mitmproxy

An interactive console program that allows traffic flows to be intercepted, inspected, modified and replayed.

mitmdump

Think tcpdump for HTTP - the same functionality as mitmproxy without the frills.

---

install

pip install mitmproxy

See the installation instructions for more.

source

GitHub: github.com/mitmproxy/mitmproxy

releases

See the latest release on Github for source, OSX and Windows builds.

RFID password authentication

http://www.techno-holics.com

So.... I finally got hold of a couple of the Parallax serial RFID readers from Radioshack. I had the Northwest depot send a couple to my local store. $9 each is quite a steal. I set to work repurposing my Arduino to interpret the signal and output the RS232 into the virtual com port that the Arduino driver installs.

I'm running Windows 7 and there used to be a super awesome option called serial keys in Windows XP. This option no longer exists. I had to find a way to get the input from the com port to dump into the keyboard buffer. After some searching, I located a program called AAC Keys, which is an alternative to the Windows serial keys application. It's lightweight, runs in the tray, and can be configured to any com port you wish. 

My original goal was to do a sort of Windows login authentication using my RFID implant's unique tag.... But i'm not going to get into what a headache that was to try to do using an Arduino to interpret the signal. So I have put that project aside and decided to have some fun logging into various sites and applications using my tag as the password. For demonstrative purposes, I changed my Guild Wars password as well as the password to the RFIDtoys forums to match that of my tag. Since the sketch I uploaded for my Arduino automatically sends a 'return' at the end of the tag, it was a simple matter of scanning my tag when my cursor was in an active text box.

This is a video of it in action.

The programs I used for this were:

Arduino FTDI drivers:

http://www.ftdichip.com/Drivers/VCP.htm

AAC Keys:

http://www.aacinstitute.org/downloads/aackeys/AACKeys.html

Notable mentions:

Guild Wars

Google Chrome

All in all, it's a fairly simple little project. I am quite happy with how it turned out. And it gave me a nice little break from fighting with Windows to get my station login system working. 

http://usabuzz.net/page/watch/vid2016W6FRRaWo60w 

bb pistol to .22 conversion tutorial

   List of Officer Names Identified in the Panama Papers.pdf by Elsa Cristina David on Scribd

Defeating Drones: How To Build A Thermal Evasion Suit

Homemade Electric pick

Processor microcode manipulation to change opcodes?

I had recently thought of an extreme way of implementing security by obscurity and wanted to ask you guys if it's possible.
Would a person with no access to special processor documentation be able to change the CPU's microcode in order to obfuscate the machine's instruction set?
What else would need to be changed for a machine to boot with such a processor - would BIOS manipulation be enough?

