Today was LevelUp, Bugcrowd's first Virtual Hacking Conference. With 2 seperate streams over 8 hours, the schedule was jammed packed with interesting talks and knowledge drops across topics including web, mobile, IoT and even car hacking.

Waking up at 1:30am (AEST) to get some Bulletproof coffee in before it started, I think I briefly moved once from the couch in the whole session. The rest was solid and intent focus on the topics, trying to keep up with all of the amazing content, while also taking notes (~1200 lines worth!), and dropping out tweets at the same time. I don't think i've been as engaged or intently focussed on something for such a long period in a long time. Testament to the quality of the conference!

One of the common themes of the conference today (besides all the tech knowledge) was that of community and sharing. This is something that speaks to my core, and one of the things that I love about the security industry. How people can be so open, be willing to share their knowledge, and humbly learn in return. Such a great way to bring everyone up across the board, and super grateful for it.

There are a few places you can get connected with bug bounty hunters / security researchers that I wanted to list here:

Twitter! This sort of goes without saying given how active the security community is here. But with regards to this conference and related things, check out Bugcrowd's hashtag: #ItTakesACrowd Also make sure to follow @Bugcrowd, and if you'd like to see more from me (when I rarely but occasionally tweet) you can find me at @_devalias (always feel free to say hi!)

Bug Bounty World A community for bug-bounty enthusiasts, open to all. Twitter: @bugbounty_world (#bugbountyworld)

Bug Bounty Forum A community of bug bounty researchers, including slack channel and more! Twitter: @bugbountyforum GitHub: bugbountyforum

Bugcrowd Forum Make sure to also check out the discussions over at the Bugcrowd forum.



In light of that theme, I wanted to share what I have from today, not only so I remember what I saw, but so that everyone else has the opportunity to see some of the great stuff that was presented today. This post will be largely my raw and unedited notes, with any future posts likely to be more structured/refined.

It's also worth noting that every talk from both streams was recorded, and will be published to YouTube within the next week or so, so keep an eye out for that! I'll probably update this page when they're released, and I intend to write some more thorough blog posts based on each session when I have a chance to go back through it all at a slower pace, so keep an eye out for those!

Do you have any awesome resources, comments, or things to add? I'd love for you to share in the comments below!

Overview of this post

Videos

Schedule Stream 1 Stream 2

Raw Notes Welcome + Kickoff (Sam Houston) How to Hack Web v2 (Jason Haddix) How to Fail at Bug Bounty (Caleb Kinney) Giving Back to the Community (ZSeano) Doing Recon Like a Boss (Ben Sadeghipour) Hidden in Plain Site: Disclosing Information via Your APIs (Peter Yaworski) Targeting for Bug Bounty Research (Matthew Conway) How does unicode affect our Security? (Christopher Bleckmann-Dreher, @schniggie) Hacking Internet of Things for Bug Bounties (Aditya Gupta) Intro to Car Hacking (Alan Mond)

Thanks!

Videos

Schedule

Just in case the schedule goes offline sometime in the future, here are the main bits for posterity:

Stream 1

Welcome Welcome + Kickoff, Sam Houston (20min) Welcome, State of Bug Bounty & The Future of Crowdsourced Securit, Casey Ellis (60min) How to Hack Web v2, Jason Haddix (50min)

General Bug bounty and Web Hacking How to Fail at Bug Bounty, Caleb Kinney (25min) Giving Back to the Community, ZSeano (45min) Doing Recon Like a Boss, Ben Sadeghipour (25min)

Web Hacking Hidden in Plain Site: Disclosing Information via Your APIs, Peter Yaworski (25min) Targeting for Bug Bounty Research, Matthew Conway (25min) How does unicode affect our Security?, Christopher Bleckmann-Dreher @schniggie (45min)

Hardware Hacking Hacking Internet of Things for Bug Bounties, Aditya Gupta (45min) Intro to Car Hacking, Alan Mond (25min) MarkDoom: How I Hacked Every Major IDE in 2 Weeks, Matt Austin (45min)

Ending Ceremony Final Words, JHaddix w/intro from Sam (30min)



Stream 2

Web Hacking and Mobile Hacking OWASP iGoat – A Self Learning Tool for iOS App Pentesting and Security, Swaroop Yermalkar (25min) Esoteric sub-domain enumeration techniques, Bharath (45min) Finding Hidden Gems in Old Programs, Yappare (25min)

Mobile Hacking and API Hacking Breaking Mobile App Protection Mechanisms, Ben Actis (45min) Reverse Engineering Mobile Apps, Emily Walls (25min) Identifying and Evading Android Protections, Tim Strazzere (45min) Do you like fuzzing? Why I built fuzzapi to fuzz REST APIs for profit, Abhijeth Dugginapeddi (25min) Advanced Android Bug Bounty skills, Ben Actis (45min)

Browser Hacking Browser Exploitation for Fun and Profit, Dhiraj Mishra (25min)



Raw Notes

The following are my raw notes from todays session. Apologies in advance for the format..

