Few feelings are as stomach-sinkingly awful as the thought of losing an expensive new iPhone. Whether you left it on the bus or someone slid it out of your back pocket, we put so much store in our phones that their loss leaves is saddened and angered. Most of us keep at least copies of everything in our lives on our phones, from personal conversations to emails,
To say nothing of all our personal information and social media accounts. Of course there are security measures in place, but nobody wants to risk having all that information fall into the hands of the wrong people. In this article, I will show you how to find a phone that has been lost, whether your own phone or the phone of a friend or family member.
Can you track an iPhone without them knowing?
First off, hopefully you activated the Find My Phone feature of your iPhone when you still had it in your possession. Secondly, if your phone doesn't have service (and thus a connection to the Internet) or if you don't have iCloud set up, then these solutions are not going to work for you. Unfortunately phone technology is advanced but it isn't magical; if your phone isn't talking to the network or if you haven't turned on Find My Phone, then unfortunately the technological solution is probably not going to work. (Seriously. If you have possession of your phone(s) then stop reading this article, pick up your devices, go to Settings and select "Find My Phone" (iPhone) or "Find My Device" (Android) and make sure they are toggled on. TTjem upi cam dp ot/"
Without further ado, let's find your phone!
Can I Tell if Someone is Tracking my iPhone?
Usually yes, if someone is using the "Find my Phone" feature, it will be displaying things on the iPhone screen. Thankfully, "Find My iPhone" comes pre-loaded on all phones with iOs 9 or newer. "Find my iPhone" is the gold standard when it comes to locating your lost iPhone. The service is integrated as part of iCloud. Here's how to use it to find your missing iPhone then track down your phone's exact location.
Step 1: Open up the "Find My iPhone" on a different device
It doesn't matter if you decide to use your iPad, your laptop, or a friend's iPhone – you can run the Find My Phone app fr0m Mac. You can use the Find my Phone app.
If you are using an Apple product like another phone or an iPad, you can simply click on the app.
If you are using a computer (even a Windows PC will work), go to icloud.com then click on the "Find iPhone" icon. Once you've clicked on the "Find iPhone" icon the website process and "Find my iPhone" app process are the same.
Step 2: Input Your Apple ID Credentials (they are the same as your iCloud info)
Since you are not using your phone, you won't be automatically logged in.
Once you log in to the app, select the "All Devices" drop-down option and then find the device that you want to locate.
Step 3: Once You Select Your Phone, Options Will Appear
As soon as you select your device on the page, iCloud will begin to search for it. If the search is successful, you will see your device on a map, pinpointing it's location. Before you sprint out the door to get it, there are some other options you should take a look at.
Once you select your device you will have three additional options in addition to seeing your phone's location. These options are playing a sound, activating "Lost Mode" and erase the phone.
Playing the sound is a great way to find your phone if you lost it somewhere around your house. If you click the option, an audio alert will go off on your phone which will hopefully help you find it. The alert will sound like a loud pinging noise alerting you that your phone is at home with you and not at the coffee shop you just visited. If you hear the pinging sound then you'll quickly find your phone by just following the sound.
When enabled, Lost Mode will lock your phone with a passcode and will display a message of your choice. This can either ensure it will be safe until you can find it, or will alert the thief what you expect of them and that you know where they are. This mode can also enable location services on your phone too.
However, if things have gone too far and you think there is a very slim chance you will ever get your device back – perhaps your phone has already crossed an international border – the best course of action is to simply erase it. Yes, this is giving up, but it also prevents your personal information getting into the hands of someone who could abuse it.
If you follow these steps, you should have your phone back in your pocket in no time.
Is there an app to track someones phone without them knowing?
What if you're looking for someone else's phone? I'm sorry to burst your bubble, but you are not allowed to track someone else's phone without their knowledge. While there are supposedly apps that you can install on a target's phone to track it and keep tabs on what they are doing on it, that is completely illegal and immoral. In addition to the moral issue, there is the practical fact that they could find the app which could lead to a very awkward situation, possibly one involving the police.