You're very much getting into the realm of "Here be dragons" when you look into hardware manipulation like this. I don't know of any research or in-the-wild attack that has done any practical experimentation with this, so my answer will be purely academic.
First, it's probably best if I explain a bit about how microcode works. If you're already clued up on this stuff, feel free to skip ahead, but I'd rather include the details for those who don't know. A microprocessor consists of a huge array of transistors on a silicon die that interconnect in a way that provides a set of useful basic functions. These transistors alter their states based on internal changes in voltage, or on transitions between voltage levels. These transitions are triggered by a clock signal, which is actually a square wave that switches between high and low voltage at a high frequency - this is where we get "speed" measurements for CPUs, e.g. 2GHz. Every time a clock cycle switches between low and high voltage a single internal change is made. This is called a clock tick. In the simplest devices a single clock tick might constitute a whole programmed operation, but these devices are extremely limited in terms of what they're capable of doing.
As processors have gotten more complex, the amount of work that needs to be done at the hardware level to provide even the most basic operations (e.g. an addition of two 32-bit integers) has increased. A single native assembly instruction (e.g. add eax, ebx) might involve quite a lot of internal work, and microcode is what defines that work. Each clock tick performs a single microcode instruction, and a single native instruction might involve hundreds of microcode instructions.
Let's look at an extremely simplistic version of a memory read, for the instruction mov eax, [01234000], i.e. move a 32-bit integer from memory at address 01234000 into an internal register. First, the processor has to read the instruction from its internal instruction cache, which is a complicated task in itself. Let's ignore this for now, but it involves a lot of various operations inside the control unit (CU) that parse the instruction and prime various other internal units. Once the control unit has parsed the instruction, it then has to execute a group of microinstructions to perform the operation. First, it needs to check that the system memory pipeline is ready for a new instruction (remember that memory chips take commands too) so that it can do a read. Next, it needs to send a read command to the pipeline and wait for it to be serviced. DDR is asynchronous, so it must wait for an interrupt to say that the operation has completed. Once the interrupt is raised, the CPU continues with the instruction. The next operation is to move the new value from memory into an internal register. This isn't as simple as it sounds - the registers you would normally recognise (eax, ebx, ecx, edx, ebp, etc.) aren't fixed to a particular physical set of transistors in the chip. In fact, a CPU has a lot more physical internal registers than it exposes, and it uses a technique called register renaming to optimise the translation of incoming, outgoing and processed data. So the actual data from the memory bus has to be moved into a physical register, then that register has to be mapped to an exposed register name. In this case we'd be mapping it to eax.
All of the above is a simplification - the real operation might involve a lot more work, or might be handled by a dedicated internal device. As such, you might be looking at a large sequence of microinstructions that do very little on their own but add up to a single instruction. In some cases special microinstructions are used to trigger asynchronous internal hardware operations that handle a particular operation, designed to improve performance.
As you can see, microcode is immensely complicated. Not only would it wildly vary between CPU types, but also between release versions and revisions. This makes it a difficult thing to target - you can't really tell what microcode is programmed into the device. Not only that, but the way the microcode is programmed into the chip is also specific to each processor. On top of that, it's undocumented and checksummed, and potentially requires some signature checks too. You'd need some serious hardware to reverse engineer the mechanisms and checks.
Let's assume for a moment that you could overwrite microcode in a useful way. How would you make it do anything useful? Keep in mind that each code simply shifts some values around in the internals of the hardware, rather than a real operation. Obfuscating opcodes by juggling microcode around would require a complete custom OS and bootloader, but the BIOS would (likely) still work. Unfortunately more modern systems use UEFI rather than the old BIOS spec, which involves some execution of code on the CPU in real mode. This means you'd need an entirely new BIOS and OS, all written from scratch. Hardly a useful obfuscation method. On top of that, you may not even be able to remap instructions, because the seemingly arbitrary byte values aren't so arbitrary - the individual bits map to codes that select different areas of the CPU internals. Changing them might break the CPU's ability to even parse the instruction data.
A more interesting exercise would be to implement a new instruction that transitions you from ring3 to ring0 and another that switches back, all without performing any checks. This would allow you to do some fun stuff with privilege escalation without ever needing OS-specific backdoors.

http://security.stackexchange.com/questions/29730/processor-microcode-manipulation-to-change-opcodes

Ambient Computer Noise Leaks Your Encryption Keys

[Daniel, Adi, and Eran], students researchers at Tel Aviv University and the Weizmann Institute of Science have successfully extracted 4096-bit RSA encryption keys using only the sound produced by the target computer. It may sound a bit like magic, but this is a real attack – although it’s practicality may be questionable. The group first described this attack vector at Eurocrypt 2004. The sound used to decode the encryption keys is produced not by the processor itself, but by the processor’s power supply, mainly the capacitors and coils. The target machine in this case runs a copy of GNU Privacy Guard (GnuPG).
During most of their testing, the team used some very high-end audio equipment, including Brüel & Kjær laboratory grade microphones and a parabolic reflector. By directing the microphone at the processor air vents, they were able to extract enough sound to proceed with their attack. [Daniel, Adi, and Eran] started from the source of GnuPG. They worked from there all the way down to the individual opcodes running on the x86 processor in the target PC. As each opcode is run, a sound signature is produced. The signature changes slightly depending on the data the processor is operating on. By using this information, and some very detailed spectral analysis, the team was able to extract encryption keys. The complete technical details of the attack vector are available in their final paper (pdf link).
Once  they had the basic methods down, [Daniel, Adi, and Eran] explored other attack vectors. They were able to extract data using ground fluctuations on the computers chassis. They even were able to use a cell phone to perform the audio attack. Due to the cell phone’s lower quality microphone, a much longer (on the order of several hours) time is needed to extract the necessary data.
Thankfully [Daniel, Adi, and Eran] are white hat hackers, and sent their data to the GnuPG team. Several countermeasures to this attack are already included in the current version of GnuPG.

http://hackaday.com/2013/12/20/ambient-computer-noise-leaks-your-encryption-keys/

emvlab.org	PINBlock Calculator
emv emv tags tlv decoder cap calculator cryptogram calc crypto des calc asn1 decoder banking pin translation keyshare tools misc hex dump char converter research pre-play attack no-pin attack emv cap ped tampering relay attack cambridge security group contact us

converting from to Please use the automated test vector button above to generate sample data, or if you prefer, you can fill out the form below and click the individual action buttons to decrypt, convert and encrypt the PIN block. You can copy ready to use test data from the bottom.