Welcome + Kickoff (Sam Houston)

http://twitter.com/samhouston Stream 1, mostly web, switches to hardware later Stream 2, mostly mobile hacking Tweet with #ItTakesACrowd and @BugCrowd http://www.bugbountyworld.com, new slack, bugcrowd channel ## Welcome, State of Bug Bounty & The Future of Crowdsourced Security (Casey Ellis) Casey Ellis, Founder/CEO of Bugcrowd https://twitter.com/caseyjohnellis casey@bugcrowd.com @caseyjohnellis #ItTakesACrowd

How to Hack Web v2 (Jason Haddix)

Head of Trust and Security at Bugcrowd https://twitter.com/jhaddix https://securityaegis.com https://blog.bugcrowd.com/author/jason-haddix The Bug Hunters Methodology (Def Con 23) distilling a lot of learnings over the years google it for the video The Bug Hunters Methodology v2 XXS, SSTI, SSRF, code/command injection, fuzzing, tooling API testing, object deserialisation, XXE in v2.5 Light reading: Web Application Hackers Handbook OWASP Testing Guide Web Hacking 101 Breaking into information security Mastering modern web penetration esting Discovery Enumall (recon-ng, alt-dns wrapper, etc) Sub scraping https://github.com/aboul3la/Sublist3r scrapes search engines/etc for mentions of domains sources are different from enumall anshumanbh/brutesubs set of docker images that include multiple tools inc enumall and sublister along with gobuster and altdns run against a domain you want need to modify config/docker scripts to add custom bits disable bruteforce for enumall did a presentation about this topic recently (TODO) mandatoryprogrammer/cloudflare_enum anshumanbh/censys.py Subdomain bruteforcing Like: subbrute, gobuster, massdns, dns-parallel-prober, blacksheepwall gobuster (21m) and massdns (1.5m) are quick massdns found more quicker, but more false positives could feed massdns stuff into gobuster to reduce? blechschmidt/massdns all.txt: https://gist.github.com/jhaddix/86A06C5DC309D085/80A018C66354A056 https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056 list of all the dns brute lists in one Acquisitions crunchbase protected by distil bot protection can write a tool to beat that Port scanning nmap is great, but don't try and scan 65536 hosts with the default port list massscan doesn't provide a default port list use nmaps (giant list of ports) https://twitter.com/_devalias/status/886280729327312896 Visual identification https://github.com/ChrisTruncer/EyeWitness checks HTTP(S), RDP and a couple of other protocols too https://github.com/breenmachine/httpscreenshot another tool Platform identification and CVE searching retire.js, wappalyzer, builtwith https://vulners.com/ combine a lot of CVE/etc sources https://github.com/vulnersCom/burp-vulners-scanner search in scope domains find versions/etc link to vulns for lower than that version get list of CVE's that might be related Content discovery/directory bruting TBHMv1 wordlists: seclists, raft, digger_wordlists patator wpscan cmsmap https://github.com/maurosoria/dirsearch https://github.com/OJ/gobuster super fast burp content discovery in burp pro pretty good, but sort of bogs down java danielmiessler/RobotsDisallowed Parameter bruting? https://github.com/maK-/parameth This tool can be used to brute discover GET and POST parameters PortSwigger/backslash-powered-scanner /resources/params good wordlist XSS TBHMv1 polyglot strings, seclists, flash reversing, common input vectors TBHMv2 blind XSS sleepy puppy (python) xss hunter (python) ground control (ruby, small) polyglots xss mindmap Blind XSS input may eventually end up on some backend app and executes somewhere use a payload that loads JS need a framework to catch it XSSHunter payload gathers a lot of really useful data Polyglots injection string that executes in multuple contexts may bypass multiple filters starting to integrate in lots of scanners 0xS0bky/HackVault unleashing an ultimate xss polyglot Jackmasa's XSS Mindmap breaks down attacks based on context PoC's ideas for all sorts of things used to just be in Japanese ported recently to english huge image file (svg) https://github.com/jackmasa seems to have a bunch of projects worth looking at https://github.com/jackmasa/XSS.png/tree/master Server Side Template Injection (SSTI) engine identification wappalyzer, builtwith, vulners scanner test fuzzing tooling tplmap + burp extension backslash powered scanner? tl;dr: send some template payload and check for result {{2*3}} epinna/tplmap code/server side template injection detection/exploitation other SSTI resources lots of links Server Side Request Forgery (SSRF) look for any paths/urls referenced wilded/psychoPATH will release a tool with his Def Con talk in a week can bypass filtering blacklists using alternate IP encoding SSRF bible: https://www.reddit.com/r/netsec/comments/2tpfz7/ssrf_bible_cheatsheet_by_onsec/ protocol/schema mappings exploit examples update coming soon, BlackHat US-17? SSRF resources many links including BishopFox link: burp, collaborate and listen Code Inject, Command Injection, Future of Fuzzing SQLi polyglot, seclists, swlmap, params, tooling, resources https://github.com/commixproject/commix CMDi supports PHP code injection custo modules powershell and python shells Burp backslash powered scanner generic payloads multi-tiered checks responses basically gives you an idea of where it might be useful to look supports testers rather than replacing them! watch the video THEN read the paper see link Infrastructure and coding subdomain takeover register, control traffic that goes there lists a bunch of services most often vuln github autoSubTakeover HostileSubBruteforcer tko-subs Article: Deep dive into AWS S3.. yasinS/sandcastle michernriksen gitrob dxa4481/truffleHog Domain Discovery at Def Con DefCon hunt tool jhaddix/tbhm The Bug Hunters Methodology jhaddix@bugcrowd.com