However, there are times when you want to find a friend's phone and you have a legitimate reason, and (the important part) they have given you permission to find it. Just as when you were looking for your own phone, there is an app that can help you find the phones of your friends and family with ease. The "Find My Friends" app used to be an extra download, but now it comes with iOS, so if your friends have ever updated their phone, they should have it.
"Find My Friends" is an app that basically allows you to share your location with others and vice versa. It can be great for keeping track of where your kids are, knowing what your significant other is doing, or just keeping tabs on your friends. It can also help them find a lost phone (as long as you have "Shared Locations" with them). Here is how to set it up:
Step 1: Open the app on your phone and the phone of the person you want to be able to share locations with.
Step 2: Click your profile in the bottom left of the screen.
Step 3: Enable "Share My Location" and make sure AirDrop is enabled on your own phone.
Step 4: From there, your friends and family will be able to search/add you to share your location with them and vice versa. You each will need to accept the "Shared Location" request from the other. Now, you can just click on their profile in the app and keep track of them.
As you likely realized while reading this article, it is a much better idea to be proactive than reactive when it comes to tracking phones. If you set up "Find My iPhone" and "Find My Friends" before your phone gets stolen or lost, it will save you a lot of potential hassle down the road. While it may be a bit worrisome to have someone be able to see your location at all times, it can really save you once your phone goes missing and you need to track it down. It is obviously best to pick someone who you trust not to take advantage of the information an app like "Find My Friends" can provide them.
No one deserves to have their phone stolen or go missing, but thankfully, there are some ways to find it, or at least have the information deleted. Hopefully, this guide helped you be able to find your phone or the phone of your friends and family, or at least prepared you for when it may happen.
If you have other ways of finding a lost phone, please share them with us below!
I spent the last couple days recoding the Pillager, getting rid of bugs, optimizing code, making it more extendable and more solid overall. So this post is to release the new code. However, with that being said, the Pillager is in mass revision right now and I added some more developers to the team to add a whole host of new database attacking features as well as moving past databases and into other areas of post exploitation pillaging. Soon to be released.. As usual this tool and any tool i create is based on my issues when performing penetration tests and solves those problems.. If you have any insight or comments i will certainly take them into consideration for future releases.
For now check out Version 0.7.. Named searches and Data searches via external config files are now functioning properly as well as other bugs fixed along the way... Drop this in a BT5 VM and make sure you have your DB python stuff installed per the help docs and you should be good to go. If you are looking to use oracle you are going to have to install all the oracle nonsense from oracle or use a BT4r2 vm which has most of the needed drivers minus cxoracle which will need to be installed.
Release Notes: --Fixed bugs and optimized code --Added Docstrings --Fixed Named and Data searches from config files About: The Database Pillager is a multiplatform database tool for searching and browsing common database platforms encountered while penetration testing. DBPillage can be used to search for PCI/HIPAA data automatically or use DBPillage to browse databases,display data. and search for specified tables/data instances. DBpillage was designed as a post exploitation pillaging tool with a goal of targeted extraction of data without the use of database platform specific GUI based tools that are difficult to use and make my job harder. Supported Platforms: -------------------- -Oracle -MSSQL -MYSQL -PostGreSQL
