Monday, June 26, 2017

Dynamic Binary Instrumentation (pt2)

Quick how to:


After install of Frida on your machine, you will need to install your server agent on your (use case is phone) iphone/android/qnx device ... (emulators) too in the case of android (yet to test on blackberry emulator)

get the download/s here:


moving on...

setting up on Android:

(am currently using android, so i will focus more on this)

The use case can be on any device there is enough documentation for the all the current (common) mobile OS platforms.



COMMENCE PART 2

What i aim to achieve:

Use Frida as a mobile penetration testing tool, on high end/secure (mostly banking/social media) applications

I cannot fully disclose the vulnerabilities on this applications seeing this is not ethical and in terms of responsible disclosure in the cases i find vulnerabilities.

The following cases shall be examined:

Root Check Evasion
SSL Pinning defeat
Encryption defeat
Obfuscation defeat (dynamic application mapping/reverse engineering)
Proxy bypass

I will start this in the manner they are arranged :)

(short post but should be longer practical ones after this)

REF: Frida - https://www.frida.re/

Sunday, April 16, 2017

Dynamic Binary Instrumentation aka DBI (pt1)

Ok hear me out, i kid you not ... my dad actually calls me a lazy genius, 90% of the time, i only do 'what i want, at my own convenience in a time frame that is under my desire' now reason for this is because my curiosity and work related incidences have led me to bug hunting ... i know, i reverse binaries/files/protocols etc... so lets see i handle this :)

what is DBI: 

So simply put:

peeking under the hood while the car is running... and making changes, adding fuel/gas , adding passengers/disembarking while again still in movement/running

so why do DBI kind of things?

well, catch bugs
dump memory
really cool debugger (yes imagine running it on pretty much every platform, using the same scripting language)
memory hooking
API hooking

alrighty, so what tools are we using?

enter ----> FRIDA

so who is FRIDA and why do i like her so much to blog and use her... instead of other girls i mean frameworks

So FRIDA is a DBI tool, that uses Javascript as its core scripting language (V8/DuckTape/JavaScriptCore) you inject the code into a binary (running or otherwise) Its Multi-Arch (name them) it also has bindings meaning :) ... python, C, Node.js , .NET and of course our favorite bit.... OpenSource

so install?

pip install frida

theres a sudo if you get stuck on the easy bit hehe

now pt2 covers how to use FRIDA

Friday, February 10, 2017

TESTING THE UBERWAVE-S

unhackable is not a way to address any product, but neither is it a way to address anything, even humans, enter...

the UberWave-S phone:

I got this from a  friend, he reached out to me with this exact words "you cannot hack my secure phone" and always being up to a challenge and previously hacked the cryptophone500 , i was really feeling the need to go at this phone, after a few passive research points i could find nothing about UberWave-S , was this guy trolling me, or was it so top secret? I moved to waiting for his communication via email.


we started communicating late 2016 and he sent the phone around November from Greece, this was the package that arrived :)





and this was what i found inside



back view



front view


battery removed and 'inside' view



yes, a feature phone, as per his explanation:

Because I am a practical person, with lots of real life practical tests of the devices that I create, I decided to take a more realistic approach. I am not saying that my device is invulnerable to all kinds of attacks, but it is stealth to most of the attacks of today's technology. For example, my device is totally invulnerable in OsmocomBB attacks of any kind. Also, it is stealth to all commercial or non commercial IMSI catchers, making voice and SMS decryption impossible. Another great feature is that security is always guaranteed with the device for the user, without the need for a second device, although the security will be compromised if the recipient of the call or SMS is not using the same device AND it is under attack. But if the user of the device is under attack and the recipient is not, then the security is valid for both parties. There are some vulnerabilities, and some solutions for them, but I would like to discuss them after you test the device."

i wanted his theory and practicality to put to test, and went ahead to test it.

