Monday, October 30, 2017

Quick post from NM

Well here I am in Roswell NM, looking at the vast flat expanse of a town at 3571 foot elevation, on what used to be a military air base and is therefore really really big. Dry, pleasant weather (but cold in the evenings.)

Tuesday, October 17, 2017

Parsing Grepable nmap formats

I was recently tasked with finding a way to output all the IPs and associated open ports found during an engagement. My primary data source was from nmap, so that's what I used.

Here's my method (doubtless to be improved). The tips I got from scripts and files somewhere:

1. Pull the IP and its open ports out of the greppable output (the .gnmap file), one host per line:

   awk '/Ports:/ {                          # only the lines that carry port data
       printf "%s\t", $2;                   # $2 is the host IP
       for (i=4; i<=NF; i++) {              # port entries start at field 4
         split($i, a, "/");                 # an entry looks like 22/open/tcp//ssh///
         if (a[2]=="open") printf ",%s", a[1];
       }
       print ""
     }' *.gnmap | sed -e 's/,//' | sed -e 's/\t/ /' > parsed.txt

   The first sed drops the leading comma, the second turns the tab after the IP into a space.


2. In Excel, either open the parsed.txt file, or in a new sheet, click the "Data" tab, and click "From Text" to open the Text Import Wizard.

3. Choose "Delimited", and click "Next".

4. In the Delimiters section, only "Space" should be checked. Click "Next".

5. Select each column in turn and click the "Text" radio button, so Excel does not reinterpret the port lists as numbers or dates.

6. Finish Importing. If using the Text Import Wizard, click OK.
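A Python parser for the same greppable format, added here as an illustration and not part of the original post; the sample scan lines are constructed. The render function reproduces the "IP port,port" layout that parsed.txt gets from the awk pipeline. Unlike the one-liner it skips the "# Nmap" comment lines and the "Status: Up" lines, so each host appears exactly once, and it keeps the protocol so UDP and TCP ports can be told apart. A long-form CSV writer is included because a header row and one port per cell make the Excel import unambiguous.

```python
"""Parse nmap greppable output (-oG / .gnmap) into IP -> open ports.

Added example; not the original post's code. SAMPLE_GNMAP is constructed.
"""
import re

# Constructed greppable output: nmap writes a comment line, then per host a
# "Status:" line and a "Ports:" line, with fields separated by tabs.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Tue Oct 17 10:00:00 2017 as: nmap -sS -sU -oG scan.gnmap 10.0.0.0/30
Host: 10.0.0.1 (gw.example.test)\tStatus: Up
Host: 10.0.0.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.2 ()\tStatus: Up
Host: 10.0.0.2 ()\tPorts: 53/open/udp//domain///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tStatus: Down
# Nmap done at Tue Oct 17 10:00:05 2017 -- 4 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORT_RE = re.compile(r"^(\d+)/(\w+)/(\w+)/")  # port/state/protocol/...


def parse_gnmap(text):
    """Return {ip: [(port, protocol), ...]} listing only open ports.

    Only the "Ports:" line of each host carries port data; comment lines and
    "Status:" lines are skipped, so every host appears exactly once.
    """
    hosts = {}  # insertion-ordered, so output follows scan order
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        ip = HOST_RE.match(line).group(1)
        # Tab-separated "Key: value" fields: Host, Ports, Ignored State
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        open_ports = []
        for entry in fields.get("Ports", "").split(","):
            m = PORT_RE.match(entry.strip())
            if m and m.group(2) == "open":
                open_ports.append((int(m.group(1)), m.group(3)))
        hosts[ip] = open_ports
    return hosts


def render(hosts):
    """One 'IP port,port' line per host, the layout the awk pipeline produces."""
    return "\n".join(
        f"{ip} {','.join(str(port) for port, _ in ports)}".rstrip()
        for ip, ports in hosts.items()
    )


def render_csv(hosts):
    """Long-form CSV (ip,port,protocol), one row per open port."""
    rows = ["ip,port,protocol"]
    for ip, ports in hosts.items():
        rows.extend(f"{ip},{port},{proto}" for port, proto in ports)
    return "\n".join(rows)


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print(render(parsed))
    print()
    print(render_csv(parsed))
```

Run it against a real file with `parse_gnmap(open("scan.gnmap").read())`; the CSV form can be opened directly in Excel without the Text Import Wizard.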

Tuesday, October 10, 2017

Getting GPS dongle (BU-353S4) working on Raspberry Pi

I followed this guide:

http://blog.boberglund.com/Build_GPSD_from_sources.txt

found on this forum topic: https://www.raspberrypi.org/forums/viewtopic.php?t=138711

but ultimately found something on https://www.raspberrypi.org/forums/viewtopic.php?t=128045

To run gpsd as a daemon, the settings in /etc/default/gpsd are:

cat /etc/default/gpsd
START_DAEMON="true"
GPSD_OPTIONS=""
DEVICES="/dev/ttyUSB0"
USBAUTO="false"
GPSD_SOCKET="/var/run/gpsd.sock"

This last line I did not follow, choosing instead to include that when running gpsd.

Building a Raspberry Pi Hacking Box

This has been on my mind for some time now, on and off. The emphasis is almost exclusively on having a lightweight wireless reconnaissance and hacking device, instead of carrying around a laptop with a 2-hour battery life during wireless testing.

The current setup is as follows:

Raspberry Pi 3 Model B (onboard wifi) + heatsinks for CPU and LAN

LiFePO4wered long-life battery backup/UPS: Expensive but worth it. Now the Pi can be moved between locations and plugs without needing to be turned off. It also has a touch-sensitive power button. (Minor downside is that the UPS itself is always in very low power mode.) Actual power will be provided by an external battery pack during engagements, and with the UPS backup it is assured that power loss caused by accidentally removing the battery pack connection doesn't cause wireless data to be lost.

Raspbian: The Kali Linux image for Pi3 has proved to be quite frustrating, as it does not allocate all the space on a 16 GB SD card to itself, instead requiring manual resizing which always fails due to either read-only issues or a fake bad superblock. I tried several times without success, which is unfortunate as having the base Kali install plus the Kali wireless metapackage would be much easier to build.
I also tried to add the Kali repo but ran into issues using the latest version of Raspbian (Stretch) and java dependencies.

Instead I installed Raspbian Jessie and followed the following steps:

1. sudo raspi-config
2. sudo apt-get update && sudo apt-get upgrade && sudo apt-get install git screen htop nmap
3. Rather than connecting the Pi via a cable to a travel router, or connecting the Pi to a wireless travel router AP and connecting a phone to that same AP, you can make the Pi its own AP with hostapd using this guide: http://www.ericescobar.com/wordpress/raspberry-pi-3-wireless-hacking-platform-wifipi/ and connect to the AP with a phone and an SSH connection. Update 10-11-17: The end result was flaky, so I tried https://gist.github.com/Lewiscowles1986/fecd4de0b45b2029c390 which worked perfectly on a clean install of Raspbian Jessie.
4. sudo apt-get install kismet iw wireshark tshark tcpdump masscan wifite
5. Install giskismet (which failed, but here are the steps):
  1. cpan configuration
  2. sudo reboot
  3. cpan install YAML
  4. cpan install DBI (like to do the packages separately)
  5. cpan install DBD::SQLite
  6. sudo apt-get install libxml++2.6-2
6. Install Fruitywifi, then access it on the phone and install some modules, such as GPSD to work with kismet.
7. Install hax0rpi collection of hacking tools.

Update 10-10-17: This guide from BlackHillsInfosec had the dd flag that helps Kali take up all the space (shown in red there):

xz -cd kali-2017.01-rpi2.img.xz | dd of=/dev/mmcblk0 bs=4M iflag=fullblock oflag=direct status=progress

Once that was done, it was possible to successfully use gparted to resize the partition without losing any data from the fresh install.

Monday, October 09, 2017

Raspberry Pi cases

My favorite raspberry pi case so far was this one, with pretty colors. With a heatsink on the CPU, the temperature averaged around 56 degrees C. Other cases I've used include this one without the top for air ventilation, and this one for Pi Zero, which is simple and utilitarian.

Recently I decided to try to clean up the mess of Raspberry Pis by the router, and got a "cluster-type" case to put them all together. Assembly was tricky, but the end result looks clean. The only issue is the temperatures, which are roughly 10-15 degrees C warmer inside the cluster than outside, where the devices were exposed to ambient room temperatures and air currents. Although the case did come with extra heatsinks for LAN and CPU, some devices did not receive the new addition (for space reasons), and so they heat up. Average around 60 C, warmer for items nested deeper in the case. With temperatures going even higher when I leave for travel and raise the A/C setting, it behoves me to get something that could permit more air-flow, and thus it was. The next case will be a stackable dog-bone style set.

Monday, October 02, 2017

Busy busy bee

How interesting that I'm more likely to post when super busy with a task that has a pending deadline. Anyway, just wanted to share a neat tool for combining segments of HTTP streaming files into one. Last night I decided to see if the content of a certain music video streaming site could be downloaded offline. The website can be clunky, and streaming over the internet is sometimes less preferable to watching offline and reducing system load (ish).

First, some basics. (This won't be an exhaustive list, just what I've encountered in the past.)

When you stream media, it will come to your browser via several methods.

One method is to simply provide a whole big file, and let the browser handle how to play it. Firefox has a built-in media player, and HTML5 has built-in tags, so why not have the user click on a link that hides an MP4 file and let the browser play it how it wishes.

An alternative method is to build your own serving capability and web application around serving media, such as SoundCloud, which appends all sorts of authentication and one-time-use tokens to actually get to a file, rather than just having a list of files. A corollary to this one is to encrypt the music and decrypt on-the-fly, such as with RTSP, which adds some level of restriction against bypass, but can still be scripted away.

A third method, possibly more in use for large video files, is to "break the overall stream into a sequence of small HTTP-based file downloads, each download loading one short chunk of an overall potentially unbounded transport stream." (Wikipedia, HTTP Live Streaming) This works well for live video, such as on YouTube, Facebook Live, Snapchat, etc., where there is no defined end and therefore no file size to start with. It's also easier on the user, who only needs to load content chunk by chunk, and can be used in situations where the user's network might be unreliable.

Before the stream begins, an m3u8 playlist file is downloaded by the browser, with all the pieces listed. The segments have an extension of .ts, and if you look at just one, it'll be a few seconds or so of the overall piece.

Now, on to the process. If you open an intercepting proxy such as Burp Suite or ZAP, load a webpage with streaming media in the associated browser, and watch the traffic, you'll see a series of requests being made. First the HTTP page where the media, for example's sake a piece of music, sits. Next will be some script and content style files which could have some use, but most likely not. Then a request will be made for something like "file_128kbps.mp3", and a big file will show up, which is the entire mp3 itself. If we're loading a streaming movie, you'll see a request made for an m3u8 file with a response containing all 507 pieces.

There is a tool on Github called HLS-fetch, which can be given either the page with the content or the m3u8 link itself to download all the files and stitch them into a TS file. Plex can play that right off the bat, no transcoding.
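To make the playlist structure described above concrete, here is a small parser for an HLS media playlist, added as an example; it is not code from the original post nor from HLS-fetch. The playlist text and the URL are constructed placeholders. It resolves each segment URI against the playlist location (segment URIs may be relative or absolute), records whether the playlist is finished (#EXT-X-ENDLIST) or encrypted (#EXT-X-KEY), and shows why stitching is plain concatenation: MPEG-TS is a sequence of 188-byte packets, each starting with the sync byte 0x47.

```python
"""Parse an HLS media playlist (.m3u8) and list its segments in order.

Added example, not from the original post or from HLS-fetch. The playlist
text below is constructed and PLAYLIST_URL is a placeholder.
"""
from urllib.parse import urljoin

PLAYLIST_URL = "https://media.example.test/video/index.m3u8"  # placeholder

# Constructed media playlist: three short .ts segments, one given as an
# absolute URL, the others relative to the playlist location.
SAMPLE_M3U8 = """\
#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:10
#EXT-X-MEDIA-SEQUENCE:0
#EXTINF:9.009,
seg0.ts
#EXTINF:9.009,
https://cdn.example.test/video/seg1.ts
#EXTINF:3.003,
seg2.ts
#EXT-X-ENDLIST
"""


def parse_media_playlist(text, base_url):
    """Return (segments, meta): segments is an ordered list of
    (absolute_url, duration_seconds); meta holds a few playlist-level tags.

    A segment URI line follows its #EXTINF tag; other '#' lines are tags
    or comments that this parser does not need and skips.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0] != "#EXTM3U":
        raise ValueError("not an M3U8 playlist (missing #EXTM3U header)")
    segments = []
    meta = {"ended": False, "encrypted": False, "target_duration": None}
    pending_duration = None
    for line in lines[1:]:
        if line.startswith("#EXTINF:"):
            # "#EXTINF:<duration>,[<title>]"
            pending_duration = float(line[len("#EXTINF:"):].split(",", 1)[0])
        elif line.startswith("#EXT-X-TARGETDURATION:"):
            meta["target_duration"] = int(line.split(":", 1)[1])
        elif line.startswith("#EXT-X-KEY:") and "METHOD=NONE" not in line:
            meta["encrypted"] = True  # segments cannot be played without the key
        elif line == "#EXT-X-ENDLIST":
            meta["ended"] = True      # VOD: no further segments will be added
        elif line.startswith("#"):
            continue                  # other tag or comment
        else:
            if pending_duration is None:
                raise ValueError(f"segment URI without preceding #EXTINF: {line}")
            segments.append((urljoin(base_url, line), pending_duration))
            pending_duration = None
    return segments, meta


def stitch(segment_blobs):
    """Concatenate fetched MPEG-TS segments in playlist order.

    MPEG-TS is a stream of fixed 188-byte packets beginning with 0x47, so
    plain concatenation yields one playable .ts file; each blob is checked
    for that alignment before it is appended.
    """
    out = bytearray()
    for blob in segment_blobs:
        if len(blob) % 188 != 0 or blob[:1] != b"\x47":
            raise ValueError("segment is not 188-byte-aligned MPEG-TS")
        out += blob
    return bytes(out)


if __name__ == "__main__":
    segs, meta = parse_media_playlist(SAMPLE_M3U8, PLAYLIST_URL)
    for url, duration in segs:
        print(f"{duration:6.3f}s  {url}")
    print(meta)
```

The `encrypted` flag is the check worth keeping: a playlist carrying an #EXT-X-KEY tag with a method other than NONE corresponds to the "encrypt and decrypt on-the-fly" case above, and stitching its raw segments produces an unplayable file.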