Usage Examples: ************************************************************************ For Mysql Postgres and MsSQL pillaging: --------------------------------------- python dbPillage -a [address] -d [dbType] -u [username] -p [password] For Oracle pillaging you need a SID connection string: ------------------------------------------------------ python dbPillage-a [address]/[sid] -d [dbType] -u [username] -p [password] Grab some hashes and Hipaa specific:(Default is PCI) ------------------------------------ python dbPillage -a [address] -d [dbType] -u [username] -p [password] --hashes -s hipaa Drop into a SQL CMDShell: ------------------------- python dbpillage.py -a [address] -d [dbType] -u [username] -p [password] -q Config file specified searches: ------------------------------- Search for data Items from inputFiles/data.txt: python dbpillage.py -a [address] -d [dbType] -u [username] -p [password] -D Search for specific table names from inputFiles/tables.txt: python dbpillage.py -a [address] -d [dbType] -u [username] -p [password] -N
Switch Options: --------------------- -# --hashes = grab database password hashes -l --limit = limit the amount of rows that are searched or when displaying data (options = any number) -s --searchType = Type of data search you want to perform (options:pci, hipaa, all)(PCI default) -u --user = Database servers username -p --pass = Password for the database server -a --address = Ipaddress of the database server -d --database = The database type you are pillageing (options: mssql,mysql,oracle,postgres) -r --report = report format (HTML, XML, screen(default)) -N --nameSearch = Search via inputFiles/tables.txt -D --dataSearch = Targeted data searches per inputFiles/data.txt -q --queryShell = Drop into a SQL CMDshell in mysql or mssql
Prerequisites: ------------- python v2 (Tested on Python 2.5.2 BT4 R2 and BT5 R3 - Oracle stuff on BT4r2 only unless you install the drivers from oracle) cx_oracle (cx-oracle.sourceforge.net) psycopg2 (initd.org/psycopg/download/) MySQLdb (should be on BT by default) pymssql (should be on BT by default)
HOW TO DEFACE A WEBSITE USING REMOTE FILE INCLUSION (RFI)?
Remote File Inclusion (RFI) is a technique that allows the attacker to upload a malicious code or file on a website or server. The vulnerability exploits the different sort of validation checks in a website and can lead to code execution on server or code execution on the website. This time, I will be writing a simple tutorial on Remote File Inclusion and by the end of the tutorial, I suppose you will know what it is all about and may be able to deploy an attack.
RFI is a common vulnerability. All the website hacking is not exactly about SQL injection. Using RFI you can literally deface the websites, get access to the server and play almost anything with the server. Why it put a red alert to the websites, just because of that you only need to have your common sense and basic knowledge of PHP to execute malicious code. BASH might come handy as most of the servers today are hosted on Linux.
SO, HOW TO HACK A WEBSITE OR SERVER WITH RFI?
First of all, we need to find out an RFI vulnerable website. Let's see how we can find one.
As we know finding a vulnerability is the first step to hack a website or server. So, let's get started and simply go to Google and search for the following query.
inurl: "index.php?page=home"
At the place of home, you can also try some other pages like products, gallery and etc.
If you already a know RFI vulnerable website, then you don't need to find it through Google.
Once we have found it, let's move on to the next step. Let's see we have a following RFI vulnerable website.
http://target.com/index.php?page=home
As you can see, this website pulls documents stored in text format from the server and renders them as web pages. Now we can use PHP include function to pull them out. Let's see how it works.
I have included my malicious code txt URL at the place of home. You can use any shell for malicious scripts like c99, r57 or any other.
Now, if it's a really vulnerable website, then there would be 3 things that can happen.
You might have noticed that the URL consisted of "page=home" had no extension, but I have included an extension in my URL, hence the site may give an error like 'failure to include maliciousScript.txt', this might happen as the site may be automatically adding the .txt extension to the pages stored in server.
In case, it automatically appends something in the lines of .php then we have to use a null byte '' in order to avoid error.
Successful execution.
As we get the successful execution of the code, we're good to go with the shell. Now we'll browse the shell for index.php. And will replace the file with our deface page.
