Presenting at NCSSS-15 Cyber Summit

Awarded with the prestigious Award of Excellence by National Cyber Defense and Research Center

Presenting at Defcon | OWASP Lucknow Chapter at Amity, Lucknow

Demonstrating the Usage of Advanced Hadware Devices and Facial Recognition

In an Exclusive Conversation with India Watch

Interview for India Watch Channel on Security in India. Click to Know More...

Wednesday, 3 December 2014

Keep Spying with a Low Cost Voice Recorder

Voice Recording is one of the primary aspects when it comes to Spying. Today let us discuss about ISD 1820 Voice Recording Module.

This Module works both independently as well as with Arduino, Pi Boards etc. it is quite small, say a few centimeters bigger than the SD card adapter. This module operates on 3V-5V. Starting to record, playing back can both be controlled using hardware switches as well as Boards like Arduino, Pi etc.

This module is can be used to build various projects for spying and can be interfaced with SIM900, Motion Sensor so on and so forth.

A Basic Video demonstrating operations of this module can be found at-

Wednesday, 19 November 2014

Android Keypad Tones, A Perfect BlueBox!

I recently found that keypad tones from android devices can act as a perfect phone phreaking blue box.

In Simple Terms: Feed in Equivalent Calling tones to the Mic of the Land Line from Android, this will allow you to call the number for whom the tones are generated for. 

However, for some devices like Samsung and others, may not generate the same tones. However, for those devices, we can simply install ToneDef Application from Google Playstore for free. Using this app or the android dialer pad itself may allow phreaking on telephone land lines.

So many of you guys might have seen a old style phone lock that hides the entire keypad from a landline phone. Now, you don't have to bother about that at all. We can simply use an android app to bypass Keypad locks and in most cases with the ToneDef app we can simply bypass Pay-Phones as well.

Have a Look at a simple demonstration using android at-
Kindly share your thoughts in the comments and if you liked the video, kindly give it a share.

Monday, 27 October 2014

Exploit Writing Series Tutorial 1: Buffer Overflow on Linux

Hey folks,
i have been thinking for so long to start a noob friendly series on exploit writing but never got that much time. Anyways, let's talk about exploit writing-

So, what is an exploit?
an exploit is a piece of code that takes the advantage of a vulnerable system.

However, keeping this a noob friendly tutorial let's make some things very clear. Firstly, an exploit may or may not work on two different application versions, may not work on two different operating systems.
Secondly, if you think you already know basics, you can leave the website immediately.

Well, Throughout this series we will start from the very basic (I Mean it :P) this means we will take up things as soon as they appear. So, you don't have to worry about ASM, Comp. Architecture etc.

i already mentioned that we will take up things as soon as they appear. However, for this tutorial you should have a lil knowledge about C Programming.

So, let's take up the most basic "Stack based Buffer Overflows" at the very first stage-

Now, what is a stack?
we can see in the above picture that we organized every book one above the other. However, we can collectively say that this is a stack of books. Now, to build this stack, we placed the first book, then the other on top of it and so on until we run out of books.

Exactly, what follows in Computer systems. We can put operands and operators one above the other to form a stack. This is called the "Push" operation. This also means that the first book is now at the bottom and the last one is at the top. This is why stack is called Last-in-First-Out. So, when we need to remove a book, we first need to remove the book at the top, this is called the "Pop" operation.

So, What is Buffer Overflow?
A buffer is a region which stores data temporarily and when more data than its capacity is supplied, it gets overflowed.

Let's see an example-
void noexec()
printf("this never executes");

void main(int argc, char** argv)
char buffer[50];
In the above program, we have two different functions- main and noexec. When we run this program, it simply receives the command line argument, copies it into the buffer variable and simply prints it. Now, you might ask, why do we have noexec() function if we are not calling it any where in the program? this is because in order to work out the simplest buffer overflow, we will try to execute this function by exploiting it.

