Subover is a Hostile Subdomain Takeover tool designed in Python. From start, it has been aimed with speed and efficiency in mind. Till date, SubOver detects 36 services which is much more than any other tool out there. The tool is multithreaded and hence delivers good speed. It can easily detect and report potential subdomain takeovers that exist. The list of potentially hijackable services is very comprehensive and it is what makes this tool so powerful.
Installing You need to have Python 2.7 installed on your machine. The following additional requirements are required -
-l subdomains.txt is the list of target subdomains. These can be discovered using various tool such as sublist3r or others.
-o output_takeovers.txtis the name of the output file. (Optional & Currently not very well formatted)
-t 20 is the default number of threads that SubOver will use. (Optional)
-V is the switch for showing verbose output. (Optional, Default=False)
Currently Checked Services
Github
Heroku
Unbounce
Tumblr
Shopify
Instapage
Desk
Tictail
Campaignmonitor
Cargocollective
Statuspage
Amazonaws
Cloudfront
Bitbucket
Squarespace
Smartling
Acquia
Fastly
Pantheon
Zendesk
Uservoice
WPEngine
Ghost
Freshdesk
Pingdom
Tilda
Wordpress
Teamwork
Helpjuice
Helpscout
Cargo
Feedpress
Freshdesk
Surge
Surveygizmo
Mashery
Count : 36 FAQ Q: What should my wordlist look like? A: Your wordlist should include a list of subdomains you're checking and should look something like:
Hack The Box (HTB) is a free platform available to ethical hackers to do a penetration testing for ethical hacking projects. It consist of different type of challenges that are updated constantly. Some of the challenges related to the real world scenarios and rest of the challenges related to learning towards a CTF style of challenges. Before joining to HTB, there is a simple task for you to prove your skills after that you'll able to create an account, and then you'll be able to access to your HTB Lab, where several challenges await for you to hack them. That's the beginning step for all of us to joining this. If you got success while hacking then you'll get points.
Task For Joining The HTB
Before joining the HTB, there is a task to hack invite code and paste that code in the code box for further registration to your account. You can complete a simple challenge to prove your skills, if you don't hack that then here is a short video below this content about hacking the invite code. Watch the video and hack the code!
In this Video you'll learn about How to join Hack the box (HTB) in Kali Linux and other Linux Distributions.
The topic of DEATH is not one that most people care to talk about, but the truth is that we are all going to die at some point and everything that we did online is going to end up in limbo if we don't make sure that someone we trust is going to be able to gain access to this information. This is going to be extremely important in order to close it down, or have your loved one do whatever you want them to do with your information. There are many things to take into consideration for this kind of situation. If you are like the average modern person, you probably have at least one email account, a couple of social media accounts in places like Facebook and Twitter. Perhaps you also have a website that you run or a blog. These are all very common things that people will usually do at some point and if you have anything that you consider valuable, you should have a way to leave it in the hands of someone you trust when you pass away.
Pass Accounts and Passwords After Death
Maybe you have an online platform that has a lot of content that you find useful and important. Perhaps you have even been able to turn some of that content into monetizable material and you don't want this to end when you pass away. This is more than enough of a reason to make sure that your information can be given to someone when you are no longer around.
There have been many cases when all the information has ended up being impossible to recover when a person has died, at least not without the need for the family members to do all kinds of things in order to prove a person is deceased. So here are some ways, you can passyour online accounts/data after death:
1) Making a Safe 'WILL' (or Locker) containing master password.
Make an inventory of all your online accounts and list them on a piece of paper one by one and give it to your loved one. For eg:– Your primary email address – Your Facebook ID/email – The Bank account or Internet banking ID – etc. To clarify, it will be only a list of the accounts you want your loved one to be able to access after you're dead. Just the list of accounts, nothing else (no passwords).
Set up a brand new e-mail address (Possibly Gmail account). Lets say youraccountsinfo@gmail.com
Now from your usual email account, Send an e-mail to youraccountsinfo@gmail.com, with the following content:– dd349r4yt9dfj – sd456pu3t9p4 – s2398sds4938523540 – djfsf4p These are, of course, the passwords and account numbers that you want your loved one to have once you're dead.
Tell your loved one that you did these things, and while you're at it, send him/her an e-mail from youraccountsinfo@gmail.com, so he/she will have the address handy in some special folder in his/her inbox.
