Thursday, March 8, 2018

Pentest via cellular network (I): Global IoT SIM Card


- Layout for this exercise (Smartphone and Raspberry Pi / SIM card / Modem):

1 - Introduction

- The goal of this series of five exercises is to demonstrate how to perform a remote penetration test (port scanning) with a Raspberry Pi device and a modem, using SMS (Short Message Service) messages over a cellular network instead of a usual Internet connection.

- For that purpose, a smartphone communicates with a SIM card incorporated into a modem that is inserted into the USB port of a Raspberry Pi 3 Model B device.

- This project could be applied in scenarios where no reliable Internet connectivity is available, since cellular networks provide connectivity at all times and in almost any place.

The project is presented through successive steps, beginning with the introduction of the hardware elements used, and continuing with the applications and programming needed to complete it.

2 - Raspberry Pi 3 with Raspbian Stretch

- As said before, in this exercise a Raspberry Pi 3 Model B device is used, running the Raspbian Stretch operating system:

3 - Hologram Global IoT SIM Card

- Hologram is a USA-based company that provides flexible tools for securely connecting IoT devices:

- The Hologram IoT SIM platform sells the Global IoT SIM Card:

- The Global SIM Card can be bought online for $5 and is delivered to your home by regular post:

- Once the SIM card is available, an online activation is required.

- To activate the SIM card, first of all a Hologram account must be created:

- Once logged in, the SIM is activated for the first time from the Dashboard:

- The SIM number is printed on the back of the card and must be entered (added) as shown below:

- Starting with the Developer data plan:

- Taking Zone 1 for the USA:


- The cost is $0 for the first month:

- Activating the card:

- The activation takes some minutes until the card reaches the Live status:

- Setting the name and whitelist for the device:

- Regarding billing, some funds must be added to the balance in order to later buy the phone number that will be needed for sending and receiving SMS messages:

- Once there are funds in the balance, a phone number can be purchased for the low price of $1:

- A phone number is obtained, linked to the newly activated SIM card:

Tuesday, February 27, 2018

Metasploit Loader (III): loader64.exe (x64_64 bits)

- Layout for this exercise:

- This exercise is based on the previous one:

1 - Adapting the source code to the x64_64 bits architecture

- The goal of this exercise is to adapt the previous example, written for Windows 10 x86_32 bits, to the x64_64 bits architecture.

- Let's create a new file, main64.c, where the changes will be implemented.

- The technical explanation of why and how to modify the source code for the new architecture is here:

- For the x86_32 bits architecture:

- For the x64_64 bits architecture:

- To sum up, on the x64_64 bits architecture the instruction that loads the RDI register takes 10 bytes: a \x48 byte must be prepended, the bytes of the x86_32 bits case (BF 78 56 34 12) are kept, and the remainder is padded with \x00 bytes.

- Editing main64.c to reflect these changes:

- The first change is to enlarge the buffer to 10 bytes. The old code:

- The new code:

- The second change is to prepend 0x48. The old code:

- The new code:

- Also, the buffer expansion is updated from 5 to 10, as before. Old code:

- New code:

- Finally, the whole altered section looks like this:

- Cross-compiling with mingw32 (version for x64_64 bits):

- A new executable loader64.exe is created:

2 - Running the payload at the victim side

- Setting up a simple web server on Kali:

- Downloading the executable loader64.exe to Windows 10:

- Setting up a Metasploit handler session on the Kali machine:

- However, when loader64.exe is run on Windows 10, the program stops working:

- Also, a Meterpreter session is created, but it dies after a few moments:

- Why does this handler session fail?

- The reason is that the payload was set for the x86_32 bits architecture, which is not correct since this exercise deals with x64_64 bits:

- So, the payload must be replaced with the x64_64 bits version (note the /x64 in the payload path):

- Repeating the whole process, the attack is now successful. Establishing a Metasploit handler session on Kali:

- Running loader64.exe on the victim Windows 10 x64_64 bits machine:

- Finally, the Meterpreter session is successfully created:

3 - Checking the antivirus evasion rate

- Checking loader64.exe against VirusTotal, an evasion rate of 95.5% is achieved:

- Checking loader64.exe against No Distribute, an evasion rate of 100% is achieved: