Blackberry 10

March 20th, 2013

I’ve started to poke around with the BB10 simulator. Found a couple interesting things, will post more when I have a writeup.

G13 Security

Egg on my face

November 5th, 2012

I just realized that the APK available for download as part of my FTPServer DoS is the incorrect version.  This has been fixed and the proper version has been uploaded.

G13 Security

October Research

October 28th, 2012

I was able to find some time to do a bit more research this month.  The Allscripts vulnerability is an old one I finally got around to publishing:

G13 Security

Hacking Android Apps for Fun and Profit

October 26th, 2012

A short while ago I wrote up a brief paper detailing some of the research I have been doing on the Android platform.  The paper has been published on Exploit-DB and can be found here:

Hacking Android Apps for Fun and Profit

G13 Security

GrrCON and DerbyCON wrapup

October 26th, 2012

I know it has been a few weeks since these conferences ended, but life is very busy!  Both conferences were simply amazing.  I met many new people and was able to put faces to names of people I have been talking to for awhile.

A big shout out to all the staff at the two cons for putting on an amazing show.  I can’t wait for next year and hopefully I’ll be able to speak at both again!

I would also like to thank all those who attended my talks and to those who came up to me afterward!  Both talks were recorded but as of right now only the DerbyCON talk has been posted:

G13 Security

GrrCON and DerbyCON

August 16th, 2012

Wow I totally spaced about posting these updates on here.  I have been selected to speak at both DerbyCON and GrrCON!!

GrrCON is Sept 27-28 in Grand Rapids, MI.

DerbyCON is Sept 28-30th in Louisville, KY.

I will be presenting my Android in Healthcare: A Case Study talk at both conferences.  Come check it out!

G13 Security

Installing BeEF on the Raspberry Pi

July 6th, 2012
Comments Off

The Raspberry Pi( is a $25 ARM GNU/Linux box that is the size of a credit card.  The applications for this little device are seemingly endless.  So naturally I picked one up and started working on some penetration testing scripts for this box.  One of my goals was to get BeEF running; which I have done.

BeEF comes with a couple installation scripts.  I used these as a starting ground to get BeEF running on the Raspberry Pi.  The script I started with was the “install-beef” script.

After running the script, I noticed that the install failed after trying to install rvm.  It appeared that even though rvm installed, it was not available to run.  I was able to track this down to a PATH issue.  In the install-beef script, the $HOME/.rvm/scripts/rvm file is referenced.  That file was never created.

I changed the install-beef script to contain a line which created the symbolic link between /usr/local/rvm/scripts/rvm and the one in my local path. After that, everything went off without a hitch!  I also removed some of the code to detect other OSes as the script is intended to only run on the Raspberry Pi.

I would also like to note that during the installation, Ruby 1.9.2 is compiled and installed. I highly recommend changing the RAM allocation from 128/128 to 224/32.  This will speed up compile time.  If you are not familiar with how to do that, here is the command:

As Root: cp /boot/arm224-start.elf /boot/start.elf

BeEF takes about 1 minute to load after the RAM changes are made.  It is not recommended to run X while running BeEF.  Navigating to the UI from another machine is decent, but not as snappy if BeEF was run from more powerful hardware.  I tested hooking a few clients and the performance in the UI did not degrade.

Of course, what would this post be without a screen shot of BeEF running on the Pi:

I have included my modified install script in the PwnBerryPi pentesting suite which is available on github.

G13 Security


June 25th, 2012

I have finally gotten around to releasing my own set of scripts/packages for the Raspberry Pi!  I would like to introduce everyone to PwnBerryPi!  What started off as contributions to PwnieExpress’s Raspberry Pwn project has been spun off on its own.

Why another Raspberry Pi pentesting distro?  Short answer: because I can.  Long answer: my goals for the project are different from PwnieExpress’s.  I have a feeling that PE is trying to align both their commercial set and the Raspberry Pi suite.  They are also working on some other cool projects that just don’t meet what I am looking for.

I also plan on making several OS customizations and a downloadable image; I don’t think these are in the pipeline for Raspberry Pwn.  These are still in the works.

What else makes it different?  Metasploit, reverse shells, and webshells.  When the RAM settings are changed, Metasploit is usable on the device.  Also I included several reverse shells; Rel1k’s encrypted HTTP shell, a PHP shell, and a perl shell.  The webshells were from a collection on Backtrack.

So please give PwnBerryPi a try and let me know of any changes/issues.

Download the code from github:

G13 Security

Adventures with Raspberry Pi

June 13th, 2012

If you have been living under a rock and don’t know what a Raspberry Pi is, it is a $35 ARM GNU/Linux computer.  When I first heard of it, my first thoughts were that this would make an awesome pentesting tool.  It is the size of a credit card and has low power requirements(5V 7mA).  I ordered mine in March and it finally arrived this week.

On the idea of pentesting, I was not alone in thinking this is a cool platform to use.  My first Google searches brought me to Pwn Pi.  They eventually released a standalone OS on sourceforge.  After looking at the tool list, I noticed they were missing a key competent; having the system call back home.

So I started a project, Raspberry Pwn.  The goal of the project was to create a distro that would aid pentesters once they got inside the network.  It was not to be a Backtrack copy, but a focused set of tools.  The main thing for it is to provide scripted reverse shells to give the pentester access once the device has been delivered/plugged into the target network.

As I found out yesterday, the name Raspberry Pwn was not very unique.  Pwnie Express came out with a set of scripts that they call Raspberry-Pwn.  It seems pretty straight forward; prep an SD card and run the install scripts.  Now where does this leave my project?

Pwnie Express’ current scripts include no reverse shell scripts.  It is also missing exploits.  Exploit-DB and Metasploit are not included in the initial script release.  With the project on github, it gave me a starting point.

I forked the project and have already begun making changes.  The script gives me a good starting point and hopefully I can have a decent release soon.  I also have to come up with a new name.  My plan is to also deploy a standalone OS which already has the script run to install the tools.

Stay tuned for more!

G13 Security

April Research Roundup

May 7th, 2012

April has been over for awhile now.  I was slightly busy in that month and have added 4 disclosures to my list:

With travel for work calming down, I’m hoping to have my time to hack stuff in May!

G13 Security