I'm the sort of hip fashionista who only wears free conference t-shirts.

GDS

@GDSTeam

We support open source. And we’ve got the t-shirts to prove it (thanks @github @digitalocean). GDS took part in #Hacktoberfest this year, contributing to open source projects as part of a global community hacktoberfest.digitalocean.com pic.x.com/AkM09LGono

---

Sadly, after several years of constant catwalk modelling, my beloved Hacktoberfest shirts are full of holes. I couldn't find any for sale on eBay or Vinted - so I decided to make my own.

Note: DigitalOcean's Brand Guidelines say that you shouldn't create physical merchandise or sell any products featuring the logo. Well, I'm not selling these nor, do I think, they are merchandise. Hacktoberfest aren't using these to incentivise anyone any more. They're just cool t-shirts.

The Logos

There are lots of photos of the t-shirts but it is surprisingly hard to find the original assets.

Low Resolution

Kotis - a design agency - did the Hacktoberfest swag from 2015-2020. They have a brand portfolio with the t-shirt icons. Sadly, all a bit low resolution for printing, but good for getting accurate background colours for the material.

• 2020
• 2019
• 2018
• 2017
• 2016
• 2015

Similarly, there are a few low resolution promo shots of the t-shirts or their logos:

• 2022 (back of t-shirt)
• 2021 (t-shirt)
• 2016 (more accurate colours)
• 2015 (logo)
• 2014 (logo)

AI upscaling looked typically rubbish.

Higher Resolution Bitmaps

Some designers have their logo designs on Dribbble. Not very high resolution, but good enough for stickers.

• 2019
• 2018
• 2017
• 2016

Archived Logos

The official Hacktoberfest website had some logos embedded on it:

• 2022 (SVG logo)
• 2019 (SVG)
• 2018 (PNG with transparent background)
• 2017 (SVG)

Best of the bunch

These are the best available logos. The SVGs are suitable for printing at any size, the PNGs may be harder.

• 2022 (SVG logo)
• 2020 (SVG)
• 2019 (SVG)
• 2018 (WebP 1155x898)
• 2017 (SVG embedded in page)
• 2016 (SVG)

Missing

The following are missing 2014, 2015, 2021, 2022 (comic). There are photos of the shirts, and some low-resolution artwork available, all of which are too low quality to be printed. If you know how to get high-resolution images of them - please leave a comment!

2021

There are some elements out there. For example:

• This Behance profile of Hacktoberfest 2021
• The official logo
• The logo with the t-shirt colour scheme
• The brand guidelines for more accurate colour reproduction.

2014

There's not much available about the first t-shirt. There's a version of the logo used and some photos but that's about it.

Photos of T-Shirts

If you want to compare the logos to the originals, and see what colour fabric they used, there are lots of photo online:

• Reddit collection
• History of Hacktoberfest

End Result

If I can't find the missing logos, I'll create my own design for my own personal use. Something like this:

If you have a source for vectors of the missing logos, please drop me a comment.

I can now read all the passport information, including biometrics.

Background

The NFC chip in a passport is protected by a password. The password is printed on the inside of the physical passport. As well as needing to be physically close to the passport for NFC to work⁰, you also need to be able to see the password. The password is printed in the "Machine Readable Zone" (MRZ) - which is why some border guards will swipe your passport through a reader before scanning the chip; they need the password and don't want to type it in.

I had a small problem though. I'm using my old passport¹ which has been cancelled. Cancelling isn't just about revoking the document. It is also physically altered:

Cut off the bottom left hand corner of the personal details page, making sure you cut the MRZ on the corner opposite the photo.

So a chunk of the MRZ is missing! Oh no! Whatever can we do!?

Recreating the MRZ

The password is made up of three pieces of data:

1. Passport Number (Letters and Numbers)
2. Date of Birth (YYMMDD)
3. Expiry Date (YYMMDD)

Each piece also has a checksum. This calculation is defined in Appendix A to Part 3 of Document 9303.

Oh, and there's a checksum for the entire string. It's this final checksum which is cut off when the passport cover is snipped.

The final password is: Number Number-checksum DOB DOB-checksum Expiry Expiry-checkum checksum-of-previous-digits

Python code to generate an MRZ

If you know the passport number, date of birth, and expiry date, you can generate your own Machine Readable Zone - this acts as the password for the NFC chip.

def calculateChecksum( value ):
    weighting = [7,3,1]
    characterWeight = {
        '0': 0, '1': 1, '2': 2, '3': 3, '4': 4, '5': 5, '6': 6, '7': 7,  
        '8': 8, '9': 9, '<': 0, 'A':10, 'B':11, 'C':12, 'D':13, 'E':14, 
        'F':15, 'G':16, 'H':17, 'I':18, 'J':19, 'K':20, 'L':21, 'M':22, 
        'N':23, 'O':24, 'P':25, 'Q':26, 'R':27, 'S':28, 'T':29, 'U':30, 
        'V':31, 'W':32, 'X':33, 'Y':34, 'Z':35
    }
    counter = 0
    result = 0
    for x in value:
        result += characterWeight[str(x)] * weighting[counter%3]
        counter += 1
    return str(result%10)

def calculateMRZ( passportNumber, DOB, expiry ):
    """
    DOB and expiry are formatted as YYMMDD
    """
    passportCheck = calculateChecksum( passportNumber )
    DOBCheck      = calculateChecksum( DOB )
    expiryCheck   = calculateChecksum( expiry )
    mrzNumber  = passportNumber + passportCheck + DOB + DOBCheck + expiry + expiryCheck
    mrzCheck = calculateChecksum( mrzNumber ).zfill(2)
    mrz =  passportNumber + passportCheck + "XXX" + DOB + DOBCheck + "X" + expiry + expiryCheck + "<<<<<<<<<<<<<<" + mrzCheck
    return mrz

print( calculateMRZ("123456789", "841213", "220229") )

Can you read a cancelled passport?

I would have thought that cutting the cover of the passport would destroy the antenna inside it. But, going back to the UK guidance:

You must not cut the back cover on the ePassport

Ah! That's where the NFC chip is. I presume this is so that cancelled passports can still be verified for authenticity.

Cryptography and other security

The security is, thankfully, all fairly standard Public Key Cryptography - 9303 part 11 explains it in excruciating levels of detail.

One thing I found curious - because the chip has no timer, it cannot know how often it is being read. You could bombard it with thousands of password attempts and not get locked out. Indeed, the specification says:

the success probability of the attacker is given by the time the attacker has access to the IC, the duration of a single attempt to guess the password, and the entropy of the passport.

Can you brute-force a passport?

Wellllll… maybeeeee…?

Passports are generally valid for only 10 years. So that's 36,525 possible expiry dates.

Passport holders are generally under 100 years old. So that's 3,652,500 possible dates of birth.

That's already 133,407,562,500 attempts - and we haven't even got on to the 1E24 possible passport numbers!

In my experiments, sending an incorrect but valid MRZ results in the chip returning "Security status not satisfied (0x6982)" in a very short space of time. Usually less than a second.

But sending that incorrect attempt seemed to introduce a delay in the next response - by a few seconds. Sending the correct MRZ seemed to reset this and let the chip be read instantly.

So, if you knew the target's passport number and birthday, brute forcing the expiry date would take a couple of days. Not instant, but not impossible.

Most commercial NFC chips support 100,000 writes with no limit for the number of reads. Some also have a 24 bit read counter which increments after every read attempt. After 16 million reads, the counter doesn't increment. It could be possible for a chip to self-destruct after a specific number of reads - but I've no evidence that passport chips do that.

Is it worth brute-forcing a password?

If you were to brute-force the MRZ, you would discover the passport-holder's date of birth. You would also get:

• A digital copy of their photo,
• Their full name,
• Their sex²,
• The country which issued their passport, and
• Their nationality.

All of that is something which you can see from looking at the passport. So there's little value in attempting to read it electronically.

Installing

As mentioned, I'm using https://github.com/roeften/pypassport

The only library I needed to install was pyasn1 using pip3 install pyasn1 - your setup may vary.

Download PyPassport. In the same directory, you can create a test Python file to see if the passport can be read. Here's what it needs to contain:

from pypassport import epassport, reader

#   Replace this MRZ with the one from your passport
MRZ = "1234567897XXX8412139X2202299<<<<<<<<<<<<<<04"

def trace(name, msg):
    if name == "EPassport":
        print(name + ": " + msg)

r = reader.ReaderManager().waitForCard()

ep = epassport.EPassport(r, MRZ)
ep.register(trace)
ep.readPassport()

Plug in your NFC reader, place your passport on it, run the above code. If it works, it will spit out a lot of debug information, including all the data it can find on the passport.

Getting structured data

The structure of the passport data is a little convoluted. The specification puts data into different "Data Groups" - each with its own ID.

By running:

ep.keys()

You can see which Data Groups are available. In my case, ['60', '61', '75', '77']

• 60 is the common area which contains some metadata. Nothing interesting there.
• 61 is DG1 - the full MRZ. This contains the holder's name, sex, nationality, etc.
• 77 is the Document Security Object - this was empty for me.
• 75 is DG2 to DG4 Biometric Templates - this contains the image and other metadata.

Dumping the biometrics - print( ep["75"] ) - gives these interesting pieces of metadata:

'83': '20190311201345',
'meta': {   'Expression': 'Unspecified',
            'EyeColour' : 'Unspecified',
            'FaceImageBlockLength': 19286,
            'FaceImageType': 'Basic',
            'FeatureMask': '000000',
            'FeaturePoint': {0: {'FeaturePointCode': 'C1',
                                'FeatureType': '01',
                                'HorizontalPosition': 249,
                                'Reserved': '0000',
                                'VerticalPosition': 216},
                            1: {'FeaturePointCode': 'C2',
                                'FeatureType': '01',
                                'HorizontalPosition': 141,
                                'Reserved': '0000',
                                'VerticalPosition': 214}},
            'Features': {},
            'Gender': 'Unspecified',
            'HairColour': 'Unspecified',
            'ImageColourSpace': 'RGB24',
            'ImageDataType': 'JPEG',
            'ImageDeviceType': 0,
            'ImageHeight': 481,
            'ImageQuality': 'Unspecified',
            'ImageSourceType': 'Static Scan',
            'ImageWidth': 385,
            'LengthOfRecord': 19300,
            'NumberOfFacialImages': 1,
            'NumberOfFeaturePoint': 2,
            'PoseAngle': '0600B5',
            'PoseAngleUncertainty': '000000',
            'VersionNumber': b'010'
        }

If I understand the testing document - the "Feature Points" are the middle of the eyes. Interesting to see that gender (not sex!) and hair colour are also able to be recorded. The "PoseAngle" represents the pitch, yaw, and roll of the face.

Saving the image

Passport images are saved either with JPEG or with JPEG2000 encoding. Given the extremely limited memory available photos are small and highly compressed. Mine was a mere 19KB.

