Erethon's corner

Random thoughts of mine

Making a RS-232/UART Adaptor

A couple of months ago I wanted to experiment with the serial console of an old router I had lying around. Not wanting to buy a UART to RS-232 adaptor, I decided to make one myself. After all, I had some spare MAX3232s left over from a previous project (which I still haven’t blogged about).

I just followed the schematic provided in the datasheet, and 15 minutes of soldering later this was the end result.

images

images

Gotta love these cute little perfboards!

I’ve tested it with both a RasPi and the aforementioned router and it works great. I was able to get a serial console on the router using the serial headers on the PCB. The manufacturer had even marked the TX/RX pin holes, so there was no need for me to go serial hunting.

Now I’m waiting for some FTDI FT232RL chips to arrive so I can make a USB adaptor instead of an RS-232 one. I know you can buy one on eBay for 3 bucks, but where is the fun in that?

Octopress Here I Come!

I decided to port my blog to Octopress and move away from WordPress after all these years. The reason for this is twofold:

  • I’ve really gotten used to working with vim, git, github and the surrounding workflow.
  • Static site generators are all the rage currently, so who am I to miss out?

Why Octopress and not something Python-based like Pelican or Nikola? I simply decided to do something that would get me out of my comfort zone and teach me something new. I already know how to use venv; let’s see what RVM has to offer.

Raspi + SDR + ADS-B = Awesome

A lot of people have combined a RasPi and an SDR dongle to get a low-power-consumption ADS-B tracker. Tomasz Miklas has created an image for the Raspberry Pi that has everything needed to run your own aircraft tracking “service” already set up. I’ve finally had a chance to experiment with it, and this is my short review.

First of all, I have to say I’m really sorry to Tomasz, because he sent me the image on the 10th of October to test it out before releasing it publicly and I’m posting this two months later. Sorry mate.

Tomasz has a well written post explaining how the image works, so I’ll skip the details. All tests were performed using a dongle with an R820T chip and the stock omnidirectional antenna. Since I moved recently, I didn’t have time to construct a proper antenna, yet even with such an antenna the results were pretty good.

So, you download the image, dd it to an SD card, plug in your SDR dongle, power it on, point your browser to the IP the RasPi obtained through DHCP and … everything simply works out of the box. At least it did for me.

I was really surprised by how lightweight the whole setup was. After one and a half hours of uptime, with two clients connected to the server and messages being received from two planes, the RasPi reported that it was using only 30 megs of RAM, and the CPU was pinned at 35% the whole time, with 4-5% of that being htop itself. The process using the CPU was of course dump1090, which does all the heavy lifting. Unfortunately, due to the time I tested the image (4 AM) and my location, there weren’t many planes (two simultaneously at most), so I don’t know how dump1090 behaves under a lot of load/traffic.

As mentioned above, I was using the stock antenna that came with the SDR dongle, but I was still able to get a signal from planes that were 72km away on average! In some of my previous tests under Windows and ADSB#, I only got 28km of range. A lot of things have changed since then though, mainly my new house and my antenna placement; or perhaps the old one was a Faraday cage? Either way, for the time being I’ll leave the RasPi running and report further on its performance after a bit of testing.

If you own a RasPi and an SDR dongle, give the image a try. It may not be something you haven’t seen or done already, but it certainly is the easiest way to monitor ADS-B traffic, at least to my knowledge. I know I’ll be keeping a copy of the image on an SD card because it’s so handy.

An Intro to SDR

For the past two months I’ve been reading about SDR and everything related to radio telecommunications. For those who don’t know what SDR is (and are too bored to click the previous link), Software Defined Radio is a system that implements in software the subsystems a typical radio implements in hardware. People have been designing their own SDRs with FPGAs for quite some time now, but in the last year there has been a huge “revolution”: it turns out that a lot of cheap USB digital TV tuners based on the Realtek RTL2832U chip can be tuned over a wide range of frequencies.

For a list of supported devices you can check this page. I’ve bought two devices to experiment with: one is an EzTV 645 using the FC0013 tuner chip, while the other uses the Rafael Micro R820T chip (bought from eBay for about 8 euro). I mainly bought them to experiment with ADS-B and NOAA weather satellites. Due to university assignments I didn’t have time for the latter, but I’ve spent some mornings watching airplanes taking off and landing at a nearby airport. Other interesting things to listen to are ATC, ATIS, pager traffic, car key fobs and anything else within your chip’s tuning range. As mentioned earlier, due to lack of time, so far I’ve only experimented with ADS-B traffic.

I’ve done all my testing on Windows 7 using SDR# and ADSB# in conjunction with Virtual Radar Server. So far, using the stock antenna with both dongles, the one with the R820T is performing way better than the FC0013 one: there is less noise and it’s better at picking up signals from afar. Moreover, it has a better tuning range, although that differs from dongle to dongle and depends more or less on your luck.

I live fairly close to an airport, so I get a good signal from any plane taking off or landing. The maximum range I’ve achieved with the R820T dongle and the stock (omnidirectional) antenna is 28km. I’ve checked the results I get against flightradar24.com and they are spot on. One feature of ADSB# I like is the ability to share your findings with servers that accept ADS-B traffic, e.g. by contributing to flightradar24.com.

I won’t go into more detail at the moment, since I’m tight on time, but for those of you who are interested in getting an SDR-capable dongle, do some research first. Not all dongles have what is called an ESD protection diode. As its name implies, it’s a diode (a passive component allowing current to flow in one direction only, like a check valve) that protects against electrostatic discharge. A lot of people have “fried” their dongles because they didn’t have said diodes: with the antenna left outside, the wind can build up static charge on the antenna and fry the chip inside the dongle. Both of my dongles came with those diodes, but if you plan on buying one, read some comments first or, if buying from eBay, ask the seller for a picture of the dongle. The diodes are the little black things I’ve circled in red near the antenna connector.

For those of you who want more info on ADS-B, I suggest watching this amazing talk by Render Man (http://www.renderlab.net).

images

images

images

My Kippo Findings After Three Months

Three months ago I installed Kippo on a low-end VPS of mine. About a month after that, I got bored of manually checking Kippo every day, so I made a small script to automate the process. Fast forward another two months and here we are.

In three months’ time, I had 122,487 brute-force attempts from 339 different IPs. Of those attempts, 130 succeeded in guessing the correct password(s). I had set up Kippo to accept two different easy-to-guess passwords for the root account. People interacted with the honeypot (as in logged in and tried to download files, etc.) in only 16 of those 130 sessions. The rest were just bots logging in and logging out.

The first command every attacker runs after logging in is w, followed by cat /proc/cpuinfo. Ten out of the sixteen attackers logged out after seeing the results of /proc/cpuinfo. I guess people know about Kippo and recognize it by its /proc/cpuinfo. After noticing that, I changed mine, something I suggest everyone do, as Kippo by default is easily identified. There were a few hits where people thought it was an actual server and not a honeypot and tried downloading some of their tools. I disabled wget but made it look like it was there, so it was funny seeing them trying to figure out why they couldn’t download their files.

Unfortunately, I haven’t come across any new web shells, only some IRC bots, so nothing interesting to post about there.

Of the 122,487 attempts mentioned above, I’ve gathered 30,048 unique passwords (around 29,500 if you don’t count extra whitespace) and 8,525 usernames. I ran both lists, passwords and usernames, against pipal. By far the most used username is root (49.12%), followed by test (0.8%).

For more details on both of the reports check my Kippo findings page.
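As an added example (not the author’s script), here is how the figures above can be computed from Kippo’s own log: the login-attempt lines below are constructed in the format of Kippo’s kippo.log, not real captures, and the IPs are documentation addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the format of Kippo's kippo.log (not real captures).
SAMPLE_LOG = """\
2013-10-15 04:12:01+0300 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/123456] failed
2013-10-15 04:12:03+0300 [SSHService ssh-userauth on HoneyPotTransport,1,198.51.100.7] login attempt [root/password] succeeded
2013-10-15 04:13:10+0300 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [test/test] failed
2013-10-15 04:13:11+0300 [SSHService ssh-userauth on HoneyPotTransport,2,203.0.113.9] login attempt [root/toor] failed
2013-10-15 04:14:00+0300 [SSHService ssh-userauth on HoneyPotTransport,3,198.51.100.7] login attempt [root/123456 ] failed
2013-10-15 04:15:42+0300 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.33] login attempt [admin/admin] failed
2013-10-15 04:15:44+0300 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.33] login attempt [root/password] succeeded
"""

LINE_RE = re.compile(
    r"^\S+ \S+ \[SSHService ssh-userauth on HoneyPotTransport,\d+,(?P<ip>[\d.]+)\] "
    r"login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>failed|succeeded)$"
)

def summarize(log_text):
    """Compute the figures the post reports: attempts, distinct source IPs, successful
    logins, unique usernames/passwords (raw and whitespace-stripped) and top usernames."""
    attempts, successes = 0, 0
    ips, passwords, stripped = set(), set(), set()
    users = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other Kippo events (commands typed, downloads) are ignored here
        attempts += 1
        ips.add(m["ip"])
        users[m["user"]] += 1
        passwords.add(m["pw"])
        stripped.add(m["pw"].strip())
        if m["result"] == "succeeded":
            successes += 1
    # username share as a percentage of all attempts, like pipal's output
    top = [(u, round(100.0 * n / attempts, 2)) for u, n in users.most_common(3)]
    return {"attempts": attempts, "unique_ips": len(ips), "successes": successes,
            "unique_usernames": len(users), "unique_passwords": len(passwords),
            "unique_passwords_stripped": len(stripped), "top_usernames": top}
```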

Making an Ugly Ethernet Tap

A long time ago, I saw this in the Hak5 store. After reading about it on mossmann’s blog, I found it somewhat interesting that using this easily built device you can HACK THE PLANET.

An Ethernet tap is a passive device used to monitor traffic between two hosts from a third one. For more info on network taps read here.

The idea behind it is very simple, but in order to understand it we must first understand how data is transmitted through the Ethernet cable. The Ethernet cable, commonly called Cat 5, contains four twisted pairs of wires. 100BASE-TX (Fast Ethernet) only uses two of these pairs, one for transmitting data (TX) and one for receiving (RX). So, in order to intercept the data sent by one of the hosts, we just need to connect that host’s TX pair to our RX pair. Likewise, to intercept data coming in to the host, we need to connect the host’s RX pair to our RX pair.

Note that we can’t connect both the host’s TX and RX to the same RX pair, since Fast Ethernet is full duplex. To overcome this we need two taps, one for the received data and one for the transmitted.

(For more details on how to make one, read these two posts: #1, #2)

After a bit of soldering, this is what I ended up with.

images

images

The two ports near the euro coin are to be connected to the PC and the router, while the other two ports are for intercepting the traffic. As stated previously, one is for the transmitted data and the other for the received. To use them both at once, you need either a PC with two network cards or a USB Ethernet adapter.

Arp Spoofing With Python

I decided to reinvent the wheel by writing an ARP spoofer in Python using raw packets, thinking it would be good practice.

What are ARP, ARP spoofing/poisoning and the ARP cache? How do they work and why should we care? Since all of these things have been written about and explained before, better than I could explain them, here you go.

You can find the script here. It’s more of a proof of concept than a fully working program, since I haven’t really tested it on more than two computers, so I don’t know for sure whether it’ll work. Its purpose is purely instructional. The script is licensed under the MIT license, so you are free to change/modify it to your heart’s content.
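As an added, defender-side example that is not part of the original post or its script: a Python parser for raw Ethernet/ARP frames and a small watcher that flags the symptom an ARP spoofer produces, one IP address answered for by two different MACs. The frames are constructed in memory for the test only (nothing is sent on the wire), and the MAC and IP values are made up.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REPLY = 0x0806, 2

def parse_arp(frame):
    """Return (oper, sender_mac, sender_ip, target_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 ARP only
        return None
    return oper, sha.hex(":"), str(IPv4Address(spa)), str(IPv4Address(tpa))

class ArpWatch:
    """Remember the first MAC seen for each IP and flag any later ARP reply that
    claims a different one, the basic symptom of a poisoned ARP cache."""
    def __init__(self):
        self.table = {}   # ip -> mac as first learned
    def feed(self, frame):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:   # only replies update caches
            return None
        _oper, mac, ip, _target = parsed
        known = self.table.setdefault(ip, mac)
        if known != mac:
            return f"ARP conflict: {ip} was {known}, now claimed by {mac}"
        return None

def build_arp(oper, sha, spa, tha, tpa):
    """Assemble a constructed test frame in memory (nothing is sent on the wire)."""
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, oper, sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)
    return ETH_HDR.pack(tha, sha, ETHERTYPE_ARP) + arp

# Constructed frames: the gateway 192.168.1.1 answers from aa:aa:aa:aa:aa:01, then a
# different station answers for the same IP, which the watcher flags.
GATEWAY_MAC, HOST_MAC, ROGUE_MAC = (bytes.fromhex(h) for h in ("aaaaaaaaaa01", "aaaaaaaaaa02", "deadbeef0003"))
FRAMES = [
    build_arp(1, HOST_MAC, "192.168.1.10", b"\xff" * 6, "192.168.1.1"),   # broadcast request, ignored
    build_arp(2, GATEWAY_MAC, "192.168.1.1", HOST_MAC, "192.168.1.10"),  # genuine reply
    build_arp(2, ROGUE_MAC, "192.168.1.1", HOST_MAC, "192.168.1.10"),    # conflicting reply
]

def run(frames=FRAMES):
    watcher = ArpWatch()
    return [watcher.feed(f) for f in frames]
```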