Bought a Ladybird

A friend of mine invited me and my wife to an RC flight show the other day, and they had a little tent where they sold stuff as well.
Unluckily I had just transfered some money to my card, so I couldn’t resist in buying this rather cute little quad copter.

It’s a Ladybird QR Series V939 and it went at 400 SEK (~$62), but normally it’s around 650 SEK (~$100).

It’s rather difficult to fly at first, and you need to take it very easy and simply go up and down for a while until you get the hang of it.
So far I have been able to fly around pretty well, but turning it around in the air is very difficult, since the up and down acceleration is on the same switch, which makes it harder since it tends to go either up or down then at the same time as you turn it, so that requires some practice.
I have crashed mine at least 50 times now, and it’s still working like a charm, so I’m pretty confident when I say that it can take quite a few hits without any problems.
So although you shouldn’t throw it into walls or drop it from buildings, it’s fine to play around and learn by doing wrong quite a few times.
As long as you turn off the engines when you feel that you are loosing control, it should be fine (since if you don’t, the propellers might get stuck somewhere when/if you crash, and that will damage the engines and the quad wont live for very long).

I made a short demo of when I fly it at home, and although it’s not much, and I don’t want to fly around too much in here, it still shows you how it looks when it moves around, and how it sounds.
As you can see, there are diodes and the propellers have different colors.
This is so that you can see which direction it’s facing.
Blue light and orange propellers means front.

<video removed>

I have tried flying it outside as well, and it does remarkably well there as well, although it can’t handle much wind. But it’s still loads of fun.

The controller has a few buttons, the sticks to control the directions, the upper left button to change the effect of the engines (higher percentage makes it more sensitive), the upper right button makes the quad do a loop, which is not recommended inside (tried it a few times, and you need a lot of altitude to manage it if you don’t want it to crash). Then there’s 4 buttons for trimming the engines, which can be used if the quad is not flying stable enough when idle in the air, and thus you can compensate for lost power in any of the directions (or possibly if it’s windy outside).
And then of course we have the power button.

I would highly recommend this little toy for almost any kind of person.
Since it flies around at pretty high speed and is not “that small”, it can still damage stuff that it hits, so I don’t recommend it as a toy for children, at least not for playing inside the house.

That’s it for now I guess 🙂

CloudCracker.com

So a friend told me about cloudcracker.com, which is a service for cracking password hashes and password protected files.
I was thinking about trying it out on my home WiFi, but they only support phone numbers, English words and 2WIRE default passwords.
And since my password is a long one with random chars in it, there wont be any point in trying it at the moment, even though I’ve read on forums around the net that their service is effective, so I’ll just take them for their words 🙂

Currently the algorithms they support are

  • WPA / WPA2
  • LM / NTLM
  • SHA-512 (Unix)
  • MD5 (Unix)
  • MS-CHAPv2

I was curious if I could create a hypothetical service in my mind that was better than cloudcracker, and still realistic enough for me to accomplish.
So I started calculating how large a dictionary would be, uncompressed, if I wanted all words with the length 8, using 62 chars (A-Za-z0-9).
It would become ((62^8)*9)/(1024^4) = ~1787 TB (TeraBytes), which is just too much right now, seeing that the cheapest 2TB harddrive right now costs around 700 SEK (~$116), and then times 1000 would be 700000 (~$116000), and yeah, not within my budget :).
So I’ll just wait for the PetaByte drives to arrive, whenever that will happen :D.

I wrote a small Perl script for fun, to calculate it

#/usr/bin/perl
use warnings;
use strict;

my $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
my $length = 8;

print "Calculating dictionary size in TeraBytesn";
print "Size: " . (((length($chars) ** $length)*($length+1))/(1024 ** 4)) . " TBn";

Bought an NFC reader/writer

So I bought an NFC/RFID unit for reading and writing to and from different NFC/RFID tags.
It can also communicate via P2P with other devices.

I bought it for a project at work (I intend to make the company pay me back if it turns into a real project, as it’s only in the “idea stage” at the moment), but also because I want to learn how this technology works, how to write applications that use it and so on, so that I can add it to my trunk of “hey I know that!”-stuff.

The model is called ACR122U and is a newer model that is compatible with a lot of different standards.
Some of these being;

  • ISO 14443 Type A and B
  • Mifare
  • FeliCa
  • All 4 types of NFC (ISO/IEC 18092) tags
  • New Mifare Ultralight C
  • Mifare Plus
  • DESFire EV1
  • All 3 modes of NFC: reader, card emulation and peer-to-peer modes

I just read that in the product sheet, so that list probably covers it all.
The sheet can be found at the link below

Download sheet here

For the uninformed, NFC stands for Near Field Communication and RFID stands for Radio Frequenzy Identification.
And they are both typically used for train/bus cards, newer credit cards and together with the kind of App you can use for your smartphone when paying in a store.

If you want to read more specifically what it is, you can go to the links below, since I wont cover that here:

http://en.wikipedia.org/wiki/Radio-frequency_identification
https://en.wikipedia.org/wiki/Near_field_communication

But basically they are both used for identifying objects that they (the RFID tags) are attached to, like the tags you use to open doors sometimes.
NFC is a bit more advanced and newer, but is based on the RFID standard.

