Gelf: L1 Emulation, L2 Tunneling, using an HTTP Client

Gelf: L1 Emulation, L2 Tunneling, using an HTTP Client

Simply: Gelf uses an HTTP client to bridge two or more networks. The iPhone is the primary use case; it has access to both AT&T's mobile network as well as an ad-hoc network. You can bridge the two using Gelf, without running any code on the iPhone, aside from client-side HTML and JavaScript.

This achieves a non-jailbroken, non-rooted, poor-man's network tether. Here's the catch, Gelf needs to run on a device inside each target network. Gelf functions as the L2 tunnel end-points, and the L1 emulation: achieved through an HTTP client.

Read More

CODEGATE 2012 - Network 100 Writeup

Take a look at Eindbazen's write-up on Network 100.

I wanted to do the same write-up, highlighting an alternate path. (This will be the last CODEGATE 2012 write-up of mine, since both Leetmore and Eindbazen have all the other challenges we solved well documented.)

You start with a file: A0EBE9F0416498632193F769867744A3

And a note:

Someone have leaked very important documents. We couldn't find any proof without one PCAP file. But this file was damaged.

¡Ø The password of disclosure document is very weakness and based on Time, can be found easily.

Cryptographic algorithm is below. Msg = "ThisIsNotARealEncryption!SeemToEncoding"
Key = 0x20120224 (if date format is 2012/02/24 00:01:01)
Cryto = C(M) = Msg * Key = 0xa92fd3a82cb4eb2ad323d795322c34f2d809f78

Answer: Decrypt(Msg)

Read More

CODEGATE 2012 - Forensics 200 Writeup

The challenge starts with a file and description:

File: C1E4775363DE0885E8360ED9A13A86B8


When IU who lives in Seoul tried to do SQL Injection attack a certain WEB site, suddenly the browser was closed abnormally. What is the SQL Injection value she tried to enter and when the browser was closed? The time is based on Korea Standard Time(UTC +09:00)

Time Format is YYYY-MM-DDThh:mm:ssTZD (TZD : +hh:mm or hh:mm)

Answer : injection_value|time ('|' is just a character)
Convert ' ' to '_' for injection value.

Read More

Forensic Challenge: Help stop the Sbuxnet trojan!

This is a fun forensic challenge created originally for NYU's CSAW Capture the Flag Finals event. The story behind the challenge, along with additional forensic challenges were also used for ACSAC's Tracer Fire class. Now I'm hosting both the forensic image and command and control server on the net so anyone can play.

Begin here: [] (the challenge is over, thanks to those who played!)

Tools / Techniques / Skills involved:

  • Filesystem forensic analysis
  • Email forensics and cryptographic tools
  • Python, small bit of source code analysis
  • Filetype header analysis, image forensics
  • Minor HTML/HTTP understanding
  • Patience, etc...
Read More

Offensive Defense: Protect your high-hanging fruit ...from birds and stuff

One of these days this webserver will be torn open by some low-hanging vulnerability. Sure, but that wont be very exciting, so let's think outside of the inevitable, and into the what-if.

What-if someone did break into this poor little webserver? Regardless of how they did it, what would they do? What would they find? Step 1: Break into my box, Step 2: ..., Step 3: Profit. You'll achieve profit without any 'Step 2' by killing my ego and any minuscule reputation I have among my friends. But assuming you're not out for defamation: let's think about the 'Step 2', and some possible defensive methods to protect a box once someone has broken in.

Read More

SIM card curiosity, and a little Hardware Hacking

A few months ago I took an interest in the layer 2/3 protocols (and their implementations) for mobile networks. I quickly arrived at SIM card hacking and like a young schoolboy thought, “man if only I could MitM the hardware communication I could spoof other’s SIM cards and use free Internet!” Nope. Well, not nope, but it’s not that easy.

Read More

Adventures in UAV Hacking

SkyNET demo flight SkyNET Drone

My first accepted workshop paper, accepted to USENIX WOOT 2011, was called "SkyNET: A 3G-enabled mobile attack drone and stealth botmaster". Catchy name, right? Check out the project page if you'd like a review. After the paper was published, presented, and let lie for a month, the project caught the attention of MIT Technology Review. Shortly after the story was published tons of other websites started duplicating and running their own. The relation between UAVs and "Skynet" did the trick in attracting media attention. Unfortunately there's very little AI incorporated thus far into the project. Nevertheless, it's been a blast reading the various comments on the project.

Read More

Rock The Flag network, CyberSecurity Education, and logging Capture The Flag Experiences

I want to make this as concise as possible, but I haven't written in a while, so stick with me.

Rock the Flag, network, (RTFn) is a project started by myself, and my friends Mike and Nick, designed to help students play Capture The Flag (CTF) competitions. RTFn's goal is improved CyberSecurity education through CTF competitions. We hope to improve CTF experiences with extracted-and-visualized team reports per-event.  The software implements robust logging, with the help of the users, to identify trends. These trends help users identify their team strengths and weaknesses, while profiling each competition they play. At the base of RTFn is an Etherpad (real-time document collaboration on steroids) installation with three major changes.

Read More

It's not the size of the vulnerability

It's how you exploit it. In the words of Dan Guido: "finding vulnerabilities in small projects is like clubbing baby seals."

Yes, but it's still fun! So why not have some fun, and exercise your brain muscles at the same time, by writing really cool/complicated exploits for them. Because yes, something is cool, when it's really complicated. I'll use a small stored XSS vulnerability on a simple web application as an example.

Read More

Route based on Source IP Address (Linux / BSD)

I ran into an interesting situation the other day which I expected would have more documentation online.

Situation: You have a multi-homed router and you would like to route traffic based on client IP addresses, or the source address. In my case I wanted a /24 (Net 1) to be directed (forwarded) through interface A, and another /24 (Net 2) to be forwarded through interface B. In my case I also NATed traffic forwarded to interface A.

This is called source address routing or policy-based routing.

Read More