To save the image, grab the bytes and plonk them onto disk:

photo = ep["75"]["A1"]["5F2E"]
with open( "photo.jpg", "wb" ) as f:
   f.write( photo )

As expected, the "FeaturePoints" co-ordinates corresponded roughly to the centre of my eyes. Nifty!

What didn't work

I tried a few different tools. Listed here so you don't make the same mistakes as me!

mrtdreader

The venerable mrtdreader. My NFC device beeped, then mrtdreader said "No NFC device found."

I think this is because NFC Tools haven't been updated in ages.

Jean-Francois Houzard's and Olivier Roger's pyPassport

I looked at pyPassport but it is only available for Python 2.

beaujean's pyPassport

This pypassport only checks if a passport is resistant to specific security vulnerabilities.

d-Logic

Digital Logic's ePassport software only works with their hardware readers.

Android reader

tananaev's passport-reader - works perfectly on Android. So I knew my passport chip was readable - but the app won't run on Linux.

Is it worth it?

Yeah, I reckon so! Realistically, you aren't going to be able to crack the MRZ to read someone's passport. But if you need to gather personal information³, it's perfectly possible to do so quickly from a passport.

The MRZ is a Machine Readable Zone - so it is fairly simple to OCR the text and then pass that to your NFC reader.

And even if the MRZ is gone, you can reconstruct it from the data printed on the passport.

Of course, this won't be able to detect fraudulent passports. It doesn't check against a database to see if it has been revoked⁴. I don't think it will detect any cryptographic anomalies.

But if you just want to see what's on your travel documents, it works perfectly.

First up, as the research paper's abstract says:

The attack requires physical access to the secure element

So, straight off the bat, this reduces the likelihood of attack. Someone would need to actively target you. Of course, if you're the sort of person who secures all their secrets and cryptowallets with a FIDO token, you may be a juicy target!

Secondly, the attack relies on:

the adversary steal[ing] the login and password of a victim’s application account protected with FIDO

So, you need to lose your username, password, and token for this attack to be successful. Again, this is unlikely to happen as a "drive-by" attack.

Once the attacker gets your FIDO token, they need to analyse it using "expensive equipment". A cost of approximately $11,000 according to Ars.

That moves the attack away from the hands of casual criminals. It isn't an insurmountable barrier for organised crime or nation states.

Finally, Appendix A discusses how difficult it is to actually get the equipment close enough to the circuitry:

[…] capturing the EM signal with a small EM probe would not work if this probe is too far from the chip. We hence have to open the YubiKey plastic case to access its logic board. […] In both cases however, the device needs to be re-packaged if the adversary wants to give it back to legitimate user without him noticing. We did not study further this issue.

Here's what it looks like when that probe is placed next to the circuitry:

If you suddenly find your Yubikey smashed or cracked, then you may have been a victim of this attack!

A reasonable way to defend against this is to get some glittery nail polish. No, seriously! Put a blob of glitter polish on the seam of your device. Something like this:

Take a photo. If the baddies grab your YubiKey and crack it open, they won't easily be able to get the pattern correct when they re-seal it. Regularly compare your photo to your device.

The Real Issue With FIDO Tokens

Physical tokens require physical security. I've moved to a an Encrypter Ring. I literally wear my FIDO token. I am extremely likely to notice someone removing my ring (or my finger).

Is your token on your keyring? Where is your keyring right now? In your pocket or hanging up somewhere? Most people either leave their FIDO token laying around out of sight or have it permanently plugged in to their machine. I'm not sure which is worse.

The other major issue is that it is impossible to revoke a FIDO token from all your accounts at once!

You've used your token to register with a few dozen sites, you either lose your key or discover it has been tampered with. What do you do?

There is no way to tell which sites you have used a FIDO token with. You have to remember (or keep a list somewhere). You will need to manually go to each site and revoke the stolen token. If you've forgotten one, you can't revoke it from your key, which means attackers could have unfettered access to that account.

What should I do?

The discoverers of this vulnerability take great pains to say:

it is still safer to use your YubiKey or other impacted products as FIDO hardware authentication token to sign in to applications rather than not using one.

I think they are correct. But there are still a few things you should do to secure yourself against this class of attack.

0. Ensure the physical security of your token. Either wear it as jewellery, implant it in your skin, or reduce the likelihood of it being taken.
1. Ensure the physical integrity of your token. Use nail-varnish or something similar to help you detect if it has been physically compromised.
2. Ensure that you know which sites have been secured with a Yubikey. Make a note of it in your password manager or other secure vault.
3. Ensure that you are less of a target. Don't brag about your security. Certainly don't post on the Internet about which security products you use and the countermeasures you take. Oh shit.

Naturally that eventually leads into an international conspiracy involving the FBI, NSA, and an excellent recipe for chocolate chip cookies. It is a fast paced, high-tension, page turner. There's also a sweet moral core to the story - as well as the somewhat saddening death of naïvety.

It's hard to overstate just how fun this book is. Yes, with the benefit of hindsight running unpatched machines and letting any old hippy connect to them was always going to be a security nightmare. But some of the problems faced by those early pioneers are still present today.

Default passwords, unmonitored systems, uninterested law enforcement, dictionary attacks, buggy permissions, the moral quandary of responsible disclosure - it's all in here.

Of course, there are a few bits which look pretty dated now. Especially some of the attitudes to online privacy:

“You’re not the government, so you don’t need a search warrant. The worst it would be is invasion of privacy. And people dialing up a computer probably have no right to insist that the system’s owner not look over their shoulder. So I don’t see why you can’t.”

It's also nice seeing how internecine warfare between hackers has barely evolved:

From long tradition, astronomers have programmed in Fortran, so I wasn’t surprised when Dave gave me the hairy eyeball for using such an antiquated language. He challenged me to use the C language ... VI was predecessor to hundreds of word processing systems. By now, Unix folks see it as a bit stodgy—it hasn’t the versatility of Gnu-Emacs, nor the friendliness of more modern editors. Despite that, VI shows up on every Unix system.

There's some deep wisdom in there for any programmer to reflect on:

If people built houses the way we write programs, the first woodpecker would wipe out civilization.

I urge anyone with an interest in computer security to read it. There's a huge amount of entertaining history in there - and plenty of lessons that we still need to learn.

I recently found a popular website which echoed back user input. It correctly sanitised < to < to prevent any HTML injection.

Except…

It let through <h2> elements unaltered! Why? I suspect because the output was:

<h2>Your search for ... returned no results</h2>

And, somehow, the parser was getting confused. OK, what can we do with this little vector?

The first thought is to use Javascript event handlers like onclick() or onmouseover() - but they were (sensibly) blocked. The <h2> element only has access to the Global Attributes. So we could inject content which use Right-To-Left text, or add some metadata attributes - but that's not particularly useful.

The most useful Global Attribute is style="". Yup! Good old CSS!

The limitation of the style attribute is that it only applies to the specific element it is attached to. So you can't rewrite the entire page. You also can't use the content: property - as that only applies to ::before and ::after directives.

Using normal CSS, we can change the colour and size of our newly injected <h2>, faff around with the background colour, change the font, and move it about the page. Good for a bit of digital graffiti, but not much else.

Except…

What about using background-image? Using that, we can pull in an external resource.

<h2
  style="background-image:url('https://evil.site/whatever.png');
  width:512px;
  height:512px;"> ... </h2>

That will load an external picture on the site. It could be an animated GIF saying "You're a winner! Visit www.... to claim your prize!". It wouldn't be clickable, but might catch a few people out.

It is possible to load an SVG. And SVG can contain JS. But - alas and alack - the JS doesn't run in background mode - even if the JS is bundled as Base64.

Changing the content-disposition of the image won't force the browser to download it, either.

And that, I think, is about the limit of it. If Javascript is blocked, the worst you can do is inject a malicious image. Short of finding a zero-day in a browser's codec, all that can happen is a bit of temporary defacement.

But Wait! There's More!

While fuzzing around with the input, I made an interesting mistake. I mistyped <svg> as <sgv>. That invalid element was added to the page's HTML! That means there's a parser somewhere which is stripping out only the elements it knows about. Browsers typically ignore elements they don't understand - so there's no danger to users there. But it points to the idea that there may be some elements the sanitiser doesn't know about.

And, indeed, there were! For example, it happily took the obsolete <plaintext> element, and dumped it into the markup. Which caused the page to break.

It also, delightfully, took the <marquee> element!

Terence Eden is on Mastodon

@edent

Replying to @edentOMG…!
I legit did not expect that to work… pic.x.com/5q4ymmzjdg

---

I reported the issue immediately, and got an acknowledgement. But, sadly, after a few months the website was still not fixed.

Take a bow, ACM Digital Library!

Verdicts

Some of the lab tasks were impossible without looking at the cheat sheet. I got stuck on one because the question told me to go to one URl, but I had to guess the one which was vulnerable. Felt like a bit of a "gotcha" moment. Perhaps in a proper lab environment it might have made more sense - but because we're mostly just learning how to use tools, I wasn't really prepared to use my critical thinking skills!

Only a half day, again. Good discussion of XSS and CSRF - but only a surface discussion of what they can do and how to prevent them. That's the problem with these sorts of courses - they can only say "sanitise user input", they can't explain how to do it for every environment.

SQL Injection. Good length of session. The standard Little Bobby Tables joke. And quite focused on Burp Suite and SQLMAP. A small bit on preventing them with parametrised queries.

CIA triad was briefly mentioned - but not really discussed. I would have expected more on that as it is fairly fundamental.

XXE. Malicious XML files. Billion Laughs Attack was (very) briefly covered.

Web shells from insecure file upload. A few tricks on how to fool UGC checkers. But not too much on defending.

The object serialisation stuff seemed a bit obscure. Not sure how relevant that is to the real world - but interesting none the less.

In the end, my overall verdict is that this is a good practical course. But because it covers so much, and spends so long setting up environments, it only gives a brief overview. It's rather geared towards specific tools - and that means lots of syntax memorisation for the exam.

The Exam

I fucking hate exams. There are very few times in life where you have a hard deadline, no one to help, and no ability to consult external sources.

Because of the intrusive spyware used on their proctoring system (more on that tomorrow), I'm going to have to go to a test centre to take the exam.

The exam gives 70 minutes to complete 50 multiple choice questions. 50% needed for a pass mark. That seems achievable. But it really depends on how many Windows questions there are, and how many ask me to precisely remember command line options.

