It just a silly python script that either retrieves SSL Certificate based data from online sources, currently https://crt.sh/, https://certdb.com/, https://sslmate.com/certspotter/, and https://censys.io or given an IP range it will attempt to extract host information from SSL Certificates. If you want to use Censys.io you need to register for an API key.
How to install
git clone https://github.com/joda32/CertCrunchy.git cd CertCrunchy sudo pip3 install -r requirements.txt
How to use it? Very simply -d to get hostnames for a specific domain -D to get hostnames for a list of domains (just stuff it in a line-delimited text file) -I to retrieve and parse certificates from hosts in a netblock / IP range (e.g. 192.168.0.0/24) -T the thread count makes stuff faster, but don't over do it -o Output file name -f Output format CSV or JSON, CSV is the default for the rest, I'm still working on those :) API keys and configs All API keys are stored in the api_keys.py file below is a list of supported APIs requiring API keys.
A Chinese hacking group has been found leveraging a new exploit chain in iOS devices to install a spyware implant targeting the Uyghur Muslim minority in China's autonomous region of Xinjiang. The findings, published by digital forensics firm Volexity, reveal that the exploit — named "Insomnia" — works against iOS versions 12.3, 12.3.1, and 12.3.2 using a flaw in WebKit that was patched by
Give gifts this holiday season that inspires your favorite hackers to make something great. Our ten top picks for gifts to make 'em smile are perfect for hackers of all styles, ages, and interests.
Holiday gift guides always struggle when faced with nailing down a list for hackers — that's because hackers are as diverse in their interests and fascinations as they are diverse in gender, color, size and everything else. Someone with a multi-focused set of curiosity and unique gifts for finding out what makes the crackable crack may seem like a daunting individual to stuff a stocking for … but don't fret. With a keen eye on the latest interests in hacker culture, we've got a gift guide that can make the hacker in your life smile as they enjoy using your gift to hack and explore throughout the coming year.
Anonymity online: The Onion Pi
One of the most popular "snake oil" (fake) privacy gadgets is the so-called "Tor in a box" — a plug-and-play gadget that promises to make you anonymous online. Nearly all of these are made by clueless charlatans whose products put you at risk for privacy and security breaches. But your favorite hacker can just make or build an "Onion Pi" for $69.95, and with this free tutorial.
Attribution Dice
With Attribution Dice ($20), anyone can be a high-priced security consultant, and predict breach headlines before PR firms have a chance to feed them to reporters! With every security breach, hackers roll their eyes when headlines and PR firms roll out the same old, same old terms, methods and culprits. Instead of rolling eyes, your hacker can roll the dice, and wow friends, family, and neighbors with their hacker cyber-powers.
21 Bitcoin Computer
Money is always a welcome gift. Give the gift of going hands-on with Bitcoin with the 21 Bitcoin Computer. "The 21 Bitcoin Computer is ideal for buying and selling digital goods and services. You can use it to create bitcoin-payable APIs, set up your own personal digital goods store, pay people to share your content online, or host online games of skill." It's not cheap ($395) and comes with controversy, but it's a cool toy with a lot of potential, and 21 Inc. is going to be releasing an open source package for the device soon.
Gentleman's Bogota Lockpicks and Clear Practice Lock
Conventional wisdom suggests that all hackers know how to pick locks, but can they do it in style? A perfect stocking stuffer for slick hackers of all genders is the Gentleman's Bogota lockpick set ($34.95). These featherweights pin discreetly to a collar, hat, sleeve, vest, hemline, or wherever they choose. If the hacker you're shopping for wants to learn to lockpick, or just brush up on technique, throw in the clever Clear Practice Lock ($34.95).
Inverse Path USB Armory
In this reviewer's opinion, every hacker should have a USB Armory in their stocking this year. The Inverse Path USB Armory ($130) is a little USB stick with an entire computer onboard (800MHz ARM processor, 512MB RAM), designed to be a portable platform for personal security applications — and lives up to its reputation as "the Swiss Army Knife of security devices."
Hack the planet! The 20th anniversary of influential 1995 cyberpunk film "Hackers" was this year, and this cult classic got a special edition Blu-ray release, making it the must-have for the hackers in your life. The 20th anniversary "Hackers" Blu-ray features an hour-long "making of" documentary, rich video and audio transfer for the film itself, and interviews with: Cast members Matthew Lillard, Fisher Stevens, and Penn Jillette; hacking consultants Nicholas Jarecki and Emmanuel Goldstein; Director Iain Softley, and many more involved with the film's production and style.