Let's compile this program using the following command-
#gcc -ggdb -o rofl -fno-stack-protector expl1.c -mpreferred-stack-boundary=2
To compile a C program in linux, we use gcc, -ggdb option allows the code to be executed and listed in debugger by supplying enough information to the debugger, about the program, -fno-stack-protector option turns off stack protection mechanisms in Linux while compiling the program and -mpreferred-stack-boundary=2 option aligns the stack on a 4-byte boundary and will be susceptible to crash as well. However, by default it's on 16-byte boundary.

(You can Skip the above paragraph, for now we just need to focus on compiling the application program)

Let's execute the program, and supply 50 A's, we can see that it gets printed, Let's try with 51 A's, 52 A's and 53 A's. We can see that program exited normally after outputting the supplied input. However, as soon as we provide 54 A's we get Segmentation Fault which denotes crashing of the program or we can say the buffer just overflowed. You might ask, we had the buffer for 50 characters but it still got executed at 51,52,53. This is because the input didn't overwrote the EIP initially and may have overwrote other registers which didn't affected the program's execution.

What is EIP?
A register which stores the address of the next instruction. Therefore, if we overwrite this EIP register with the address of our choice, our choice will be the next instruction to be executed by the program. This potentially means that we can redirect the flow of a program to anywhere we want.

Let's open this program in GDB-
GDB is a debugger which can allow us to view the state of the registers, stack, memory locations etc throughout the execution of a program(I Know this is the most basic tutorial and introducing GDB may not be the correct idea right now, but for the sake of running the noexec function we need its memory address).

#gdb ./rofl

the above command will run the program in GDB. To find the starting address of the noexec() function we need to input a simple command which is "disassemble" followed by the name of the function

(gdb) disas noexec

this command will output the following-
Don't get scared! for Now, we only need the address of the first instruction which is 0x0804847c.

Next, we simply need to input this address after 54 A characters and this will overwrite the current address in EIP resulting in altering the flow of the program according to our needs.

Let's test it out-
Keeping it simple, we will supply 54 A's and the address in Little endian format which is to reverse the bytes(ex- split the bytes 08 04 84 7c to 7c 84 04 08.
We can see that after outputting the input, noexec function runs thus outputting "This Function Does Not Execute".

This tutorial is purely for the newbies in exploit writing. If You liked this tutorial, comment your feedback and suggestions.

For exploiting the same on x64 based architecture, refer to Adhokshaj Mishra's Website.

See you Next week.

Saturday, 27 September 2014

Fixing SickFuzz for Kali Linux

SickFuzz is a fuzzer for web applications and has always been a script which i miss the most on Kali linux. Let us see how we can fix it to run on Kali Systems-

Download the script from this link and try to execute it.
The First Error would be:
And probably the second one would be:

To Fix these errors, we need to make the following changes in the spike and the fpath variables. However, fpath variable is the path of the file.

As soon as you fix and restart, it works like charm-
Happy Fuzzing :)

Friday, 26 September 2014

Simplest Command to Fetch SSIDs Around You

Today we will discuss how we can easily capture network SSIDs from the various devices around you.

This will help you find previously connected networks from various devices due to the fact that any wireless enabled device will keep looking for previously connected network after a certain period of time.

To keep it simple we will simply use 'tshark' the command line sequel for wireshark.

The first step is to put your wireless card in monitor mode-

airmon-ng start wlan0 
Next, issue the following command-
tshark -i mon0 -R wlan.fc.type_subtype==0x04 -T fields -E separator=- -e -e wlan_mgt.ssid

Lets understand this command, -i denotes the interface to capture packets from and since we have put our wireless card in monitor mode, we will use mon0.

-R denotes the filter to use, wlan.fc.type_subtype==0x04 denotes the 'Probe Request' packet which is used for seeking a network actively, by the device. we used Hex notation of probe packet that is 0x04. Next, to list only the information which we require rather than the entire packet we use -T fields. -E separator denotes the character separator between two fields. -e denotes the actual fields which we want to display.

Therefore, our command should display something like-

XX:XX:XX:XX:XX:XX-[Network Name]
 running this command will output something similar to the following-

This was a simple tutorial but i thought it will be helpful for few people who wants to get information about previously connected networks from certain devices.