Disecting shellcode – Part:1

I recently competed in the “Cyber Security Challenge Australia 2013″

One of the challenges involved looking at a packet capture of an exploit of a system. We where given a tcpdump packet capture of an attack and asked to dissect it.

The first step is to find out what we where working with, this is the first of 4 TCP sessions and 1 UDP session. This is a TELNET session being setup and you can see the banner a few lines down showing “Free BSD/i386″ so we know what OS we are working with on the server side.

Payload 1

Exploit payloads generally are a bit on the larger size and usually appear as a jumble of non-printable or extended characters. We have a good possibility of a payload existing within the largest packet in red about half way down.

Most payloads are in assembler and one of the nuances about assembly is if you miss where the assembly starts by even one character the program wont make much sense. To really find out where the payload starts and stops we will have to see if we can find the exploit used here.

The payload takes place during key setup for telnet encryption so our attack is likely making use of a buffer overrun to do with encryption or keys.

Read more

A tale of 102 RFID cards

About 6 months ago i bought 102 EM4100 protocol RFID cards (From http://tinyurl.com/axrct2r) and a compatible RFID reader (https://www.sparkfun.com/products/8419).

EM4100 protocol cards are factory programed with an 8bit Customer or Version ID, 32bit unique code and some parity information. Once the card powers up from being within proximity of a reader it starts blasting out this code encoded in Manchester and looks something like this.

EM4100 Capture

The theoretical minimum transmission speed possible is about 28ms, however many readers require you to transmit this code twice for it to be accepted.

This gives a total keyspace of 4,294,967,296 (2^32) or 1,099,511,627,776 (2^40) if you are using unique Customer or Version ID’s. At the theoretical minimum transmission speed of 28ms this gives a worst case brute force time of 3.81086182 years or 975.580625 years if using unique Customer or Version ID’s.

Lets assume you don’t know the Customer or Version ID and you are attacking a door with 10,000 valid cards, at 0.028 seconds per card it would take 35.63 days. Knowledge of the Customer or Version ID takes this time down to 3.341 hours.

A more realistic example of 200 cards would take 6.959 days or 4.87895 years without knowledge of the Customer or Version ID.

One major security feature is the relatively slow transmission speed, you will have a hard time finding a commercial reader that can read cards back to back at 28 milliseconds each. Generally you get a reading time between 0.1 and 1 seconds.

However this security is relining on the numbers being uniquely random. If a company use the same Customer or Version ID and an attacker has knowledge of this number they have reduced the system entropy by 1,095,216,660,480 potential combinations, a 99.61% reduction.

So with the entire security of the system relying on the strength of the random number generator used to program these cards, lets have a look at two separate packs of 51 cards i bought on eBay from china.

99 of the cards had the same Customer or Version ID of 0×06 with the remaining 3 cards having 0×07.

Here is a graph showing the 99 cards in the order they where shipped in with their Customer or Version ID omitted.

RFID Graph

Min: 25773269859
Max: 25785845002
Range: 12575143

Right off the bat you can tell that there is a problem here, the vast majority of cards are with a very close proximity of others. The problem is even worse when the cards have been clustered.

Cluster % Mean STD Deviation
1 42.42% 25775067346.5 14166.12
2 39.39% 25774974455 11566.25
3 10.10% 25785758931.5 6361.64
4 4.04% 25785473311.5 9401.02
5 1.01% 25785845002 N/A One card only
6 1.01% 25785343243 N/A One card only
7 1.01% 25773269859 N/A One card only
8 1.01% 25775166994 N/A One card only

Even with a more realistic reading time of 0.2 seconds per card you have a 40.4% chance of guessing a valid RFID card within 5666.448 seconds or 95 minutes based on 1 card within cluster 1 alone. Including cluster 2 you have a 78.08% chance of guessing a valid RFID card in under 10292.948 seconds or 172 minutes.

This pattern persisted through two stacks of cards (individually packaged i might add) so if you know the supplier used you could have a good chance of guessing a valid card. The big “security by X” logo stuck on the door can be a big hint here. The clusters appear pretty quickly so buying even 10 cards from a company could be enough to start an attack with good chances.

Another scenario is if you obtain a lost invalid or partially valid (eg. low security areas only) card, you can use that to stage an attack by guessing numbers around it with potentially some success.

However the addition of even a 2 digit pincode along with the RFID card makes these attacks infeasible on increased input time alone.

Another mitigation strategy is to increase the processing time of cards into the range of seconds. This has the added benefit of not only decreasing the feasibility of such an attack but also not requiring users to change their behavior. This however does not protect from lost or stolen cards like an  additional pincode.

Raw Data available as an ODS file: RFID Results

Duplicating house keys using a 3D Printer

I had the idea to duplicate some house keys on my Makerbot Thing-O-Matic 3D printer after seeing a post about in on thingiverse here.

So after messing around with the script for a while i couldnt really get it to work so i decided to just make a script from scratch to improve my SCAD skills. (SCAD is like a programing language for creating parametric 3d CAD objects)

After a few hours with a key and a pair of digital calipers i got an object that fit in the lock but has not been cut (think of a blank key).

Key Blank Openscad

Blank comparison - front

Blank comparison - Top

From there i started working on the cuts. On this particular key the cut depth appeared to be a multiple of 0.58mm with spacing from every cut being equal to 4.12mm. Some of these measurements where gained by using this cheat sheet.

This step was mostly trial and error, i made modifications halfway through to reduce printing time and many modifications to the multipliers, cut depths, ect…

All keys

Eventually came up with some results as shown above. After the measurements where perfected the keys started to work. The keys are brittle but do work and most locks don’t have much resistance turning the key when the key fits. The use of a torsion bar to turn the lock could be used on rusted or heavy locks.

Every key has a bit-code, this is a set of numbers that identify the key’s ID number. Any similar style key with the same bit-code will work in the same lock. I was able to guess the bit-code but this photo will show what im doing. We are measuring the dips and not the ridges, the ridges exist to ensure the tumbler pins rest in place.

Note: In my script the bit-code goes from base to tip, other scripts or even official documentation may be different.

BitCode

The keys only have 7 ridges based on documentation linked above. This gives a total key-space of 7^7 or 823,543 different combinations.

With such a small combination of ridges its not hard to see why lock-picking isn’t difficult. Not only that but the keys are pretty easy to duplicate based off visual identification, the SNEAKEY system deminstrated this (Link: http://www.schneier.com/blog/archives/2011/07/duplicating_phy.html)

OpeSCAD Render

Cut comparison

Cut - Lock

In total i did this entire project in just a few hours, its scary how simple many of these keys are in design. I would estimate that i could duplicate high security keys in a similar time if my printer has the accuracy. Sure some of these high security keys are very difficult to pick but if all it takes is visual inspection of a key to breach a lock then this presents a problem for people who wish to keep things behind locked doors.

Perhaps now with the boom of consumer grade 3D Printers its important then ever to move to digital keys.

My SCAD source file: key1.zip