A Hacker's hope for better sleep: The Re-Timer
Hackers are increasingly hacking themselves to make their own systems run better, and one thing hackers struggle with is their sleep cycles and feeling rested. Something that can help out is the Re-Timer ($299), a retro-future looking set of glasses and kit that adjusts the circadian rhythm and suppresses the body's production of melatonin (the sleepy hormone our bodies produce which makes us feel tired). Based on 25 years of research and on the market worldwide for three years, the Re-Timer has its own jet lag calculator app, as well as its Sleep App for Fitbit that makes a customized schedule based on actual sleep tracked.
USB Rubber Ducky Deluxe and LAN Turtle
A longtime favorite with hackers, penetration testers and IT professionals, the USB Rubber Ducky Deluxe ($42.99)is a cross-platform (Windows, Mac, Linux, Android) testing and experimentation device that is detected as a keyboard — imagine the possibilities. This stocking stuffer pairs well with its animal friend LAN Turtle ($50), a covert sysadmin and pentest tool for remote access, network intel gathering, and man-in-the-middle monitoring through a simple graphic shell (all in a generic USB ethernet adapter case).
TechShop Gift Certificate
Give the gift of hacking and making: A gift certificate to a TechShop. "Part fabrication and prototyping studio, part hackerspace, and part learning center, TechShop provides access to over $1 million worth of professional equipment and software. We offer comprehensive instruction and expert staff to ensure you have a safe, meaningful and rewarding experience." There are TechShops in Arizona, California, Michigan, Missouri, Pennsylvania, Texas, and Virginia/Washington, D.C. (some states have multiple locations). Future locations include St. Louis, MO and Paris, France.
Products to avoid
If you see these products, run! You're better off with a lump of coal. Don't waste precious holiday money on "snake oil" privacy and security products like these:
Now that we got that out of the way... I have been seeing posts on sites with people having fun with embedded systems/devices and I was feeling left out. I didn't really want to go out and buy a device so I looked at what was laying around.
First order of business was to update the camera with the most recent firmware:
Device info page confirming firmware version
Now that the device was using the same version of firmware as I was going to dive into, lets get to work. I will be using binwalk to fingerprint file headers that exist inside the firmware file. Binwalk can be downloaded from the following url: http://code.google.com/p/binwalk/
Running binwalk against the firmware file
binwalk FW_TV-IP110W_1.1.0-104_20110325_r1006.pck DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------------------------------- 32320 0x7E40 gzip compressed data, from Unix, last modified: Thu Mar 24 22:59:08 2011, max compression 679136 0xA5CE0 gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression
Looks like there are two gzip files in the "pck" file. Lets carve them out using 'dd'. First cut the head off the file and save it off as '1_unk'
#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=1_unk bs=1 count=32320 32320+0 records in 32320+0 records out 32320 bytes (32 kB) copied, 0.167867 s, 193 kB/s
Next cut out the first gzip file that was identified, we will call this file '2'
#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=2 bs=1 skip=32320 count=646816 646816+0 records in 646816+0 records out 646816 bytes (647 kB) copied, 2.87656 s, 225 kB/s
Finally cut the last part of the file out that was identified as being a gzip file, call this file '3'
#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=3 bs=1 skip=679136 2008256+0 records in 2008256+0 records out 2008256 bytes (2.0 MB) copied, 8.84203 s, 227 kB/s
For this post I am going to ignore files '1_unk' and '2' and just concentrate on file '3' as it contains an interesting bug :) Make a copy of the file '3' and extract it using gunzip
#file 3 3: gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression #cp 3 3z.gz #gunzip 3z.gz gzip: 3z.gz: decompression OK, trailing garbage ignored #file 3z 3z: Minix filesystem, 30 char names
As we can see the file '3' was a compressed Minix file system. Lets mount it and take a look around.
#mkdir cameraFS #sudo mount -o loop -t minix 3z cameraFS/ #cd cameraFS/ #ls bin dev etc lib linuxrc mnt proc sbin server tmp usr var
There is all sorts of interesting stuff in the "/server" directory but we are going to zero in on a specific directory "/server/cgi-bin/anony/"
The "cgi-bin" directory is mapped to the root directory of http server of the camera, knowing this we can make a request to http://192.168.1.17/anony/mjpg.cgi and surprisingly we get a live stream from the camera.
video stream. giving no fucks.