So i booted up my RogueBTS



and went on an MITM escaped

capturing more than enough phones in the area, but sadly i could not catch the little minx, i rebooted severally changed parameters such as distance between the phone and BTS, 5-10 meters spacing, hopped on different channels, manipulated GPS settings, this variables dictate how fast you get a connection.

however my rogueBTS works on this principles

uses 2G (attacks)/(modern ones attack 3G and downgrade to 2G)
attacks nearest BTS to jam signal and forces phone to connect to it
drops any encryption to allow direct/un-encrypted SMS/voice calls

So did i catch it, NO short answer, explanation, on removing the battery , the phone had been tampered on the screws meaning some hardware modification had been done, not wanting to mess with it i did not do any research on this however the creator did tell me this:


unscrewed-screws :)


"To give you some more information about my Secure Phone, it's not an Android or iOS device, but a feature phone and more specifically, a Samsung GT-S5610.
I am working with OsmocomBB since it's birth in 2008 and especially with the hardware part and this is where I am focused. I am not one of the developers of OsmocomBB, but since I noticed OsmocomBB, I am stuck with it, and I am mostly working on the hardware part, since I'm very good at this field. Also, my main research is in real life applications of these attacks and how to implement the hardware so the attacks are feasible in real world environments. Also, I am working mostly in the hardware part, because I'm not so good with the software, but I am very good at hardware and especially with RF.
 So, after many years of experience, I saw that there was not really a device that you could say that you're 100% protected. The 100% secure device still does not exist, but I was stunned how people was hooked up to cryptophones, and without even touching a cryptophone, I immediately knew it's vulnerabilities. Your researched verified my suspicions. It packs some security, but you must use 2 cryptophones to have a secure communication. From that point on, everything else is compromised.
 My Secure Phone was created in 2012, after a client of mine asked for a secure as possible device. I already told him that there's not such thing, but he insisted. So, by using my experience and skills, you will see the device that you will have in your hands. I tried to use a different, more radical approach, and the first thing I tossed out is the usage of major OS distributions like Android and iOS, due to the unique thing that so far no OS is secure enough and constantly new exploits are made. So, because a major requirement was secure as possible voice, SMS and data, I selected to use a feature phone. Feature devices do not use a 100% secure OS, but at least, if an attacker does not have access to the device, it's very difficult to inherit insecurities through OS upgrades and "unnecessary" connections to the internet.
 I am sorry, but I can't reveal yet more details on the conversions that I've made, but I can give you some hints. First of all, the device is totally invulnerable to OsmocomBB attacks of any kind. The device is just stealth to OsmocomBB. It is also stealth to around 99% of modern IMSI catchers. I leave 1% just in case. There is only one big problem that I can't overcome, and this is because the hack is due to an insecurity in the design of the 3gpp protocols, and there's not much to be done. Although I've found a solution to this problem, the solution degraded the device usability. An updated "patch" can be done, but as I explained, I am not a software guy to make it work as it should.
 To use the Secure Phone is very simple. You simply use it. No extra codes or mutual authentication is needed. Also, you do not need to use 2 Secure Phones to use the security features, although for both parties security, it is advised to use both parties a Secure Phone. For example. If the owner of the device is under attack and the other party is not under attack, there is no way to compromise both parties communication, all voice, SMS and data are secure. But if both parties are under attack, and the other party does not use a Secure Phone, then both parties are compromised. This is normal, but a lot better that the cryptophone's mandatory default usage from both parties of cryptophones. Also, there is no delay in the voice calls or dropped called due to non mutual authentication. No other special action is required. The safety features are enabled by default. If you can't use the device, the user of the Secure Phone is either under attack, or the Secure Phone rejects and does not accept to use insecure communication methods.
 Since you are going to make a research on a operator, I also suggest you to test my Secure Phone. Of course, the best way to do that is to use a SIM from another provider, and try do any kind of test with the equipment of the operator that you have access on."

So, as per his request he allowed sharing this information alongside his contact information


NB: this phone was created for government entities, further explanations to why the phone is not caught is because it has been 'cut off from the 2G platform' from his explanation:

"Very happy to hear that your 2G BTS didn't brake my device. The same will apply with 3G/4G, for the same reasons that your 2G didn't break the device but also, because 3G/UMTS uses mutual authentication. 4G connections provide even more information of the 4G clients to the telco providers. Also 4G does not carry voice yet. So, if you make a 3G/UMTS BTS and use a SIM from a real provider and try to break my phone, then this would not be possible, due to mutual authentication. The only way to "break" my device is to use your own programmed 3G/UMTS SIM and try to camp to your 3G BTS, but that's not an attack schenario, because you already own the 3G SIM and the keys inside. As a conlusion, even a 3G rogue BTS, your's or more advanced and professional rogue BTS, will not break the secure phone, but it would be nice for you to do any further tests that you please.
You can document, share and publish all your findings, including my contact information. "


So without much a-do Ladies and Gents, spiders and bots hackers and enthusiasts, Mr UberWave-S together with his mail address, :) 
Kindly reach out for more info on this from me or him with best regards.

