
Just about time, so why don't we go ahead and get started. Our last speaker of the day for the blue track is Mr. Jeff Murray. I've known Jeff for many years now. Jeff, when we first met it was probably, you know, four or five years ago, CSRA Hackers? Yeah, actually I think Atlanta, maybe. I think right around then. So Jeff's a very sharp guy. He's into a whole bunch of things; I think his Twitter feed used to say something like "into infosec, all of it," so he's into offense, defense, hacking, anything you can name. He's a very interesting guy, he's got a lot of cool research going on, and he's going to present some of that today. So here to present "Is That Hardware in Your Toolkit?", Mr. Jeff Murray. Please join me in welcoming him.
Thanks, Ken. How is everybody doing? Okay. Yeah, you're here. Since I can find them, I brought about 20 FaceDancer boards. If you want to actually solder up your own, you can do that. I'm actually going to suggest to Doug... did you run out already? Okay, there you go. I will forewarn you that, you know, we live in the allergy capital of the world and I'm somewhat like this on the allergy meds right now. But I think we should actually try and have a hardware hacking village next year. Sorry, I'm all over it.

So I sent a tweet out, and yeah, it's funny, my pug has more Twitter followers than me. If you go out and you follow Kill the Pug, he's got like 4,000-and-something followers; I have like maybe 50 or something. But I sent a tweet out basically about a year and a half ago that said that if you are not integrating hardware into both your red teaming and blue teaming, in a year or two you're gonna be behind, and that's basically kind of the focus of this talk. I tried to come up with some kind of humorous thing, "Is That a Dongle in Your Pocket?" or... and then decided, okay, well, I don't know the target audience very well, so let your mind wander with jokes.

As you can see I am an amateur radio operator, KK4ETK. If you are not into amateur radio and you picture amateur radio folks as people 400 pounds in there doing Morse code, you are sorely mistaken as far as where it is right now. And then there I am on Twitter. Standard disclaimer: in no way, shape or form am I speaking for any previous or current employer. That's it. When we get into the SDR piece, there are things that you could go out and listen to on the airwaves that are illegal, things like listening in on your neighbor's cell or cordless phone, things like that. Yeah, that's kind of shaky these days, I think, so I say shaky because it's up to you; look it up. The baby monitor that's on next door, that's your thing.

So what I want to do is actually chat about some hardware, specifically software-defined radios; some hardware exploitation, specifically things like using the GoodFET to go in and actually do JTAG enumeration and try and hack, or let's just say improve, your wireless access, or improve your Android phone; CAN bus, because everybody needs to tweak their ride, or if you're like me, I go in about once every couple of weeks, my check engine light comes on. So I went in and I asked the guy, like, "Okay, what the hell's going on with the light?" And he's like, "Well, it's an oxygen sensor." I'm like, "Do we need that?" "Well, you've got four." I'm like, "Do I need it? How much is it gonna cost me?" "It's about 150, 200 bucks to fix." "Okay, I don't need it." So how I take advantage of the CAN bus is I go and I shut my check engine light off every two weeks, and I read the codes to make sure that it's not something catastrophic where my car is about ready to, you know, bite the dust.

We're gonna need some other stuff as far as some USB hacking. Can I have the FaceDancer boards? I don't know what I just did with them. I brought lots and lots of treats to Vanna White as far as different tools that I use. Here's the FaceDancer boards. What I have learned just about USB, and this totally gets out of the hacking realm, is the fact that USB disk access is actually using SCSI on the back end. I mean, how old is SCSI? I'm old enough to know that you had to actually have SCSI device 0, 1, 2, 3, 4, and the card had to be zero. I see some heads nodding there. Yeah, that's how USB is talking in the back end of your phone, right? Bonus feature: if we have time, we're gonna get into some of these new, cool, little itty-bitty Unix computers. One was given away earlier, the Raspberry Pi; the BeagleBone Black. But this is the goal, and this was the premise of the talk: I'm cheap. I want a limited budget, and that's not my wife, but my wife does say that I have to account for my hobby, so I like to stay below 50 bucks on this stuff.

So let's start with software-defined radio: RTL-SDR. Any of you watch the Hak5 podcast videos? They've been doing a great, great job on that, RTL-SDR. And actually, if we have time, I'm gonna plug this guy in and do it. This guy right here you can get for nine bucks on eBay: software-defined radio. Specifically I recommend the NooElec RTL2832U chip. Essentially what this is, is in Europe they came up with these dongles to watch their version of digital TV, so an enterprising gentleman kind of was digging around going, "Wow, you know, really we're just listening to radio, right? It's all RF." So he actually came up with this whole RTL-SDR concept, where this guy is a software-defined radio. He's got everything hardware-wise that you need, other than an antenna, to listen to radios, listen to anything going over the airwaves. Specifically, what you get is this guy, and you get this little crab antenna, which ain't gonna do much for you. Mine, unfortunately... you know, I don't like magnets in my laptop bag, so they pulled mine off. But this plugs into here, that goes into there, you download SDR# or one of the other applications we're going to go into, and from 30 MHz up to about 1.6 GHz, you're on the air. Now, it's receive only, but the cool thing is that, I'm standing here, for nine bucks on eBay. It's a beautiful thing.

I will be posting all these with a ton of links. One of the things I hate about watching some talks, and I loved about the last talk, was that, okay, you know, there's 40 minutes of this and then kind of the last 10 minutes is the big thing, "this is what we did," and that's it. So I have about 15 backup slides that I will be posting with more links, IRC links, things like that. But specifically this site here goes into everything you would ever want to know about these dongles, and there's a ton of them out there. Specifically these guys, the rtl-sdr.com site, go into what to actually look for as far as the chipset, installing software, different software. They have a blog that they update two, three times a day sometimes. It's great stuff.

Other notables, again, they violate the $49 spending limit, is the FUNcube Dongle Pro+. The cool thing about this guy, for a ham radio guy like me: I like to go below 30 MHz. I like the HF/VHF spectrum. I like going out and, you know, trying to see if I can decode that STANAG stuff where the Russian ships are talking to whoever, or the old RTTY stuff. That stuff's still around; a lot of that is still out there, but it's HF. So the RTL-SDR, this guy, really doesn't go much below 30 MHz. The FUNcube Dongle Pro+ goes 240 kHz, let's see, 150 kHz up to 1.9 GHz. The issue is there's a gap because of the chip that he used, but it's £124, £125, so when I was doing these slides last week that was right around 200 bucks. But you get pretty good range there.

Who has not heard of the HackRF at this point? Okay, good. Michael Ossmann is a stud. When I grow up I want to be Mike Ossmann. I mean, he is awesome, just in general, just to take what he's done as far as knowledge and in a short amount of time turned into the RF stud that he is and the hardware stud that he is. It's amazing. So he's got the HackRF One. It's actually shipping now. Now, the thing is, the base model is $299, but then you've got other accessories that you'll add, one of them being an upconverter, because he does not go down below 10 MHz. So if you want to go down below 10 MHz, you'll buy what's called an upconverter. Same thing with the RTL-SDR dongle: you can buy an upconverter that will get you access pretty much down to, you know, two, three kilohertz. The HackRF site, that's where he's selling his stuff now. His blog has a ton of information. A very cool thing about the HackRF and about Mike Ossmann in general, yes, I'm a fanboy, is that it's all open source. If you want to, you could build your own. I'm aware of one person building one. It's all those SMD parts, the little itty-bitty things that you really can barely see with the naked eye, so I would personally not recommend it, but it is what it is.

Okay, the USRP: 70 MHz to 6 GHz. The cool thing about the USRP is that the bandwidth is huge, so you're listening to a huge amount of bandwidth. I'm trying to remember, I think it's 120 MHz of bandwidth at a time. So if you think about that, what's FM now? It's 80 to 108 roughly, megahertz. So you're listening to more than the FM band. It's all right there on your screen; you just bring it all in. Ettus.com, these guys were really the ones that, kind of outside of the military, kicked off the whole software-defined radio business, or paradigm, I think, if you want to call it that. But it's expensive. I mean, it is expensive.

As far as applications go, yeah, I go both ways. I'm a Windows guy, I'm a Linux guy. I'm not a Mac guy, because again I'm a budget-minded person; I'm not... and can't afford a Mac like a lot of you guys. But on Windows, SDR#, which is the one that I use, it's free. So you go out and you buy yourself a $20 dongle, download SDR#, and you're up and running. It has a crap-ton of plugins for it. There's a scanner plugin, there's a plugin to decode ADS-B traffic, so you have your own little air traffic control set up where you can actually listen to the transponders from the airplanes as they fly across the sky. I'm trying to think... there's a ton of plugins. Getting back to here, these guys are pretty much the authority on all those different plugins. Any of the new plugins that come out, they will blog about them, and at last count there were over 20 different plugins. Everything from a scanner plugin, so just like the old scanners, or they're still around, where you want to scan from 100 MHz to 800 MHz and anything that breaks the squelch basically has something there you want to know about; just record it, kind of like doing an RF version of a war dial. There's a plugin for that for SDR#. It was open source, and then what happened is a lot of people started ripping off his code and putting them up and wrapping it into applications, for real now, let's just say a crappy Kickstarter project. So now it's closed source, but it's got a really great API, so you can write your own plugin. He's got plugin source code out there; you can just go crazy.

HDSDR. A lot of people actually prefer the interface on HDSDR, and if we have time, and I think we're going to because we're going pretty quick, we'll bring up SDR#. But it has hooks into a lot of the amateur radio transmission apps, so you can listen via HDSDR, via your little $20 dongle, and then have a transmit-only radio, and HDSDR will actually handle all that, the mic inputs and everything, for you. So essentially, other than the transmission piece and the receive hardware, everything else is being handled in software. That's really the key thing about software-defined radio: all we're really doing is we're just acquiring that signal, and all that signal processing and everything is all happening via software. With the speed of computers being the way they are, we can do that.

I'm doing that with my little Raspberry Pi. He kind of took a header this morning, so he's looking kind of rough, but this guy was up in my attic for a while. He has a dongle plugged in, and as part of the rtl-sdr suite it will actually stream the data across the network, seeing how this guy is way up, away from all the RF, all the, you know, static, or just all the EMF and all that, and then transmit that right down your network. So one cool thing about HDSDR, though somebody hasn't written a plugin for it yet, is scheduling a recording. So you could almost have kind of like your own SDR DVR. If there's particular... you know, I listen to certain programs on NPR and most of them have the podcast, but in particular some of them don't. So I have a little Raspberry Pi at home and it's streaming over; HDSDR wakes up every once in a while and listens and records the WAV file so I can listen to it later. So I'm making my own podcast. It's not an internet stream; it's coming over the airwaves. Try either app; they're both free, whichever one you prefer.

Again, I'm going to buzz through this. I think we'll actually maybe have time. The key thing I want to point out is that other than the FUNcube Dongle Pro+, the RTL2832U dongles show up just as they are; they show up as TV tuners. Well, we don't want them to be a TV tuner; we want them to be an RTL-SDR dongle, but then an application like SDR# can then turn around and actually decode the information coming in. So an application called Zadig actually allows you to go in and say, "Hey, nope, you're not a TV tuner anymore, you are a USB device," and then from there SDR# can pick it up and you can go from there. With Linux, I haven't really had any issues with the dongles. Again, my Raspberry Pi loves the dongle. There was a joke there, and I said it and I didn't even realize it. Not okay. Good.

GNU Radio. It is a beast. It is a beast, but it gets you the closest to the hardware. Getting down to the Ettus and stuff, yeah, that's in the thousands of dollars. Have a good day. The thing is, GNU Radio allows you to write specific blocks that do specific things, so essentially, just like if you were to solder up your own radio, that's what these GNU Radio blocks are. It supports pretty much everything. Anything that you possibly can do in the RF world you could do in GNU Radio. Again, this is just the software side, so we've already received it with our dongle and/or some type of software-defined radio hardware. The thing is, it's got a hell of a steep learning curve. I bring it up all the time and I will sit there and play with it for a little while, and then my brain starts kind of hurting a lot and my ears start leaking, and I'm like, I fire up SDR# on the Windows box and I'm cooking. But Michael Ossmann, if you were here during that, has some superb SDR tutorials that he's coming out with as part of the Kickstarter that he did for HackRF. He promised one of the stretch goals was to come up with a bunch of SDR tutorials, and he's using GNU Radio. Balint, an Australian guy that was the first one to basically map his whole entire airspace and publish it to the internet with software-defined radio, he actually works for Ettus now. So again, their devices are thousands of dollars, but they use GNU Radio for the software, so the cool thing is he wrote a bunch of tutorials. So between him and Ossmann they're really making GNU Radio accessible. But again, for the casual user, GNU Radio, again, it's kind of a beast. It does more than I think most people need it to do. Linux and Mac, oh, by the way, Linux and Mac, so I know some of you guys are Linux and Mac; I kind of glossed over that. These are Windows only. GNU Radio kind of runs on Windows, pretty crappy.

You have the raw rtl-sdr software itself, the original tools that the Osmocom guys came up with, and again, huge props to them. I'm using rtl_tcp to actually stream the data from my Raspberry Pi so that I can receive it on my little Windows box and on my little phone. They have a wiki out there, and even better is Hak5 has been doing quite a few RTL-SDR videos now, and in particular episode 1703, that was a couple of weeks ago, they actually went into some of these command line tools. The cool thing, though, is a gentleman wrote Gqrx, which is actually a GUI front end that kind of rides on top of GNU Radio. It looks just like SDR#, HDSDR, a lot of the other software tools. It's very easy to use.
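As an added illustration of what rtl_tcp is putting on the wire when the Pi streams samples to SDR#, here is a small client-side helper in Python (example code written for this transcript, not Jeff's code and not part of the rtl-sdr project). It assumes rtl_tcp's framing: a 12-byte greeting of `RTL0` plus tuner type and gain count as big-endian 32-bit integers, then interleaved unsigned 8-bit I/Q samples, with 5-byte client commands (one command byte and a big-endian 32-bit parameter); the I/Q input used at the bottom is constructed, not captured off the air.

```python
import cmath
import math
import struct

# rtl_tcp greeting: "RTL0", tuner type, tuner gain count (all big-endian).
GREETING_FMT = ">4sII"
GREETING_LEN = struct.calcsize(GREETING_FMT)  # 12 bytes
MAGIC = b"RTL0"

# Command bytes rtl_tcp's server loop switches on (from rtl_tcp.c).
CMD_SET_FREQUENCY = 0x01
CMD_SET_SAMPLERATE = 0x02
CMD_SET_GAINMODE = 0x03
CMD_SET_GAIN = 0x04

# librtlsdr tuner enumeration order, used to name the tuner in the greeting.
TUNER_NAMES = ["UNKNOWN", "E4000", "FC0012", "FC0013", "FC2580", "R820T", "R828D"]


def parse_greeting(data):
    """Validate and decode the 12-byte header rtl_tcp sends on connect.

    Anything that does not start with RTL0 is not an rtl_tcp server, so the
    client refuses to treat the rest of the stream as samples.
    """
    if len(data) < GREETING_LEN:
        raise ValueError("short greeting: need %d bytes" % GREETING_LEN)
    magic, tuner, gain_count = struct.unpack(GREETING_FMT, data[:GREETING_LEN])
    if magic != MAGIC:
        raise ValueError("not an rtl_tcp server (magic %r)" % magic)
    name = TUNER_NAMES[tuner] if tuner < len(TUNER_NAMES) else "UNKNOWN"
    return {"tuner": name, "gain_count": gain_count}


def build_command(cmd, param):
    """Encode one client->server command: 1 command byte + uint32 big-endian."""
    if not 0 <= param <= 0xFFFFFFFF:
        raise ValueError("parameter does not fit in 32 bits")
    return struct.pack(">BI", cmd, param)


def iq_bytes_to_complex(buf):
    """Turn the raw uint8 I,Q,I,Q... stream into complex samples in [-1, 1]."""
    if len(buf) % 2:
        buf = buf[:-1]  # drop a half-sample left over at a chunk boundary
    return [complex((buf[k] - 127.5) / 127.5, (buf[k + 1] - 127.5) / 127.5)
            for k in range(0, len(buf), 2)]


def fm_discriminate(samples):
    """Quadrature FM demodulation: the phase step between consecutive samples.

    The output is proportional to the instantaneous frequency offset from the
    tuned centre, which is what SDR#'s FM modes turn into audio.
    """
    return [cmath.phase(samples[k] * samples[k - 1].conjugate())
            for k in range(1, len(samples))]


def estimate_offset_hz(buf, sample_rate):
    """Average discriminator output converted back to hertz."""
    steps = fm_discriminate(iq_bytes_to_complex(buf))
    return sum(steps) / len(steps) * sample_rate / (2 * math.pi)


def synth_carrier_iq(offset_hz, sample_rate, n):
    """Constructed test input: an unmodulated carrier offset_hz from centre,
    quantised the way the dongle delivers it (uint8 I/Q pairs)."""
    out = bytearray()
    for k in range(n):
        ph = 2 * math.pi * offset_hz * k / sample_rate
        for v in (math.cos(ph), math.sin(ph)):
            out.append(max(0, min(255, int(round(127.5 + 127.5 * v)))))
    return bytes(out)


if __name__ == "__main__":
    hdr = struct.pack(GREETING_FMT, MAGIC, 5, 29)  # constructed R820T greeting
    print(parse_greeting(hdr))
    print(build_command(CMD_SET_FREQUENCY, 100_300_000).hex())
    iq = synth_carrier_iq(50_000, 1_000_000, 4096)
    print("carrier offset ~ %.0f Hz" % estimate_offset_hz(iq, 1_000_000))
```

rtl_tcp does not authenticate clients, so on the Pi bind it to an interface that only the receiving machine can reach rather than to every address.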
Okay, kind of done with software-defined radio, because really this is hardware in general. How many of you have heard of the Ubertooth? Okay. Bluetooth hacking, again, Michael Ossmann. Yeah, the thing is, there are a lot of hardware tools out there that allow you to sniff Bluetooth, but you are pretty much going to sell your firstborn into white slavery to be able to afford the damn things. And so then Michael Ossmann came out with the Ubertooth, and it works. It works great. The software side is under continuous development now. A lot of the Bluetooth Low... I'm gonna screw this up... Bluetooth Low Energy, they're writing a lot of software support for that now too. So, you know, you got the Bluetooth in your sneakers as you run down the road; you can actually see that with your Ubertooth now. Great Scott Gadgets is Mike's site, and it's $119. I'd buy it from the Hak5 store; they're about the cheapest, plus I think they kind of deserve your money.

Okay, hardware exploration. So, Travis Goodspeed. When I grow up, if I can't be Michael Ossmann, I wanna be Travis Goodspeed. How many of you have seen Travis Goodspeed, or at least a video? Go out and watch Travis Goodspeed on YouTube, and I realize this is going to be posted on the internet, so I hope he sees this. Dude has hair. He's got dreads clear down to the top of the crack of his hiney and they are amazing, and they don't seem to ever change. They're like these huge red ropes. Travis, good dude. The GoodFET is... now we're switching gears. If I need to hack into a hardware device using something like JTAG, or I need to talk via I²C, anything like that, the GoodFET allows me to do that. It's just a USB dongle, very flexible. You can get PCBs from Travis, or, this is what I would suggest you do, because I built two and the third one I bought from Adafruit for $49.95, the reason being my soldering of SMD parts, the little itty-bitty parts, is not really what it should be. And so Adafruit, Limor does a great job with Adafruit; you can buy it from there.

On the CAN bus side, we have the CAN-BUS Shield from SparkFun. I should actually be breaking out some of these and Vanna White-ing for you. Bear with me. Okay, this is my little CAN-BUS shield that I used to turn the check engine light off on my car. Okay, so it does sit on top of an Arduino, but all the code and everything, it is at skpang.co.uk, etc. Again, I'll be publishing these. This guy's $39.95; you get a $10 Arduino off of eBay, and then the cable is about nine bucks from SparkFun. It's the OBD-II, you know, right underneath your dash; it comes right into this guy, and then you're viewing it on an LCD. You can also connect directly in via right here and hit the thing via your laptop, or you can turn around and actually write all the data to an SD card right here. They are continuously upgrading and updating these sketches. And there is the GoodThopter also, which is actually built off the GoodFET that Travis did. I soldered one up and didn't find it as easy to use, and the software wasn't there. The Arduino is just easy to use.

How many of you have seen or used an Arduino? Okay, this isn't part of it, I didn't have a slide on this, but this is an Arduino. This is where probably 90% of the makers have gotten their introduction to hardware. This guy is anywhere from nine dollars to about 30, depending on whether you buy the official one or you buy one off eBay. Five volts, or off of USB, and then you can plug this guy in, and with about three lines of code, once you download the IDE, which is free, you know, this little LED blinking. But from there I actually built a little shield that sits on top of this that does a Morse code transmission. Again, I'm a legal amateur radio operator, and it's just a beacon; it just says my call sign out. The whole thing took maybe a weekend, and I'm not that great at hardware, and I'm not the PhD stud. But these guys here are very cheap. This is what everybody was using, really, until the Raspberry Pis came out.

Once the Raspberry Pis came out... how many of you have heard of the Raspberry Pi? Okay, maybe you have a B+. So how many of you are going to, or have, run into issues with the B and went to the B+ instead? Okay. The big thing with the B+ is that it gives you more USB ports. The bad thing is the composite video went away, so the cool little screen that I have doesn't work with it anymore. You know, it's not the RCA-type jack anymore. Yeah, there's a way of doing that; the audio jack does both, but I'm not quite sure what cable you need to make that work. Yeah, from what I've seen there's a special cable and it does both now, where before it was separate, so they saved some space. But the cool thing about the Raspberry Pi is that Adafruit just came out with plans and everything where you've got a touch TFT display, and then you're using the Raspberry Pi camera and you're making your own camera; you're writing everything to the SD card. The cool thing about the Raspberry Pi also is that it does boot off an SD card. I've got four different SD cards. I've got Kali that boots off one, I've got Arch Linux on one, I've got a special amateur radio distribution that I'm running on the other, and I've got others in various stages of disrepair that I'm working on from time to time. But it boots off an SD card, and it's good stuff.

So as far as the Arduino compared to the Raspberry Pi, if you're a Linux person, just spend the money, get a Raspberry Pi. Again, it qualifies; it's under $49. The thing that I ran into with the Raspberry Pi is that timing, just doing time-sensitive... how do I put this? The way it deals with time, and you're going to put these up on the internet when they get posted, but, is different, and how you do some of the... it's different. Let's just say that. I'm trying to be careful, because I should have said no, don't put these up.

FaceDancer. Okay, this thing's awesome. Built off the GoodFET. Here's mine right here. The cool thing about it is it allows USB devices to be emulated in Python. How many of you have heard of the FaceDancer before? No way. Oh, this is awesome. Okay, so essentially what you've got is you've got the target and you've got the host, or essentially the victim. So what this allows you to do is it allows you to write USB endpoints in Python. For example, just a quick demo that I was prepared to do, I brought my switch and everything but I don't think we'll have time for it, is actually mounting an ISO file as a USB thumb drive, and again, watching that actual SCSI traffic going back and forth; taking certain devices that normally you would plug in via USB and actually having this guy in the middle, so if the firmware is encrypted, for instance, or they're doing something funny, you're actually seeing the raw data stream coming across this guy. So this guy's sole purpose in life is essentially to provide a way for you to write a USB device in Python. The cool thing about it too is, and how many of you are Python developers? Okay. Some people were kind of pissy because Travis and a couple of other folks rewrote everything into Python 3 classes, but the classes are out there, and again, I love this thing. If you go back and you look at my Twitter feed, I just have been having a hell of a time, kind of fun. The thing is, the native tools that Travis came up with... a guy named Andy Davis, there's actually a DEF CON talk on it and a Black Hat Asia talk on it, he wrote a tool called umap that actually makes the FaceDancer even easier to use, and so I would encourage you to go out and look at that. And then Brad's got a GitHub repo out there where he's got some scripts that help with some of the data that you can capture via the FaceDancer and iterate it out, and it does a very nice job. So when I was digging around trying to figure out the FaceDancer to begin with, I did have some problems finding some examples, so the Google eventually did start coming up with some good links and things like that. Here's some very good ones here. You can build it for $49 or you can buy the FaceDancer for $149. Again, I'll give you the board or the parts. The parts are actually the link off of this site here; for the parts, you can build your own.
Okay, so I was prepared to actually then get in and start talking about the Raspberry Pi, BeagleBone, all these other little mini computers, but if you want, we can see if my SDR demo works. Okay, so again, 20 bucks. Plug this guy in. I couldn't even get a signal in here, so we'll see how this goes.

Again, SDR# is free, so what you can see here is a bunch of the different modes. We've got narrow FM, AM, lower sideband, upper sideband; you want to just get the raw data stream, you can do that; CW, or Morse code. Let's just go ahead and click play. Let's see what we can pick up in here. Like, what we're looking for... I don't know if you can hear that, but Pat Benatar, "Hit Me with Your Best Shot." This is off the crappy antenna, so... I have one that I listen to shortwave on, but if you look at this, what we've got is this waterfall here, and you can actually see the FM modulation, and so you can see you've got two different views there. And let's see what we can kind of find real quick. Depending on the radio station, it will actually decode the... if you've got one of the fans here... If I hold this up just a certain way, you know...

[music]

Hey, just saying. Just imagine if I... what if I hadn't tanked up on all that... again, I couldn't talk earlier. We're not going to be able to pick up a lot, but if you've got the stereo, they give you the... there we go. We can adjust the contrast if we want to try and make things stand out a little bit more. And a lot of them will display, just like your stereo will display, the current artist and things like that. In some cities you'll actually get traffic reports, things like that, just decoding that same signal. In the backup slides... I'm gonna try her last name... she has decoded a lot of that and figured out the encoding behind it. But I'm told I've got five minutes, so again, yeah, I'm not putting you on the spot, but we'll do a hardware hacking village next year. But in the five minutes that I have, any questions? And yes, I'll put that number there.

I've been trying to research: is there a better antenna alternative for us? Yep.
And actually one of the things that you're going to end up with is, don't forget, if you go out to buy an adapter, there will be a link for that, but this essentially takes the connector from one of the dongles and converts it to SMA, which is, you know, standard for pretty much anything. And that's pretty much what you want to do, because from there, the one that's sitting there hanging out on my wall, actually I just soldered a long wire to it, and I've got, it's about 65 feet, long wire, and it does a good job. Or, you know, just take a roach clip and hook it to it, just take some wires. "Hey honey, I bought some roach clips." "Why?" "Oh, don't worry about it, I've got this radio thing going on."

Satellite launches a month ago, when I was traveling, I'd forgotten the little connector, and so I have my FUNcube, which has an SMA connector, and I had a roach clip stuck in there. TSA has got to just love me, because I've got to carry all this with me everywhere I go. And then I had just a piece of wire; there was a little construction site next door and a bigger pile of stuff. So just regular long wire, as long as you can get it, just the cheap RadioShack wire or whatever you've got; it's the best. In fact, the best wire is if you've got some old Cat5 cable, just grab some of it and just take one of the strands, as I've heard, one of the wires at the end of that Cat5.

And sorry, the second question was, can you... I haven't seen a lot of tutorials on decoding a... Because one other thing on the Windows side is there is a product called Virtual Audio Cable, where if you think about it, in the physical world we would come out of the radio and then turn around and go in with another device, maybe, that would do some decoding or something like that. Well, now that everything's software based, then with Virtual Audio Cable you can actually set up virtual sound cards, virtual audio cables, and say, go from this device to this device, go through this preprocessor, go through here. It's like $19, and then there's a free version out now too, and there's some other ways that folks have done it with some of the fancier sound cards and splitting the audio and some other things like that. Send me a tweet and I'll send you the link, and in fact I'll make sure I get those on the backup slides too.

On that one, just... yes, the connector on the SDR is called MCX; that's the connector type on that. So if you go on Amazon you can find like MCX-to-SMA or BNC little pigtails. They're about 10 bucks apiece, and they will blow that default antenna that comes with it out of the water. Yeah, I purposely used that one just to show you, but I've got, you know, all kinds of different lengths, you know, sizes. The one that Mike uses for the HackRF is a telescoping one and it does a good job, but if you're going to get into the shortwaves, you'll want to...

Okay, so how many fingers am I holding behind my hand? What is it, Alfa long range? I'm sorry. Is there somebody here? No, I think they just... that's an in-kind sponsoring gift they shipped to us. Okay, well, send them a nice note, please. Let me think. What does SDR stand for?

Okay, again, I'll have the slides up probably no later than midnight Sunday. I'm still adding some more IRC links that were sent to me. But Reddit, there's an RTL-SDR subreddit that is actually a good place to keep your eyes out for stuff too, and then follow Mike Ossmann on Twitter. We've done a lot of good stuff.

Great job, Jeff. Thanks again to Jeff, and thanks to you all for being here. This is the end of the blue track in this room, so the last talk of the day is going to be over in the big ballroom where we started this morning. So I have just a couple more No Starch stickers if anybody is interested; come on up and take them from me.