Now at first I am thinking, well the directory is named "anony" that means anonymous so this must be something that is enabled in the settings that we can disable.... Looking at the configuration screen you can see where users can be configured to access the camera. The following screen shows the users I have configured (user, guest)
Users configured with passwords.
Still after setting up users with passwords the camera is more than happy to let me view its video stream by making our previous request. There does not appear to be a way to disable access to the video stream, I can't really believe this is something that is intended by the manufacturer. Lets see who is out there :)
Because the web server requires authentication to access it (normally) we can use this information to fingerprint the camera easily. We can use the realm of 'netcam' to conduct our searches
HTTP Auth with 'netcam' realm
Hopping on over to Shodan (http://www.shodanhq.com) we can search for 'netcam' and see if there is anyone out there for us to watch
9,500 results
If we check a few we can see this is limited to only those results with the realm of 'netcam' and not 'Netcam'
creepy hole in the wall
front doors to some business
Doing this manually is boring and tedious, wouldn't it be great if we could automagically walk through all 9,500 results and log the 'good' hosts.... http://consolecowboys.org/scripts/camscan.py
This python script requires the shodan api libs http://docs.shodanhq.com/ and an API key. It will crawl the shodan results and check if the device is vulnerable and log it. The only caveat here is that the shodan api.py file needs to be edited to allow for including result page offsets. I have highlighted the required changes below.
def search(self, query,page=1): """Search the SHODAN database.
Arguments: query -- search query; identical syntax to the website page -- page number of results
Returns: A dictionary with 3 main items: matches, countries and total. Visit the website for more detailed information.
About RED_HAWK: RED_HAWK is a all in one tool for Information Gathering, Vulnerability Scanning and Crawling. A must have tool for all pentesters and hackers. RED_HAWK's features:
Basic ScanSite Title (NEW): IP Address Web Server Detection IMPROVED CMS Detection Cloudflare Detection robots.txt Scanner
Whois Lookup (IMPROVED)
Geo-IP Lookup
Grab Banners IMPROVED
DNS Lookup
Subnet Calculator
Nmap Port Scan
Sub-Domain Scanner IMPROVED: Sub Domain IP Address
Reverse IP Lookup and CMS Detection IMPROVED: Hostname IP Address CMS
Error Based SQLi Scanner
Bloggers View NEW HTTP Response Code Site Title Alexa Ranking Domain Authority Page Authority Social Links Extractor Link Grabber
WordPress Scan NEW Sensitive Files Crawling Version Detection Version Vulnerability Scanner
Crawler
MX Lookup NEW
Scan For Everything - The Old Lame Scanner
List of CMS Supported on RED_HAWK
RED_HAWK's CMS Detector currently is able to detect the following CMSs (Content Management Systems) in case the website is using some other CMS, Detector will return could not detect.
WordPress
Joomla
Drupal
Magento
RED_HAWK Installation How To Configure RED HAWK with moz.com for Bloggers View Scan?
Get your AccessID and SecretKey and replace the $accessID and $secretKey variable's value in the config.php file
All set, now you can enjoy the bloggers view.
How to use RED_HAWK?
Known Issues of RED_HAWK ISSUE: Scanner Stops Working After Cloudflare Detection! SOLUTION: Use the fix command (for Debian-based distros) or manually install php-curl and php-xml. Watch the video to see how to solve that isuue:
Support and Donations Found RED_HAWK cool? Well you could buy a cup of tea for the author 😉 Just send any amount of donations (in Bitcoin) to this address: 1NbiQidWWVVhWknsfPSN1MuksF8cbXWCku
Can't donate? well that's no problem just drop a "THANK YOU, AUTHOR" this will motivate me to create more exciting stuffs for you😉 TODOs for RED_HAWK:
Make a proper update option ( Installs current version automatically )
Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!
This Post is for the people that:
Have No Experience With Cybersecurity (Ethical Hacking)
Have Limited Experience.
Those That Just Can't Get A Break
OK, let's dive into the post and suggest some ways that you can get ahead in Cybersecurity.
I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. Its time to change the color of your hat 😀
I've had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have.
If you have no experience don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.OK, so you have zero experience and limited skills…my advice in this instance is that you teach yourself some absolute fundamentals.
Let's get this party started.
What is hacking?
Hacking is identifying weakness and vulnerabilities of some system and gaining access with it.
