I was doing some testing with freeradius and suddenly nothing worked with
the following error in debug mode:
(7) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
(7) eap_peap: TLS_accept: Need to read more data: error
(7) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
I checked the certificate and renewed it. The normal autorenewal processes had
not run since the previous
tests with radius and 802.1x authentication on wifi,
so that wasn't unexpected, but it still didn't solve the problem: I kept getting the
error message.
Note that the alert in the log is one freeradius read from the peer ("TLS Alert read"),
so it was the wifi client that considered the certificate chain expired, not the server.
After some digging into why it had worked before I saw I had requested that
certificate in a different way, with the chain ending in
ISRG Root X1 only, because
sendmail gave me SSL verification failures after the DST Root CA X3 expired.
So I did the same as I did before: I configured dehydrated (my preferred
ACME client) on the radius test machine to use the Let's Encrypt issuer chain
without the DST Root CA X3 cross signature, with the following in
/etc/dehydrated/config :
I wanted to grab the root filesystem image from the flash memory of the
Cab.Link CLS-D4E2WX1 cable modem/router.
The way to do this was the same as with Grabbing the firmware from the Corinex CXWC-HD200-WNeH and extracting the root filesystem
although I decided to just dump the root filesystem image and not the
entire flash memory.
So the box was opened again, the usb serial interface connected to the
uart pins on Cab.Link CLS-D4E2WX1
I found earlier and the boot stopped in the U-Boot process.
First step was to determine where in the memory map the root filesystem
image would be. This took a bit of calculation. From the bootup messages
there are two important hints:
So the kernel image is booted from address 0x9f670000 and it lives in the
MTD partition at offset 0x000000670000, which means the flash is memory-mapped
starting at 0x9f000000 (0x9f670000 minus 0x670000). That makes the guess that the
rootfs image at offset 0x000000050000 will live at memory location
0x9f050000 and has a size of 0x620000 (0x670000 minus 0x50000, the space up to
the kernel partition), so the approach is to
dump 0x620000 bytes starting at that memory location. The command to do that
in U-Boot:
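The address arithmetic above, plus the step that follows the dump: turning the serial capture back into a file. This is an added example, not code from the original post. It assumes the dump was made with the U-Boot `md.b <addr> <count>` hex-dump command (the post's own command line is not reproduced on this page) and the capture below is constructed in that shape, not the real flash contents.

```python
import re

# The kernel partition at MTD offset 0x670000 boots from 0x9f670000, so the
# flash is memory-mapped at their difference (0x9f000000 on this board).
def flash_base(kernel_mem_addr, kernel_mtd_offset):
    return kernel_mem_addr - kernel_mtd_offset

def dump_window(base, part_offset, next_part_offset):
    """(memory address, byte count) covering one partition of the mapped flash."""
    return base + part_offset, next_part_offset - part_offset

# One line of U-Boot 'md.b' output: 8 hex digits of address, ':', 16 hex bytes,
# four spaces, then the ASCII column (which we deliberately do not match).
MD_LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2})+)")

def parse_md_dump(capture, start_addr):
    """Reassemble a serial capture of 'md.b <addr> <count>' into bytes.
    Addresses must be contiguous: a dropped or garbled serial line raises
    instead of silently producing a shifted image."""
    out = bytearray()
    expected = start_addr
    for line in capture.splitlines():
        m = MD_LINE.match(line.strip())
        if not m:
            continue            # the echoed command, prompts, blank lines
        addr = int(m.group(1), 16)
        if addr != expected:
            raise ValueError(f"non-contiguous dump: expected {expected:#x}, got {addr:#x}")
        chunk = bytes.fromhex(m.group(2))   # fromhex ignores the spaces
        out += chunk
        expected += len(chunk)
    return bytes(out)

def looks_like_squashfs(image):
    """Squashfs magic: 'hsqs' for little-endian images, 'sqsh' for big-endian."""
    return image[:4] in (b"hsqs", b"sqsh")

# Constructed capture shaped like the first two lines of md.b output plus the
# echoed command and prompt; the prompt string and bytes are made up.
SAMPLE_CAPTURE = """\
u-boot> md.b 0x9f050000 0x20
9f050000: 68 73 71 73 f0 01 00 00 00 00 00 00 00 00 00 00    hsqs............
9f050010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
u-boot>
"""

def demo():
    base = flash_base(0x9f670000, 0x670000)
    addr, count = dump_window(base, 0x50000, 0x670000)
    image = parse_md_dump(SAMPLE_CAPTURE, addr)
    return base, addr, count, image

if __name__ == "__main__":
    base, addr, count, image = demo()
    print(f"base {base:#x}, dump {count:#x} bytes from {addr:#x}, squashfs: {looks_like_squashfs(image)}")
```

A full 0x620000-byte dump is over 400,000 lines of hex at serial speed, so the contiguity check matters: one lost line shifts everything after it. Check the result with `unsquashfs -s` (superblock summary) or binwalk before extracting.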
Besides using bitcoin to
extort people
there is always the option of breaking into bitcoin accounts to steal other
people's buttcoins. The advantage of not using banks for money matters is that
there is also no way to investigate crime involving money, so if you can steal
the buttcoins you can get away with it.
Today I received a phishing mail that was supposedly from 'Bitvavo', which apparently
does something with buttcoins and other cryptocurrencies. The criminals have
clearly paid attention to phishing mails for banks and use the standard
phishing methods: urgency, regulatory compliance and a simple action to get
access to your account. With the added step of a QR code, so you can't simply
run a URL analyzer over your mail, and you open the phishing site (the
'verification steps') in your mobile browser where it is harder to check things.
The trail:
The QR code scans to http://lnkiy.in/VKwZG
Redirect: https://360corporatetours.com/wp-admin/images/bit.php , this URL looks like a hacked WordPress site.
From there an HTML redirect follows to: https://bitvavo.22497-4837.s2.webspace.re/
And that looks very much like a Bitvavo login page.
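Tracing a chain like this by hand means looking at each hop for a different kind of redirect: an HTTP Location header, an HTML meta refresh, or a JavaScript location assignment. The following is an added example (not the author's tooling) that recognises all three and walks the chain. The three responses are constructed stand-ins for the hops listed above so it runs offline; it never contacts the real hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

class _MetaRefresh(HTMLParser):
    """Collect the target of <meta http-equiv="refresh" content="0; url=...">."""
    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag.lower() == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m:
                self.target = m.group(1)

# Client-side redirects in script: location = "...", window.location.href = "..."
JS_LOCATION = re.compile(
    r"""(?:window|document|top|self)?\.?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I)

def next_hop(url, status, headers, body):
    """Next URL in the chain, or None when this response is the final page.
    Order: HTTP redirect, then HTML meta refresh, then JavaScript location."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308) and "location" in h:
        return urljoin(url, h["location"])
    parser = _MetaRefresh()
    parser.feed(body)
    if parser.target:
        return urljoin(url, parser.target)
    m = JS_LOCATION.search(body)
    if m:
        return urljoin(url, m.group(1))
    return None

def follow_chain(start, fetch, max_hops=10):
    """fetch(url) -> (status, headers, body). Stops at the final page, a loop, or max_hops."""
    chain = [start]
    url = start
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None:
            return chain
        chain.append(nxt)
        if nxt in chain[:-1]:
            return chain        # redirect loop
        url = nxt
    return chain

# Constructed responses for the three hops on this page (not captured traffic).
DEMO_RESPONSES = {
    "http://lnkiy.in/VKwZG": (
        302, {"Location": "https://360corporatetours.com/wp-admin/images/bit.php"}, ""),
    "https://360corporatetours.com/wp-admin/images/bit.php": (
        200, {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        'content="0; url=https://bitvavo.22497-4837.s2.webspace.re/"></head></html>'),
    "https://bitvavo.22497-4837.s2.webspace.re/": (
        200, {"Content-Type": "text/html"},
        '<html><body><form method="post"><input name="email">'
        '<input name="password" type="password"></form></body></html>'),
}

def demo_fetch(url):
    return DEMO_RESPONSES[url]

def trace_demo():
    return follow_chain("http://lnkiy.in/VKwZG", demo_fetch)

if __name__ == "__main__":
    for hop in trace_demo():
        print(hop)
```

For a live trace, plug in a `fetch` built on `urllib.request` with a short timeout and a mobile browser User-Agent (these kits often serve the real page only to phones), and run it from a throwaway network, not from the mailbox owner's machine.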
Update 2023-01-12
I have since learned that it is quite possible to trace bitcoin;
this is the primary activity of the company 'Chainalysis'. The Darknet
Diaries podcast discussed this at length in the episode
Welcome To Video - Darknet Diaries.
The episode is about a large investigation in which bitcoin chain analysis made
it possible to track down suspects.
My enthusiastic stories about getting uart access on the previous cable router
devices are causing more hardware to come my way to play with.
This time two Corinex HD200 CableLAN Wall Mount Adapter CXC-HD200-WMEe units
showed up. They are compact interfaces for ethernet-over-cable according to
Corinex standards. The size and the status LEDs remind me a lot of
devolo powerline units
which I used years ago to get network in our garden shed.
After voiding the warranty by breaking the sticker and unscrewing the two
screws the case still doesn't want to open. Some force is needed: plastic tabs in
the corners kept it closed. I notice there is one very compact board with
everything including the power supply. There is a clear demarcation on the
board between the power supply area and the rest with slits in the board on
parts of this line. Two other screws hold the board to the case and after
removing those I can take it out. There are wires from the board to the power
plug and a coax cable to the F connector for the coax cable.
There is probably a main system on a chip (SoC) but it's hiding under a
heatsink. Most components are surface mount devices (SMD).
On the other side of the board I see an RTL8201EN Ethernet PHY chip near the
RJ45 network connector. And an EM638165TS-6IG chip, which turns out to be
64 Mbit of Synchronous DRAM. And a 25L3206E, 32 Mbit serial flash.
For now I have no idea if this device has a UART somewhere. The only row
of 4 small solder pads didn't give me continuity to any part that I
thought would be at electrical ground level, so no idea whether that is
the UART or not.
Although there are two units they don't want to talk to each other over a coax
cable with F connectors. The manuals I can find state clearly that they want to
see a Corinex Ethernet over cable master device. The person who gave them to
me has experience with these devices and their implementation of the standards
and told me Corinex Ethernet over cable devices only talk to Corinex
Ethernet over cable masters.
In August 2022 I received a report of a cross-site scripting vulnerability in The Virtual Bookcase
and the reporter of the vulnerability never replied after I told him there was
no financial reward for reporting bugs.
In November the bug report became public at openbugbounty:
virtualbookcase.com Cross Site Scripting Vulnerability Report ID: OBB-2858037 - Open Bug Bounty
which confirms my theory of what the vulnerability was. I have fixed it,
but that isn't visible at openbugbounty.
In this case the vulnerability wasn't severe and with the little amount of
information I had from the report plus the access logs I was able to fix it.
But in other cases the vulnerability may be more complex and the site-owner
who deals with a report like this can't just analyze the logfiles to get an
idea of where the vulnerability might be.
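The access logs were what located the bug here, because XSS probes leave the payload in the request line. This added example (not the author's tooling) scans combined-format log lines for the usual markers, decoding the target twice because probes are often double-encoded, and reports which path and parameter carried them. The log lines are constructed, not the site's real logs.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache/nginx combined log format: client, identd, user, [time], "request", status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Fragments that legitimate parameters of a site like this practically never contain.
XSS_MARKER = re.compile(
    r"<\s*/?\s*(?:script|img|svg|iframe|body|object|embed)\b|\bon\w+\s*=|javascript:|alert\s*\(",
    re.I)

def decode_target(target):
    """Decode twice: a probe encoded as %253C turns into %3C and only then into '<'."""
    return unquote_plus(unquote_plus(target))

def find_xss_probes(lines):
    """One dict per request whose decoded target carries an XSS marker, naming the
    path and the query parameter(s) the payload was delivered in."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = decode_target(m["target"])
        if not XSS_MARKER.search(target):
            continue
        parts = urlsplit(target)
        params = [k for k, v in parse_qsl(parts.query, keep_blank_values=True)
                  if XSS_MARKER.search(v)]
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                     "path": parts.path, "params": params})
    return hits

def suspect_locations(hits):
    """Count (path, parameter) pairs: the code to audit first."""
    counts = Counter()
    for h in hits:
        for p in h["params"] or ["<none>"]:
            counts[(h["path"], p)] += 1
    return dict(counts)

# Constructed sample: two normal requests, a plain probe and a double-encoded one.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Aug/2022:10:12:31 +0200] "GET /index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Aug/2022:10:12:33 +0200] "GET /search.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Aug/2022:10:12:40 +0200] "GET /books.php?title=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E&page=2 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [14/Aug/2022:10:13:02 +0200] "GET /search.php?q=python+programming HTTP/1.1" 200 6002 "-" "Mozilla/5.0"',
]

def demo():
    return find_xss_probes(SAMPLE_LOG)

if __name__ == "__main__":
    for (path, param), n in suspect_locations(demo()).items():
        print(f"{path} parameter {param}: {n} probe(s)")
```

A 200 status on a probe only says the page rendered, not that the payload executed; the hit list tells you where to look, the fix still needs a look at how that parameter is echoed.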
I don't think the world becomes a safer place if information about
vulnerabilities is only available if you pay for it.
The 'About the Project' page of the Open Bug Bounty project
seems to promote an actual 'bounty':
A website owner can express a gratitude to a researcher for reporting
vulnerability in a way s/he considers the most appropriate and proportional to
the researcher's efforts and help.
As a matter of example, Google pays from $7,500 to $100 per XSS vulnerability
submitted by security researchers. But Google is Google, you may adjust your
remuneration range to any amounts comfortable for you.
At the same time demanding a bounty before disclosing the bug is not ok on
this platform. From the same 'About' page:
We always encourage the researchers to be respectful, responsive and polite, to
provide website owners with all reasonable help and assistance.
If a researcher violates the enacted standards of ethics and good faith
including but not limited to:
demanding remuneration to delete a submission
demanding remuneration to disclose vulnerability details
such submissions will be immediately deleted from our platform.
I hope the next vulnerability disclosure causes less irritation.
On 9 December this year the annual SURFcert Capture The Flag (CTF) event took place.
The end result is that team "I'm not a robot" from Radboud University Nijmegen won
with the most points.
When I participate in a CTF, I like to keep notes and write about my
experiences and what I learned solving the challenges. Being on the 'other'
side creating the challenges is as much fun, but while creating the challenges
you have to be really silent about it. For me personally it is extra
challenging because one of the regular SURFcert CTF players works with me in
the same team.
But sometimes designing a challenge and making it happen gives the same great
feeling as actually solving it! This was the case with the challenge that
ended up as Scan the radio on the SURFcert CTF. The name of
the challenge was somewhat confusing by design: there was a challenge which
was designed to make people use a 1990s style ghettoblaster radio,
there was a challenge mentioning 'broadcast' which was actually about
names of wifi networks and this challenge. All three were marked 'physical'
with a description of the challenge.
For this challenge I wanted to create an NFC tag that could be read easily.
I found out information can be put in NFC tags using the NDEF standard (NFC
Data Exchange Format) which has options to embed URLs, options to start
certain apps or simple strings. I wanted a simple string with a flag as
our flag format was SCF2022- plus 32 characters uppercase. I found out the
developer of proxmark is working on NDEF support but it is all quite new.
At this point I was worried I had to write my own code and use parts from a
fresh library to get an NDEF message on a card. I did bring some MiFare classic
cards home to test on. But searching for information I came across
NDEF and Magic Mifare Cards with the very important remark:
My suggestion would be to get an Android phone
with nxp reader chip (there are many) and use tagwriter from NXP to format and
write ndef data to the Mifare classic chip.
I do have NFC TagWriter by NXP
on a smartphone, I just haven't used it a lot.
And indeed it was really easy to create an NDEF dataset with a string,
write this to a MiFare classic and read this with an Android phone with NFC
support, even without opening the NXP TagInfo application.
So that was an easy challenge to make, a lot easier than I first thought.
Or was it? The final test would be to read this on an Apple iphone too.
And there came the snag, the Apple iphone doesn't work with MiFare classic
tags somehow. But the person who helped me test it had another tag with an
NDEF message on it, and that worked fine. So the conclusion was that another
type of tag would work better. Luckily one of the other people of the team
creating the SURFcert CTF has a big collection of NFC tags and it turned
out the tag given out by Tweakers reads fine on Android and iphone.
So that's how the 'scan the radio' challenge was to notice the clearly not
from 1992 tweakers tag on the ghettoblaster radio, scan it with the standard
NFC support in a smartphone or use NXP TagInfo and find the flag.
While creating this challenge I also tried writing information to the tags
which were given out / sold about 15 years ago which looked like a circle with
a hex serial number. I always assumed they were just a serial number to look up
in a database. But they turned out to be actual NDEF tags with the hex serial
number on the outside as an URL:
For the tag with 04B7CC193E2580 on the outside: protocol 01 (http://www.), URI field ttag.be/m/04B7CC193E2580, so the tag points at http://www.ttag.be/m/04B7CC193E2580
But ttag.be has changed owners since this was active and it's now
redirecting to 609.es which is a real-estate agent in Spain. I guess
everybody who scans a round tag with a serial number wonders how they end up
with a real-estate agent.
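Both tags above are plain NDEF: the flag is a Text record (type "T", a status byte with the language code length, the language code, the text) and the round ttag.be tag is a URI record (type "U", a one-byte prefix code, here 01 for "http://www.", then the rest of the URL). The following added example (mine, not code from the CTF team or from NXP TagWriter) builds and parses both, and wraps the flag message the way an NFC Forum Type 2 tag stores it. The flag value is constructed in the SCF2022- format, not the real flag. One caveat for the iPhone snag in the text: MIFARE Classic is not an NFC Forum tag type (it uses NXP's proprietary Crypto-1 sectors), which is why an NDEF message on it reads on Android phones with an NXP reader chip but not with iOS background tag reading, while an NFC Forum Type 2 tag such as an NTAG reads on both.

```python
TNF_WELL_KNOWN = 0x01
# NDEF URI record prefix codes (NFC Forum URI RTD), the ones met in practice.
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://",
                0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

def text_payload(text, lang="en"):
    """Text RTD: status byte (bit 7 = UTF-16, low 6 bits = language length), language, text."""
    lang_b = lang.encode("ascii")
    return bytes([len(lang_b)]) + lang_b + text.encode("utf-8")

def uri_payload(uri):
    """URI RTD: one prefix code byte, then the rest of the URI; longest matching prefix wins."""
    for code, prefix in sorted(URI_PREFIXES.items(), key=lambda kv: -len(kv[1])):
        if prefix and uri.startswith(prefix):
            return bytes([code]) + uri[len(prefix):].encode("utf-8")
    return b"\x00" + uri.encode("utf-8")

def ndef_message(records):
    """records: list of (type, payload) in short-record form (payload < 256 bytes)."""
    out = b""
    last = len(records) - 1
    for i, (rtype, payload) in enumerate(records):
        if len(payload) > 255:
            raise ValueError("short record form only")
        flags = 0x10 | TNF_WELL_KNOWN            # SR set, TNF = NFC Forum well-known type
        if i == 0:
            flags |= 0x80                        # MB: message begin
        if i == last:
            flags |= 0x40                        # ME: message end
        out += bytes([flags, len(rtype), len(payload)]) + rtype + payload
    return out

def tlv_wrap(message):
    """Type 2 tag storage: NDEF TLV (tag 0x03, length, value) followed by terminator 0xFE."""
    if len(message) > 254:
        raise ValueError("use the 3-byte TLV length form for longer messages")
    return b"\x03" + bytes([len(message)]) + message + b"\xfe"

def decode_record(tnf, rtype, payload):
    if tnf == TNF_WELL_KNOWN and rtype == b"T":
        status = payload[0]
        lang_len = status & 0x3F
        enc = "utf-16" if status & 0x80 else "utf-8"
        return ("text", payload[1 + lang_len:].decode(enc))
    if tnf == TNF_WELL_KNOWN and rtype == b"U":
        return ("uri", URI_PREFIXES.get(payload[0], "") + payload[1:].decode("utf-8"))
    return ("other", bytes(payload))

def parse_ndef(message):
    """Walk the records until ME is set; Text and URI records are decoded, others kept raw."""
    records, i = [], 0
    while i < len(message):
        flags = message[i]
        tnf, sr, il = flags & 0x07, flags & 0x10, flags & 0x08
        type_len = message[i + 1]
        if sr:
            payload_len, i = message[i + 2], i + 3
        else:
            payload_len, i = int.from_bytes(message[i + 2:i + 6], "big"), i + 6
        id_len = 0
        if il:
            id_len, i = message[i], i + 1
        rtype = message[i:i + type_len]
        i += type_len + id_len                   # skip type and the optional ID field
        payload = message[i:i + payload_len]
        i += payload_len
        records.append(decode_record(tnf, rtype, payload))
        if flags & 0x40:
            break
    return records

# Constructed flag in the SCF2022-<32 uppercase> format; not the CTF's real flag.
FLAG = "SCF2022-" + "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEF"

def flag_tag_bytes():
    """What gets written to a Type 2 tag for the 'scan the radio' style challenge."""
    return tlv_wrap(ndef_message([(b"T", text_payload(FLAG))]))

def ttag_message():
    """The round ttag.be tag's record, rebuilt from the prefix code and URI field above."""
    return ndef_message([(b"U", uri_payload("http://www.ttag.be/m/04B7CC193E2580"))])

if __name__ == "__main__":
    print(flag_tag_bytes().hex())
    print(parse_ndef(ttag_message()))
```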
I haven't written about the bitcoin extortion mails for a while, but this one
came by today in fairly good Dutch. It reads as if the original language is
different, but it is well translated, without awkward sentences.
Unfortunately I start with bad news for you. A few months ago I managed to get
access to the device you are now using to surf the internet. Since then I have
been tracking all your internet activities.
Because you are a regular visitor of porn sites, I think you should pay
attention now. You hold your fate in your own hands. I'll keep it simple:
I got access to your data through the website you visited.
I uploaded a trojan horse to the driver system which keeps updating its fingerprint
several times a day, so that it is impossible for your antivirus software to
detect it. Moreover it gives me access to your camera and microphone. I have
also made a backup of all data, including photos, social media, chats and contacts.
Transfer the amount of 950 USD in BTC to my Bitcoin wallet, and I will let this
whole situation rest. I guarantee that I will permanently delete all data and
videos as soon as the payment is received.
That seems to me a modest and reasonable fee for all my hard work. You can
find out for yourself how to buy Bitcoins using search engines like Google or
Bing, because none of that is difficult at all.
My Bitcoin wallet (BTC): 1CKiipxrHHRz4HFWMxk6Q4v5hGUs7vHPML
There is already a report here from someone who received the same mail, which
makes it immediately clear that the sender has nothing at all but would like
the bitcoin wallet to be topped up.
There is also a link to a site that claims to help you if you become the victim
of bitcoin scammers. That help then makes you the victim of bitcoin scammers
twice, so that is not recommended either.
From a security research perspective I have only scratched the surface of the
security research on the Corinex CXWC-HD200-WNeH and the
Cab.Link CLS-D4E2WX1
by finding default credentials for telnet.
To get further insight I first need to enumerate the network attack surface
completely: what services are running, and what programs run those services.
The ultimate step would be to build an emulation environment where I can run
the programs from the routers under my control and find out about the programs
and get a first few steps into reverse engineering. With qemu it is possible to
emulate MIPS systems on x86 hardware, so I can build a test environment.
It would need some work to get old enough versions of code and kernels to
create a compatible environment. The Corinex router mentions compilation in
2012 but with Linux kernel 2.6.21, which was released 25 April 2007. The
Cab.Link router mentions compilation in 2013 but uses Linux kernel 2.6.31, which
was released 9 September 2009.
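Before picking a qemu binary for the extracted root filesystem, the ELF header of any binary in it tells you the architecture and endianness, and MIPS comes in both. This added example (not tooling from the original post) reads the header and names the matching qemu-user binary; the two headers are constructed, not bytes from either router. With user-mode emulation (copy the matching qemu-*-static into the extracted rootfs and chroot into it) the programs run on the host kernel, so the old 2.6 kernels only matter once full-system emulation with qemu-system-mips is needed.

```python
import struct

# e_machine values for the CPUs one meets in consumer network gear.
E_MACHINE = {0x03: "i386", 0x08: "mips", 0x28: "arm", 0x3E: "x86_64", 0xB7: "aarch64"}

def qemu_user_for_elf(header):
    """Map the first 20 bytes of an ELF file to the qemu-user binary that runs it."""
    if header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = header[4], header[5]     # class: 1 = 32-bit, 2 = 64-bit; data: 1 = LE, 2 = BE
    if ei_data not in (1, 2):
        raise ValueError("unknown ELF data encoding")
    endian = "<" if ei_data == 1 else ">"
    (e_machine,) = struct.unpack(endian + "H", header[18:20])
    arch = E_MACHINE.get(e_machine)
    if arch is None:
        raise ValueError(f"unsupported e_machine {e_machine:#x}")
    if arch == "mips":
        # Debian naming: qemu-mips / qemu-mipsel / qemu-mips64 / qemu-mips64el
        arch = ("mips64" if ei_class == 2 else "mips") + ("el" if ei_data == 1 else "")
    return f"qemu-{arch}-static"

def qemu_user_for_file(path):
    with open(path, "rb") as f:
        return qemu_user_for_elf(f.read(20))

# Constructed headers: a big-endian and a little-endian 32-bit MIPS executable.
# e_type (2 bytes) and e_machine (2 bytes) follow the 16-byte e_ident.
BE_MIPS32 = b"\x7fELF\x01\x02\x01" + bytes(9) + b"\x00\x02\x00\x08"
LE_MIPS32 = b"\x7fELF\x01\x01\x01" + bytes(9) + b"\x02\x00\x08\x00"

if __name__ == "__main__":
    print(qemu_user_for_elf(BE_MIPS32), qemu_user_for_elf(LE_MIPS32))
```

Run it over /bin/busybox (or whatever init is) in the extracted filesystem; if that binary and the libraries in /lib disagree, the image was mixed and emulation will fail in confusing ways.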
After getting a good look at the
Cab.Link CLS-D4E2WX1
from the outside it was time to void the warranty and open the box. The
two screws are hiding under the little rubber feet at the front side and
after removing those two screws the case opens with a bit of jiggling.
This device has an external 12 volt 1 ampere power supply.
Chips found on the board:
Qualcomm QCA7411L-AL3C - HomePlug AV / IEEE 1901, the ethernet over cable interface I guess
I also see an extra board (leftside of the picture, blue) where the u.fl cable
to the wifi antenna starts. It has a few larger chips but those have a label
over them. I guess one of them must be the CPU because I haven't seen a chip
with that function yet.
The makers of the Cab.Link CLS-D4E2WX1 were kind enough to include 4 pins
labeled J30 (bottom left of the picture) which are a very obvious candidate for
being the uart port. Again the process of finding GND, TX, RX and Vcc was done
and the right pins found. With the board in front and the J30 label readable the pins
are from left to right TX, RX, GND and 3.3 volt. I name the TX and RX pins from
the view of the system, so I see data transmitted on TX and I send data to RX.
The real phishing page! Finally. This one sends the entered data to
https://21989-4437.s1.webspace.re/KVK/tmg1.php
After that comes a redirect to https://21989-4437.s1.webspace.re/KVK/2.php which eventually redirects to
a KVK page.
Looking at the overview Kamer van Koophandel - Fraudehelpdesk
I don't see my specific message listed, but there is plenty to choose from.
All fraud attempts, so don't fall for this!