Practice questions

The first time I scored 10/10. I know this stuff ☺

1. John has run dirbuster against a target website looking for possible pages to investigate and receives the following results. What does the 401 response mean?
   • HTTP 401 response means that the page is not available
   • HTTP 401 response means that the server has returned an internal error
   • HTTP 401 response means that the client should use the version in its cache
   • HTTP 401 response means that the resource is available, but requires authentication credentials to be able to be accessed
2. What port does BurpSuite use by default?
   • 80
   • 4444
   • 8888
   • 8080
3. What file is commonly used to inform search engines about the folders/files they are forbidden to index?
   • robots.txt
   • index.html
   • search.csv
   • spider.txt
4. Sally wishes to retrieve all the pdf documents from targetsite.com. Which of the following Google Dorks would satisfy that demand?
   • intitle:index_of *.pdf location:targetsite.com
   • site:targetsite.com filetype:pdf
   • pdf domain:targetsite.com
   • targetsite.com filetype:pdf
5. Connor is experimenting with a XSS vulnerability on a website. He uploads the following script but gets no response. What is the issue here? <script>alert(XSS);</script>
   • The syntax should be <script>alert("XSS");</script>
   • The syntax should be <script alert("XSS); />
   • syntax should be <script>alert="XSS";</script>
   • syntax should be <script>display.alert("XSS");</script>
6. Fiona has identified a vulnerable web app that allows her to perform SQLi. She wants to identify what database is behind the web app. What SQLi command would allow Fiona to get this data?
   • SELECT @@information_schema --
   • @@version --
   • @@database --
   • @@schema--
7. Jonas has identified a vulnerable web app that allows SQLi. He is using SQLMap to explore the system. What command should Jonas use to enumerate the available databases on the server?
   • --database
   • --layout
   • --dbs
   • --db
8. Which of the following file uploads should you prohibit if you wanted to ensure no-one can upload malicious files to your webserver?
   • file.asp:.jpg
   • file.php.jpg
   • php%00.jpg
   • All of them
9. True or False, SSL v3.0 offers better encryption than TLS v1.2
   • True
   • False
10. Complete the sentence... HTTP is classed as a ________ protocol
    • secure
    • stateless
    • web 2.0
    • dynamic

Notes

XSS. Recap. Can be from HTTP headers, cookies, and other weird things - not just GET. Can persist on the server.

Impact - phishing, hijack cookies, use browser exploitation, BitCoin mining.

Bug bounties available.

How not to prevent. Don't use blacklist regex - easy to bypass. XSS can work without script tags, eg onmouseover. UTF-7 encoding, URL encoding.

CSRF - cross site request forgery. Not stealing cookies and credentials. Force the user's browser to connect to a previously authorised site. Session Riding or Confused Deputy. Eg craft a link which forces the user to change their password on a different site. Relies on predictable patterns. Use of random tokens per request - which are then verified. Tokens shouldn't be reusable.

SQL injection. Can take input from the user, no filtering, pass requests directly to the DB. Good way to exfiltrate data - or even destroy it. Use of single quotes, boolean operators, balancing syntax.

Error based SQLi - see the stack trace etc from error messages. UNION operator - concatenate multiple queries - first legit, 2nd malicious. Blind - you can't see the results. Time Based - if my request is OK, sleep for 5 seconds. Out of Band - rare, depends of privileges being enabled when they shouldn't be.

String vs integer.

Select X from Y where Z UNION SELECT @@version--

Metadata table - information_schema

Pentest Monkey cheat sheets.

Concatenate results.

UDF - user defined functions to run code on machine. Local File Access. Create web shell by browsing to maliciously uploaded code.

Use of ASCII values rather than quoted strings. Blind injection - observe the difference in what is returned by a true or false query.

Principle of least privilege. Make sure the website can only read. A separate trusted process to write. root and sa(?) shouldn't be enabled from the web.

SQLMAP tool. Use of, find vulns, get tables, set up proxy to Burp.

Defend using input validation - blocklists not enough. Paramatise the SQL. ORM(?) Object-relational-mapping Frameworks. Principle of Least Privilege. Don't roll your own!

CIA (Confidentiality, Integrity, Availability)

XXE to get /etc/passwd - weakly configured XML parser. Anything which accepts user-created XML could be vulnerable. Very common on SOAP.

Insecure file upload. Get Web Shell. Filenames can have XSS. Distribute malware or warez.

%00 null byte to avoid extension check file.php%00.jpg

Change content type header - send a .php file as image/jpg. Fiddle with magic bytes. malicious.asp;jpg on IIS. Or file.php.jpg

WebDAV and Put might be available.

WebShell provides a web interface to the OS level commands. What context are you running in? Might not be root. Upload and download. Execute SQL. Kali stores them in /usr/share/webshells

C99 Shell - and other tools. Hacking tools are often backdoored. The creator has access to the shell you've created.

EICAR test to see if anti-malware is running. Change MiMe type when uploading. Is JS checking for file types?

Validate headers and MIME. Check file size. Don't rely on client side - always server side. Only upload to web root. Rename files after upload. Upload to temporary, then virus scan. Change the extension. Restrict folder permissions.

Serialise / Deserialise.

Take PHP, serialise it to an object. PHP warms of passing untrusted user input to unserialize. JSON is better than serialised objects. Must use magic method to attack (??) eg __construct() Trying to force the server to gadget chain??

pickle.load in Python. Marshal.load() in Ruby. Allow list for the things you want to serealised. Some firewalls

Use !ENTITY (variables). Inject external XML files. Calls to SMB servers to get NTLM hashes. Then SMBRelay to pass the hash. Using PSexec. Back to Windows ☹. Disable XXE in the parser - or have very strict allow-lists.

The penultimate day. Try not to worry about the upcoming exam!

Today was lots of HTTP, TLS, and other low-ish level stuff like that. But mostly focussed on common website attacks.

Verdict

Bit of a repeat of yesterday's Windows session to make up for the broken labs. The exam requires 50% right answers to pass - so I feel quite relaxed if I fail the Windows portion. I reckon I should be about to get a few correct questions either by guesswork or memorising metasploit commands. With a bit of luck, I'll never have to interact with Windows in my professional life!

Painful start trying to get half-a-dozen students to correctly configure Burp suite. Sort of thing which either needs to be built into the labs, or have fool-proof instructions.

Discussion of OWASP - but only up to 2017. Lots of the stuff is a bit outdated. Tutor seemed to think the 2021 Top 10 was only in draft...

There was a good demo website to attack NotSoSecureApp.com - lots of playing around with Burp and DirBuster.

Again, only a short bit on mitigation. I think that would have been more useful for the target audience.

And, again, lots of trivia. There was one slide on Certificate Authorities. What could have been an interesting discussion on how they work and their weaknesses, was reduced to "they exist".

Similarly - there's an attack called POODLE. What is it? How does it work? Can it be defended against? Nothing.

But, overall, good. It was really focussed on Burp and SSLscan - just learning the tools rather than the underlying problems.

Practice Questions

From the Windows session. Through guesswork, I got 7/10.

1. What Windows service typically uses UDP port 5353? (This question was wrong. Should be 5355.)
   • Kerberos
   • LLMNBR
   • NBTNS
   • NetBIOS
2. Responder is often used with the -f switch, but what does that switch do?
   • Perform DNS lookups
   • Enables fast mode
   • Responds with false answers to DNS lookups
   • Enables fingerprinting of hosts that issue LLMNR queries
3. James has run the nbtstat command against a device and receives a code 1C. what does this code denote?
   • The machine is a File Server Service
   • The machine is a Domain Master Browser
   • machine is a Workgroup member
   • machine is a Domain Controller
4. What does the RID value 502 denote?
   • The account is an administrator account
   • The account is a guest account
   • The account is a bespoke user account
   • The account is a Kerberos Key Distribution service
5. A common command when using PowerShell is the IEX command. What does IEX stand for?
   • IEX is an alias for Invoke-Expression
   • IEX stands for Import Executable
   • IEX stands for Interactive Executable
   • IEX is an alias for Import-External module
6. Simon has PowerShell capabilities on a Windows 10 device and wants to record details about the default program installation paths, etc. What command should Simon use?
   • Get-ChildItem env:
   • ComputerInfo
   • System
   • AppvStatus
7. Carl has attempted to run enum4linux against a Windows host device and has received the following error message: Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible. What is the most likely cause of this error message?
   • The host isn't a Windows host
   • Carl needs to run enum4linux with the -NT switch
   • RestrictAnonymous registry key on the host is most likely set to 1
   • RestrictAnonymous registry key on the host is most likely set to 0
8. Sandra has access via PowerShell to a Windows 10 host and wants to enumerate the machine to try to identify those users who are members of the Domain Admins group. What does she need to do to do in order to get this information?
   • Import the Microsoft.ActiveDirectory,Management.dll and then run Get-ADGroupMember -identity "Domain Admins"
   • Import the Microsoft.ActiveDirectory,Management.dll and then run Get-ADGroup -identity "Domain Admins"
   • Use the Get-SmbShare command to access the $IPC share on the domain controller and then run Get-GroupMember -Identity "Domain Admins"
   • Run the Get-DomainAdmins command
9. Vernon has downloaded a ps1 file he wrote from his server to a Windows Server device, and now wishes to execute the file. What should he check before attempting to run the script?
   • The ExecutionPolicy should be checked to allow Vernon to run the unsigned script which has been downloaded from the Internet
   • That the PowerShell service has been started
   • That windows bitlocker is disabled
   • That he is an administrator
10. James has gained access to a Windows network and has enumerated a device for SIDs. He has received the following 4 SIDs: S-1-5-21-2000478354-1708537768-1957994488-500 S-1-5-21-2000478354-1708537768-1957994488-502 S-1-5-21-2000478354-1708537768-1957994488-1000 S-1-5-21-2000478354-1708537768-1957994488-1001
    • Which of the SIDs is identified as the default admin account?

Notes

HOSTS file manipulation

Basics of HTTP. Statelessness. Requests. Headers. User Agents.

curl -v -X TRACE http://www.example.com

Intro to Burp. Would have been better off watching https://www.youtube.com/embed/nECt-0zW0O4

DirBuster. Automated finding of common directories

Passive Scanning with Google.

Bug Bounties (!)

Useful info - defaults, directories, plugins, cms, server version, error messages. Extra methods like WebDAV being enabled.

Google "Dorks" - search for filetypes and common patterns.

2FA, authentication, OAuth.

GitHub info leakage.

OWASP cheat sheet.

Base64 basic auth. Digest MD5. NTLM.

Username enumeration. Login error messages can leak info.

Burp intruder - generates lots of server side logs. Intruder to iterate through usernames and passwords.

Password strength, HaveIBeenPwned. Password recovery. Stored hashed and salted. Poor account recovery questions like Mother's Maiden Name,

Increase security means reduced usability.

Use of sslscan to look for SSL/TLS errors.

Hash collisions. Store above SHA1. Token expiration times and reuse.

Don't store sensitive info in logs etc.

TLS to encrypt in transit. How to share keys? Diffie-Helman!

AES for symmetrical.

TLS stages - asym to start, then sym. Certificate authorities issue certs and validate them.

SSL is obsolete. TLS1.1 also obsolete. Disable old ones. Cupers > 128 bit.

Vertical attack - standard user elevating themselve. Horizontal - accessing someone else's info. Business logic attacks.

Parameter tampering.

WebScarab to check entropy of cookies. Session fixation - copy cookies to get access. Session ID in URl. Can be resused to get access. Use POST for those requests.

