Posts for: #Hacking

Extracting firmware images from SPI flash

Recently I’ve been revisiting some hardware hacking techniques. I purchased a Hydrabus and a standard SOIC-8 clip from DigiKey to assist with this task. For practice, I decided I wanted to attempt to extract the firmware from the same DVR system I experimented with back in 2015. Link to post.

After inspecting the circuit board, I found a flash memory chip on the back.

Some careful lighting adjustments revealed the chip was a Winbond W25Q128FV, which is supported by flashrom.


The Dangers of default configurations

Introduction

Most security professionals are very familiar with the pitfalls of default configurations. However, the larger Open Source Software community may not be. Recently, I have been researching the nature of these configurations and specifically how they relate to the self-hosting community.

This journey started when I was looking for a replacement for the app I used to track my vehicle's fuel economy/expenses. I found a self-hosted solution that appeared to suit my needs. Given my security background, it was important that I vet anything I was considering putting on my server. The application in question is called "Hammond", and is available on GitHub. The backend is written in Go, a language I am not super familiar with, but know enough to be dangerous. The README lists a few ways to start the server. The first option is to run the server using a docker command.


Using Google dorks to uncover application-secrets

Google Dorks are a great way to uncover information semi-passively. Primarily, it involves special search queries that lead to information that shouldn't be public. In this blog post, I will showcase some useful queries, show the impact these queries have, and provide some remediation steps.

The Queries

Both queries I'll show are very similar.

intitle:"index of /" intext:"config.py"

and

intitle:"index of /" intext:".env"

The core is the intitle:"index of /". This returns results that contain "index of /" in the title. Pages with results like this are open directories being listed by the underlying HTTP server.


Exploiting predictable UUIDv1

Recently, Intigriti (https://twitter.com/intigriti) posted a challenge on Twitter. I found this challenge to be pretty interesting, as I had not really heard of any issues regarding GUIDs (Globally Unique Identifiers), sometimes also listed as UUIDs (Universally Unique Identifiers). These are all things I had previously assumed were essentially random and non-predictable. Unfortunately, some versions of the UUID are not so random, at least not UUIDv1.

The rest of the post continues after the break.


Zip Slip (malicious archives)

Recently, I completed a CTF challenge that involved an interesting vulnerability. Since the challenge is active, I won't be providing screenshots, but I've kept things general enough that it shouldn't spoil anything.

The web app

The entire app was provided with a dockerfile, so it could be run offline.

My first step was to investigate the app and see what vulnerabilities might exist. The web app is very simple, and was developed using Flask. It contains a single web page that allows you to upload a tar.gz file. The uploaded file is extracted using the tarfile library. The validation of the user-uploaded file is insufficient.


Reverse Engineering a $20 remote controlled outlet

Introduction

A few years ago, I bought a remote controlled outlet from Walmart. I don’t recall the exact price, but it was less than $20. It was pretty much purchased for the explicit reason of trying to understand how they worked. The end goal was that I wanted to know if

  1. I could decode/intercept the signals
  2. It was vulnerable to replay attacks

Tools Used

  • RTL SDR
  • Yardstick One
  • Inspectrum
  • GQRX
  • rfcat

This is going to be quite a long post, so I suggest getting a cup of coffee before continuing. At the end, I have included a YouTube video showing the entire process.


Getting started with the proxmark3 easy clone

Introduction

I’ve been interested in RFID hacking for a really long time. The "gold standard" has been the proxmark series of tools. Unfortunately, these are quite expensive, especially for a hobbyist. However, thanks to the internet and the usual sources, there are pre-assembled versions available for under $100.

In this post, I’ll share a quick tutorial on how to clone an access control card to a rewritable card.

The Hardware

The hardware I’m using was purchased from Amazon for $67. I don’t know what firmware was loaded on it, because it didn’t seem to work initially. The first thing I did was clone the RFID Research Group repository (sometimes known as the iceman repository). This contains both the proxmark software and the firmware for the device. The firmware is loaded by running ./pm3-flash-all in the repository after building. One issue is that the USB port on the long side of the device does not seem to work. I didn’t take any notes, nor do I remember the exact process I followed, but I think it was pretty straightforward once it was actually speaking with my computer. I’m assuming that port is for powering the device with something that can deliver more current than a standard USB port.


Auditing a $50 Security Camera DVR System

FYI, this is a rewrite of some work I did in 2016 that was previously hosted on my old blogspot account. In doing research for the rewrite, I found that several people had done largely similar work, but I have identified some new information, particularly the ability to format the disk drive by sending a POST request.

Introduction

Before the Internet of Things (IoT) took over, homes and businesses were watched by closed circuit cameras, and some did have LAN and WAN remote viewing. The WAN connection was not through a cloud system, but rather a direct connection to the IP address of the device. Unfortunately, given the price point of these devices, a lot of security corners were cut.