Put the password for youraccountsinfo@gmail.com in your will or write it down on paper and keep it safe in your bank locker. Don't include the e-mail address as well, just put something like "The password is: loveyourhoney432d".
And its done! Your loved one will only have the password once you're dead, and the info is also secure, since it's split in two places that cannot be easily connected, so if the e-mail address happens to be hacked, the perpetrator won't be able to use it to steal anything that you're going to leave for your loved one.
2) Preparing a Future email (SWITCH) containing login information
This method is very similar to the first one except in this case we will not be using a WILL or Locker. Instead we will be using a Service called "Dead Mans Switch" that creates a switch (Future email) and sends it to your recipients after a particular time interval. Here is how it works.
Create a list of accounts as discussed in the first method and give it to your loved one.
Register on "Dead mans switch" and create a switch containing all the corresponding passwords and enter the recipients email (Your loved one).
Your switch will email you every so often, asking you to show that you are fine by clicking a link. If something happens to you, your switch would then send the email you wrote to the recipient you specified. Sort of an "electronic will", one could say.
3) Using password managers that have emergency access feature
Password managers like LastPass and Dashlane have a feature called as "emergency access". It functions as a dead man's switch. You just have to add your loved one to your password manager, with emergency access rights. he/She does not see any of your information, nor can he/she log into your accounts normally.
But if the worst happens, your loved one can invoke the emergency access option. Next your password manager sends an email to you and starts a timer. If, after a certain amount of time interval, you have not refused the request, then your loved one gets full access to your password manager.
You can always decide what they can potentially gain access to, and you set the time delay.
Why should i bother about passing my digital legacy?
Of all the major online platforms, only Google and Facebook have provisions for Inactiveaccounts (in case of death). Google lets you plan for the inevitable ahead of time. Using the "Inactive Account Manager", you can designate a beneficiary who will inherit access to any or all of your Google accounts after a specified period of inactivity (the default is 3 months).
Facebook on the other hand will either delete your inactive account or turn it into a memorial page when their family can provide any proof of their death, but there is also a large number of platforms that don't have any specific way for people to be able to verify the death of a loved one in order to gain access to the accounts. In either case, you wouldn't want your family to have to suffer through any hassles and complications after you have passed away.
You should also consider the importance of being able to allow your loved ones to collect all the data you left behind. This means photos and experiences that can be used to show other generations the way that you lived and the kind of things you enjoyed doing.
Those memories are now easier to keep and the best photos can be downloaded for the purpose of printing them for photo albums or frames. Allowing them to have the chance to do this in a practical way is going to be a great gesture and securing any profitable information is going to be essential if you want a business or idea to keep moving forward with the help of those you trust.
This is the reason why you need to be able to pass your online account information after death, but no one wants to give access to this kind of information to their loved ones because it's of a private nature and we would feel uneasy knowing that others can access our private conversations or message.
The Live HTML Editor program lets you write your HTML pages while viewing dynamically what changes are happening to your HTML page. The main purpose of this tool is to help HTML learners learn HTML quickly and easily while keeping an eye on what they are doing with their HTML page. It also helps developers in writing quick HTML lines to see how it will affect their HTML page.
This program can also help you visualize your inline and embedded CSS styles on fly. You can apply CSS styles and see them dynamically change the look and feel of your HTML page. Developers can test different inline and embedded CSS styles to make sure what will look good on their website.
Some of the features of this program are:
Live HTML preview of whatever HTML you type.
Supports HTML Syntax Highlighting.
Supports opening an HTML file and Live Preview editing of that file.
Supports Saving files.
Support for inline and embedded CSS.
However this program does not support Javascript and it also doesn't support separate CSS files. This program is still in development phase and we might see support for Javascript and separate CSS files in the future.
If you are a student and want to learn HTML without having to install a bulky software that takes a lot of time to open and function, then this is a good option. The Live HTML Editor is Free and Opensource project and has been written in Python with QT interface you can check out source from sourceforge.
In android there is lots of personal data that can be accessed by any unauthorized apps that were installed on the device. This is just because your Android data is openly saved in your file explorer that is not encrypted or protected by encryption method, so, even normal app can also hijack your data very easily as the media access permissions are granted when you click on accept button while installing the apps. And this may be endangering the private data that you might not want to share with anyone. So here we have a cool way that will help you to make your data private by disallowing the apps to access your media files without your permission. So have a look on complete guide discussed below to proceed.