Basics of XSS. Reflected (sent by user). Stored (on server). Header manipulation.

Day 3 - the day I was dreading most of all… Windows!

I've been avoiding M$ WinDoze (LOL!!!) since long before it was fashionable. Even at my earliest jobs, I'd find a way to convince the IT department to let me run Linux on their kit. I'm penguin-powered, baby!

So, what can an Ubuntu toting geek learn about the gentle art of cracking Windows wide open?

Not much. It was mostly a whistle-stop tour of various Linux tools and a brief explanation of Windows security models.

Verdict

The demo Windows network wasn't working, so all a bit theoretical to start. Once it was up, we had another "script kiddie" day. Run nmap, run enum4linux, run metasploit. Vaguely interesting, but not sure what parts we need to remember for the exam.

Some of the tasks weren't possible unless you had a Windows machine. Most people had a "GoToMyPC" instance they could use - but those of us on Linux machines were basically stuck watching the tutor run some demos. Lots of memorising of Windows Powershell commands. But, again, no idea if they'll be on the exam.

Some team exercises which was a nice change. I hosted an exploit, another student executed it. But, in the end, the code didn't work. The labs are a bit broken.

Afternoon descended into farce because GoToMyPC went down and lots of students couldn't get back in. Combined with yesterday's inexplicable half-day, meant a lot of confused and frustrated students.

The course description was:

Unlike [Certified Ethical Hacker], where the focus is to run a tool to achieve an objective which helps attendees pass the exam, we focus on the underlying principles on which tools work and provide attendees an understanding on what is the root cause of the vulnerability and how does the tool work to exploit it. We also talk about how the vulnerability should be mitigated.

But, at the moment, it is just running metasploit and a few other tools. Nothing much about the principles. And only a passing comment on how to defend against things.

Similarly, it says:

we do not talk about hacking windows XP and 2003 servers (unlike CEH) but talk about circumventing controls in Modern OS such as Windows 2012 / 16 servers. High impact vulnerabilities such and or mass compromise vulnerabilities are taught in the class.

Yet there was lots of discussion of Windows 7 and outdated versions of Chrome. Not quite what was advertised.

Turns out the exam isn't on Friday. We have a voucher and we can book the exam in the next 12 months. Think I'll take it sooner rather than later - but will give myself enough time to cram and memorise every command line option in existence.

Practice Questions - Linux Hacking

Here are the test questions from yesterday. Once again, it's mostly "can you remember the exact command line without running --help - which I'm not sure is useful. I got 6/10. This really needs a practical exam. A CTF or similar. Sure, with a bunch of hackers, it could turn into the "Kobayashi Maru" exercise. But that's better than trying to rote learn the command line.

1. Which of the following is NOT an attack against SSL?
   • Heartbleed
   • POODLE
   • FREAK
   • RowHammer
2. What is the maximum amount of data retrievable by each Heartbleed heartbeat?
   • 64kb
   • 1Mb
   • 512kb
   • 256kb
3. True of false, Shellshock affects BASH v 4.4
   • True
   • False
4. Which command allows you to display the full kernel version on a Linux system?
   • cat /etc/kernel
   • uname -a
   • echo version
   • cat /env/kernel
5. Jenkins is a popular continuous integration service, often run on Linux servers. What port does Jenkins listen on by default?
   • 80
   • 443
   • 666
   • 8080
6. True or false - The Jenkins web console is vulnerable to a deserialization attack?
   • True
   • False
7. Simon has managed to obtain a meterpreter shell on a remote Linux machine by exploiting a weak implementation of WordPress. What command should he run to see what user-instance he is using?
   • sysinfo
   • ps
   • whoami
   • getuid
8. Rebecca has managed to get a meterpreter payload on a victim machine which is configured with a reverse TCP setting which will attempt to connect to ker Kali machine on 80.17.222.34:4444. She needs to set up a netcat listener on her Kali machine to receive any TCP sessions from the victim machine when the payload is executed. Which of the following commands would do this?
   • nc --listen 4444
   • nc -nlp 4444
   • nc -tup 4444
   • nc -nl 4444
9. James has obtained a meterpreter shell on a remote machine but only has restricted user access. He decides to try using a post-exploitation command to try to elevate his privilege level, but he needs to return to his msfconsole prompt to load an auxiliary tool. What command should James use to keep the meterpreter session alive, but allow him to return the msfconsole prompt
   • back
   • exit
   • suspend
   • background
10. James has identified a suitable auxiliary command to use in conjunction with an existing meterpreter instance. How can James identify which meterpreter instance to use?
    • session -i
    • session -l
    • sessions -l
    • meterpreter -l

Notes

netbios - old and unused, should probably be disabled. LLMNR useful is DNS resolution has failed. Generates a lot of sniffable traffic. Can force Windows machines to give up data. Set up a fake server to received the LLMR broadcasts.

Some services are blocked on IPv4 but open on IPv6.

If DNS fails to resolve a host, LLMNR and NBT-NS will ask other hosts in the network if they know the IP address. Net NTLMv2 Challenge response hash is sent by the victim, the fake machine intercepts the hash and can start to crack it. Tell john the --format=netntlmv2 to crack it.

If SMB signing is disabled on the target, you can relay the original hash to a new target.

NetBT is netbios over TCP/IP. It does IP to name resolution. A legacy protocol, should probably be disabled.

EPM is End Point Mapping (?). RPC is Remote Procedure Call (an API?). Bunch of other random acronyms and port numbers.

nbtstat on Window, nmblookup on Linux.

1c for domain controllers.

Windows enumeration usually on 135, 137 (UDP), 139, 445. Harder to detect attacks on 135 as it gets lots of traffic. 139 is obsolete from Vista.

Used to be able to connect to InterProcess Communication shares using anon / null session. rpcclient -U "" -N 192.168...

Relative Identified - RID. Unique but sequentially assigned. Can cycle through them, RID also identifies role of the user.

SID is the security ID. Primary key for objects in active directory. Unique. Has relative level, top level authority, the domain, the RID.

RID 500 is Admin, 501 Guest, 502 Kerberos. Everything else 1000+.

RPC can do user to SID and SID to user. ridenum and enum4linux both good tools for this.

Registry key has restrict anonymous usernames. Can be set to default, don't allow enumeration, no access.

RID cycling over NULL doesn't work on Win 2008+. If you can do RID cycling with a valid domain user it might leak interesting information.

Use of hash-identifier to see what sort of hash it is. Online services to check weak MD5 hashes.

Once into a Windows machine, use PowerShell as it runs in memory and isn't detected by antivirus. Use GetExecution Policy to change policies. Powershell is case insensitive. Variables start with $. There are per-user preferences. Can declare arrays $a = 1,2,3 etc.

To execute Import-Module .\scriptname.ext

IEX (iwr 'url') to execute a URL??

Get-ComputerInfo and Get-ChildIntem env to find out about the target. Get-ADDomainControler to find other stuff.

Open Shares an issue - can allow us to read and write.

Default installations of web apps are often insecure.

Printers are highly trusted, they receive all the hashes, so if you can get in with default credentials you can sniff everything. Printers have LDAP - can start malicious LDAP services.

Use of client side attacks. Use metasploit (again) to host the exploit - get the target to access the metasploit server. Can host malicious web pages, documents with macros. Use Metasploit handler to listen to what's going on. Chrome 72-73 are vulnerable to Array.map, buffer overflow, read arbitrary memory. Chrome must be in --no-sandbox

Electron - a shell around Chromium rendering and Node.js runtime - basically a web browser specifically for cross platform apps. Multiple processes.

Joplin, also built on Electron. Can POST to the /notes API to deploy a payload. Can use JS to exec() a local .exe

Looks for Kernel exploits, weak permissions, DLL hijacking etc with post/multi/recon/local_exploit_suggester. Look for PATH environment variable, and place DLLs earlier in the enumeration.

Look for credentials using things like findstr or reg query. Or User Access Controls.

Windows 7 issues. Cleartext creds in memory. No default antivirus. All apps are trusted.

Win10 security features. Device guard - hard and software, locks down device, code integrity, prevents malicious code. Cred guard. Virtualised, isolates LSASS secrets. Enabled via the registry. Returns encrypted strings rather than NTLM hash.

Local Security Authority (LSA). Prevents memory access to creds.

AMSI - anti malware scan interface. In memory scans for malicious powershell script execution.

whoami /priv to see privileges.

winpeas to automate searching.

CVE against things like IE, AppX, allow you to elevate privs.

CVE against cryptoAPI - crypt32.dll allows you to self sign a malicious executable.

RDP vulns.

EternalBlue (ancient!) and Fuzzbunch.

Microsoft COM RCE with device deserialisation flaws.

AMSI can be bypassed via signatures? And ScanBuffer? and C# version? WHAT?

Mimikatz can register a malicious DLL for a Security Support Provider and get creds. Can also bypass LSA.

ColdFusion - lots of exploits. Directory traversal, misconfiguration, default password, FCK Editor - doesn't sanitise input so can upload and execute.

Metasploit web server can bypass AV.

Post exploitation is vital. Once you're in, what can be done? Dump users, password hashes, escalate, pivot (use as a staging post to get further into the network), replay credentials to masquerade as someone else, persistent access, permanent backdoor.

Windows credential vault can store web passwords in plaintext. LSA has logged in user's passwords.

Security Accounts Manager (SAM) - can't be accessed while system is running. Might be able to grab a backup snapshot. Can be accessed on the Domain Controller.

Meterpreter can run hashdump in memory - so AV isn't triggered.

Previous 10 unique logins are cached if DC not available. This is to allow the user to login to the system. Salted hashs. Salt is the username. Encrypted with LSA NL$KM account (??) cachedump can do this.

LSA protected storage for passwords for users and tasks. System privs needed to extract.

LSASS process memory - cleartext passwords for RDP login.

Mimikatz is the main tool for this.

Adding new accounts to Domain Admin group is very noisy - great way to get noticed.

NTLM challenge response. 16 bit challenge, hashed with the user??

Pass the hash

Day 1 was all about password cracking and metasploit. Today? Linux Hacking! Sadly, we aren't learning anything to do with distributing 1337 cracks for warez (so 1998!).

One point to note is that the questions we're set are extremely vague. Here's a sample:

Exploit the HeartBleed vulnerability on 192.168.123.123 to get administrative access to the login interface on the server

That doesn't tell me anything about what HeartBleed is, what tools I should be using, or - importantly - what exactly I'll be tested on. Do I need to know the exact sequence of bit to fire at a server? The name of a tool? How it could be defended against? The teaching slides we have are OK - but make large logical leaps. For example, telling us to run a curl command against a specific path without telling us how we would know about that specific URl.

Practice Questions

Got a bit more info about the sort of questions. Mostly trivia really. Some of the topics weren't really discussed yesterday.

Here are the Port Scanning questions. I was a bit narked to get 50% (a barely passing grade). How well would you do?

