diff --git a/docs/assets/Esp32.png b/docs/assets/esp32-pin20.png similarity index 100% rename from docs/assets/Esp32.png rename to docs/assets/esp32-pin20.png diff --git a/docs/assets/esp32-pinout.png b/docs/assets/esp32-pinout.png new file mode 100644 index 00000000..e9bfeeaf Binary files /dev/null and b/docs/assets/esp32-pinout.png differ diff --git a/docs/assets/flipper-gpio.png b/docs/assets/flipper-gpio.png new file mode 100644 index 00000000..e8aea889 Binary files /dev/null and b/docs/assets/flipper-gpio.png differ diff --git a/docs/gadgets/bus-pirate.md b/docs/gadgets/bus-pirate.md index 60cce632..fd336b07 100644 --- a/docs/gadgets/bus-pirate.md +++ b/docs/gadgets/bus-pirate.md @@ -29,4 +29,5 @@ sudo flashrom -p Buspirate_spi:dev=/dev/ttyUSB0,spispeed=1M -c (Chip name) -r ( * [Bus Pirate Unboxing - Toolkit - Hacker Warehouse - 4 juin 2018](https://youtu.be/lP8vMvBu3Bg) * [Bus Pirate 5 REV 10 Hardware](https://hardware.buspirate.com/) -* [Ph0wn, my first IoT CTF - Part 2 - Sebastien Andrivet - 19 December 2018](https://sebastien.andrivet.com/fr/posts/ph0wn-my-first-iot-ctf-part-2/) \ No newline at end of file +* [Ph0wn, my first IoT CTF - Part 2 - Sebastien Andrivet - 19 December 2018](https://sebastien.andrivet.com/fr/posts/ph0wn-my-first-iot-ctf-part-2/) +* [Hardware Hacking: Plunder With a Bus Pirate - Brian Berg - February 15, 2024](https://trustedsec.com/blog/hardware-hacking-plunder-with-a-bus-pirate) \ No newline at end of file diff --git a/docs/gadgets/esp32.md b/docs/gadgets/esp32.md index a05cd0fe..aa139d9f 100644 --- a/docs/gadgets/esp32.md +++ b/docs/gadgets/esp32.md 
@@ -1,15 +1,30 @@ # ESP32 +![ESP32](../assets/esp32-pinout.png) + + ## Tools * [espressif/esptool](https://github.com/espressif/esptool) - Espressif SoC serial bootloader utility * [jmswrnr/esp32knife](https://github.com/jmswrnr/esp32knife) - Tools for ESP32 firmware dissection - +* [scientifichackers/ampy](https://github.com/scientifichackers/ampy) - Utility to interact with a MicroPython board over a serial connection +* [ESPWebTool](https://esp.huhn.me/) - Flash your ESP32 or ESP8266 through your browser. ## Flashing The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa 32-bit little-endian` in Ghidra. +* Flash a new firmware with `espressif/esptool` + ```ps1 + esptool.py -p /dev/ttyUSB0 -b 460800 --before default_reset --after hard_reset --chip esp32 write_flash --flash_mode dio --flash_size 2MB --flash_freq 40m 0x1000 build/bootloader/bootloader.bin 0x8000 build/partition_table/partition-table.bin 0x10000 build/ble_ctf.bin + esptool.py -p /dev/ttyS5 -b 115200 --after hard_reset write_flash --flash_mode dio --flash_freq 40m --flash_size detect 0x8000 build/partition_table/partition-table.bin 0x1000 build/bootloader/bootloader.bin 0x10000 build/esp32-wifi-penetration-tool.bin + ``` + +* Flash a new firmware with `scientifichackers/ampy` (MicroPython) + ```ps1 + ampy --port /dev/ttyUSB0 put bla.py + ``` + * Dump the flash ```ps1 esptool -p COM7 -b 115200 read_flash 0 0x400000 flash.bin 
@@ -27,7 +42,9 @@ The ESP32 microprocessor uses the Xtensa instruction set, use `Tensilica Xtensa esptool -p COM7 -b 115200 write_flash 0x10000 ./patched.part.3.factory.fixed ``` + ## References * [ESP32-reversing - BlackVS](https://github.com/BlackVS/ESP32-reversing) - +* [ESP32 Wi-Fi Penetration Tool - GitHub - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks](https://github.com/risinek/esp32-wifi-penetration-tool) +* [ESP32 Wi-Fi Penetration Tool - Documentation - Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks](https://risinek.github.io/esp32-wifi-penetration-tool/) \ No newline at end of file diff --git a/docs/gadgets/flipper-zero.md b/docs/gadgets/flipper-zero.md index 1d72b425..47844d43 100644 --- a/docs/gadgets/flipper-zero.md +++ b/docs/gadgets/flipper-zero.md @@ -7,8 +7,8 @@ * [Flipper Zero Firmware](https://github.com/flipperdevices/flipperzero-firmware) * [Flipper Zero Unleashed Firmware](https://github.com/Eng1n33r/flipperzero-firmware) * [Flipper Zero FW RogueMaster](https://github.com/RogueMaster/flipperzero-firmware-wPlugins) +* [Flipper Zero Xtreme-Firmware](https://github.com/Flipper-XFW/Xtreme-Firmware) -* [Awesome FlipperZero](https://github.com/djsime1/awesome-flipperzero) ### Firmware Update - PC @@ -27,6 +27,11 @@ * [RogueMaster/flipperzero-firmware-wPlugins - Web Update](https://lab.flipper.net/?url=https%3A%2F%2Frogue-master.net%2F%3Ffile%3DRM0322-1504-0.79.2-22158b0.tgz&channel=RM0322-1504-0.79.2-22158b0&version=0.79.2) +## GPIO + +![GPIO Flipper](../assets/flipper-gpio.png) + + ## Videos * [Flipper Zero: Want some good news? - Penthertz](https://www.youtube.com/watch?v=tB0eYatvu0k) 
@@ -43,4 +48,5 @@ ## References -* [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c) \ No newline at end of file +* [The Ultimate Guide / CheatSheet to Flipper Zero - Ilias Mavropoulos - 17/01/2024](https://infosecwriteups.com/the-ultimate-guide-cheatsheet-to-flipper-zero-d4c42d79d32c) +* [djsime1/Awesome FlipperZero - šŸ¬ A collection of awesome resources for the Flipper Zero device](https://github.com/djsime1/awesome-flipperzero) diff --git a/docs/protocols/bluetooth.md b/docs/protocols/bluetooth.md index d5431951..aaf78709 100644 --- a/docs/protocols/bluetooth.md +++ b/docs/protocols/bluetooth.md @@ -1,20 +1,34 @@ # Bluetooth +## Tools + +* [bettercap/bettercap](https://github.com/bettercap/bettercap) +* [expliot_framework/expliot](https://expliot.readthedocs.io/en/latest/index.html) +* [hackgnar/bleah](https://github.com/hackgnar/bleah) +* [bluez/gatttool](https://manpages.debian.org/unstable/bluez/gatttool.1.en.html) +* [securing/gattacker](https://github.com/securing/gattacker) + + ## Bluetooth configuration -Configuration for Kali Linux +Requirements and configuration for Kali Linux. ```powershell $ sudo apt-get install bluetooth blueman bluez $ sudo systemctl start bluetooth $ sudo hciconfig hci0 up +``` + +Enumerate Bluetooth devices +```powershell $ sudo hcitool lescan 00:1A:7D:DA:71:06 Ph0wn Beacon 25:55:84:20:73:70 (unknown) ``` -`apt` doesn't have a recent version of bluez, recompile it with the following lines. +> [!CAUTION] +> `apt` doesn't have a recent version of bluez, recompile it with the following lines. ```powershell wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz 
@@ -26,6 +40,7 @@ make -j8 && sudo make install sudo cp attrib/gatttool /usr/local/bin/ ``` + ## BLE - Enumerate services and characteristics > BLE is based on specification called General Attribute profile (GATT), that defines how communication/data transfer between client and server. 
@@ -78,19 +93,29 @@ Read data with gatttool ```powershell $ sudo gatttool -b $MAC -I [00:1A:7D:DA:71:06][LE]> connect +``` -# list characteristics -[00:1A:7D:DA:71:06][LE]> characteristics -handle: 0x000b, char properties: 0x0a, char value handle: 0x000c, uuid: 4b796c6f-5265-6e49-7342-61644a656469 +* List characteristics -# read characteristic at char handle -[00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c -Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31 + ```powershell + [00:1A:7D:DA:71:06][LE]> characteristics + handle: 0x000b, char properties: 0x0a, char value handle: 0x000c, uuid: 4b796c6f-5265-6e49-7342-61644a656469 + ``` -# one liner +* Read characteristic at char handle + + ```powershell + [00:1A:7D:DA:71:06][LE]> char-read-hnd 0x000c + Characteristic value/descriptor: 44 65 63 72 79 70 74 20 74 68 65 20 6d 65 73 73 61 67 65 2c 20 77 72 69 74 65 20 74 68 65 20 64 65 63 72 79 70 74 65 64 20 76 61 6c 75 65 20 61 6e 64 20 72 65 61 64 20 62 61 63 6b 20 74 68 65 20 72 65 73 70 6f 6e 73 65 20 74 6f 20 66 6c 61 67 2e 20 45 6e 63 72 79 70 74 65 64 20 6d 65 73 73 61 67 65 3a 20 63 34 64 33 32 38 36 35 37 61 39 64 62 33 64 66 65 39 31 64 33 36 36 36 62 39 34 31 62 33 36 31 + ``` + +One liner to read a characteristic + +```powershell $ gatttool -b $MAC --char-read -a 0x002a|awk -F':' '{print $2}'|tr -d ' '|xxd -r -p;printf '\n' ``` + ## BLE - Read notification/indication ```powershell 
@@ -144,6 +169,7 @@ ubertooth-btle -U 1 -A 38 -f -c bulb_38.pcap ubertooth-btle -U 2 -A 39 -f -c bulb_39.pcap ``` + ### Using Micro::Bit * [WEAPONIZING THE BBC MICRO:BIT - DAMIEN CAUQUIL / VIRTUALABS - DEF CON 25 - JULY 28, 2017](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Damien-Cauquil-Weaponizing-the-BBC-MicroBit.pdf) @@ -163,9 +189,13 @@ $ adb pull /sdcard/oem_log/btsnoop/.log ## Challenges * [BLE HackMe](https://www.microsoft.com/store/apps/9N7PNVS9J1B7) - works with nRF Connect (Android), +* [hackgnar/ble_ctf](https://github.com/hackgnar/ble_ctf) - A Bluetooth low energy capture the flag ## References * [A Practical Introduction to Bluetooth Low Energy security without any special hardware - Slawomir Jasek - 19 November 2020](https://www.smartlockpicking.com/slides/HITB_Cyberweek_2020_A_Practical_Introduction_To_BLE_Security.pdf) -* [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini & Luca Bongiorni](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero) \ No newline at end of file +* [Denial of Pleasure: Attacking Unusual BLE Targets with a Flipper Zero - Matteo Mandolini & Luca Bongiorni](https://www.whid.ninja/blog/denial-of-pleasure-attacking-unusual-ble-targets-with-a-flipper-zero) +* [BLE CTF - wiki.elvis.science - Embedded Lab Vienna for IOT & Security](https://wiki.elvis.science/index.php?title=BLE_CTF) +* [BLUETOOTH LOW ENERGY CTF - WRITE UP - ECLECTIC KOALA](https://blog.tclaverie.eu/posts/bluetooth-low-energy-ctf---write-up/) +* [BLECTF, a "Capture The Flag" hardware platform based on Bluetooth Low Energy BLE + Write-Up - Hacker de Cabecera febrero 04, 2020](https://www.hackerdecabecera.com/2020/02/blectf-capture-flag-hardware-platafom.html) \ No newline at end of file diff --git a/docs/protocols/zigbee.md b/docs/protocols/zigbee.md index 2f47dffd..71ca529d 100644 --- a/docs/protocols/zigbee.md 
+++ b/docs/protocols/zigbee.md @@ -1,11 +1,15 @@ # ZigBee -> Zigbee is a specification for a suite of high-level communication protocols using low-power digital radios. It's designed for use in areas like home automation, medical data collection, industrial control systems, and other applications that require secure and reliable wireless communication. +> Zigbee is a specification for a suite of high-level communication protocols using low-power digital radios. It's designed for use in areas like home automation, medical data collection, industrial control systems, and other applications that require secure and reliable wireless communication. + +Zigbee is an IEEE 802.15.4-based, wireless networking standard, which is basically used for two-way communication between sensors and control systems. Zigbee is a short-range wireless communication standard like Bluetooth and Wi-Fi while covering a range of 10 to 100 meters. ## Tools * [riverloopsec/killerbee](https://github.com/riverloopsec/killerbee) - IEEE 802.15.4/ZigBee Security Research Toolkit +* [APIMote](https://www.attify-store.com/products/apimote) - The ApiMote is a ZigBee security research hardware intended for researchers, students, utility companies, etc. to use for learning about and evaluating the security of IEEE 802.15.4/ZigBee systems as authorized. +* [Cognosec/SecBee](https://github.com/Cognosec/SecBee) (archived) - SecBee is a ZigBee security testing tool developed by Cognosec to test ZigBee implementations for security issues ## Default Trust Center Link Key 
@@ -27,4 +31,9 @@ Example: [CVE-2020-28952 - Athom Homey Static and Well-known Keys](https://yougo * [AN1233: Zigbee Security - Silabs](https://www.silabs.com/documents/public/application-notes/an1233-zigbee-security.pdf) * [Zigbee Security 101 (Architecture And Security Issues) - February 11, 2023 - dattatray](https://payatu.com/blog/zigbee-security-101/) -* [Tout, tout, tout vous saurez tout sur le ZigBee / MISC nĀ°86 - July 2016 - Kovacs Nicolas](https://connect.ed-diamond.com/MISC/misc-086/tout-tout-tout-vous-saurez-tout-sur-le-zigbee) \ No newline at end of file +* [Tout, tout, tout vous saurez tout sur le ZigBee / MISC nĀ°86 - July 2016 - Kovacs Nicolas](https://connect.ed-diamond.com/MISC/misc-086/tout-tout-tout-vous-saurez-tout-sur-le-zigbee) +* [ZIGBEE SECURITY: BASICS (PART 2) - Vishruta Rudresh - November 8, 2017](https://research.kudelskisecurity.com/2017/11/08/zigbee-security-basics-part-2/) +* [ZIGBEE SECURITY: BASICS (PART 3) - Vishruta Rudresh - November 21, 2017](https://research.kudelskisecurity.com/2017/11/21/zigbee-security-basics-part-3/) +* [Understanding Zigbee and Wireless Mesh Networking - Ray Felch - 27 Aug 2021](https://www.blackhillsinfosec.com/understanding-zigbee-and-wireless-mesh-networking/) +* [ZigBee Penetration Testing: Strengthen Your IoT Security - RF Security - 12/08/2022](https://www.offensive-wireless.com/zigbee-penetration-testing/) +* [pCTF 2011 #32 That's no bluetooth - STALKR - TUESDAY, APRIL 26, 2011](https://blog.stalkr.net/2011/04/pctf-2011-32-thats-no-bluetooth.html) \ No newline at end of file
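Review bot: in the `docs/gadgets/bus-pirate.md` hunk (`@@ -29,4 +29,5 @@`), the rewritten last line still carries `\ No newline at end of file`; since the patch already replaces that line, add the trailing newline so the next appended reference does not show up as another modify-last-line diff. The same missing newline persists at the end of `esp32.md`, `bluetooth.md` and `zigbee.md` in this patch. Minor: the list now mixes three date formats (`4 juin 2018`, `19 December 2018`, `February 15, 2024`); pick one for the references.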
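Review bot: in the `docs/gadgets/esp32.md` hunk `@@ -1,15 +1,30 @@`, the new fences under `## Flashing` are tagged ` ```ps1 ` while the commands are Unix-style (`esptool.py -p /dev/ttyUSB0 ...`, `ampy --port /dev/ttyUSB0 put bla.py`); the PowerShell tag is misleading, so tag them `bash`. The two `write_flash` lines list their offset/file pairs in different orders, which a reader may take as significant; add one sentence stating the standard layout (`0x1000` bootloader, `0x8000` partition table, `0x10000` application) and say which project each `build/*.bin` comes from (`ble_ctf.bin`, `esp32-wifi-penetration-tool.bin`) so the lines are not mistaken for a generic recipe. The first line hard-codes `--flash_size 2MB` whereas the second uses `--flash_size detect`; prefer `detect` in a cheat sheet so the size is read from the chip. Finally, `bla.py` is a placeholder; since MicroPython runs `main.py` at boot, `put main.py` is the more useful example.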
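Review bot: in the `docs/gadgets/esp32.md` hunk `@@ -27,7 +42,9 @@`, the two added references share the identical description `Exploring possibilities of ESP32 platform to attack on nearby Wi-Fi networks`; shorten the second to `Documentation` or merge both links into one entry to avoid the duplicate text.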
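Review bot: in the `docs/gadgets/flipper-zero.md` hunk `@@ -7,8 +7,8 @@`, removing `* [Awesome FlipperZero](https://github.com/djsime1/awesome-flipperzero)` from the firmware list is correct (it is a resource collection, not a firmware) and it is re-added under `## References` later in this patch, but nothing in the hunk or commit message says so, so the `-` line reads as a dropped link; mention the move. The new `Flipper Zero Xtreme-Firmware` entry follows the pattern of its siblings, none of which has a description; a short note on what each fork changes would make the list more useful.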
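Review bot: in the `docs/gadgets/flipper-zero.md` hunk `@@ -27,6 +27,11 @@`, the new `## GPIO` section consists only of `![GPIO Flipper](../assets/flipper-gpio.png)`; an image-only section is useless to readers of the raw markdown and to screen readers, so add at least a sentence describing what the picture shows (the pin numbering and which pins are power and ground) and make the alt text match the heading (`Flipper Zero GPIO pinout`). Also trim the double blank line before `## Videos`.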
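Review bot: in the `docs/gadgets/flipper-zero.md` hunk `@@ -43,4 +48,5 @@`, the re-added `djsime1/Awesome FlipperZero` entry contains the mis-encoded sequence `šŸ¬` before `A collection of awesome resources`, which looks like a UTF-8 emoji decoded through a single-byte codepage; drop the emoji from the description rather than committing mojibake. The entry's `owner/Name - description` form also differs from the `Title - Author - date` form of the line above it.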
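Review bot: in the `docs/protocols/bluetooth.md` hunk `@@ -1,20 +1,34 @@`, the `> [!CAUTION]` alert is the wrong type for `apt doesn't have a recent version of bluez, recompile it with the following lines`: CAUTION signals a destructive outcome, and this is a setup note (`[!NOTE]` or `[!IMPORTANT]`). The note also contradicts the command right after it, `wget https://www.kernel.org/pub/linux/bluetooth/bluez-5.18.tar.xz`: 5.18 is a 2014 release, far older than what current Kali `apt` ships, so "recent" cannot be the reason. The trailing `sudo cp attrib/gatttool /usr/local/bin/` suggests the real goal is to obtain `gatttool`, which packaged bluez no longer installs; say that, and either bump the pinned version or write "a recent 5.x". The fences are tagged `powershell` for Linux commands shown with a `$ ` prompt; tag them `bash` and drop the prompt so the lines are copy-pasteable. In the tools list, `expliot_framework/expliot` points at readthedocs while the other four entries use the `owner/repo` GitHub convention; link the repository or drop the `owner/` prefix.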
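Review bot: the `docs/protocols/bluetooth.md` hunks `@@ -26,6 +40,7 @@` and `@@ -144,6 +169,7 @@` only insert a second blank line before a heading (`## BLE - Enumerate services and characteristics`, `### Using Micro::Bit`), and the same double-blank-before-heading pattern is introduced in `esp32.md` and `flipper-zero.md`. Markdown renders both forms identically, so either apply the style repo-wide in a separate formatting commit or drop these whitespace-only hunks to keep this diff about content.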
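Review bot: in the `docs/protocols/bluetooth.md` hunk `@@ -78,19 +93,29 @@`, splitting the interactive `gatttool -I` session across three fenced blocks loses the fact that `characteristics` and `char-read-hnd 0x000c` are typed at the same `[00:1A:7D:DA:71:06][LE]>` prompt after `connect`; either keep the session in one block with comments, as it was, or state in the bullets that these commands run inside the session opened above. The one-liner `gatttool -b $MAC --char-read -a 0x002a` reads handle `0x002a` while the interactive example reads `0x000c`; use the same handle so the two forms visibly yield the same value (the hex in the interactive output is plain ASCII, which is exactly what the `xxd -r -p` pipeline prints). `$MAC` is never assigned in the visible section; add `MAC=00:1A:7D:DA:71:06` before its first use. The indented fences are again tagged `powershell`; `bash` fits the `$ sudo gatttool` lines.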
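Review bot: in the `docs/protocols/bluetooth.md` hunk `@@ -163,9 +189,13 @@`, the new references mix date styles (`19 November 2020`, `febrero 04, 2020`, none at all) and one title is written entirely in capitals (`BLUETOOTH LOW ENERGY CTF - WRITE UP - ECLECTIC KOALA`); normalise to the `Title - Author - Date` form the list already uses and translate `febrero` to `February`. The context line above the new challenge entry still ends with a dangling comma (`works with nRF Connect (Android),`); since the list is being edited, fix it in the same change.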
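Review bot: in the `docs/protocols/zigbee.md` hunk `@@ -1,11 +1,15 @@`, the `-`/`+` pair for the `> Zigbee is a specification ...` quote is textually identical, so it is a whitespace-only change (most likely trailing whitespace) that adds noise to `git blame`; drop it or mention it in the commit message. The new paragraph needs tightening: `an IEEE 802.15.4-based, wireless networking standard, which is basically used for` should read `an IEEE 802.15.4-based wireless networking standard used for two-way communication between sensors and control systems`, and `a short-range wireless communication standard like Bluetooth and Wi-Fi while covering a range of 10 to 100 meters` reads better as `short-range, like Bluetooth and Wi-Fi, with a typical range of 10 to 100 meters`. In the tools list, marking `Cognosec/SecBee` as `(archived)` is helpful; give `APIMote` the same care by saying what it is (an IEEE 802.15.4 sniffer/injector board used with KillerBee) instead of reproducing the vendor's sentence ending in `as authorized`.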
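Review bot: in the `docs/protocols/zigbee.md` hunk `@@ -27,4 +31,9 @@`, the references add `ZIGBEE SECURITY: BASICS (PART 2)` and `(PART 3)` of the Kudelski series but not Part 1; add the Part 1 link (not present in this patch) or drop the part numbers. The MISC entry keeps the pre-existing mojibake `nĀ°86` (should be `n°86`) in both the `-` and the `+` line; since the line is rewritten anyway, fix it here. Titles are again mixed case (`ZIGBEE SECURITY: BASICS`, `TUESDAY, APRIL 26, 2011`); lower-case them to match the surrounding entries.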