Hacker gets unauthorized access by targeting system while ethical hacker have an official permission in a lawful and legitimate manner to assess the security posture of a target system(s)
There's some types of hackers, a bit of "terminology". White hat — ethical hacker. Black hat — classical hacker, get unauthorized access. Grey hat — person who gets unauthorized access but reveals the weaknesses to the company. Script kiddie — person with no technical skills just used pre-made tools. Hacktivist — person who hacks for some idea and leaves some messages. For example strike against copyright.
YardStick One Unleashed, Automating RF Attacks In Python - An RFCat Primer
I decided to dive into our current device a bit more before moving on to a new device, and really ramp up the skillsets with RFCat and the Yardstick.So for this blog you will need our previous Target and a Yardstick One. We will be hacking everyting using only the Yardstick and Python.
So last time we scanned for signals with GQRX and a Software Defined Radio device. We took the demodulated wave forms in Audacity and discerned what the binary representation of our wave forms were by decoding them manually. We then transferred those into a hex format that our yardstick understood.However there is a way to do everything with our Yardstick. It will require a bit more understanding of the RFCat library, and a bit of python.
This blog will be your RFCAT primer and coding tutorial, but don't be scared with the word "Programming" I will be using simple code, nothing complicated.So if your a programmer, tune out any coding explanation and understand RFCat, if your not a coder, then use this as a jumping point to start making some quick python scripts for hacking.
Video Series PlayList Associated with this blog:
The first thing we did in our last blog after looking up the frequency was to open up GQRX and check if we can see our devices signals. As it turns out you can actually do this in python with RFCat. Which is really convenient if you left your Software Defined Radio dongle at home but happen to have access to a Yardstick.
RFCat as a Spectrum Analyzer:
In order to use RFCat as a spectrum analyzer we need to make sure we have RFcat installed and a few prerequisites such as python and PySide modules.I actually did this inside of an Ubuntu VMware because Pyside was giving me issues on OSX and I didn't feel like trying to fix it. So If you spin up an ubuntu vm you can do the following to get things up and running..
Install Spectrum Analyzer PreReqs:
sudo pip install PySide
sudo apt-get install ipython
Plug in your adapter and type in the following:
rfcat -r
d.specan(315000000)
You will then see the below output of RFCat Specan running in the 315 MHz range.
Click our doorbell, or trip the motion sensor and you will see a frequency spike as shown in the second picture.
This is similar to what you saw in GQRX but all with your Yardstick and the Python RFCat library.
So everything seems to be working and we can see our devices transmitting on the 315MHz frequency.Unfortunately we have no record button on Spescan. This leaves us to dive a little deeper into RFCat. We will see what RFCat can do for us in the recording and sniffing capacity.
Sniffing RF Data With The YardStick and Python:
In RFCat there is a simple listening command in our interactive session which will give us an idea of what is being transmitted and in what type of data format we are recieving. When using GQRX we received a WAV file, but what does RFCat give us?One thing I have realized over the years is programming is all about dealing with data in various formats and figuring out how to parse and use it in various implementations. So the first thing we have to figure out is what kind of data we are dealing with.
Lets hop back into RFCat and set a few parameters so the yardstick knows to listen on 315MHz and to use ASK modulation.The settings below should all be familiar from our last blog with an exception of "lowball" which configures the radio to use the lowest level of filtering. We basically want to see everything but may experience some noise by not filtering it out.. For example before you hit your doorbell button you may see random FF FF FF FF data outputted to the screen.
Below is the cmdline input needed and some example output. After all of our settings are in place we can use RF.listen() to start listening for everything in the 315000000 frequency range and have it output to the screen.
After you set it up, you can press the button on your doorbell and you will receive the following output. We have lots of zeros and what might be some hex output.
Destroy ficti0n$rfcat -r
>>> d.setFreq(315000000)
>>> d.setMdmModulation(MOD_ASK_OOK)
>>> d.setMdmDRate(4800)
>>> d.setMaxPower()
>>> d.lowball()
>>> d.RFlisten()
Entering RFlisten mode...packets arriving will be displayed on the screen
If you hit "ENTER" in your terminal you will stop receiving packets and drop back into a python interactive terminal. If we take a look at the repeating pattern in the above output, it looks like some random patterns and then a repeating pattern of, 84e708421084e738.If we convert that to binary we can compare with what we decoded WAV from our previous blog.
