RFID Wallets/Sleeves. How much Security do they provide?

With the increasing amount of RFID technology creeping into everyday life, just how much data can be obtained from your wallet? At Pentura we undertook a small experiment where, using standard off-the-shelf products, we would attempt to obtain personal information leaked from RFID enabled devices: UK Passport; UK Bank Cards (Debit/Credit); Access Control Tokens. Our experiment used standard unmodified off-the-shelf RFID equipment: 13.56MHz ACR-122U Reader; Proxmark3 with LF antenna; Proxmark3…

WiFi Pineapple; Decrypting SSL Traffic on Mobile Applications

Introduction: Most people view the WiFi Pineapple as an intrusive piece of kit. It is marketed as a WiFi device that can trick unsuspecting clients into connecting to the access point (AP), because the device sends out probe responses that match devices' probe requests. From there a victim is then susceptible to Man-in-the-Middle (MitM) attacks, interception and traffic manipulation. The device has been famously used on Channel 4’s Derren Brown: Apocalypse (http://en.wikipedia.org/wiki/Derren_Brown:_Apocalypse),…

Proxmark3 Client Native on Android

A member of the Proxmark3 community known as Asper has managed to cross-compile the proxmark3 client for the Android platform. Depending on the model of your phone (it needs to be rooted), and so long as you have (or can install) the cdc-acm kernel module, this eliminates the need for custom ROMs or even a chrooted environment (such as a chrooted Kali install). You can…

IR Blue – Cheap Open Source Thermal Imaging

For those that missed it, RHWorkshop started a Kickstarter project back in December 2012 to build an open source, cheap and affordable thermal imaging camera for use with Apple iOS or Android devices. Thermal imaging cameras typically cost approximately $1,500 USD; this device costs $160 USD (just over 10% of the value, compared to a professional piece of kit).

USB Rubber Ducky – Part 2: Attack of the HID

Background: The USB Rubber Ducky was introduced in our previous post “The Return of USB Auto-Run Attacks”. This is the first of many follow-ups that introduce new attack scenarios and the increased functionality that really makes this tiny device a big part of the hearts of penetration testers. Brute-force attacks…

The Return of USB “Auto-Run” Attacks

Background: USB Autorun attacks became the rage back in 2005. Hak5 created a project called USB-Hacksaw to increase awareness of this security issue; it was originally a U3 device that would auto-run a series of programs. This could be used for general system administration tasks or for potentially malicious tasks, such as installing back-doors and running password collection programs. Shortly afterwards, vendors like Microsoft started to remove Auto-run capabilities to prevent more serious malware…

Introduction to Pen-testing Android Applications Part 1…

Hello All, I am going to discuss the basics of penetration testing Android applications over a series of blog posts. I recently did my first mobile app test and would like to share my experiences of it. I also hope that these posts will provide some insight into the way mobile applications (specifically on the Android platform) can be tested. This particular post will cover the concept of performing a Man…