calderpwn – calderonpale.com

CatSniffer: Swiss Army for IoT RF Hacking

November 1, 2021December 5, 2021 calderpwn Leave a comment

CatSniffer (😼) is an original multiprotocol, and multiband board made for sniffing, communicating, and attacking IoT (Internet of Things) devices. It was designed as a highly portable USB stick that integrates the new chips TI CC1352, Semtech SX1262, and Microchip SAMD21E17.

This board is a swiss army for IoT security researchers, developers, and enthusiasts. The board can be used with different types of software including third-party sniffers such as SmartRF Packet Sniffer, Sniffle, zigbee2mqtt, Z-Stack-firmware, Ubiqua Protocol Analyzer, our custom firmware, or you can even write your own software for your specific needs.

CatSniffer can operate in 3 different frequencies:

LoRa
Sub 1 GHz
2.4 GHz

Protocols

Thread
Zigbee
Bluetooth 5 Low Energy (BLE)
IEEE 802.15.4g
6LoWPAN (IPv6 over Low power Wireless Personal Area Networks)
Sub 1GHz and patented systems
LoRa/LoRaWAN

Nmap Network Exploration and Security Auditing Cookbook (3rd edition)

September 17, 2021December 5, 2021 calderpwn Leave a comment

The third edition of “Nmap: Network Exploration and Security Auditing Cookbook is out today. Most of the things I’ve learned about Nmap in past years are scattered throughout the book. Shares and Amazon reviews are super appreciated 🙂

The Hacker Mind – Ep19

April 21, 2021April 21, 2021 calderpwn Leave a comment

Beau Woods and I participated on the last episode of the podcast The Hacker Mind. We had a great time chatting about IoT security and our latest book Practical IoT Hacking.

Go listen Episode 19 of The Hacker Mind

Practical IoT Hacking – Early access

December 30, 2020December 30, 2020 calderpwn Leave a comment

Practical IoT Hacking with NoStarch Press

After many months of hard work, Practical IoT Hacking is available now through NoStarch’s Early Access program and print copies are scheduled to be released at the beginning of 2021!

I must say that this was a very interesting project with an awesome multidisciplinary team that contributed to make this book a very solid read for anyone wanting to understand concepts and techniques for IoT security.

Finally, I just want to thank everyone. I really hope you all like what we decided to put on this book and please do spread the word among your friends. It really helps 🙂

Official website: https://nostarch.com/practical-iot-hacking

OWASP LATAM TOUR 2020 MX

June 1, 2020September 5, 2020 calderpwn Leave a comment

Nos vamos a modalidad 100% online. Próximamente más noticias.

BLE captures taken with Nordic device not shown correctly on Wireshark?

May 1, 2020September 5, 2020 calderpwn Leave a comment

Go to Preferences -> Protocols -> DLT_USER -> DLT Table and add a new entry for DLT User 10 (DLT=157) with Payload protocol value as “nordic_ble”. This fix also works with captures from other sniffers, simply adjust the Payload protocol value. For example, Ubertooth captures needs DLT=147 set to btle.

Tips for testing OWASP MSTG-STORAGE-5

April 26, 2020September 5, 2020 calderpwn Leave a comment

MSTG-STORAGE-5 states right now:

Overview

When users type in input fields, the software automatically suggests data. This feature can be very useful for messaging apps. However, the keyboard cache may disclose sensitive information when the user selects an input field that takes this type of information.

Static Analysis

In the layout definition of an activity, you can define TextViews that have XML attributes. If the XML attribute android:inputType is given the value textNoSuggestions, the keyboard cache will not be shown when the input field is selected. The user will have to type everything manually.

<code><code><code><EditText
        android:id="@+id/KeyBoardCache"
        android:inputType="textNoSuggestions"/>
</code></code></code>

Source Code Auditing Tip

But… wait. Are you just looking for the string ‘textNoSuggestions’ when doing static analysis? Don’t forget to also look for ‘InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS‘ as the input type can be changed dynamically from an Activity. If you are only looking at the XML attributes of Layouts, you are missing out apps that dynamically change it..

Patch coming

By the time you read this my patch to the official OWASP MSTG repository clarifying how to detect it with static analysis better is probably merged. However, you could have read it here first.

Quick notes about Azure Table Storage Injection in Windows Azure Mobile Services

April 25, 2020September 5, 2020 calderpwn Leave a comment

One beautiful afternoon you come across the popular Azure Table Storage service during an assessment. Shit, a NoSQL service hosted on Azure. It must be secure right?Well, again it is up to the developer’s implementation and unsurprisingly, it is possible to use SQL injection (NoSQL injection?) to extract more data than intended if the developers failed at sanitizing parameters.

How do you identify this service?

Look for apps sending requests to *.azure-mobile.net
Requests sent to /tables/
Requests containing the operators shown next included in the request variable ‘filter’

What operators can you use to extract information?

Extract information from other tables using the following supported comparison operators:

eq (Equal)
gt (GreaterThan)
ge (GreaterThanOrEqual)
lt (LessThan)
le (LessThanOrEqual)
ne (NotEqual)

I hope you find the operators reference useful and remember to stay on the hunt ;).
Reference:

Querying tables and entities: https://docs.microsoft.com/en-us/rest/api/storageservices/querying-tables-and-entities#supported-comparison-operators

Another IoT horror story

April 17, 2020September 5, 2020 calderpwn Leave a comment

Last year a smart water bottle got into my hands, and of course, as a curious person I needed to check how secure it was… Unsurprisingly, it was not.

IoT shit
Stay tuned for the full write-up describing issues found in this product in the BLE implementation, the mobile application and more.

Welcome back

March 30, 2020March 30, 2020 calderpwn Leave a comment

Back to regular updates over here. A bunch of the content seems to have gotten lost in the migration. I’ll check later what happened and try to get it back.