Since we are already in a python terminal you can type the following to see the binary representation:
Lets break that up into 8 bit bytes and compare it to our previous blogs binary, hmm its lot different then what we originally decoded the signal to be:
If we take the above capture data and format it correctly for RFcat with the replay code from the last blog. When we send it over, it does indeed ring the doorbell, thats interesting. A completely different value in both hex and in binary and still we get a doorbell to ring. So the variance we talked about last time extends a bit more. Below is the code with the new hex from the capture data:
I will also take a minute to note something before we continue. I had a little trouble at first when using a telescopic antenna in RFcat and the YardStick.So I will list those issues below as notes for you to play with if you run into random looking captures when pressing your doorbell button.
When using a telescopic antenna closed I had almost repeating output with some random bits flipped
When extending the antenna it went crazy output with random noise
I then used a small rubber ducky antenna and got the repeating output shown above.
What we have done so far:
So above, we managed to figure out the following all in RFCat
Verify the frequency with RFCat
How can I listen for it and capture a transmission with RFCat
How can I send this transmission with RFCat
We have basically eliminated the immediate need for the graphical tools that we were using in the last blog. Not to say that they are not useful. They absolutely are, and we should use them often and know how to work with all kinds of formats and understand everything.. However, if we are living in a reality that all we have is a Yardstick and no other tools. We are not helpless and we can still kick some serious RF butt.
Now we are going to take this a bit further so we can learn some more about RFCat, Python and mistakesI made when trying to automate this stuff. I found some interesting quirks I had to work through and I would like to save others some time who are also in the learning process as I am.
Using RFrecv() for Listening:
Ok first thing I learned is that RFListen() is not all that useful when it comes to automating this stuff. I tried to set its output to a variable but that did not seem to work.. So instead we will be working with another feature that lets us listen and that is RFrecv().If we fire up our RFCat in the terminal again we can give that a try:
Destroy:~ ficti0n$ rfcat -r
>>> d.setFreq(315000000)
>>> d.setMdmModulation(MOD_ASK_OOK)
>>> d.setMdmDRate(4800)
>>> d.setMaxPower()
>>> d.lowball()
>>> d.RFrecv()
Traceback (most recent call last):
File "", line 1, in
File "/Library/Python/2.7/site-packages/rflib/chipcon_nic.py", line 1376, in RFrecv
data = self.recv(APP_NIC, NIC_RECV, timeout)
File "/Library/Python/2.7/site-packages/rflib/chipcon_usb.py", line 664, in recv
raise(ChipconUsbTimeoutException())
ChipconUsbTimeoutException: Timeout waiting for USB response.
OK thats not cool we are getting a weird error if we don't get a signal right away regarding ChipconUsbTimeoutException.
No problem since we are in a python terminal we can just capture this exception and pass it, then continue with sniffing.This is done with a Try/Except block.
try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
...
That looks a little better, I am no longer receiving errors, but lets put this in a loop so we are continuously listening with RFrecv() and press our doorbell so we can capture our doorbell signal.Below is the output of a random signal that came in followed by our doorbell.. but its all kinds of crazy looking and a bit hard to read:
try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
...
while True:
... try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
Lets try to fix the output a little and make it more readable by encoding it before we view it. Open up your text editor and use the following code.What we are doing here is simply setting up our listener as we did before and then setting it to a variable we can use.
Line 12: Setting our RFrecv() output to the variable y and z. The y variable is the output that we want
Line 13: We will wrap the y variable with an encode function to encode it with a HEX encoding.
Line 14: After that we just print it out.
When we run this script from the command line we will get a much nicer output shown below, much like we did with the RFlisten function above. The big difference being that our data is now set to the variable "capture"on line 13 and we can do what we want with that data. For example we can directly replay that data rather then manually performing the actions.
