diff --git a/docs/assets/hydrabus_pin_assignment.jpg b/docs/assets/hydrabus_pin_assignment.jpg new file mode 100644 index 00000000..81478f71 Binary files /dev/null and b/docs/assets/hydrabus_pin_assignment.jpg differ diff --git a/docs/assets/image_bus_pirate.png b/docs/assets/image_bus_pirate.png new file mode 100644 index 00000000..66696c64 Binary files /dev/null and b/docs/assets/image_bus_pirate.png differ diff --git a/docs/gadgets/bus-pirate.md b/docs/gadgets/bus-pirate.md index 22c973f9..60cce632 100644 --- a/docs/gadgets/bus-pirate.md +++ b/docs/gadgets/bus-pirate.md @@ -1,15 +1,20 @@ # Bus Pirate -![MOSI-MISO](https://iotmyway.files.wordpress.com/2018/05/mode-guide.png) +![BusPirate](../assets/image_bus_pirate.png) -## Update Bus Pirate +## Firmwares -```powershell -git clone https://github.com/BusPirate/Bus_Pirate.git -cd Bus_Pirate/package/BPv4-firmware/pirate-loader-v4-source/pirate-loader_lnx -sudo ./pirate-loader_lnx --dev=/dev/ttyACM0 --hex=../BPv4-firmware-v6.3-r2151.hex -``` +* [BusPirate/Bus_Pirate](https://github.com/BusPirate/Bus_Pirate) + ```powershell + cd Bus_Pirate/package/BPv4-firmware/pirate-loader-v4-source/pirate-loader_lnx + sudo ./pirate-loader_lnx --dev=/dev/ttyACM0 --hex=../BPv4-firmware-v6.3-r2151.hex + ``` + + +## Examples + +Dump firmware over SPI using a Bus Pirate ```powershell # Identify EEPROM chip @@ -22,4 +27,6 @@ sudo flashrom -p Buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c (Chip name) -r ( ## References -* [Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 juin 2018](https://youtu.be/lP8vMvBu3Bg) \ No newline at end of file +* [Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 juin 2018](https://youtu.be/lP8vMvBu3Bg) +* [Bus Pirate 5 REV 10 Hardware](https://hardware.buspirate.com/) +* [Ph0wn, my first IoT CTF - Part 2 - Sebastien Andrivet - 19 December 2018](https://sebastien.andrivet.com/fr/posts/ph0wn-my-first-iot-ctf-part-2/) \ No newline at end of file 
diff --git a/docs/gadgets/flipper-zero.md b/docs/gadgets/flipper-zero.md index 8f1a6f47..1d72b425 100644 --- a/docs/gadgets/flipper-zero.md +++ b/docs/gadgets/flipper-zero.md @@ -2,7 +2,7 @@ ![FlipperZero](../assets/image_flipper_cover.png) -## **Firmwares** +## Firmwares * [Flipper Zero Firmware](https://github.com/flipperdevices/flipperzero-firmware) * [Flipper Zero Unleashed Firmware](https://github.com/Eng1n33r/flipperzero-firmware) @@ -32,9 +32,15 @@ * [Flipper Zero: Want some good news? - Penthertz](https://www.youtube.com/watch?v=tB0eYatvu0k) * [Flipper Zero: is this for you? Follow our 1st tests! - Penthertz](https://www.youtube.com/watch?v=W5YYObSBUno) + ## Tutorials and Resources * [Flipper Zero Hacking 101 - pingywon](https://flipper.pingywon.com/flipper/) * [Flipper Zero Playground - UberGuidoZ](https://github.com/UberGuidoZ/Flipper) * [Flashing Flipper Zero with RogueMaster CFW](https://interestingsoup.com/n00b-guide-flashing-flipper-zero-to-rougemaster/) -* [Unleashed Firmware - Update firmware](https://github.com/DarkFlippers/unleashed-firmware/blob/dev/documentation/HowToInstall.md) \ No newline at end of file +* [Unleashed Firmware - Update firmware](https://github.com/DarkFlippers/unleashed-firmware/blob/dev/documentation/HowToInstall.md) + + +## References + +* [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c) \ No newline at end of file diff --git a/docs/gadgets/hydrabus.md b/docs/gadgets/hydrabus.md index aa8b961c..916df6d4 100644 --- a/docs/gadgets/hydrabus.md +++ b/docs/gadgets/hydrabus.md @@ -1,6 +1,6 @@ # HydraBus -![HydraBUS - Pin Assignment](https://hydrabus.com/wp-content/uploads/2024/01/HydraBus_1_0_HydraFW_Default_PinAssignment_A4-1024x724.jpg) +![HydraBUS - Pin Assignment](../assets/hydrabus_pin_assignment.jpg) ## Features 
@@ -16,11 +16,17 @@ External interactions: - UART - I2C - CAN/LIN Bus +- SUMP +- JTAG - SPI Bus - SD/SDIO - USB Bus - ADC / DAC (Analog / Digital) - GPIO +- NFC +- Wiegand +- NAND flash +- 1-wire,2-wire,3-wire ## Firmware 
@@ -29,16 +35,50 @@ External interactions: * [hydrabus/hydrafw_hydranfc_shield_v2](https://github.com/hydrabus/hydrafw_hydranfc_shield_v2) - HydraFW dedicated to HydraBus v1 / HydraNFC Shield v2 * [bvernoux/blackmagic](https://github.com/bvernoux/blackmagic) - In application debugger for ARM Cortex microcontrollers -Commands examples: -```ps1 -show system/memory/threads -``` +## Commands + +* Basic info: `show system` + ```ps1> show system + HydraFW (HydraBus) v0.11-1-g4d74500 2023-05-09 + sysTime: 0x000d82dd. + cyclecounter: 0x76ac02b9 cycles. + cyclecounter64: 0x0000000076ac02cb cycles. + 10ms delay: 1680035 cycles. + ``` + +* Determine the port name: `ls -l /dev/tty*` +* Interact witht the HydraBus: `screen /dev/ttyACM0` +* Switch to SPI mode: `spi` +* Determine the pin for SPI: `show pins` + + +## Syntax + +| Value | Description | +|-------|-------------| +| [ | Chip select (CS) active (low) | +| ] | CS disable (high) | +| r | Read one byte by sending dummy byte (0xff). r:1...255 for bulk reads | +| hd | Read one byte by sending dummy byte (0xff). hd:1...4294967295 for bulk reads. Displays a hexdump of the result | +| w | Followed by values to write byte(s). w:1...255 for bulk writes | +| 0b | Write this binary value. Format is 0b00000000 for a byte, but partial bytes are also fine: 0b1001 | +| 0 | Write this Octal value. Format is prefixed by a 0 (values from 000 to 077) | +| " | Write an ASCII-encoded string | +| 0h/0x | Write this HEX value. Format is 0h01 or 0x01. Partial bytes are fine: 0xA. A-F can be lower-case or capital letters | +| 0-255 | Write this decimal value. 
Any number not preceded by 0x, 0h, or 0b is interpreted as a decimal value | + +Examples: + +* Read Identification (0x9F): `[ 0x9F r:3 ]` +* Read Data (0x03) at the address (0x00:3) and read 32 bytes (hd:32) `[ 0x03 0x00:3 hd:32 ]` ## References +* [HydraBus/HydraFW wiki - Benjamin Vernoux - Jan 21, 2021](https://github.com/hydrabus/hydrafw/wiki/) * [HydraBus v1.0 Specifications - HydraBus](https://hydrabus.com/hydrabus-1-0-specifications) * [HydraBus Assembly Video - Lab401 - 30 may 2017](https://youtu.be/9lFEPG8EG6w) * [BlackAlps17: Hydrabus: Lowering the entry fee to the IoT bugfest - Benjamin Vernoux - 2 dec. 2017](https://www.youtube.com/watch?v=theYbzPhYH8) -* [HydraBus - An Open Source Platform - RMLL Sec 2017](https://archives.pass-the-salt.org/RMLL%20Security%20Tracks/2017/slides/RMLL-Sec-2017-hydrabus.pdf) \ No newline at end of file +* [HydraBus - An Open Source Platform - RMLL Sec 2017](https://archives.pass-the-salt.org/RMLL%20Security%20Tracks/2017/slides/RMLL-Sec-2017-hydrabus.pdf) +* [Ph0wn, my first IoT CTF - Part 3 - Sebastien Andrivet - Dec. 19, 2018](https://sebastien.andrivet.com/en/posts/ph0wn-my-first-iot-ctf-part-3/) \ No newline at end of file diff --git a/docs/gadgets/m5stack.md b/docs/gadgets/m5stack.md new file mode 100644 index 00000000..7e5305f9 --- /dev/null +++ b/docs/gadgets/m5stack.md 
@@ -0,0 +1,44 @@ +# Evil M5Core2 + +> Evil-M5Core2 is an easy Evil portal and rogue app deployement software designed to work on M5Stack Core2. + +![Evil-M5Core2](https://raw.githubusercontent.com/7h30th3r0n3/Evil-M5Core2/main/Github-Img/menu-1.jpg) + + +## Features + +* **WiFi Network Scanning**: Identify and display nearby WiFi networks. +* **Network Cloning**: Check information and replicate networks for in-depth analysis. +* **Captive Portal Management**: Create and operate a captive portal to prompt users with a page upon connection. +* **Credential Handling**: Capture and manage portal credentials. +* **Remote Web Server**: Monitor the device remotely via a simple web interface that can provide credentials and upload portal that store file on SD card. +* **Sniffing probes**: Sniff and store on SD near probes. +* **Karma Attack**: Try a simple Karma Attack on a captured probe. +* **Automated Karma Attack**: Try Karma Attack on near probe automatically + + +## Firmwares + +* Firmware: [7h30th3r0n3/Evil-M5Core2](https://github.com/7h30th3r0n3/Evil-M5Core2) + +**Requirements**: + +* `M5Stack` boards manager +* `M5Unified` library + + +**Install**: + +* Connect your `M5Core2` to your computer. +* Open the `Arduino IDE` and load the provided code. +* Ensure `M5unified` and `adafruit_neopixel` libraries are installed. +* Ensure `esp32` and `M5stack` board are installed. (Error occur with esp32 `3.0.0-alpha3`, please use esp32 `v2.0.14` and below) +* Place SD file content needed on the SD card. (IMG startup and sites folder) +* Upload the script to your `M5Core2` device. +* Restart the device if needed. + + +## References + +* [Evil-M5Core2 v1.1.3 - Serial Command - Github Project](https://github.com/7h30th3r0n3/Evil-M5Core2) +* [Evil Portal Meets Marauder on M5Stack!! Evil-M5Core2 Is the Best of Both Worlds! - Talking Sasquach - 7 jan 2024](https://youtu.be/jcVm4cysmnE) \ No newline at end of file 
diff --git a/docs/other/links-and-hardware-kits.md b/docs/other/links-and-hardware-kits.md index 23bbd634..2c544618 100644 --- a/docs/other/links-and-hardware-kits.md +++ b/docs/other/links-and-hardware-kits.md @@ -34,8 +34,9 @@ ## Twitch & Streaming -* [Twitch/virtualabs](https://www.twitch.tv/virtualabs) -* [VirtuVOD - VOD of twitch.tv/virtualabs](https://www.youtube.com/@VirtuVOD) +* [Twitch - virtualabs](https://www.twitch.tv/virtualabs) +* [Youtube - VirtuVOD - VOD of twitch.tv/virtualabs](https://www.youtube.com/@VirtuVOD) +* [Youtube - WHID We Hack In Disguise](https://www.youtube.com/@whid_ninja) ## Books diff --git a/docs/protocols/bluetooth.md b/docs/protocols/bluetooth.md index 4a75d79d..d5431951 100644 --- a/docs/protocols/bluetooth.md +++ b/docs/protocols/bluetooth.md @@ -1,10 +1,8 @@ # Bluetooth -### Challenge +## Bluetooth configuration -* BLE HackMe (https://www.microsoft.com/store/apps/9N7PNVS9J1B7) - works with nRF Connect (Android), [Introduction\_to\_BLE\_security](http://smartlockpicking.com/slides/HITB\_Cyberweek\_2020\_A\_Practical\_Introduction\_to\_BLE\_security.pdf) / https://github.com/smartlockpicking/BLE\_HackMe - -### Bluetooth configuration for Kali Linux +Configuration for Kali Linux ```powershell $ sudo apt-get install bluetooth blueman bluez @@ -13,10 +11,10 @@ $ sudo hciconfig hci0 up $ sudo hcitool lescan 00:1A:7D:DA:71:06 Ph0wn Beacon -25:55:84:20:73:70 (unknown +25:55:84:20:73:70 (unknown) ``` -Apt doesn't have a recent version of bluez, recompile it with the following lines. +`apt` doesn't have a recent version of bluez, recompile it with the following lines. ```powershell wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz 
@@ -28,42 +26,31 @@ make -j8 && sudo make install sudo cp attrib/gatttool /usr/local/bin/ ``` -### Enumerate services and characteristics +## BLE - Enumerate services and characteristics > BLE is based on specification called General Attribute profile (GATT), that defines how communication/data transfer between client and server. -```powershell -sudo apt-get install git build-essential libglib2.0-dev python-setuptools -git clone https://github.com/IanHarvey/bluepy.git -cd bluepy -python setup.py build -sudo python setup.py install -git clone git clone https://github.com/hackgnar/bleah -cd bleah -python setup.py build -sudo python setup.py install - -sudo bleah -b $MAC -e -``` - -Using bettercap - -```powershell -sudo bettercap -eval "net.recon off; events.stream off; ble.recon on" -ble.show -ble.enum 04:52:de:ad:be:ef -``` +* Using [bettercap/bettercap](https://github.com/bettercap/bettercap) + ```powershell + sudo bettercap -eval "net.recon off; events.stream off; ble.recon on" + ble.show + ble.enum 04:52:de:ad:be:ef + ``` -Using expliot +* Using [expliot_framework/expliot](https://expliot.readthedocs.io/en/latest/index.html) + ```powershell + # List of Services + run ble.generic.scan -a -s + # List of characteristics + run ble.generic.scan -a -c + ``` -```powershell -# List of Services -run ble.generic.scan -a -s -# List of characteristics -run ble.generic.scan -a -c -``` +* Using [hackgnar/bleah](https://github.com/hackgnar/bleah) + ```powershell + sudo bleah -b $MAC -e + ``` -Using gatttool, we can enumerate the services and their characteristics, use `sudo gatttool -b $MAC -I` to have an interactive gatttool shell: +Using [bluez/gatttool](https://manpages.debian.org/unstable/bluez/gatttool.1.en.html), we can enumerate the services and their characteristics, use `sudo gatttool -b $MAC -I` to have an interactive gatttool shell: * Services: They are set of provided features and associated behaviors to interact with the peripheral. 
Each service contains a collection of characteristics. * Characteristics: Characteristics are defined attribute types that contain a single logical value @@ -83,7 +70,8 @@ handle = 0x0002, char properties = 0x20, char value handle = 0x0003, uuid = 0000 handle = 0x0015, char properties = 0x02, char value handle = 0x0016, uuid = 00002a00-0000-1000-8000-00805f9b34fb ``` -### Read BLE data + +## BLE - Read data Read data with gatttool 
@@ -103,47 +91,50 @@ Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 $ gatttool -b $MAC --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n' ``` -### Read BLE notification/indication +## BLE - Read notification/indication ```powershell $ gatttool -b $MAC -a 0x0040 --char-write-req --value=0100 --listen $ gatttool -b $MAC -a 0x0044 --char-write-req --value=0200 --listen ``` -### Write BLE data -Write data with bettercap +## BLE - Write data -```powershell -ble.recon on -ble.write 04:52:de:ad:be:ef 234bfbd5e3b34536a3fe723620d4b78d ffffffffffffffff -``` +* Using [bettercap/bettercap](https://github.com/bettercap/bettercap) + ```powershell + ble.recon on + ble.write 04:52:de:ad:be:ef 234bfbd5e3b34536a3fe723620d4b78d ffffffffffffffff + ``` -Write data with gatttool +* Using [bluez/gatttool](#) + ```powershell + $ gatttool -b $MAC --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps) -```powershell -$ gatttool -b $MAC --char-write-req -a 0x002c -n $(echo -n "12345678901234567890"|xxd -ps) + # With char-write, we perform a Write Command and don't expect a response from the server + # With char-write-req, we perform a Write Request and expect a response from the server + $ gatttool -b $MAC -a 0x0050 --char-write-req --value=$(echo -n 'hello' | xxd -p) -# With char-write, we perform a Write Command and don't expect a response from the server -# With char-write-req, we perform a Write Request and expect a response from the server -$ gatttool -b $MAC -a 0x0050 --char-write-req --value=$(echo -n 'hello' | xxd -p) + # inside gatttool shell + [00:1A:7D:DA:71:06][LE]> char-write-req 0x000c 476f6f64205061646177616e21212121 + [00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c + Characteristic value/descriptor: 43 6f 6e [...] 
2e + ``` -# inside gatttool shell -[00:1A:7D:DA:71:06][LE]> char-write-req 0x000c 476f6f64205061646177616e21212121 -[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c -Characteristic value/descriptor: 43 6f 6e [...] 2e -``` -### Change Bluetooth MAC +## Bluetooth MAC + +Change the Bluetooth MAC address ```powershell $ bdaddr -r 11:22:33:44:55:66 $ gatttool -I -b E8:77:6D:8B:09:96 -t random ``` -### Sniff Bluetooth communication -#### Using Ubertooth +## Sniff Bluetooth communication + +### Using Ubertooth :warning: You need 3 ubertooth. 
@@ -153,16 +144,28 @@ ubertooth-btle -U 1 -A 38 -f -c bulb_38.pcap ubertooth-btle -U 2 -A 39 -f -c bulb_39.pcap ``` -#### Using Micro::Bit +### Using Micro::Bit + +* [WEAPONIZING THE BBC MICRO:BIT - DAMIEN CAUQUIL / VIRTUALABS - DEF CON 25 - JULY 28, 2017](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Damien-Cauquil-Weaponizing-the-BBC-MicroBit.pdf) -* https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Damien-Cauquil-Weaponizing-the-BBC-MicroBit.pdf -#### Using Android HCI +### Using Android HCI Enable the Bluetooth HCI log on the device via Developer Options—also from the SDK, there is a helpful tool called the **Bluetooth HCI snoop log** (available after version 4.4) -> It works like a hook in the stack to capture all the HCI packets in a file. For most Android devices, the log file is at /sdcard/btsnoop\_hci.log or /sdcard/oem\_log/btsnoop/ +> It works like a hook in the stack to capture all the HCI packets in a file. For most Android devices, the log file is at `/sdcard/btsnoop_hci.log` or `/sdcard/oem_log/btsnoop/` ```powershell $ adb pull /sdcard/oem_log/btsnoop/.log ``` + + +## Challenges + +* [BLE HackMe](https://www.microsoft.com/store/apps/9N7PNVS9J1B7) - works with nRF Connect (Android), + + +## References + +* [A Practical Introduction to Bluetooth Low Energy security without any special hardware - Slawomir Jasek - 19 November 2020](https://www.smartlockpicking.com/slides/HITB_Cyberweek_2020_A_Practical_Introduction_To_BLE_Security.pdf) +* [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini & Luca Bongiorni](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero) \ No newline at end of file diff --git a/docs/protocols/zigbee.md b/docs/protocols/zigbee.md index 4eb06233..2f47dffd 100644 --- a/docs/protocols/zigbee.md +++ b/docs/protocols/zigbee.md 
@@ -8,7 +8,7 @@ * [riverloopsec/killerbee](https://github.com/riverloopsec/killerbee) - IEEE 802.15.4/ZigBee Security Research Toolkit -## ZigBee Default Trust Center Link Key +## Default Trust Center Link Key Zigbee includes several layers of security, including AES-128 encryption, to ensure that data is transmitted securely across the network. @@ -22,6 +22,7 @@ You can use it in Wireshark: Edit > Preferences > Protocols > Zigbee NWK, then " Example: [CVE-2020-28952 - Athom Homey Static and Well-known Keys](https://yougottahackthat.com/blog/1260/athom-homey-security-static-and-well-known-keys-cve-2020-28952) + ## References * [AN1233: Zigbee Security - Silabs](https://www.silabs.com/documents/public/application-notes/an1233-zigbee-security.pdf)
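Review bot: the rewritten Firmwares block in docs/gadgets/bus-pirate.md (`@@ -1,15 +1,20 @@`) drops the `git clone https://github.com/BusPirate/Bus_Pirate.git` step that used to precede `cd Bus_Pirate/package/BPv4-firmware/pirate-loader-v4-source/pirate-loader_lnx`, so the two commands no longer work on a fresh machine; either keep the clone line inside the fence or state in the bullet that the linked repository has to be cloned first. The fence is tagged `powershell` although the commands are Linux shell (`sudo ./pirate-loader_lnx`); `bash` is the right tag. The loader targets `/dev/ttyACM0` while the flashrom example in the same file uses `Buspirate_spi:dev=/dev/ttyUSB0`; a one-line remark that a v3 board (FTDI serial) enumerates as `ttyUSB*` and a v4 (native USB CDC) as `ttyACM*` would stop readers reading this as a typo.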
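Review bot: the new reference entries in docs/gadgets/bus-pirate.md (`@@ -22,4 +27,6 @@`) mix languages and editions: "4 juin 2018" is French next to "19 December 2018", and the Ph0wn entry links the French `/fr/posts/` page while docs/gadgets/hydrabus.md links the English `/en/posts/` page of the same series. The "Bus Pirate 5 REV 10 Hardware" link also sits on a page whose firmware instructions are for the v4 board (`BPv4-firmware-v6.3-r2151.hex`); a short qualifier such as "(Bus Pirate 5, different hardware and firmware)" would keep readers from pointing the v4 loader at a v5.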
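Review bot: the new "References" section in docs/gadgets/flipper-zero.md (`@@ -32,9 +32,15 @@`) duplicates the role of the "Tutorials and Resources" list directly above it (both are link lists); either fold the Infosec Writeups guide into that list or say what distinguishes the two sections. The date "17/01/2024" is a numeric day/month format that no other entry in this change uses ("19 December 2018", "Dec. 19, 2018", "7 jan 2024" elsewhere in the same change); pick one format for the whole docs tree.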
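Review bot: in the Features list of docs/gadgets/hydrabus.md (`@@ -16,11 +16,17 @@`), "SUMP" is the logic-analyzer protocol HydraFW speaks towards host software, not an external bus, and "NFC" needs the HydraNFC shield that the Firmware section lists separately (`hydrafw_hydranfc_shield_v2`); both entries would be clearer as "SUMP (logic analyzer)" and "NFC (with HydraNFC shield)". The line "1-wire,2-wire,3-wire" is missing spaces after the commas.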
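Review bot: the first fence under "Commands" in docs/gadgets/hydrabus.md (`@@ -29,16 +35,50 @@`) opens with the info string `ps1> show system`, so the prompt line is swallowed into the fence marker and the rendered block starts at `HydraFW (HydraBus) v0.11-1-g4d74500 2023-05-09`; put `> show system` on its own line after a plain `ps1` fence. The Syntax table contradicts itself: the `0` row says a leading 0 selects octal, while the `0-255` row says "Any number not preceded by 0x, 0h, or 0b is interpreted as a decimal value"; add "or a leading 0" to the decimal row. Smaller points: "Interact witht the HydraBus" has a typo; the second example reads better as "Read Data (0x03) from address 0x000000 (`0x00:3` writes the three address bytes) and read 32 bytes (`hd:32`):" with a colon before the command; and the reference dates "Jan 21, 2021" and "Dec. 19, 2018" differ from the "19 December 2018" style used in docs/gadgets/bus-pirate.md in the same change.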
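Review bot: the Install list in docs/gadgets/m5stack.md (`@@ -0,0 +1,44 @@`) disagrees with the Requirements list right above it: Requirements names only the `M5Stack` boards manager and `M5Unified`, while Install also needs `adafruit_neopixel` and the `esp32` core, so merge the two into one list with the esp32 version constraint. Names are spelled inconsistently (`M5Unified`/`M5unified`, `M5Stack`/`M5stack`); use the canonical spelling once. Wording fixes: "deployement" to "deployment", "Error occur" to "Errors occur", "Sniff and store on SD near probes" to "Sniff nearby probe requests and store them on the SD card", "Try Karma Attack on near probe automatically" to "Try a Karma attack on nearby probes automatically". The cover image hotlinks `raw.githubusercontent.com` while this same change moves the Bus Pirate and HydraBus images into `docs/assets/`; copy this one too so the page does not break when the upstream path changes. The file is named `m5stack.md` but the title is "Evil M5Core2", and the first reference ("Evil-M5Core2 v1.1.3 - Serial Command - Github Project") is the same repository already linked under Firmwares; either title the page after the board and describe Evil-M5Core2 as its firmware, or drop the duplicate reference.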
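Review bot: "Youtube" in the two relabelled entries of docs/other/links-and-hardware-kits.md (`@@ -34,8 +34,9 @@`) should be "YouTube", and the new WHID entry carries no description of what the channel covers, unlike the "VOD of twitch.tv/virtualabs" line beside it; one short clause (hardware implants, BLE, as the channel's own title suggests) would keep the list uniform.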
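Review bot: the "Bluetooth configuration" section of docs/protocols/bluetooth.md (`@@ -1,10 +1,8 @@`) now opens with the bare line "Configuration for Kali Linux", which was a heading before the change; either keep it as a `###` sub-heading under the new `##` scheme or make it a sentence ("The following installs the tooling on Kali Linux:"). The removed Challenge bullet also carried the `https://github.com/smartlockpicking/BLE_HackMe` repository link, and the new "Challenges" section at the end of the file does not bring it back.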
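Review bot: the sentence "`apt` doesn't have a recent version of bluez" in docs/protocols/bluetooth.md (`@@ -13,10 +11,10 @@`) does not match the block that follows: it fetches `bluez-5.18.tar.xz`, which is older than any current distribution package, and the build ends by copying `attrib/gatttool` into `/usr/local/bin/`, so the actual reason is that `gatttool` is a deprecated tool that packaged bluez builds may no longer ship. Suggest "Distribution packages of bluez may omit the deprecated `gatttool`; build it from source as follows", and if the version is bumped, note that newer trees need `--enable-deprecated` at configure time for gatttool to be built.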
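Review bot: the bleah bullet in docs/protocols/bluetooth.md (`@@ -28,42 +26,31 @@`) keeps `sudo bleah -b $MAC -e` but drops the bluepy and bleah build steps the old block had, and nothing now says that bleah is built on bluepy; add one line on installing it (or point at the repository's install section) so the command is reproducible. In the expliot bullet, `-a` is the target-address option and is given no value in `run ble.generic.scan -a -s` and `run ble.generic.scan -a -c`; pass the address there (the bettercap bullet uses `04:52:de:ad:be:ef`, the gatttool text uses `$MAC`; pick one and use it in all three).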
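Review bot: the link "Using [bluez/gatttool](#)" in the "BLE - Write data" section of docs/protocols/bluetooth.md (`@@ -103,47 +91,50 @@`) is a placeholder that jumps to the top of the page; reuse the manpages URL the enumerate section already gives for gatttool. In the new "Bluetooth MAC" section, "Change the Bluetooth MAC address" describes only the `bdaddr -r 11:22:33:44:55:66` line; the second command, `gatttool -I -b E8:77:6D:8B:09:96 -t random`, selects the remote peer's address type (`-t` is the peer address type, public or random), not a local address change, so give it its own one-line explanation or move it next to the other gatttool connection examples.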
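Review bot: in the last hunk of docs/protocols/bluetooth.md (`@@ -153,16 +144,28 @@`) the Challenges bullet ends in a dangling comma ("works with nRF Connect (Android),") where the slide and repository links used to follow; finish the sentence and restore the `https://github.com/smartlockpicking/BLE_HackMe` link. The moved slide deck is now cited as `www.smartlockpicking.com/slides/HITB_Cyberweek_2020_A_Practical_Introduction_To_BLE_Security.pdf`, which differs in capitalisation from the original `HITB_Cyberweek_2020_A_Practical_Introduction_to_BLE_security.pdf`; URL paths are case-sensitive on most servers, so check that the new form resolves before merging. The unchanged `adb pull /sdcard/oem_log/btsnoop/.log` line below the quote you edited still has a truncated filename (`.log`); while touching that paragraph, either give the real name or say "the `.log` file in that directory".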