Grey bar Blue bar
Share this:

Sat, 1 Jun 2013

Honey, I’m home!! - Hacking Z-Wave & other Black Hat news

You've probably never thought of this, but the home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.

Under the hood, the Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security researches. Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical radio band (ISM). It transmits on the 868.42 MHz (Europe) and 908.42MHz (United States) frequencies designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels.

Unlike Zigbee, almost no public security research has been done on the Z-Wave protocol except once during a DefCon 2011 talk when the presenter pointed to the possibility of capturing the AES key exchange ... until now. Our Black Hat USA 2013 talk explores the question of Z-Wave protocol security and show how the Z-Wave protocol can be subjected to attacks.

The talk is being presented by Behrang Fouladi a Principal Security Researcher at SensePost, with some help on the hardware side from our friend Sahand Ghanoun. Behrang is one of our most senior and most respected analysts. He loves poetry, movies with Owen Wilson, snowboarding and long walks on the beach. Wait - no - that's me. Behrang's the guy who lives in London and has a Masters from Royal Holloway. He's also the guy who figured how to clone the SecureID software token.

Amazingly, this is the 11th time we've presented at Black Hat Las Vegas. We try and keep track of our talks and papers at conferences on our research services site, but for your reading convenience, here's a summary of our Black Hat talks over the last decade:

2002: Setiri : Advances in trojan technology (Roelof Temmingh)

Setiri was the first publicized trojan to implement the concept of using a web browser to communicate with its controller and caused a stir when we presented it in 2002. We were also very pleased when it got referenced by in a 2004 book by Ed Skoudis.

2003: Putting the tea back into cyber terrorism (Charl van der Walt, Roelof Temmingh and Haroon Meer)

A paper about targeted, effective, automated attacks that could be used in countrywide cyber terrorism. A worm that targets internal networks was also discussed as an example of such an attack. In some ways, the thinking in this talk eventually lead to the creation of Maltego.

2004: When the tables turn (Charl van der Walt, Roelof Temmingh and Haroon Meer)

This paper presented some of the earliest ideas on offensive strike-back as a network defence methodology, which later found their way into Neil Wyler's 2005 book "Aggressive Network Self-Defence".

2005: Assessment automation (Roelof Temmingh)

Our thinking around pentest automation, and in particular footprinting and link analyses was further expanded upon. Here we also released the first version of our automated footprinting tool - "Bidiblah".

2006: A tail of two proxies (Roelof Temmingh and Haroon Meer)

In this talk we literally did introduce two proxy tools. The first was "Suru', our HTTP MITM proxy and a then-contender to the @stake Web Proxy. Although Suru has long since been bypassed by excellent tools like "Burp Proxy" it introduced a number of exciting new concepts, including trivial fuzzing, token correlation and background directory brute-forcing. Further improvements included timing analysis and indexable directory checks. These were not available in other commercial proxies at the time, hence our need to write our own.

Another pioneering MITM proxy - WebScarab from OWASP - also shifted thinking at the time. It was originally written by Rogan Dawes, our very own pentest team leader.

The second proxy we introduced operated at the TCP layer, leveraging off the very excellent Scappy packet manipulation program. We never took that any further, however.

2007: It's all about timing (Haroon Meer and Marco Slaviero)

This was one of my favourite SensePost talks. It kicked off a series of research projects concentrating on timing-based inference attacks against all kinds of technologies and introduced a weaponized timing-based data exfiltration attack in the form of our Squeeza SQL Injection exploitation tool (you probably have to be South African to get the joke). This was also the first talk in which we Invented Our Own Acronym.

2008: Pushing a camel through the eye of a needle (Haroon Meer, Marco Slaviero & Glenn Wilkinson)

In this talk we expanded on our ideas of using timing as a vector for data extraction in so-called 'hostile' environments. We also introduced our 'reDuh' TCP-over-HTTP tunnelling tool. reDuh is a tool that can be used to create a TCP circuit through validly formed HTTP requests. Essentially this means that if we can upload a JSP/PHP/ASP page onto a compromised server, we can connect to hosts behind that server trivially. We also demonstrated how reDuh could be implemented under OLE right inside a compromised SQL 2005 server, even without 'sa' privileges.

2009: Clobbering the cloud (Haroon Meer, Marco Slaviero and Nicholas Arvanitis)

Yup, we did cloud before cloud was cool. This was a presentation about security in the cloud. Cloud security issues such as privacy, monoculture and vendor lock-in are discussed. The cloud offerings from Amazon, Salesforce and Apple as well as their security were examined. We got an email from Steve "Woz" Wozniak, we quoted Dan Geer and we had a photo of Dino Daizovi. We built an HTTP brute-forcer on and (best of all) we hacked Apple using an iPhone.

2010: Cache on delivery (Marco Slaviero)

This was a presentation about mining information from memcached. We introduced go-derper.rb, a tool we developed for hacking memcached servers and gave a few examples, including a sexy hack of It seemed like people weren't getting our point at first, but later the penny dropped and we've to-date had almost 50,000 hits on the presentation on Slideshare.