Tuesday, February 7, 2017

Kali Linux and VMware [why you no co-operate]

setup:

Alienware Mx14 r3 its a beast, but i miss my mac for not breaking shit when i have to do something as simple as install VMware (fusion) for workstation its another B8!@3 , so lets make this short, and under lesson learnt,

I upgrade to kali linux uname -r : 4.9.0-kali1-amd64


i try to install latest vmware workstation :( trouble starts here .... vmware 12.5.2 build-4638234)

I get complains , some modules wont compile :(

(screenshots are forgotten at this point as i have a API documentation and testing to do , and i need my vmware (yes i hate vbox sue me)


error looks (something) like this:

module_/tmp/modconfig-eTZynd/vmnet-only' failed


I mean come on ..... i try all fixes from installing headers but , naaah thats not it... i mean okay lets fix this :)


  • Make a backup of /usr/lib/vmware/modules/source/vmnet.tar
  • Go to /usr/lib/vmware/modules/source
  • Extract vmnet.tar (tar xvf vmnet.tar)
  • Change to vmnet-only directory (cd vmnet-only)
  • Make a backup of /usr/lib/vmware/modules/source/vmmon.tar
  • Go to /usr/lib/vmware/modules/source
  • Extract vmnet.tar (tar xvf vmmon.tar)
  • Change to vmnet-only directory (cd vmmon-only)



As I could not find any patches for VMware – and the latest version 12.5.2 still fails to compile, I created a nasty hack myself..

Warning – This is not an official patch, and I am not an expert in kernel code, but I applied this to vmmon and vmnet, and both compile OK, and load/run, on Kernel 4.9-rc3..

In vmnet-only/userif.c, around line 113, change

#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
    retval = get_user_pages(addr, 1, 1, 0, &page, NULL);
#else
    retval = get_user_pages(current, current->mm, addr,
                1, 1, 0, &page, NULL);
#endif
to

#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
     retval = get_user_pages(addr, 1, 0, &page, NULL);
#else
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
     retval = get_user_pages(addr, 1, 1, 0, &page, NULL);
#else
     retval = get_user_pages(current, current->mm, addr,
                 1, 1, 0, &page, NULL);
#endif
#endif
– and in vmmon-only/linux/hostif.c, around line 1162, change

#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
   retval = get_user_pages((unsigned long)uvAddr, numPages, 0, 0, ppages, NULL);
#else
   retval = get_user_pages(current, current->mm, (unsigned long)uvAddr,
                           numPages, 0, 0, ppages, NULL);
#endif
to

#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 9, 0)
   retval = get_user_pages((unsigned long)uvAddr, numPages, 0, ppages, NULL);
#else
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 6, 0)
   retval = get_user_pages((unsigned long)uvAddr, numPages, 0, 0, ppages, NULL);
#else
   retval = get_user_pages(current, current->mm, (unsigned long)uvAddr,
                           numPages, 0, 0, ppages, NULL);
#endif
#endif



Recreate vmnet.tar  & vmmon.tar (tar cvf vmnet.tar vmnet-only/)
Recompile VMWare (vmware-modconfig --console --install-all)
Optionally, remove vmnet-only  && vmmon-only directory (rm -rf vmnet-only)


IT WORKS .... [SOLVED]




Tuesday, November 8, 2016

Penetration Testing of a Telco Company [CORE]

Over the past few years/months... Theres been a lot of chatter about penetration testing and security of telecommunication companies, however the biggest hinderance to this has however been, well you guessed it, access:

from, tools, resources, money and well knowledge.

As a step to help out on the community, I will be releasing some of the materials to familiarize the intended audience (student, lectures, humans and fellow security enthusiasts) from this basically knowledge and tools.

We will be looking at security in telcos now not only in the Air & Abis layer but also the protocols, and the infrastructure, the core networks so :

SS7
Diameter
GGSN
GRX
HLR&VLR

we are coming for you: :) , I will also start this in a point of explaining how telcos work and the heavy accronyms behind them, then after we will dive into setting up some test/lab facilities, then move on to the security side of them, the 4-6 part series will be broken down so everyone can chime in :) feel free to engage.

