ruckus Wireless Inc (C) 2006
69.1.117.221 - Ruckus Wireless Inc (C) 2006
69.1.163.92 - 24-port 10/100 + 2-Port Gigabit Switch with WebView and PoE
69.1.163.93 - Product: GW 4 FXS;SW Version: 5.80A.023.006
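From the defender's side, a scan like the one above shows up on the wire as SNMPv1 GetRequests carrying a default community string in cleartext. This added example (not part of the original post) decodes the BER header of a raw SNMP UDP payload and labels datagrams that use "public" or "private"; the sample packet is constructed inline, and a sensor would feed it each UDP/161 payload it sees.

```python
DEFAULT_COMMUNITIES = {"public", "private"}
SET_REQUEST_TAG = 0xA3          # SNMPv1/v2c SetRequest PDU (write attempt)

def read_tlv(buf, pos):
    """Decode one BER TLV at buf[pos]; returns (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:           # long-form length: low bits give byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_snmp_header(payload):
    """(version, community, pdu_tag) for v1/v2c, (3, None, None) for v3, else None."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        if tag != 0x30:         # outer SEQUENCE
            return None
        tag, ver, pos = read_tlv(msg, 0)
        if tag != 0x02:         # INTEGER version
            return None
        version = int.from_bytes(ver, "big")
        if version == 3:        # v3 carries msgGlobalData here, no community
            return 3, None, None
        tag, community, pos = read_tlv(msg, pos)
        if tag != 0x04:         # OCTET STRING community
            return None
        return version, community.decode("latin-1"), msg[pos]
    except IndexError:
        return None

def classify(payload):
    """Severity label a sensor would attach to one SNMP datagram."""
    hdr = parse_snmp_header(payload)
    if hdr is None:
        return "not-snmp"
    version, community, pdu_tag = hdr
    if version == 3:
        return "ok: snmpv3"
    if community in DEFAULT_COMMUNITIES:
        kind = "set" if pdu_tag == SET_REQUEST_TAG else "get"
        return f"alert: {kind} with default community '{community}'"
    return "info: v1/v2c cleartext community"

# Constructed sample: SNMPv1 GetRequest for sysDescr.0 with community "private"
SAMPLE_GET_PRIVATE = bytes.fromhex(
    "3027" "020100" "040770726976617465" "a019" "020101" "020100" "020100"
    "300e300c06082b060102010101000500")
```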
Once you find a few servers you can do snmpwalks on them and scour the output for juicy info.
Here are some good OIDs to look for and/or set: *found most of this online & got some from dw5304
ip.ipForwarding.0 = tells you if it's forwarding packets or not "useful to DoS a device"
1.3.6.1.2.1.4.24.2.1.1 = ipForwardingDest
sysName.0 = device name
1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0 i 1 = EnableTelnetServer
1.3.6.1.4.1.4413.2.2.2.1.1.1.1.0 = telnetIpStackInterfaces
1.3.6.1.4.1.4413.2.2.2.1.1.1.2.0 = telnetUserName
1.3.6.1.4.1.4413.2.2.2.1.1.1.3.0 = telnetPassword
1.3.6.1.4.1.4413.2.2.2.1.1.1.4.0 = telnetServerControl
1.3.6.1.4.1.4413.2.2.2.1.1.1.5.0 = telnetSessionIp
1.3.6.1.4.1.4413.2.2.2.1.1.1.6.0 = telnetSessionInProgress
1.3.6.1.4.1.4413.2.2.2.1.1.1.7.0 = telnetForceUserLogout
1.3.6.1.2.1.1.1.0 = System Description
1.3.6.1.2.1.1.3.0 = Modem up time
1.3.6.1.2.1.4 = Some useful information (walk)
1.3.6.1.2.1.4.20.1.1.0 = HFC IP (getnext)
1.3.6.1.2.1.4.20.1.3.0 = HFC Subnet (getnext)
1.3.6.1.2.1.2.2.1.6.2 = MAC
1.3.6.1.2.1.10.127.1.1.3.1.3.1 = Maximum upload bandwidth
1.3.6.1.2.1.10.127.1.1.3.1.5.1 = Maximum download bandwidth
1.3.6.1.2.1.10.127.1.1.4.1 = Current status (walk)
1.3.6.1.2.1.17.4.3.1.1.0 = Hosts behind modem
1.3.6.1.2.1.69.1.4.4.0 = TFTP Configuration file server IP
1.3.6.1.2.1.69.1.4.5.0 = Configuration file name
1.3.6.1.2.1.69.1.3.5.0 = Current firmware
1.3.6.1.2.1.69.1.4.2.0 = DHCP Server IP
1.3.6.1.2.1.69.1.4.3.0 = Time Server IP
1.3.6.1.2.1.69.1.5.8.1.7 = View Log (walk)
1.3.6.1.2.1.10.127.1.1.1.1.2.3 = Downstream Frequency
1.3.6.1.2.1.69.1.4.5.0 = Image File
1.3.6.1.2.1.17.4.3.1.1 = Learned MAC (getnext)
---[ Read / Write OIDs
1.3.6.1.2.1.69.1.1.3.0 = Boot modem (1=boot now)
1.3.6.1.2.1.69.1.3.1.0 = TFTP Firmware server IP
1.3.6.1.2.1.69.1.3.2.0 = Firmware filename
1.3.6.1.2.1.69.1.3.3.0 = Firmware update status (1=update now, 2=update on boot, 3=disable updates)
1.3.6.1.2.1.69.1.5.2.0 = SNMP Traps server IP (0.0.0.0 = disabled)
1.3.6.1.2.1.69.1.5.3.0 = SNMP Traps status (1=enabled, 4=disabled)
1.3.6.1.4.1.1166.1.19.3.1.14.0 = SNMP Port
1.3.6.1.4.1.1166.1.19.3.1.15.0 = SNMP Traps port
1.3.6.1.4.1.1166.1.19.3.1.17.0 = HTML Server status (1=enabled, 2=disabled)
---[ Other OIDs
1.3.6.1.2.1.1.5.0 = modem type
1.3.6.1.3.83.1.1.4.0 = Cable Modem Serial Number
1.3.6.1.3.83.1.4.5.0 = Alternate OID for Config File
1.3.6.1.3.83.1.4.3.0 = Provisional Server
1.3.6.1.2.1.1.6.0 = Area String
1.3.6.1.2.1.4.20.1.3+(hfc ip) = Subnet, example 1.3.6.1.2.4.20.1.3.10.169.53.245
1.3.6.1.3.103.1.5.1.3.1.5 = CPE USB MAC
1.3.6.1.2.1.2.2.1.6.1 = Cable Modem USB MAC
1.3.1.6.1.2.1.10.127.1.2.1.1.1.2 = Default Gateway MAC Address
1.3.6.1.2.1.2.10.127.1.1.3.1.6.1 = Max Burst Up
1.3.6.1.2.1.2.2.1.6.5 = CPE MAC
1.3.6.1.4.1.1166.1.19.3.1.17.0 i 1 or 0 = enable or disable webif
1.3.6.1.4.1.4413.2.2.2.1.1.4.1 = reflects the IP stack interfaces on which a ssh
1.3.6.1.4.1.4413.2.2.2.1.1.4.2 = reflects the user name which will be allowed ssh access.
1.3.6.1.4.1.4413.2.2.2.1.1.4.3 = reflects the password which will be allowed ssh access.
1.3.6.1.4.1.4413.2.2.2.1.1.4.4 = start or stop the ssh server.
1.3.6.1.4.1.4413.2.2.2.1.1.4.7 = terminate ssh session
You can find a lot more online. Enjoy and happy hacking :)
July meeting sweetness
July's meeting was hot in more than one way! First I would like to thank genero again for his generous donation for the raffle, which put a solid $200 in the 3D printer fund!! Also congrats to faraday for winning both the raffle and the Photoshop and WIN contest!! I know it took forever to pick a winner but we did it damnit :)
ngharo started the demos off by talking about how he set up dc414's new Asterisk server using Google Voice as the SIP trunk! Then he showed us how he set it up to use NMAP to scan IPs from Asterisk and speak the results to you over the phone! Klaiviel took over and made Ngharo a case for his Raspberry Pi and a penny launcher with his sweet 3D printer. Then I stepped in and showed everyone how to send spoofed emails from the dc414 server using the email spoofer web app, then how to send spoofed txt messages using the same app :) Then Tony used a SIP provider that allowed for spoofing CID to spoof a call to Vlad. Then dw5304 wowed us all with an SNMP scanner he made, and showed us some of the results like accessing routers, modems, and windmills!!
Here are some pics from the meeting thanx to cmoney and congrats to Castor for winning the dc414 free junk giveaway!
Here is Faraday with his raffle winnings!
Here is Castor and his free junk from dc414
LAN Party This Weekend
Come party, video game style, at Bucketworks this Saturday, July 14th at 2PM.
BasementLAN only asks you bring $5 to donate to Bucketworks for electricity.
You can register at BasementLAN.org, or just show up :)
Get Your Raffle Tickets!
The super awesome genero donated a box of goodies to dc414 and we decided to raffle the entire box off at the next meeting. Tickets are $20 each, or three for $50. The more you buy the better your chances of winning are! You can secure your tickets now by clicking the donate link on the right (make sure to include your contact information) or get them at the next meeting.
We will be raffling the goodies off next meeting.
Here is a list of what’s inside:
RadioShack scanner radio, needs 12v power supply
Fiber to Ethernet converter
Finger print reader
PC fan still in the box
Bluetooth Mouse
Cisco Wifi antenna
Cable box
Belkin video switch
LAN cable tester
IP Camera with two way audio
Cell jammer, broken power button
PS3 camera
Linksys switch, needs power supply
InFocus projector, MIGHT need bulb
Slingbox, needs to be reset
Intel Core 2 Duo 2.33GHz 4M Cache 1333MHz FSB
Veo PTZ IP Camera x2
Ethernet card for desktop
Parallax Basic module
Wireless Ethernet Bridge, needs reset
Linksys WAP, needs power supply
VX-5 ham radio, needs new batteries, charger, and antenna
Dlink IP cam x2
That is a lot of stuff for just 20 bucks, but you can't win without a ticket, so be sure to get yours and have a chance to walk away with that treasure trove of electronics!
Arduino Windows Attack Tool
A few meetings back I demoed my Arduino Windows attack tool. The Arduino and shield emulate a keyboard when plugged into a PC. Once triggered it opens the DOS edit program, writes some VBScript to a file called go.vbs, then runs it using wscript. The script downloads a payload from a web server. In the case of the demo it was a reverse shell that connects back to a nc listener from msf. I got the idea from the Social-Engineering Toolkit Teensy USB HID Attack but I don't have/want a Teensy, so I looked and looked for an Arduino version but all I could find was a USB keyboard lib, so my value add was porting it to the Arduino.
Here is the schematic for the shield: *I added a button on pin 12
Here is the code for the Arduino:
And there you have it, my Arduino Windows attack tool. It's a little messy and hacked together, but it works. Enjoy :)
Many thanx to SilkyPantsDan, Rancid Bacon, and Practical Arduino