1. Sam has scanned a device in his network with nmap, and has identified a service running on port 22. What service should Sam assume this is?
   • FTP
   • SSH
   • HTTP
   • SNMP
2. Jackie wants to scan all TCP ports with her nmap scan. What switch will enable Jackie to scan all ports?
   • -P
   • -p
   • -p-
   • -A
3. Simon wants to scan a number of devices in his network with a half-connect scan. What switch should Simon use to accomplish this?
   • -sU
   • -sT
   • -oA
   • -sS
4. If an nmap scan is executed with the -F (fast) switch set, how many ports does nmap scan?
   • The 1st 1000 ports
   • The first 100 ports
   • The top 1000 most common ports
   • The top 100 most common ports
5. Which timing switch is more commonly known as the insane mode?
   • -T1
   • -T5
   • -T0
   • -T9
6. James wants to scan the SSH service on his device. Which of the following will allow James to do this?
   • -p 22
   • -p ssh
   • -p T:22
7. Sandra has run the following scan; what does it do? nmap -Pn -O -sV -oA scan_results 192.168.0.1
   • Performs a ping scan, OS enumeration, Service enumeration, and outputs data to a file called scan_results
   • Performs a scan of all ports, performs OS enumeration, performs a half-connect scan and outputs results to a file called scan_results
   • Does not perform any nmap discovery scans, performs an overt scan, a verbose scan and outputs results to a file called scan_results
   • Does not perform any nmap discovery scans, performs an OS scan, a service enumeration scan, and outputs results to a file called scan_results
8. Which of the following outputs is NOT a nmap file output type
   • Normal
   • Grepable
   • XML
   • HTML
9. True or False, performing a TCP Half-Connect (-sS) scan required privleges on the scanning computer?
   • True
   • False
10. How many TCP ports does nmap scan by default unless told otherwise?
    • 100
    • 1,024
    • 1,000
    • 10,000

Mostly convinced me that most UNIX tools need a better CLI UI!

A DB quiz. Again, mostly trivia. And some stuff not covered. I got 7/9.

Art of Hacking - Database hacking

1. Sarah has scanned a server and has identified a service running on port 3306. What is this service likely to be?
   • MySQL
   • Postgresql
   • Microsoft SQL
   • Mongo DB
2. When attacking a MySQL server, which common account should you try to attack that is normally not configured to lockout?
   • Admin
   • User1
   • MySQL
   • Root
3. Gary has identified a weakness in a MySQL database installation and has managed to use the database to extract the contents of the /etc/passwd file from the underlying server. what command would Gary have used to do this?
   • select LOAD_FILE('/etc/passwd');
   • select READ_FILE('etc/passwd');
   • select * from /etc/passwd
   • select all from FILE('/etc/passwd');
4. What is the default port for a postgres SQL database?
   • 1234
   • 5544
   • 2345
   • 5432
5. What is the default user for a postgres SQL database?
   • root
   • admin
   • postgres
   • user0
6. James has recovered a set of credentials for a MySQL database running on IP address 192.168.0.43. The credentials he has discovered are: user = root password = P@55w0rd. What syntax should James use to gain access to the database?
   • mysql -u root -p P@55w0rd -h 192.168.0.43
   • mysql -u root -p -h 192.168.0.43
   • mysql -a root -p -u 192.168.0.43
   • mysql -u root --password -h 192.168.0.43
7. David has managed to locate a vulnerable Microsoft SQL database application and wants to find out the version of database in use. What syntax should David use to obtain the version data?
   • UNION SELECT @@version --
   • SELECT * FROM DB_VERSION #
   • VERSION FROM TB_DATABASE WHERE V >1 --
   • SELECT * FROM @@version #
8. What is the name of the file that all databases have that describes the database structure, including database names, table names, column names, and data types, amongst others?
   • DB_STRUCTURE
   • db_schema
   • data_definitions
   • information_schema
9. What sqlmap switch would you use to retrieve all the contents from a targeted database table?
   • --ALL
   • --download
   • --dump
   • --loot

Password questions - again, trivia. I got 7/10 with a few guesses.

1. Kali Linux comes with some pre-installed word lists for use when conducting password attacks. What is the location of these files?
   • /usr/share/wordlists
   • /var/temp/wordlists
   • /usr/wordlists
   • /etc/wordlists
2. What switch should Carl use to provide hydra with a single username to try in an online password attack?
   • -L
   • -D
   • -p
   • -l
3. Denise is trying to use hydra to attack an ftp server which is running on the non-standard port (2121) - what syntax should Denise use when configuring hydra to target this service?
   • :2121
   • -p 2121
   • -s 2121
   • p:2121
4. Joanne has extracted the following data from a Linux server; What hashing algorithm is the system using to generate the password hash? root:$1$/avpfBJ1$x0z8w5UF9Iv./DR9E9Lid.:14747:0:99999:7:::
   • SHA-512
   • Blowfish
   • SHA-256
   • MD5
5. What encryption standard did Windows LanMan use to secure its hashes?
   • DES
   • AES
   • 3DES
   • RSA
6. In order for John-the-Ripper to process Linux passwd & shadow files, they have to be unshadowed first and the results placed into a new file. What is the correct syntax to achieve this?
   • unshadow /etc/passwd /etc/shadow > hashfile
   • unshadow /etc/shadow /etc/passwd > hashfile
   • /etc/passwd /etc/shadow unshadow | hashfile
   • unshadow /etc/passwd /etc/shadow | hashfile
7. What does the "-a0" switch denote when using hashcat?
   • To use only 1 core of the CPU for processing
   • To output all results to the screen
   • To use a brute-force attack
   • To use a dictionary attack
8. Which password hashes does Windows salt
   • The SAM file
   • NTLM hashes
   • Cached domain hashes
   • The NTDS.dit file
9. Which of the following is not a hash function
   • MD5
   • Blowfish
   • SHA-1
   • RIPEMD-160
10. What is the maximum length of a LanMan password
    • 14 charters
    • 20 characters
    • 7 characters
    • 32 characters

Verdict

Lots of students hadn't been exposed to Linux or these tools before. Concern expressed about lots of rote memorisation. All the above questions could be answered with -h - but not able to do that one a proctored exam.

Quite a "script kiddie" day. Lots of loading up metasploit and just guessing until things work. A few infrastructure problems - broken test servers made things quite frustrating.

Lots of technical jargon without any explanation. Jenkins, Groovy, Sandbox, Metaprogramming. What are they? What definitions are needed for the exam?

Nothing so far about law and ethics… Which is a bit worrying. We're only working on a restricted demo lab, and all the exploits are ancient.

There's still no checking if students have done the tasks. It would be helpful if each student had to, say, retrieve a specific file or string from the target and present it back to the tutor. I know a couple of students who are a bit bewildered but a bit nervous to ask for help.

A short day - so off to Cloud Academy to brush up on my skills.

Notes

Heartbleed - get up to 64KB data from memory. Ask for specific length, bounds aren't checked. Only on old versions of TLS. Can also check key length - under 128bit may be vulnerable.

Heartbleed to find username / password. Log in via the web. View source to find .cgi path.

Metasploit - use the right module and configure. Exploit and then cat the /etc/passwd file.

Shellshock - as above. Copy and paste commands.

LD_PRELOAD need to ensure you keep privileges.

Use of nc to get remote machine to connect to your machine in order to get a shell on it.

Use of history to check for entered passwords and other interesting bits.

Weak Linux permissions. Can you overwrite a command run by root?

cron jobs a good source of this.

Use of local Python server to transfer files across. linpeas.sh

Always compile exploits on target machine to ensure architecture compatibility.

Basic use of wget and chmod

Exploiting other Linux things like JBoss, Tomcat, Jenkins. What is our attack surface? Weak defaults. Outdated versions with CVE.

Data Serialisation. Can be weaponised into a payload which will be parsed and executed. Tools like CommonsCollections1.

CMS targets like Joomla, Drupal, WordPress. Lots of complexity leads to misconfiguration. Vulnerable plugins and add-ons. Version leakage.

joomscan and wpscan both useful automated tools. As are DroopeScan and DruPwn for Drupal

Injection of serialised objects into HTTP_HEADER. Chain with x-forward-for to trigger the payload.

Basics of scanning for unknown ports then running droopescan and wpscan.

EXIF metadata can also be used to hide information - old WP plugins particularly vulnerable.

Use of dirb to find directories on remote webservers.

As regular readers will know, I'm pretty reasonable at hacking. I have received bug bounties from Google, Twitter, Samsung, and a bunch of others. I don't claim to be an expert - and I doubt I'll be on any top-10 lists - but I have a reasonable, albeit informal, background. It's that "informal" which is annoying me. I want a bit of paper which says that, yes, actually, I do know what I'm talking about.

Computer Science - and hackers especially - eschew formal qualifications. The earliest hackers and phreakers learned their craft on the mean streets of the early Infobahn. Geeks don't need qualifications! We're not nerds!

But, hey, a free qualification is not to be sniffed at. I know it probably won't be as rigorous as some other certifications - but it was all that was available to me.

Looking through the course agenda there were a few things I knew well - XSS, Port Scanning, Password Hashing - but it's always good to pick up a reminder. Some things I've heard of but not used - Burp, Heartbleed, Metasploit - so will be good to get a solid understanding. And some things way outside my experience - Windows stuff, Tomcat, XXE - yay new learning!

The thing that I'm looking forward to the least is the exam at the end. It's multiple choice and requires 50% correct - but I always find myself second-guessing those sorts of questions. Especially if there's lots of "well, technically" type questions. Also - concentrating for 70 minutes!!? And proctored? Does that mean I can't run to Wikipedia for help?!?

Anyway, I'm going to try and keep a diary of what I've learned. Hopefully that will let other learners know what the course is like, and if it is worthwhile.

Verdict

A bit more theory than I was expecting. Diving straight in to TCP flags was a bit alienating for some students - although I already knew about them. Similarly, lots of discussion of ports - but didn't actually explain the fundamentals of what they are.

Lots of terminology thrown at people - so probably not great for complete beginners.

Similarly, the nmap discussion was a bit whistle-stop. It was mostly a case of following the PDF instructions without much explanation. Lots of people (me included!) got tripped up by the command line flags.

Some of the practical exercises were a bit copy-and-paste without much understanding of what was going on.

Not much feedback from students. No one was asked to prove they'd got the right answer.

Crucially - I have no idea what sort of questions are going to be on the exam! Is it the port numbers? The name of tools? The specific syntax?

Had to ask. Turns out will need to remember port numbers, nmap options, etc.

Day 1 Notes

Started on a poor note - had to use GoToMyPC which doesn't have a Linux client. The Linux option was use OpenVPN to connect to the provider's infrastructure, and then SSH into a Kali Linux image. Installing your own Kali would also be possible, but you still need to connect to the VPN to "attack" the provided vulnerabilities.

Would have been useful if they gave those instructions beforehand. Wasted half an hour while people worked out what to do.

