Wednesday, January 16, 2013


Where facts are few, experts are many

Tools, Whitepapers, Talks

Talks / Lectures

During my career I had the opportunity to present my thoughts and views on Information Security to numerous people and organizations; below is a list of conferences I had the pleasure to present at.

▪ 2006 Luxembourg - Hack.lu : "Bluetooth Hacking Revisited"
▪ 2006 Luxembourg - Minerva, organised by the European Union, EUBAM
▪ 2006 Germany (Frankfurt) - High Level Security Board : "Bluetooth Unsicherheiten" (NDA)
▪ 2006 Germany (Berlin) - CCC 23C3 : "All your Bluetooth is belong to us" - Complete Recording / Clip: Pre-Auth Remote Root over Bluetooth
▪ 2007 Germany (Frankfurt) - IT-Sicherheits Forum : "Scheunentor Bluetooth"
▪ 2007 Germany (Hamburg, Munich, Frankfurt) - Heisec : "Scheunentor Bluetooth" & BTCrack 1.1 release
▪ 2007 Germany (Frankfurt) - M-Vision : "Scheunentor Bluetooth – wie Handys ausspioniert werden"
▪ 2007 Luxembourg - Hack.lu : "The death of Anti-virus Defense in Depth?"
▪ 2008 Germany (Frankfurt) - Cebit Heise Events : "Wenn der Schutz dem Angriff dient - Antivirus-Lösungen ausgehebelt"
▪ 2008 Germany (Frankfurt) - High Level Security Board : "Security Metrics and beyond" (NDA)
▪ 2008 Canada - Cansecwest : "The Death of AV Defense in Depth? – Revisiting AV Software"
▪ 2010 Netherlands - OWASP BENELUX : "Cash-back system revisited" (NDA)
▪ 2011 Israel - ISSA EMEA : "Application Risk Management in Enterprises - Thoughts and Recommendations" (to be released)
▪ 2011 Germany (Berlin) - Bundesverband Deutscher Banken : "The Vulnerability Market and you" (to be released)

[Photo: "The Death of AV Defense in Depth?" - Cansecwest © hirsan]

Whitepapers

TLS/SSL Renegotiation Vulnerability (CVE-2009-3555)

This paper explains the SSLv3/TLS renegotiation vulnerability for a broader audience and summarizes the information that is currently available. It includes original research and proof-of-concept code.

Updates:
▪ Updated : Added SMTP over TLS attack scenario
▪ Updated : Added FTPS analysis
▪ Updated : New attacks against HTTPS introduced
▪ Updated : PoC files for TRACE and 302 redirect using the TLS renegotiation flaw

References: This paper is referenced by the US-CERT, DFN-CERT, BELNET-CERT, SWITCH-CERT, Nessus, Qualys, c't Heise, and many more. Furthermore it has served as an internal training paper for a major OS vendor.

Details
▪ TLS/SSLv3 renegotiation protocol vulnerability
▪ Blog post : SSLv3/TLS mitm vulnerability

Tags: Whitepaper, TLS/SSL Renegotiation Vulnerability

TLS/SSL hardening and compatibility report 2011

What started as an "I need an overview of best practice in SSL/TLS configuration" type of idea ended in a 3 month code, reverse engineering and writing effort. This paper aims at answering the following questions:
▪ What SSL/TLS configuration is state of the art and considered secure enough?
▪ What SSL/TLS ciphers do modern browsers support?
▪ What SSL/TLS settings do servers and common SSL providers support?
▪ What are the cipher suites offering most compatibility and security?
▪ Should we really disable SSLv2? What about legacy browsers?
▪ How long does RSA still stand a chance?
▪ What are the recommended hashes and ciphers for the years to come?

The paper includes two free tools:
▪ SSL Audit : SSL/TLS scanner
▪ Harden SSL/TLS : Windows server and client SSL/TLS hardening tool

Details
▪ Download : SSL/TLS Hardening and Compatibility report 2010
▪ Download : SSL/TLS Hardening and Compatibility report 2011

Tags: SSL / TLS Compatibility Report

Tools

Let me get this straight, I do not consider myself to be a developer. During my career however I developed a lot of proof-of-concept tools, offensive or defensive in nature, and below are a few that became public.

BTCrack 1.1

BTCrack was the world's first Bluetooth passphrase (PIN) and link key brute-force tool. It was presented in the renowned SAAL1 at the 23C3 in Berlin. BTCrack will brute-force the passkey and the link key from captured Bluetooth pairing exchanges. To capture the pairing exchange it is necessary to have a professional Bluetooth analyzer (FTE BPA 100, BPA 105, others; Merlin) or to know how to flash a CSR based consumer USB dongle with special firmware. (Update 2011: Ubertooth is also a possibility now.) As of version 1.1, BTCrack includes FPGA support through picocomputing E-Series.

Speed comparison:
▪ P4 2GHz - Dual Core : 200,000 keys/sec
▪ FPGA E12 @ 50MHz : 7,600,000 keys/sec
▪ FPGA E12 @ 75MHz : 10,000,000 keys/sec
▪ FPGA E14 : 30,000,000 keys/sec

Details
▪ Download BTCrack 1.1
▪ More information
▪ Talk : 23C3 - All your Bluetooth is belong to us
▪ Video : 23C3 - All your Bluetooth is belong to us
▪ Talk : Heisec - Scheunentor Bluetooth

Tags : Offensive, Proof of Concept

BTCrack Open Source Version (GPL)

This is a straightforward Linux port of BTCrack.

Details
▪ Download BTCrack Open Source Version

Tags: Offensive, Proof of Concept

Secure-It

Secure-It™ is a local Windows security hardening tool that proactively secures your PC, either by disabling the intrusion and propagation vectors or simply by reducing the attack surface by disabling unimportant functions. The tool secured Windows workstations as well as servers against new dangers by blocking the root cause of the vulnerabilities exploited by malware, worms and spyware. Secure-It had a track record of proactively preventing several 0-day exploits.

History of real-life proactive protection:
▪ 2004 Protected against the Help ActiveX control exploit in advance.
▪ 2004 Protected against the second Help ActiveX control exploit, which was not correctly patched.
▪ 2004 Protected against the DHTML ActiveX control exploit in advance.
▪ 2005 Protected against the Microsoft MSHTA Script Execution Vulnerability in advance.

Note: Secure-It's last update was in 2005 and some settings, like the ActiveX blacklist, are outdated and should no longer be used.

Details
▪ More information

Tags : Defensive, Hardening, Tool

Harden-It

Harden-It™ is a network and system hardening tool for Windows. By hardening the IP stack, your network can sustain or completely thwart various sophisticated network attacks:
▪ Harden your server's TCP and IP stack (ICMP, SYN, SYN-ACK, ...)
▪ Reduces or mitigates effects from DoS and other network based attacks
▪ Enable SYN flood protection when an attack is detected
▪ Set the threshold values that are used to determine what constitutes an attack
▪ Various other protections

History of real-life proactive protection:
▪ 2006 Protected against the Windows IGMP Denial of Service attack in advance.

Details
▪ More information

Tags : Defensive, Hardening, Tool

Remote Administration Tool (GPL)

Remote Administration Tool is a small free remote control software package derived from the popular TightVNC software. With "Remote Administration Tool" you can see the desktop of a remote machine and control it with your local mouse and keyboard, just like you would sitting in front of that computer. Small, easy, no installation required.

Details
▪ More information

Tags : Administration, Tool

CSS-DIE

CSSDIE is a community-developed fuzzer for verifying browser integrity, written by H D Moore, Matt Murphy, Aviv Raff, and Thierry Zoller. CSSDIE looks for common CSS1/CSS2/CSS3 implementation flaws by specifying common bad values for style properties.

Details
▪ More information

Tags: Fuzzer, Offensive, Tool

Omron Communicator

This software is based on my efforts to reverse engineer the Hitachi Omron hybrid card readers. Omron card readers are used in various commercial setups like ATMs, identity management, payment systems and parking systems. The effort displayed on this blog is purely done for research and awareness purposes.

Details
▪ Part 1 - Omron hybrid card reader - New toy
▪ Part 2 - Omron hybrid card reader protocol partly reversed
▪ Part 3 - Demo of implementation (This one)

Tags: Reverse Engineering, Smartcard, Tool

Academic Papers - Please get the Sarcasm

▪ The Influence of Bayesian Methodologies on Algorithms
  Consistent hashing must work. Given the current status of random configurations, biologists famously desire the deployment of PKI, which embodies the intuitive principles of cryptanalysis.
▪ Signed, Large-Scale Methodologies for Public-Private Key Pairs
  The implications of certifiable configurations have been far-reaching and pervasive. After years of confirmed research into flip-flop gates, we disprove the analysis of robots that would make simulating context free grammar a real possibility, which embodies the confusing principles of stenography.
▪ Moo : Investigation of Hierarchical Databases
  Our focus in this work is not on whether multiprocessors can be made authenticated, random, and empathic, but rather on presenting new semantic communication (Moo).
▪ A Methodology for the Exploration of DNS
  The study of the location-identity split has evaluated linked lists, and current trends suggest that the analysis of evolutionary programming will soon emerge.
▪ Valence : Simulation of Thin Clients
  Unified optimal symmetries have led to many extensive advances, including SCSI disks and agents [10]. After years of appropriate research into cache coherence, we prove the improvement of digital-to-analog converters, which embodies the robust principles of cryptanalysis. Valence, our new heuristic for the construction rasterization, is the solution to all of these problems.
▪ ApodAni : A Methodology for the Analysis of Compilers
  The emulation of erasure coding is an essential challenge. ApodAni, our new framework for pseudo random theory, is the solution to all of these grand challenges.

Excerpt of discovered Vulnerabilities

Below is an overview of new vulnerabilities I have discovered, coordinated and disclosed; this list does not include vulnerabilities that were discovered during my professional career.

2010
▪ Checkpoint Privilege Escalation - To be completed

2009
▪ [NON-TZO-Release] Internet Explorer 5 & 6 Remote code execution - BID31618
▪ [TZO-12-2009] SUN Java Remote code execution - BID34667
▪ [TZO-01-2009] Multiple Avira Antivir Denial of Service (remote) - BID33270
▪ [TZO-02-2009] Avira Antivir Privilege escalation - BID33291
▪ [TZO-04-2009] IBM Proventia multiple bypasses (forced release) - BID34345
▪ [NON-TZO-Release] Jscape SSH Man-in-the-Middle through key validation error - BID29882
▪ [TZO-26-2009] Firefox Denial of Service (unclamped loop) - forced disclosure
▪ [TZO-27-2009] Firefox Denial of Service (Keygen) - forced disclosure - BID35132

2008
▪ [NO-TZO Release] F-Secure CAB,RAR evasion

2007
▪ [TZO-1-2007] Citrix SSL-VPN Remote code execution (pre-auth) - US CERT 555200

2006
▪ [TZO-01-2006] F-Secure Remote code execution vulnerability in ZIP RAR
▪ [TZO-02-2006] F-Secure Anti-virus Bypass - CVE-2006-0337
▪ [TZO-04-2006] Safe'nsec HIPS & Anti-Spyware - Privilege Escalation
▪ [TZO-05-2006] XAMPP - Multiple Privilege Escalation and Rogue Autostart
▪ [TZO-06-2006] When you trust WehnTrust - Privilege Escalation
▪ [TZO-07-2006] Zango Adware - Insecure AutoUpdate and remote file execution

2005
▪ [TZO-01-2005] F-prot Antivirus bypass - ZIP
▪ [TZO-02-2005] Silent Firefox Adware Install - Proof of concept
▪ [TZO-03-2005] CheckPoint VPN-1 SecureClient Privilege escalation

Anti-virus bypasses / evasions
▪ [TZO-25-2009] Panda generic evasion (TAR) - BID35027
▪ [TZO-24-2009] Panda generic evasion (CAB) - BID35027
▪ [TZO-23-2009] Bitdefender generic evasion (PDF) - BID35010
▪ [TZO-22-2009] Avira Antivir generic evasion (PDF) - BID35008
▪ [TZO-21-2009] F-Prot CAB bypass / evasion - BID34896 - CVE - DOE CIRC
▪ [TZO-20-2009] AVG ZIP bypass / evasion - BID34895
▪ [TZO-18-2009] McAfee RAR,ZIP multiple evasions - BID34780
▪ [TZO-17-2009] Trend Micro RAR,ZIP,CAB evasion (no patch) - BID34763
▪ [TZO-16-2009] Nod32 CAB bypass / evasion - BID34764
▪ [TZO-15-2009] Aladdin eSafe generic evasion / bypass - BID34726
▪ [TZO-14-2009] Comodo RAR evasion - BID34737
▪ [TZO-13-2009] Avira Antivir ZIP evasion - BID34723
▪ [TZO-11-2009] Fortinet - Generic evasion (Limited details) - BID34583
▪ [TZO-10-2009] Nod32 - Generic evasion (Limited details) - BID34764
▪ [TZO-09-2009] Avast! - Generic evasion (Limited details) - BID34578
▪ [TZO-08-2009] Bitdefender - Generic evasion (Limited details) - BID34580
▪ [TZO-07-2009] F-Prot - ZIP Method evasion - BID15293 - CVE
▪ [TZO-06-2009] IBM Proventia - Generic evasion (Limited disclosure)
▪ [TZO-05-2009] ClamAV below 0.95 - Generic evasion (Limited disclosure) - BID34344

Hardware

I am by far not an electronic engineer - I learned to solder and modified a bit of hardware as a hobby and out of interest.

Bluetooth Sniper Weapon
This is my version of the Bluetooth Sniper weapon. It features a medium sized YAGI antenna combined with a 10x magnification scope and a metalised parabolic reflector which bundles the Bluetooth signal, thus further enhancing the range.

USB HW Fuzzer
A long term project with regards to USB devices and security.

Thierry Zoller
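The renegotiation flaw covered by the TLS/SSL whitepaper above (CVE-2009-3555) was closed by RFC 5746: a patched server answers the initial handshake with the renegotiation_info extension (type 0xff01) carrying an empty renegotiated_connection, so the extension body is the single byte 0x00. The Python below is an added example, not code from this page or from SSL Audit; it parses a ServerHello record and reports whether that extension is present. The two ServerHello byte strings it checks are constructed fixtures built by the helper at the bottom, not captured traffic, and all function names are my own.

```python
"""Check whether a TLS ServerHello advertises RFC 5746 secure renegotiation.

Added example (not from the page or the author's tools). The ServerHello
fixtures at the bottom are constructed, not captured from a real server.
"""
import struct
from typing import Dict, List, Tuple

RENEGOTIATION_INFO = 0xFF01   # extension type defined in RFC 5746
HANDSHAKE_RECORD = 0x16       # TLS record content type "handshake"
SERVER_HELLO = 0x02           # handshake message type


def parse_server_hello_extensions(record: bytes) -> Dict[int, bytes]:
    """Return {extension_type: extension_data} from one ServerHello record.

    Raises ValueError on anything that is not a well-formed ServerHello.
    """
    # Record layer header: type(1) version(2) length(2)
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")

    # Handshake header: msg_type(1) length(3)
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")

    # Fixed fields: server_version(2) random(32) session_id<0..32>
    pos = 2 + 32
    if len(hello) < pos + 1:
        raise ValueError("ServerHello too short")
    pos += 1 + hello[pos]          # session_id length byte plus session_id
    pos += 2 + 1                   # cipher_suite(2) plus compression_method(1)
    if pos > len(hello):
        raise ValueError("ServerHello too short")

    extensions: Dict[int, bytes] = {}
    if pos == len(hello):
        return extensions          # no extension block at all: pre-RFC 5746 server

    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end != len(hello):
        raise ValueError("extension block length mismatch")
    while pos < end:
        if pos + 4 > end:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        if pos + ext_len > end:
            raise ValueError("extension overruns block")
        extensions[ext_type] = hello[pos:pos + ext_len]
        pos += ext_len
    return extensions


def supports_secure_renegotiation(record: bytes) -> bool:
    """True iff the ServerHello carries renegotiation_info with the value an
    initial handshake must have: a single zero-length renegotiated_connection."""
    data = parse_server_hello_extensions(record).get(RENEGOTIATION_INFO)
    return data == b"\x00"


def build_server_hello(extensions: List[Tuple[int, bytes]]) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (fixture only).

    Fixed dummy random, empty session id, TLS_RSA_WITH_AES_128_CBC_SHA (0x002f).
    """
    hello = b"\x03\x01" + b"\x11" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE_RECORD]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed fixtures: a server that implements RFC 5746 and one that does not.
PATCHED_SERVER_HELLO = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])
UNPATCHED_SERVER_HELLO = build_server_hello([])

if __name__ == "__main__":
    for name, rec in (("patched", PATCHED_SERVER_HELLO), ("unpatched", UNPATCHED_SERVER_HELLO)):
        print(name, "secure renegotiation:", supports_secure_renegotiation(rec))
```

On a live connection the record to feed in is the first handshake record the server returns after a ClientHello that itself offers renegotiation_info (or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV suite); `openssl s_client` performs the same check and prints "Secure Renegotiation IS supported" or "IS NOT supported". A server without the extension is not necessarily exploitable, since some vendors simply disabled renegotiation, but it cannot be distinguished from an unpatched one by this check alone.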

1 comment:

EAP-TTLS said...

In conclusion, many organisations that have implemented 802.1x believe that their wireless networks are more secure than their wired networks. This is because 802.1x implements authentication and data encryption, which are absent in many wired networks.

3 comments:

  1. This is the man with the answer,
    http://www.zoller.lu/research/bluetooth.html

    USB Dongle

    The soldering process was a mess, I never soldered in my life and hence I wasted a dongle trying. The antenna hole is really thin, so instead of poking the cable through the hole I soldered it directly on to existing solder by lightly heating it up indirectly through the cable. Anyway, after several hours of work trying different cable combinations and temperatures I succeeded. Great care should be taken not to heat up the chip too much while soldering. (Hint: I used aluminium foil to shield it from excess heat.) After I successfully soldered it to some coax cable, I closed the USB dongle and glued the cable in place using a hot glue gun.

    YAGI Antenna

    Then modifications to the YAGI had to be made. Initially the YAGI antenna has the cable ending come out of the side of the antenna; I wanted the end of the cable to come out at the horizontal end of the antenna. The goal was that the cable directly enters the gun through the parabola without any cable visible. This was done by simply bending the cable inside, drilling a hole here and there and having it go out at the end of the antenna.

    Combining YAGI and the Bluetoothed Dongle

    Now both had to be interconnected while taking care that the cable, dongle and USB connector fit inside the plastic moulding of the main part of the gun. The tricky part here was that the Yagi, the parabola, the gun, the cables and the dongle had to align correctly for the whole to fit.

    The Parabola

    The parabola was clear plastic and had to be metalised in order to correctly reflect the Bluetooth wavelength; I used 99% zinc spray to create a flat metal surface. Bluetooth uses a different part of the electromagnetic spectrum with quite different signal propagation characteristics than Wifi. The signal wavelength used with Bluetooth communication is about 12.5 cm (at its associated frequency of 2.4GHz). At this wavelength, radio frequency (RF) communications can penetrate many non-metallic obstacles.

    The Scope

    The scope gives a 10 fold magnification directly through the parabola; the lens itself can be adjusted to compensate for vision problems.

    Pictures

    Wait, what's this?

    This is my Personal "Blog", well kind of, my name is Thierry Zoller I am currently working as a Security Engineer and Penetration Tester for "some company" in Luxembourg.On these pages i'll treat everything I enjoy and I get in touch with. This may not be strictly related to security but may also touch parts of my personal life. Speaking of which, on the left that's me, I am 26 and have been involved in the security field since I was 16. I do sports, Fitness and Body Building, I hack various things such as cars, electronics...

    Disclaimer

    The views and opinion expressed herein are my personal views and are not intended to reflect the views of my employer or any other entity.

    Quick Links

    ▪ Research and Development
    ▪ Sp2 monitors Search queries

    Related Links

    ▪ Trifinite.org - Nice tools
    ▪ Digital Munition - Kevin Finisterre (Thank you)
    ▪ HowStuffWorks - Bluetooth
    ▪ YAGI Antenna - Seattle Wireless

  2. TOOLS AND DETAILS

    http://www.nruns.com/_downloads/23C3-Berlin-Bluetooth-Hacking-Revisited-Thierry-Zoller.pdf

    http://media.ccc.de/browse/congress/2006/23C3-1733-en-bluetooth_hacking_revisited.html

    http://secdev.zoller.lu/btcrack.zip

  3. Here is the link to the PDF with images that explain how it worked

    http://secdev.zoller.lu/23C3-Bluetooth-Hacking-Revisited-Thierry-Zoller.pdf
