Grey bar Blue bar
Share this:

Fri, 13 Jun 2014

Release the hounds! Snoopy 2.0

theHounds
Friday the 13th seemed like as good a date as any to release Snoopy 2.0 (aka snoopy-ng). For those in a rush, you can download the source from GitHub, follow the README.md file, and ask for help on this mailing list. For those who want a bit more information, keep reading.

What is Snoopy?


Snoopy is a distributed, sensor, data collection, interception, analysis, and visualization framework. It is written in a modular format, allowing for the collection of arbitrary signals from various devices via Python plugins.


It was originally released as a PoC at 44Con 2012, but this version is a complete re-write, is 99% Python, modular, and just feels better. The 'modularity' is possibly the most important improvement, for reasons which will become apparent shortly.


Tell me more!


We've presented our ongoing work with snoopy at a bunch of conferences under the title 'The Machines that Betrayed Their Masters'. The general synopsis of this research is that we all carry devices with us that emit wireless signals that could be used to:

  • Uniquely identify the device / collection of devices

  • Discover information about the owner (you!)


This new version of snoopy extends this into other areas of RFID such as; Wi-Fi, Bluetooth, GSM, NFC, RFID, ZigBee, etc. The modular design allows each of these to be implemented as a python module. If you can write Python code to interface with a tech, you can slot it into a snoopy-ng plugin.


We've also made it much easier to run Snoopy by itself, rather than requiring a server to sync to as the previous version did. However, Snoopy is still a distributed framework and allows the deployment of numerous Snoopy devices over some large area, having them all sync their data back to one central server (or numerous hops through multiple devices and/or servers). We've been working on other protocols for data synchronisation too - such as XBee. The diagram below illustrates one possible setup:


Architecture Diagram

OK - but how do I use it?


I thought you'd never ask! It's fairly straight forward.

Hardware Requirements


Snoopy should run on most modern computers capable of running Linux, with the appropriate physical adapters for the protocols you're interested in. We've tested it on:

  • Laptop

  • Nokia N900 (with some effort)

  • Raspberry Pi (SnooPi!)

  • BeagleBone Black (BeagleSnoop!)


In terms of hardware peripherals, we've been experimenting with the following:
TechnologyHardwareRange
Wi-FiAWUS 036H100m
BluetoothUbertooth50m
ZigBeeDigi Xbee1km to 80kms
GSMRTL2832U SDR35kms
RFIDRFidler15cm
NFCACR122U10cm


The distances can be increased with appropriate antennas. More on that in a later blog post.

Software Requirements


Essentially a Linux environment is required, but of more importance are the dependencies. These are mostly Python packages. We've tested Snoopy on Kali 1.x, and Ubuntu 12.04 LTS. We managed to get it working on Maemo (N900) too. We're investigating getting it running on OpenWRT/ddWRT. Please let us know if you have success.

Installation


It should be as simple as:
git clone https://github.com/sensepost/snoopy-ng.git
cd snoopy-ng
bash ./install.sh

Usage


Run Snoopy with the command 'snoopy', and accept the License Agreement. We'd recommend you refer to the README.md file for more information, but here are a few examples to get you going:


1. To save data from the wireless, sysinfo, and heartbeat plugins locally:

snoopy -v -m wifi:iface=wlanX,mon=True -m sysinfo -m heartbeat -d <drone name> -l <location name>

2. To sync data from a client to a server:


Server:

snoopy_auth --create <drone name> # Create account
snoopy -v -m server # Start server plugin

Client:
snoopy -v -m wifi:iface=mon0 -s http://<server hostname>:9001/ -d <drone name> -l <location name> -k

Data Visualization


Maltego is the preferred tool to perform visualisation, and where the beauty of Snoopy is revealed. See the README.md for instructions on how to use it.

I heard Snoopy can fly?


