The Evolution of Software Development: From Manual Coding to AI-Generated Code and the Security Implications

The journey of software development is a fascinating tale of innovation, creativity, and technological advancement. I started learning how to code in the late 80s as a kid with languages such as Pascal and Clipper, later came C and assembly. When my high school introduced a computer science class to teach Basic language, I already had years of experience under my belt.

I had the privilege of witnessing and participating in this evolution, which can be broadly categorized into three distinct stages: the initial development phase, the composition phase, and the current era of AI-generated software. Each stage not only marks a leap in how software is created but also brings its own set of security implications. Let’s explore them in detail.

Stage 1: The Birth of Software Development

Development Phase

In the early days of computing, software development was a meticulous and manual process. Developers wrote code line by line in low-level programming languages like Assembly and later in high-level languages such as Fortran, COBOL and C/C++. This era was characterized by a hands-on approach where every function, algorithm, and data structure had to be explicitly defined by the programmer. All the code was written from scratch.

Security Implications

  • Vulnerability to Human Error: Manual coding was highly prone to human errors, which often led to bugs and security vulnerabilities. Simple mistakes like buffer overflows or improper input validation could compromise the security of the entire system.
  • Lack of Standardized Security Practices: In the infancy of software development, there were few established security protocols. Developers focused more on functionality than on safeguarding against potential threats, leaving many early systems exposed to basic exploits.
  • Reactive Security Measures: Security measures were mostly reactive. Patches and fixes were applied after vulnerabilities were discovered, which often meant that systems were left vulnerable for extended periods.

Security Questions:

  • Who introduced the bug?
  • When was the bug introduced?
  • How was it detected?
  • What can be done to prevent it?

Bug Rate: x1 – bugs in code were introduced by developers.

Stage 2: The Composition Era

Composition Phase

As software systems grew more complex, the industry shifted towards a compositional approach. This phase saw the rise of modular programming, libraries, frameworks, and APIs. Developers could now leverage pre-existing components and services to build applications more efficiently. Composing a project from existing components shortens the time needed to build it.

Security Implications

  • Dependency Management: The reliance on third-party libraries and frameworks introduced new security challenges. Vulnerabilities in these dependencies could propagate to the applications using them, necessitating robust dependency management and regular updates.
  • Standardization of Security Practices: With the maturation of software development, standardized security practices began to emerge. Concepts like secure coding guidelines, code reviews, and penetration testing became integral parts of the development lifecycle.
  • Enhanced Security Tools: The composition era also brought about advanced security tools and practices, such as static and dynamic analysis, to identify vulnerabilities early in the development process.

Security Questions:

  • Where are the bugs coming from: developers or third-party components?
  • Are all third-party components identified?
  • Are all third-party components updated?
  • What process and tools are in place to prevent or mitigate bugs?

Bug Rate: x2 – Bugs are introduced by developers and third-party components.
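To make the dependency-management questions of this stage concrete (which third-party components are present, which are pinned to an exact version, and which pinned versions have a known advisory), here is an added example in Python; it is not code from the post. The requirements text and the advisory table are constructed for illustration and are not real advisory data; a real check would query an advisory database or the vendor's feed.

```python
"""Inventory of third-party components from a requirements-style file.

Added example (not the post's code). Parses a requirements.txt-style list,
reports pinned vs. unpinned components and checks pinned versions against
a small advisory table. Both the requirements text and the advisory table
are constructed for illustration.
"""
import re

# Constructed sample requirements file (not from any real project).
SAMPLE_REQUIREMENTS = """\
# web stack
flask==2.0.1
requests>=2.20
PyYAML==5.3.1
urllib3
-r dev-requirements.txt
cryptography==41.0.3  # pinned after review
"""

# Constructed advisory table: normalized package name -> affected versions.
# Illustrative only; not real advisory data.
SAMPLE_ADVISORIES = {
    "pyyaml": {"5.3.1"},
    "flask": {"0.12.2"},
}

REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)"   # distribution name
    r"(?:\[[^\]]*\])?"                          # optional extras, e.g. [socks]
    r"\s*(?P<op>==|>=|<=|~=|!=|<|>)?\s*(?P<ver>[A-Za-z0-9.*+!-]+)?"
)


def parse_requirements(text):
    """Return one dict per component: name (normalized), op, version, pinned."""
    components = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line or line.startswith("-"):   # skip options such as -r / -e
            continue
        m = REQ_RE.match(line)
        if not m:
            continue
        op, ver = m.group("op"), m.group("ver")
        components.append({
            "name": m.group("name").lower().replace("_", "-"),
            "op": op,
            "version": ver,
            "pinned": op == "==" and ver is not None,
        })
    return components


def audit(components, advisories):
    """Split components into pinned/unpinned and list advisory hits."""
    report = {"pinned": [], "unpinned": [], "advisory_hits": []}
    for c in components:
        if c["pinned"]:
            report["pinned"].append(c["name"])
            if c["version"] in advisories.get(c["name"], set()):
                report["advisory_hits"].append((c["name"], c["version"]))
        else:
            # An unpinned component cannot be checked against advisories
            # reliably: the version installed depends on the resolver's choice.
            report["unpinned"].append(c["name"])
    return report


if __name__ == "__main__":
    comps = parse_requirements(SAMPLE_REQUIREMENTS)
    print(audit(comps, SAMPLE_ADVISORIES))
```

The unpinned list is the answer to "are all third-party components identified?": a component without an exact version is not an identified artifact, so the same file can resolve to a different, possibly vulnerable, build on the next install.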

Stage 3: The AI-Generated Software Era

AI-Generated Software

We are now entering an era where artificial intelligence (AI) plays a significant role in software creation. AI and machine learning models can generate code, suggest improvements, and even autonomously develop entire applications. This evolution is driven by advancements in natural language processing (NLP) and the availability of vast amounts of training data.

The use of AI to generate code drastically shortens development timeframes and reduces the number of developers needed. An explosion of software created by non-developers, and layoffs of technical staff, are coming.

Security Implications

  • Automated Vulnerability Detection: AI can significantly enhance security by automating vulnerability detection and remediation. Machine learning models can analyze vast codebases and identify potential security flaws much faster than human developers.
  • Sophisticated Threats and Defenses: As AI becomes more prevalent in software development, it also becomes a tool for attackers. AI-driven attacks can adapt and evolve, making traditional security measures less effective. However, AI can also be used defensively to predict and counteract these sophisticated threats.
  • Ethical and Compliance Concerns: AI-generated software raises questions about accountability and compliance. Ensuring that AI systems adhere to ethical standards and regulatory requirements is crucial. Additionally, there is a need for transparency in how AI models make decisions to avoid introducing unintentional biases or vulnerabilities.

Security Questions:

  • Where are the bugs coming from: developers, third-party or AI?
  • How is proprietary code protected when working with AI? Submitting proprietary code to AI can be a company privacy violation.
  • Who is responsible for a security bug?
  • Can a company blame it on AI-emitted code?
  • Do processes and tools address all code origins: developers, third-party and AI?

Bug Rate: x3 – In this stage bugs can be introduced by developers, third-party components and AI-emitted code.

Conclusion

The evolution of software development from manual coding to AI-generated solutions has dramatically transformed the industry. Each stage has introduced new efficiencies and capabilities but also brought about distinct security challenges. As we continue to embrace AI in software creation, it is imperative to adopt robust security practices that evolve alongside technological advancements. By doing so, we can harness the full potential of AI while safeguarding against emerging threats and ensuring the integrity and security of our software systems.

Reflecting on my journey through these stages, I’m excited about the future of software development and the possibilities that AI brings. But we must remain vigilant and proactive in addressing the new security challenges that come with it: AppSec is evolving.

–SRF


Information Warfare Strategies (SRF-IWS): Offensive Operations at the Davos Forum

Disclaimer: Everything described here is pure imagination and any resemblance to reality is coincidental. The author is not responsible for the consequences of any action taken based on the information provided in the article.

The Davos Forum organized by the World Economic Forum (WEF) is the economic event of the year that brings together thousands of people from all over the world, from politicians to well-known businessmen, in the town of Davos, Switzerland.

Thousands of people gather in Davos, from political figures and business leaders to support, administrative and security personnel. We define politicians (presidents, prime ministers, and the like) and relevant businessmen (presidents and CEOs) as primary objectives, and support personnel as secondary objectives: compromising the security of the latter enables the surveillance or exploitation of the primary objectives.

During the Davos Forum, attendees are protected by police, military and private security personnel, and several security rings, access controls, special permits for vehicles, anti-drone systems, etc. are established.

For this exercise we will assume that a Nation-State deploys a unit of cyber operatives and field agents in Davos to carry out offensive operations such as spying, installing implants or other subversive activities.

This operation is divided into different phases: preparations before the forum, actions during the forum and post-forum actions. The post-forum actions would be related to persistence, command and control of the objectives and exfiltration of information that we are not going to comment on in this post. Therefore, we are going to focus on the phases before and during the forum.

Preparations before the forum

Preparations prior to the offensive campaign during Davos would include at least the following points:

  1. Selection of objectives: We previously distinguished primary from secondary objectives; at this point we focus on the primary ones only. Politicians and businessmen usually carry high-end smartphones, mainly the latest iPhone model or an older one. Cyber operatives will use OSINT techniques to search for images or videos that can be used to identify the smartphone model. They can also search for public documentation on the acquisition of devices, such as the Spanish Congress did in 2023 with the purchase of iPhones 13 for all deputies.
  2. Identification of RF devices: By using portals such as Wigle and similar, cyber operatives can obtain names of WIFI access points, Bluetooth devices and mobile phone towers in the geographical area. This information is useful for planning RF attacks, also known as proximity attacks, which are generally unknown and undervalued by organizations.
  3. Identification of CCTV devices: Using portals such as Shodan and similar, cyber operatives can search for cameras in Davos to compromise their security and use them for surveillance and monitoring tasks. In the following images we see some Google Dorks, also known as Google Hacking, to search for cameras on the Internet, and on the Hacked.camara web portal we can find hacked cameras in the Davos area.
  4. Development and/or purchase of Exploits: Exploits are the cyber weapons that cyber operatives will use to compromise the targets’ devices. Zero-day vulnerability exploits (vulnerabilities not known to the manufacturers and unpatched) will surely be necessary for systems such as Windows, MacOS, iPhone (iOS) and Android. These types of exploits are expensive (from hundreds of thousands to millions of euros) and nowadays it is usually necessary to have several to be able to compromise the security of a device and be able to bypass all security levels. To get an idea of the cost and complexity, I recommend reading about Operation Triangulation, a recent campaign against a well-known cybersecurity manufacturer in which some of its iPhones were compromised using several zero-day exploits.
  5. Development of Implants: Once access is achieved, it is necessary to deploy implants in the compromised systems to control them and exfiltrate information. As with exploits, cyber operatives must have implants for the different Windows, MacOS, iPhone (iOS) and Android systems. These implants can be developed or purchased on the market and the reality is that many times they do not have to be anything sophisticated to achieve good results. A real example is the use of Pegasus spyware to spy on politicians in Europe.
  6. Equipment: Cyber operatives will have to carry all the software and hardware equipment they may need such as: laptops, WIFI access points, “Lock Picking” tools, antennas, drones, WIFI and Bluetooth adapters, offensive hardware (see my article about it to get an idea), cameras, microphones, and a long etcetera.

Image: Davos devices seen in Wigle

Image: Google Dorks

Image: Hacked CCTV at Davos

Good preparation is crucial for successful cyber-attacks during Davos.

During the forum

During the days of the Davos Forum, cyber operatives can execute a wide range of cyber-attacks to achieve their objectives. Next, we will look at possible attacks, with real examples where possible.

  1. Deployment of fake phone towers to intercept traffic and/or send exploits to mobile phones. These devices are also known as IMSI-catchers. Cyber operatives could deploy them before the event, but for operational security (OPSEC) reasons they would use this attack only during the event. A real case was the detection of fake cell towers around the US White House.
  2. Social engineering: This old and well-known attack still works, although it has been modernized with the use of emails, SMS, and instant messaging (IM). Without a doubt, female operatives in Davos could gain a wealth of valuable information or access to targets’ electronic devices that would allow them to install an implant. A real case is the use of female Russian spies to infiltrate NATO.
  3. USB Drop attack: consists of leaving USB drives containing malware lying on the floor or in some visible place such as a table. When someone finds one and inserts it into a computer to see what is inside, perhaps intending to return it to its owner (the attack exploits human curiosity), the computer is infected by the malware and the cyber operatives now control the device. A well-known and simple offensive programming language is DuckyScript, supported by a multitude of offensive devices, which allows you to create scripts with payloads for Windows, MacOS, Linux, iPhone (iOS) and Android. I recommend the available payloads repository to understand its capabilities. The following image is a well-known script to steal passwords on Windows in a matter of seconds using a USB Rubber Ducky, a known offensive device.
  4. WIFI attacks: another well-known attack is attacking WIFI access points or creating malicious WIFI access points. There are many offensive devices, such as the popular WIFI Pineapple, although a laptop, a Wi-Fi card and a good antenna are sufficient. A real case is the use of drones equipped with offensive devices such as the WIFI Pineapple, landed on a rooftop to launch WIFI attacks, as happened in the US against a financial company. Cyber operatives can also walk around the Davos area with covert offensive devices that break WIFI networks automatically or capture the “handshakes” of WIFI connections in order to break them and gain access. All access points and WIFI clients are susceptible to different attacks.
  5. Bluetooth attacks: Bluetooth attacks are on the rise; although they require proximity, they can be devastating, since in some cases they allow control of the victim device, and, best of all, they are undervalued by most organizations. Many attacks are available, but two that cyber operatives could use to compromise the security of devices are BlueBorne and a recently published attack on the Bluetooth protocol, affecting Android, MacOS, iPhone (iOS) and Linux, that connects a fake keyboard without user approval. Today billions of devices remain vulnerable to these attacks.

Image: DuckyScript

Despite the high security measures during the Davos Forum, it is undoubtedly a very interesting objective for a Nation-State with so many politicians and businessmen concentrated in the same place.

As we have seen throughout the article, the possibility of offensive operations in Davos is a reality and all necessary physical and digital security measures must be taken.

Please leave a comment on the article and tell me which topics you would like me to go into in more depth.

— See you on @simonroses


Modern Wardriving

Let’s start by defining the word Wardriving: it is the search for WIFI wireless networks from a vehicle equipped with a computer. This is the classic definition. I define modern wardriving as the search for WIFI networks, Bluetooth devices and GSM towers regardless of whether we are in any type of vehicle (plane, boat, bicycle, scooter, skateboard, etc.) or even walking.

I have been analyzing wireless networks since the beginning of 2000, and in 2022 I obtained the well-known Offensive Security Wireless Professional (OSWP) certification; you can read my post about it. Below is an image of the old cards that I used at that time for wardriving and WIFI audits, which I still have out of nostalgia.

Modern wardriving requires more advanced hardware, as we now have WIFI on 2.4GHz and 5GHz with WIFI 6 and 7 looming on the horizon, Bluetooth devices (with billions of devices in the world and counting) and GSM towers. In addition, we must combine it with a GPS device to record their location.

As you can see in the image, I use different devices for Wardriving and Radio Frequency (RF) audits from my company VULNEX. And what is shown here is not all the gadgets I use 😊 With these devices we can perform everything from wardriving to sophisticated RF attacks (a story for another day).

Starting from the left below we have:

  1. Flipper Zero + WIFI Devboard
  2. Raspberry PI Zero + Pwnagotchi
  3. AWUS036NEH
  4. AWUS036NHA
  5. M5 Stack Fire + ESP32 WiFi Hash Monster
  6. Google Pixel 5 + WiGLE WiFi Wardriving
  7. Hak5 WIFI Pineapple Nano
  8. Wardriving Kit (463n7 Driver kit & Wardriver)
  9. AWUS1900
  10. Raspberry Pi 4 + touch screen

Do you want to get started in wardriving? My advice is that you buy an Android phone (it doesn’t have to be expensive or top of the range) and install the WiGLE WiFi Wardriving App. It is the fastest and most comfortable way to enter this fascinating world. As you progress you can expand your collection of wardriving devices.
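What the collected data looks like once it is off the phone, as an added Python example that is neither the author's code nor WiGLE's: it reads a WiGLE WiFi Wardriving CSV export, counts networks by security class, lists open and WEP networks, and flags SSIDs advertised with conflicting security settings, which is the pattern a defender checks for the malicious-access-point scenario from the WIFI attacks item of the Davos post above. The column layout assumed (one preamble line, then MAC, SSID, AuthMode, FirstSeen, Channel, RSSI, CurrentLatitude, CurrentLongitude, AltitudeMeters, AccuracyMeters, Type) is my understanding of the app's export and the parser keys on column names, so extra or reordered columns do not break it; the rows are constructed, not real observations.

```python
"""Summarize a WiGLE WiFi Wardriving CSV export and flag weak or suspicious APs.

Added example; not code from the post or from WiGLE. The column layout is
an assumption about the app's export format. The sample rows are constructed.
"""
import csv
import io
from collections import defaultdict

# Constructed export: preamble line, header row, then observations.
SAMPLE_WIGLE_CSV = """\
WigleWifi-1.4,appRelease=0.0,model=Example,release=0,device=example,display=example,board=example,brand=example
MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,AltitudeMeters,AccuracyMeters,Type
02:00:00:00:00:01,HotelGuest,[ESS],2024-01-15 09:00:00,6,-61,46.80000,9.83000,1560,5,WIFI
02:00:00:00:00:02,ConfWifi,[WPA2-PSK-CCMP][ESS],2024-01-15 09:01:00,1,-55,46.80010,9.83010,1560,5,WIFI
02:00:00:00:00:03,ConfWifi,[WPA2-PSK-CCMP][ESS],2024-01-15 09:03:00,11,-70,46.80020,9.83020,1561,5,WIFI
02:00:00:00:00:04,ConfWifi,[ESS],2024-01-15 09:05:00,6,-48,46.80030,9.83030,1561,5,WIFI
02:00:00:00:00:05,OldShop,[WEP][ESS],2024-01-15 09:06:00,3,-75,46.80040,9.83040,1562,5,WIFI
02:00:00:00:00:06,,[BLE],2024-01-15 09:07:00,0,-80,46.80050,9.83050,1562,5,BLE
"""


def parse_wigle_csv(text):
    """Drop the WiGLE preamble line and return the rows as dicts keyed by header."""
    lines = text.splitlines()
    if lines and lines[0].startswith("WigleWifi"):
        lines = lines[1:]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def classify_auth(authmode):
    """Map a WiGLE AuthMode string such as '[WPA2-PSK-CCMP][ESS]' to a class."""
    a = authmode.upper()
    if "WEP" in a:
        return "WEP"
    if "WPA3" in a or "SAE" in a:
        return "WPA3"
    if "WPA2" in a:
        return "WPA2"
    if "WPA" in a:
        return "WPA"
    return "OPEN"


def wifi_summary(rows):
    """Count Wi-Fi networks per security class; Bluetooth/cell rows are ignored."""
    counts = defaultdict(int)
    for r in rows:
        if r.get("Type") == "WIFI":
            counts[classify_auth(r["AuthMode"])] += 1
    return dict(counts)


def weak_networks(rows):
    """(SSID, class) for networks with no encryption or with WEP."""
    return sorted(
        (r["SSID"], classify_auth(r["AuthMode"]))
        for r in rows
        if r.get("Type") == "WIFI" and classify_auth(r["AuthMode"]) in ("OPEN", "WEP")
    )


def evil_twin_candidates(rows):
    """SSIDs seen from several BSSIDs with *different* security settings.

    Many BSSIDs per SSID is normal for a multi-AP deployment; the same name
    offered both encrypted and open is the case worth investigating.
    """
    by_ssid = defaultdict(set)
    for r in rows:
        if r.get("Type") == "WIFI" and r["SSID"]:
            by_ssid[r["SSID"]].add(classify_auth(r["AuthMode"]))
    return sorted(ssid for ssid, classes in by_ssid.items() if len(classes) > 1)


if __name__ == "__main__":
    rows = parse_wigle_csv(SAMPLE_WIGLE_CSV)
    print(wifi_summary(rows))
    print(weak_networks(rows))
    print(evil_twin_candidates(rows))
```

On the constructed rows the script reports two open networks, one WEP and two WPA2, and singles out ConfWifi because one of its three BSSIDs is broadcast without encryption. Run on a real export of your own premises, the same check is a cheap way to spot an access point you did not deploy.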

What would you like me to delve into in another article?

Merry Christmas and don’t forget the ABC of wardriving: “Always Be Collecting” 😊

@simonroses


Fun in a Wild West shooting range with the Flipper Zero

For years I thought about hacking the classic Wild West shooting range powered by infrared shotguns. We can find these shooting ranges in amusement parks and fairs. Well, that moment has come, using the Flipper Zero, a security and pentesting device designed for ethical hackers and IT security professionals that fits in your pocket.

If you want to know in detail the infrared capabilities of the Flipper Zero for remote control, signal analysis and device emulation, I recommend reading my article about it here: Infrared Dominance with Flipper Zero.

Below are some images of the shooting range and videos of the hack, where we observe that, when we send the signal previously captured from a shotgun, many infrared sensors are activated at the same time.

Videos

Disclaimer: I am not responsible for any misuse of the information presented here.

Here I leave you the signal captured in an .IR file for the Flipper Zero.


Filetype: IR signals file
Version: 1
#
name: Kat
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 470 373 889 376 886 800 462 381 892 795 467 798 464 801 461 382 891 796 467 377 885 379 883 804 469 14718 467 377 885 379 883 804 469 374 888 799 463 802 460 804 469 375 887 799 463 380 882 384 889 798 464 14723 461 381 892 374 888 798 464 379 883 804 458 806 467 799 463 380 882 804 469 375 887 378 884 802 460 14727 468 375 887 377 885 802 460 383 890 797 465 800 462 803 459 384 889 798 464 379 883 381 892 796 466 14720 464 378 884 381 881 806 467 376 886 800 462 803 459 806 467 376 886 801 461 804 469 796 466 799 463

The next step will be to test this hack with the powerful IR Blaster that expands the infrared capabilities of the Flipper Zero.

The conclusion: never leave home without the Flipper Zero 😊

Leave in comments if you would like to see more articles about the Flipper Zero and what topics.

@simonroses


Information Warfare Strategies (SRF-IWS): Unveiling the Risks: Paris Protests and the potential to compromise the cybersecurity of companies while looting their stores

Introduction

The world has witnessed countless protests throughout history, as people express their grievances and demand change. Paris, known for its passionate demonstrations, has experienced its fair share of protests in recent times. Other places, such as Barcelona (September 2022) and the USA (Black Lives Matter, 2020), have suffered looting and even deaths during protests. However, a concerning new trend has emerged, where protesters take advantage of the chaos to break into stores, including prominent ones like the Apple Store, Orange, supermarkets and a motorcycle shop, among others. While the immediate impact of such actions is evident, there is a lesser-known risk: these protesters could exploit the opportunity to install Red Team hardware and compromise the cybersecurity of these companies. In this post, we explore this potential threat and shed light on the implications it poses.

Understanding Red Team Hardware

Before delving into the potential cybersecurity risks posed by protesters, it’s crucial to understand what Red Team hardware entails. Red Team hardware refers to devices or equipment used to simulate cyberattacks, often employed by ethical hackers or security professionals to evaluate the security posture of an organization. These tools aim to identify vulnerabilities and assess the effectiveness of security measures in place.

The Protester’s Advantage

During large-scale protests, chaos often ensues, leading to vandalism, looting, and destruction of property. In the case of high-profile stores such as the Apple Store or Orange, these incidents attract widespread attention. Amidst the pandemonium, protesters who possess knowledge about Red Team hardware might exploit the opportunity to install such devices within the compromised stores.

Installation of Red Team Hardware

Protesters who gain access to these stores can potentially plant Red Team hardware, ranging from small devices to sophisticated equipment, within the store’s infrastructure. These devices may go undetected initially, as the focus of security teams and law enforcement is primarily on controlling the protests and minimizing damage. The installed hardware can serve as an entry point for cybercriminals to gain unauthorized access to the store’s network, compromising the cybersecurity of the company and potentially accessing sensitive customer data.

Let’s explore different attack vectors that an attacker could use (I used these devices and more in my Red Team engagements):

  1. Search for passwords in the store: post-it notes, routers and access points often carry stickers with the password.
  2. Install a dropbox: a Red Team dropbox is a tiny computer such as a Raspberry PI deployed and hidden to launch network and wireless attacks. I have talked about dropboxes at different conferences: BSidesSF 2019 and Mundo Hacker Day 2021.
  3. Bash Bunny: from pentesting vendor Hak5, the Bash Bunny is a multi-vector USB attack platform.
  4. EvilCrow Cable: a BadUSB cable.
  5. EvilCrow Keylogger: USB keylogger with WIFI support for data exfiltration.
  6. Shark Jack: Hak5 device for network attacks that plugs into an Ethernet port.
  7. Key Croc: another Hak5 gadget for keylogging.
  8. Lan Turtle: Hak5 covert USB Ethernet adapter for network attacks.
  9. Packet Squirrel: a man-in-the-middle network sniffer by Hak5.
  10. Rubber Ducky: the mighty USB keystroke injection attack platform by Hak5.
  11. WHID Cactus: USB HID injector with WIFI support.
  12. WIFI Pineapple: the powerful wireless attack platform by Hak5. The Nano (left) and the Mark VII (right).

Keep in mind these devices are just some options, many more exist with all kinds of capabilities.

Cybersecurity Implications

The consequences of compromised cybersecurity are severe, not only for the affected companies but also for their customers and business partners. Here are a few potential implications:

Data Breach: A successful infiltration can lead to unauthorized access to customer data, including personal and financial information. This breach can have far-reaching consequences, such as identity theft, fraud, and reputational damage to the affected companies.

Intellectual Property Theft: Companies like Apple often possess valuable intellectual property that is highly sought after by competitors or malicious actors. Breaching their cybersecurity can expose trade secrets, patents, and proprietary information, jeopardizing their competitive edge and potentially leading to financial losses.

Customer Trust: A data breach or compromised cybersecurity can erode customer trust in the affected companies. Customers may hesitate to share their information or engage in business transactions, leading to a loss of revenue and long-term damage to the company’s reputation.

Supply Chain Vulnerabilities: If a compromised company is part of a larger supply chain, the cyber attack can extend its reach to other organizations connected to the network. This ripple effect can further amplify the impact of the initial breach, potentially disrupting entire industries and causing significant economic damage.

Preventive Measures and Mitigation Strategies

To mitigate the risks highlighted above, it is imperative for companies to prioritize their cybersecurity efforts. Here are some recommended preventive measures:

Robust Physical Security: Strengthening physical security measures, including improved surveillance, alarms, and reinforced entry points, can help deter unauthorized access and limit opportunities for protesters to install Red Team hardware.

Network Monitoring: Implementing advanced network monitoring tools can aid in the detection of any suspicious activities or unauthorized access attempts, enabling a swift response to potential threats.

Regular Security Audits: Conducting regular security audits and vulnerability assessments can identify weaknesses in the system and help implement necessary safeguards.

Employee Awareness: Educating employees about the risks of social engineering and physical tampering can help them identify and report suspicious behavior promptly.
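One concrete form of the Network Monitoring measure, as an added Python example (my code, not the post's or any vendor's): compare a DHCP lease snapshot with the asset inventory, report devices that are not inventoried, report inventoried devices that have gone missing, and flag vendor prefixes (OUIs) on a short watch-list. The inventory, the lease snapshot (dnsmasq lease-file layout) and all IP and MAC values are constructed; the two Raspberry Pi OUIs in the watch-list are real IEEE assignments as I recall them, but verify them against the IEEE registry, and treat the list as illustrative: a planted device can use any adapter or a spoofed MAC, so the unknown-device and missing-device checks are the ones to rely on.

```python
"""Flag network devices that are not in the asset inventory.

Added example (not the post's code or a vendor's). Inventory, lease
snapshot and addresses are constructed. The dnsmasq lease line layout is
"<expiry> <mac> <ip> <hostname> <client-id>".
"""
from collections import namedtuple

Lease = namedtuple("Lease", "ip mac hostname")

# Constructed asset inventory: MAC -> expected device.
ASSET_INVENTORY = {
    "00:11:22:33:44:01": "pos-1",
    "00:11:22:33:44:02": "pos-2",
    "00:11:22:33:44:03": "mgr-laptop",
    "00:11:22:33:44:04": "printer",
}

# Constructed DHCP lease snapshot. mgr-laptop is absent; two strangers appear.
SAMPLE_LEASES = """\
1700000000 00:11:22:33:44:01 10.10.1.21 pos-1 *
1700000000 00:11:22:33:44:02 10.10.1.22 pos-2 *
1700000000 b8:27:eb:aa:bb:cc 10.10.1.57 raspberrypi *
1700000000 00:11:22:33:44:04 10.10.1.30 printer *
1700000000 02:aa:bb:cc:dd:ee 10.10.1.58 * *
"""

# OUI watch-list (first three octets, lowercase). Raspberry Pi OUIs as I
# recall them from the IEEE registry; verify before relying on them.
WATCHLIST_OUIS = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "dc:a6:32": "Raspberry Pi Trading",
}


def parse_leases(text):
    """Parse dnsmasq-style lease lines into Lease tuples (MACs lowercased)."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _expiry, mac, ip, hostname = parts[:4]
        leases.append(Lease(ip=ip, mac=mac.lower(), hostname=hostname))
    return leases


def oui(mac):
    """Vendor prefix: the first three octets of a MAC address."""
    return ":".join(mac.lower().split(":")[:3])


def report(leases, inventory, watchlist):
    """Unknown devices, watch-listed OUIs among them, and missing known assets."""
    known = {m.lower(): name for m, name in inventory.items()}
    seen = {l.mac for l in leases}
    unknown = [l for l in leases if l.mac not in known]
    return {
        "unknown": [(l.ip, l.mac, l.hostname) for l in unknown],
        "watchlisted": [(l.ip, watchlist[oui(l.mac)]) for l in unknown
                        if oui(l.mac) in watchlist],
        "missing": sorted(m for m in known if m not in seen),
    }


if __name__ == "__main__":
    for key, value in report(parse_leases(SAMPLE_LEASES),
                             ASSET_INVENTORY, WATCHLIST_OUIS).items():
        print(f"{key}: {value}")
```

A known asset disappearing at the same time an unknown device appears is exactly the signature of an inline device or a swapped box, which is why the two findings are reported together rather than as separate alerts.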

Conclusion

While protests serve as an important avenue for expressing grievances, the potential exploitation of such events to compromise cybersecurity is a growing concern. The recent incidents of protesters breaking into stores like Apple Store and Orange in Paris highlight the need for heightened security measures to mitigate the risks posed by Red Team hardware installation. Companies must remain vigilant, continuously enhance their cybersecurity practices, and collaborate with law enforcement agencies to prevent unauthorized access and safeguard sensitive data. By doing so, they can maintain the trust of their customers and protect themselves from potential cyber threats, ultimately ensuring the long-term sustainability of their businesses.

Thoughts? Would you like to learn more about Red Team devices? Let me know in the comments.

@simonroses


Infrared Dominance with Flipper Zero

Flipper Zero is a portable and powerful multi-tool for hackers, security professionals or geeks. It was extremely well received when it was first launched on Kickstarter in 2020. I received my Flipper Zero in July 2021 and it’s time to show what this dolphin can do with a series of articles and videos. Pay attention to future posts 😊

Flipper Zero incorporates many capabilities (Sub-1 GHz Transceiver, RFID, NFC, Bluetooth, Infrared and iButton). In this article we are going to explore the Infrared (IR) and how Flipper Zero can control many electronic devices such as televisions, air conditioners (AC), musical devices, projectors, and fans. It would work as a universal remote.

One of the most attractive capabilities of Flipper Zero is the ease of changing the firmware, and the community has released several firmwares. I am using the RogueMaster firmware, which provides additional capabilities to the default firmware. The infrared works correctly regardless of the firmware, so it does not matter what firmware you use.

To understand how Infrared works in Flipper Zero I recommend this magnificent article in the Official Blog.

Universal Remote

In image 1 we see the Infrared app, with Universal Remotes to control devices and Learn New Remote to learn new devices, which we will explore later.


Image 1: Infrared App

Next, we are going to see two videos where the first controls an air conditioner (AC) and the second controls a television, a Smart TV.


Video 1: FlipperZero AC Infrared


Video 2: FlipperZero TV Infrared

As you can see, Flipper Zero works great as a universal remote for Infrared devices. In image 2 we see the remote to control air conditioners by sending a signal.


Image 2: Infrared AC App

Learn New Remote

Now let’s see how Flipper Zero behaves for new/unknown IR controllers.

Image 3 shows the Learn New Remote mode in operation, which consists of pointing the remote at the infrared port of Flipper Zero to capture the signal. It should be noted that the Infrared of Flipper Zero is very sensitive and it is not necessary to aim the signal directly – it can even capture the signal in transit, that is, between the remote control and the device.


Image 3: Learn New Remote App

In image 4 we can see that it has detected a Samsung television.


Image 4: Samsung detection

In the following example Flipper Zero is not able to recognize the device, in this case an air conditioner (AC). However, by sending the “Send” signal it will turn on the air conditioner without any problem. That is what we would call a Replay Attack, which allows us to capture the signal and send it as if it were the legitimate remote. Additionally, the app allows us to save the captured signal on the memory card (SD) – this option is really interesting to create our library of captured signals. See image 5.


Image 5: New AC signal captured

Curiosity: air conditioning remotes work by sending all the information the device may need (temperature, fan speed, modes, etc.) in every transmission, which is why in image 5 we see that a large amount of data has been captured: 583 samples. Sending everything each time avoids desynchronization between devices if, for example, we use the same remote with different air conditioning units.

IR Files

Infrared data are stored in text format on the SD card, as you can see in image 6. Using text files makes adding new data or making changes very easy.


Image 6: IR text file

In October 2022 a blog post was published on how to crash Flipper Zero with malformed IR text files. Read that post here.
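The .IR text format shown in the shooting-range post above and discussed here, together with the malformed-file crash just mentioned, as an added Python example that is neither Flipper's code nor the author's: a validating parser for the file format, plus a simple timing analysis of the post's captured signal. The parser rejects a file whose header or numeric fields are wrong instead of passing bad values downstream, which is the cheap defence for anything that loads community IR files. The signal embedded below is the shooting-range capture from the post; the 650 µs short/long threshold, the 5000 µs frame-gap threshold and the frame/symbol view are my choices, not part of the Flipper format.

```python
"""Parse and validate a Flipper Zero .ir file, then analyse a raw signal.

Added example; not Flipper's code or the author's. Reads 'key: value'
lines, a '#' line before each signal, and for 'type: raw' a 'data:' line
of alternating mark/space durations in microseconds. Thresholds (650 us
short/long, 5000 us frame gap) are choices made here for the analysis.
"""

# The capture from the shooting-range post, verbatim.
SIGNAL_FILE = """\
Filetype: IR signals file
Version: 1
#
name: Kat
type: raw
frequency: 38000
duty_cycle: 0.330000
data: 470 373 889 376 886 800 462 381 892 795 467 798 464 801 461 382 891 796 467 377 885 379 883 804 469 14718 467 377 885 379 883 804 469 374 888 799 463 802 460 804 469 375 887 799 463 380 882 384 889 798 464 14723 461 381 892 374 888 798 464 379 883 804 458 806 467 799 463 380 882 804 469 375 887 378 884 802 460 14727 468 375 887 377 885 802 460 383 890 797 465 800 462 803 459 384 889 798 464 379 883 381 892 796 466 14720 464 378 884 381 881 806 467 376 886 800 462 803 459 806 467 376 886 801 461 804 469 796 466 799 463
"""


class IRFileError(ValueError):
    """The file does not match the expected layout or contains bad values."""


def parse_ir_file(text):
    """Return (header, signals); raise IRFileError instead of passing bad data on."""
    header, signals, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "#":                 # separator that opens a new signal block
            if current:
                signals.append(current)
            current = {}
            continue
        if ":" not in line:
            raise IRFileError(f"line {lineno}: expected 'key: value'")
        key, value = (part.strip() for part in line.split(":", 1))
        (header if current is None else current)[key] = value
    if current:
        signals.append(current)
    if header.get("Filetype") != "IR signals file" or header.get("Version") != "1":
        raise IRFileError("not a version-1 'IR signals file'")
    for sig in signals:
        if sig.get("type") != "raw":
            continue                    # 'parsed' signals carry protocol fields only
        try:
            sig["frequency"] = int(sig["frequency"])
            sig["duty_cycle"] = float(sig["duty_cycle"])
            durations = [int(tok) for tok in sig["data"].split()]
        except (KeyError, ValueError) as exc:
            raise IRFileError(f"signal {sig.get('name')!r}: {exc}") from None
        if not durations or any(d <= 0 for d in durations):
            raise IRFileError(f"signal {sig.get('name')!r}: empty or non-positive duration")
        sig["data"] = durations
    return header, signals


def split_frames(durations, gap_us=5000):
    """Split mark/space durations into frames at any space of gap_us or more."""
    frames, current = [], []
    for i, d in enumerate(durations):
        if i % 2 == 1 and d >= gap_us:  # odd index = space; a long space ends a frame
            frames.append(current)
            current = []
        else:
            current.append(d)
    if current:
        frames.append(current)
    return frames


def symbolize(frame, threshold_us=650):
    """Reduce a frame to one 'S' (short) or 'L' (long) per duration."""
    return "".join("S" if d < threshold_us else "L" for d in frame)


def analyse(text):
    """Frame count, frame sizes and distinct short/long patterns of the first signal."""
    _, signals = parse_ir_file(text)
    sig = signals[0]
    frames = split_frames(sig["data"])
    symbols = [symbolize(f) for f in frames]
    return {
        "name": sig["name"],
        "frequency": sig["frequency"],
        "frames": len(frames),
        "frame_lengths": [len(f) for f in frames],
        "symbols": symbols,
        "distinct_patterns": len(set(symbols)),
    }


if __name__ == "__main__":
    for key, value in analyse(SIGNAL_FILE).items():
        print(f"{key}: {value}")
```

Run on the post's capture, the script finds five frames of 25 durations each, separated by gaps of roughly 14.7 ms; the first four reduce to the same short/long pattern and the fifth differs in its last few durations, the kind of detail worth checking before treating a raw capture as one clean, repeatable command.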

Flipper-IRDB

Do you need more? Flipper-IRDB is a huge collection of IR files covering consoles, air purifiers, cameras, toys, LED lighting, monitors, etc., which you can easily upload to your Flipper Zero using the qFlipper app, see image 7.


Image 7: qFlipper App

The following images (8-10) show how to run the IR app using a file from the IRDB collection. Here we run an IR file to manage CCTV devices.


Image 8: CCTV folder


Image 9: Run CCTV IR file


Image 10: CCTV App

Clearly Flipper Zero is a fascinating tool with many capabilities and expansion possibilities (see GPIO).

What other capabilities of Flipper Zero would you like to see explored/discussed in future articles? Some topics to explore are how to recover the firmware in case of failures, Bluetooth, WIFI attacks through an external module (hardware), NFC, RFID, among many others.

All the best,

@simonroses


Offensive Security Wireless Professional (OSWP): my experience

On July 24, 2022 I took the well-known Offensive Security Wireless Professional (OSWP) practical exam and, although Offensive Security can take days to inform you of the result (pass/fail), the next day, July 25, they informed me that I had passed 🙂 Kudos to Offensive Security for the quick response.

The truth is that I have personally been performing WIFI audits since early 2000, as you can see from some of my old WIFI cards that I keep for nostalgia (Figure 1), so it was logical to get this certification (yes, I took it easy).


Figure 1 – classic WIFI cards

Nowadays for my audits I use modern equipment that I will discuss throughout this post, as it will be useful for readers interested in obtaining this certification. Let's start, this is my story.

The PEN-210 course is focused on wireless attacks both to access points (AP) and clients. We must keep in mind that the course is an introduction to WIFI attacks (foundation course) and alongside the PEN-200 (OSCP) course, so if you have years of experience in WIFI audits you may find the course somewhat simple, although you will always learn something new, I’m sure.

In this link you will find the course content.

Hardware

On the course website we find the hardware recommended by Offensive Security which are:

Routers

  • NETGEAR AC1000 (R6080)
  • Linksys WiFi 5 Router Dual-Band AC1200 (E5400)

WiFi card

  • Alpha AWUS036NHA

Personally, I did not find the recommended routers, but I used these others that have served me perfectly (see Figure 2). I recommend the TP-Link TL-WR841N as it allows all the necessary configurations for the course (WEP, WPA/WPA2, WPA Enterprise and WPS).

  • Tenda F3 Wireless N300
  • TP-Link TL-WR841N


Figure 2 – Routers

Although I have quite a few WIFI cards (2.4G and 5G), for the course I used only the Alpha AWUS036NHA (which is the recommended one). In Figure 3 you can see some of the cards (I have more) that I use for my WIFI audits.

  • Alpha AWUS036NHA (top right)
  • Alpha AWUS036NH
  • Alpha AWUS036NEH
  • TP-LINK WN722N
  • CSL – 2 Wireless Dual Band Antenna


Figure 3 – WIFI cards

Exam

I can’t comment on the exam, so I recommend reading the official OSWP Exam guide very carefully.

The guide tells us that there are three attack scenarios and the total time we have is 3 hours and 45 minutes. At the end of the exam, we have 24 hours to send a report detailing the whole process.

I can only wish you good luck 🙂

Conclusions

If you like WIFI audits and you can afford the cost of the certification (currently only available within the Learn One or Learn Unlimited subscriptions) then go ahead, I recommend it. Otherwise, no problem, you have different options such as other WIFI security certifications (Google is your friend) and keep learning on your own.

Some tips for OSWP certification:

  1. Join the Offensive Security Discord. Good people willing to help and lots of questions/answers that will be very helpful.
  2. If you buy the hardware I recommend, you should have no problem doing all the exercises in the course. If you buy another router, make sure it allows the different configurations needed. Buy the router on a website where you can return it without problems like Amazon.
  3. Remember that the exam is open book.
  4. Even if you have been doing WIFI audits for some time, don’t be overconfident and practice the different attacks before the exam (at least two or three times).
  5. Aircrack-ng is your friend. Use it wisely.

That’s it folks, and now to attack an AP (for an audit, of course 🙂

Anything you would like me to comment about OSWP or WIFI audits in another post or even video on my YouTube channel?

@simonroses


KringleCon / Holiday Hack 2021 Writeup

Another SANS Holiday Hack Challenge & Kringle (2021) CTF done. Please find my writeup for this awesome & fun CTF. I will continue to work on the few missing challenges so expect updates ASAP.

PDF MD5: 51bc75a10e1de548de2adef974a36201

Report Download

Enjoy & see you next year 😊

@simonroses


Cool podcasts on cyber security, red team, and startups (1)

Here you will find some of the cool podcasts that I have been listening to lately on topics like cybersecurity, red team, hacking, artificial intelligence (AI), and startups. Some are in English and others in Spanish 🙂

You can listen to them on Spotify (all of them), Apple Podcast (most of them), Google Podcast (some of them) and their own websites.

Red Team

Cybersecurity

Startups

Artificial Intelligence (AI)

If you have any recommendations, send them my way, please.

Enjoy 🙂

@simonroses


Your own Spy Numbers Station on a Raspberry PI

In this post we will talk about two fascinating topics and how to combine them: Numbers Station and Raspberry Pi. We’re entering the world of spies!!

Disclaimer: Do not interfere with radio stations in your area – I am not responsible for the misuse of this article, please check the legislation in your country.

Numbers Stations remain a great mystery to all. There is speculation that they are used by intelligence agencies in various countries. According to The Conet Project, the first Numbers Station dates from World War I, and they were very popular during the Cold War.

Over the years many amateur radio operators (ham radio) have tracked and classified these broadcasts. Some of the most famous are:

• Lincolnshire Poacher: believed to have been operated by MI6, with its signal emanating from the island of Cyprus.
• The Spanish Lady: from Cuba.
• Swedish Rhapsody: operated by Polish intelligence.

I recommend you continue reading the links and listen to the broadcasts to learn more about this dark but fascinating world.

The other topic is the use of the Raspberry Pi, small computers that I personally use for all kinds of professional and personal projects (red team and blue team). I strongly recommend having several of these devices at hand. For my Numbers Station I used an rpi version 3, but it works the same with version 4 or even a Pi Zero.

The material used is as follows:

• Raspberry Pi 3
• A cable to act as antenna, connected to the GPIO4 pin.
• As operating system I use Kali Linux, but you can use other options like Raspberry Pi OS (former Raspbian).

Raspberry PI

Before we go into the details of the Numbers Station, let's explore a piece of software that allows us to set up a radio station: Pi-FM-RDS

Pi-FM-RDS

Using Pi-FM-RDS, a Python tool, we can broadcast radio with the Raspberry Pi. The whole process is very simple as we will see below.

The first thing is to download the source code of the project and compile it. In the image below we see the necessary steps.

Pi-FM-RDS setup

If everything went well, we are now ready to set up our radio on the Raspberry Pi. The good thing about this program is that it includes support for Radio Data System (RDS), so we can send data such as the name of our station and messages.

For this demo I used one of the sounds (wav files) included in Pi-FM-RDS, with the message "RADIO PIRATE". I left the default station name "RASP-Pi" and the default frequency "107.9 MHz".

Pi-FM-RDS in action

PiNumberStation

For the creation of our Numbers Station we will use the PiNumberStation tool (also written in Python) that is quite easy to use.

Download the source code of the project to our Raspberry PI. Please see the following image.

PiNumberStation setup

The next thing is to modify the default.ini configuration file to fit our needs. For this test, the only change I have made is to modify the frequency to 107.9 MHz and the rest of parameters I have left them by default. Each parameter is well documented in case we want to make additional changes.

PiNumberStation default.ini configuration file

In the message.txt file we include the message we want to broadcast, numbers and/or words. All that is left is to run the PiNS.py script.
As the PiNumberStation project itself points out, on the FreeSound website you will find more sound files ready to use.

PiNumberStation in action

The following video, available on my YouTube channel, is a number broadcast that includes a small challenge (CTF). Can you break the encrypted message? 😉
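Historically the digit groups read out by a numbers station were the output of a one-time pad, which is why listening to decades of them has revealed nothing about their contents. The script below is an added illustration of that scheme and is not part of PiNumberStation or of the video's challenge (whose cipher is not described here, so the code table and the pad handling are assumptions). It encodes text as two-digit codes, adds a random pad digit by digit modulo 10, splits the result into five-digit groups as a station would read them, and also shows the one caveat a practitioner must know: reusing a pad makes the key cancel out of the difference of two ciphertexts.

```python
import secrets

# Constructed code table: index 0 = space, A = 01 ... Z = 26.
ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def encode_text(msg):
    """Text -> digit string, two digits per character."""
    msg = msg.upper()
    if any(ch not in ALPHABET for ch in msg):
        raise ValueError("only letters and spaces are encoded")
    return "".join(f"{ALPHABET.index(ch):02d}" for ch in msg)


def decode_digits(digits):
    """Digit string -> text; rejects codes outside the table."""
    if len(digits) % 2:
        raise ValueError("digit string must have even length")
    out = []
    for i in range(0, len(digits), 2):
        code = int(digits[i:i + 2])
        if code >= len(ALPHABET):
            raise ValueError(f"invalid code {code:02d}")
        out.append(ALPHABET[code])
    return "".join(out)


def generate_pad(n_digits):
    """One-time pad: n decimal digits from the OS CSPRNG, never reused."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n_digits))


def _digitwise(a, b, op):
    if len(a) != len(b):
        raise ValueError("pad and message must have the same length")
    return "".join(str(op(int(x), int(y)) % 10) for x, y in zip(a, b))


def encrypt(plain_digits, pad):
    """c_i = (p_i + k_i) mod 10"""
    return _digitwise(plain_digits, pad, lambda p, k: p + k)


def decrypt(cipher_digits, pad):
    """p_i = (c_i - k_i) mod 10"""
    return _digitwise(cipher_digits, pad, lambda c, k: c - k)


def to_groups(digits, size=5):
    """Split into the five-digit groups a station reads out."""
    return " ".join(digits[i:i + size] for i in range(0, len(digits), size))


def from_groups(text):
    return text.replace(" ", "")


def pad_reuse_leak(cipher_a, cipher_b):
    """With one pad used twice, c_a - c_b == p_a - p_b: the key cancels out."""
    return _digitwise(cipher_a, cipher_b, lambda x, y: x - y)


def broadcast_demo(message):
    """Full round trip: encode, pad, group for reading, then recover."""
    plain = encode_text(message)
    pad = generate_pad(len(plain))
    cipher = encrypt(plain, pad)
    groups = to_groups(cipher)
    recovered = decode_digits(decrypt(from_groups(groups), pad))
    return {"plain_digits": plain, "pad": pad, "groups": groups, "recovered": recovered}


if __name__ == "__main__":
    demo = broadcast_demo("MEET AT NOON")
    print("groups to read on air:", demo["groups"])
    print("recovered with the pad:", demo["recovered"])
```

The security of the scheme rests entirely on `generate_pad`: the digits must be unpredictable (hence `secrets`, not `random`), at least as long as the message, and destroyed after one use. `pad_reuse_leak` is there to show what a listener gets when that last rule is broken; the difference of the plaintext codes, with no key material needed at all.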

THE END

I hope you found this post interesting and that it encourages you to set up your own Numbers Station, always within the law 😊

Would you like to see more radio frequency (RF) posts?

@simonroses
