Tech Star

Scanning & Enumeration: Step 1. Scanning Hosts

Posted by Kulani Mahadewa on March 22, 2021
Posted in: Ethical Hacking. Tagged: address resolution protocol, ARP, arp-scan, detect vulnerable host, enumeration, Ethical Hacking, netdiscover, network discovery, nmap, pro, scanning, vmware, workstation.

Hi! 🙂 Today we are going to learn about tools on Kali Linux that scan a network to detect potentially vulnerable hosts and their open ports. The assumption here is that the hacker already has access to the network of the vulnerable host. The technique used here relies on the Address Resolution Protocol (ARP), which hosts use to find other hosts/devices in the same network when joining a network.

Disclaimer: Ethical hacking should always be performed on services that grant permission to do so; otherwise it causes legal issues and costs you. Generally, ethical hacking is performed to find vulnerabilities in a service on behalf of its owner or an authorized party.

Setup:

I’m using VMware Workstation Pro on my Windows machine to run two VMs (a vulnerable Linux machine and a Kali Linux host). The advantage of the Pro version is that both VMs can run, and be interacted with, at the same time. Both hosts are in the same network; the network adapter is set to NAT for both VMs.

Objectives:

In ethical hacking, the step after passive reconnaissance of the target is scanning and enumeration. Scanning is done to detect vulnerable hosts in the network and to gather information about them, such as host IP, open ports, OS version and fingerprinting.

Vulnerable Host:

We are using a Kioptrix VM as the vulnerable host. In this analysis we already know which host in the network is the vulnerable one, so for verification let’s first check the actual IP of the vulnerable host. Since this host does not run all commands, we use ping to find its IP.

ping 8.8.8.8

Press Ctrl+C to stop pinging. In the results we can observe that the PING is from host 192.168.5.129, which is the IP of this machine.

Scanning using Network ARP-SCAN:

ARP stands for Address Resolution Protocol. Discovery is done by broadcasting ARP requests to the hosts in the local network; this is exactly what the arp-scan command does to find hosts in the network.

Command: arp-scan -l or arp-scan --localnet (generates the target addresses from the network interface configuration)
The IP (192.168.5.129) and MAC address of the vulnerable host are detected in the results.

Scanning using Netdiscover:

netdiscover is another tool on Kali Linux that can be used to scan the network for live hosts. It also works by broadcasting ARP packets to the local network. Its -r option specifies the range of IP addresses to scan. To detect all hosts in a network, specify the range in CIDR notation (network ID, e.g., 192.168.5.0, followed by the subnet length).

Command: netdiscover -r 192.168.5.0/24
The IP (192.168.5.129) and MAC address of the vulnerable host are detected in the results.

Now that we have detected the IP address of the vulnerable host, we can gather more information about this host using Nmap.

Scanning with Nmap:

With Nmap we can obtain information about hosts in the same network such as open ports, service/version info and OS detection. The command takes the form nmap <timing: -T4 is the default choice here; -T5 could be too fast and miss some info> <port range> <what information to scan for> <target IP>

Command: nmap -T4 -p- -A 192.168.5.129
(-p- means scan all the ports from 0 to 65535; -A means scan everything)
Command: nmap -T4 -A 192.168.5.129
(not specifying a port range scans the top 1000 ports, with all information)
Command: nmap -T4 -p 80 -A 192.168.5.129
(scan a specific port or a few ports)

The results of the first command, which scans all ports and gathers all information:

┌──(kali㉿kali)-[~]
└─$ nmap -T4 -p- -A 192.168.5.129
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-21 15:28 EDT
Nmap scan report for 192.168.5.129 (192.168.5.129)
Host is up (0.0043s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
| ssh-hostkey:
|   1024 b8:74:6c:db:fd:8b:e6:66:e9:2a:2b:df:5e:6f:64:86 (RSA1)
|   1024 8f:8e:5b:81:ed:21:ab:c1:80:e1:57:a3:3c:85:c4:71 (DSA)
|_  1024 ed:4e:a9:4a:06:14:ff:15:14:ce:da:3a:80:db:e2:81 (RSA)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2          111/tcp     rpcbind
|   100000  2          111/udp     rpcbind
|   100024  1          32768/tcp   status
|_  100024  1          32768/udp   status
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=–
| Not valid before: 2009-09-26T09:32:06
|_Not valid after:  2010-09-26T09:32:06
|_ssl-date: 2021-03-22T08:29:50+00:00; +13h00m15s from scanner time.
| sslv2:
|   SSLv2 supported
|   ciphers:
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|     SSL2_RC4_128_WITH_MD5
|_    SSL2_RC4_64_WITH_MD5
32768/tcp open  status      1 (RPC #100024)

Host script results:
|_clock-skew: 13h00m14s
|_nbstat: NetBIOS name: KIOPTRIX, NetBIOS user: , NetBIOS MAC: (unknown)
|_smb2-time: Protocol negotiation failed (SMB2)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.13 seconds

Based on the results, we have discovered the open ports of the vulnerable machine: 22, 80, 443, 139, 111 and 32768.
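Reading a long -A report by eye is error-prone, so here is an added Python example (not part of the post) that parses normal nmap output into a per-port structure and flags the legacy findings visible above (SSHv1, SSLv2, the TRACE method and an expired certificate). The embedded input is a constructed, abridged copy of the scan output shown in this post.

```python
import re
from datetime import date

# Constructed, abridged excerpt of the post's "nmap -T4 -p- -A 192.168.5.129" output.
NMAP_OUTPUT = """\
Nmap scan report for 192.168.5.129 (192.168.5.129)
Host is up (0.0043s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)
|_sshv1: Server supports SSHv1
80/tcp    open  http        Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_  Potentially risky methods: TRACE
111/tcp   open  rpcbind     2 (RPC #100000)
139/tcp   open  netbios-ssn Samba smbd (workgroup: MYGROUP)
443/tcp   open  ssl/https   Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_Not valid after:  2010-09-26T09:32:06
| sslv2:
|   SSLv2 supported
32768/tcp open  status      1 (RPC #100024)
"""

# "22/tcp    open  ssh         OpenSSH 2.9p2 (protocol 1.99)"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# NSE script output that indicates legacy or risky configuration.
RISK_PATTERNS = {
    "sshv1": re.compile(r"Server supports SSHv1"),
    "sslv2": re.compile(r"SSLv2 supported"),
    "http-trace": re.compile(r"Potentially risky methods:.*\bTRACE\b"),
}
CERT_EXPIRY = re.compile(r"Not valid after:\s+(\d{4}-\d{2}-\d{2})")


def parse_nmap(text):
    """Parse normal nmap output into {port: info}; NSE lines are kept under their port."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"proto": m.group(2), "state": m.group(3),
                              "service": m.group(4), "version": m.group(5).strip(),
                              "script": []}
        elif line.startswith("|") and current is not None:
            # strip the "| ", "|_ " prefixes that nmap uses for script output
            ports[current]["script"].append(line.lstrip("|_ ").rstrip())
    return ports


def open_ports(ports):
    return sorted(p for p, info in ports.items() if info["state"] == "open")


def risky_findings(ports, today=None):
    """Return sorted (port, tag) pairs for script output matching a risk pattern."""
    today = today or date.today()
    findings = set()
    for port, info in ports.items():
        for line in info["script"]:
            for tag, pat in RISK_PATTERNS.items():
                if pat.search(line):
                    findings.add((port, tag))
            m = CERT_EXPIRY.search(line)
            if m and date.fromisoformat(m.group(1)) < today:
                findings.add((port, "expired-cert"))
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_nmap(NMAP_OUTPUT)
    print("open ports:", open_ports(parsed))
    for port, tag in risky_findings(parsed):
        print(f"port {port}: {tag}")
```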

Cheers ! 🙂


Tools for Passive Reconnaissance on Kali

Posted by Kulani Mahadewa on March 16, 2021
Posted in: Getting Started with Android.

Hi 🙂

Disclaimer: Ethical hacking should always be performed on services that grant permission to do so; otherwise it causes legal issues and costs you. Generally, ethical hacking is performed to find vulnerabilities in a service on behalf of its owner or an authorized party.

To perform ethical hacking on a service that welcomes it, the first step is to gather information about the service. In particular, passive reconnaissance is the process of gathering information about a target service such as a web application. This could include personal or social information such as

  • textual data: name, email, phone number, and job information
  • image data: computer and desk at the office/home (could leak applications/tools used by a target person)

or location information (mostly physical).

Following are some tools that can be used on Kali Linux for passive reconnaissance.

  • theHarvester (built-in to Kali)

For a given domain, it searches for information in sources such as Google, Twitter and Yahoo.

Command: theHarvester -d <domain> -b <source>

  • sublist3r

For a given domain (e.g., example.com) this tool finds subdomain information (e.g., sub.example.com). It can be installed with the command apt install sublist3r. Additionally, there are online tools that can be used to perform similar information gathering.

Command: sublist3r -d <domain>

  • Wappalyzer (Browser add-on)

This tool provides meta information about the implementation of a web application, such as version numbers, frameworks, programming language and content management system used.

  • Google Search

It is possible to perform effective searches on Google by using specific search operators. For example, to find a particular type of file at a website you can use

site:<domain> filetype: <file type e.g., pdf, docx, etc>

Cheers !


Create a Simple Port Scanner on Kali Linux

Posted by Kulani Mahadewa on March 16, 2021
Posted in: Ethical Hacking. Tagged: Kali, port, port scanner, python, python3, scanner, simple.

Hi 🙂 This post is about a simple port scanner that searches for open ports on a given IP address. It uses the Python socket module and is written for Python 3.

import socket
import sys

start_port = 1
end_port = 65535

if len(sys.argv) != 2:
    print("usage: python3 scanner.py <host IP>")
    sys.exit(1)

socket.setdefaulttimeout(1)                 # give up on each port after one second
host = socket.gethostbyname(sys.argv[1])    # take IP (or hostname) of host as input, resolved once

try:
    for port in range(start_port, end_port + 1):   # end_port is inclusive
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        result = s.connect_ex((host, port))         # address must be a (host, port) tuple
        if result == 0:                             # 0 means the TCP connection succeeded
            print("port {} is open".format(port))
        s.close()
except Exception as ex:
    ################### check exception details ######################
    template = "An exception of type {0} occurred. Arguments:\n{1!r}"
    message = template.format(type(ex).__name__, ex.args)
    print(message)
    print('exception caught')
    sys.exit()

How to run this script:

$ python scanner.py <host IP>
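Probing 65535 ports one at a time with a one-second timeout takes many hours on a host that silently drops packets. As an added example (not from the post), the same connect scan is written as a function that probes ports concurrently and returns the open ones, with a self-check that binds a listener on loopback so the scan can be verified against a known-open port without touching any other machine.

```python
import socket
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=1.0):
    """Return port if a TCP connect to host:port succeeds, otherwise None."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        if s.connect_ex((host, port)) == 0:
            return port
    return None


def scan_ports(host, ports, workers=64, timeout=1.0):
    """Probe the given ports concurrently; return the sorted list of open ports."""
    host = socket.gethostbyname(host)  # resolve once, not once per port
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p, timeout), ports)
    return sorted(p for p in results if p is not None)


def demo_local_scan():
    """Self-contained check: open a listener on loopback and scan the ports around it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port
    listener.listen(5)
    port = listener.getsockname()[1]
    try:
        found = scan_ports("127.0.0.1", range(port - 2, port + 3), workers=8, timeout=0.5)
    finally:
        listener.close()
    return port, found


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print("open ports:", scan_ports(sys.argv[1], range(1, 65536)))
    else:
        port, found = demo_local_scan()
        print("listener on", port, "-> scan found", found)
```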

Cheers !


Create Kali Linux Live USB stick with Etcher on Windows

Posted by Kulani Mahadewa on October 7, 2020
Posted in: Kali Linux. Tagged: 1 failed device, balena etcher, dual boot, fast-restart, kali linux live usb stick, kali linux startup missing.

Hi! You can create a bootable Kali Linux Live USB stick in a few steps using the balenaEtcher tool on Windows.

  • Step 1: Download the Kali Linux live image from https://www.kali.org/downloads/ . I selected Kali Linux 64-Bit (Live) 2020.3. After downloading, you can verify the image by comparing its SHA256 value with the one shown on the website:

certutil -hashfile <path to iso image> SHA256

  • Step 2: Next, download balenaEtcher from https://github.com/balena-io/etcher/releases.

Once installed, simply select the Kali Linux live ISO image at “Flash from URL” -> then select the USB drive for flashing at “Select target” -> select “Flash”.

Once flashing is done, you may see “1 failed device” due to a checksum failure during verification on Windows. However, the write to the USB was successful; this error has been identified as a false positive seen on Windows.

What else can you do with the Live USB stick of Kali Linux?

Add Kali Linux to the startup menu on a dual boot with Windows: you can find a guide to adding Kali Linux to the startup menu of a dual boot with Windows at https://networkwolves.wordpress.com/2015/04/13/repair-kali-linux-grub-after-installing-window-in-dual-boot/amp/

Boot the live USB stick -> select “Live system” -> open a terminal -> log in as the root user.

(If you have a fresh version, enable root login and switch to root with the following commands.)

sudo apt-get install kali-root-login
sudo su

Next, run the following commands (here the Linux root partition is /dev/sda3 and GRUB is installed to the /dev/sda disk), then reboot the system to see the boot menu with the Kali Linux option.

mount /dev/sda3 /mnt
mount --bind /dev /mnt/dev
mount --bind /dev/pts /mnt/dev/pts
mount --bind /proc /mnt/proc
mount --bind /sys /mnt/sys
chroot /mnt
grub-install /dev/sda
update-grub
exit
umount /mnt/dev/pts
umount /mnt/dev
umount /mnt/proc
umount /mnt/sys
umount /mnt

Resolving a Kali Linux startup problem on a dual-boot desktop caused by Windows fast startup: the Kali Linux Live USB stick can be used to resolve this too.

When you try the first command (mount /dev/sda3 /mnt), the mount fails with an error. You can disable fast startup, which is a newer feature of Windows 10, by selecting Control Panel -> System and Security -> Power Options -> “Choose what the power buttons do” -> “Change settings that are currently unavailable” -> untick “Turn on fast startup”.
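If any step of the chroot sequence above fails (the fast-startup mount error being the common case), the bind mounts are easily left behind. Here is an added bash script (not from the post) that wraps the same GRUB repair with argument checks and a cleanup trap that unmounts in reverse order whether or not the repair succeeded; it assumes the post's layout of a Linux root on /dev/sda3 and derives the disk to pass to grub-install from the partition name.

```bash
#!/bin/bash
# Reinstall GRUB from a Kali live session into an existing Linux root partition.
# Usage (as root): repair_grub /dev/sda3
set -eu

MOUNT_ROOT=/mnt

# Map a partition device to the whole-disk device that grub-install needs:
# /dev/sda3 -> /dev/sda, /dev/nvme0n1p3 -> /dev/nvme0n1, /dev/mmcblk0p2 -> /dev/mmcblk0
disk_of_partition() {
    case "$1" in
        /dev/nvme*p[0-9]*|/dev/mmcblk*p[0-9]*) printf '%s\n' "${1%p[0-9]*}" ;;
        /dev/[sv]d[a-z]*[0-9]*)                printf '%s\n' "${1%%[0-9]*}" ;;
        *) echo "unrecognised partition device: $1" >&2; return 1 ;;
    esac
}

# Unmount everything in reverse order of mounting; runs on exit, success or failure.
cleanup() {
    set +e
    for m in dev/pts dev proc sys ""; do
        mountpoint -q "$MOUNT_ROOT/$m" && umount "$MOUNT_ROOT/$m"
    done
}

repair_grub() {
    local part="$1" disk
    disk="$(disk_of_partition "$part")"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    [ -b "$part" ]       || { echo "not a block device: $part" >&2; return 1; }
    trap cleanup EXIT

    # Same mount sequence as in the post; if the root mount fails (e.g. Windows
    # fast startup left the disk dirty) nothing is left mounted behind.
    mount "$part" "$MOUNT_ROOT"
    for m in dev dev/pts proc sys; do
        mount --bind "/$m" "$MOUNT_ROOT/$m"
    done
    chroot "$MOUNT_ROOT" /bin/sh -c "grub-install '$disk' && update-grub"
}
```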

Cheers ! 🙂


System Execution Sequence – Part 1: BIOS/UEFI and Bootloader

Posted by Kulani Mahadewa on July 6, 2020
Posted in: System Execution Sequence. Tagged: bios, bootloader, system execution, uefi.

Execution Environment

Computing is about running algorithms, which is achieved by executing code. So, in what order does code execute on a computer?

Different kinds of computers (e.g., desktop/server platforms, mobile and embedded devices) may organize the system execution order slightly differently. In general, the kernel space sits on top of the hardware, and user-space software on top of the kernel. However, in simple embedded software such as IoT devices, the firmware code can sit directly on top of the hardware. The kernel provides system calls for the user libraries to access system functionality, and the libraries provide library calls for applications to access the functionality of the libraries. Despite this layered organization, the CPU receives it all as a flat instruction stream.

Is it possible to run binaries of one architecture on another architecture, for example a Linux binary on Windows?

Yes. In particular, there are compatibility layers that facilitate the execution of a binary that belongs to a different architecture. Wine is such a compatibility layer; it supports the execution of Windows binaries on Unix-like OSs. Windows Subsystem for Linux (WSL) is another compatibility layer, which facilitates the execution of native Linux binaries on top of Windows.

Virtual machines (VMs) are a way to provide an isolated execution environment. A VM can provide the same or a different execution environment from the underlying architecture; for example, a Linux VM provides a Linux execution environment on Windows. A VM provides both kernel space and user space, so end users can work without worrying about the underlying architecture.

Docker is another way to provide an isolated execution environment. However, Docker provides isolation for applications through containers, whereas a VM provides isolation for the whole OS environment. The VM’s user space is similar to a Docker container.

Firmware Booting Code

When the PC is powered on, the firmware boot code is the first thing to run. While this boot code runs, you see the vendor logos on the screen. During this time, in the background, it probes all the hardware devices to check whether they work. The keyboard alone is enough to interact with this code.

BIOS (Basic I/O System) and UEFI (Unified Extensible Firmware Interface) are the two types of boot code, or boot firmware. It comes pre-installed on the PC board.

BIOS vs UEFI:

  • BIOS is the legacy boot firmware. It only supports up to 4 partitions of the hard disk.
  • UEFI is the newer boot firmware. It supports more than 4 partitions of the HD and additionally provides a secure mode and network support during boot to download missing code.

Another main function of the boot code is to find the next code to be executed and load it into memory. What is the next code to execute? The bootloader.

Bootloader

It is a small program that loads other OS programs and data into memory and executes them. It can run automatically or ask for manual options. A bootloader can load a single kernel or one of multiple kernels. It becomes the main application running on the microprocessor during normal operation.

Is a bootloader required on a computer system? No. Simple embedded systems may come without a bootloader to save space.

Can you replace the existing bootloader? Yes. For example, U-Boot can be used to replace the bootloader.

Different bootloaders:

  • Linux: GRUB bootloader
  • Windows: BCD bootloader
  • Android: Fastboot (to load the recovery image)
  • iOS: iBoot
  • Embedded systems: U-Boot (a general bootloader)

A main function of the bootloader is to find where the kernel image resides, put it in memory and execute it.

What if the bootloader cannot find the kernel, or the kernel image is missing? PXE (Preboot Execution Environment) comes into play. An advantage of the UEFI boot firmware is that it supports PXE, so if the kernel image is not found it can be downloaded from a remote server.

The general procedure of PXE:

  • The host requests an IP for its network adapter from the DHCP server. The DHCP server replies with a temporary IP and the TFTP server address.
  • Next, the host requests a network bootloader from the TFTP server. The TFTP server replies with the network bootloader and its support files.
  • Next, the host requests the kernel from the web or TFTP server and receives it.
  • Finally, it acquires an IP for the kernel from the DHCP server.

Bootloader Security

Achieved through the TPM

What is TPM?

The Trusted Platform Module (TPM) is a hardware component (a chip on the motherboard) that guarantees the integrity of the boot process.

Threat model: malicious code that replaces the bootloader or the kernel.

With the TPM it is possible to check the integrity of code and prevent an attacker from modifying the code in the initial stages of booting the OS. It uses simple cryptographic techniques and supports saving some sensitive data. The advantage is that it can hash a large amount of data. The hash value is stored in a PCR (Platform Configuration Register).

Chain of Trust

  • First, the root of trust (BIOS/UEFI) verifies that the bootloader is secure by checking its signature.
  • Next, control is transferred to the bootloader, where the integrity of the hash value is checked.
  • Next, control is transferred to the kernel, and the integrity of the kernel is checked.
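To make the PCR idea concrete, here is an added Python model of measured boot (my own illustration, not from the post and not a real TPM API): each boot stage is hashed and folded into a PCR with the extend operation, a verifier replays the event log to reproduce the PCR, and a tampered bootloader is detected because the final PCR no longer matches the golden value. The boot-stage images are constructed byte strings standing in for the real bootloader and kernel files.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR, starts as all zeros at power-on


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(image)). Never overwrites, only folds in."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measured_boot(components):
    """Extend the PCR with each boot stage in order; return (final PCR, event log).

    components: list of (name, image_bytes) in boot order, e.g. bootloader then kernel.
    The event log records what was measured so a verifier can replay it.
    """
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in components:
        log.append((name, hashlib.sha256(image).hexdigest()))
        pcr = extend(pcr, image)
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR from the event log digests alone."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = hashlib.sha256(pcr + bytes.fromhex(digest)).digest()
    return pcr


def attest(final_pcr: bytes, golden_pcr: bytes) -> bool:
    """Release/accept only if the PCR equals the known-good value."""
    return final_pcr == golden_pcr


# Constructed stand-ins for the boot-stage images.
GOOD_CHAIN = [("bootloader", b"GRUB image (constructed)"),
              ("kernel", b"vmlinuz image (constructed)")]
TAMPERED_CHAIN = [("bootloader", b"GRUB image (constructed) + bootkit"),
                  ("kernel", b"vmlinuz image (constructed)")]


def demo():
    """Return (good chain attests?, tampered chain attests?) against the golden PCR."""
    golden, log = measured_boot(GOOD_CHAIN)
    assert replay_log(log) == golden          # log is consistent with the PCR
    tampered, _ = measured_boot(TAMPERED_CHAIN)
    return attest(golden, golden), attest(tampered, golden)


if __name__ == "__main__":
    print("good boot accepted, tampered boot accepted:", demo())
```

Swapping the order of the two stages also changes the PCR, which is why the chain of trust is an ordered sequence rather than a set of hashes.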

UEFI Secure Mode

First, the signature of the kernel bootloader has to be generated; this is done by the manufacturer. Next, when the bootloader loads, its signature is checked for integrity.

This causes trouble if you have to add a customized bootloader.

In fact, UEFI Secure Boot combined with the TPM is recommended for preserving security.

Unlock Bootloader

  • PCs support both BIOS and UEFI as boot methods. It is possible to switch between the two types; however, data loss and compatibility issues could happen.
  • In Android, the bootloader is locked by default. The fastboot tool can be used to unlock it. When the bootloader is unlocked it is possible to change the OS. (Rooting, by contrast, only allows control of the whole OS: it provides access to the system partition, while bootloader unlocking provides access to the boot and recovery partitions.)
  • On iPhones and macOS, iBoot is the bootloader. DFU is required to downgrade iOS.

Booting Disk Creation and Disk Management

  • Etcher: can be used to locally generate a bootable USB in 3 steps: select the image, select the USB drive and flash.
  • UNetbootin: Universal Netboot Installer.
  • dd: direct dump, a Unix utility. It can securely erase all files block by block.
  • Clonezilla

Online resources that can be referred to:

  • Booting code in firmware/ROM
    • BIOS https://en.wikipedia.org/wiki/BIOS
    • Mac Open Firmware
    • UEFI&BIOS https://www.partitionwizard.com/partitionmagic/uefi-vs-bios.html
  • Bootloader:
    • Linux GRUB:
      https://www.gnu.org/software/grub/manual/grub/html_node/index.html
    • Windows Bootloader:
      https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/boot-options-in-windows
    • Embedded device bootloader:
      https://www.embedded.com/bootloaders-101-making-your-embedded-design-future-proof/
    • Android Bootloader (Recovery, Fastboot)
      https://source.android.com/devices/bootloader
      https://www.howtogeek.com/249439/how-to-enter-androids-bootloader-and-recovery-environments/
    • iOS Bootloader:
      https://www.theiphonewiki.com/wiki/IBoot_(Bootloader)
    • UBoot:
      https://www.denx.de/wiki/U-Boot
    • Network Bootloader: PXE https://en.wikipedia.org/wiki/Preboot_Execution_Environment
    • (Background knowledge) MBR and GPT https://www.howtogeek.com/193669/whats-the-difference-between-gpt-and-mbr-when-partitioning-a-drive/
  • Bootloader security, TPM
    • Boot security modes and recommendations: https://media.defense.gov/2019/Jul/16/2002158058/-1/-1/0/CSI-BOOT-SECURITY-MODES-AND-RECOMMENDATIONS.PDF
    • UEFI and the TPM:
      https://resources.infosecinstitute.com/uefi-and-tpm-2/#BIOSBootProcess
    • Use TPM to improve boot security at BIOS layer: https://ieeexplore.ieee.org/document/6161909
    • Unlock Bootloader (Android):
      https://www.quora.com/What-is-the-meaning-of-an-unlocked-bootloader-in-mobile-phones
      https://www.getdroidpro.com/how-to-unlock-bootloader-on-any-android-smartphone/
    • Unlock Bootloader (iPhone):
      Device Firmware Upgrade (DFU): https://blog.elcomsoft.com/2018/10/everything-about-ios-dfu-and-recovery-modes/
      https://ifixelectronics.com.au/what-is-dfu-mode/
    • TPM overview: https://www.trustedcomputinggroup.org/wp-content/uploads/TPM-Overview.pdf (optional)
    • Trusted boot loader: https://elinux.org/images/2/28/Trusted_Boot_Loader.pdf (optional)
    • TPM manual: https://trustedcomputinggroup.org/wp-content/uploads/PC_Client_TPM_PP_1.3_for_TPM_1.2_Level_2_V116.pdf (optional)
    • Windows TPM usage: https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-overview (optional)
      https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm#measured-boot (optional)
  • Boot disk (USB/CD-R), system installation process, system image cloning
    • dd: https://www.unixtutorial.org/commands/dd
    • Etcher: https://www.balena.io/etcher/
    • UNetbootin: https://unetbootin.github.io/
    • Clonezilla: https://clonezilla.org/


Did you know that your Philips Hue bulb can be hijacked by a malicious hub in the neighborhood?

Posted by Kulani Mahadewa on May 25, 2020
Posted in: Article, Internet of Things. Tagged: 2018, 2019, attacks, bulb hijacking, Chromecast, finite state machine, fsm, hijacking, HomeScan, iceccs, integration, integration analysis, iot, iot attacks, iot security, iot system, LIFX, malicious, phd research, Philips Hue, reachability analysis, reachability check, research, security analysis, Security Research, smart bulb, smart home attack, smart lighting, state transitions, TSE, vulnerabilities, ZigBee, ZLL.

Philips Hue is a popular smart home lighting system. It provides flexibility and ease of control, and diverse customizations in terms of colour range and functionality that a typical light bulb cannot provide. However, there can be vulnerabilities in these new Internet of Things products due to a lack of security hardening or the challenges of adopting existing security solutions in them.

With reference to the previous post, HomeScan [1, 2] discovered a vulnerability in the Philips Hue lighting system that leads to hijacking a Philips Hue bulb that is already connected to a victim’s hub, in the presence of a malicious hub. As stated by HomeScan, the vulnerability is introduced by the Philips Hue bulbs’ use of the existing communication protocol ZigBee as a low-power solution. Specifically, Philips Hue uses the ZigBee Light Link (ZLL) protocol, which allows a ZigBee-enabled bulb to accept and reply to discovery beacons even after the bulb is already connected to a hub. Consequently, a malicious hub can discover the victim’s bulb by sending a discovery beacon. Following that, the attacker can launch the ZLL authentication, which results in the bulb disconnecting itself from the victim’s hub and establishing authentication with the malicious hub.

Here is the attack demo video showing how the Philips Hue bulb is hijacked by the malicious hub over the ZigBee network. The demo uses the Perytons tool and a USB-pluggable sniffing stick that supports ZigBee traffic capture. The traffic was captured in the presence of a real Philips Hue bulb and two Philips Hue hubs (one benign, belonging to the victim, and the other malicious, belonging to the attacker). HomeScan discovered several other vulnerabilities in other devices, including Chromecast and LIFX. You can check the HomeScan demo site for the other findings.

References

[1] Scrutinizing Implementations of Smart Home Integrations. Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Yan Liu, Jin Song Dong, and Zhenkai Liang. IEEE Transactions on Software Engineering, TSE 2019

[2] HOMESCAN: Scrutinizing Implementations of Smart Home Integrations. Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Jin Song Dong and Zhenkai Liang. 23rd International Conference on Engineering of Complex Computer Systems, ICECCS 2018, Melbourne, Australia, December 12-14, 2018


Why Smart Homes Require Integration Analysis?

Posted by Kulani Mahadewa on May 24, 2020
Posted in: Article, Getting Started with Android. Tagged: 2018, 2019, discovering flaws, end to end, finite state machine, HomeScan, iceccs, integration, integration analysis, Internet of Things, iot, iot system, model, model checker, model checking, model extraction, security analysis, security flaws, semi-automatic, smart home, smart home security, smart home system, smart home system security, specification extraction, state machine, state transitions, system model, TSE, Vulnerability Analysis.

In the HomeScan [2] paper (ICECCS 2018), we highlight the importance of analyzing the security of a smart home system from the integration perspective and propose a semi-automatic approach to perform the integration analysis. Later, an extended version [1] of this work was published in the TSE journal in 2019.

Why integration analysis?

Unlike traditional ubiquitous smart home systems, IoT (Internet of Things) driven smart home systems are more complex because of the inherent attributes of IoT: heterogeneity in the technologies, standards, protocols, and platforms they are built upon, while still supporting a low-cost, low-power system over the Internet.


The figure shows the diversity of communication protocols and of smart devices from different manufacturers supported by a smart home system built around a SmartThings hub.

The HomeScan paper identifies two factors that make securing a smart home system challenging: incompatibilities and invalidated assumptions, both of which exist in a smart home system because of its complexity. It therefore highlights the need to analyze the security of a smart home system from the integration perspective, in order to discover the insecurities that arise from these challenges.

How to perform integration analysis?

The paper proposes HomeScan, a semi-automatic approach to perform a security analysis of a smart home system from the integration perspective. The idea is that, if you have a model (a finite state diagram) of the integrated system, you can perform model checking against different attack models to find security problems in the integrated system. Hence, the paper first provides a set of techniques to extract the model of the integrated system as a Labelled Transition System (LTS) from the available implementations. Next, it shows that reachability checking over the generated integrated-system model can be used to find security problems in the smart home integration. For more information please refer to the HomeScan [2] paper or its extended version [1].
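To make the LTS-plus-reachability idea concrete, here is an added example (not HomeScan’s code, nor code from either post): a hand-built LTS of the Hue bulb/hub commissioning behaviour described in the previous post, with a breadth-first reachability check that asks whether the bulb can end up owned by the attacker’s hub. The state and label names, and the "ignore beacons once joined" hardening, are this example’s own assumptions, not the vendor’s fix.

```python
# Added example: toy labelled transition system (LTS) of the ZLL commissioning
# flow as the Hue post describes it, plus a reachability check in the spirit of
# HomeScan's analysis. State/label names are assumptions, not HomeScan's model.
from collections import deque

# State = (bulb_owner, replied_to_attacker_beacon)
INITIAL = ("victim", False)        # bulb already commissioned to the victim's hub
LABELS = ("attacker_beacon", "attacker_zll_auth")


def step(state, label, ignore_beacons_when_joined):
    """Successor of `state` under `label`, or None when the action is not enabled.

    ignore_beacons_when_joined=False models the behaviour the post describes
    (a joined bulb still answers discovery beacons); True models an assumed
    hardening in which a commissioned bulb ignores them.
    """
    owner, replied = state
    if label == "attacker_beacon":
        if owner != "none" and ignore_beacons_when_joined:
            return None                       # hardened bulb stays silent
        return (owner, True)                  # bulb answers the malicious hub
    if label == "attacker_zll_auth":
        # ZLL authentication only proceeds with a bulb that answered the beacon;
        # on success the bulb detaches from its hub and joins the attacker's.
        return ("attacker", False) if replied else None
    return None


def find_attack_trace(ignore_beacons_when_joined):
    """Breadth-first reachability over the LTS. Returns the shortest label
    sequence reaching a state where the attacker's hub owns the bulb, or
    None when no such state is reachable (the safety property holds)."""
    queue = deque([(INITIAL, [])])
    seen = {INITIAL}
    while queue:
        state, trace = queue.popleft()
        if state[0] == "attacker":
            return trace
        for label in LABELS:
            nxt = step(state, label, ignore_beacons_when_joined)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [label]))
    return None


if __name__ == "__main__":
    print("as described:", find_attack_trace(False))   # ['attacker_beacon', 'attacker_zll_auth']
    print("hardened    :", find_attack_trace(True))    # None
```

The returned trace is exactly the two-message sequence the post describes; under the assumed hardening the bad state is unreachable, which is what a model checker would report as the property holding.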

References

[1] Scrutinizing Implementations of Smart Home Integrations. Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Yan Liu, Jin Song Dong, and Zhenkai Liang. IEEE Transactions on Software Engineering, TSE 2019

[2] HOMESCAN: Scrutinizing Implementations of Smart Home Integrations. Kulani Mahadewa, Kailong Wang, Guangdong Bai, Ling Shi, Jin Song Dong and Zhenkai Liang. 23rd International Conference on Engineering of Complex Computer Systems, ICECCS 2018, Melbourne, Australia, December 12-14, 2018


Use mitmproxy to Capture Traffic on the Same Machine

Posted by Kulani Mahadewa on April 10, 2020

Hi, in this post I’m giving a detailed guide to using mitmproxy on Kali Linux to capture traffic. The mitmproxy tool provides many attacker capabilities for traffic analysis, such as intercept, modify, replay, save, etc. You can check here for more details. I wanted to use this tool to capture traffic on the same machine (the tool is by default designed to be used as a man-in-the-middle attacker monitoring the traffic of a victim device) to analyze web protocols. On my Windows machine I used Fiddler to capture and analyze traffic. However, it did not provide enough support on Linux machines when further processing was required. Hence, I decided to use mitmproxy on Linux.

Note: In order to use mitmproxy to monitor traffic on the same machine we need two users: one user to run the proxy, and the other user as the victim. The following are the steps to set up your environment on a Kali Linux machine. Although Kali Linux comes with mitmproxy pre-installed, I removed the existing version and installed the latest mitmproxy version 5.0.1. The newest version claims to be 4X faster.

Step 0: Remove previously installed mitmproxy

You may have to remove the existing old version of mitmproxy if you are using Kali Linux:

sudo apt-get remove --auto-remove mitmproxy

Step 1: Create a new account for the proxy.

Use the following commands to create a new user. This user will be used as the attacker (the user that runs the proxy).

sudo useradd -m mitmproxyuser            # creates the user and its home directory
sudo passwd mitmproxyuser                # set a password for the new user
sudo usermod -a -G sudo mitmproxyuser    # add the user to the sudo group

Step 2: Download the mitmproxy version 5.0.1

  • Visit https://mitmproxy.org/ and download the v5.0 binary of mitmproxy.
  • Extract the downloaded .gz file. It contains the following executables:
    • mitmproxy
    • mitmdump
    • mitmweb

Step 3: Install the mitmproxy as the newly created user

Change to the directory containing the extracted mitmproxy content.

  • Use the following command to install mitmproxy.

Note: I’m using pip3 to install mitmproxy; pip gave errors for me.

sudo -u mitmproxyuser bash -c 'cd ~ && pip3 install --user mitmproxy'

If the command was successful, mitmproxy’s hidden files will have been generated under the new user’s home directory (e.g. ~/.local).

Step 4: Enable IP forwarding and add the redirect rules to iptables.

sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
sysctl -w net.ipv4.conf.all.send_redirects=0
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080
ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 80 -j REDIRECT --to-port 8080
ip6tables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner mitmproxyuser --dport 443 -j REDIRECT --to-port 8080

Note*: Once these iptables rules are in place, you will not be able to browse the Internet unless mitmproxy is running, because all HTTP/HTTPS traffic not owned by mitmproxyuser is redirected to port 8080.

Step 5: Start mitmproxy as the user mitmproxyuser

sudo -u mitmproxyuser bash -c '$HOME/.local/bin/mitmproxy --mode transparent --showhost --set block_global=false'

Note*: Now, when you visit a web site in the Firefox browser, it will still say that the certificate is not trusted.

Step 6: Install the mitmproxy certificate in the Firefox browser

Once mitmproxy is started:

  • Open the browser and visit http://mitm.it/


  • Click on ‘other’ for Linux. It will download the certificate and prompt for acceptance. You can view the certificate and accept it.


Step 7: Capture traffic with mitmproxy

Finally, after installing the CA certificate, you can use mitmproxy to analyze your traffic as follows.

Click on an item to view the details.
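As an added example (not part of the post), here are the iptables redirect rules from above wrapped in a small Python helper that adds each rule only if it is absent and can remove them all again, which matters because the machine has no HTTP/HTTPS access while the rules are present and mitmproxy is not running. The user and port are the post’s values; the injectable `runner` is an assumption added so the control flow can be exercised without root, and the script itself must be run as root.

```python
# Added example, not from the original post: idempotent on/off switch for the
# transparent-redirect rules. PROXY_USER/PROXY_PORT are the post's values.
import subprocess
import sys

PROXY_USER = "mitmproxyuser"   # runs mitmproxy; its own sockets bypass the redirect
PROXY_PORT = 8080              # mitmproxy transparent-mode listener
PORTS = (80, 443)
SYSCTLS = ("net.ipv4.ip_forward=1",
           "net.ipv6.conf.all.forwarding=1",
           "net.ipv4.conf.all.send_redirects=0")


def rule_args(port, user=PROXY_USER, proxy_port=PROXY_PORT):
    """Rule body shared by -A, -C and -D. The `owner` match excludes the proxy
    user's sockets; without it mitmproxy's upstream connections would be
    redirected back into mitmproxy and loop."""
    return ["OUTPUT", "-p", "tcp", "-m", "owner", "!", "--uid-owner", user,
            "--dport", str(port), "-j", "REDIRECT", "--to-port", str(proxy_port)]


def run(cmd, runner=subprocess.run):
    """Run a command and report success. `runner` is injectable (assumption)
    so the logic can be tested without root or iptables installed."""
    return runner(cmd, capture_output=True).returncode == 0


def apply_rule(tool, port, runner=subprocess.run):
    """Append the rule unless `-C` reports it already present. Returns True
    if a rule was added."""
    if run([tool, "-t", "nat", "-C", *rule_args(port)], runner):
        return False
    if not run([tool, "-t", "nat", "-A", *rule_args(port)], runner):
        raise RuntimeError(f"{tool}: failed to add redirect for port {port}")
    return True


def remove_rule(tool, port, runner=subprocess.run):
    """Delete the rule; returns False if it was not present."""
    return run([tool, "-t", "nat", "-D", *rule_args(port)], runner)


def set_redirect(enable, runner=subprocess.run):
    """Enable or disable the whole redirect (needs root). Returns the number
    of rules actually added or removed."""
    changed = 0
    if enable:
        for setting in SYSCTLS:
            run(["sysctl", "-w", setting], runner)
    for tool in ("iptables", "ip6tables"):
        for port in PORTS:
            changed += bool((apply_rule if enable else remove_rule)(tool, port, runner))
    return changed


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "on"   # usage: script.py on|off
    print(f"{set_redirect(mode == 'on')} rule(s) changed")
```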


Cheers ! 🙂


Running PyCharm Traffic through Fiddler

Posted by Kulani Mahadewa on April 6, 2020

Hi, here is a brief guide to setting up PyCharm to send the traffic generated by requests through Fiddler.

Usage: If you get errors while implementing a protocol extracted from Fiddler traces, you can forward the traffic to Fiddler so that you can check the captured traces against the traffic generated from PyCharm to debug your code. For example, you can solve issues when receiving Code 422 in response.

First, you need to update the proxy settings in PyCharm with the Fiddler proxy details. This will ask you to install the Fiddler-generated certificates in PyCharm. However, this step only allows PyCharm to direct its own traffic to Fiddler; your Python code still fails, since this setting does not apply to the urllib3 used by requests. Hence, we have to bypass certificate verification in the code.

Step 1: Add Fiddler Generated Certificates to PyCharm

  • In the PyCharm IDE, go to File -> Settings -> Appearance & Behavior -> System Settings -> HTTP Proxy and provide the Fiddler proxy settings (Host: 127.0.0.1, Port: 8888).
  • Restart PyCharm. It will prompt you to accept the Fiddler-generated certificates for JetBrains.
  • You can check the saved certificates at File -> Settings -> Tools -> Server Certificates.

Step 2: Update the Python Code

In the Python code, I’m using the requests package to send HTTPS requests. Update the request with an additional argument verify=False. Otherwise, it will throw a verification-failed exception (ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:646)).

import requests

# initURL, initParams and headerInit are defined earlier in the script
initResponse = requests.get(initURL, params=initParams, headers=headerInit, verify=False)

Now, it will only give a warning (InsecureRequestWarning: Unverified HTTPS request is being made to host ‘127.0.0.1’. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings InsecureRequestWarning,) and the code passes. Assuming you are aware of the security of the URL you are visiting, this can help you forward PyCharm traffic through Fiddler without much hassle.

Cheers ! 🙂


Fix ERR_CONNECTION_TIMED_OUT error on Android with Fiddler Proxy

Posted by Kulani Mahadewa on March 12, 2020

Hi, when setting up an Android device with Fiddler on the host machine, you need to configure the proxy settings of the Android Wi-Fi connection with the IP address shown in Fiddler (Online) as the host and 8888 as the port. After that, you need to visit http://ipv4.fiddler:8888 in the browser to download the Fiddler Root Certificate. However, when visiting http://ipv4.fiddler:8888 in the Android browser, you might get ERR_CONNECTION_TIMED_OUT. This could be due to many reasons.

Reasons and Solutions:

  • If you are connecting your Android device to Fiddler for the first time, recheck the settings in Fiddler: go to Tools -> Options -> Connection and tick “Allow remote computers to connect”. To allow HTTPS decryption, ensure you have ticked “Decrypt HTTPS traffic” under Options -> HTTPS, and then install the root certificate.
  • If you are trying to reconnect your Android device to Fiddler after it was working with a different host, and are now getting ERR_CONNECTION_TIMED_OUT in the Android browser:
    • You can first try removing the current certificates on the Fiddler host machine and reinstalling them:
      • First, go to Tools -> Options -> HTTPS and untick “Decrypt HTTPS traffic”.
      • Then select ‘Actions’ in the same dialog and select “Remove interception certificates”.
      • Then follow the normal procedure to enable HTTPS traffic decryption.
    • The last resort is to uninstall and reinstall Fiddler from scratch on your host machine. After that, your Android browser can visit http://ipv4.fiddler:8888 and download a new Fiddler Root Certificate.

Plus:

Even after successfully installing the Fiddler root certificate on your Android device, you may still not be able to capture the HTTPS traffic. It might be that you are using an older Fiddler root certificate or a certificate you installed when working with a different Fiddler host machine. Hence, remove the currently installed certificate from your Android device, then reconnect to the Fiddler host to install the new root certificate.

adb shell
cd /data/misc/user/0/cacerts-added
ls
rm <current root certificate, e.g. e5c3944b.0>

In the worst case, it may be due to certificate pinning in the application you are trying to test. In that case, you may have to use an instrumentation tool like Xposed to bypass such checks.

Cheers ! 🙂

 