2011: Sour pickles (Marco Slaviero)

Python's Pickle module provides a known capability for running arbitrary Python functions and, by extension, permitting remote code execution; however there is no public Pickle exploitation guide and published exploits are simple examples only. In this paper we described the Pickle environment, outline hurdles facing a shellcoder and provide guidelines for writing Pickle shellcode. A brief survey of public Python code was undertaken to establish the prevalence of the vulnerability, and a shellcode generator and Pickle mangler were written. Output from the paper included helpful guidelines and templates for shellcode writing, tools for Pickle hacking and a shellcode library.We also wrote a very fancy paper about it all...

We never presented at Black Hat USA in 2012, although we did do some very cool work in that year.

For this year's show we'll back on the podium with Behrang's talk, as well an entire suite of excellent training courses. To meet the likes of Behrang and the rest of our team please consider one of our courses. We need all the support we can get and we're pretty convinced you won't be disappointed.

See you in Vegas!

Mon, 3 Jan 2011

Happy New Year gift: source code!

If you use the Gregorian Calendar, then Happy New Year! Down here in South Africa, we've also ushered in a new year and in celebration SensePost is releasing source code for our in-house web proxy, Suru, under a BSD-style license.

When released in 2006, Suru introduced a number of unique features to the world of inline proxies including trivial fuzzing, token correlation and background directory brute-forcing. Further improvements include timing analysis and indexable directory checks. These were not available in other commercial proxies at the time, hence our need to write our own. Since then, most of these features have been incorporated into more full-featured commercial proxies, negating the need for Suru.

Internally, Suru use has dwindled and at this point the code is in maintenance-only mode. As such, it's being released to the world along with the rider that the software is end-of-life and unsupported.

Source code is available off the Suru webpage. Code will compile cleanly on VS 2005 though you'll need to add your own certificate in order to get SSL intercepts working.

Have a great year.

Mon, 18 Feb 2008

WebScarab-NG HTTP Mangler Functionality

H said that there is a tool that will do the HTTP Mangler functionality out of the box.

So here goes. WebScarab-NG is the tool that will do the trick. First we select the feature that will allow us to setup the proxy listener as seen in the image below.


Then we need to configure the proxy listener to the ports etc we need as seen below.


And pretty instantly we have the HTTP Mangler functionality. Apparently this is going to become a feature of SURU as well!

Fri, 1 Feb 2008

HTTP Mangling, Redirection etc.

So - here's the scenario.

Lohan is busy testing an application which uses remote web-services on a server called (example), but the program bypasses all proxy servers etc, making it impossible to trap and mangle requests.

So, we do the following:

1 - We make a note of the IP address of (in this case, we'll assume it is 196.310.150.126 )

2 - Add a host entry in hosts, mapping to

3 - Fire up a quick C# app written by yours truly which listens on

4 - Fire up a proxy server

5 - Configure the C# app to use proxy server of proxy
Now, the C# app does the following:

1 - Intercepts the HTTP request addressed to

2 - Mangles the HTTP request to convert it into a proxied request (ie: Request "GET / HTTP/1.0" now becomes "GET HTTP/1.0")

3 - Writes the request to the proxy server

4 - Writes the response back to the application

So, we're now able to intercept, fuzz, mangle etc all the requests and responses between the application and the web service. Not really rocket science, but rather handy...

The screenshot shows something similar, but using a web browser in place of the application here. I am using paros in this example because I am still doing large chunks of work on Suru...

HTTP Mangling


Tue, 1 Jan 2008

Applescript for HTTP BruteForcing..

A long time ago i blogged on the joys of using VBS to automate bruteforcing [1|2]when one didnt want to mess about duplicating an applications functionality at the protocol level.. Yesterday i had need to brute-force a web application which tried hard to be difficult and annoying..

Normally i would have used crowbar, Suru or a ugly mangled Python script, but the application was strangely difficult..

i.e. the login process is multi staged, with new cookies being handed out at various stages. 302 redirects are used heavily and then to top it off a healthy dose of JavaScript is sent back in replies that also affect your navigation.. Now all of this can be scripted (obviously) but i figured i would try automating Safari with applescript to get the same effect..

Co-opting the browser means i dont have to worry about redirects and javascript and (other stuff i didnt want to be messing with on new years day).. and so..

(click for full-size)

So this script effectively fires up Safari and iterates through my list of usernames. It then uses JavaScript to fill in the parts of the forms i need to fill in (only a few samples left in this example) and clicks submit when needed.. It uses username+123 as a password. Once it jumps through all the hoops it needs to, it screenshots the result and saves it in ~/captures/XXXX.png (where XXXX is the username being tested).

This was quick and dirty, if i had more time i would have chosen to read the results and only screenshot results that didnt match "your credentials are invalid".. ahh.. for another day..

*** a word of warning.. AppleScript is described as "an English-like language used to create script files that control the actions of the computer and the applications that run on it." This english-like-ness makes it extremely obtuse at times..

In a subsequent version of the brute force, i wished to use the username from my list, and the users First Name as his password. Now this is an obvious call for a hash/dictionary/associative array.. The sparse documentation that i was able to find on AppleScript records did not appear to help me a jot (but this could just be poor google skills).

Instead i opted for saving the username and password as a ":" delimited string. I then split the string at runtime and submit as before.. ugly, but effective..

its not perfect, but its neat and a nice tool to keep in your arsenal..