You heard right! Well, almost right. He's more of a passenger on a UAV:



There sure is a lot of stunt hacking in the media these days, with people taking existing hacks and duct-taping them to a cheap drone for media attention. We were concerned to see stories on snoopy airborne take on some of this as the message worked its way though the media. What's the benefit of having Snoopy airborne, then? We can think of a few reasons:


  1. Speed: We can canvas a large area very quickly (many square kilometres)

  2. Stealth: At 80m altitude the UAV is out of visual/audible range

  3. Security: It's possible to bypass physical security barriers (walls, men with guns, dogs)

  4. TTL (Tag, Track, Locate): It's possible to search for a known signature, and follow it


We're exploring the aerial route a whole lot. Look out for our DefCon talk in August for more details.

Commercial Use


The license under which Snoopy is released forbids gaining financially from its use (see LICENSE.txt). We have a separate license available for commercial use, which includes extra functionality such as:

  • Syncing data via XBee

  • Advanced plugins

  • Extra/custom transforms

  • Web interface

  • Prebuilt drones


Get in contact (glenn@sensepost.com / research@sensepost.com) if you'd like to engage with us.

Mon, 20 Jan 2014

January Get Fit Reversing Challenge

Aah, January, a month where resolutions usually flare out spectacularly before we get back to the couch in February. We'd like to help you along your way with a reverse engineering challenge put together by Siavosh as an introduction to reversing, and a bit of fun.

The Setup


This simple reversing challenge should take 4-10+ hours to complete, depending on your previous experience. The goal was to create an interactive challenge that takes you through different areas of the reverse engineering process, such as file format reverse engineering, behavioural and disassembly analysis.


Once you reached the final levels, you might need to spend some time understanding x86 assembly or spend some time refreshing it depending on your level. To help out, Siavosh created a crash course tutorial in x86 assembly for our malware workshop at 44con last year, and you can download that over here.


The zip file containing the reversing challenge and additional bytecode binaries could be found here.


Send your solution(s) to challenge at sensepost.com

The Scenario


You've been called into ACME Banks global headquarters to investigate a breach. It appears Evilgroup has managed to breach a server and deploy their own executable on it (EvilGroupVM.exe). The executable is software that accepts bytecode files and executes them, similar to how the Java Virtual Machine functions. Using this technique, Evilgroup hopes they can evade detection by antivirus software. Their OPSEC failure meant that both the virtual machine executable and several bytecode files were left behind after the cleanup script ran and it's your job to work out the instruction set of EvilGroupVM.exe.


Disclaimer: When using the term "virtual machine" we mean something like the Java Virtual Machine. A software based architecture that you can write programs for. This particular architecture, EvilGroupVM.exe, has nine instructions whose operation code (opcode) you need to find through binary reverse engineering.


The tools you will require are:


  • A hex editor (any will do)

  • A disassembler like IDA (the free version for Windows will work if you don't have a registered copy)

  • A debugger, Olly or WinDBG on Windows, Gnu GDB or EDB on Linux https://www.gnu.org/software/gdb/


Basic Usage: Unzip the reverseme folder, open a command line and cd to it. Depending on operating system, type
Windows: EvilGroupVM.exe <BytecodeFile>
Ubuntu Linux: ./EvilGroupVM <BytecodeFile>

For example, to run the helloworld bytecode file on Windows, you would type:
EvilGroupVM.exe helloworld

IMPORTANT: Note that the EvilGroupVM.exe architecture has debugging capabilities enabled. This means, it has one instruction that shows you the thread context of a binary when it is hit. Once you start developing your own bytecode binaries, it is possible to debug them (but you need to find the debug instruction/opcode first).


The outcome of this exercise should include the following key structures in your report:


  1. A description of the binary file format. For example:

    • What does the bytecode file header look like?

    • What determines where execution will start once the bytecode is loaded in the VM?

    • Does the architecture contain other parts of memory (like a stack) where it can store data and operate on them?


  2. The instruction set including their impact on the runtime memory. You should:


    • Find all instructions that the EvilGroupVM.exe accepts

    • Analyse each of them and understand how they make changes to the runtime memory of the bytecodes thread


  3. Write a proof of concept self modifying bytecode file that prints your name to the screen. The binary must be self modifying, that is, you may not use the "print_char" instruction directly, rather, the binary must modify itself if it wants to make use of "print_char".

  4. For the advanced challenge, if you have the ability and time, send us back a C file that, when compiled, will give an almost exact match compared to EvilGroupVM (Ubuntu Linux) or EvilGroupVM.exe (Windows). Focus on getting pointer arithmetic and data structures correct.