How To Protect Your Private Data From Android Apps
The method is quite simple and just need a rooted android device that will allow the Xposed installer to run on the device. And after having the Xposed installer you will be using an Xposed module to disallow the apps to have access to your personal or say private data. For this follow the guide below.
Steps To Protect Your Private Data From Android Apps:
Step 1. First of all, you need a rooted android as Xposed installer can only be installed on a rooted android, so Root your android to proceed for having superuser access on your android.
Step 2. After rooting your Android device you have to install the Xposed installer on your android and thats quite lengthy process and for that, you can proceed with our Guide to Install Xposed Installer On Android.
Step 3. Now after having an Xposed framework on your Android the only thing you need is the Xposed module that is DonkeyGuard – Security Management the app that will allow you to manage the media access for apps installed on your device.
Step 4. Now install the app on your device and after that, you need to activate the module in the Xposed installer. Now you need to reboot your device to make the module work perfectly on your device.
Step 5. Now launch the app and you will see all the apps that are currently installed on your device.
Step 6. Now edit the media permission for the apps that you don't want to have access to your media with private data.
That's it, you are done! now the app will disallow the media access to that apps.
Manually Checking App Permission
Well, our Android operating system offers a nice feature in which we can manage a single app's permission. However, you need to have Android 6.0 Marshmallow or a newer version to get the option.
Step 1. First of all, open Settings and then tap on 'Apps'.
Manually Checking App Permission
Step 2. Now you will see the list of apps that are currently installed on your Android smartphone. Now you need to select the app, and then you will see 'Permissions.'
Manually Checking App Permission
Step 3. Now it will open a new window, which will show you all permissions that you have granted to the app like Camera access, contacts, Location, microphone, etc. You can revoke any permissions as per your wish.
Manually Checking App Permission
Well, the same thing you need to perform if you feel that you have installed some suspicious app on your Android. By this way, you can protect your private data from Android apps.
How do I get started with bug bounty hunting? How do I improve my skills?
These are some simple steps that every bug bounty hunter can use to get started and improve their skills:
Learn to make it; then break it! A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.
Read books. Lots of books. One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".
Join discussions and ask questions. As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.
Participate in open source projects; learn to code. Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.
Help others. If you can teach it, you have mastered it. Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.
Smile when you get feedback and use it to your advantage. The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.
Learn to approach a target. The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.
A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe." As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.
NanoCore is one of the most powerful RATs ever created. It is capable of taking complete control of a victim's machine. It allows a user to control the system with a Graphical User Interface (GUI). It has many features which allow a user to access remote computer as an administrator. Download nanocore rat 1.2.2.0 cracked version free of cost.
NanoCore's developer was arrested by FBI and pleaded guilty in 2017 for developing such a malicious privacy threat, and sentenced 33 months in prison.
FEATURES
Complete Stealth Remote Control
Recover Passwords from the Victim Device
Manage Networks
Manage Files
Surveillance
Plugins (To take it to the next level)
Many advanced features like SCRIPTING
DOWNLOAD NANOCORE RAT 1.2.2.0 CRACKED – REMOTE ADMINISTRATION TOOL
Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!
This Post is for the people that:
Have No Experience With Cybersecurity (Ethical Hacking)
Have Limited Experience.
Those That Just Can't Get A Break
OK, let's dive into the post and suggest some ways that you can get ahead in Cybersecurity.
I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. Its time to change the color of your hat 😀
I've had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have.
If you have no experience don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.OK, so you have zero experience and limited skills…my advice in this instance is that you teach yourself some absolute fundamentals.
Let's get this party started.
What is hacking?
Hacking is identifying weakness and vulnerabilities of some system and gaining access with it.
Hacker gets unauthorized access by targeting system while ethical hacker have an official permission in a lawful and legitimate manner to assess the security posture of a target system(s)
There's some types of hackers, a bit of "terminology". White hat — ethical hacker. Black hat — classical hacker, get unauthorized access. Grey hat — person who gets unauthorized access but reveals the weaknesses to the company. Script kiddie — person with no technical skills just used pre-made tools. Hacktivist — person who hacks for some idea and leaves some messages. For example strike against copyright.