Welcome back to the Linux Command Line Hackery series, this is Part-V of the series. Today we are going to learn how to monitor and control processes on our Linux box, so wrap your sleeves up and let's get started. Command: ps Syntax: ps [options] Description: ps displays information about the currently running processes. Some of the common flags of ps are described briefly below Flags: -Aor -e -> select all processes -a -> select all processes except both session leaders and processes not associated with a terminal. T -> select all processes associated with current terminal -u<username or id> -> select all processes of a given user or userlist Open up a terminal and type ps: ps what you'll see is a list of processes currently running in your terminal. One important thing to notice in the output is what's called as PID which stands for process ID. It is the number that uniquely identifies a process. Just keep that PID concept in mind we'll use it soon. OK I know that's not really what you want to see rather you want to see all the processes that are currently running on your box. Don't worry we have flags to rescue, in order to see all the processes you can use the -e flag like this: ps -e Boom! you get a long list of processes currently running on your machine (don't stare at me like that, you asked and I gave you that). If you want to see processes of a particular user you can type the following command in your terminal: ps -u bob here "bob" is a username. This command will list all processes of the user with effective user name of bob. You can do a full-format listing of the processes using the -f flag like this: ps -fubob But the output of the ps command is a snapshot not really a live preview of what is going on in your box. I know your next question is going to be something like this, Isn't there a command in Linux that gives me a live updating information of the processes? Yes, there is a command called top that we'll learn about next. Command: top Syntax: top [options] Description: top gives a dynamic real-time view of a running system. That is, it gives the up-to-date information about all the processes running on your Linux box (sounds fun!). Besides giving information about current processes and threads top also provides a brief system summary. To start top just type this command: top and you'll get a nice and cute looking ugly display :). Well what the heck is going on here you might ask, right? What you get is information about what is going on with your computer. To see what more can you do with top just type <h> within the program window and you'll be given list of options that you can play with. OK looking at what processes are going on in your box is cool but what if you want to terminate (or close) a process, is there a command line utility for that? Yes, there is and that's what we are going to look at next. Command: kill Syntax: kill [options] <pid> [...] Description: kill is used to send a signal to process which by default is a TERM signal meaning kill by default sends a signal of termination to process (Cruel guy). To list the available signals we can use the -l or -L flag of the kill command. To simply terminate a process we provide kill command a PID (process ID) and it will send the TERM signal to the process. So to kill a process first we'll list the running processes and then we'll keep the PID of the process in mind that we want to terminate. After that we'll issue the kill command with the PID that we just found. ps -ax kill 1153 the above command will send a TERM signal to the process whose PID is 1153, as simple as that. We can also use our already learned skills to refine the output of ps command. Say we have a xterm terminal running on our box and we want to terminate it. By using ps command all alone we'll get a long listing of all processes running on our box. But we can limit the output of ps command to just those processes that we're interested in by piping ps command with the grep command like this: ps -ax| grep xterm wow! that's amazing, we're able to pull out only those results from the ps command that contained xterm in them. Isn't that a cool trick? But what is that vertical bar ( | ) doing in the middle, you may be thinking, right? Remember we learned about the input and output re-directors previously, the vertical bar (pipe in geeky terms) is another re-director whose task is to redirect the output of one command as input to another command. Here the pipe redirects the output of ps -ax command as input to grep command and of-course from the previous article you know that grep is used to search for a PATTERN in the given input. That means the above command searches for the xterm word in the output of ps -ax command and then displays just those lines of ps -ax command which contain xterm. Now get that PID and kill that process. That's it for today, try these commands up on your own box and remember practice is gonna make you master the Linux command line. :)
After Some Requests, I made this tutorial on How to Remove Windows Passwords So First of all lets' see which tool we are going to use [UPDATE] If you are having any kinda problem with this method on windows 8/8.1 then try this method
