Sep 14 2012
 


I was at the Sec-T conference in Stockholm yesterday. It was great to be back and to meet all the great people.

There were two presentations that really stood out among the others: Torbjörn Lofterud - iPhone raw NAND recovery and forensics, and Travis Goodspeed - Trashing USB layers using the Facedancer Board.

I wasn’t that interested in all the peeking and poking around inside the iPhone, but the insights and details that Torbjörn shared about NAND-based memories were a nice refresher and also provided more detail on the topic than I had read up on before. Awesome!

The USB trashing session, apart from just meeting people, is probably the main reason to go to this conference. It is always awesome to hear Travis rant about everything in his personal way, but what he shares in knowledge is just outstanding. I am amazed at how much time this man must have on his hands to dig into things as deeply as he does. And he’s then willing to share all his research hours like this. I would love to drink beer over a soldering iron with this guy!

I was lucky enough to get a Facedancer board from Travis yesterday. Thanks a million, man!

Facedancer PCB

Sep 06 2012
 

This is an ongoing project, and the blog post will be updated along the way. Please come back to see the progress we make.

I have for some time wanted to build something fun with the children. They are too engaged with computer games etc., and I wanted to help them lift their heads away from that. One day I got the idea to robotize the classic labyrinth game by Brio.

Hooking it up to two servos, an analog joystick and an Arduino seems like a quite simple project, yet both visual and fun for two ten-year-old children. I hope this will stimulate their curiosity, and teach them a lot about electronics, microcomputers, and programming. This is the base for this project; we might extend it along the way.

Please use this as a source of inspiration for fun things you could build with your own children. I would very much appreciate comments with tips about other things we can build, once this toy is completed.

As you might have seen, I recently ordered a few electronic components from China; the joysticks and servos arrived two days ago. I will pick up a used Labyrinth game tomorrow. Starting to robotize it will sadly have to wait two weeks due to other engagements.

 

Sep 02 2012
 

I was curious to see if the new switches were prone to switch bounce. This is why I wrote a quite simple Teensy program that can count switch bounces. The debounce example code that comes with the Arduino IDE was used as a template.

This is quite simple, and just here to make it simple to redo this kind of test when I get new types of switches.

S1 in the schematic is the switch you want to test. The resistor is used as a pull-down resistor, to make sure that the input pin is properly grounded when the button is released.

The result for my switches is somewhat unstable. I get just one count most of the time, but sometimes up to 9 bounces. The end result is that I need to debounce them properly to eliminate weird results in my builds.

Schematic


Aug 30 2012
 

I wrote to Comhem yesterday, asking them to stop blocking outbound connections to TCP 25. I also asked them if they are blocking more ports. This interferes when I perform pen tests, but also forces me to change SMTP in my phone every time I leave my home. It further prevents me from connecting directly to my co-located SMTP server. Luckily I also have a VPN to that server that allows me to connect to it.

Their response was quite unexpected and extremely dissatisfactory.

1. They can’t open ports for one specific customer – Erhm, NO, you are just too lazy

2. They listed all the other ports they are blocking. Random idiotic ports that are blocked for no reason. Why the hell should they decide if I want to use 12345 or 31337? I actually understand now why my Meterpreter daemons sometimes don’t get a return connection. Comhem idiots!

135-139 TCP
135 UDP
445 TCP+UDP
593 TCP+UDP
12345 TCP
31337 UDP
25 TCP

This is the complete list of ports they are blocking according to themselves.

Aug 29 2012
 

…or not so just, I am smiling every day the little parcels are rolling in to the mailbox. Today I got a little packet containing ten rotary encoders that will be perfect for menu navigation. I am just waiting for the displays now, to be able to really start building my password leakage killing device. =)

Aug 28 2012
 

Yeah, I hope it keeps coming at this pace. One of the Chinese packages arrived today. 100 small push buttons that can be used in whatever projects. Let’s hope there will be more coming tomorrow.

Aug 28 2012
 

The new Teensys arrived from PJRC yesterday. That was a really nice surprise since the expected delivery time was said to be one to three weeks. So I got my delivery well in the lower region of that span.

And guess what, it was my lucky day yesterday. I got another shipment as well, from Sparkfun Electronics. Mostly breakout boards for various cards like SD, microSD, SIM and smart cards. Nice to have at home when I start to get curious about fuzzing around with those. I also got some new lab cables that I am quite short of, a transparent RFID tag for demos and presentations, and a little IRDA-receiver that will be used in my XBMC setup.

I hope the Chinese stuff starts to arrive soon as well. There are some displays and other fun things that I am waiting for, before the real fun can start.

Aug 24 2012
 

I just experienced a nice little information disclosure, and thought it could be nice to share.

In Windows, all the jobs in the spool queue have a title, usually matching the name of the document printed. That alone can be revealing. But it gets more interesting when the job in question is a web page. Then the entire URL gets printed as the document name, which of course might reveal session information and all sorts of interesting stuff. It might be hard to catch this, since the queue normally gets purged quite quickly as jobs are printed. I happened to notice this on a printer that was out of service.

Another way might be to write a little job that polls the print queue every second and filters for URLs.

Here’s a little PowerShell script that could be used as a starter
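
An added example, not the script from the original post: a poller that reads the local spool queue once per second through the `Win32_PrintJob` CIM class and reports jobs whose document name contains a URL, masking query-string values so the audit output does not duplicate the leaked session data. The URL pattern and the redaction rule are assumptions made for this example.

```powershell
# Added example (not the author's script): audit print job titles for URLs.
# Assumes it runs on the machine that owns the queue, with rights to read it.
$urlPattern = '(?i)\bhttps?://[^\s"]+'   # illustrative pattern
$seen = @{}                              # job names already reported

function Get-RedactedUrl {
    param([string]$Url)
    # Keep scheme, host and path; mask every query-string value.
    # Session IDs carried in the path itself are not masked by this rule.
    $u = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$u)) {
        return '<unparsable URL>'
    }
    $base = $u.GetLeftPart([UriPartial]::Path)
    if ([string]::IsNullOrEmpty($u.Query)) { return $base }
    $pairs = $u.Query.TrimStart('?').Split('&') |
        ForEach-Object { ($_ -split '=', 2)[0] + '=***' }
    return $base + '?' + ($pairs -join '&')
}

while ($true) {
    Get-CimInstance -ClassName Win32_PrintJob -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_.Name   # Win32_PrintJob.Name is "<printer>, <job id>"
            if ($_.Document -match $urlPattern -and -not $seen.ContainsKey($key)) {
                $seen[$key] = $true
                [pscustomobject]@{
                    Time     = Get-Date -Format s
                    Printer  = ($key -split ',')[0]
                    JobId    = $_.JobId
                    Owner    = $_.Owner
                    Url      = Get-RedactedUrl $Matches[0]
                    HasQuery = $Matches[0].Contains('?')
                }
            }
        }
    Start-Sleep -Seconds 1   # polling interval from the post
}
```

Jobs with `HasQuery` set are the ones most likely to carry session parameters in the title; stalled queues on out-of-service printers keep such titles visible the longest.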

Aug 22 2012
 

There hasn’t been much going on in my lab since I moved one and a half years ago. Everything has been stashed in boxes in the basement. There has been nowhere to re-create the lab in my new home, and there still isn’t, to be honest. But my fingers are starting to itch and I really need to get some place to get new projects started, and to finish at least one of them that was already started when I packed everything. Ideas for how to make a portable lab are welcome ;-)

There are loads of boxes in the basement, and not all of them house lab stuff. It took almost a day some weekends ago to go through all the boxes to locate where the interesting stuff is. I had found everything, and yesterday I actually had good use for some of it when the boy’s aquarium light died. I was happy that I had already spent a weekend locating the soldering iron and my multimeter. Now the fishes, shrimps and plants have lights again. :-)

I have also made sure to treat myself to some new things from eBay and other sites. I have already written about the RasPi and the Teensys, but I’ve also made sure to buy an eight channel relay board, some thumb joysticks, servos, displays and other stuff that can be fun to have when the things actually land on a desk. There will be about 10 packets from various sites dropping in with toys over the coming 30 days. Don’t really know how long the deliveries will take, most coming from China.

This post will be updated with photos as stuff starts to drop in.

Aug 18 2012
 

My old Teensy 2.0 always seems to end up in more than one project, constantly having to be reprogrammed for different stuff I wanna try. The most common uses are injecting malicious code with SET, or having it act as a USB disk with various badly formatted vendor tags etc. Now I have another thing I want to use it for that involves a lot of prototyping, so I can’t carry it with me as I usually do.

The simple solution was of course to order some more :-) So now I have two more Teensy 2.0, one Teensy++ 2.0 and one of each with pre-mounted protoboard pins. I hope I won’t run out of Teensys now for a while.

I did of course make sure to buy some fun breakout boards for SIM, SD, microSD and smart cards as well. The fun will begin in a few weeks, stay tuned for more fun coming projects.
