Kali Nethunter for the NVIDIA Shield Tablet

Hello all,
Last week I wanted to add Android 7 support to Kali Nethunter for the NVIDIA Shield Tablet.

I used to have a Nexus 9 with Nethunter (for which I built a Nougat kernel as well: https://github.com/SecurityAddicted/ElementalX-N9-Nethunter, now merged into the Nethunter main repo) which did awesome work, but unfortunately Wi-Fi/Bluetooth suddenly stopped working (it seems prone to damage to the internal wireless chip; lots of malfunctioning mainboards can be found on eBay), so I bought a Shield Tablet to replace it.

It’s a nice piece of hardware, almost as fast as the N9 (but it lacks the 64-bit architecture), a bit smaller (but still good to work on) and definitely lighter. However, the current Nethunter only supports Android 5.1 and 6, and I didn’t want to work on such old platforms with unpatched security vulns (KRACK anyone?), but wanted to stay up to date with the current LineageOS release for the Shield Tablet.

After a few hours of work, I finally built a new kernel using the awesome work of BitOBSessiOn (https://github.com/BitOBSessiOn/android_kernel_nvidia_shieldtablet) with patches on top to enable the features needed by Nethunter. I have been running the kernel for a few days without problems.

I submitted the pull request to the official Nethunter repo (https://github.com/offensive-security/nethunter-devices/pull/125), but until it is accepted into the mainline, a test build can be downloaded from https://mega.nz/#!A0xVwQwA!QETEOWj-a5p6Wzbf11UaSp51b4fShyazOVqzdvDdujQ

Please report any bug here or on the GitHub page of the project (https://github.com/SecurityAddicted/android_kernel_nvidia_shieldtablet).

Enjoy!


Weaponizing the GL.iNet GL-AR150

UPDATE 06/02/2019:

I apologize for the delay in posting this. Unfortunately, maintaining this firmware port has become too time-consuming for me. Additionally, Hak5 seems to have started embedding hardware checks into their binaries.

Since I use this device for work, I don’t want to bother solving firmware problems while I should focus on the actual work, so I’m deprecating this project. The last working version will be 2.0.2, and no other updates on this project will be released from my side.

I actually bought one of the amazing Hak5 Pineapples to have peace of mind so when I need it, it works as expected.

Thanks for all the interest this project has attracted over the years, it has been much appreciated!

UPDATE 15/01/2018:

Please make sure you use the TP-Link TL-WN722N version 1, as version 2 is not compatible. In general, all WiFi adapters using the Atheros AR9271 chip should work fine.

Also, I’ve updated the firmware in the GitHub repo to the latest Pineapple v2.0.2 firmware.


Hi all, it has been a long time since I posted something here. I’ll try to post more regularly from now on.

Last week I was wondering if somebody had ported the latest Pineapple firmware (v.1.1.3) to the GL-AR150. As you may know, this small router has the same hardware as the WiFi Pineapple Nano (minus the second radio, of course, but there is a USB port into which you can plug a WiFi adapter).

After spending some time looking for it without luck, I tried to build it myself.

Patrick Sapinski, on his own blog, posted earlier this year a small guide on doing that, and it has been very helpful to me as a starting point.

These are the steps I followed to build a working WiFi Pineapple firmware for the GL-AR150:

Just remember, in make menuconfig, to select the GL-AR150 as the target and to include the driver for the USB WiFi adapter you’re going to use (you must use one; the Pineapple firmware is mostly useless without the second WiFi interface).

For your convenience, the firmware I built is available on my Github repo at https://github.com/SecurityAddicted/pineapple-ar150

I compiled it with support for all common USB WiFi adapters (I tested it with a TP-Link TL-WN722N).

Hope some of you will find this useful.

Enjoy!

Good news

Hi to all!

Today I’ve completed my personal 10 month security training schedule, and I gained my Offensive Security OSCP and OSCE certifications!

These months have been very fun and challenging, and now I feel more prepared than ever! I recommend these courses to anyone who wants to acquire a deep understanding of the very practical aspects of information security. Obviously, some prerequisites are necessary, but the most important one is willingness.

Here is some advice for anyone who wants to start these courses:

  • For OSCP (PWK course) I recommend reading all the course materials first, then diving deep into the labs. Try to own all the machines, with and without Metasploit (even if its use is restricted in the exam, you should take advantage of the lab to learn it, because it will be your best friend in a future job in security). Research all the topics in which you find yourself weak. Try, try, try.
  • For OSCE (CTP course) I recommend reading all the course materials and doing all the exercises. Then, read through all the Corelan Exploit Writing tutorials (VERY recommended!) and perform all the guided exercises. Lastly, create a little lab (some Windows VMs and a Kali VM) and redo ALL the exercises in the course materials. If you have time, try to fuzz some applications and create exploits for the vulns you find.

And remember, when things start to go wrong and you feel tired, it’s time to TRY HARDER!

[HOWTO] Setup your debugging and reverse engineering environment with Python tools

Hi to all, today I’ll explain how to install some Python tools for debugging and reverse engineering on a Windows XP box.
These tools are:

  • Python 2.7 (obviously)
  • Immunity Debugger (great debugger completely scriptable in Python)
  • pefile (Python library for inspecting PE file format)
  • pydasm (Python library for disassembling binary code)
  • paimei (reverse engineering framework written in Python)
  • pydbg (pure-Python win32 debugger interface)

Python 2.7 and Immunity Debugger
We can start with the installation of Immunity Debugger. It will also install the Python 2.7 interpreter on our system.
Download it from the Immunity website (or from here if you don’t want to register). Say Yes when it asks for permission to install Python (you should install it in the default path specified by the installer).
When the installation is finished, add the Python directory to your system PATH, so you can run it from anywhere in the system.

pefile
Download the latest version of pefile from here, unzip it in a folder and run within this folder the following command:

python setup.py install

pydasm
Download pydasm from here, unzip it in a folder and run within this folder the following command:

python setup.py install

paimei & pydbg
Download paimei from here and pydbg from here. Now unzip paimei, it will create a folder named paimei-master. Unzip pydbg, move all pydbg files under paimei-master\pydbg, open a cmd window within paimei-master and launch the command:

python setup.py install

Now, go to C:\Python27\Lib\site-packages\pydbg and delete the pydasm.pyd file (it’s compiled for an older Python version and it prevents the pydbg library from loading).

Now all these tools are properly installed and ready to go.
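As an added example (not part of the original post, and not pefile’s own code), here is a minimal pure-Python parser for the PE headers that pefile inspects: it follows the DOS header to the PE signature, reads the COFF and optional headers, lists the section table, and runs two quick triage checks a reverser usually wants first (which section holds the entry point, and whether any section is mapped both writable and executable). The sample image is constructed inline with struct and is not a real binary; every name in the block is this example’s own. It runs on both Python 2.7 and Python 3.

```python
"""Minimal PE header parser (added example; constructed sample, not a real binary)."""
from __future__ import print_function
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_FMT = "<HHIIIHH"         # 20 bytes: Machine, NumberOfSections, TimeDateStamp, ...
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # 40 bytes per IMAGE_SECTION_HEADER
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

MACHINE_NAMES = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return a dict describing the COFF header, optional header and section table."""
    if data[:2] != MZ_MAGIC:
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    coff_off = e_lfanew + 4
    (machine, n_sections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER_FMT)
    (magic,) = struct.unpack_from("<H", data, opt_off)
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)  # AddressOfEntryPoint
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt_off + 28)
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt_off + 24)  # no BaseOfData in PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    sec_off = opt_off + opt_size                 # section table follows the optional header
    stride = struct.calcsize(SECTION_HEADER_FMT)
    for i in range(n_sections):
        (name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _,
         flags) = struct.unpack_from(SECTION_HEADER_FMT, data, sec_off + i * stride)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_offset": raw_ptr, "raw_size": raw_size, "flags": flags,
            # header claims bytes that are not in the file (truncated or malformed image)
            "truncated": raw_ptr + raw_size > len(data),
        })
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "pe32plus": magic == PE32PLUS_MAGIC, "timestamp": timestamp,
            "image_base": image_base, "entry_point_rva": entry_rva,
            "characteristics": characteristics, "sections": sections}


def entry_section(info):
    """Name of the section containing AddressOfEntryPoint, or None if it points outside all sections."""
    rva = info["entry_point_rva"]
    for s in info["sections"]:
        end = s["virtual_address"] + max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < end:
            return s["name"]
    return None


def writable_executable_sections(info):
    """Sections mapped both writable and executable, a common packer / self-modifying-code tell."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in info["sections"] if s["flags"] & wx == wx]


def build_sample_pe():
    """Constructed PE32 image with three sections; headers only, no real code."""
    dos = bytearray(64)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header right after the stub
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, 3, 0x4F5E0000, 0, 0, 96, 0x0102)
    opt = bytearray(96)                                    # SizeOfOptionalHeader = 96 (no data directories)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1010)                # entry point inside .text
    struct.pack_into("<I", opt, 28, 0x400000)              # ImageBase

    def section(name, vaddr, size, raw_ptr, flags):
        return struct.pack(SECTION_HEADER_FMT, name, size, vaddr, size, raw_ptr, 0, 0, 0, 0, flags)

    table = (section(b".text", 0x1000, 0x200, 0x200, 0x60000020)    # CODE | EXECUTE | READ
             + section(b".data", 0x2000, 0x200, 0x400, 0xC0000040)  # INITIALIZED_DATA | READ | WRITE
             + section(b".rwx", 0x3000, 0x200, 0x600, 0xE0000020))  # CODE | EXECUTE | READ | WRITE
    image = bytes(dos) + PE_SIGNATURE + coff + bytes(opt) + table
    return image + b"\0" * (0x800 - len(image))            # pad so every raw range is inside the file


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(pe["machine"], hex(pe["image_base"]), "entry in", entry_section(pe),
          "W+X sections:", writable_executable_sections(pe))
```

For a real file, replace build_sample_pe() with open(path, "rb").read(); the same fields are what pefile exposes as pe.FILE_HEADER, pe.OPTIONAL_HEADER and pe.sections, with full bounds checking and data-directory parsing on top.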
Enjoy 😉

How to repair the broken Freeradius-WPE default install on BackTrack 5 r2

Hi to all!

In my last hack lab I’ve played with some WPA-Enterprise hacking techniques. Then I saw that the Freeradius-WPE default install in BackTrack 5 r2 doesn’t work out of the box (segmentation fault). So, after some searching on Google, I made it work.

If you need to make Freeradius-WPE work on BackTrack 5 r2, follow these steps.

First, install the package libssl-dev:

apt-get install libssl-dev

Next, download the new Freeradius-WPE package:

wget http://www.opensecurityresearch.com/files/freeradius-server-wpe_2.1.11-1_i386.deb
dpkg --install freeradius-server-wpe_2.1.11-1_i386.deb
ldconfig

Create your certs:

cd /usr/local/etc/raddb/certs/
./bootstrap

Now, Freeradius-WPE should work. Launch it with:

radiusd -s -X

Feel free to leave a comment or to contact us. Any feedback will be appreciated!

How to create a fake AP on BackTrack 5 r2

Hi to all!

In my last MITM test I needed to create a fake AP that can relay all incoming traffic to a wireless interface connected to Internet.

I had some trouble doing this with brctl (because you cannot create a bridge with a wireless interface), so I created a slightly laborious setup with the help of iptables. Obviously, you need two wireless cards to follow this (one for the softAP, wlan1 in this tutorial, and one connected to the Internet, wlan0 in this tutorial).

First, you need to install a dhcp server:

apt-get install dhcp3-server -y

Backup the default DHCP server configuration file:

mv /etc/dhcp3/dhcpd.conf /etc/dhcp3/dhcpd.conf.backup

Create a new DHCP server configuration file:

nano /etc/dhcp3/dhcpd.conf

and add these lines into the file:

ddns-update-style none;
default-lease-time 600;
max-lease-time 7200;
subnet 10.0.0.0 netmask 255.255.255.0 {
    option subnet-mask 255.255.255.0;
    option broadcast-address 10.0.0.255;
    option routers 10.0.0.254;
    option domain-name-servers 8.8.8.8;
    range 10.0.0.1 10.0.0.140;
}

Then, start wlan1 in monitor mode:

airmon-ng start wlan1

Now, you have the interface mon0. So start your softAP (the -e option is used to specify the softAP ESSID, while the -c is used to specify the 802.11 channel):

airbase-ng -e SAhotspot -c 6 mon0

This will create a new interface called at0. Setup this interface:

ifconfig at0 10.0.0.254 netmask 255.255.255.0 up

Now add a route for the traffic:

route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.254

and setup new iptables rules:

iptables -F
iptables -t nat -F
iptables -X
iptables -t nat -X
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
iptables -A FORWARD -i at0 -j ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward

Start the DHCP server on the at0 interface:

dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcp3-server/dhcpd.pid at0

Now all the people that connect to your fake AP will be routed transparently to the Internet.

If you are too lazy to follow this tutorial, you can use a script I made to speed up fake AP creation.

Download it -> FakeAP.tar. Now decompress all the files in the same directory. Launch the script with:

./setupAP.sh <fakeAP-interface> <fakeAP-ESSID> <fakeAP-channel> <internet-interface>

When your tests are done, destroy the AP with:

./destroyAP.sh

Feel free to leave a comment or to contact us. Any feedback will be appreciated!

TV interview (in Italian) with a member of Anonymous

Yesterday in Italy an interview with a member of Anonymous aired on TV.

These are some Q/A’s:


Q: What is Anonymous?

A: Anonymous is a group of people of every kind, age, nature and origin who fight for an ideal: freedom of expression and freedom of communication. It has no political colour.

Q: What is Anonymous’s goal?

A: To guarantee freedom of information in the places where governments restrict it.

Q: How is it organized?

A: Anonymous is not organized. It has no structure, no hierarchy, no leaders. The secret lies in trying to organize an activity, a program, in small cells. There are groups of somewhat more responsible people who try to coordinate the various activities.


You can watch the video HERE.

BackTrack 5 r2 released!

The latest version of the popular Linux distribution for pentesting is out!

http://www.backtrack-linux.org/

After months of development, bug fixes, upgrades, and the addition of 42 new tools, we are happy to announce the full release of BackTrack 5 R2 available for download now. Running our custom-built 3.2.6 kernel with the best wireless support available, this is our fastest and best release of BackTrack yet. In the past few weeks, we have had a flood of submissions to our BackTrack Redmine Tracker with submissions for many new tools and dozens of packages that needed to be updated and this has helped to make this one of the strongest releases we’ve ever had.


Once again, our good friends over at Paterva have created a special BackTrack edition of Maltego 3.1.0 for your data mining pleasure and we have also included their recently-released CaseFile tool to help you organize and collate data from numerous sources. If you have never used these tools before, you really need to…they will change the way you interact with data and conduct reconnaissance.

You will also find we have included Metasploit 4.2.0 Community Edition, version 3.0 of the Social Engineer Toolkit, BeEF 0.4.3.2, and many other tool upgrades too numerous to mention.

In addition to the aforementioned updates and additions, we have also added the following new tools to BackTrack:

arduino, bluelog, bt-audit, dirb, dnschef, dpscan, easy-creds, extundelete, findmyhash, golismero, goofile, hashcat-gui, hash-identifier, hexorbase, horst, hotpatch, joomscan, killerbee, libhijack, magictree, nipper-ng, patator, pipal, pyrit, reaver, rebind, rec-studio, redfang, se-toolkit, sqlsus, sslyze, sucrack, thc-ssl-dos, tlssled, uniscan, vega, watobo, wce, wol-e, xspy

Download it HERE.

Thanks to all guys at Offensive Security!

Best Books Richard Bejtlich read in 2011

Richard Bejtlich is one of the most authoritative people in the computer security field. You can follow his blog at TaoSecurity.

He is an acclaimed reviewer of most books on the subject. This is his personal ranking of the books he read and reviewed in 2011:


  • 10. pfSense by Jim Pingle; Reed Media Services.


And, the winner is…

This is the last in a recent collection of reviews on “hacking” books. Jon Erickson’s Hacking, 2nd Ed (H2E) is one of the most remarkable books in the group I just read. H2E is in some senses amazing because the author takes the reader on a journey through programming, exploitation, shellcode, and so forth, yet helps the reader climb each mountain. While the material is sufficiently technical to scare some readers away, those that remain will definitely learn more about the craft.

H2E accomplishes a very difficult task. The book strives to take readers with little to no real “hacking” knowledge to a level where they can at least understand, if not perform, fairly complicated digital security tasks. Other books aren’t as successful, e.g., “Gray Hat Hacking,” which features material on C, assembly, Python, etc. into one short chapter. In contrast, H2E, in my opinion, does a credible job leading the reader from pseudo-code to C and assembly. Now, I would not recommend this book as a reader’s sole introduction to programming, let alone C or assembly. Please see my older reviews for recommendations on books devoted to those topics. Still, H2E credibly integrates programming into the hacker narrative in a compelling and educational manner.

The author also has a great eye for consistency and style. I welcomed reading his examples using gdb, where he presented code, explained it, stepped through execution, showed memory, transitioned from displaying source, then assembly, and so on. This was a compelling teaching method that technical authors should try to emulate.

Overall I really liked H2E, hence the 5 star review. My only main gripe was the author seems to believe that it’s in society’s benefit for black hats to test and exploit defenses. His claims on p. 4 and p. 319 that hackers improve security remind me of the broken window fallacy, meaning it’s economically beneficial to break windows so a repairman has a job. In reality, the security world is more a redirection of resources away from more beneficial innovation, not a way to build “good security jobs.” Furthermore, all of the supposed advances spurred by reacting to intruder activity do not result in increased security in the enterprise. At this point so much legacy software and equipment is deployed that intruders can always find a way to accomplish their mission, thanks often to the discoveries of so-called hackers. At the end of the day one has to accept the reality that intruders will always try to breach defenses, so it behooves defenders to understand attackers for the benefit of defense.

Hacking: The Art Of Exploitation, 2nd Edition is the book I am currently reading. I recommend it to anyone who wants to gain some knowledge in the computer security field in the right way: coding, coding, coding.

Enjoy it!

Finally here!!!

Hi to all!!!

Finally Security Addicted is here!!!

Security Addicted is the new resource for the Internet underground.

In recent years the Internet has pervaded the real world and has changed our habits.

We dream of helping people establish trust with all the opportunities that can be found on the Internet.

Ok, now it’s time to get to work.

Stay tuned on all the news! Subscribe to RSS, like our Facebook Page or follow us on Twitter!