Friday, September 16, 2016

Reverse 3NG1N33R1NG [Playing with Radare2 .. OK Bokken)

IDA is a expensive, but its superb... superb is an understatement , however I am not coughing up 2700Euros for that , after all many of my students cant afford this, and am really loving the learning curve that radare2 comes with.

So what is radare2 > OpenSource IDA replacement (well for me that is)

its a huge library of reverse engineering tools, however Radare2 lacked a major component , GUI hence the steep learning curve, I am willing to look at multiple GUI methods, however I have been in love with Bokken , an option for GUI in the radare2 framework.

I will explore more options as I go on, including the visual mode and WebUI:

BOKKEN:









Installation

Bokken has some issues, its still under development (personally i maintain my own bit as much as i can, I have yet to push all my changes (forbid as i am still going through most of this code)

Installation on MacOSX (El-Captian soon moving to Siera (this will be an issue but i will see through ti :) ... )

simple:

brew install bokken
(installs bokken 1.8 last release)

Error: os.getenv("DISPLAY").strip()

When i try to start bokken, i fix this by installing  XQuartz to handle $DISPLAY

another Error:  from PIL import Image - ImportError: No module named PIL
When try to start bokken again, I fix this by installing pillow via pip (check if installed with pip freeze | grep pillow) install by:sudo pip install pillow

I manage to start get bokken running (see first image, however, when trying to load a file, i meet this error)

Error: ValueError: invalid literal for int() with base 10:

This seems that theres an issue, I look at the code (I will be fixing this and pushing it to my github, for now i just commented the code to work from a standpoint that entry points aren't calculated, this will be fixed soon from my end and pushed out , for now, am just looking around and having too much fun :)


If you have questions, kindly reach out :)


Tuesday, April 12, 2016

HCK the BRCK (i)

Hailed as the revolution of Africa's connection to the internet the BRCK has been one of the most talked about modem/router , with rugged features to allow secure usage through any kind of physical elements, I moved the advert up a ladder to test its security.

Details about the BRCK
  • Modem
  • Router 
  • Power back up
This are the main/surface details about the BRCK, beyond this it contains an operating system (BusyBox) closed source however.

I managed to get my hands on one of the 1st generation BRCKs from the founder a very jovial, smart lady Juliana Rotich, she gave me a task of 'checking it for bugs' I went a little further, and as off by the end of this four part series on how we dive into working the BRCKs security and development wise.

Wednesday, April 6, 2016

Testing the CryptoPhone 500 against OUR... DIY IMSI catcher

I got a chance to use and test the GSMK Cryptophone 500 , with this phone , rumors have it to cost in between 2000USD to 5000USD depending on make and model/vendor , I am not into prices so much as features and specifications, however the phone is noted to have the following:

The GSMK CryptoPhone 500 is an Android-based secure mobile phone with 360° mobile device security for secure messaging and voice over IP communication on any network.
Cp500 72dpi
By combining GSMK’s renowned end-to-end voice and message encryption with a highly sophisticated approach towards mobile device protection, the CryptoPhone 500 offers a defence-grade mobile phone security solution with true 360° mobile device security:
  • Secure messaging and voice over IP calls on any network, including 2G GSM, 3G UMTS/W-CDMA, and Wireless LAN
  • Hardened Android operating system with granular security management and streamlined, security-optimized components
  • Permission enforcement module controls access to network, data and sensors, keeping you in control of your security policies
  • Baseband firewall protects against over-the-air attacks with constant monitoring of baseband processor activity, baseband attack detection, and automated initiation of countermeasures
  • Two-layer storage encryption system protects data at rest against unauthorized access





(pulled from the products website)

I really wanted to check the performance of security offered by the cryptophone 500 that claims to be able to protect one from IMSI catchers which can listen into your GSM conversations/do OTA attacks / perform DOS on your phone to kick you off the mobile network / spoof address e.t.c

So we created a very cheap IMSI catcher (50 USD or less i.e without a computer)

The firewall on the phone was up:





I ran the IMSI catcher with some interesting results, here are the screenshots:




the above shows the IMSI caught by our catcher





the cryptophone registering to the IMSI catcher (we only allowed it to see the messages for POC purposes+verify IMSI)


