We are proud to announce that dc414 will have a little area at barcamp mke this year! We will be selling stickers, taking orders for shirts, handing out fliers, showcasing some of our past projects and running a DEFCON style wall of sheep “with a dc414 twist”!! Should be lots of fun so come check out our area and barcamp!
To keep up to date with dc414’s activities at barcamp mke you can follow us on our mailing list, facebook, and twitter. Hope to see you there.
I have a house full of little n00bs who have been “hacking” each other in the house lately. See we have one laptop in the house that the kids share in the living room and form time to time one kid will get up and not log out of the sites he/she were using and one of the others will sit down, see the sites open and leave little messages like “hacked by so and so”.
It all started when my oldest boy (19) liked a bunch of dick related stuff on my youngest boys (14) face book account. lol. They have even got cmoney a few times! Now normally i would yell at them for things like this but no one got hurt and they are learning a valuable lesson in technology that is normally learned at much greater coast. Plus it might spark an interest in security for them as well, at the very lest they are more aware of it.
So all in all i think its a good thing they jest in this manner, i just hope they keep it as such. One thing i know for sure is i will be scanning that laptop for key loggers on the regular now ๐
The last meeting was awesome as always! My SQLi presentation went well and i even got to do a little demo of iPillage, i took my IR Copy toy but didnt really get to play with it. dw5304, wowed all showing his remote boot system hes working on that needs only a NIC, and gave a little tut on surface soldering! It doesn’t stop there, Klaiviel schooled us all a little in HAM radio, how to track someone with it and how to get your message across the world! He also did a little lock pick demo and GAVE EVERYONE A FREE LOCK! Thanks bro! ๐ I only took a few pictures this week and here they are.
Everyone got a free dc414 sticker for showing up as well as “Things to know if the FBI show up” cards from DEFCON19 and UCLA. We also got to use our new free junk give away random picker, thanks to ngharo for coding that up, and gave away a few LAN taps, and as always our free junk! Congrats go to Meg again for winning The NORTON Essentials for Mac or more of the crap i don’t want anymore ๐
dc414 is happy to bring you ENCOSH, a online encoding and hashing app. You just feed ENCOSH a string and it will hash it using MD4, MD5, SHA1, SHA256, SHA384, SHA512, LM, NTLM and encodes it using Base64, ROT13, HEX, URL, RawURL then spits them all out for you. I had used it as a personal tool for a long time and got lots of use out of it for sql injections and what not so im sure someone else will as well, so enjoy ๐
I got sick of upgrading phpMyAdmin at work every time a new version came out so i made this little script to do it for me. All you have to do is pass the .gz download url to it.
Here is the code:
#!/bin/bash
upgrade() {
wget $1 -O phpmyadminupgrade.tar.gz
FILE="phpmyadminupgrade.tar.gz"
tar zxvf $FILE
FOLDER=`echo $FILE | awk -F".tar" '{print $1}'`
cp /usr/share/phpmyadmin/config.inc.php ~/phpMyAdmin*
rm -rf /usr/share/phpmyadmin/*
cp -R ~/phpMyAdmin*/* /usr/share/phpmyadmin/
chmod -R 777 /usr/share/phpmyadmin/
chmod 644 /usr/share/phpmyadmin/config.inc.php
rm -rf ~/phpMyAdmin*
rm ~/$FILE
echo "Done!!"
exit 1
}
usage() {
echo "Use this script to update phpmyadmin"
echo "to run:"
echo "./upgradephpmyadmin.sh url"
exit 1
}
if [ -z "$1" ]; then
usage;
else
upgrade $1
fiPast that into “upgradephpmyadmin.sh”
chmod a+x it and run it as root like so:
user@user:~$ sudo ./upgrademyphpadmin.sh urlNOTE: This bash script assumes phpMyAdmin’s html files, including config.inc.php live in /usr/share/phpmyadmin/ and that you are running this script in your home directory.
Got some cool shit at DEFCON, here are some pics of the stuff i got. Here is the DEFCON19 cd iso, and here is your mom ๐
While at DEFCON we ran a little hack contest, back at the riv amongst our selves “me, ngharo, black rat, and alex”, to see who could bypass the hotels internet billing system ๐ I would like to say that i came out on top as leet hacker supreme by getting online first. Yeah im the best hacker ever ๐ dont freak out, we are good people and didn’t actually use the hotels internet in this manner, i personally opted for a slightly more secure method and tethered my phone. ok thats it peace.
I know this post is a little late but we have been busy with other stuff, and my mom always said better late then never. Valdimir started us off with a fun demo of his magnetic card reader “vid below”, which could also write to a card but he didnt have the right software, he said he will be getting the right stuff soon. Then he came out with the big guns, a 3G/cell phone jammer!! This thing was all kinds of fun, and i uploaded a little vid of one of the demos we did with it “bellow”. The awesomeness didn’t end there, dw5304 gave us a nice demo of ZFS and showed off some of its more robust features. One of my personal favorite features was being able to pipe snap shots to anything!! Congrats to Darkwind for beeing last meetings winner of free junk from dc414!! Here are some pics taken at dc414.
Darkwind and his winnings!
Vlad reading cards:
Vlad be jammin:
2600, the magazine familiar to many as a preeminent hacking quarterly, is publishing a calendar. While, according to the 2600 site, most calendars only mark holidays, 2600 intends to โprovide as complete a guide to milestones in the hacker world as humanly possible.โ Not an easy task considering that, depending on your definition, hacking could extend to the discovery of fire, or at least the wheel.
2600 gives some examples in which they only list events back to March 3, 1885, when AT&T was founded. If this example is followed, that โonlyโ gives one 126 years to work with, but compiling a full list of hacking dates is still a daunting task. If you can think of any dates worthy of consideration, email them to: calendar@2600.com. We think maybe September 5th, 2004 might be a notable date to include. Weโll leave it up to figure out what that date is, in case it wasnโt painfully obvious.
OP: http://hackaday.com/2011/06/04/help-2600-magazine-compile-a-list-of-dates-for-their-hacker-calendar/
The RV042 is a Dual WAN, 4 port switch, VPN Router. Work just got it in to do a little load balancing and for fail over protection. One of my favorite things to do with new toys like this guy is give them a nice once over. Which of course is how i found a XSS in the login logging functions of this device. I was originally looking for weaknesses in the login scheme and notice that my attempts are being logged, notably the user name i was trying to login as was being logged, along with a brief description of the failure. I then put non-standard characters in there which broke the UI, after some more playing around i found i was able to get html to render, from there i just started messing with XSS payloads till i found one that worked.
Here is my working XSS at the login screen:
The string i used is < iframe src="https://dc414.org" >
For password i just put in some junk
Here is what it looks like after i submit:
Here is the XSS in action ๐
K thats it, enjoy, peace.
Another awesome meeting with dc414 this month. dw5304 pwned us all with his GPS jammer, and a ardunio RFID reader. The laser mic from last months meeting was busted out for a while and ngharo brought his oscilloscope which we used to mess with the RFID reader. Vladimir had some killer lasers, one of which we used to light a cig ๐ Check out the vids below to see some of the fun ๐
The laser lighter – https://www.youtube.com/watch?v=FRFPO2X-Mao
Ardunio RFID reader demo – https://www.youtube.com/watch?v=PfCxP5Huoxw
oscilloscope + RFID play time – https://www.youtube.com/watch?v=4c5NK9idhtA