Brief discussion of password cracking. Looking at HaveIBeenPwned and various top 10 lists.

Basics of the Cyber Kill Chain. Enumerate, identify vulnerabilities, exploit, post-exploit, use privileges, repeat. No real discussion of it, or its shortcomings.

Module 1 - port scanning

ARP - layer 2 of OSI. Below IPv4. ARP maps hardware MAC to IP. Note - only for IPv4. ARP broadcast can ask machines on a local network for the IP addresses.

arp-scan to find the live hosts.

Basics of TCP. 3 way handshake. Flags. Segment Header format. SYN. SYN/ACK. ACK.

Use of Wireshark to examine TCP packets.

UDP - what it is, why it is unreliable, header formats.

Ports - what they are, reserved ports, port state. Basics of netstat.

Basics of nmap. 3 way handshake then RST. Don't need special privileges - handy if you have compromised a machine. Plays by the rules, so less likely to trip firewalls. Slower than a half-open scan, so use -sS for SYN, SYN/ACK, RST. Requires privileges, and might get picked up by Intrusion Detection Systems (IDS).

UDP scan -sU. Requires privileges, sends empty UDP packet to every targeted port. Can send specific data --data. Might be blocked by firewalls. Ports can be filtered. UDP is often used on VPN, NTP, DNS, SNMP.

Dump to file(s) for later ingestion into metasploit: nmap -sS -sV -nvv -O 192.168.3.0/24 -oA portscan_tcp

Module 2 - password attacks

Online and offline attacks. Sending repeated requests vs looking though a dumped file.

Enumerate users. What are lockout policies? Admins are often exempt from lockout. Throttle brute-force attempts. Often generates lots of log entries and / or alarms.

Intro to SNMP. UDP 161. 1 & 2c have no auth or encryption. Need to know the "community string" or use manufacturer's default. Public string vs Private string.

onesixtyone can bruteforce common strings.

OID values. No real explanation of what they were.

snmpwalk -v 1 -c ???? 192.168.?.? <OID> Need to learn that syntax.

Attacking MySQL

Old RCE. SQL Injection. Abusing phpMyAdmin. Brute force. Root user is almost always there and has no lockout.

hydra to guess passwords

Once logged in, can use Select LOAD_FILE('/etc/passwd'); Or Select * from mysql.user; to get all users.

Quite a good exercise, find a MySQL server via nmap, use hydra to try common passwords, log in, get credit card data and other password info.

Chaining

Using the above, use nmap to find the ssh port. Use one of the users found and brute force their password.

use ssh -t to exfiltrate data. ssh -t user@192.168.3.123 -p 1234 "cat /etc/passwd"

Then brute the postgres user password and get shell using sqlmap -f -d postgres://postgres:password@192.168.3.123:5432/postgres --os-shell

Metasploit basics

Loading output of nmap into it. msfconsole. Most exploits can be detected by common anti-virus. Use show axillary and show exploits and show payloads to get list.

bind - waits for a response. reverse shell - the machine connects directly to you. Useful for bypassing firewalls.

meterpreter is the most advanced payload.

Grepping through metasploit. Getting reverse shell on an IRC (!) server.

Cracking Passwords

MD5, SHA1, LM/NTLM, Blowfish, SHA256, SHA512 hashing etc. Rainbow tables to use offline attacks. Salting etc.

Encoding, encrypting, hashing. Transforming clear text via a reversible algorithm eg Base64. Asymmetric encryption relying on public and private keys. Hashing is a one-way function - usually produces a fixed length string.

Salting - a way to obfuscate the hash.

openssl passwd -1 -salt 123 password use MD5 password with salt.

Salt can be cached domain credentials like the username. Unix uses random salt.

LM (LanMan) is an insecure Windows hashing for XP and earlier.

John The Ripper - can brute force per character (slow) or a word list (faster). unshadow /etc/passwd /etc/shadow > hashes john --single hashes john -w=wordlist

Hashcat can use a GPU for password cracking.

I hated playing sports as a teenager quelle surprise. In a vain attempt to get me to love the beautiful game, a PE teacher once made me team captain for a kickabout. My rival? Sporty Dave. Head boy, house captain, and conqueror of puberty.

The PE teacher made us pick our teams. I went first and, naturally, chose the weakest of my classmates - Fat Derek. He was overjoyed not to be picked last for once.

"You idiot!" whispered Dave. He picked his mate Phil - who was similarly blessed in the sporting department.

I chose Asthmatic Gary next, while Dave signed up another sporting hero.

And so it went. I assembled a team of wheezers, misfits, and the terminally unfit. Dave had the cream of the crop - all of whom snickered at us. We went off to give our teams a pep-talk before kick-off.

"Right lads," I said, "Do any of you actually enjoy playing football?"

They looked around sheepishly and agreed, collectively, that they found the whole experience pretty miserable.

"OK, so here's how we have fun while making the other team feel as crappy as we usually do..." at which point, in the TV adaptation of my life, the camera pulls out and the sound trails off.

In reality, my plan was simple. Our aim was to help the opposing team score as many goals as possible. If the ball looked like it was coming towards us, we had to sidestep it. If we were ever unlucky enough to be in possession of the ball, we had to pass it to an opposing player. Whenever they scored a goal, we had to applaud them.

The whistle blew, and we were off.

The opposing team couldn't believe their luck! Goal after goal flowed. By the time we were 5-nil down, the novelty of it had worn off. Once the score was 15-love, Sporty Dave jogged over to me.

"Ummm... Do you think you could play, please?"

"What do you mean?"

"Errr... It just isn't fun doing it like this?"

"I dunno mate," I looked over at my team who were grinning away, "We seem to be having a lot of fun. We're not tired and sweaty, we're not getting pushed, shoved, or humiliated, and we're enjoying helping you win."

"But it doesn't count!" He whined. "It's just too easy."

"You're scoring lots of goals. Isn't that what you wanted?"

"Yes... but..."

"Well then? My team get to be fresh and alert for the double-maths we've got after this. And you get to run around chasing the ball. Let's carry on!"

And so we did. We rewrote the rules of the game so that we could have fun. Our idea of fun was radically different from the sporty-boys - but we didn't care.

You don't have to play the same game as other people on the pitch. Even if you're bound by the same rules of play, you can alter your success criteria to be something that you want to achieve.

We ended the game triumphant. For the first time in living memory, we were happy after PE. Our rivals, despite their 37 goals, looked miserable and dejected.

They didn't want to win. They didn't even want to play. They wanted to humiliate their rivals. Once we were no longer able to be humiliated, they found the entire experience as demoralising as we usually did.

After that incident, I was only ever picked to be team captain once more. But that's tomorrow's post.

But the version I created relied on Google Calendar which, sadly, isn't that great. It doesn't look wonderful, especially on small screens, and is limited to only one calendar feed.

So I used the mighty power of Open Source to build my own! https://edent.tel/calendar It uses two cool components. First, the DHTMLX Scheduler tool - a GPL-licensed project to make beautiful web calendars.

Secondly, Open Web Calendar by Nicco Kunzmann. It takes multiple ICS feeds and transforms them into a format suitable for the scheduler.

With a little bit of prodding and poking, I was able to create a responsive web calendar which shows my personal, work, social, and group calendars all at once.

There are a few snags. The project uses Python Flask - which meant learning a new programming paradigm. I might try to rewrite parts of it to use PHP. Because I'm using someone else's code, I've hacked away parts which aren't of use to me - let's hope nothing was load bearing! Similarly, as it's a small personal project, there are no tests. There are a few aesthetic touches I'd like to make - but it is quite serviceable. I also need to set up a better way to deploy it rather than FTP'ing files and restarting Flask.

But, for a weekend of sporadic hacking, I'm quite pleased with the result! The code is available on my GitLab.

Privacy and Risks

All the entries on my various calendars are set to private. That means if you send me a meeting invite, your details shouldn't appear on the page.

This co-mingles my personal and work calendars. Because I don't want someone booking a meeting when I've got an evening Zumba class. Is there a risk that you knowing that I'm busy from 19:30 to 21:56 reveals the train journey I'm taking?

If something is in both my personal and work calendar - it shows up as a double booking. Should I merge these?

Could advertisers mine my data to better target me? It's not very granular, and I block adverts.

If someone annoying wants to meet with me, it's harder to fob them off with "my diary's chockablock."

When I jet off to an exotic foreign country (*sobs in pandemic*) will it be obvious what timezone I'm in based on my appointments?

By opening up this data, am I participating in a destructive form of "quantified self"? Will people judge me / themselves on how busy I am?

Edward Snowden, the man who risked everything to expose the US government’s system of mass surveillance, reveals for the first time the story of his life, including how he helped to build that system and what motivated him to try to bring it down.

I'm a civil servant in the UK. Luckily, I suppose, I don't often have access to TOP SECRET information. I suppose I could leak the canteen's lunch menu, but that won't make headlines.

What drives a person to jeopardise their career, their family, their life, and - depending on who you believe - their country and its allies?

This is a good book, badly written.

The opening few chapters are a bore. I suspect it's to "prove" he's a genuine, mom-and-apple-pie, red-blooded American. But that's not really why we're here - you can happily skip the first third of the book. I'd recommend skimming from there to about the halfway point.

Even then, it's flabby. Meandering descriptions which go nowhere. He conflates wasteful public spending with mass surveillance. There's a page randomly dedicated to what the word "whistle-blower" means in different languages. And some pedantic nitpicks of what sort of software career he had. It becomes a mish-mash of political ideas and workplace gripes.

The end is spectacular. A gripping description of the emotional and practical side of exfiltrating data and going on the run.

I've seen Snowden speak (via telescreen) at a conference. He's articulate and passionate. His knowledge and persuasive manner make him a fascinating character. But the book feels like half autobiography and half political manifesto - without doing either particularly well.

The Netherlands is a world leader in responsible disclosure. The Dutch like to resolve conflicts through a process of general consultation: the famous ‘polder model’. In this book, we hear from the hackers, system owners, IT specialists, managers, journalists, politicians and lawyers who have been key players in a number of prominent disclosures. Their stories offer a glimpse into the mysterious world of cyber security, revealing how hackers can help us all.

A short but essential volume. A pleasing ramble through Dutch infosec and how they built up a culture of responsible disclosure. Lots of great examples of where things have gone well - and some shocking examples of where disclosure has failed.

It's a well written look at what happens when a responsible security researcher finds a vulnerability. There are court cases, intrigue, international diplomacy, and some spectacularly inept decisions on display.

It is, by its nature, a little parochial - but provides an excellent template for how industry can work with "freelance infosec professionals".

I'm doing everything a geek can to protect their online life. Is it enough?

Terence Eden is on Mastodon

@edent

Is there a market / service for *personal* pen-testing or social engineering?

I like to think I've got all my security set up. But how easily could a fraudster take over my life?

