More Anomaly Hunting with Proxmark3 RDV4

I decided to audit my large collection of RFID hotel keys I’ve collected over the years. Just to get an idea what’s out there, and look for patterns and anomalies.

One strange set I found is from the Waldorf Astoria in Park City. Didn’t respond to HF or LF search, but it clearly says right on the card, “hold key within 1/2 inch of locking device.” I wonder what they’re using if it doesn’t register at all on the Proxmark? I have four of them, maybe I’ll see if I can crack one open to see what’s inside.

The Hilton cards, for the most part, revert to hardnested attacks, but fall rather quickly, as opposed to the Sheraton card I was battling earlier in the week.

I guess I have about 75 card dumps in total now, about 40 of which are Hilton.

Proxmark hotel travels

I’ve been playing with reading/cracking hotel room keys using the Proxmark3 RDV4 lately.

Most hotel room keys I have collected are MiFare Classic 1K. MOST of them are susceptible to autopwn within a minute or so. Coincidentally, most of my collection are from Hilton properties. Recently I came across a Sheraton room key that didn’t fall within the expected timeframe.

The “Weak PRNG” method did not work on this particular card, and so pm3 (RRG/Iceman fork) reverted to a hardnested attack. On my MacBook Air M1, that was slated to take 2 days. I moved the task to a more powerful Kali desktop, and it’s now slated to take 9 hours to complete.

I will update this post when I experience either success or failure. I do like a challenge.

Hours later: The first run stopped in midstream with “Could not connect to Proxmark.” Running it again for good measure.

Hours later again: Collapsed again after a couple of hours. Might have to try a different approach.

I learned some stuff in my reading, though. Apparently it’s all a game of spy vs spy. There are RFID systems that will detect cloned cards by attempting to write to block 0. If successful, it’s a writable clone card and the system can deny and alert. There are also more advanced CARDS that can be written and then locked, to defeat those features.

In-person tonight @ Social House

For those who choose to join us, Social House in South Riding/Chantilly. We’ll try to get our usual outdoor table. Tonight’s topics are badge artwork and stickers. 1830, first one there grab the big table.

Update on running MS Office in closed lab networks

Some of you might have been subject to my old-man ranting about how difficult it has become to install software that “just works.” My raging against the cloud, against everything-as-a-subscription, and against software that requires the capability of phoning home, either during install or on a continual basis.

My task was to install MS Office in a closed lab network, so that the users doing the work in the lab could write reports, etc., without having a separate machine just for that purpose. This network does not connect to the internet. It is a self-contained lab network with only what is needed for the lab installed on it.

It’s been a while since I fucked around with Microsoft products, and I naively assumed it would be a piece of cake. Just install it, give it a key, and be good to go. I was warned by those who had gone before me that it’s no longer that simple. Everything in Microsoft-land requires internet, they told me. “Surely they understand that a use case exists for no internet/no cloud,” I started to respond, before reliving the trauma of having to kill Atlassian when they made their on-prem product completely out of reach for small groups/businesses.

So I started down the road. I bought 12 licenses for “standalone” office 2016, went through the process of installing it on one of the lab machines, and yep, it requires internet to activate. OK, I’ll play along. We use FOG to image these lab workstations, so I set up a fresh install on a golden image candidate, activated it over the internet (very ugly process, by the way, if you buy multiple licenses), confirmed it was functional, and then captured an image of it. Rolled it out to other workstations, only to find that each new clone required its own activation. Well, this will never work.

I managed to get MS to refund the product after a lengthy discussion with a support rep. I decided I wanted to go the way of a volume license, only to learn that the KMS server too needs to touch the internet. I kept reading and reading and learning, and finally came across vlmcsd, which is a Linux-based open-source KMS server. Its only job is to say yes. When configured as the KMS server for a workstation (using DNS or manually via slmgr), any activation requests received by that KMS server are simply approved.

So I built one, making sure our licensing is properly paid for and accounted for, of course. I added the SRV record for announcing the KMS service to the closed-network DNS, and installed the VL version of Office. Initially, running OSPP.VBS from the Office16 directory reported that the software was under a grace period with <30 days remaining, but after a reboot it reported it was fully licensed.

I wish vendors would provide a bit more flexibility in their product offerings, and understand that there are use cases that are outside the norm. I understand their need to protect their software from piracy, but this kind of heavy-handed control really makes it difficult for some of us who, for various reasons, don’t want to connect every network in our enterprise to the internet. We still exist.

DC540 is Virtual this evening

Tune in to the Discord voice channel at 1830. Good chance to get to know some of us if you haven’t been to an in-person, or to participate in summer camp decision-making if you’re a regular.

Resurrecting Carelessly Discarded Data

I picked up a large batch of MicroSD cards and adapters for an upcoming project. I’m cheap, and the data reliability isn’t critical, so I picked up used cards on ebay. After I made the purchase, it occurred to me that this was a potential teaching moment, both to freshen my own skills and to raise awareness for others who may not pay as much attention as those of us in the field.

TLDR: If you don’t know how deleted your data really is, don’t give, sell or return writable media. Either learn how to securely erase your data and confirm that it has been erased, or toss it in a fire.

So before they showed up, I installed the latest version of Autopsy on a fresh Windows box. Fresh because, well, just like I’m assuming that others might have been careless in data deletion, I have to guard against being careless about sticking random cards in my machines.

So they arrived. The moment of truth was here. I pulled out the first MicroSD, stuck it in the first adapter, and inserted it into a USB slot on the PC.

Predictably, it pops up as a blank, formatted card. Let’s see what Autopsy sees…

Let’s see, it’s been a while since I played with Autopsy. Let’s go with:
* Add Data Source
* Let’s call it Card001
* Local Disk
* Select Disk. On my machine it showed up as H:
* <Next>

I’m leaving everything checked here. If this was true forensics I might be more choosy, but I’m not.

Looks like the first test is examining the file system. “Adding $OrphanFiles,” it says.

After that, it tells me file analysis has started. I can hit finish, but I can tell by the progress bar in the lower right that it’s still analyzing stuff. This process goes on for a few minutes.

After the file analysis phase, it moves on to the data integrity phase.

Finally it’s done. I browse the card in the data source tree. Ooh, look, there are recovered files in the $CarvedFiles folder! Baby pics, family pics, and yes… porn. Folks, I recycled porn from the very first used SD card I tested.
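A small scan of the kind Autopsy’s carver runs, added here as an example (not the post’s own tooling and not Autopsy code): it reads a raw image in chunks, counts non-zero bytes and reports file-signature hits with their offsets, which is also how to confirm that a card you are about to sell really is erased rather than just formatted. The signature table is a constructed subset and the demo images are constructed in a temp directory.

```python
import os
import tempfile

# Constructed subset of carving signatures; a real carver knows many more.
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"ID3": "mp3",
}

def scan_image(path, chunk=1 << 20):
    """Stream a raw device/image file; return byte count, non-zero byte
    count and sorted (offset, kind) signature hits. A carry buffer keeps
    signatures that straddle a chunk boundary from being missed."""
    maxlen = max(len(s) for s in SIGNATURES)
    nonzero, offset, carry, hits = 0, 0, b"", set()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            nonzero += len(block) - block.count(0)
            buf = carry + block
            base = offset - len(carry)      # absolute offset of buf[0]
            for sig, kind in SIGNATURES.items():
                i = buf.find(sig)
                while i != -1:
                    hits.add((base + i, kind))
                    i = buf.find(sig, i + 1)
            carry = buf[-(maxlen - 1):]     # overlap for the next chunk
            offset += len(block)
    return {"bytes": offset, "nonzero_bytes": nonzero,
            "signatures": sorted(hits)}

def verdict(report):
    """Zero-filled means erased; no hits means nothing recognisable was
    found (not proof of erasure); anything else is recoverable content."""
    if report["nonzero_bytes"] == 0:
        return "zero-filled"
    return "no known signatures" if not report["signatures"] else "recoverable"

def demo(chunk=16):
    """Constructed images: one wiped, one 'formatted' with a JPEG header
    placed across a chunk boundary and a PNG header further in."""
    d = tempfile.mkdtemp()
    wiped = os.path.join(d, "card_wiped.img")
    dirty = os.path.join(d, "card_formatted.img")
    with open(wiped, "wb") as f:
        f.write(b"\x00" * 64)
    with open(dirty, "wb") as f:
        f.write(b"\x00" * 14 + b"\xff\xd8\xff" + b"\x00" * 30
                + b"\x89PNG\r\n\x1a\n" + b"\x00" * 10)
    return scan_image(wiped, chunk), scan_image(dirty, chunk)
```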

So I’m up to card 28 now, and a few patterns emerged.

The metadata shows a strong preponderance of Nokia 5300 as the image source. This tells me these cards were likely sold by a shop servicing Nokia phones. The mp3 and video content I’ve extracted so far shows a strong trend toward Spanish-speaking content, and a few of the images with recognizable stuff on them actually mentioned Mexico.

I need to dig deeper into metadata, but visually it appears that at least some of the porn is homemade. Some of the cards had porn images which had likely been downloaded from the internet, as I discovered by running them through TinEye.

I’ve really got to refresh my Autopsy skills. I don’t do forensics for a living, but it helps to know the workflow of someone who does, in case you one day need to protect yourself from an enthusiastic forensic investigator.

Further learning: There are hash sets you can obtain to validate files you find against known file hashes, which might be the prudent thing to do if you don’t know what your found media might contain. It might be good to know whether you’re handling CSAM before you actually view it.
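The hash-set triage just described, as an added example that is not code from the post or from Autopsy: every carved file is hashed in chunks and checked against a known-bad set and a known-good set before anyone opens it. Both sets here are constructed stand-ins (the known-good role is what NSRL fills in practice), and the sample $CarvedFiles directory is built in a temp folder.

```python
import hashlib
import os
import tempfile

# Constructed reference sets. Digests are computed from sample bytes at
# import time so no real reference hashes are embedded in this example.
KNOWN_GOOD = {hashlib.sha1(b"GIF89a stock clip-art shipped in phone firmware").hexdigest()}
KNOWN_BAD = {hashlib.sha1(b"CONSTRUCTED placeholder for flagged content").hexdigest()}

def sha1_of_file(path, chunk=1 << 20):
    """Hash in chunks so a large carved video never sits in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(carved_dir, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Classify every file under carved_dir by hash alone, never rendering
    it. Returns {relative_path: 'known_bad' | 'known_good' | 'unknown'}."""
    verdicts = {}
    for root, _dirs, files in os.walk(carved_dir):
        for name in files:
            path = os.path.join(root, name)
            digest = sha1_of_file(path)
            rel = os.path.relpath(path, carved_dir)
            if digest in known_bad:
                verdicts[rel] = "known_bad"    # hand off, do not open
            elif digest in known_good:
                verdicts[rel] = "known_good"   # safe to ignore
            else:
                verdicts[rel] = "unknown"      # needs a careful look
    return verdicts

def demo():
    """Build a constructed $CarvedFiles-style directory and triage it."""
    d = tempfile.mkdtemp()
    samples = {
        "f0000123.gif": b"GIF89a stock clip-art shipped in phone firmware",
        "f0000456.jpg": b"CONSTRUCTED placeholder for flagged content",
        "f0000789.jpg": b"\xff\xd8\xff\xe0 something nobody has hashed yet",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return triage(d)
```

Known-bad hits are handed off unopened; only the "unknown" bucket needs a human to look at it.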

DC540 Monday 4/18 VIRTUAL

We’ll be meeting up in the Discord voice channels on Monday evening @ 1830. We will likely break off into at least one non-public channel for badgedev discussion, but please feel free to join us in the main meeting channel anyway.

In-Person @ Social House Again Tonight

We’ll be in person at the Social House tonight. Social House is a restaurant — not my house, FYI. Will have the Malort if anyone’s feeling stupid. Will have last year’s badge to compare and discuss w/r/t planning and measuring for this year’s badge.