2 Apr

CUPP v3

People spend a lot of time preparing for an effective dictionary attack. Common User Passwords Profiler (CUPP) is made to simplify this attack method, which is often used as a last resort in penetration testing and forensic crime investigations. A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.

Going through different combinations and algorithms, CUPP can predict specific target passwords by exploiting human vulnerabilities. In password creation, as in many aspects of life, everybody tends towards an original solution, but thanks to human nature we all tend towards originality in the same way, leading to almost absolute predictability.

Common User Passwords Profiler version 3 comes with some fixes and new options!

Download cupp v3

26 Mar

Thorsten has presented our Keykeriki v2 work for the first time to a broader audience at the CanSecWest 2010 conference in Vancouver.

Practical Exploitation of Modern Wireless Devices is the title of the presentation. It introduces the Keykeriki v2 as a (HW and SW) toolkit to sniff and inject traffic to a broad range of wireless devices that use the NRF24 series transceivers from Nordic Semiconductor.
Click here to download the slideset.

As promised during the talk, we release a first debug and development version of the hardware layout here. The corresponding firmware source code and binary are available here – this version allows attacking current models of the Microsoft keyboards that use these chips. The code is a first release and is limited on purpose to this scenario (keyboard sniffing and remote command execution). Hopefully we can extend its layout so it evolves into an inexpensive, software-based, software defined radio for the 2.4GHz band.

And no, this is NOT limited to keyboards; only the released code is. We will update the rest of the Keykeriki section when Thorsten is back home. A detailed HOWTO will follow once Thorsten is on his way back to Europe.

21 Mar

During a little research we once again found a nice little unique weakness in the beloved Blackberries. After a lot of stuff has been published about the possibility of unsigned / signed trojaned applications… here is the way to distribute them (for your research education only!). You can actually force the Blackberries to use a rogue access point for Internet browsing without needing any special user interaction. The Blackberry will not be able to reach its Enterprise server, and so it decides to fail open. :-)

Blackberry Jacking from Max Moser on Vimeo.

No clue what would be possible with over-the-air installation or website-embedded Blackberry apps. Please drop us a line if you work on this topic. We might continue our journey as well… maybe joining forces?

P.S. If the allow hotspot browsing policy is set to disallow, then the BB is cut off when the GPRS/EDGE/HSDPA connection goes down. Maybe it would be better if the default policy was set to disallow, but it is configurable. – Let's face it, you won't be able to use hotspots at all (even when your enterprise server is available) if you switch that one on. RIM was very helpful and pointed out the “disallow hotspot browsing” policy setting…

8 Feb

… Modern Wireless Devices

Several months ago, we published all the information necessary to build your own wireless keyboard sniffer. We called it Keykeriki, and we also have a project page for this stuff. This keyboard sniffing device is able to capture and decrypt keystrokes sent by Microsoft and Logitech 27 MHz based keyboards. And we got stuck there, somehow. We prepared PCBs for you and we still have some, but: we don’t know if it’s worth ordering more PCBs right now, although there are still several people out there interested in getting such a PCB to build this device. But why shouldn’t it be worth ordering more PCBs right now..? Well, we did some more research, as briefly announced on the project page. If you wrote us an email, it might still not be answered yet… well, we’re sorry about this, but we were really, really close to completion of this project – every day. For the past six months.

We just thought: “let’s just wait a few days and we will write answers to all those emails anyway!”.

What happened?

In November 2009 we gave a talk on 2.4GHz based wireless keyboard security at the DeepSec Security Conference in Vienna. We analyzed several modern, state-of-the-art keyboards and realized that they all have something in common: they all use some kind of proprietary protocol on the free 2.4GHz band. All of the ones we analyzed (several Microsoft and Logitech devices, Siemens-Fujitsu, etc.) use a Nordic Semiconductor SoC transceiver which also implements (and hides) the complete Layer 2, the MAC layer. Using the so-called “Enhanced Shockburst™ Technology”, data rates of up to 2 Mbit/s are possible at very low power consumption by minimizing the on-air time. Those devices do not allow direct access to Layer 2 by design: one must know the MAC address in order to configure and use a Nordic Semiconductor transceiver properly. Otherwise the SoC treats Shockburst frames without the correct destination address as noise. Despite the fact that we need to brute-force guess a correct MAC address (which is possible within several hours), we analyzed the payload sent by the keyboards.

Short summary of some findings:

  • Logitech uses the 128-bit AES crypto hardware of Nordic Semiconductor’s transceiver chip. The methods used here are already broken in theory; I guess it simply needs some more spare time to also be broken in practice ;-)
  • Microsoft also uses 128-bit AES hardware crypto-enabled transceiver chips, but… they rather implemented their own highly secure crypto algorithm in software, and also a secret checksum algorithm! Well, duh – lessons learned from the past: they don’t use the secret XOR-with-one-random-byte algorithm anymore. Since they ship their devices with hardware-crypto-enabled SoCs, implementing a secret XOR-with-five-nonrandom-(MAC address)-bytes algorithm goes without saying. That’s right, the five-byte XOR key equals the constant MAC address, which must (!) be known by anyone who wants to send to or receive from a specific device anyway!
  • Siemens Fujitsu – no crypto
  • No-Name devices – *yawn*
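As an added illustration (not code from the post or from the Keykeriki project) of why the Microsoft scheme in the second bullet adds nothing, here is that XOR construction in C: the “key” is the 5-byte address every receiver must already hold to get the frame at all, and with no nonce a repeated keystroke always yields the same on-air bytes, two things any protocol reviewer should flag. The frame layout, the address and the 8-byte report are constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ADDR_LEN 5     /* Enhanced Shockburst addresses are up to 5 bytes long */
#define PAYLOAD_LEN 8  /* constructed keystroke-report size for this demo */

/* Demo frame (constructed layout): the address every peer must configure to receive anything, plus the XOR-obscured payload. */
typedef struct {
    uint8_t addr[ADDR_LEN];
    uint8_t payload[PAYLOAD_LEN];
} demo_frame_t;

/* Repeating XOR keyed by the address, as the post describes: out[i] = in[i] ^ addr[i % 5].
 * XOR is its own inverse, so one routine both obscures and recovers. */
void xor_with_addr(const uint8_t *addr, const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ addr[i % ADDR_LEN];
}

/* Sender: obscure a plaintext report and address the frame to `addr`. */
demo_frame_t make_frame(const uint8_t *addr, const uint8_t *plain) {
    demo_frame_t f;
    memcpy(f.addr, addr, ADDR_LEN);
    xor_with_addr(addr, plain, f.payload, PAYLOAD_LEN);
    return f;
}

/* Receiver: recover the report with only the address it already needed; 1 if it equals `expected`. */
int receiver_recovers(const demo_frame_t *f, const uint8_t *expected) {
    uint8_t plain[PAYLOAD_LEN];
    xor_with_addr(f->addr, f->payload, plain, PAYLOAD_LEN);
    return memcmp(plain, expected, PAYLOAD_LEN) == 0;
}

/* No nonce or counter enters the scheme, so the same keystroke always produces
 * the same on-air bytes. Returns 1 when two frames of one report are identical. */
int same_report_same_bytes(const uint8_t *addr, const uint8_t *plain) {
    demo_frame_t a = make_frame(addr, plain), b = make_frame(addr, plain);
    return memcmp(a.payload, b.payload, PAYLOAD_LEN) == 0;
}

/* Constructed demo values (not a real device address or report); returns 1 when
 * both properties above hold, i.e. the scheme offers no confidentiality. */
int run_demo(void) {
    const uint8_t addr[ADDR_LEN] = {0xA1, 0xB2, 0xC3, 0xD4, 0xE5};
    const uint8_t report[PAYLOAD_LEN] = {0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
    demo_frame_t f = make_frame(addr, report);
    return receiver_recovers(&f, report) && same_report_same_bytes(addr, report);
}
```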

At this point we just followed the brute-force attack scenario and attached a Nordic Semi transceiver module to the existing Keykeriki device. Only one simple modification is necessary: attaching the module to the pins on the right side of the Atmel AVR. And this simple modification is exactly the reason for the delay; that’s why we got stuck in a situation trying both at the same time: moving forward whilst moving backward (to stay compatible) and providing better error correction for the 27MHz stuff.

2.4GHz range tests in-house

In the end we were (of course) able to read, and also send, data to the PC. We implemented a very simple remote command injection exploit demo by sending “Windows-R + cmd.exe + Return”. Well, there are several technical details which will be described in our new whitepaper, but at least we were able to execute commands remotely over a distance of 75m in-house.

The attack and also information about the Logitech crypto is briefly described in our presentation slides of DeepSec Conference 2009 and will be detailed in our upcoming whitepaper.

Keykeriki V2

Now – and that’s the news – we are also able to perform all attacks using zero-knowledge approaches. We built a new generation Keykeriki V2 which is based on an ARM Cortex-M3 microcontroller. We decided to drop the concept of a super-universal Keykeriki device and build a new one that is able to process data at higher speed.

Keykeriki V2 PCB Prototype

Dev/Prototype version of Keykeriki V2

Our goal was to enable attacks using zero-knowledge approaches without expensive radio equipment. The new tool may also lay the base for completely new threat scenarios through those low-cost 2.4GHz SoC devices! We don’t want to publish much information about the new hard- and software right now. The news will be detailed at our talk at CanSecWest 2010 in Vancouver, Canada. We’re going to release the successor to the Keykeriki during the conference. The working title is “Vogelgrippe” and it will be able to capture raw “Enhanced Shockburst™” frames, therefore being able to capture keystrokes of any wireless keyboard which uses the 2.4GHz Enhanced Shockburst™ Technology. The hardware will be as tiny and handy as the first generation Keykeriki, therefore not larger than a packet of cigarettes.

The abstract of our talk at CanSecWest 2010 will be available later. CanSecWest 2010 will be held March 24-26, 2010 in Vancouver, Canada. Many thanks to Dreamlab Technologies AG for supporting this project!

2 Feb

zero

Posted by mjm

shasum: 097249cf3339011e036ceebcd192e3595437eaed

29 Jan

It was great fun again to see how Keykeriki devices are built by many people with different soldering skill levels. SMD soldering is not very difficult if you have the right tools and some patience to learn. Most of the devices already run. To protect the individuals, I added some filters to the faces, but the iPhone camera is so bad that I doubt it would make much of a difference.

12 Jan

As you might have already noticed, the world’s most famous security Linux distribution has a new home: http://www.backtrack-linux.org.

Yeah, we did it, and yes, it was fun! But like every good thing in life, BackTrack and Remote-Exploit.org have changed too. The community around BackTrack has grown, and fresh young developers together with one of the core founders pushed the distro into a larger scope, while the Remote-Exploit team decided to go back to basics: researching and publishing our new ideas and projects….
back to fun!

Max and Martin