In case you missed it earlier, the zip file containing the reversing challenge and additional bytecode binaries could be found here.


Send your solution(s) to challenge at sensepost.com


Good luck!

Mon, 30 Dec 2013

Goodbye to 2013, hello to 2014

With 2013 coming to a close, I thought it pertinent to look back at the year we've had and also forward to what's promising to be an incredibly exciting 2014 for us.


2013 for SensePost, was a year of transition. With a new leadership structure in myself, Shane and Dominic, we had a chance to stamp our style and vision and also learn from Charl and Jaco. One of the first leadership choices was to expand our reach and open our first office in London, aptly in a borough called Hackney. Here, we grew our family and welcomed some amazing people into the plak. After a few short months, we had outgrown the office and needed to look for bigger premises, this time in another aptly named area: Whitechapel (think Jack the Ripper).


Back in South Africa, after moving to bigger premises down the road, we finally got a chance to make it feel like home. These two new offices have allowed us to continue to grow at a steady pace, whilst still keeping the SensePost vision and vibe alive.


On a technical level, as this is what we are really about, we've had an amazing year. As part of this new vision, we made some key appointments:


Craig Swan, who originally was part of the assessments team and left, returned home to assume the role of Training Manager. On a training front, we've had one of the busiest years to date. From Blackhat in Las Vegas, Brasil and Seattle, to 44Con in London, for our friends in the US and our courses held in Southern Africa, we've trained hundreds of students in the art of offensive security. We've also created two new courses for the Hacking by Numbers series, one concentrating on mobile assessments and the other on malware reverse engineering. However, we are not resting on our laurels and with Craig on-board, 2014 is looking like being an amazing year for education at SensePost.


Victor Tadden, an experienced technical Project Manager, joined the assessment team to help us be more efficient with our delivery of projects. He brings with him a wealth of software dev experience and has already made a significant impact in the way we work, especially managing to wrangle pen testers together daily for scrum meetings, a feat many will tell you is akin to herding cats.


Tiago Rosado joined us from Portugal to head up our Managed Vulnerability Service, a key service line that many of our clients rely on for a more holistic view of their security posture. Our MVS service line is being revamped for 2014 and Tiago will help us achieve this.


Marc Peiser became our IT Manager and with him, brought a wealth of UNIX experience, having worked for a massive global bank. Marc's aim for 2014 is to ensure that our internal networks are not only robust but also allow us to do what we do. Surprisingly enough, we are frequently attacked and having defense in depth approach to IT is as important to us as it is to our clients.


Internally, we've welcomed some new family members, said goodbye to some.We value those who choose to work here very highly, we want work to be a creative environment where people can have fun, grow and most importantly enjoy coming to work. Nothing makes me more proud than seeing a plakker accepting new challenges, often defining the way the security industry works, or helping others with their security needs. As the penetration industry matures, one of my main goals for 2014 is to ensure that our proven hacker ethos remains.



2013 saw us presenting at conferences throughout the year and for the first time in our history, in a total of eight different countries over five continents. Our research included vulnerabilities in the Internet of things, distributed surveillance frameworks, security analysis of the Trustzone OS and Mobicore and finally using Spatial Statistics to detect Fast-Flux botnet Command and Control (C2) domains.


Technical prowess is still at the very heart of what we do at SensePost. We love to pwn and 2014 will see us continuing to write new tools, approach old problems with a new way of thinking and just being, well, us.


In November, after months of negotiations, came the news that we were to be acquired by SecureData Europe. This new chapter for us will usher in a new era of growth and development for us at SensePost and we are truly excited to be part of the SecureData Europe family.


Overall it was a fantastic year, especially for us, the new EXCO. I am extremely proud to stand alongside some incredibly talented people and call them colleagues and look forward to 2014 and what it brings.


From everyone at SensePost, we wish you a Merry Christmas and best wishes for the New Year.

Thu, 12 Dec 2013

Never mind the spies: the security gaps inside your phone

For the last year, Glenn and I have been obsessed with our phones; especially with regard to the data being leaked by a device that is always with you, powered on and often provided with a fast Internet connection. From this obsession, the Snoopy framework was born and released.


