Hardware
Noooooooooo Touch!
TL;DR I presented this work at Insomni’hack, if you’d prefer to watch the recording of that then you can find it here: https://www.youtube.com/watch?v=Nvw_BH7jPzE
Imagine you’re on a physical engagement, standing outside an office door. You need an access card but you don’t have one (yet). You notice that there’s a pattern where employees need to tag in, but to leave they just wave their hand and the door swings open. You pull a torch out of your backpack and switch it on. There’s no visible light but a subtle vibration assures you that it’s on and working. You shine it through the glass door, pointing it at a bookshelf, a chair or wall on the inside, like trying to line up a shot in pool. Within about 5 seconds… pop! The door swings open, there’s nobody else in sight and you walk right in. Not even a fingerprint left behind. It turns out, this scenario isn’t as farfetched as you might think.
Serial PitM
Sometimes you need to get in the way of a hardware device and its controller, and see what it has to say for itself. If you are lucky, the two parts are communicating using a serial port, and then it’s relatively simple to do. In this post, I will explain two scenarios where I had to do this, and the approach that I took in each. As a bonus, I’ll also show some hardware that I put together to make it easier.
P4wnP1 LTE updates
After publishing my blog post about running P4wnP1 on an LTE modem, where I explained how to install Linux and P4wnP1 on an actual LTE modem for sneaky USB attacks, and then trying and failing to do an internal presentation to show it off to folks, I realised that I had not completely documented the process. In fact, I had left it rather incomplete as it turned out! As I was intending to give a public demonstration of P4wnP1-LTE, I had some work to do.
P4wnP1-LTE
I’ve written a couple of blog posts in the past in which I explain how to use Marcus Mengs’ truly excellent P4wnP1. The most common deployment scenario involves a Raspberry Pi Zero W, or possibly a FriendlyArm NanoPi R1S. The downside of these platforms is that you need to be in fairly close physical proximity in order to access the WiFi interface, or even closer to access Bluetooth. The NanoPi R1S can support an LTE modem, to give you much bigger range, but the downside to that is that it looks pretty clunky.
Investigating the Wink Hub 2
Rogan brought half of his hardware parts bin to the hackathon! Michael Rodger, Daniel Scragg, Isak van der Walt, Thulani Mabuza and Rogan Dawes formed the Chubby Hackers team to investigate the Wink Hub 2 during SenseCon 2023. This was building on our project from SenseCon 2022 where we looked at the Wink Hub 1, particularly the various debug interfaces for the main i.MX28 and the peripheral radio controller chips. There is quite a lot of detailed information available online for the Wink Hub 1, but not a whole lot for the Wink Hub 2. In fact, there is practically nothing! We aimed to change that.
DualSense Reverse Engineering
Ciao belli!
On the 19th of November 2020, SONY finally released the new PlayStation 5 in the UK. A few days earlier in the US, Japan, and Canada. Of course, Play Station 5 came together with a new Wireless Controller, this time named DualSense. I wanted to see if I could continue my PlayStation controller adventures on this new device, following on my previous work.
A few SONY installations available in London for the release of the PlayStation 5. DualSense Wireless Controller The DualSense Wireless Controller presents new features such as:
Making the Perfect Red Team Dropbox (Part 2)
In part 1 of this series, we set up the NanoPi R1S as a USB attack tool, covering OS installation, installation of P4wnP1, and even keylogging a “passed through” keyboard. In this part, I am going to focus on operations as an Ethernet attack tool, using two scenarios. Firstly, as a box which can be connected to an unused Ethernet port, and provide remote access to the target’s network, and secondly, as an Ethernet Person in the Middle (PitM), where it can be placed in between a legitimate device and its upstream switch, and mask its own traffic using the legitimate device’s IP address and MAC address. In the second scenario, we can also defeat Network Access Control measures, because the legitimate device will handle all of that.
Making the Perfect Red Team Dropbox (Part 1)
As part of our preparations for our upcoming RingZer0 “Q Division” Training, I have been working on making a software image for the FriendlyArm NanoPi R1S Single Board Computer (SBC) that we’ll be using to demonstrate some close quarters techniques. I will detail the process of configuring an R1S by installing the Armbian distribution as well as P4wnP1 ALOA. We will also take a quick look at getting USBProxy configured to act as a keylogger.
[Dual-Pod-Shock] Emotional abuse of a DualShock
Hacking PlayStation DualShock controllers to stream audio to their internal speakers.
Ciao a tutti.
Introduction I didn’t really know what this project was going to be about and where or how it would end up. The only thing I know is that I started working on it because one day I was bored and having a chat with a friend of mine:
Your flat is like a Luna Park for nerds. Just look around and, I am sure, you’ll figure out what to do. — He said.
DEEP INSERT – Card Skimmer Research
So I get a phone call from Daniel on a Wednesday night,
Stu, can you bring your hardware stuff with you tomorrow, I’ve been given a card skimmer that i want us to see what we can get from it.
So I get my bag ready with the hardware tools i have, RS232 to USB UART adapter, Saelea 8 Channel Logic Analyser, and numerous other components.
Thursday comes round and I’m eager to see what device Daniel has, he gives me it and says “gimme 10, then we will sit down and see what we can get”, I waited 1-second and tore into this thing!
Page 1 of 2
Next