Tool Name:- chntpw Tool Description: Obviously its' going to be what the man page of tool says: "chntpw is a utility to view some information and change user passwords in a Windows NT/2000 SAM userdatabase file, usually located at \WINDOWS\system32\config\SAM on the Windows file system. It is not necessary to know the old passwords to reset them. In addition it contains a simple registry editor (same size data writes) and hex-editor with which the information contained in a registry file can be browsed and modified." Attack Requirements: 1. Physical Access to victims Computer. 2. A live bootable pendrive of Kali Linux. (Download Kali Linux) So Lets' get started: Step 1: Mounting the drive containing Windows OS-> This one is easy ain't it? Well so that you might not have forgotten how to do it, I'll type the syntax: ntfs-3g /dev/sda1 /media/win Note that 'sda1' in above command is the partition on which Windows OS is installed yours can be different. To check yours simply type fdisk -l which will list your all partitions and then check by yourself on which partition your Windows OS is installed. If you can't get it this way then don't worry I'm still here well then you can try doing it in 'GUI' way. Click on Applications > Accessories > Disk Utility then select victims' hard disk and see on which partition Windows OS is installed. If Windows Partition is installed on any other partition then replace 'sda1' in the above command with that which you found e,g 'sda2''. Also note that if there is no such directory as 'win' (mentioned in above command) in your /media folder then you must create one which is simple just type mkdir /media/win this command will make win folder in media folder on which you'll mount victim's Windows OS (It is not necessary that it's name be 'win' you can use any name). Step 2: OK after successfully mounting Victim's Windows OS now you need to move there but wait not only there instead very much deep in there. You need to move to config folder which is located in System32 folder (Note that it is Capital 'S' in windows 7 & 8). You can move there using this command:- cd /media/win/Windows/System32/config/ (On Windows 7 & 8) or cd /media/win/WINDOWS/system32/config/ (On Windows XP and those before it) Step 3: Now is the most tough part of game (only if tough means easy :) ). Now as when you are inside the config directory type the following command to see the list of users available on Victim's Machine: chntpw -l SAM (remember it is ell not 1)
note the name of user whose password you want to clear. Step 4: Oh man our happy journey is coming to an end now. Follow the upcoming steps to blast Victim's Windows OS password: type the command: chntpw -u <username> SAM
Note: <username> here is the name of user you noted in the above step. it will display different options before you. type 1 and hit enter type y and hit enter
Voola you busted Victim's password now turn off Kali and Open Victim's Windows OS without knowing His/Her Password. Bad Bad Bad... For More Info on chntpw type this in your terminal: man chntpw This will display Manual Page of chntpw... Happy Cracking... :) Don't forget to read the Disclaimer
YardStick One Unleashed, Automating RF Attacks In Python - An RFCat Primer
I decided to dive into our current device a bit more before moving on to a new device, and really ramp up the skillsets with RFCat and the Yardstick.So for this blog you will need our previous Target and a Yardstick One. We will be hacking everyting using only the Yardstick and Python.
So last time we scanned for signals with GQRX and a Software Defined Radio device. We took the demodulated wave forms in Audacity and discerned what the binary representation of our wave forms were by decoding them manually. We then transferred those into a hex format that our yardstick understood.However there is a way to do everything with our Yardstick. It will require a bit more understanding of the RFCat library, and a bit of python.
This blog will be your RFCAT primer and coding tutorial, but don't be scared with the word "Programming" I will be using simple code, nothing complicated.So if your a programmer, tune out any coding explanation and understand RFCat, if your not a coder, then use this as a jumping point to start making some quick python scripts for hacking.
Video Series PlayList Associated with this blog:
The first thing we did in our last blog after looking up the frequency was to open up GQRX and check if we can see our devices signals. As it turns out you can actually do this in python with RFCat. Which is really convenient if you left your Software Defined Radio dongle at home but happen to have access to a Yardstick.
RFCat as a Spectrum Analyzer:
In order to use RFCat as a spectrum analyzer we need to make sure we have RFcat installed and a few prerequisites such as python and PySide modules.I actually did this inside of an Ubuntu VMware because Pyside was giving me issues on OSX and I didn't feel like trying to fix it. So If you spin up an ubuntu vm you can do the following to get things up and running..
Install Spectrum Analyzer PreReqs:
sudo pip install PySide
sudo apt-get install ipython
Plug in your adapter and type in the following:
rfcat -r
d.specan(315000000)
You will then see the below output of RFCat Specan running in the 315 MHz range.
Click our doorbell, or trip the motion sensor and you will see a frequency spike as shown in the second picture.
