Monday, October 23, 2017

You want to hack the general, you cannot stand donkeys... you're just next door...

Mousejack Transmit – Wireless Mouse/Keyboard Attack With Replay/Transmit PoC

This is code extending the mousejack tools http://ift.tt/1PX8IIT.
Replay/transmit tools have been added to the original tools.
POC packets based on a Logitech Wireless Combo MK220 which consists of a K220 wireless keyboard and an M150 wireless mouse are included in the logs folder.
More details available here http://ift.tt/2p83Mcg
scanner
Pseudo-promiscuous mode device discovery tool, which sweeps a list of channels and prints out decoded Enhanced Shockburst packets.

usage: ./nrf24-scanner.py [-h] [-c N [N ...]] [-v] [-l] [-p PREFIX] [-d DWELL]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)
  -p PREFIX, --prefix PREFIX          Promiscuous mode address prefix
  -d DWELL, --dwell DWELL             Dwell time per channel, in milliseconds
Scan for devices on channels 1-5
./nrf24-scanner.py -c {1..5}
Scan for devices with an address starting in 0xA9 on all channels
./nrf24-scanner.py -p A9
sniffer
Device-following sniffer, which follows a specific nRF24 device as it hops and prints out decoded Enhanced Shockburst packets from the device. This version has also been modified to log the packets to a log file.

usage: ./nrf24-sniffer.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -o OUTPUT [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES]

optional arguments:
  -h, --help                              show this help message and exit
  -c N [N ...], --channels N [N ...]      RF channels
  -v, --verbose                           Enable verbose output
  -l, --lna                               Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS           Address to sniff, following as it changes channels
  -o OUTPUT, --output OUTPUT              Output file to log the packets
  -t TIMEOUT, --timeout TIMEOUT           Channel timeout, in milliseconds
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT
                                          ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES           Auto retry limit, accepts [0,15]
Sniff packets from address 8C:D3:0F:3E:B4 on all channels and save them to output.log
./nrf24-sniffer.py -a 8C:D3:0F:3E:B4 -o logs/output.log
replay/transmit
Replay captured packets or transmit generated ones. The tool follows a specific nRF24 device as it hops and sends the packets read from a log file.

usage: ./nrf24-replay.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS -i INPUT_FILE [-t TIMEOUT] [-k ACK_TIMEOUT] [-r RETRIES]

optional arguments:
  -h, --help                              show this help message and exit
  -c N [N ...], --channels N [N ...]      RF channels
  -v, --verbose                           Enable verbose output
  -l, --lna                               Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS           Address to follow as it changes channels
  -i INPUT_FILE, --input INPUT_FILE       Input file that has the packets to send
  -t TIMEOUT, --timeout TIMEOUT           Channel timeout, in milliseconds
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT
                                          ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES           Auto retry limit, accepts [0,15]
Send the packets in file keystroke.log to address 8C:D3:0F:3E:B4, following it as it hops channels
./nrf24-replay.py -a 8C:D3:0F:3E:B4 -i logs/keystroke.log
network mapper
Star network mapper, which attempts to discover the active addresses in a star network by changing the last byte of the given address and pinging each of the 256 possible addresses on each channel in the channel list.

usage: ./nrf24-network-mapper.py [-h] [-c N [N ...]] [-v] [-l] -a ADDRESS [-p PASSES] [-k ACK_TIMEOUT] [-r RETRIES]

optional arguments:
  -h, --help                              show this help message and exit
  -c N [N ...], --channels N [N ...]      RF channels
  -v, --verbose                           Enable verbose output
  -l, --lna                               Enable the LNA (for CrazyRadio PA dongles)
  -a ADDRESS, --address ADDRESS           Known address
  -p PASSES, --passes PASSES              Number of passes (default 2)
  -k ACK_TIMEOUT, --ack_timeout ACK_TIMEOUT
                                          ACK timeout in microseconds, accepts [250,4000], step 250
  -r RETRIES, --retries RETRIES           Auto retry limit, accepts [0,15]
Map the star network that address 61:49:66:82:03 belongs to
./nrf24-network-mapper.py -a 61:49:66:82:03
continuous tone test
The nRF24LU1+ chips include a test mechanism to transmit a continuous tone, the frequency of which can be verified if you have access to an SDR. Frequency offsets between devices can cause unexpected behavior: for instance, one of the SparkFun breakout boards that was tested had a frequency offset of ~300 kHz, which caused it to receive packets on two adjacent channels.
This script causes the transceiver to transmit a tone on the first channel that is passed in.

usage: ./nrf24-continuous-tone-test.py [-h] [-c N [N ...]] [-v] [-l]

optional arguments:
  -h, --help                          show this help message and exit
  -c N [N ...], --channels N [N ...]  RF channels
  -v, --verbose                       Enable verbose output
  -l, --lna                           Enable the LNA (for CrazyRadio PA dongles)
Transmit a continuous tone at 2405 MHz
./nrf24-continuous-tone-test.py -c 5
Packet generator script
This script uses a dictionary to map key presses to their equivalent packets. It reads input from stdin and logs the mapped packets to logs/keystrokes.log, accepting input until Ctrl+C is pressed.
usage: ./keymapper.py
Log files
The folder logs contains pre-saved packets for various keyboard operations. Shell.log is for exploitation of a Windows machine by running a PowerShell one-liner which connects back to the attacker machine.
The file keys.log serves as a reference in which various key presses and combinations are mapped to their equivalent packets.

Demo
A demo of exploiting a Windows machine:
Download Mousejack Transmit http://ift.tt/2o5wtVx http://ift.tt/2aM8QhC

You want to play Snowden, or spy on a Russian, or spy on a Japanese high-tech company? You plug this into a wall socket, on the other side of the wall or on the floor below. KeySweeper is a stealthy Arduino-based device, camouflaged as a functioning USB wall charger, that wirelessly and passively sniffs, decrypts, logs and reports back (over GSM) all keystrokes from any Microsoft wireless keyboard in the vicinity.

You want to track the maritime police? You dive and plug in to the radio transmitters: single-channel high-power VHF TX.

You want to blow up a car, or a bus, or an airplane? You will use sabotage, and interfere with the motor, the speed, the battery power, and the performance.

CAN BUS HACK

CAN / CANopen / J1939 / NMEA2000 / DeviceNet - Analyzer

A very simple tool for users who need to interface with a device based on CAN (CAN/CANopen/J1939/NMEA2000/DeviceNet), such as motors, sensors and many other devices.

http://www.adfweb.com/Home/products/CAN_BUS_analyzers.asp?frompg=GooHardware&loc_phy=1011747&k001=p&c1-k1=can%20bus%20sniffer&d=c&gclid=EAIaIQobChMIpJzI8KmG1wIVcjPTCh1HqwR4EAAYASAAEgIobvD_BwE

Drones with taser weapons - make your own fire

Sunday, October 22, 2017

ChipWhisperer laughs at your AES-256 implementation. But it laughs with you, not at you.
The objective of ChipWhisperer is nothing short of revolutionizing the entire embedded security industry. Every designer who uses encryption in their design should be able to perform a side-channel attack, and understand the ramifications of these attacks on their designs. The open-source nature of the ChipWhisperer makes this possible, and my hope is that it becomes the start of a new era of hardware security research.

https://hackaday.io/project/956-chipwhisperer-security-research

Defends against: fault injection attacks, physical attacks, side channel attacks, differential fault analysis attacks, RNG attacks, sensor and test mode attacks, dictionary attacks.

Crypto.Noise.Tutorial

Noise is a suite of cryptographic protocols similar in spirit to NaCl's crypto_box, or network solutions like TLS, but simpler, faster, with higher-security elliptic-curve cryptography, and stronger guarantees about deniability and identity hiding.

Introduction

The noise package defines two sets of APIs: boxes and pipes. Boxes handle standalone messages, and pipes encrypt communication channels.
To begin, a sender and a receiver must create a keypair:
sender@(senderPK, senderSK) <- createKeypair
receiver@(receiverPK, receiverSK) <- createKeypair
Send the public keys around, and keep the private keys safe.

Box API

Boxes are created using seal, and opened using open:
>>> b <- seal (Just sender) receiverPK 32 (pack "Hello world!")
>>> print $ open receiverSK (Just senderPK) b
Just "Hello world!"
When creating a box, you specify the sending keypair, the receiving public key, the amount of random padding you want (to obscure the plaintext length), and the message. To open it, you specify the secret key of the receiving party, and the public key of the sender.
Attempting to open a box from someone other than the sender will result in failure.
Senders may also be anonymous, where the sender does not specify a long-term key pair:
>>> b <- seal Nothing receiverPK 32 (pack "Hello world!")
>>> print $ open receiverSK Nothing b
Just "Hello world!"
In the above example, the sender of the box is anonymous without a keypair, and attempting to open it with a value other than Nothing as the sender key will error. When the sender is anonymous, they are identified only by a short-term ephemeral key, which is used once for the corresponding box and then discarded.
Once you have encrypted a value using seal, it can only be decrypted by the receiving party with the secret key. This property means that boxes are forward secret: once you are done creating them and have 'forgotten' the message, you (the sender) cannot recover it. Furthermore, boxes are deniable: a recipient of a box can authenticate the sender, but cannot produce signed evidence binding the sender to anything, because the authentication is a MAC under a key the recipient also holds rather than a signature. Finally, boxes do not produce any evidence of who created them or who the receiver is, and resist tampering with a strong MAC.
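An added example, not taken from the noise package's own tutorial, that exercises the Box API described above end to end: it assumes createKeypair, seal and open live in the module Crypto.Noise.Box with the shapes the tutorial implies (seal in IO, open returning Maybe), and shows the open succeeding with the correct keys, failing when the wrong sender key is named, failing on a tampered box, and the anonymous variant opened with Nothing.

```haskell
-- Added example; not part of the noise package's tutorial. Assumed signatures:
--   createKeypair :: IO (PublicKey, SecretKey)
--   seal :: Maybe (PublicKey, SecretKey) -> PublicKey -> Int -> ByteString -> IO ByteString
--   open :: SecretKey -> Maybe PublicKey -> ByteString -> Maybe ByteString
module Main where

import Crypto.Noise.Box (createKeypair, seal, open)   -- assumed module path
import Data.ByteString.Char8 (pack, unpack)
import qualified Data.ByteString as B
import Data.Bits (xor)

main :: IO ()
main = do
  sender@(senderPK, _)      <- createKeypair
  (receiverPK, receiverSK)  <- createKeypair
  (impostorPK, _)           <- createKeypair   -- a third party, not the real sender

  -- 32 bytes of random padding hide the true plaintext length from observers.
  b <- seal (Just sender) receiverPK 32 (pack "Hello world!")

  -- 1. The intended receiver, naming the real sender, recovers the message.
  report "correct keys"     (open receiverSK (Just senderPK) b)

  -- 2. Naming a different sender fails: the authentication is bound to senderPK.
  report "wrong sender key" (open receiverSK (Just impostorPK) b)

  -- 3. Any modification of the box (here every byte is flipped) is caught by its MAC.
  let tampered = B.map (`xor` 0x01) b
  report "tampered box"     (open receiverSK (Just senderPK) tampered)

  -- 4. An anonymous box carries no long-term sender key, so it is opened with Nothing.
  anon <- seal Nothing receiverPK 32 (pack "Hello world!")
  report "anonymous box"    (open receiverSK Nothing anon)

-- Print whether open succeeded; Nothing means authentication or integrity failed.
report :: String -> Maybe B.ByteString -> IO ()
report label Nothing  = putStrLn (label ++ ": open failed (Nothing)")
report label (Just m) = putStrLn (label ++ ": " ++ unpack m)
```

Cases 2 and 3 are the properties the text states (wrong sender and tampering both yield failure); only the receiver's secret key can open either box, so the padding and the sender's anonymity are never revealed to anyone else.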

UPK-2 - Russian Shotgun slug that destroys nearly everything

Xirance - Taser X12 Less Lethal Shotgun

The new Extended Range Electronic Projectile (XREP) is launched from a standard 12-gauge shotgun platform and is the first wireless TASER device