Monday, December 8, 2014

SMH here , guess who i mean what << Tracking Android Phones [NO APP] (part 1)

So today I got a rather exciting email: someone (not a regular client, and they still state I shouldn't disclose their identity) actually gave me consent to publish my methods (per se).

Now here's the conundrum: police shoot down a robber and can't question him, especially on where his other pals are, his locations and so on. So who do they call? :) Regular old* me. Why can't they get all this information from a mobile service provider? Well, apparently it takes time, and that's what they want to save on.

So:
Challenge > Track a victim's location/hideout/commonly visited places (without the target moving with the phone, while having the target's phone) << well, this was going to be fun, and probably difficult, noting that this was not GPS and no GPS app was running on the Android phone, so... here we go.

The advantage is I had the victim's phone, though this was just the tip of the iceberg.

So what do we have to do?

Track a phone with no tracking application, and without moving around with it.

So, googling my ass off, I came across a method Google/Android uses to find the location of a user, especially when searching for content using the Android OS. This API is not known to many, even the documentation is a little frail, and it is also quite confidential. So reverse engineer it? (Too much work, too little time.)

So while googling I came across this useful piece of info: some logs are kept on the phone that just require a little tweaking to show quite a lot :) so I went at it. Here are some from my phone:



The next commands are easier to run from a computer's console via adb. Here they are:

# cd /dev/log ; for f in *; do logcat -b "$f" -g; done

# hexdump -C radio | head

# logcat -v time -b radio -d -s RILJ:D

Now, I will break these commands down for you later, but for now: we managed to get LACs from the 3rd command. A LAC is a mapping coordinate for BTSs and is unique for every BTS; just as a cell phone has its unique MSISDN, a BTS has the following: MCC, MNC, LAC and CID :)

Now for a small show of what we have (this image is borrowed; the real images will be uploaded pending finalizing of the criminal activity burst).

So, in the next part, I will show you how to map these locations with affordable equipment :)
In the meantime :) have more fun. Source of reference, by the way: "Cheap mans GPS"
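
For an examiner working on a handset they hold, the output of the third command can be reduced to a serving-cell timeline. The following is an added example, not part of the original post: the log-line layout and the sample lines are constructed, modelled on Android 4.x RILJ responses with LAC and CID reported as hex strings, and the function names are illustrative.

```python
import re

# Assumed layout of `logcat -v time -b radio -d -s RILJ:D` response lines,
# modelled on Android 4.x; other releases and vendor RILs differ.
RESPONSE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) D/RILJ\s*\(\s*\d+\): "
    r"\[\d+\]< (?P<req>\w+) \{(?P<body>.*)\}$"
)
REGISTRATION = {"REGISTRATION_STATE", "VOICE_REGISTRATION_STATE"}
REGISTERED = {"1", "5"}      # 1 = registered on home network, 5 = roaming


def parse_cells(lines):
    """Return one record per consecutive stay on a serving cell, in log order."""
    timeline, plmn = [], None
    for line in lines:
        m = RESPONSE.match(line.strip())
        if not m:
            continue                     # requests, other tags, damaged lines
        fields = [f.strip() for f in m["body"].split(",")]
        if m["req"] == "OPERATOR":
            numeric = fields[2] if len(fields) >= 3 else ""
            if numeric.isdigit() and len(numeric) in (5, 6):
                plmn = (numeric[:3], numeric[3:])        # (MCC, MNC)
                for rec in timeline:     # backfill stays logged before OPERATOR
                    if rec["plmn"] is None:
                        rec["plmn"] = plmn
            continue
        if m["req"] not in REGISTRATION or len(fields) < 3:
            continue
        if fields[0] not in REGISTERED:
            continue                     # searching or denied: no serving cell
        try:
            lac, cid = int(fields[1], 16), int(fields[2], 16)
        except ValueError:
            continue                     # "null" where a hex value was expected
        last = timeline[-1] if timeline else None
        if last and (last["lac"], last["cid"]) == (lac, cid):
            last["last_seen"] = m["ts"]  # still on the same cell: extend the stay
            last["samples"] += 1
        else:
            timeline.append({"first_seen": m["ts"], "last_seen": m["ts"],
                             "plmn": plmn, "lac": lac, "cid": cid, "samples": 1})
    return timeline


def rank_cells(timeline):
    """Rank (LAC, CID) pairs by how many registration reports named them."""
    totals = {}
    for rec in timeline:
        key = (rec["lac"], rec["cid"])
        totals[key] = totals.get(key, 0) + rec["samples"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample lines (test PLMN 001/01), not taken from a real device.
SAMPLE_LOG = """\
12-08 09:14:02.311 D/RILJ    (  612): [4101]> VOICE_REGISTRATION_STATE
12-08 09:14:02.329 D/RILJ    (  612): [4101]< VOICE_REGISTRATION_STATE {1, 0b54, 00a3c1f2, 3, null, null}
12-08 09:14:02.340 D/RILJ    (  612): [4102]< OPERATOR {ExampleNet, ExNet, 00101}
12-08 09:31:47.902 D/RILJ    (  612): [4188]< VOICE_REGISTRATION_STATE {1, 0b54, 00a3c1f2, 3, null, null}
12-08 10:05:13.118 D/RILJ    (  612): [4260]< VOICE_REGISTRATION_STATE {1, 0b54, 00a3c207, 3, null, null}
12-08 10:05:59.004 D/RILJ    (  612): [4263]< VOICE_REGISTRATION_STATE {2, null, null, 0, null, null}
12-08 10:06:20.650 D/RILJ    (  612): [4270]< VOICE_REGISTRATION_STATE {1, 0b55, 0001d4e0, 3, null, null}
12-08 11:42:08.775 D/RILJ    (  612): [4391]< VOICE_REGISTRATION_STATE {1, 0b54, 00a3c1f2, 3, null, null}
"""

if __name__ == "__main__":
    for rec in parse_cells(SAMPLE_LOG.splitlines()):
        print(rec)
    print(rank_cells(parse_cells(SAMPLE_LOG.splitlines())))
```

The radio buffer is a small ring, so the timeline only reaches back as far as the buffer has not yet been overwritten.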

Tuesday, December 2, 2014

GSM Hacking Tools {arg: Voice and SMS}

Hacking GSM and phones in general is my passion, and most of all fixing the issues posed is an even better indulgence for my company and me. So here is a set of tools to do recon, capture voice/SMS data from the Um (air interface: BTS and phone), break the encryption used (A5/1, used by around 80% of telcos in the world) and passively listen to someone's conversations... so enough chit chatter, here are the sources. (P.S. this was an outdated project that I took it upon myself to continue, as the project masters gave up on it :( ... however, I am hoping to integrate it into my OS (typhon), which includes a full RF hacking and research tool kit.)

This is the structure of the tool's attack method:




The above setup allows 8-channel sniffing and will cost around 400 USD. This is a passive GSM sniffer and should be used only in a controlled environment. The tool includes an optimized keystream guesser “napalmex” (peaking at 99% success rate on insecure networks and with approx. 50% success rate even on secured networks). Now, again, enough chit chatter.

Here is the GitHub source page: typhon-vx

So, the setup procedure:

***

 What you will need

  + A recent Linux distribution (tested Debian Wheezy and Fedora on x86 and amd64)
  + An osmocom-compatible phone (Motorola Cxxx) or modem (openmoko/freerunner) and serial interface to it
  + Wireshark 1.8.0 or newer
  + ~600 MB of disk space
  + some good skills

It would be nice to have
  + More phones
  + Uplink filters removed
   Phones have a bandpass filter, so they don't receive uplink well (only 10-30m).
    http://bb.osmocom.org/trac/wiki/Hardware/FilterReplacement or here
  + Access to a fast A5/1 cracker (demand 1s/burst throughput and 10s latency :)
    It is possible to do some work on desktop with 2TB harddrive, but it's extremely slow.
  + Genuine brmbora™ hardware with Next-Business-Day support (or a typhon-Box << coming soon)

The compilation of all sources will take several minutes on a modern Core i* computer or 2 hours on Intel Atom netbook.

***

 OsmocomBB firmware

http://bb.osmocom.org/trac/wiki/GettingStarted

  + Install ARM toolchain. The phone is an arm, so we will cross-compile on our x86.
  + git clone git://git.osmocom.org/osmocom-bb.git
  + git checkout sylvain/burst_ind
    this branch has patched DSP so it allows us to sniff traffic off-the-air
  + make

***

 Installing other tools

  + Copy mysrc/.omgsm to ~
  + edit ~/.omgsm/config and ~/.omgsm/phones
    GSMPATH=path to this
    GSMDEFSESSION=where sniffed data are stored (usually several MB per hour)
    GSMMAXCELLS=when scanning for BTS, pick N strongest
    GSMKRAKENHOST,GSMKRAKENPORT=where your A5/1 cracker lives
      they tend to listen only on localhost, so try ssh -L 6666:localhost:6666
    GSMBRMBORACTL=where brmbora™ conTROLLer is
      leave blank if you don't have a brmbora™ genuine device and order one at shop.brmlab.cz
    GSMSESSION=current session, will be set automatically on first run
  + cd mysrc; make
  + Kraken will tell you the secret state at some round of A5/1 keystream generator. You need something to backclock (revert and extract original key) the cipher. Use find_kc from Kraken-Utilities patched with our version to support uplink.
    git clone git://git.srlabs.de/kraken.git
    cd kraken/Utilities
    cp mysrc/find_kc.cpp .
    make find_kc
    deposit the binary to GSMPATH/kraken/Utilities/

***

 Initializing hardware

Check scripts in bin/
  + gsm_init_hw.sh
  + Without a brmbora™ genuine device you need to press button on your phone.
  + You should see the firmware loading. The correct output should have the following features:
     Received PROMPT1 from phone, responding with CMD
     read_file(../../target/firmware/board/compal_e88/hello_world.compalram.bin): file_size=27192, hdr_len=4, dnload_len=27199
     Received PROMPT2 from phone, starting download
     handle_write(): finished
     Received DOWNLOAD ACK from phone, your code is running now!
     LOST nnnn!
    If it got stuck before the "LOST" message, try again. Contact your brmbora™ authorized reseller in case of problems.

***

 Initiating a new session, scanning BTS

  + gsm_bts_scan.sh

***

 Investigating the SESSION directory

arfcn    - what channels we will sniff on
new/     - captured data
tmsi2bursts.txt - phones seen on air and their data

***

 Start sniffing

gsm_start_sniff.sh

Some .dat files should appear in SESSION/new/. They are usually 5-15 kB each.

FIXME We now have better sniffer using master-slave architecture useful if you have 4+ phones. See bin/gsm_spawn_master_slave.sh for more info.

***

 Viewing sniffed data with Wireshark

iptables -A INPUT -p UDP --dport 4729 -j DROP
# we will send dummy packets and kernel will reply with ICMP port unreachable

start Wireshark on localhost

gsm_convert -f SESSION/new/file-to-view.dat -d
will convert data to GSMTAP frames and send them to Wireshark

Some packets should appear in Wireshark: http://bb.osmocom.org/trac/wiki/WiresharkIntegration

***

 Cracking your own data from your very own phone of course!

Use napalmex.py for a statistical keystream guesser with up to 100% efficiency on less-secure networks and ability to crack about 50% of traffic even on secure networks!

***

 Viewing cracked data

start Wireshark on localhost

gsm_convert -f SESSION/new/file-to-view.dat -k KEY

Interesting .dat files are the bigger ones (10kB). Interesting frames are "GSM-SMS CP-DATA".
See gsm_evenlog.sh for tips how to extract phone numbers, SMS messages etc.
See this link for guessing which types of communication are in the file even before it is cracked:
http://jenda.hrach.eu/brm/sms_analysis.png
P.S. An acknowledgment to the original creators at brmlab; kindly check out their superb projects. P.P.S. Modify it all you can :)

Monday, November 17, 2014

BINARY SMSs [PART 2] that cool thing you didn't know SMSs could do

Find the XML structure of the message to be sent


Here’s a sample one, I will add the references on how to find the basic XML structure and where to find them,

<?xml version="1.0"?>
<!DOCTYPE si PUBLIC "-//WAPFORUM//DTD SI 1.0//EN" "http://www.wapforum.org/DTD/si.dtd">
<si>
<indication href="http://blog.0x7678.com/" si-id="bin">
hack random
</indication>
</si>


Now to convert to WBXML

HexCode                                               Meaning
02                                                    WBXML Version 1.2
05                                                    SI 1.0 Public Identifier
6A                                                    Charset UTF-8
00                                                    String table length = 0
45                                                    <SI>
C6                                                    <indication>
0C                                                    href="http://
03                                                    String starts
* 7777772E6465762E6D6F62692F69735F66756E2E68746D6C    www.0x7678.com
00                                                    String ends
07                                                    Action attribute (signal – medium)
01                                                    End of attributes, now the content
03                                                    String starts
* 446576446F744D6F62692069732046756E2021              hack random
00                                                    String ends
01                                                    </indication>
01                                                    </SI>

* These are strings used to pass contents to the SI, each character in the string is converted to its hexadecimal representation.
** “6532” is to be considered a string of characters and not a number, so don’t use the calculator to convert this number

Our body is, putting all the numbers together:

02056A0045C60C037777772E6465762E6D6F62692F69735F66756E2E68746D6C0011033635333200070103446576446F744D6F62692069732046756E2021000101

(which is 130 chars)


PREPARE THE UDH
Preparing the UDH is pretty easy. Just start with “06 05 04” and then add the port numbers. E.g. WAP push messages use “destination port” 2948, while the source port is 9200. Convert the decimal port numbers to hexadecimal format, so 2948 becomes 0B84 and 9200 becomes 23F0. Magically, the UDH is: 06 05 04 0B 84 23 F0

SEND THE SMS AND THE UDH

Now, what you need to do with this? Pretty simple, just put everything together and the SMS is ready to be sent.

                                    <UDH> + <BODY>

UDH: 06 05 04 0B 84 23 F0
BODY: 02056A0045C60C037777772E6465762E6D6F62692F69735F66756E2E68746D6C0011033635333200070103446576446F744D6F62692069732046756E2021000101
The complete message is then:
0605040B8423F002056A0045C60C037777772E6465762E6D6F62692F69735F66756E2E68746D6C0011033635333200070103446576446F744D6F62692069732046756E2021000101
Which is 137 chars long (hey, it’s a binary SMS, and my favorite language Java uses UTF-8 encoding for binary messages, so the limit for 1 SMS is 140 chars, aren’t we cool?)

For now that’s what I will teach; this, however, is the beginning of something bigger, such as the OpenBTS I am optimizing by adding binary SMS support.

NB: the above WBXML is only an example; the converted WBXML is not as on my blog (for security purposes; a link to the original document can be found from the decoded WBXML :) cheers)
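
To inspect a binary SMS like the one assembled above, this added example (not from the original post) splits the UDH from the body and decodes the WBXML Service Indication; it also covers the UDH layout walked through in Part 1. Token values follow the WAP SI 1.0 binding and the UDH element numbering of 3GPP TS 23.040; function names are illustrative, and only single-byte headers with an empty string table are handled.

```python
# Token values from the WAP Service Indication (SI 1.0) WBXML binding.
TAGS = {0x05: "si", 0x06: "indication", 0x07: "info", 0x08: "item"}
ATTR_START = {
    0x05: ("action", "signal-none"), 0x06: ("action", "signal-low"),
    0x07: ("action", "signal-medium"), 0x08: ("action", "signal-high"),
    0x09: ("action", "delete"), 0x0A: ("created", ""), 0x0B: ("href", ""),
    0x0C: ("href", "http://"), 0x0D: ("href", "http://www."),
    0x0E: ("href", "https://"), 0x0F: ("href", "https://www."),
    0x10: ("si-expires", ""), 0x11: ("si-id", ""), 0x12: ("class", ""),
}
ATTR_VALUE = {0x85: ".com/", 0x86: ".edu/", 0x87: ".net/", 0x88: ".org/"}
END, STR_I = 0x01, 0x03      # global WBXML tokens: end marker, inline string
WAP_PUSH_PORT = 2948

def parse_udh(data):
    """Split a message into (ports, user_data); ports is None without a port IE."""
    end = 1 + data[0]        # first octet counts the UDH octets that follow it
    if end > len(data):
        raise ValueError("UDH is longer than the message")
    ports, pos = None, 1
    while pos < end:         # walk the information elements (IEI, length, value)
        iei, iedl = data[pos], data[pos + 1]
        if pos + 2 + iedl > end:
            raise ValueError("information element runs past the UDH")
        if iei == 0x05 and iedl == 4:   # application port addressing, 16-bit
            ports = {"dst": int.from_bytes(data[pos + 2:pos + 4], "big"),
                     "src": int.from_bytes(data[pos + 4:pos + 6], "big")}
        pos += 2 + iedl
    return ports, data[end:]

def _inline_string(buf, pos):
    """Read a NUL-terminated inline string; return (text, next position)."""
    end = buf.index(0x00, pos)          # ValueError if the terminator is missing
    return buf[pos:end].decode("utf-8"), end + 1

def _attributes(buf, pos, attrs):
    """Collect attributes into attrs up to END; return the position after END."""
    name = None
    while True:
        tok = buf[pos]
        pos += 1
        if tok == END:
            return pos
        if tok in ATTR_START:           # starts an attribute, maybe with a prefix
            name, piece = ATTR_START[tok]
            attrs[name] = ""
        elif tok == STR_I:
            piece, pos = _inline_string(buf, pos)
        elif tok in ATTR_VALUE:
            piece = ATTR_VALUE[tok]
        else:
            raise ValueError(f"unsupported attribute token 0x{tok:02X}")
        if name is None:
            raise ValueError("attribute value without an attribute name")
        attrs[name] += piece

def parse_si(body):
    """Decode a WBXML SI body; attributes of all elements share one dict."""
    version, public_id, charset, strtbl_len = body[:4]
    if (public_id, charset, strtbl_len) != (0x05, 0x6A, 0x00):
        raise ValueError("expected SI 1.0, UTF-8 and an empty string table")
    out = {"version_byte": version, "attrs": {}, "text": ""}
    pos, open_tags = 4, []
    while pos < len(body):
        tok = body[pos]
        pos += 1
        if tok == END:
            if not open_tags:
                raise ValueError("END token without an open element")
            open_tags.pop()
        elif tok == STR_I:
            text, pos = _inline_string(body, pos)
            out["text"] += text
        elif (tok & 0x3F) in TAGS:
            if tok & 0x80:              # bit 7: attributes follow the tag
                pos = _attributes(body, pos, out["attrs"])
            if tok & 0x40:              # bit 6: content follows, closed by END
                open_tags.append(TAGS[tok & 0x3F])
        else:
            raise ValueError(f"unsupported tag token 0x{tok:02X}")
    if open_tags:
        raise ValueError(f"unclosed element <{open_tags[-1]}>")
    return out

def decode_wap_push(hex_message):
    """Decode UDH + body given as hex; ValueError means a malformed message."""
    try:
        ports, body = parse_udh(bytes.fromhex(hex_message))
        si = parse_si(body)
    except IndexError:
        raise ValueError("message is truncated") from None
    is_push = ports is not None and ports["dst"] == WAP_PUSH_PORT
    return {"ports": ports, "is_wap_push": is_push, **si}

PAGE_MESSAGE = ("0605040B8423F0"   # the complete message from this post
                "02056A0045C60C037777772E6465762E6D6F62692F69735F66756E2E68746D6C00"
                "11033635333200070103446576446F744D6F62692069732046756E2021000101")
```

Calling `decode_wap_push(PAGE_MESSAGE)` returns the ports, the `href`, `si-id` and `action` attributes and the indication text, so the link a Service Indication carries can be reviewed before anything acts on it.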


Friday, November 14, 2014

BINARY SMSs >> so far this is the coolest thing since me ok or rather this security Lab [Part 1]

BINARY SMSs


Basically, SMSs are a small number of packed bytes sent over the operator networks. Many people assume that text messages are the only type of SMS that exists; well, they are just one of the many types that exist, hence the term ‘texting’.

So how do SMSs work, and what are the basic constructs of an SMS?
SMSs use the concept of ‘ports’ just as standard internet sockets do;
SMS messages have limits of 140-160 characters (depending on encoding type);
The body is not the only thing you can edit in SMSs, there’s also the UDH (User Data Header)

So :) Those Ports

Say you go to my website http://0x7678.com/: you basically called port 80 of the web server by convention. The connection will be initialized on port 80 and then switched to a higher port to let other users access the same port of the web server. Port 80, as stated by IANA, refers to the HTTP protocol; this means that a server which is able to understand HTTP protocol requests will be awakened and will be ready to answer and process HTTP requests. The same happens with SMS messages. You can send an SMS to a specific port of a phone and you will wake up a specific service on that device. Now, just as not all computers run a standard service (e.g. a web server), not all mobile devices have services listening on ports (this is manufacturer specific, so you will need to check what your phone is enabled to accept).

NOW >> BORING STUFF OUT … WE GO ON TO BINARY SMSs
OK, long story short: going through the whole bit about how SMSs work is too tedious.
But here we go...
OK, so SMSs by default use 7 bits to handle a character. This means that you can write in an SMS only characters in the basic ASCII char table, i.e. 127 characters. If you want to go on to more complex stuff and send more ‘interesting’ characters, then a group of 8 bits is needed and the table of available chars gets bigger. The available space is 1120 bits per SMS, no more, no less. You can have 160 chars using 7 bits or 140 chars using 8 bits.

NB: note this carefully: you will find these letters look alike but are very different. " É " and " È " are very, very different: the first is contained in the 7-bit basic ASCII table and the second in the 8-bit larger ‘interesting’ table, so if you use it without checking, you won't have enough space, so be very precise.

UDH (User Data Header)

The UDH is what a ‘high level developer’ can set to do something more than a simple “text message”. A UDH is very useful because you can send “invisible text messages” to mobile applications (by “mobile applications” I mean those running on mobile devices, for example) or you can tell a device that the message will contain special information. It’s very similar to an XML file: you have to tell the parser what you are sending, and the content following the prolog will be handled by the parser itself.

The UDH is mainly used to specify what ports our client (phone) will send the SMS to. It's made of a set of hex numbers which describe:

<how long the UDH is><the format used to specify ports numbers><the port number length><destination port number><source port number>

As a practical example, say I want to create a UDH to send a WAP PUSH. Where the standard destination port for WAP pushes is 2948, the UDH will be:

06 05 04 0B 84 23 F0
Where:

06 means “hey, read the following 6 bytes”
05 is the format for numbers, in this case hexadecimal numbers
04 will tell the UDH that each port is represented using 4 characters
0B84 is the destination port, 2948 (decimal representation) or 0B84 (hexadecimal representation)
23F0 is the source port, 9200 (decimal representation) or 23F0 (hexadecimal representation).

NOTE: Use a simple calculator to convert decimal numbers to hex: select “Dec”, put 2948 in the calculator, then press the button “Hex”.

NOW REALLY >> BINARY SMSs

A binary SMS is an XML-formatted textual SMS which has been transformed with WBXML (a tag transformer); this means that each XML tag has a binary byte associated with it. E.g. the tag <SI> is converted to the binary character 0x05.

When you think WHY WBXML?

WBXML transformation is smaller in the number of generated bytes than the verbose textual XML file itself.

Note: many tags are converted to bytes, but sometimes also contents (such as URL addresses), e.g. the URL http://www.0x7678.com can be written in WBXML as 0D0x7678.com, where “0D” stands for http://www.

“0C” is more generic and stands for http:// so you can write the URL in two ways.

0D0x7678.com
or
0Cwww.0x7678.com

The first uses 9 chars (0D is one byte), the second 13 chars


So far so good ….. ?

·       Decide what we want to send
·       Find the docs about that topic
·       Find the XML structure of the message to be sent
·       Customize the XML
·       Convert the XML to WBXML
·       Prepare the UDH
·       Send the UDH and the BODY

NB
Binary SMSs carry one of two indicators while being sent, either a “Service Indication <SI>” or a “Service Load <SL>”; the two differ only in that <SI> prompts the owner of the phone that content is coming through and needs to be authorized...

[Cont. in Part 2....]

Thursday, November 13, 2014

POC bypassing 2FA (2 Factor Authentication)

One thing I love about trying to secure systems is that people forget "you are as strong as your weakest link".


Today, we hack a system that has 2FA. This is where, taking Google's Gmail as an example, you would sign in using your password, and then, for extra security, another token would be required, such as a code sent to your phone via SMS.


Pretty secure, huh? Not really... it still can be broken. Of course many people would start by assuming we will be stealing a phone by the end of this write-up, but the truth of the matter is, I won't need to touch your phone, so here we go.



The setup:

First, we would have the user's password (I am not willing to go into this, as many tutorials already exist on how to achieve it, from phishing to downright plain brute force).

Second, we would obviously require the SMS token sent to the user (hint: this tutorial is about that).
I will break this down into 2 parts: the explanation only, then the POC.

EXPLANATION

We will be intercepting the SMS by attacking the Um (air) interface between the victim's mobile phone and the BTS (Base transmission station).

Why does this work, and what might be a solution/remediation to it?
1. I have covered this topic before, but I am going to explain. GSM is a broken technology (so far, if you use a CDMA phone you are safe; read: so far).
2. GSM in most countries uses a weak/broken encryption; these are:
A5/0 ---- no encryption
A5/1 ---- most commonly used, very low encryption and breakable with 2 TB rainbow tables in less than 5-30 minutes on a decent computer
A5/2 ---- much weaker version, not commonly used... already broken
A5/3 ---- new version (KASUMI), theoretically broken
3. Phones don't do any authentication checking of which BTS they are connected to, or of whether any sniffing* activity is ongoing
4. Non-hopping on BTSs allows passive sniffing (explained in part 2)

POC? As usual, find it in part two. Meanwhile, google any terms that may have eluded you in this piece, as we will indulge even deeper later on.

Wednesday, July 9, 2014

A hackers Guide to Mac/MacBooks/Mac OS X

Well, I remember when I started this blog I kinda wrote an article that had 'fuck macports' somewhere... I am sorry, I take that back >> now let's start:

Mac OS --- Unix-like (Darwin actually, from Berkeley; see image), closed source (for the most part), with a graphical interface even Windows questions in supremacy, and no, I won't do a h/ware review...
So, Mac OS X to be specific...

10.7----> love it, totally do....
10.8----> just as above, love it...
10.9----> owww, what have we here? Bloat? clang, no gcc, smh!!!! Xcode doesn't help as much, so what do we do?

Newbies.... when you want linux* based binaries on your Mac and you think there are no package managers like on Debian/Ubuntu (apt) or Fedora/CentOS (yum)...

think twice... there's:

  • HomeBrew (very clean... but that's it... clean) uses Ruby and git to work its package magic and, amazingly.... it's very easy to write and rewrite its rules (Ruby ease and power)
  • Fink (so far... not really wanting to call it a problem... but it is): this is basically an apt manager; honestly, it has everything Ubuntu/Debian packages would do... the repositories, however, have been a bitch to me :(
  • MacPorts (so far... loving it): now this is a package manager... clean, stable... well, it lacks a few binaries, but hey, nothing's perfect... can't really complain :)


But first you need Xcode to install this (it's pretty huge btw); it has all the developer tools, from make to clang (replacing gcc (g++)) [I had to install gcc49 from Homebrew to facilitate a better compilation; clang sucks]

Anyway, once you're done doing that, here's the fun bit... install the necessary tools... for me:

hacking tools:
nmap
hydra
john the ripper
reaver
metasploit3
wireshark
p0f
yersinia*
yarra

...tonnes of them... for me :) I basically have my own set (actually porting TYPHON here); if it works you will know, aight




Thursday, June 26, 2014

Evil Twin [GSM Style]

Now I have an Evil twin... lol, not exactly what you think, about me having another like me only evil, hell no. In a security sense/point of view, an evil twin, from Wikipedia [full article]:

Evil twin is a term for a rogue Wi-Fi access point that appears to be a legitimate one offered on the premises, but actually has been set up to eavesdrop on wireless communications.[1]
An evil twin is the wireless version of the phishing scam. An attacker fools wireless users into connecting a laptop or mobile phone to a tainted hotspot by posing as a legitimate provider.
This type of evil twin attack may be used to steal the passwords of unsuspecting users by either snooping the communication link or by phishing, which involves setting up a fraudulent web site and luring people there.[2]

Works as above. Now, I actually saw a demo of this at AfricaHackOn (first information security conference in Africa) on the 28th of February 2014, where a hacker named Casper and D3crapt did the demo on stage to fake Wi-Fi connections and did a major MITM attack on unsuspecting people. With this knowledge, I found it quite interesting and wanted to take this a notch further, and you know what :) .... I succeeded. What I wanted to do was simply achieve the same attack, but not on a small scale like Wi-Fi, no... on a bigger scale, say GSM (SMS/VOICE/DATA/Mobile-Payment platform) [the whole 9 yards]

Did I make it? Now I know that's the main question, but let's look at MITM (Man In The Middle attack):

The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle).[citation needed]

Now with this given info we know what attack we are carrying out, as Evil Twin really relies on MITM, and most of all we do want data, right? And all variables check out, right?

Let's see:

  • GSM: relies heavily on the same concept as Wi-Fi; no, actually Wi-Fi relies heavily on the same structure GSM was/is created on, so if it works for Wi-Fi... it might work for GSM.
  • GSM: for a successful MITM [A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other — it is an attack on mutual authentication (or lack thereof).]
  • Evil Twin (create a fake Broadcast channel/transmission unit)
  • MITM capture sessions, Data and even encryption methods
Now.... what works? Well, long story short, everything, alas....
Now, materials:
Hardware.... in the case of Wi-Fi, routers (broadcast station); in the case of GSM, SDRs (software defined radios).
Now here's a tricky bit, into which I will throw tonnes of comparison. For SDRs we have:

  • USRP---> Expensive (I kid you not), around 2500 USD for a full good set... after that, it has enough documentation to set up, run, configure, tweak and create applications (so easy after purchasing it), and has been ported to nearly every single platform out there (Mac, Linux and Windows)
  • RTL/SDR---> Enter the familiar, easy to configure, cheap, affordable RTL: this is a DVB/TV USB tuner that will act as an SDR. Owww, trust me, it's powerful and cheap at 20 USD or less, has a lot of documentation and has been ported to nearly every single platform out there (Mac, Linux and Windows)
  • OsmocomBB---> These are specific devices used to run special firmwares that will do wild things on GSM frequencies, and when I say wild, owwww I mean wild, from acting as phones (Calypso based (Motorola c113, 115, 139, 123); these phones are ultra cheap, with costs of 20 dollars or less). But the real price to pay is probably the following.... nearly primitive code (oww it's good code, but oww you will pay by having to read up on how raw GSM works; I have been here for 14 or so months and have not fully mastered the whole thing yet), no documentation (OK, there is, but it's new so expect quite a few faults); in short, not the best thing to start off with as a noob (sadly [as this is what we will use])
  • Now there are other options (sadly I won't recommend them as yet, as I am yet to get my hands on them [talking about BladeRF, HackRF and others])
OK, so we have the hardware and we have the software, which I have also listed with the hardware.

What do we need to do... I guess now it's basically setup > run, or what else?

OK, we can learn, but I am already on my second full page scroll and we ain't done nothing yet.... setup is easy if you ask me (OK, it wasn't when I started, but talk to me and I can give you a script to do all that :) alright), moving on....

After the setup, what do we expect :) ...

HAVOC.... ok ok am on sugar... lets relax...

Set up a fake (evil twin) capable of intercepting mobile (modem [GSM]) traffic, hence:

  • Location disclosure (find victim's vicinity)
  • SMS (uplink) capture (downlink can be done with RTL-SDR)
  • VOICE (uplink) (same as above)
  • DATA (uplink and downlink)
  • Mobile-Payment Platform infiltration (yes, it's possible to hack both agent and client)
  • Umm, yes, this is the best I think so far, but I won't disclose further details (update SIM-card details, owww, not only simple things like contacts, even trivial things like the SIM-card apps on it)
  • Lastly, falsify (spoof) information to our captured assailants :)
So what did we just do there :) everything....

POC? You want it.... find me, buy me a big KFC lunch and I will sort you out. Yes, knowledge should be paid for with food and maybe an occasional bank account top-up like a donation, but hey, am #iOut.



Tuesday, June 17, 2014

Am explaining, don't arrest me, its called consultancy.... and heads up.... am the good guy

Now I really hate doing this.... honestly I do. Why? No one actually brands me as the good guy... it sucks, coz I am trying to live a good guy life, but good guys don't get the recognition they deserve. Anyway....

Now, today's news:


Well, a friend of mine asked me how someone can block/jam a cell (mobile in this case) network....
So many ways....

1. Broadcast Noise
2. Fake a network signal hence intercept and interrupt network
3. Kill Transmission

1. Now, this is simple... broadcast noise on the same frequency as the mobile network, just a little louder than the phones can listen, and... baaam, out.

2. Now, I did illustrate all this earlier when I put up the post about creating a fake BTS.....
Now people think this is very trivial; surprising thing... it kinda isn't. Here is my cell jammer budget:
USRP N210/200 plus a laptop and a very good antenna.... cost 6000 or so USD, or in Kenya Shillings about 500,000 KSH....
or, since we don't want all that expense.... here we go: 600 USD, or in Kenya Shillings, a laptop and a 2000 KSH phone; yes, the Motorola c118 comes in handy here....

3. Kill transmission... this is what was said to have happened, i.e. the BTS (tower/booster) was disconnected from the power source.

Now to expound on no. 2,
here we go:

Since I explained how to make a BTS from cheap materials (a laptop and a 2000 KSH (~20 USD) phone),
we have the requirements to run the fake network... and with that, phones connect to our network and they can't access the original network... So what distance can we cover? From 50m to 6km.
And how many BTSs can we interrupt? Well, one at a time.... a full LAC is 6 BTSs, so is it possible? VERY possible.

Prevention ... as Chris Paget said "You can absolutely do nothing when someone Jams a cellphone using noise... absolutely nothing"

VX #iOUT




Monday, June 9, 2014

Making sure that data from two modems gets routed via the same channel it came through even when it's split over two simultaneously connected modems

OK, so since I have shown a method to get access to the internet with multiple modems, someone asked: what if I need the same data to pass through the same modem (why? in case of a download that shouldn't be stopped or doesn't allow resume support)? So... here's a method...

So we come up with names. Let $IF1 be the name of the first interface and $IF2 the name of the second interface. Then let $IP1 be the IP address associated with $IF1 and $IP2 the IP address associated with $IF2. Next, let $P1 be the IP address of the gateway at Provider 1, and $P2 the IP address of the gateway at Provider 2. Finally, let $P1_NET be the IP network $P1 is in, and $P2_NET the IP network $P2 is in.
One creates two additional routing tables, say T1 and T2. These are added in /etc/iproute2/rt_tables. Then you set up routing in these tables as follows:
   ip route add $P1_NET dev $IF1 src $IP1 table T1
   ip route add default via $P1 table T1
   ip route add $P2_NET dev $IF2 src $IP2 table T2
   ip route add default via $P2 table T2
 
Nothing spectacular, just build a route to the gateway and build a default route via that gateway, as you would do in the case of a single upstream provider, but put the routes in a separate table per provider. Note that the network route suffices, as it tells you how to find any host in that network, which includes the gateway, as specified above.
Next you set up the main routing table. It is a good idea to route things to the direct neighbour through the interface connected to that neighbour. Note the `src' arguments, they make sure the right outgoing IP address is chosen.
     ip route add $P1_NET dev $IF1 src $IP1
     ip route add $P2_NET dev $IF2 src $IP2
   
Then, your preference for default route:
     ip route add default via $P1
   
Next, you set up the routing rules. These actually choose what routing table to route with. You want to make sure that you route out a given interface if you already have the corresponding source address:
     ip rule add from $IP1 table T1
     ip rule add from $IP2 table T2
   
This set of commands makes sure all answers to traffic coming in on a particular interface get answered from that interface.

NB: If $P0_NET is the local network and $IF0 is its interface, the following additional entries are desirable:
     ip route add $P0_NET     dev $IF0 table T1
     ip route add $P2_NET     dev $IF2 table T1
     ip route add 127.0.0.0/8 dev lo   table T1
     ip route add $P0_NET     dev $IF0 table T2
     ip route add $P1_NET     dev $IF1 table T2
     ip route add 127.0.0.0/8 dev lo   table T2

Now, this is just the very basic setup. It will work for all processes running on the router itself, and for the local network, if it is masqueraded. If it is not, then you either have IP space from both modems or you are going to want to masquerade to one of the two modems. In both cases you will want to add rules selecting which modem to route out from based on the IP address of the machine in the local network.
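
The steps above combined into one dry-run script, as an added example that is not part of the original post: it prints the commands for both modems and first checks that each gateway and source address really sits inside the network given for it. The interface names ppp0/ppp1, the RFC 5737 sample addresses and the table ids 201/202 are assumptions.

```shell
#!/bin/sh
# Dry run: prints the split-access commands instead of executing them.
# Interface names, addresses (RFC 5737 ranges) and table ids 201/202 are
# constructed sample values, not taken from the post.

# ip_to_int A.B.C.D -> 32-bit integer (subshell body keeps IFS local)
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_net IP NET/PREFIX -> exit status 0 when IP lies inside the network
in_net() (
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
)

# provider_plan ID TABLE IF IP GW NET
# Refuses to emit anything when GW or IP is outside NET: the kernel rejects
# "default via GW" unless GW is reachable on-link, which is exactly what
# the network route in front of it provides.
provider_plan() {
    in_net "$5" "$6" || { echo "gateway $5 is not in $6" >&2; return 1; }
    in_net "$4" "$6" || { echo "address $4 is not in $6" >&2; return 1; }
    echo "echo '$1 $2' >> /etc/iproute2/rt_tables"
    echo "ip route add $6 dev $3 src $4 table $2"
    echo "ip route add default via $5 table $2"
    echo "ip route add $6 dev $3 src $4"
    echo "ip rule add from $4 table $2"
}

# split_access_plan IF1 IP1 P1 P1_NET IF2 IP2 P2 P2_NET
split_access_plan() {
    provider_plan 201 T1 "$1" "$2" "$3" "$4" || return 1
    provider_plan 202 T2 "$5" "$6" "$7" "$8" || return 1
    echo "ip route add default via $3"    # preferred default: provider 1
}

split_access_plan ppp0 192.0.2.10 192.0.2.1 192.0.2.0/24 \
                  ppp1 198.51.100.10 198.51.100.1 198.51.100.0/24
```

Once the printed commands have been applied as root, `ip rule show` and `ip route show table T1` let you confirm that each source address is bound to its own table.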

Now Before you SUE me.... am helping ...like for real I AM. #ATTACKING MOBILE PAYMENT SYSTEM MiTM+SE

So a while ago I actually stated that attacking mobile payment systems is inevitable.... now I have not suggested I will be doing that, though stick around and you might probably learn a thing or two about this.... now here goes nothing.

so the basic structure of a mobile system is pretty simple

for example I use Safaricom's MPESA ... this is their earlier structure (yet to find any major change though)


Ok first of all let it be known ... I am not doing this on Safaricom's MPESA except for the facts:

1. I use MPESA (actually never used any other service)
2. I own an MPESA SIM (duuh) hence my test was restricted to only this
3. I am pretty sure this works on other networks (though not tested)

Ok variables....
MPESA on a standard KEYPAD is emulated by the numbers 67372 ..... now I found this out playing with my iPhone (twas a 3G) quite a while ago.... :) see I once tried saving it as a contact and the above numbers popped up.... anyway trying to call the number (oww what could go wrong) it reverted to activating my sim-toolkit lol ... surprise .... and there was my first breakthrough .... now how do we exploit this?

Well Man In The Middle is a nice way but how do you MITM someone when you can't clearly send a message without spoofing the sender ID .... THAT'S IT :) uh huh, so step one .... create a GSM network ... ok that's not so easy? well it is actually... I did it in 3 hours, ok to be fair I had hard-coded something close to that in a few months lol ... just had to watch enough YouTube videos ... join the OpenBTS forum, revisit my DCE classes (digital comp eng), a little of my ADCE also, a lot of soldering, ok long story short reused a lot of code and oww I've already posted that here (well that's just like the Um (air) layer only, where you have a BTS that controls several phones at once) ....

with a few configurations like setting

Control.LUR.OpenRegistration = .*
to allow any phone to connect to the BTS... MITM is more than inevitable ....

now here's the trick that makes all this work.... once you send an SMS to any phone with the numbers 67372 .... the result automatically displays .... MPESA ..pretty nifty huh :)

Now Safaricom has done a good thing not to allow any SMSs to be sent to the AGENTs' phones but hmmmm that's not enough.... they are still normal phones/SIM cards and basically have the IMSI that I'm sending the message/SMS to.... here is my proof of sending a message to myself (YES MYSELF) that ain't ILLEGAL :) and deceiving my SIM it's an MPESA message ... here is the screenshot, you can see some other transactions below (legit I might add)



and with a little S.E we can craft an SMS and send it to an AGENT and pretend to withdraw the cash .... this is a serious felony right here, I will be contacting Safaricom in the meantime ... if you don't hear from me... well... take a wild guess :)

VX #iOut

(oww not only Safaricom) other telcos will also be notified... as my niece says, BAI (bye)

Wednesday, June 4, 2014

TYPHON

I always go into hiding when things are in a knot... currently i have had some good news....

a new gsm hacking tool by VX is out... VX has been on this path for a while trying to come up with a good remedy to sort* all the newbies and experts in the gsm field (read RF)

what it do :) .....

So on a basic stand-off in the field of hacking (read pen-test and vulnerability assessments) a lot of the procedure goes like...


well you get the picture... so what we will do is debug entire scenarios of GSM in the same format...

  • We do recon of the area, networks, base stations (call them boosters if you like but I'm not saying it's correct) and also rogue base stations (come on, you wanna know when someone's listening to you, right?)
  • Scan the area (now this and step one basically have the same ideology here, but other methods can be employed on step one that have a different point of operation from step two)
  • Gain access --- rather gain access to certain channels + frequencies (read ARFCN * (BTS in a very big nutshell))
  • Maintain access ... (this simply means camp (SYNC) to that BTS (ARFCN) and now listen very well to the SMS/voice/data) .... see, we good, right?
  • We add our own step here .... crack the encryption (if any used)
  • Cover tracks (well, till now I have yet to find any tracks to be covered so just run when you are done, owkaeeey?)
So this tool --- TYPHON, who should be credited...

a lot of people.... let's start with:

The FIRMWARE guys (OsmocomBB)
Most of the scripts (BRMLAB)
The Guy who created it all and maintains it (VX)

well then how does it work?

>>  basic explanation .... connect GSM hardware to your computer to be able to debug the air interface (communication between the BTS and the MS); sort of, the hardware acts as an ethernet card to our PC and software... here comes in OsmocomBB (Open source mobile communications BaseBand), this is a stack running on your Calypso-based device (support for others may be added later on) e.g. Motorola C115, 118, 123 (get all of them here) and interfaces to your laptop; this allows fluid communication and allows studying what's happening in the air interface.


and that's the most basic principle....
with this we can do a lot of things as stated above... the full details of which will be published as soon as the tool is released. thank you :)

so check the links out and also Follow @taeCode0h on twitter for more info and when he will release the tool.

ARCHIVED

:) No longer posting, all articles should be treated as archived and outdated