---

This is not an invitation to hack me. I'd like to pay a professional to see how far they can infiltrate my online life. Is my bank particularly vulnerable to social engineering? Does my hosting provider accept a fax to transfer away my domains? Is an image of my passport floating around the dark web? What OSINT should I be scrubbing from the web?

I've got a stupid amount of smarthome tech - and I know there's no way to secure my network - but I imagine that's a target for someone more dedicated than a casual thief.

I can find pentesting services for companies. I can find some which claim to test the security of CEOs and celebrities. But I can't find anything for ordinary people.

Does this service exist? If not, is this a million-dollar start-up idea?

Getting started

You will need:

• A Tado (duh!)
• Your Username (usually your email address)
• Your Password
• A Client Secret

Getting the client secret

I'm using this client secret: wZaRN7rpjn3FoNyF5IFuxg9uMzYJcvOoQ8QWiIqS3hfk6gLhVlG57j5YNoZL2Rtc This secret may change in the future. In the examples, I'll shorten it to wZa to make it easier to read. You will need to use the full length secret when running this code.

To get the current secret, you can visit https://my.tado.com/webapp/env.js and get the secret from there.

var TD = {
    config: {
        version: 'v587',
        tgaRestApiEndpoint: 'https://my.tado.com/api/v1',
        tgaRestApiV2Endpoint: 'https://my.tado.com/api/v2',
        susiApiEndpoint: 'https://susi.tado.com/api',
        oauth: {
            clientApiEndpoint: 'https://my.tado.com/oauth/clients',
            apiEndpoint: 'https://auth.tado.com/oauth',
            clientId: 'tado-web-app',
            clientSecret: 'wZaRN7rpjn3FoNyF5IFuxg9uMzYJcvOoQ8QWiIqS3hfk6gLhVlG57j5YNoZL2Rtc'
        }
    }
};

If that ever changes, you will need to open your web browser's development tools, and then look in the network tab. Then, log in to https://my.tado.com/webapp/.

You should see the token:

Get Bearer Token

These examples use the curl command on Linux.

Here's how to turn your username and password into a "Bearer Token" - this is needed for every subsequent API call:

curl -s "https://auth.tado.com/oauth/token" -d client_id=tado-web-app -d grant_type=password -d scope=home.user -d username="you@example.com" -d password="Password123" -d client_secret=wZa

The response will be:

{
    "access_token": "abc",
    "token_type": "bearer",
    "refresh_token": "def",
    "expires_in": 599,
    "scope": "home.user",
    "jti": "xyz-123"
}

The real access_token will be very long. I've shortened it to abc make things easier to read in these examples.

The access token expires after 600 seconds. You can either request a new one with the username and password, or use the provided refresh_token like so:

curl -s "https://auth.tado.com/oauth/token" -d grant_type=refresh_token -d refresh_token=def -d client_id=tado-web-app -d scope=home.user -d client_secret=wZa

Get your details

The next step is to get your homeId - this will also be needed for subsequent API calls:

curl -s "https://my.tado.com/api/v1/me" -H "Authorization: Bearer abc"

You'll get back your data, like this:

{
    "name": "Terence Eden",
    "email": "you@example.com",
    "username": "your_user_name",
    "enabled": true,
    "id": "987654321",
    "homeId": 123456,
    "locale": "en_GB",
    "type": "WEB_USER"
}

Your homeId is what's important here. I'm going to use the example 123456 - you should use your own.

Check it all works

This request will check that you've got the right details.

curl -s "https://my.tado.com/api/v2/homes/123456" -H "Authorization: Bearer abc"

You'll get back information about your installation. I've redacted mine for privacy.

{
    "id": 123456,
    "name": " ",
    "dateTimeZone": "Europe/London",
    "dateCreated": "2015-12-18T19:21:59.315Z",
    "temperatureUnit": "CELSIUS",
    "installationCompleted": true,
    "partner": " ",
    "simpleSmartScheduleEnabled": true,
    "awayRadiusInMeters": 123.45,
    "usePreSkillsApps": true,
    "skills": [],
    "christmasModeEnabled": true,
    "contactDetails": {
        "name": "Terence Eden",
        "email": " ",
        "phone": " "
    },
    "address": {
        "addressLine1": " ",
        "addressLine2": null,
        "zipCode": " ",
        "city": " ",
        "state": null,
        "country": "GBR"
    },
    "geolocation": {
        "latitude": 12.3456789,
        "longitude": -1.23456
    },
    "consentGrantSkippable": true
}

Get your data

OK, here's where the fun begins. This gets the data about your installation - including firmware details, device names, etc.

curl -s "https://my.tado.com/api/v2/homes/123456/zones" -H "Authorization: Bearer abc"

Here's what you get back - I've redacted some of my details.

[{
    "id": 1,
    "name": "Heating",
    "type": "HEATING",
    "dateCreated": "2015-12-21T15:46:45.000Z",
    "deviceTypes": ["RU01"],
    "devices": [{
        "deviceType": "RU01",
        "serialNo": " ",
        "shortSerialNo": " ",
        "currentFwVersion": "54.8",
        "connectionState": {
            "value": true,
            "timestamp": "2019-02-13T19:30:52.733Z"
        },
        "characteristics": {
            "capabilities": ["INSIDE_TEMPERATURE_MEASUREMENT", "IDENTIFY", "OPEN_WINDOW_DETECTION"]
        },
        "batteryState": "NORMAL",
        "duties": ["ZONE_UI", "ZONE_LEADER"]
    }],
    "reportAvailable": false,
    "supportsDazzle": true,
    "dazzleEnabled": true,
    "dazzleMode": {
        "supported": true,
        "enabled": true
    },
    "openWindowDetection": {
        "supported": true,
        "enabled": true,
        "timeoutInSeconds": 1800
    }
}, {
    "id": 0,
    "name": "Hot Water",
    "type": "HOT_WATER",
    "dateCreated": "2016-10-03T11:31:42.272Z",
    "deviceTypes": ["BU01", "RU01"],
    "devices": [{
        "deviceType": "BU01",
        "serialNo": " ",
        "shortSerialNo": " ",
        "currentFwVersion": "49.4",
        "connectionState": {
            "value": true,
            "timestamp": "2019-02-13T19:36:17.361Z"
        },
        "characteristics": {
            "capabilities": []
        },
        "isDriverConfigured": true,
        "duties": ["ZONE_DRIVER"]
    }, {
        "deviceType": "RU01",
        "serialNo": " ",
        "shortSerialNo": " ",
        "currentFwVersion": "54.8",
        "connectionState": {
            "value": true,
            "timestamp": "2019-02-13T19:30:52.733Z"
        },
        "characteristics": {
            "capabilities": ["INSIDE_TEMPERATURE_MEASUREMENT", "IDENTIFY", "OPEN_WINDOW_DETECTION"]
        },
        "batteryState": "NORMAL",
        "duties": ["ZONE_UI", "ZONE_LEADER"]
    }],
    "reportAvailable": false,
    "supportsDazzle": false,
    "dazzleEnabled": false,
    "dazzleMode": {
        "supported": false
    },
    "openWindowDetection": {
        "supported": false
    }
}]

State

This command will tell you if you're home or not. Or, in other words, whether the Tado thinks you're nearby:

curl -s https://my.tado.com/api/v2/homes/123465/state -H "Authorization: Bearer abc"

This is what you'll get back if you're at home

{"presence":"HOME"}

Zones

My Tado has two "Zones". 0 is for Hot Water, 1 is for Heating. Yours may be different.

Hot Water Information

curl -s https://my.tado.com/api/v2/homes/123456/zones/0/state -H "Authorization: Bearer abc"

Here's information about your hot water:

{
    "tadoMode": "HOME",
    "geolocationOverride": false,
    "geolocationOverrideDisableTime": null,
    "preparation": null,
    "setting": {
        "type": "HOT_WATER",
        "power": "OFF",
        "temperature": null
    },
    "overlayType": null,
    "overlay": null,
    "openWindow": null,
    "nextScheduleChange": {
        "start": "2019-02-13T19:00:00Z",
        "setting": {
            "type": "HOT_WATER",
            "power": "ON",
            "temperature": null
        }
    },
    "link": {
        "state": "ONLINE"
    },
    "activityDataPoints": {},
    "sensorDataPoints": {}
}

Heating

It's much the same for Heating information:

curl -s https://my.tado.com/api/v2/homes/123456/zones/1/state -H "Authorization: Bearer abc"

This also gets you humidity data etc:

{
    "tadoMode": "HOME",
    "geolocationOverride": false,
    "geolocationOverrideDisableTime": null,
    "preparation": null,
    "setting": {
        "type": "HEATING",
        "power": "ON",
        "temperature": {
            "celsius": 15.00,
            "fahrenheit": 59.00
        }
    },
    "overlayType": null,
    "overlay": null,
    "openWindow": null,
    "nextScheduleChange": {
        "start": "2019-02-13T17:30:00Z",
        "setting": {
            "type": "HEATING",
            "power": "ON",
            "temperature": {
                "celsius": 18.00,
                "fahrenheit": 64.40
            }
        }
    },
    "link": {
        "state": "ONLINE"
    },
    "activityDataPoints": {
        "heatingPower": {
            "type": "PERCENTAGE",
            "percentage": 0.00,
            "timestamp": "2019-02-13T10:19:37.135Z"
        }
    },
    "sensorDataPoints": {
        "insideTemperature": {
            "celsius": 16.59,
            "fahrenheit": 61.86,
            "timestamp": "2019-02-13T10:30:52.733Z",
            "type": "TEMPERATURE",
            "precision": {
                "celsius": 0.1,
                "fahrenheit": 0.1
            }
        },
        "humidity": {
            "type": "PERCENTAGE",
            "percentage": 57.20,
            "timestamp": "2019-02-13T10:30:52.733Z"
        }
    }
}

Weather

Tado also provides you with data about the external weather:

curl -s https://my.tado.com/api/v2/homes/123456/weather -H 'Authorization: Bearer abc'

You get back a basic weather report for your location:

{
    "solarIntensity": {
        "type": "PERCENTAGE",
        "percentage": 68.10,
        "timestamp": "2019-02-10T10:35:00.989Z"
    },
    "outsideTemperature": {
        "celsius": 8.00,
        "fahrenheit": 46.40,
        "timestamp": "2019-02-10T10:35:00.989Z",
        "type": "TEMPERATURE",
        "precision": {
            "celsius": 0.01,
            "fahrenheit": 0.01
        }
    },
    "weatherState": {
        "type": "WEATHER_STATE",
        "value": "CLOUDY_PARTLY",
        "timestamp": "2019-02-10T10:35:00.989Z"
    }
}

Controlling your home

It's possible to turn the heating and hot water on / off.