After 44con this year, Channel 4 contacted us to be part of a new experimental show named 'Data Baby', whose main goal is to grab ideas from the security community, and transform them into an easy-to-understand concept screened to the public during the 7 o'clock news.


Their request was simple: Show us the real threat!


To fulfil their request, we setup Snoopy to intercept, profile and access data from a group of "victim" students at a location in Central London. While this is something we've done extensively over the past twelve months, we've never had to do it with a television crew and cameras watching your every move!


The venue, Evans and Peel Detective Agency, added to the sinister vibe with their offices literally located underground. We were set up in a secret room behind a book case like friggin spies and got the drones ready for action. As the students arrived, we had a single hour to harvest as much information as we could. Using Snoopy, Maltego and a whole lot of frantic clicks and typing (hacking under stress is not easy), we were filmed gaining access to their inbox's and other personal information.


In the end, Snoopy and Maltego delivered the goods and Glenn added a little charm for the ladies.



After the segment was aired, we participated in a live Twitter Q&A session with viewers (so, so many viewers, we had to tag in others to help reply to all the tweets) and gave advice on how they could prevent themselves from being the next victim. Our advice to them, and indeed anyone else concerned is:


How to avoid falling foul of mobile phone snooping
- Be discerning about when you switch Wi-Fi on
- Check which Wi-Fi network you're connecting to; if you're connecting to Starbucks when you're nowhere near a branch, something's wrong
- Download the latest updates for your phone's operating system, and keep the apps updated too
- Check your application providers (like e-mail) security settings to make sure all your email traffic is "encrypted", not just the login process
- Tell your phone to forget networks once you're done with them, and be careful about joining "open" aka "unencrypted" networks

Fri, 22 Nov 2013

Mobile Hacking on the West Coast

December sees SensePost presenting Hacking by Numbers: Mobile at BlackHat West Coast Trainings. This course was first presented at BlackHat Vegas 2013 and 44Con 2013, growing in popularity and content with each iteration. For more information continue reading below or visit https://blackhat.com/wc-13/training/Hacking-by-Numbers-Mobile.html.


The mobile environment has seen immense growth and has subsequently seen organisations racing to be the first to market with the next best app. The rapid increase in mobile popularity and the speed at which developers are forced to produce new applications has resulted in an ecosystem full of security vulnerabilities. As more organisations are moving from web applications to mobile applications, penetration testers are required to adapt their testing methodology to keep pace with the changing platforms. Mobile applications developers have been lulled into a false sense of security due to the belief that "the platform will take care of the security". The Hacking by Numbers: Mobile course aims to help both penetration testers and mobile applications developers to find and understand common security vulnerabilities on a wide range of mobile platforms. The course teaches a mobile application security testing methodology that can easily be applied to mobile applications on Android, iOS, Blackberry and Windows Mobile.


Rather than focus on a specific mobile platform or a set of testing tools, the Hacking by Numbers Mobile course covers the following:


  • Android, iOS, RIM and Windows 8 Platform security

  • Communication protocols

  • Programming languages for mobile development

  • Building your own mobile penetration testing lab

  • Mobile application analysis

  • Static Analysis

  • Authentication and authorization

  • Data validation

  • Session management

  • Transport layer security and information disclosure


The structure of the course makes it ideal for testers and developers new to the mobile application security space, starting with the basic concepts of mobile security testing all the way through to decompilation, analysis and modification of mobile applications. As with all Hacking by Numbers courses, the mobile edition focuses on hands-on experience, with numerous lab exercises designed to provide students with practical experience to match the theory.Previous iterations of the course has seen real world applications being downloaded from the app store and common security vulnerabilities being identified.


Lab exercises include:


  • Finding and retrieving sensitive files.

  • Interception and Analysis of network traffic.

  • Runtime analysis of Application memory state.

  • Decompilation and static analysis of applications.

  • Runtime modification of application functions.
    And many more...


Training will be held from 11-12 December and more information can be found at https://blackhat.com/wc-13/training/Hacking-by-Numbers-Mobile.html.


Looking forward to seeing you all in Seattle!