This is similar to what you saw in GQRX but all with your Yardstick and the Python RFCat library.
So everything seems to be working and we can see our devices transmitting on the 315MHz frequency.Unfortunately we have no record button on Spescan. This leaves us to dive a little deeper into RFCat. We will see what RFCat can do for us in the recording and sniffing capacity.
Sniffing RF Data With The YardStick and Python:
In RFCat there is a simple listening command in our interactive session which will give us an idea of what is being transmitted and in what type of data format we are recieving. When using GQRX we received a WAV file, but what does RFCat give us?One thing I have realized over the years is programming is all about dealing with data in various formats and figuring out how to parse and use it in various implementations. So the first thing we have to figure out is what kind of data we are dealing with.
Lets hop back into RFCat and set a few parameters so the yardstick knows to listen on 315MHz and to use ASK modulation.The settings below should all be familiar from our last blog with an exception of "lowball" which configures the radio to use the lowest level of filtering. We basically want to see everything but may experience some noise by not filtering it out.. For example before you hit your doorbell button you may see random FF FF FF FF data outputted to the screen.
Below is the cmdline input needed and some example output. After all of our settings are in place we can use RF.listen() to start listening for everything in the 315000000 frequency range and have it output to the screen.
After you set it up, you can press the button on your doorbell and you will receive the following output. We have lots of zeros and what might be some hex output.
Destroy ficti0n$rfcat -r
>>> d.setFreq(315000000)
>>> d.setMdmModulation(MOD_ASK_OOK)
>>> d.setMdmDRate(4800)
>>> d.setMaxPower()
>>> d.lowball()
>>> d.RFlisten()
Entering RFlisten mode...packets arriving will be displayed on the screen
If you hit "ENTER" in your terminal you will stop receiving packets and drop back into a python interactive terminal. If we take a look at the repeating pattern in the above output, it looks like some random patterns and then a repeating pattern of, 84e708421084e738.If we convert that to binary we can compare with what we decoded WAV from our previous blog.
Since we are already in a python terminal you can type the following to see the binary representation:
Lets break that up into 8 bit bytes and compare it to our previous blogs binary, hmm its lot different then what we originally decoded the signal to be:
If we take the above capture data and format it correctly for RFcat with the replay code from the last blog. When we send it over, it does indeed ring the doorbell, thats interesting. A completely different value in both hex and in binary and still we get a doorbell to ring. So the variance we talked about last time extends a bit more. Below is the code with the new hex from the capture data:
I will also take a minute to note something before we continue. I had a little trouble at first when using a telescopic antenna in RFcat and the YardStick.So I will list those issues below as notes for you to play with if you run into random looking captures when pressing your doorbell button.
When using a telescopic antenna closed I had almost repeating output with some random bits flipped
When extending the antenna it went crazy output with random noise
I then used a small rubber ducky antenna and got the repeating output shown above.
What we have done so far:
So above, we managed to figure out the following all in RFCat
Verify the frequency with RFCat
How can I listen for it and capture a transmission with RFCat
How can I send this transmission with RFCat
We have basically eliminated the immediate need for the graphical tools that we were using in the last blog. Not to say that they are not useful. They absolutely are, and we should use them often and know how to work with all kinds of formats and understand everything.. However, if we are living in a reality that all we have is a Yardstick and no other tools. We are not helpless and we can still kick some serious RF butt.
Now we are going to take this a bit further so we can learn some more about RFCat, Python and mistakesI made when trying to automate this stuff. I found some interesting quirks I had to work through and I would like to save others some time who are also in the learning process as I am.