Turn Heating On

This is a PUT request

curl -s 'https://my.tado.com/api/v2/homes/123456/zones/1/overlay' -X PUT -H 'Authorization: Bearer abc' -H 'Content-Type: application/json;charset=utf-8' --data '{"setting":{"type":"HEATING","power":"ON","temperature":{"celsius":21,"fahrenheit":69.8}},"termination":{"type":"MANUAL"}}'

Just to make it easier to read, this is the JSON data that you have to PUT:

{
    "setting": {
        "type": "HEATING",
        "power": "ON",
        "temperature": {
            "celsius": 21,
            "fahrenheit": 69.8
        }
    },
    "termination": {
        "type": "MANUAL"
    }
}

If it has worked, you'll get back this response:

{
    "type": "MANUAL",
    "setting": {
        "type": "HEATING",
        "power": "ON",
        "temperature": {
            "celsius": 21.00,
            "fahrenheit": 69.80
        }
    },
    "termination": {
        "type": "MANUAL",
        "projectedExpiry": null
    }
}

End Manual Heading Mode

This is a simple DELETE command:

curl -s 'https://my.tado.com/api/v2/homes/123456/zones/1/overlay' -X DELETE -H 'Authorization: Bearer abc'

Turn on Hot Water

Much the same as before

curl -s 'https://my.tado.com/api/v2/homes/123456/zones/0/overlay' -X PUT -H 'Content-Type: application/json;charset=utf-8' -H 'Authorization: Bearer abc'--data '{"setting":{"type":"HOT_WATER","power":"ON"},"termination":{"type":"MANUAL"}}'

Turn off Hot Water

Again, a DELETE

curl -s 'https://my.tado.com/api/v2/homes/123456/zones/0/overlay' -X DELETE -H 'Authorization: Bearer abc' 

Historic Information

You can get a complete view of historic data with:

curl -s 'https://my.tado.com/api/v2/homes/123456/zones/1/dayReport?date=2018-02-14' -H 'Authorization: Bearer abc' 

The date at the end is in ISO8601 format. You'll receive info on internal and external temperature, humidity levels, whether the heating and hot water were on, and a few other bits and bobs.

What's Next?

There are a bunch of other things you can do with the API, like setting a schedule etc. Sadly, I don't have time to document them all. But this should be enough to get you detailed information, and basic control.

I'd love it if someone could make OpenAPI documentation for this.

You authorise it - whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and dank memes. Tragic!

What's going on?

Many years ago the official Twitter API keys were leaked. This means that app authors who can't get their app approved by Twitter are still able to access the Twitter API.

For some reason, Twitter's OAuth screen says that these apps do not have access to Direct Messages. But they do!

In short, users could be tricked into allowing access to their DMs.

Restrictions

There are some restrictions which Twitter has put in place in the name of good security. The most important of these is restricting callback addresses. After successful login, the apps will only return to a predefined URL. That means you can't take the official Twitter keys and send the user to your app. This is a sensible security decision.

Except... Not every app has a URL. Or supports callbacks. Or is an actual app. Twitter has a secondary authorisation mechanism for such cases. You log in, it provides a PIN, you type the PIN into your app.

It appears that these official PIN apps don't display the correct OAuth information to the user.

Fixing it

Will Twitter audit old apps and make sure the permissions are correctly displayed? I hope so!

Ideally, Twitter should have a much more granular permissions model. Allow apps to read DMs, but not send them. Write tweets, but not delete them. Read Tweets, but not follow people.

Timeline

• 2018-11-06 Submitted via HackerOne
• 2018-11-06 Provided clarification and PoC. Issue accepted.
• 2018-11-15 Proposed publication date of 30th November rejected due to US holidays.
• 2018-11-16 Bug Bounty of $2,940 offered. Filled in the W2 form to say I'm not a US taxpayer.
• 2018-11-17 Drank a fair amount of cider.
• 2018-11-21 £2,287.05 deposited in my UK bank account. There was also the option of receiving it via PayPal.
• 2018-12-06 Twitter fixed the issue and published the bounty payout. They let me know I was clear to publish.
• 2018-12-07 I provided clarification that the issue was still present on some API keys.
• 2018-12-14 Published this report.

Terence Eden is on Mastodon

@edent

I've hacked @edent_roomba to obey its true master.

(You'll want the volume up for this.) pic.x.com/urd5xuyuj1

---

The Roomba has a basic speaker. It can play pre-recorded status messages - but it can also chirp out basic musical notes.

Following their guide to adding new songs, I was able to customise my device to show true deference the ruler of our household!

I am thoroughly unmusical, so if any of you are able to magic up some delightful new tunes - that would be wonderful!

• URL http://[IP]/adm/file.cgi?todo=inject_telnetd
• Telnet username root
• Telnet password Aq0+0009

History

Four years ago to the day, I wrote an exposé of the hideous security failings of Sercomm IP Cameras. The blog has since attracted 200 comments - as people try to unlock their cameras, and find out what flaws they have.

Despite my best efforts at contacting Sercomm - the OEM who manufactures the cameras - and the "security" resellers who irresponsibly sell them to unsuspecting customers, the flaws remain unpatched.

Factory Reset

Most of the Sercomm cameras have a custom firmware which locks them down. As documented in my previous blog post, resetting the cameras is depressingly easy.

1. Stick paperclip in the reset hole for a few seconds.
2. The default login name is administrator
3. There is no password set!

Turning on Telnet

The process for enabling Telnet was first published in 2011. It depends on the firmware that Sercomm have pre-loaded, but you just need to visit the specially crafted URl: http://[IP]/adm/file.cgi?todo=inject_telnetd

Firmware Trickery

Over on my GitHub repo of Sercomm API commands, you'll find a copy of the firmware for the iCamera 1000.

A contributor to the blog, Paul Chambers, describes how he deciphered the firmware.

The firmware is a modified SquashFS filesystem. Inside, it contains a symlink from /etc/passwd -> /mnt/ramdisk/tmp/passwd

/etc/rc.sethost contains the string passwd

Running rc.sethost does various things including writing a passwd file to /mnt/ramdisk/tmp/passwd

Inside that, I saw root:9sXicXdz8JrVk:0:0:root:/root:/bin/sh

The string 9sXicXdz8JrVk is a traditional DES based hash

I patched rc.sethost to skip the call to crypt. Then I got:

root:Aq0+0009:0:0:root:/root:/bin/sh

I double-checked it was correct by running

squashfs-root$python -c "import crypt;print crypt.crypt('Aq0+0009', '9s')"

9sXicXdz8JrVk

So the username is root and the password is Aq0+0009

There you have it. Different cameras may have different firmwares with different passwords - but I'd guess that they all follow a similar pattern. This particular password works on Firmware version V3.0.01.29

Enjoy!

However! All is not lost. If you log in to your Renault Account - https://www.renault.co.uk/my-account/my-car.html - you'll get details back about your car including its make, model, date of next service, and mileage!

Why isn't this in the regular API? Who knows. But here's how to get it programmatically.

API

The API to call is:

https://www.renault.co.uk/content/renault_prod/en_GB/index/my-account/my-car/jcr:content.getvehicle.json?vin=VF1ABCDE012345678

You will need to stick your own VIN on the end.

That alone won't get you very far - the API requires authentication (not always a given with automotive services!) See bottom of this page for details.

Data

The data you get back is fairly unexciting:

{
    "lastMileageRefresh": "2017-10-15",
    "mileage": 2052,
    "averageMileage": 1973,
    "lastWorkshopVisitMileage": 1853,
    "portalServices": ["ZEPORTAL", "BATTERY", "RLINK"],
    "detailedVehicleName": "Dynamique Nav",
    "registrationNumber": "PK66LTE",
    "firstRegistrationDate": "2016-08-01",
    "electric": true,
    "vehicleManual": {
        "path": "//www.cdn.renault.com/content/dam/Renault/UK/owner-services/private/zoe/X101VE/manual.pdf",
        "size": "5.46MB",
        "extension": "pdf"
    },
    "upcomingServices": [{
        "year": "2018",
        "month": "september",
        "items": [{
            "date": "2018-08-01",
            "code": "13",
            "name": "Replace the cabin filter"
        }, {
            "date": "2018-08-01",
            "code": "185",
            "name": "Z.E. A service"
        }, {
            "date": "2018-08-01",
            "code": "186",
            "name": "Z.E. B service"
        }]
    }, {
        "year": "2019",
        "month": "september",
        "items": [{
            "date": "2019-08-01",
            "code": "13",
            "name": "Replace the cabin filter"
        }, {
            "date": "2019-08-01",
            "code": "180",
            "name": "Replace 12 V battery"
        }]
    }],
    "vin": "VF1ABCDE012345678",
    "vehicleName": "ZOE",
    "smallImage": "https://3dv1.renault.com/ImageFromBookmark?configuration\u003dSKTPOU%2FSSCALL%2FPRLEX1%2FSTANDA%2FB10%2FEA2%2FDD%2FCAREG%2FVT003%2FRET02%2FRALU16%2FDRAP03%2FOV369%2FRDAR02%2FALEVA%2FSOP02C%2FTRNOR%2FLVAVIP%2FLVAREL%2FNAV3G5%2FRAD06D%2FALAR06%2FSAN913%2FBT4MR1\u0026databaseId\u003da3750aea-330d-4c06-91fd-d2ec8d82e763\u0026bookmarkSet\u003dRSITE\u0026bookmark\u003dEXT_34_AV\u0026profile\u003dHELIOS_OWNERSERVICES_SMALL_V2",
    "largeImage": "https://3dv1.renault.com/ImageFromBookmark?configuration\u003dSKTPOU%2FSSCALL%2FPRLEX1%2FSTANDA%2FB10%2FEA2%2FDD%2FCAREG%2FVT003%2FRET02%2FRALU16%2FDRAP03%2FOV369%2FRDAR02%2FALEVA%2FSOP02C%2FTRNOR%2FLVAVIP%2FLVAREL%2FNAV3G5%2FRAD06D%2FALAR06%2FSAN913%2FBT4MR1\u0026databaseId\u003da3750aea-330d-4c06-91fd-d2ec8d82e763\u0026bookmarkSet\u003dRSITE\u0026bookmark\u003dEXT_34_DESSUS\u0026profile\u003dHELIOS_OWNERSERVICES_LARGE",
    "identifier": "X101VE"
}

Authentication

In order to get these data, you will need a username and password for the Renault website. Once logged in, you should be able to inspect the requests your browser makes. All you need is the X-Mapping and JSESSIONID part of the cookie. You'll end up with a request like:

curl 'https://www.renault.co.uk/content/renault_prod/en_GB/index/my-account/my-car/jcr:content.getvehicle.json?vin=VF1ABCDE012345678' -H 'Cookie: X-Mapping-pjobmcgf=123456789; JSESSIONID=abcdefghij;

If you dig around the Renault site, you'll see they use Apigee and helpfully include their clientKey and apiKey in some of the JSON they send to your browser. I'm sure people smarter than me can figure out how to use them.

The Cake Is A Lie

I am not convinced that this is live data. It looks to me like Renault are using your average yearly mileage and extrapolating what today's mileage will be. But it is better than nothing.