Category Archives: exploit

September meeting recap

Posted on by
1

Last meeting was awesome as always, we had some good demos and new faces which is always great. Ngharo started it off going around the room and asking ppl what they hacked last month and what they plan to hack next.

I gave my fakeAP demo to get credit card numbers or sniff traffic. The CC part failed :/ but the sniff part worked like a charm!! Then dw5304 gave a demo titled “Cable hacking for fun” and talked about how to get online anonymously with cable modems, getting almost unlimited bandwidth, modem cloning and lots more. Faraday came packing with some lithium ion batteries and big ass LEDs he gave out “to make flash lights out of” and stuff for making your capacitors which is always fun.

Then I spent the rest of the night drinking beer and yelling in to a ham radio, so I didn’t take any pictures. Congrats to uberushaximus for winning the dc414 free junk giveaway!

Here is a link to the github fakeAP pwnage project, it only works with Backtrack 5 and could use some improvement.
https://github.com/dc414/fakeAP_pwnage

Here is the slides to dw5304’s Cable hacking for fun:
https://skydrive.live.com/redir?resid=463779BB134E309F!375&authkey=!AF56QcP0xP4Ofco

August meeting awesomeness

Posted on by
Reply

Klaiviel started us off by giving us a nice show of binary key card hotel locks popular over seas, showed us a 3d printed key for one of his locks, explained pick proof locks from the 40s that are no longer used but highly effective and how to make them today using regular locks. Then he showed us why he is the second best key impressionist in the world, and made a working key for a lock right in front of us and giving us step by step instructions on how to do it our selves.

I stepped in and gave a quick demo of how I made our new and improved donations bucket which I will be making a blog post on later. Darkwind came packing with a alfa wifi antenna hooked up to a satellite dish! This made a killer directional wifi antenna, we took it up to the roof of bucketworks and got signals from all over including the moon 😛 Ngharo hooked it up to his lappy and cracked a few networks 🙂

After the roof party was over and we got back down stairs Castor gave a DEFCON20 badge hacking demo and showed us how to turn our badges into any other badge type we wanted, then showed us how to make the LEDs on the badge flash out words and stuffs. Then we all just started bull shitting and talking about up coming projects.

Cmoney couldnt make it out so I took a few picture that you can view here. Congrats to darkwind and faraday for winning the dc414 free junk giveaway!!

Arduino Windows Attack Tool

Posted on by
4

A few meetings back I demoed my Arduino Windows attack tool. The Arduino and shield emulate a keyboard when plugged into a PC. Once triggered it opens the DOS edit program, writes some vbscript to a file called go.vbs, then runs it using wscript. The script downloads a payload from a web server. In the case of the demo it was a reverse shell that connects back to a nc listener from msf. I got the idea from the Social-Engineering Toolkit Teensy USB HID Attack but I dont have/want a teensy so I looked and looked for an Arduino version but all I could find was a USB keyboard lib, so my value add was porting it to the Arduino.

Here is the USB lib I used.

Here is the schematic for the shield: *I added a button on pin 12

Here is the code for the Arduino:

And there you have it, my Arduino Windows attack tool. Its a little messy and hacked together, but it works. Enjoy 🙂

Many thanx to SilkyPantsDan, Rancid Bacon, and Practical Arduino

June meeting recap

Posted on by
Reply

June’s meeting was great! More new faces, lots of beer, and plenty of pizza 🙂 Ngharo got things started by making a few announcements like our new VPN that is available for donating members, and asking everyone what they are hacking ATM and what they wanna hack next. I was up next and talked about the new server and some of the sections of the site. Then Ulic gave us all the 411 on the Flamer virus sweeping the middle east and some of its unique features. dw5304 took over and gave a sweet demo on how to hack/mod the xbox360, complete with code and points of solder. We got some great pictures this time thanx to cmoney which you can view here. Congrats to nikto, Tony, and Ulic for winning the dc414 free junk giveaway.

Here is nikto and his dc414 junk 🙂

May meeting recap.

Posted on by
2

May’s meeting was off the hook, one of our best yet! Lots of new faces which is always nice, good demos, and good beer. Ngharo started it off by talking about the hackathon and THOTCON. Klaiviel did his lock master thing and said a few words about TOOOL. Darkwind gave a awesome demo on sniffing pagers. Its crazy to see all the pager traffic that is still out there. Then I showed off my Arduino windows attack tool and pwned a windows 7 box, There will a blog post about that later. Congrats to Genero for winning the dc414 free junk giveaway! I did take a bunch of pictures but my phone was full of fail and didn’t save any of them 🙁 so no pictures of the meeting this time, sorry. I promise to do better next time 😛 later.