YardStick One Unleashed, Automating RF Attacks In Python - An RFCat Primer
I decided to dive into our current device a bit more before moving on to a new device, and really ramp up the skillsets with RFCat and the Yardstick.So for this blog you will need our previous Target and a Yardstick One. We will be hacking everyting using only the Yardstick and Python.
So last time we scanned for signals with GQRX and a Software Defined Radio device. We took the demodulated wave forms in Audacity and discerned what the binary representation of our wave forms were by decoding them manually. We then transferred those into a hex format that our yardstick understood.However there is a way to do everything with our Yardstick. It will require a bit more understanding of the RFCat library, and a bit of python.
This blog will be your RFCAT primer and coding tutorial, but don't be scared with the word "Programming" I will be using simple code, nothing complicated.So if your a programmer, tune out any coding explanation and understand RFCat, if your not a coder, then use this as a jumping point to start making some quick python scripts for hacking.
Video Series PlayList Associated with this blog:
The first thing we did in our last blog after looking up the frequency was to open up GQRX and check if we can see our devices signals. As it turns out you can actually do this in python with RFCat. Which is really convenient if you left your Software Defined Radio dongle at home but happen to have access to a Yardstick.
RFCat as a Spectrum Analyzer:
In order to use RFCat as a spectrum analyzer we need to make sure we have RFcat installed and a few prerequisites such as python and PySide modules.I actually did this inside of an Ubuntu VMware because Pyside was giving me issues on OSX and I didn't feel like trying to fix it. So If you spin up an ubuntu vm you can do the following to get things up and running..
Install Spectrum Analyzer PreReqs:
sudo pip install PySide
sudo apt-get install ipython
Plug in your adapter and type in the following:
rfcat -r
d.specan(315000000)
You will then see the below output of RFCat Specan running in the 315 MHz range.
Click our doorbell, or trip the motion sensor and you will see a frequency spike as shown in the second picture.
This is similar to what you saw in GQRX but all with your Yardstick and the Python RFCat library.
So everything seems to be working and we can see our devices transmitting on the 315MHz frequency.Unfortunately we have no record button on Spescan. This leaves us to dive a little deeper into RFCat. We will see what RFCat can do for us in the recording and sniffing capacity.
Sniffing RF Data With The YardStick and Python:
In RFCat there is a simple listening command in our interactive session which will give us an idea of what is being transmitted and in what type of data format we are recieving. When using GQRX we received a WAV file, but what does RFCat give us?One thing I have realized over the years is programming is all about dealing with data in various formats and figuring out how to parse and use it in various implementations. So the first thing we have to figure out is what kind of data we are dealing with.
Lets hop back into RFCat and set a few parameters so the yardstick knows to listen on 315MHz and to use ASK modulation.The settings below should all be familiar from our last blog with an exception of "lowball" which configures the radio to use the lowest level of filtering. We basically want to see everything but may experience some noise by not filtering it out.. For example before you hit your doorbell button you may see random FF FF FF FF data outputted to the screen.
Below is the cmdline input needed and some example output. After all of our settings are in place we can use RF.listen() to start listening for everything in the 315000000 frequency range and have it output to the screen.
After you set it up, you can press the button on your doorbell and you will receive the following output. We have lots of zeros and what might be some hex output.
Destroy ficti0n$rfcat -r
>>> d.setFreq(315000000)
>>> d.setMdmModulation(MOD_ASK_OOK)
>>> d.setMdmDRate(4800)
>>> d.setMaxPower()
>>> d.lowball()
>>> d.RFlisten()
Entering RFlisten mode...packets arriving will be displayed on the screen
If you hit "ENTER" in your terminal you will stop receiving packets and drop back into a python interactive terminal. If we take a look at the repeating pattern in the above output, it looks like some random patterns and then a repeating pattern of, 84e708421084e738.If we convert that to binary we can compare with what we decoded WAV from our previous blog.
Since we are already in a python terminal you can type the following to see the binary representation:
Lets break that up into 8 bit bytes and compare it to our previous blogs binary, hmm its lot different then what we originally decoded the signal to be:
If we take the above capture data and format it correctly for RFcat with the replay code from the last blog. When we send it over, it does indeed ring the doorbell, thats interesting. A completely different value in both hex and in binary and still we get a doorbell to ring. So the variance we talked about last time extends a bit more. Below is the code with the new hex from the capture data:
I will also take a minute to note something before we continue. I had a little trouble at first when using a telescopic antenna in RFcat and the YardStick.So I will list those issues below as notes for you to play with if you run into random looking captures when pressing your doorbell button.