Incoming PINBlock 0E05B5E65352F1F1	Incoming PAN 0000724125271176
Incoming ZPK 78AF2F990751D42B70157D04104E2B81

Incoming Clear PINBlock 045658FFFFFFFFFF

to

Outgoing Clear PINBlock 045658FFFFFFFFFF	Outgoing PAN 0000724125271176
Outgoing ZPK 7013A2730EB38BFD26B9F7A4894DD71C

Outgoing PINBlock E3ED2695B72EDED8

Test Data

http://www.emvlab.org – the one stop site for banking techies – © 2009–2012

This site is run by members of the Security Group at the University of Cambridge Computer Laboratory.

EMV® is a registered trademark of EMVCo LLC. This site and its operators are not affiliated or associated with or endorsed by EMVCo. All other trademarks and registered trademarks are the property of their respective owners.

http://www.emvlab.org/pinblock/ 

COPY A SMART CARD

   Copy smart cards.docx by Elsa Cristina David

Copy smart cards

z/OS Cryptographic Services ICSF TKE Workstation User's Guide
SA23-2211-08


This function allows you to copy keys and key parts from one TKE smart card to another TKE smart card. You can copy these types of keys:

• Crypto adapter logon key
• TKE authority signature key
• ICSF operational key parts
• ICSF master key parts
• Crypto adapter master key parts

Notes:

1. The two TKE smart cards must be enrolled in the same zone; otherwise the copy will fail. To display the zone of a TKE smart card, exit from the TKE application and use either the Cryptographic Node Management Utility or the Smart Card Utility Program found in the Trusted Key Entry category's Applications list on the TKE Workstation Console. See Cryptographic Node Management Utility (CNM) or Smart Card Utility Program (SCUP).
2. To copy ECC key parts, the applet version of the target smart card must be 0.6 or greater.

To copy a smart card:

1. Select Copy smart card contents... from the Utilities menu. A message box prompts you to “Insert source TKE smart card in smart card reader 1”.
2. Insert the source TKE smart card in smart card reader 1 and press OK. A message box prompts you to “Insert target TKE smart card in smart card reader 2”.
3. Insert the target TKE smart card in smart card reader 2 and press OK. The utility reads the TKE smart card contents. This may take some time. The card ID is displayed, followed by the card description. Verify that these are the TKE smart cards you want to work with.
   The Copy smart card contents window lists the following information for a TKE smart card:
   

   Card ID

   Identification of TKE smart card

   Zone description

   Description of the zone in which the TKE smart card is enrolled

   Card description

   Description of the TKE smart card; entered when the smart card was personalized

   Card contents

   Key type, Description, Origin, MDC4, SHA1, ENC-Zero, AES-VP, Control Vector or Key Attributes (for operational keys only), and Length.

4. Highlight the keys that you want to copy. By holding down the control button on the keyboard, you can select specific entries on the list with your mouse. By holding down the shift button on the keyboard, you can select a specific range of entries on the list with your mouse. Click on the Copy button or right click and select Copy.
   Note:

   Smart card copy does not overwrite the target TKE smart card. If there is not enough room on the target TKE smart card, you will get an error message. You can either delete some of the keys on the target TKE smart card (see Manage smart cards) or use a different TKE smart card.
   Figure 86. Select keys to copy

   
5. At the prompts, enter the PINs for the TKE smart cards on the smart card reader PIN pads. The keys will then be copied to the target TKE smart card. The target TKE smart card contents panel is refreshed.

Note:

You can display the key attributes associated with a CIPHER, EXPORTER, or IMPORTER AES operational key part stored on either the source or target smart card. Left click to select the key part, then right click to display a popup menu. Select the Display key attributes option to display the key attributes.