April fun

Posted on by
Reply

Aprils meeting wasn’t for fools, it was for hackers 😛 It was another awesome meeting full of beer, pizza, lulz, and hacks. dw5304 got the night rolling with how to bypass windows 7 login password, then went on to talk bout how to pwn Time Warner internet! Then Klaiviel gave us a 101 style schooling on hand cuffs, tumbler, combo, and tubular locks and some others! He also covered some car locks, key impression and stuff. He explained the different picking methods and the tools of the trade. Ngharo and I topped off by giving the talk we have prepared for THOTCON! It went well but it is clear we need a little practice before the big event.

Here are some pictures from the meeting thanx to cmoney. Congrats to Klaiviel for getting so many achievements for the Lock Master badge in one night and to The Professor for winning the dc414 free junk giveaway!! He got a awesome CD/DVD/DVD-R external drive “lol”, enjoy!

Big winner of free dc414 junk 🙂

March meeting madness!

Posted on by
2

March’s meeting was filled with all sorts of shenanigans. dw5304 started things off with a little demo of Windows Server 8 and some of its improved features and functions.

Ngharo kept the OS ball rolling by going over some Linux 101 and while he was showing us how grep can be used to find wanted data in Apache logs Castor pulled a little prank on Ngharo and left a message in the logs for him 😛 Every one got a big laugh out of it. Ngharo also has promised to give a new Linux demo every meeting!

Then I stepped in and gave a demo on how to use temp XSS attacks to gain access to user accounts on web sites, the target in this case was Daily Motion using a known vector. It was complete with a explanation of the attack string, the payload, how to use it, and how to fix it. I gave the room the opportunity to hack my Daily Motion account, using the cookie stolen during my demo which turned out to be a bad idea, Ngharo thought it was cute to replace my profile picture with the index picture from lemonparty2 😐 Yeah, ok I loled hard at that one 🙂

Then The Professor showed us how to use “The Social Engineering Tool Kit” to phish n00bs and pwn their passwords! He gave us a step by step of how to copy a website, how to access the phish page, and what happens when its used. Then we all talked about how to know when your being phished. It was a great first demo from The Professor.

A big congrats to The Professor for winning the dc414 Free Junk Giveaway “pic below”, Enjoy your new Launchpad 🙂 Here are some other pictures from the awesome Cmoney.

The big winner:

SIDE NOTE:
The next morning with a slight hangover I open my email and find this from Daily Motion:
Hello anarchyang31,

The avatar of your Dailymotion account “anarchyang31” has been deleted due to non respect of the General Terms Of Use (inappropriate content).
In any event, we ask that you observe those conditions. You can review them by clicking here: http://www.dailymotion.com/legal/terms

After 5 deleted avatars, you will no longer be able to change it and it will be replaced with a default avatar.

You can upload a new avatar by clicking here: http://www.dailymotion.com/profile/avatar

Best regards,


The Dailymotion Team

LMAO thanx Ngharo. Ok thats it, later.

First 2012 meeting recap

Posted on by
Reply

January’s meeting had a few kinks but all in all everything went well and we had a few new faces in the crowd. We had some issues with the G+ hangout, but it was our first time and i’m sure it will go smoother the second time around. Then i had video issues while trying to give my LFI attacks demo and had to give a backup demo, but everyone else was awesome.

Darkwind gave his first presentation with dc414 and it was a good one for sure. He showed us some of his modded radio equipment and how to decode all sorts of transmissions, from HAM faxes, pagers, DTMF tones and more being broadcast in the air ways. Talked a little about cell tower emulators and software radios. dw5304 and Klaiviel gave us a run down of how they hacked the new xbox 360 to play ripped games off the HDD in just a few not so easy steps 😛 Then dw5304 have a little demo on resetting passwords on any windows box with just a few key strokes. I gave the last presentation of the night and after my LFI demo fail i was able to give a nice little demo of how the ODiG tool works and how it can aid in pwning networks.

One of the coolest things about the meeting, it was our honor to have Jayson Street join us via G+. We hope to see him at the next meeting. Cmoney couldn’t join us but I was able to snap a few shots here and there which you can view here. The big winner of free dc414 junk was Stephanie, here she is with her winnings: “ALFA usb 802.11n card”
Stephanie and her winnings

Fun with CVE-2011-0997

Posted on by
9

Saw a killer dhcp client bug come across the wire the other day and thought it would be fun to play around with. Heres some info on it:
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.
source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997

This is super easy to exploit, all you need to do is set up a DHCP server and edit the clients hostname to include our payload! Once you get dhcp up and running edit your /etc/dchp3/dhcpd.conf and locate the line that loks something like this:
subnet 10.10.5.0 netmask 255.255.255.0 {
Then right under it add something like this:
option host-name "test;nc -l -p 1337 -e /bin/bash";
Now using the above payload when someone requests an IP from you and its accepted a shell will open on port 1337 on their machine 😀

What happens is the victims computer gets the hostname value from DHCP, then just runs it against the shell. Now because we added a shell metacharacter “;” we are telling the shell that it has multipliable commands to execute which in the above case its the commands to change the hostname to test and “nc -l -p 1337 -e /bin/bash”. Fun right? Ok thats it, peace.