With the phone 'ON' (we also had rebooted the baseband to check we shake of any unwanted connection and try again)

We managed to capture the CryptoPhone and get a connection to/from it and received the following (on the baseband firewall prompt):








Where it alerted us of a medium 'suspicion data' entry saying the BTS (IMSI catcher) had no neighbouring cell available (this is pretty easy to fix... we dint move to fix it as we were trying it on a base level budget [single osmocombb BTS])

We then moved to attacking the CryptoPhone by simple attacks such as spoofing the SMS address and sending an SMS to it



spoofing a text message


and more down here (means we can spam/fuzz :)   )





We then tried to make calls to verify our call integrity , but however we were greeted by a stern warning:





We turned on back encryption (we could still however record the call) and this is what we received:



encrypted huh :)

We managed to record the conversation irrespective of been allowed to make the call under 'secure' infrastructure, we will not disclose how our IMSI catcher is setup, however we will reach out to CryptoPhone for this findings, :)


Using Typhon OS and an OsmocomBB phone to create a RogueBTS (Rogue GSM Base Station) IMSI catcher

Requirements:

OsmocomBB compatible phone (Motorola c113/115/118/123)
CP2102 cable (can be found here)
TyphonOS (read this is you havent, or directly head to downloading)

Setup:

Boot up the OS(live or install)


All the softwares referenced here are already installed.

To run an OsmocomBB application on the phone, you must first find out what interface your CP2102 cable is connected to. Run this command:
dmesg | grep tty

If you want to run it on ttyUSB0 (and I propose that you do) remove all USB devices and plug the CP2102 cable in first. The CP2102 cable will automatically move to /dev/ttyUSB0. To run it on other interfaces, modify the firmware upload string appropriately.

You can now upload firmware on the phone and observe output.
 From the /rf/osmocom-bb/src/host/osmocon/ directory, run:

sudo ./osmocon -d tr -p /dev/ttyUSB0 -m c123xor –c ../../target/firmware/board/compal_e88/rssi.highram.bin

Then, with the phone powered off, press the power button once briefly and wait for the firmware to load onto the phone.
As it loads, the screen output should look like this:















RSSI stands for Received Strength Signal Indicator and is can be used to identify the strongest ARFCN in the area. This is important as the BTS needs to sync with the strongest legitimate BTS in order to receive configuration information.


Once done exploring the RSSI app, there are plenty more applications that you can run which are beyond the scope of this document. However, feel free to explore them to further your understanding on the OsmocomBB platform.

Running

After installing everything, we can now run the full system.
Plug in the calypso phone with the CP2102 cable, and ensure that it is on ttyUSB0 before proceeding. Note: Charge the phone to its fullest as the power cable interferes with transmission.
From the /rf/osmocom-bb/src/host/osmocon/ directory run the trx application with the following code (on one line):

sudo ./osmocon -p /dev/ttyUSB0 -m c123xor -c ../../target/firmware/board/compal_e88/trx.highram.bin ../../target/firmware/board/compal_e88/chainload.compalram.bin


Then press the power button on the phone briefly to load the application.

From the /rf/public/smqueue/trunk/smqueue directory run the smqueue application with the following code:

sudo ./smqueue

From the /rf/public/subscriberRegistry/trunk directory, run the sipauthserve application with the following code:

sudo ./sipauthserve

Finally, from the /rf/public/openbts/trunk/apps directory, run the OpenBTS application with the following code:

sudo ./OpenBTS

After a few seconds, the OpenBTS terminal (top right) will look like this indicating that syncing has taken place and it is transmitting:



Figure 15 - Running TRX, smqueue, sipauthserve and OpenBTS


If you had set your MCC and MNC to that of a legitimate network operator, the 2G phones in the area will begin connecting to your fake base station. If you left it as the default then you will see a name either “Test” or “Range” or "Safaricom [this is not legal by the way assuming you spoofed the name too]" when perform a manual search on your phone.



The above setup creates a fakeBTS (IMSI catcher) and works as a spoofed Mobile Network.
On the next setup we will work on how to send SMSs and even spoof some messages alphanumeric address and all.


Dynamic Binary Instrumentation (pt2)

Quick how to: After install of Frida on your machine, you will need to install your server agent on your (use case is phone) iphone/andro...