Using RFrecv() for Listening:
Ok first thing I learned is that RFListen() is not all that useful when it comes to automating this stuff. I tried to set its output to a variable but that did not seem to work.. So instead we will be working with another feature that lets us listen and that is RFrecv().If we fire up our RFCat in the terminal again we can give that a try:
Destroy:~ ficti0n$ rfcat -r
>>> d.setFreq(315000000)
>>> d.setMdmModulation(MOD_ASK_OOK)
>>> d.setMdmDRate(4800)
>>> d.setMaxPower()
>>> d.lowball()
>>> d.RFrecv()
Traceback (most recent call last):
File "", line 1, in
File "/Library/Python/2.7/site-packages/rflib/chipcon_nic.py", line 1376, in RFrecv
data = self.recv(APP_NIC, NIC_RECV, timeout)
File "/Library/Python/2.7/site-packages/rflib/chipcon_usb.py", line 664, in recv
raise(ChipconUsbTimeoutException())
ChipconUsbTimeoutException: Timeout waiting for USB response.
OK thats not cool we are getting a weird error if we don't get a signal right away regarding ChipconUsbTimeoutException.
No problem since we are in a python terminal we can just capture this exception and pass it, then continue with sniffing.This is done with a Try/Except block.
try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
...
That looks a little better, I am no longer receiving errors, but lets put this in a loop so we are continuously listening with RFrecv() and press our doorbell so we can capture our doorbell signal.Below is the output of a random signal that came in followed by our doorbell.. but its all kinds of crazy looking and a bit hard to read:
try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
...
while True:
... try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
Lets try to fix the output a little and make it more readable by encoding it before we view it. Open up your text editor and use the following code.What we are doing here is simply setting up our listener as we did before and then setting it to a variable we can use.
Line 12: Setting our RFrecv() output to the variable y and z. The y variable is the output that we want
Line 13: We will wrap the y variable with an encode function to encode it with a HEX encoding.
Line 14: After that we just print it out.
When we run this script from the command line we will get a much nicer output shown below, much like we did with the RFlisten function above. The big difference being that our data is now set to the variable "capture"on line 13 and we can do what we want with that data. For example we can directly replay that data rather then manually performing the actions.
Parsing and replaying data:
This actually took me a bit of time to figure out, so we need to do a few things to get this to work:
We need to parse out the data from the surrounding 0s
We need to convert it to a format we can send (tricker then it sounds)
We need to add padding and send that data over (We know how to do this already)
Parsing Data:
So with this I first tried all kinds of regular expressions, but for some reason the inverse of more then 3 zeros in a row does not seem to work. I am no regex master but that seemed like it should be working. I then tried a few creative solutions reducing repeating zeros down to pairs that I could split on with string functions. This actually worked well but then my buddy showed me this which was more efficient:
re.split ('0000*', capture)
All this is doing is using the regex library to parse on a set of 4 or more zerosand return whats left in a list of useable hex data for sending.So lets add that into our code and give it a try to see what we get back. I made the following code changes:
Line 2: Import the Regex library
Line 11: We defined the capture variable so we can access it outside of the Try Block and the loop
Line 21: We created a payloads variable and created a list from the capture file of non 0000 blocks
Line 22: We print out our list of useable payloads which can been seen in the below output
Data Format Woes:
So we have data in a list we can pull from, thats awesome but I ran into a few issues. I first tried to parse this data into the \x format we normally used when sending our attack payloads manually, but that actually does not work. Reason being that if I use a code snippet like the following to convert this data into the right format everything looks ok and something like this \x84\xe7\x08\x42\x10\x84\xe7.But it won't actually work when I send it with RFCat. For some reason when you paste in your own hex its in a different format then if you programmatically create hex like below. You don't really need to understand the code below, just know it takes our payload and creates the hex in a visual format to what we used in the last blog:
DON'T USE THIS.. IT WONT WORK!!!
for payload in payloads:
formatted = ""
if (len(payload) > 6) and (len(payload) % 2 == 0):
print "Currently being formatted: " + payload
iterator = iter(payload)
for i in iterator:
formatted += ('\\x'+i + next(iterator))
else:
continue
Formatted Hex Vs Manually Pasted Hex
So lets compare the outputs of our manually created Hex String versus what we get when we format with the above code
Below is the output of the following:
Your encoded capture
Your parsed payloads in a nice list
Your payload being processed into hex.