Parsing and replaying data:
This actually took me a bit of time to figure out, so we need to do a few things to get this to work:
We need to parse out the data from the surrounding 0s
We need to convert it to a format we can send (tricker then it sounds)
We need to add padding and send that data over (We know how to do this already)
Parsing Data:
So with this I first tried all kinds of regular expressions, but for some reason the inverse of more then 3 zeros in a row does not seem to work. I am no regex master but that seemed like it should be working. I then tried a few creative solutions reducing repeating zeros down to pairs that I could split on with string functions. This actually worked well but then my buddy showed me this which was more efficient:
re.split ('0000*', capture)
All this is doing is using the regex library to parse on a set of 4 or more zerosand return whats left in a list of useable hex data for sending.So lets add that into our code and give it a try to see what we get back. I made the following code changes:
Line 2: Import the Regex library
Line 11: We defined the capture variable so we can access it outside of the Try Block and the loop
Line 21: We created a payloads variable and created a list from the capture file of non 0000 blocks
Line 22: We print out our list of useable payloads which can been seen in the below output
Data Format Woes:
So we have data in a list we can pull from, thats awesome but I ran into a few issues. I first tried to parse this data into the \x format we normally used when sending our attack payloads manually, but that actually does not work. Reason being that if I use a code snippet like the following to convert this data into the right format everything looks ok and something like this \x84\xe7\x08\x42\x10\x84\xe7.But it won't actually work when I send it with RFCat. For some reason when you paste in your own hex its in a different format then if you programmatically create hex like below. You don't really need to understand the code below, just know it takes our payload and creates the hex in a visual format to what we used in the last blog:
DON'T USE THIS.. IT WONT WORK!!!
for payload in payloads:
formatted = ""
if (len(payload) > 6) and (len(payload) % 2 == 0):
print "Currently being formatted: " + payload
iterator = iter(payload)
for i in iterator:
formatted += ('\\x'+i + next(iterator))
else:
continue
Formatted Hex Vs Manually Pasted Hex
So lets compare the outputs of our manually created Hex String versus what we get when we format with the above code
Below is the output of the following:
Your encoded capture
Your parsed payloads in a nice list
Your payload being processed into hex.
But this is where things go wrong, you then have :
Your nicely formatted Hex created by your code above (Yay for us)
Then you have your manually pasted in hex from your original attack payloads as unprintable characters(What?)
You can clearly see there is a major difference between when we manually paste in our hex like we did in the last blog and when we create it from our capture file.This led to another sleepless night of researching whats going on. I did a bunch of troubleshooting until I found some code on the RFcat site and saw it using the BitString library and something called BitArray.The examples for this library were using binary data instead of hex and then converting it.
BitString BitArray Formating FTW:
If you remember above we created binary input with some python, so lets use that code in our current program template and then feed it into byteArray and see what happens. We can install bitstring with the following:
Install Bitstring:
sudo pip install bitstring
Our New code using BitString:
Line 2: I imported bitstring
Line 25: I added a for loop to go through our payload list one by one
Line 27: I convert our current payload to binary
Line 28: I take that binary and I feed it into bitstring to fix the formatting issues
Lines 29-30:Print out our binary and our new data that match our manually pasted data format, shown below
With these conversions the data above looks like its correct to attack our target devices. I know this seems like a lot of steps, but honestly this is only 50 lines of code in all to automate our replay attacks in a simple way.It is also very easy if you know what your doing and don't spend all of your time figuring it out like I did. You just need to understand how to work with the types of data each component understands.
With this latest code update we are ready to send our code with a simple modification to our RFxmit line from the last blog. We will now change RXxmit to take our formatted variable and then append our padding:
Below is our full code to automate this attack, with a few changeups, but not many.. Really all I did was add some conditional statements to limit our data to longer payloads that are divisible by 2 since our hex takes 2 string characters for example \x41 is the string character 4 and 1.I originally did this for the iterator code which required the proper amount of characters but decided to leave it since it makes sense anyway.I also set it so that if there is a capture it breaks out of the loop. This way we are not continuously attacking every transmission we see. Instead for our testing we can hit our doorbell, replay all the values before our script finishes and exits.
Note: I sent similar code to a friend and had him run it against a black box real world target. He had permission to attack this target via the owner of a facility and it worked flawlessly. So although a doorbell is a trivial target. This same research applies to garages, gates, and any other signal not using protection mechanism such as rolling code, multiple frequencies at once etc.
Also note that when you run this, almost all of the payloads in your list will ring the doorbell which is why I put a timing variable before the sending command. This way your doorbell isn't overburdened. I already broke a few of these devices during testing LOL.
I have since modified this code to be more effective, and have additional features and more niceties, I will release that code when its ready.. For now enjoy the below code and hit me up with any questions or comments.
I hope this blog is helpful in demystifying RFCat in order to successfully perform/automate attacks with only Python and your Yardstick One. This is essentially a few nights of my research posted here for everyone to learn from. Because it was a pain to find useful information, and I would like to save other people a lot of sleepless nights. I am by no means the master of RF or RFCat, there is tons more to learn. Up next I will get back on track with a real world attack against a device and creating our own keyfobs to replay our attacks in the future.
