See If You Can Find It

Sunday, May 16, 2021

Addressing A Potential Issue: Beyond The Ad

    Look... We all hate ads. I can count on one hand the number of times I've voluntarily re-watched an ad that I just saw (3). I even have a little device (Pi-hole) in my house to keep most ads out of my network. But the ads aren't the problem in Ford's most recent venture. Although, I have to ask... Why, Ford? We have enough of this marketing media force-fed to our steadily liquefying brains as it is.

The Problem: Security and Safety

    If you didn't care to click on the embedded link, I'll give you a tl;dr. Ford has patented an infotainment system for their vehicles that is designed to interact with billboards, to bring the advertisement closer to you and give you more information about the product/company. Not only is this annoying, but I think it's easy to see where this could be dangerous. Say you're navigating several lanes of busy traffic and you see a popup on your dash to let you know that Nacho Fries are back. You merge into another vehicle because you were distracted. Now this gets even more complicated: could you, having been distracted by this popup you didn't ask for, really be at fault for the accident? Could this lead to lawsuits? What if you're headed to an important business meeting, relying on GPS for navigation in a town you've never been to, when the popup re-arranges your screen, causing you to miss your exit? There are tons of 'what if' situations that come to mind with this technology and the distractions it could bring. But the problems don't stop there.

Theoretically Compromised

    Here's where it gets worse. Much worse... Say we can figure out how to deface and manipulate the billboard in such a way that your infotainment system opens something other than what was intended. Drivers could be shown graphic content or shady competitors could force their ads into our screens. Depending on how the content is retrieved, malicious files could be downloaded to your device or you could be sent to a malicious site. But wait... There's more. You might be thinking the biggest issue here is that you have to pay Darkside 3-5 Bitcoin to unlock the infotainment system, or you have to get it replaced because it only plays "Never Gonna Give You Up". That's probably the least of your worries.


    Beyond manipulating the image, there are other vectors for attack. There are communication modules referenced by the patent, which "couples to and receives the billboard interface". There are GPS modules in this design as well for multiple purposes. There are obviously databases where information and interfaces will be stored for retrieval. Let your imagination run wild here.

    Most, if not all, electronic components on modern vehicles are connected to the CAN (Controller Area Network) bus. For the technical folks, this thing operates like a hub. For everyone else, everything talks to everything else. Everything can access anything and everything. If someone were to get into your head unit, they're now sitting pretty to listen in on the rest of your vehicle's CAN. They could listen in and record the data that goes through when you apply your brakes, accelerate, and steer. This could then be manipulated and replayed by an attacker, causing you to brake 60-0 in front of a semi they made you cut off, or take a hard left going over a bridge.

Make Your Own Decision

    I'm not going to say any of this stuff would be exactly easy to do. In fact, a large scale implementation would probably be quite difficult to attack as they will probably have security considerations designed with the product (I hope...). But do your own research, see how you feel about this for yourself. I'm not here to tell you how to feel, these are just my thoughts. I'll be honest, I haven't even read the full patent yet (although I am making my way through it). Take a look at this plain white bread, toasted... dry: Ford Patent.




Thanks for reading!


Tuesday, September 22, 2020

WLAN Security 2 - Maintenance and Utilization



Welcome back to KaosSec!


Before we get started, I just wanted to apologize for not having this up when I said I would. Between work, school, being with my son, studying for certifications, and taking part in Trace Labs, I didn't have the time I had hoped. But since we're here now, thank you for reading!


Now, let's take a look at some more things you should consider with your wireless network. Again, this is not an all-inclusive guide. However, this should get you going pretty well until you're ready to take a deeper dive.



Maintenance is of the utmost importance - whether it applies to your network, your body, or your car - if you don't maintain it, all of your hard work has been for nothing.

To start off with, you need to maintain a record of some sort on how many devices there are on your network at any given time. Make sure you know what kind of devices there are - phones, laptops, desktops, IoT devices, etc. Additionally, keep track of WHO is using these devices. If you keep up with this, it will be easier to spot an intruder in the future.

Keep networking and end user devices up to date. We've all been there. No one wants to restart their computer to let an update run its course. But it's a necessary part of tech-life. If you don't keep your devices up to date, you could potentially be leaving a gaping hole for intruders to walk right in. 

Conduct periodic scans in order to detect unauthorized devices, including rogue access points or evil-twins.

Monitor your traffic and devices. Get familiar with Wireshark - take a look at what's happening on your network. Go through any event logs in your antivirus. It wouldn't hurt to have a free SIEM running either.
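The inventory and scanning advice above can be put to work by comparing each scan against the list you maintain. The script below is an added example (not from the original post); the inventory, the scan output format and the scan lines are all constructed, so substitute your AP's client list or a Wireshark/SIEM export for the sample text.

```python
"""Audit a wireless scan against a maintained device inventory.

Added example, not from the original post. KNOWN_APS, KNOWN_CLIENTS
and SCAN are constructed; the scan format is a hypothetical one
("AP <ssid> <bssid> <channel> <security>" / "CLIENT <mac> <bssid>").
"""
from __future__ import annotations

# Inventory: the SSIDs we operate and the BSSIDs that legitimately serve them.
KNOWN_APS: dict[str, set[str]] = {"HomeNet": {"aa:bb:cc:00:00:01"}}
# Inventory: client MAC -> owner/device, so an unknown device stands out.
KNOWN_CLIENTS: dict[str, str] = {
    "11:22:33:44:55:01": "Alice - laptop",
    "11:22:33:44:55:02": "Alice - phone",
    "11:22:33:44:55:03": "Living room TV",
}
# Constructed scan result (mixed-case MAC included on purpose).
SCAN = """\
AP HomeNet aa:bb:cc:00:00:01 6 WPA2
AP HomeNet DE:AD:BE:EF:00:02 11 OPEN
AP Neighbor 00:11:22:33:44:55 1 WPA2
CLIENT 11:22:33:44:55:01 aa:bb:cc:00:00:01
CLIENT 66:77:88:99:aa:bb aa:bb:cc:00:00:01
"""


def norm_mac(mac: str) -> str:
    """Normalise MAC formatting so inventory lookups do not miss on case."""
    return mac.strip().lower().replace("-", ":")


def parse_scan(text: str) -> tuple[list[dict], list[dict]]:
    """Split the scan into access-point records and client records."""
    aps, clients = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "AP" and len(parts) == 5:
            aps.append({"ssid": parts[1], "bssid": norm_mac(parts[2]),
                        "channel": int(parts[3]), "security": parts[4]})
        elif parts[0] == "CLIENT" and len(parts) == 3:
            clients.append({"mac": norm_mac(parts[1]), "bssid": norm_mac(parts[2])})
    return aps, clients


def find_rogue_aps(aps: list[dict], known: dict[str, set[str]]) -> list[str]:
    """An AP advertising one of *our* SSIDs from a BSSID we do not own is an
    evil twin; a downgraded security setting makes it more suspicious."""
    findings = []
    for ap in aps:
        legit = known.get(ap["ssid"])
        if legit is None or ap["bssid"] in legit:
            continue  # not our SSID, or one of our own radios
        note = f"evil twin of '{ap['ssid']}' at {ap['bssid']} (ch {ap['channel']})"
        if ap["security"].upper() in {"OPEN", "WEP", "WPA"}:
            note += f", weaker security: {ap['security']}"
        findings.append(note)
    return findings


def find_unknown_clients(clients: list[dict], known_clients: dict[str, str],
                         known_aps: dict[str, set[str]]) -> list[str]:
    """Clients attached to our APs that are missing from the inventory."""
    our_bssids = set().union(*known_aps.values())
    return [f"unknown client {c['mac']} on {c['bssid']}" for c in clients
            if c["bssid"] in our_bssids and c["mac"] not in known_clients]


def audit(text: str) -> dict[str, list[str]]:
    aps, clients = parse_scan(text)
    return {"rogue_aps": find_rogue_aps(aps, KNOWN_APS),
            "unknown_clients": find_unknown_clients(clients, KNOWN_CLIENTS, KNOWN_APS)}


if __name__ == "__main__":
    for kind, items in audit(SCAN).items():
        print(kind, items)
```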


When utilizing your network, you want to take as many precautions as you can (well, without making the network unusable). If you aren't cautious with how you're using the network you're on, you aren't performing defense-in-depth.

Disable automatic connections. Seriously. If you have automatic connections enabled, you're spraying out your network info any time you're away - as well as any other network you've forgotten to delete.

Utilize a VPN and/or anonymizer on the network. Having your own encrypted tunnel over the network keeps others on that network from reading your data. Utilizing an anonymizer (such as Orbot on Android) will help prevent anyone outside the network from identifying you.


Don't share your credentials. You're most likely to be targeted by someone who knows you personally and is close to you. If this person has your credentials, it's that much easier for them to wreak havoc on your life.

Use a password manager - you should be using unique passwords/passphrases on all of your accounts. You don't want an attacker having access to everything if they get one password. But how are you supposed to remember all of those passwords? You don't. Utilizing a password manager not only keeps you from having to constantly reset your unique passwords, but it also saves time when logging in.

Understand what phishing is and how to recognize it. If an attacker is successful in their phishing attempt, it doesn't matter what technical controls you have in place. They're in. They own you. It's going to be quite the challenge to recover from.

Thank you for reading, please let me know what you think!

All images were sourced from Unsplash, and all metadata has been left intact. Feel free to examine this and thank the author!

Monday, September 7, 2020

WLAN Security 1 - Setup, Configuration, Sharing, and Physical Security

Happy Monday everyone! I hope you've all had a good and safe Labor Day. Today I'm going to talk about WLAN (Wireless Local Area Network) Security. What you're going to read here is not an all-inclusive guide, but it should set you up pretty well. Keep in mind that a lot of this is geared towards home use, but many concepts can be applied to business as well.

Getting Set Up

When worrying about our equipment, most of us at home are just going to use whatever our ISP (Internet Service Provider) provides, but it's not a bad idea to go out and purchase different equipment and give them their stuff back. With this being said, you should always get your equipment from well-known, reputable vendors. Doing this lowers the risk of supply-chain attacks. These larger vendors will also have the resources necessary to provide support for their products as well as provide necessary security patches to their equipment.


You should also consider the age of the device(s) you're purchasing. You typically do not want equipment that has just been released, as this gear will most likely have bugs and security flaws. This isn't exactly a priority for those putting these devices on the shelf; they're more worried about profit up front. Additionally, you most definitely will not want to use anything that's outdated. That 20 year old modem you found for free at a garage sale? Don't even think about it. Legacy devices, systems, and software typically are not supported by vendors. This means that any vulnerabilities and flaws found with them will not be fixed. It's time to move on to bigger and better things. Looking at you, Vladimir Putin (or anyone else still using WinXP).


Now that you have your equipment and you're all plugged in, it's time to begin securely configuring your devices. For starters, change all of the defaults that come on the router. Change the default password used to log in to the router, change the network name, and change the network password/passphrase. For businesses, don't name your wireless network in a way that is indicative of what it's being used for. When you're changing your credentials for the network, be sure to utilize best practices: a passphrase consisting of more than 2 words, lower-case and upper-case letters, numbers, as well as special characters.

Once you've changed all of the default information, it's time to get a little more technical. Or as technical as you can be with a home router's GUI. For starters, disable broadcasting of your SSID (Service Set Identifier). Keep in mind, this is not a security measure; there are still ways an attacker can get your SSID. This is advice I give as it's a step towards defense-in-depth. Next, you'll want to lower the power levels of your signal. You don't want your neighbors being able to have great reception of your network, and you don't want an attacker to come wardriving through your neighborhood and pick up your network from the street. Now you'll need to disable your WPS (Wi-Fi Protected Setup) push button. If you don't want someone who's visiting, or perhaps performing maintenance, on your network, a single button press could undo all of your other precautions. There is also an attack called a pixie-dust attack that relies on this feature.


The last bit of configuration you'll need to check on is your security protocols. For authentication, you're going to want to use WPA2 (Wi-Fi Protected Access) (or WPA3 when it's available). Anything prior to WPA2 is going to be very easy to crack. Next you'll need to disable UPnP (Universal Plug-n-Play). UPnP lets applications inside your network open a way in from the outside (router port forwarding) at any point, without asking you. If malicious software were to find its way onto your systems, you can see how this would be a problem. Lastly, you'll need to protect your management frames wherever possible. To do this you'll need to use a standard called 802.11w. Different vendors will call this different things on their equipment, so just dig around and see what's available.


Something I have heard a few people discuss with differing opinions is whether or not to share your network with others. If you're considering this in your business environment, this might be a more complicated discussion than for home use. However, in either situation, it's perfectly fine to share your wireless network. Here are some things you should do when sharing your network:

1: Create a separate VLAN (Virtual Local Area Network), or use the guest network feature at home, for your guests. This will keep guests from accessing your primary network and any sensitive resources/systems that they shouldn't have access to.

2: Restrict what kind of content your guests can access. You wouldn't want someone downloading pornography on your corporate network, or accessing malicious sites and thus infecting your network. By restricting content you can keep this guest network (as well as your primary) clean and safe.

3: Restrict the protocols that can be utilized. If you allow protocols such as FTP, what's to stop an attacker from transferring malicious files? You should also force secure protocols such as HTTPS so that it is harder for attackers to intercept information.



Physical Security

We're talking about wireless networks here. So you may have done a double take when you read this heading (or the title). But physical security is one of the most important aspects of any secure setup. You should always keep any and all networking equipment either out of reach from someone unauthorized, or in plain view where it would be hard for someone snooping around to go unnoticed. You should also monitor for anyone that may be attempting to wardrive, or go around collecting network information to record and possibly attempt to crack at a later date.

Part 2 Coming Soon...

I hope you've enjoyed reading! Next week I'll be publishing another article covering the rest of the topics you should consider when operating on a secure wireless network. In the meantime, please let me know what you think!!

All images seen here have been sourced from Unsplash. All metadata should be intact if you would like to examine it to thank the creators.

Tuesday, August 4, 2020

HACK THIS SITE! (Basic final)

Hello everyone! Today, I'm going to finish up the "basic" challenges from HTS!


Basic 9

So for this challenge, you have to actually go back to basic 8, as that's where this operates from. Here, we need to use some more SSI, just like we did in basic 8, but this time, we need to use a little directory traversal (and maybe just some common sense). So we know we're in ../../8 right now; what if it's just sequential? Let's give it a try.

Looks like we have a winner! Navigate to that php file, and grab your password!


Basic 10

Don't let this challenge scare you away. You don't need to be a JS whiz in order to complete this. You do, however, need to understand what a cookie is.

To begin with, I'm going to enter something in the password field to see how it handles the input. You can type whatever you'd like, I typed "letmein". Here was the response:

Yeah, we'll see about that... There are a few ways you can handle this, and the easiest (in my opinion) is through a Firefox extension called Cookie Manager. With this, I'm going to edit the properties of the cookies that this site gives when you attempt to authenticate. Notice there was no mention of a password file like the other challenges. So, go ahead and launch Cookie Manager:

You should be greeted with something like this:

See that bit that says "level10_authorized" and the "no" value next to it? You're going to use the edit button at the far right side to change that to a yes.

Once you save this value, go back to the page that told you you're unauthorized, and refresh the page. This will cause the site to query that cookie again, and from here, you should be done!

Basic 11 - End of Basic

We're finally to the end of the basic challenges on Hack This Site! By now you should have some basic familiarity with legacy (or poorly configured) web applications. Let's get started.

Okay, so for starters, when creating a web page, one thing that's hard to protect against is directory traversal. If you have something public facing, someone will find it. Let's check for an index page, at "/index".

That's interesting. Another song title. Let's google it... Elton John? From here, out of curiosity, I added ".php" to the end of "index", and got a password form! Let's give Dirbuster a spin to check for any other directories that may be available. You can use any list you want, most should be fine.

Depending on your list and other settings, you'll eventually get some directories. One of those is "/e". Take a look. Eventually you'll spell out the rest of "elton". From here, some basic knowledge of Apache helps. In Apache, we have the option for a file called ".htaccess", which allows for quick configuration changes. Now let's see if that exists under "/e/l/t/o/n/".
Here, we have "DaAnswer.*" that looks interesting. Add "DaAnswer" to the end of "/e/l/t/o/n/". Don't let it fool you, the password is right in front of your face. They're literally telling you the password.
(password == somewhere)

Go back to 11/index.php and input the password you found (it will probably be different when you do it).

You're all done with the basic challenges, congratulations!! On to bigger and better things!

Friday, July 10, 2020

Tools for Android: WiGLE

Hi! I hope you're having a good weekend. Here's some more wireless and Android for you!

If you've ever started to even think about hacking WiFi, then you may have heard of wardriving and warchalking. If not, you've probably at least thought of the concept before. Warchalking is the practice of identifying wireless networks and marking the area where the signal was found (be it on the side of a building, on the ground, you name it), letting hackers or anyone else know about its existence and whether or not there's any security to it. Wardriving, on the other hand, is driving around and identifying networks with high power antennas, collecting data such as channel, average signal strength, security type, or whether it's an open network. This data can then be used to identify targets.

Today, there's an amazing place called WiGLE. Here, tons of people have gone around, collected information about networks, and uploaded it to a database on the site. You can even host your own local database. Now you may be thinking, how is this allowed? I'll be honest. I don't know all the details or legalities when it comes to the collection of this data. However, I can tell you it does have its ethical uses. I'll give you a scenario. Say you have a known malicious actor, you've successfully exploited their mobile device or laptop, and have a program feeding you some data. Some of that data is MAC addresses of access points or BSSID. As I mentioned before, WiGLE has a database full of wireless networks and information about them. All you have to do is plug in that MAC/BSSID and if it's ever been scanned and uploaded, you'll be able to identify an area your target is located in.

Another idea for you, say you want to identify what channels your neighbors are operating on so you can configure yours to eliminate interference. Or, you want to be proactive and identify which neighbors have weak security on their APs so that you can educate them. Sounds great, right? Well, as the new age saying goes, there's an app for that. So pull out your Android device and download WiGLE from your preferred app store.


As you may already be able to tell, WiGLE has many useful features, and their mobile app is no different. Once you've got it installed, go ahead and launch it. You should see something like this:
Lots of useful information here! First, at the top, notice you have a latitude, longitude, and altitude. Then go down to the networks: the green lock signifies WPA2 is being utilized (it's also stated underneath the hardware name). Under the lock, you'll see signal strength, then the MAC/BSSID, channel, and technologies in use. This app has also been updated in the past few years to identify Bluetooth and BLE signals as well as mobile cell towers!

Alright, now tap the bar menu at the top left, go to settings and sign in/register for an account. Once that's done you can search their database. From here, you can search for all access points with the name "walmart" or anything else you can think of.
From here you can even get a location where the networks are identified, try it out!

You may have also noticed that you can search by BSSID, I've identified a network with the BSSID of 00:13:10:d3:f5:be that is probably trying to trick people into connecting to it. Take a look:
Notice the typo here. Now it could be as simple as that, but I'm going to err on the side of caution and say it's not.

WiGLE's website is also an incredible resource for CTFs! Anyways, I hope you've enjoyed this little review. Be responsible, have fun!

Sunday, July 5, 2020


Welcome back! This time, we're going to go over some more of the basic challenges over on Hack This Site!

Basic 5

This one is basically the same as basic 4: you're gonna take a look at the code for the webpage, and then replace Sam's email with yours. The program is supposed to be more secure through referer validation, but it still isn't secure enough to protect from this simple "hack". So long as you use your HTS email, you should get the password and then see the following upon submission:

Basic 6

Now we start getting into some pretty interesting stuff. Let's play with the field to encrypt a string here. I'm going to use the "encrypted password" and pass it through, just to see what happens.
Look at that! The first character remained the same.. but wait, the 2nd character increased in value by 1.. and the 3rd increased by two?? But what if.. Hm.
Yes, I was right. The first digit remains the same, the 2nd increases by 1, 3rd by 2, 4th by 3, and so on.. (you could also think of it in terms of an array: position 0 = +0, position 1 = +1, etc.). But where are these symbols coming from? They're ASCII characters. You'll use the "char" column in an ASCII chart such as the one below, and move back the right number of positions for that character's index to find the value you're looking for: f to e, 8 to 7, etc..
For my decrypted password, I got "f5166ba5". Note that yours will be different as your encrypted password will be different. From here just submit and move on!

Basic 7
This one is much simpler than it seems. It says that he uses a script, but you basically have direct access to the terminal.. If you're familiar with Unix/Linux, go ahead and give it a whirl. If not, we're just going to give the command a year to process, and then add the "ls" command to it to list the contents of the current directory this "script" is operating in. Take a look:
And oh man, Sam... You messed up bud.
Go ahead and navigate to that php file with your browser and you'll get your password to move on to the next challenge.

Basic 8
SSI.. Server-Side Includes. Having fun yet? If you aren't familiar with SSI, take a look at this article from OWASP.

Let's try a couple of commands using SSI. First, I'm going to take a look at what's in the current directory with "<!--#exec cmd="ls" -->"
Hmmm.. I don't see anything that stands out from this. Let's see what directory we're actually in, we'll do this with "<!--#exec cmd="pwd" -->"
Well.. Looks like we aren't supposed to know where we are.. (although, it does tell you in the URL bar)
Hmmm... Let's just try to see what's in the root directory. We'll do this with "<!--#exec cmd="ls .." -->"
That looks like success to me! Go ahead and navigate to that first .php file and you'll get your password to move on!
That's it for today! I hope you enjoyed it! Next time, keep your eye out for a way on to the Easter egg page.