Anyway, so I have only done a few experiments so far where I read from the card and then try to dump some data. I’ll write more posts later about this and my progress, but for now this is what I have done.

root@enma:/home/cats/Desktop/nfc/libnfc-1.7.0-rc7# nfc-list -v
nfc-list uses libnfc 1.7.0-rc7
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04  
* UID size: single
* bit frame anticollision supported
       UID (NFCID1): fa  ee  8f  29  
      SAK (SEL_RES): 08  
* Not compliant with ISO/IEC 14443-4
* Not compliant with ISO/IEC 18092

Fingerprinting based on MIFARE type Identification Procedure:
* MIFARE Classic 1K
* MIFARE Plus (4 Byte UID or 4 Byte RID) 2K, Security level 1
* SmartMX with MIFARE 1K emulation
Other possible matches based on ATQA & SAK values:

0 Felica (212 kbps) passive target(s) found.

0 Felica (424 kbps) passive target(s) found.

0 ISO14443B passive target(s) found.

0 ISO14443B' passive target(s) found.

0 ISO14443B-2 ST SRx passive target(s) found.

0 ISO14443B-2 ASK CTx passive target(s) found.

0 Jewel passive target(s) found.

As you can see, just a very quick experiment with libnfc, to see that it can detect the card.

That’s all for now 🙂

Sin 4.5, some important changes

Just a quick post today about some changes in Sin.

I changed the arguments handling now so that it’s handled in a more normal way.
The help output looks like this now, which will give you a pretty good idea:

cats@enma:~$ java -jar Sin.jar --plugin Slowloris --help

[+] Sin version 4.5 starting
[+] Loading help menu

--plugin <plugin> - Specify plugin
--help - Bring up this menu, specify --plugin to show plugin help menu as well
--test - Specify that the test for the specified plugin should be run
--list - List all plugins
--scan - Run all plugin tests against target host (You can specify --host and --port, else defaults will be used)
--version - Show the Sin version, specify --plugin to show plugin version as well

[+] Loading Slowloris help menu

--host <host> - Target host to attack, default localhost
--port <port> - Target host port, default 80
--connections <connections> - Connections to open per thread, default 2
--threads <threads> - Number of threads to open, default 500
--timeout <timeout> - Time in seconds to wait between data sending, default 60
--tor <tor> - Use tor or not 1/0, default 1
--torPassword <torPassword> - Password to your local Tor service, default ''
--torChange <torChange> - The time in seconds between Tor identity change, default 10
--verbose <verbose> - Be verbose and output more data 1/0, default 0

Example: java Sin.jar --plugin Slowloris --host "127.0.0.1" --port 80 --tor 1 

And as you can see, there’s been a few changes.
One of them being a new argument called “–scan”, which will run a function in all plugins called “testSilent” (which has been added to the SinPluginAPI today).
The output is very chatty at the moment, but I plan on changing that soon.
For now it looks like this:

cats@enma:~$ java -jar Sin.jar --scan --host blog.alcor.se

[+] Sin version 4.5 starting
[+] Starting scan (Some of the tests might take a long time, so go and do something else while you wait)
[+] Running test for Slowread
[+] Connecting to blog.alcor.se on port 80
[+] Connected to blog.alcor.se/31.211.236.140:80
[+] Request sent, now we wait
[+] Connecting to blog.alcor.se on port 80
[+] Connected to blog.alcor.se/31.211.236.140:80
[+] Request sent, reading 28 bytes of the response (3 times)
[+] This will take about 3 times the initial timeout, if it succeeds
[+] Host appears to be vulnerable to Slowread
[+] Running test for SinfulCookie
[+] Checking target for Vulnerability
[+] Connecting to blog.alcor.se on port 80
[+] Connected to blog.alcor.se/31.211.236.140:80
[+] Headers sent
[-] Host is not vulnerable to SinfulCookie
[+] Running test for ApacheRangeHeader
[+] Checking target for Vulnerability
[+] Connecting to blog.alcor.se on port 80
[+] Connected to blog.alcor.se/31.211.236.140:80
[+] Headers sent
[-] Host is not vulnerable to ApacheRangeHeader
[+] Running test for Slowloris
[+] Connecting to blog.alcor.se on port 80
[+] Connected to blog.alcor.se/31.211.236.140:80
[+] Headers sent
[+] Connecting to blog.alcor.se on port 80
[+] Connected to blog.alcor.se/31.211.236.140:80
[+] Headers sent, sleeping 30 seconds
[-] Host is not vulnerable to Slowloris
[+] Running test for Slowpost
[+] Connecting to blog.alcor.se on port 80
[+] Connected to blog.alcor.se/31.211.236.140:80
[+] Headers sent
[+] Connecting to blog.alcor.se on port 80
[+] Connected to blog.alcor.se/31.211.236.140:80
[+] Headers sent, sleeping 0 seconds
[+] Post data sent, will wait for timeout now
[-] Host is not vulnerable to Slowpost
[+] Scan finished

But the ideal output would be something like this

cats@enma:~$ java -jar Sin.jar --scan --host blog.alcor.se

[+] Sin version 4.5 starting
[+] Starting scan (Some of the tests might take a long time, so go and do something else while you wait)
[+] Host appears to be vulnerable to Slowread
[-] Host is not vulnerable to SinfulCookie
[-] Host is not vulnerable to ApacheRangeHeader
[-] Host is not vulnerable to Slowloris
[-] Host is not vulnerable to Slowpost
[+] Scan finished

Which is what I will do tonight, since all it takes is to add a “verbose” flag to the methods that the test and testSilent methods have in common, so that I can make the “silent” one a bit more … silent 🙂