But this is where things go wrong, you then have :
Your nicely formatted Hex created by your code above (Yay for us)
Then you have your manually pasted in hex from your original attack payloads as unprintable characters(What?)
You can clearly see there is a major difference between when we manually paste in our hex like we did in the last blog and when we create it from our capture file.This led to another sleepless night of researching whats going on. I did a bunch of troubleshooting until I found some code on the RFcat site and saw it using the BitString library and something called BitArray.The examples for this library were using binary data instead of hex and then converting it.
BitString BitArray Formating FTW:
If you remember above we created binary input with some python, so lets use that code in our current program template and then feed it into byteArray and see what happens. We can install bitstring with the following:
Install Bitstring:
sudo pip install bitstring
Our New code using BitString:
Line 2: I imported bitstring
Line 25: I added a for loop to go through our payload list one by one
Line 27: I convert our current payload to binary
Line 28: I take that binary and I feed it into bitstring to fix the formatting issues
Lines 29-30:Print out our binary and our new data that match our manually pasted data format, shown below
With these conversions the data above looks like its correct to attack our target devices. I know this seems like a lot of steps, but honestly this is only 50 lines of code in all to automate our replay attacks in a simple way.It is also very easy if you know what your doing and don't spend all of your time figuring it out like I did. You just need to understand how to work with the types of data each component understands.
With this latest code update we are ready to send our code with a simple modification to our RFxmit line from the last blog. We will now change RXxmit to take our formatted variable and then append our padding:
Below is our full code to automate this attack, with a few changeups, but not many.. Really all I did was add some conditional statements to limit our data to longer payloads that are divisible by 2 since our hex takes 2 string characters for example \x41 is the string character 4 and 1.I originally did this for the iterator code which required the proper amount of characters but decided to leave it since it makes sense anyway.I also set it so that if there is a capture it breaks out of the loop. This way we are not continuously attacking every transmission we see. Instead for our testing we can hit our doorbell, replay all the values before our script finishes and exits.
Note: I sent similar code to a friend and had him run it against a black box real world target. He had permission to attack this target via the owner of a facility and it worked flawlessly. So although a doorbell is a trivial target. This same research applies to garages, gates, and any other signal not using protection mechanism such as rolling code, multiple frequencies at once etc.
Also note that when you run this, almost all of the payloads in your list will ring the doorbell which is why I put a timing variable before the sending command. This way your doorbell isn't overburdened. I already broke a few of these devices during testing LOL.
I have since modified this code to be more effective, and have additional features and more niceties, I will release that code when its ready.. For now enjoy the below code and hit me up with any questions or comments.
I hope this blog is helpful in demystifying RFCat in order to successfully perform/automate attacks with only Python and your Yardstick One. This is essentially a few nights of my research posted here for everyone to learn from. Because it was a pain to find useful information, and I would like to save other people a lot of sleepless nights. I am by no means the master of RF or RFCat, there is tons more to learn. Up next I will get back on track with a real world attack against a device and creating our own keyfobs to replay our attacks in the future.
Kiwi-Arts was founded after a long journey of visions.
One morning I awoke with a strong urge to experience paint. I wanted to feel the paint in my hands, I wanted to touch the brushes, and I wanted to mix colors all day long. I loved the feeling of paint on different surfaces. I developed a desire to apply paint, and scrape it off again, only to continue this process as visions began to reveal themselves. I studied art/painting at Spurill Art Center for the Arts in Atlanta Georgia under the direction of Chery Baird and started to fulfill my desires of freedom.
My paintings are painted by seeing beyond the image itself, and my desire to express freedom. All of my paintings are a spiritual journey and my hope is that my audience is able to feel this journey as they view my pieces.
My goal is to inspire others through my passion for life. My wish for you is to find peace within yourself, and that you listen to the small voice that is within us all. Share positive energy, and fuel others by it. Do not hold onto negative feelings, and express yourself through your given talents.
.jpg)
Posts
