Thursday, November 2, 2017

Ok....no bullshit...no easy stuff...on the bootloader

Finding the Encryption Key

Now that we have our traces, we can go ahead and perform the attack. As described in the background theory, we'll have to do two attacks - one to get the 14th round key, and another (using the first result) to get the 13th round key. Then, we'll do some post-processing to finally get the 256 bit encryption key.

14th Round Key

We can attack the 14th round key with a standard, no-frills CPA attack:
  1. Open the ChipWhisperer Analyzer program and load the .cwp file with the 13th and 14th round traces. This can be either the aes256_round1413_key0_100.cwp file downloaded or the capture you performed.
  2. View and manipulate the trace data with the following steps:
    1. Switch to the Trace Output Plot tab
    2. Switch to the Results parameter setting tab
    3. Choose the traces to be plotted and press the Redraw button to draw them
    4. Right-click on the waveform to change options, or left-click and drag to zoom
    5. Use the toolbar to quickly reset the zoom back to original
      Notice that the traces are synchronized for the first 7000 samples, but become unsynchronized later. This fact will be important later in the tutorial.
  3. Set up the attack in the Attack settings tab:
    1. Leave the Crypto Algorithm set to AES-128. (Remember that we're applying the AES-128 attack to half of the AES-256 key!)
    2. Change the Leakage Model to HW: AES Inv SBox Output, First Round (Dec).
    3. If you're finding the attack very slow, narrow down the attack a bit. Normally, this requires a bit of investigation to determine which ranges of the trace are important. Here, you can use the range from 2900 to 4200. The default settings will also work fine!
  4. Note that we do not know the secret encryption key, so we cannot highlight the correct key automatically. If you want to fix this, the Results settings tab has a Highlighted Key setting. Change this to Override mode and enter the key ea 79 79 20 c8 71 44 7d 46 62 5f 51 85 c1 3b cb.
  5. Finally, run the attack by switching to the Results Table tab and then hitting the Attack button.
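To make the "HW: AES Inv SBox Output, First Round (Dec)" leakage model and the CPA ranking concrete, here is an added example in pure Python (not ChipWhisperer's own code): it builds the AES inverse S-box, constructs synthetic traces in which each byte of the first-round InvSubBytes output leaks its Hamming weight at a fixed sample, and then ranks all 256 guesses per key byte by peak correlation, the same computation the Analyzer runs over the real .cwp traces. The trace data, the noise level, the sample positions and the use of the tutorial's highlighted key as the simulated 14th round key are all assumptions made for the demo; only the leakage model and the correlation step mirror the attack settings above.

```python
import operator
import random

def _gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _build_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s, r = inv, inv
        for _ in range(4):          # r = inv ^ rotl1(inv) ^ rotl2(inv) ^ rotl3(inv) ^ rotl4(inv)
            s = ((s << 1) | (s >> 7)) & 0xFF
            r ^= s
        sbox[x] = r ^ 0x63
    return sbox

SBOX = _build_sbox()
INV_SBOX = [0] * 256
for _x, _v in enumerate(SBOX):
    INV_SBOX[_v] = _x
HW = [bin(v).count("1") for v in range(256)]

def leakage_model(ct_byte, key_guess):
    """'HW: AES Inv SBox Output, First Round (Dec)': decryption starts with
    AddRoundKey(k14) then InvSubBytes, so the byte leaks HW(inv_sbox[ct ^ k14])."""
    return HW[INV_SBOX[ct_byte ^ key_guess]]

def simulate_traces(round_key, n_traces, n_samples=24, noise=0.6, seed=1):
    """Constructed synthetic traces (not a real capture): byte i of the inverse
    S-box output leaks at sample 8 + i; every other sample is Gaussian noise."""
    rng = random.Random(seed)
    ciphertexts, traces = [], []
    for _ in range(n_traces):
        ct = bytes(rng.randrange(256) for _ in range(16))
        trace = [rng.gauss(0.0, noise) for _ in range(n_samples)]
        for i in range(16):
            trace[8 + i] += leakage_model(ct[i], round_key[i])
        ciphertexts.append(ct)
        traces.append(trace)
    return ciphertexts, traces

def cpa_byte(ciphertexts, traces, byte_index, sample_range=None):
    """Rank the 256 guesses for one key byte by max |Pearson correlation| over the
    chosen sample window (the 'narrow down the attack' setting). Best guess first."""
    n = len(traces)
    lo, hi = sample_range or (0, len(traces[0]))
    cols = []                                   # centre each sample column once
    for j in range(lo, hi):
        col = [t[j] for t in traces]
        mean = sum(col) / n
        centred = [v - mean for v in col]
        cols.append((centred, sum(v * v for v in centred) ** 0.5))
    ct_bytes = [ct[byte_index] for ct in ciphertexts]
    scores = []
    for guess in range(256):
        hyp = [leakage_model(c, guess) for c in ct_bytes]
        mean = sum(hyp) / n
        hc = [h - mean for h in hyp]
        hnorm = sum(h * h for h in hc) ** 0.5
        best = 0.0
        if hnorm > 0:
            for centred, cnorm in cols:
                if cnorm > 0:
                    r = abs(sum(map(operator.mul, hc, centred))) / (hnorm * cnorm)
                    best = max(best, r)
        scores.append((guess, best))
    scores.sort(key=lambda s: s[1], reverse=True)
    return scores

def recover_round_key(ciphertexts, traces, sample_range=None):
    """Top-ranked guess for each of the 16 bytes, i.e. the recovered round key."""
    return bytes(cpa_byte(ciphertexts, traces, i, sample_range)[0][0] for i in range(16))

if __name__ == "__main__":
    # The tutorial's highlighted key, used here only as the simulated 14th round key.
    key14 = bytes.fromhex("ea797920c871447d46625f5185c13bcb")
    cts, trs = simulate_traces(key14, 60)
    print(recover_round_key(cts, trs).hex())
```

The synthetic traces are perfectly aligned, which is why the whole window works here; the tutorial's remark that real traces lose synchronisation after roughly sample 7000 is exactly the case where restricting `sample_range` to the aligned region (2900 to 4200 in the tutorial) keeps the correlation peak from being smeared. The 13th round attack reuses the same ranking, but its hypothesis must be built from the state after the 14th round, which is why it needs the first result.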

We have the Russians' intel work about the NSA! Godsurge

The closest I can get for software is... silentbreaksec/Throwback... HTTP/S Beaconing Implant

Throwback

HTTP/S Beaconing Implant
  1. Run the python script to encode strings: python tbManger.py encode http://mydomain.com/index.php
http://mydomain.com/index.php -> {57,37,37,33,107,126,126,60,40,53,62,60,48,56,63,127,50,62,60,126,56,63,53,52,41,127,33,57,33}
Note: Don't forget to add ,-1 to the end of the integer array for an LP. So the above would become:
{57,37,37,33,107,126,126,60,40,53,62,60,48,56,63,127,50,62,60,126,56,63,53,52,41,127,33,57,33,-1}
  2. Update DNSARRAY to reflect the number of LPs listed in the DNSCODE array.
  3. Compile!
  4. Setup ThrowbackLP.
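For an analyst who pulls such an integer array out of a sample and wants the listening post back, here is an added decoder (not part of the Throwback project): it parses the C initializer, honours the `-1` terminator, and recovers the encoding from the README's own example pair. Comparing each plaintext byte with its encoded value in that pair gives the same single-byte XOR key, 0x51, at every position; treating the scheme as a single-byte XOR is therefore an inference from the page's example, not something documented above.

```python
import re

XOR_KEY = 0x51  # inferred from the README example pair; assumed to be a single-byte XOR

def parse_c_array(text):
    """Turn a C initializer such as '{57,37,...,-1}' into a list of ints."""
    return [int(tok) for tok in re.findall(r"-?\d+", text)]

def recover_xor_key(plain, encoded):
    """Derive the single XOR key byte from a known plaintext/encoded pair.
    Raises if one key byte does not explain every position."""
    keys = {p ^ e for p, e in zip(plain.encode("ascii"), encoded)}
    if len(keys) != 1:
        raise ValueError("not a single-byte XOR encoding, candidates: %r" % sorted(keys))
    return keys.pop()

def decode_lp_array(values, key=XOR_KEY):
    """Decode an LP integer array back to its URL; -1 marks the end of the string."""
    out = []
    for v in values:
        if v == -1:
            break
        if not 0 <= v <= 255:
            raise ValueError("value %d is not a byte" % v)
        out.append(chr(v ^ key))
    return "".join(out)

def decode_lp_list(text, key=XOR_KEY):
    """Decode a DNSCODE-style initializer holding several -1 terminated LPs."""
    lps, current = [], []
    for v in parse_c_array(text):
        if v == -1:
            lps.append("".join(current))
            current = []
        else:
            current.append(chr(v ^ key))
    if current:                      # tolerate a missing final terminator
        lps.append("".join(current))
    return lps

if __name__ == "__main__":
    # Constructed input: the README's example array with its ,-1 terminator appended.
    example = ("{57,37,37,33,107,126,126,60,40,53,62,60,48,56,63,127,"
               "50,62,60,126,56,63,53,52,41,127,33,57,33,-1}")
    print(decode_lp_array(parse_c_array(example)))
```

`recover_xor_key` is the check worth running before trusting the decoder on a new sample: if a later build changed the obfuscation, the known-plaintext comparison stops yielding one key byte and the function refuses rather than emitting garbage.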

Godsurge is a physical device plugged in to the Joint Test Action Group (JTAG) headers on a system's motherboard. ....NSA implants...watchdog running off an integrated RC oscillator, presenting a Microchip AT91SAM7X128C-AU, 32-bit ARM microcontroller, 30 MHz, 128 kB Flash, 100-pin LQFP

Wednesday, November 1, 2017

And about the rubber ducky, from yesterday (?).

YARD Stick One is available from:
YARD Stick One (Yet Another Radio Dongle) can transmit or receive digital wireless signals at frequencies below 1 GHz. It uses the same radio circuit as the popular IM-Me. The radio functions that are possible by customizing IM-Me firmware are now at your fingertips when you attach YARD Stick One to a computer via USB.
Capabilities:
  • half-duplex transmit and receive
  • official operating frequencies: 300-348 MHz, 391-464 MHz, and 782-928 MHz
  • unofficial operating frequencies: 281-361 MHz, 378-481 MHz, and 749-962 MHz
  • modulations: ASK, OOK, GFSK, 2-FSK, 4-FSK, MSK
  • data rates up to 500 kbps
  • Full-Speed USB 2.0
(Official operating frequencies are guaranteed to work. Unofficial operating frequencies work in our experience.)
YARD Stick One comes with RfCat firmware installed, courtesy of atlas. RfCat allows you to control the wireless transceiver from an interactive Python shell or your own program running on your computer. YARD Stick One also has CC Bootloader installed, so you can upgrade RFCat or install your own firmware without any additional programming hardware. An antenna is not included. ANT500 is recommended as a starter antenna for YARD Stick One.
Originally based on the ToorCon 14 Badge design, YARD Stick One has several features not previously seen in CC1111 platforms:
  • SMA connector for external antennas such as ANT500
  • receive amplifier for improved sensitivity
  • transmit amplifier for higher output power
  • strong RF performance across the entire operating frequency range
  • low pass filter for elimination of harmonics when operating in the 800 and 900 MHz bands
  • antenna port power control for compatibility with antenna port accessories designed for HackRF One
  • GoodFET-compatible expansion and programming header
  • GIMME-compatible programming test points

technical information

For documentation and open source design files, visit the project wiki.

getting help

For assistance with YARD Stick One and RfCat usage or development, please subscribe to the YARDStick mailing list. This is the preferred place to ask questions so that others may locate the answer to your question in the list archives in the future. Additionally, you may want to join us in the #rfcat IRC channel on freenode.

aIR-Jumper: Covert Air-Gap Exfiltration/Infiltration via Security Cameras & Infrared (IR)

Which is an app: PandwaRF is an RF analysis tool with a sub-1 GHz wireless transceiver controlled by a smartphone or a PC. Its purpose is to capture, display & transmit RF data very easily. It can be connected to an Android smartphone using BLE or USB, and to Linux using USB. It is based on the well-known RfCat & Yard Stick One tools with the Texas Instruments CC1111 RF transceiver, but with a lot of new features, making PandwaRF the perfect portable RF analysis tool.

So here it is, the next delivery on the global market: WICED (the GitHub code previously posted) by Cypress, acquired from Broadcom's IoT business... for 550 million... (see next post)


My wild guess for the embedded software is wiced-emw3165; for this electronic board we're talking about support for various MCU host platforms: ST Microelectronics STM32F2xx (in this case STM32F7). The great thing about this is the Wi-Fi & Bluetooth SmartBridge features: authenticate to Wi-Fi access points with the following security types: Open, WEP-40, WEP-104, WPA (AES & TKIP), WPA2 (AES, TKIP & Mixed mode)

The WICED SDK provides a full complement of application level APIs, 
libraries and tools needed to design & implement secure embedded wireless
networking applications. 

Major features of the WICED SDK include ...
  - Low-footprint embedded Wi-Fi Driver with Client (STA), softAP and Wi-Fi Direct
  - Wi-Fi <-> Bluetooth SmartBridge 
  - Various RTOS/TCP stack options including
    - ThreadX/NetX (IPv4), ThreadX/NetX Duo (IPv6), FreeRTOS/LwIP (IPv4)
  - Support for various Broadcom Wi-Fi & combo chips
    - BCM4390 Integrated Apps + Wi-Fi SoC
    - BCM43909 Integrated Apps + Wi-Fi SoC
    - BCM43362 Wi-Fi SoC
    - BCM43364 Wi-Fi SoC
    - BCM43341 Wi-Fi SoC
    - BCM43438 Wi-Fi SoC
    - BCM43341 Wi-Fi + Bluetooth combo SoC
  - Support for various MCU host platforms
    - ST Microelectronics : STM32F2xx, STM32F4xx
    - Atmel : AT91SAM4S16B
    - Freescale : K61
    - NXP : LPC17xx, LPC18xx
  - RTOS & Network abstraction layer with a simple API for UDP, TCP, HTTP, HTTPS communications
  - SSL/TLS Security Library integrated with an HTTPS library for secure web transactions
  - WICED Application Framework including Bootloader, OTA Upgrade and Factory Reset
  - Automated Wi-Fi Easy Setup using one of several methods
    - SoftAP & Secure HTTP server
    - Wi-Fi Protected Setup
    - Apple Wireless Accessory Configuration (WAC) Protocol
  - Simple API to provide access to MCU peripherals including UART, SPI, I2C, Timers, RTC, ADCs, DACs, etc
  - Support for multiple toolchains including GNU and IAR
  - Support for Apple AirPlay and HomeKit
 
The WICED SDK release is structured as follows:
  apps          : Example & Test Applications
  doc           : API & Reference Documentation
  include       : WICED API, constants, and defaults 
  libraries     : Bluetooth, daemons, drivers, file systems, inputs, and protocols
  platforms     : Evaluation board support package, including Eval Board and Module Schematics
  resources     : Binary and text based objects including scripts, images, and certificates
  tools         : Build tools, compilers, debugger, makefiles, programming tools etc.
  tools/drivers : Drivers for WICED evaluation boards
  WICED         : WICED core components (RTOS, Network Stack, Wi-Fi Driver, Security & Platform libraries)
  WICED/WWD     : The WICED Wi-Fi Driver (equivalent to the Wiced directory in previous SDK-1.x releases) 
  README.txt    : This file
  CHANGELOG.txt : A log of changes for each SDK revision
 
to compile, download and run the Wi-Fi scan application on the Broadcom BCM943362WCD4 evaluation platform, 
enter the following text on a command line (a period character is used to reference applications 
in sub-directories) :
$> make snip.scan-BCM943362WCD4 download run

The default RTOS and Network Stack components are defined in the WICED configuration makefile  
at /tools/makefiles/wiced_config.mk. The default I/O bus component is defined in the platform
makefile at /platforms//.mk. Defaults may be bypassed by specifying the 
component as part of the build string if desired as shown in the following example.
$> make snip.scan-BCM943362WCD4-FreeRTOS-LwIP-SDIO download run
       
Source code, headers and reference information for supported platforms are available 
in the /platforms directory. Source code, headers, linker scripts etc that 
are common to all platforms are available in the /WICED/platform directory.


Supported Features
---------------------------------------------------------------------
Wi-Fi & Bluetooth SmartBridge Features
 * Scan and associate to Wi-Fi access points
 * Authenticate to Wi-Fi Access Points with the following security types:
   Open, WEP-40, WEP-104, WPA (AES & TKIP), WPA2 (AES, TKIP & Mixed mode)
 * AP mode with support for security types : Open, WPA, WPA2
 * Concurrent AP & STA mode (AP mode limited to 3 concurrent connected clients)
 * Wi-Fi Direct
 * WPS 1.0 & 2.0 Enrollee & Registrar (Internal Registrar only)
 * Wi-Fi APIs : Network keep alive, packet filters
 * Host <-> Wi-Fi SDIO & SPI interface
 * Bluetooth SmartBridge with multiple connections including the
   following features: Whitelist, Bond Storage, Attribute Caching, 
   GATT Procedures, Configurable Maximum Concurrent Connections, Directed 
   Advertisements, Device address initialisation, Passkey entry
 * Host <-> Wi-Fi via Memory to Memory DMA engine

Bluetooth Features
 * A2DP v1.2 (Advanced Audio Distribution Profile)
   - A2DP Sink Functionality
   - SBC Decoder
 * AVRCP (Audio/Video Remote Control Profile)
   - AVRCP Controller v1.0
   - AVRCP Target v1.4 (Absolute Volume)
 * Handsfree profile (Handsfree role)
   - HFP v1.6
   - Accept/Reject/End incoming call
   - Outgoing call – Last number dial
   - Support for inband ringtone
   - Two-way calling
   - Caller-ID support
 * Man-Machine-Interface via buttons
   - AVRCP play/pause/Skip-forward/Skip-backward
   - A2DP Volume Up/Down
   - Connect to previously connected device
   - HFP Accept/Reject/End incoming call and Last number dial
 * SDAP (Service Discovery Application Profile)
 * GAP (Generic Access Profile)

RTOS & Network Stack Support
 * FreeRTOS / LwIP    (full source)
 * ThreadX  / NetX    (object file; free for use with WICED *ONLY*)
 * ThreadX  / NetXDuo (object file; free for use with WICED *ONLY*)

Networking Features (IPv4 & IPv6)
 * ICMP (Ping)
 * ARP
 * TCP
 * UDP 
 * IGMP (Multicast)
 * IPv6 NDP, Multicast
 * DHCP (Client & Server)
 * DNS (Client & Redirect Server)
 * mDNS/DNS-SD Zeroconf Network Discovery (Broadcom Gedday)
 * TLS1.0/1.1/1.2 (object file with host abstraction layer; free for use with WICED *ONLY*)
 * HTTP / HTTPS (Client & Server)
 * SNTP
 * SMTP

Application Features
 * Apple AirPlay (requires Apple authentication co-processor; available to Apple MFi licensees *ONLY*) 
 * Apple HomeKit (available to Apple MFi licensees *ONLY*)
 * Bluetooth Audio
 * Peripheral interfaces
   * GPIO
   * Timer / PWM
   * UART
   * SPI
   * I2C
   * RTC (Real Time Clock)
 * Xively "Internet of Things" protocol

 * WICED Application Framework
   * Bootloader
   * Device Configuration Table (region in flash to store AP, security credentials, TLS certs, serial number, Wi-Fi country code, etc)
   * OTA upgrade
   * Factory reset
   * Automated configuration via softAP & webserver
   * Apple Wireless Accessory Configuration (WAC) protocol (available to Apple MFi licensees *ONLY*)
   * System Monitor to manage the watchdog

Toolchains
 * GNU make
 * IAR

Hardware Platforms
 BCM43362
   * BCM943362WCD4  : Broadcom WICED Module with STM32F205 MCU mounted on BCM9WCD1EVAL1
   * BCM943362WCD6  : Broadcom WICED Module with STM32F415 MCU mounted on BCM9WCD1EVAL1
   * BCM943362WCD8  : Broadcom WICED Module with Atmel SAM4S16B MCU mounted on BCM9WCD1EVAL1
   * BCM9WCDPLUS114 : WICED+ Eval Board (includes BCM43362+STM32F205 WICED+ Module and BCM20702 Bluetooth module)
   * BCM9WCD1AUDIO  : Broadcom WICED Audio Evaluation Board (includes BCM43362, STM32F415, WM8533 audio DAC, and BCM20702 Bluetooth module)
 BCM943364
   * BCM943364WCD1  : Broadcom WICED Module with STM32F215 MCU mounted on BCM9WCD1EVAL1
   * BCM943364WCDA  : Broadcom WICED Module with Atmel SAM4S16B MCU mounted on BCM9WCD1EVAL1
 BCM943341
   * BCM943341WCD1  : Broadcom BCM43341-based WICED Module with STM32F417 MCU mounted on BCM9WCD5EVAL1
 BCM4390
   * BCM94390WCD2   : Broadcom BCM4390 SiP-based WICED Module on BCM9WCD3EVAL1
 BCM43909
   * BCM943909WCD1  : Broadcom BCM43909 SiP-based WICED Module on BCM943909WCDEVAL_1
https://github.com/kamejoko80/wiced-emw3165