When using a telescopic antenna closed I had almost repeating output with some random bits flipped
When extending the antenna it went crazy output with random noise
I then used a small rubber ducky antenna and got the repeating output shown above.
What we have done so far:
So above, we managed to figure out the following all in RFCat
Verify the frequency with RFCat
How can I listen for it and capture a transmission with RFCat
How can I send this transmission with RFCat
We have basically eliminated the immediate need for the graphical tools that we were using in the last blog. Not to say that they are not useful. They absolutely are, and we should use them often and know how to work with all kinds of formats and understand everything.. However, if we are living in a reality that all we have is a Yardstick and no other tools. We are not helpless and we can still kick some serious RF butt.
Now we are going to take this a bit further so we can learn some more about RFCat, Python and mistakesI made when trying to automate this stuff. I found some interesting quirks I had to work through and I would like to save others some time who are also in the learning process as I am.
Using RFrecv() for Listening:
Ok first thing I learned is that RFListen() is not all that useful when it comes to automating this stuff. I tried to set its output to a variable but that did not seem to work.. So instead we will be working with another feature that lets us listen and that is RFrecv().If we fire up our RFCat in the terminal again we can give that a try:
Destroy:~ ficti0n$ rfcat -r
>>> d.setFreq(315000000)
>>> d.setMdmModulation(MOD_ASK_OOK)
>>> d.setMdmDRate(4800)
>>> d.setMaxPower()
>>> d.lowball()
>>> d.RFrecv()
Traceback (most recent call last):
File "", line 1, in
File "/Library/Python/2.7/site-packages/rflib/chipcon_nic.py", line 1376, in RFrecv
data = self.recv(APP_NIC, NIC_RECV, timeout)
File "/Library/Python/2.7/site-packages/rflib/chipcon_usb.py", line 664, in recv
raise(ChipconUsbTimeoutException())
ChipconUsbTimeoutException: Timeout waiting for USB response.
OK thats not cool we are getting a weird error if we don't get a signal right away regarding ChipconUsbTimeoutException.
No problem since we are in a python terminal we can just capture this exception and pass it, then continue with sniffing.This is done with a Try/Except block.
try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
...
That looks a little better, I am no longer receiving errors, but lets put this in a loop so we are continuously listening with RFrecv() and press our doorbell so we can capture our doorbell signal.Below is the output of a random signal that came in followed by our doorbell.. but its all kinds of crazy looking and a bit hard to read:
try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
...
while True:
... try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
Lets try to fix the output a little and make it more readable by encoding it before we view it. Open up your text editor and use the following code.What we are doing here is simply setting up our listener as we did before and then setting it to a variable we can use.
Line 12: Setting our RFrecv() output to the variable y and z. The y variable is the output that we want
Line 13: We will wrap the y variable with an encode function to encode it with a HEX encoding.
Line 14: After that we just print it out.
When we run this script from the command line we will get a much nicer output shown below, much like we did with the RFlisten function above. The big difference being that our data is now set to the variable "capture"on line 13 and we can do what we want with that data. For example we can directly replay that data rather then manually performing the actions.
Parsing and replaying data:
This actually took me a bit of time to figure out, so we need to do a few things to get this to work:
We need to parse out the data from the surrounding 0s
We need to convert it to a format we can send (tricker then it sounds)
We need to add padding and send that data over (We know how to do this already)
Parsing Data:
So with this I first tried all kinds of regular expressions, but for some reason the inverse of more then 3 zeros in a row does not seem to work. I am no regex master but that seemed like it should be working. I then tried a few creative solutions reducing repeating zeros down to pairs that I could split on with string functions. This actually worked well but then my buddy showed me this which was more efficient:
re.split ('0000*', capture)
All this is doing is using the regex library to parse on a set of 4 or more zerosand return whats left in a list of useable hex data for sending.So lets add that into our code and give it a try to see what we get back. I made the following code changes:
Line 2: Import the Regex library
Line 11: We defined the capture variable so we can access it outside of the Try Block and the loop
Line 21: We created a payloads variable and created a list from the capture file of non 0000 blocks
Line 22: We print out our list of useable payloads which can been seen in the below output
Data Format Woes:
So we have data in a list we can pull from, thats awesome but I ran into a few issues. I first tried to parse this data into the \x format we normally used when sending our attack payloads manually, but that actually does not work. Reason being that if I use a code snippet like the following to convert this data into the right format everything looks ok and something like this \x84\xe7\x08\x42\x10\x84\xe7.But it won't actually work when I send it with RFCat. For some reason when you paste in your own hex its in a different format then if you programmatically create hex like below. You don't really need to understand the code below, just know it takes our payload and creates the hex in a visual format to what we used in the last blog:
DON'T USE THIS.. IT WONT WORK!!!
for payload in payloads:
formatted = ""
if (len(payload) > 6) and (len(payload) % 2 == 0):
print "Currently being formatted: " + payload
iterator = iter(payload)
for i in iterator:
formatted += ('\\x'+i + next(iterator))
else:
continue
Formatted Hex Vs Manually Pasted Hex
So lets compare the outputs of our manually created Hex String versus what we get when we format with the above code
Below is the output of the following:
Your encoded capture
Your parsed payloads in a nice list
Your payload being processed into hex.
But this is where things go wrong, you then have :
Your nicely formatted Hex created by your code above (Yay for us)
Then you have your manually pasted in hex from your original attack payloads as unprintable characters(What?)
You can clearly see there is a major difference between when we manually paste in our hex like we did in the last blog and when we create it from our capture file.This led to another sleepless night of researching whats going on. I did a bunch of troubleshooting until I found some code on the RFcat site and saw it using the BitString library and something called BitArray.The examples for this library were using binary data instead of hex and then converting it.
BitString BitArray Formating FTW:
If you remember above we created binary input with some python, so lets use that code in our current program template and then feed it into byteArray and see what happens. We can install bitstring with the following:
Install Bitstring:
sudo pip install bitstring
Our New code using BitString:
Line 2: I imported bitstring
Line 25: I added a for loop to go through our payload list one by one
Line 27: I convert our current payload to binary
Line 28: I take that binary and I feed it into bitstring to fix the formatting issues
Lines 29-30:Print out our binary and our new data that match our manually pasted data format, shown below
With these conversions the data above looks like its correct to attack our target devices. I know this seems like a lot of steps, but honestly this is only 50 lines of code in all to automate our replay attacks in a simple way.It is also very easy if you know what your doing and don't spend all of your time figuring it out like I did. You just need to understand how to work with the types of data each component understands.
With this latest code update we are ready to send our code with a simple modification to our RFxmit line from the last blog. We will now change RXxmit to take our formatted variable and then append our padding:
Below is our full code to automate this attack, with a few changeups, but not many.. Really all I did was add some conditional statements to limit our data to longer payloads that are divisible by 2 since our hex takes 2 string characters for example \x41 is the string character 4 and 1.I originally did this for the iterator code which required the proper amount of characters but decided to leave it since it makes sense anyway.I also set it so that if there is a capture it breaks out of the loop. This way we are not continuously attacking every transmission we see. Instead for our testing we can hit our doorbell, replay all the values before our script finishes and exits.
Note: I sent similar code to a friend and had him run it against a black box real world target. He had permission to attack this target via the owner of a facility and it worked flawlessly. So although a doorbell is a trivial target. This same research applies to garages, gates, and any other signal not using protection mechanism such as rolling code, multiple frequencies at once etc.
Also note that when you run this, almost all of the payloads in your list will ring the doorbell which is why I put a timing variable before the sending command. This way your doorbell isn't overburdened. I already broke a few of these devices during testing LOL.
I have since modified this code to be more effective, and have additional features and more niceties, I will release that code when its ready.. For now enjoy the below code and hit me up with any questions or comments.
I hope this blog is helpful in demystifying RFCat in order to successfully perform/automate attacks with only Python and your Yardstick One. This is essentially a few nights of my research posted here for everyone to learn from. Because it was a pain to find useful information, and I would like to save other people a lot of sleepless nights. I am by no means the master of RF or RFCat, there is tons more to learn. Up next I will get back on track with a real world attack against a device and creating our own keyfobs to replay our attacks in the future.