How to Fail at Bug Bounty (Caleb Kinney)

Twitter: @aphire Blog: http://bountyhuntersguild.com GitHub: calebkinney OrOneEqualsOne Lessons learned during bug bounties Conferences: rushing to see talks, not networking Failed to read the bug bounty program brief rules of engagement scope focus areas out of scope excluded vuln types rewards/incentives disclosure rules Failed to show impact used to submit every bug, priority often wasn't in thought process understand vulnerability prioritisation and explain it to program owners P1 - Critical P2 - Severe P3 - Moderate P4 - Low P5 - Informational / Won't Fix can you combine a self-XSS with CSRF to up the priority? Failed to understant criticality submitting a won't fix will hurt your average vuln score utilize the Bugcrowd Vulnerability Rating Taxonomy Failed to understand the application eg. 'vuln' that is a feature of the application research the application and ask questions cross-reference functions between different platforms (eg mobile/web) Failed to plan for private programs Don't ignore the start time, may make you hit many duplicates Schedule time to work on the program as soon as it's published Failed to plan for blacklisting have a way to get a new IP address or use a VPN/proxy Bug Bounty != Penetration Test Part time hunt tips wide scopes acquisitions/mergers assume automated scanning recon, recon, recon subdomain bruteforcing, port-scanning, google dorking censys.io shodan.io burp extensions reflected parameters https://github.com/allfro/BurpKit used Webkit to better render responses in burp JS Co2 payload lists polyglots! community read, give back, collaborate Hunting makes me a better tester understand whats important attuned to emergent security trends challenge for more technical exploits etc.. Personal mobile recon setup iPhone with Blink Shell doesn't require jailbreak DietPi with MOSH (jump mox) Port Fowarding personal recon script Sublist3r, domain, knock, eyewitness wraps a bunch of things and combines https://github.com/OrOneEqualsOne/Recon next gen will be a webapp to help Bug Bounty Resources https://twitter.com/_devalias/status/886295129807396865

Giving Back to the Community (ZSeano)

https://twitter.com/zseano http://zseano.com tutorials, blog posts, etc full time bug bounty, ranked #2 on bugcrowd 25 years old Overview Finding first bug, chaining to higher priority Recon: what are you missing Big bounties for a living, and staying sane Open URL Redirects easy to find aboutads.info, run burp whilst opting out google dorking inurl:refirect inurl:& bypasses will release a lit of bypasses later making them more useful chain to account takeover via misconfigured oauth check their facebook app mobile app logs in via FB with app_token make sure to url encode the redirect_url Stored XSS + Oauth redirect user to stored XSS page, JS executes, grab oauth token and login to users account key things people miss bypassing filters generally use some form of regex fuzz as much as possible plan to update zseano.com with section on bypasses not checking for oauth systems in place try vulnerable parameter on as many endpoints as possible eg. one param on one program used througout the web application burp intruder against all endpoints, etc check their mobile app sometimes use oauth, FB login google logins tend to be more secure redirect oauth to stored XSS In future, want to do more talks on more topics Recon: go back in time waybackmachine search for old files like robots.txt https://gist.github.com/mhmdiaa waybackurls waybackrobots tool idea scraping website from years back for URLs/links/etc eg. burp-wayback-spider .js files are your friends way things work, paths discovery of new endpoints hardcoded app secrets sometimes user information built a couple of tool Burp copy selected URLs copy links in selected items zScanner burp spider to discover endpoints copy ites found, import to inputscanner visits each url, extracts all input names + ids and links to js files outputs to burp intruder format mass test XSS/sql/etc outputs 3 files, ready for burp intruder getoutput.txt postoutput.txt posthostoutput.txt use output from zScanner with JS-Scan visit each .js file, extract URLs using regex displays results on page easier to see whats in files without manually reading didn't plan on releasing these until recently Finding bugs full time remain calm, take a step back see if someone has found something similar don't be afraid to ask people be professional, waiting to be paid can be annoying be smart, learn where to spend your time test programs before diving in look at disclosed reports bugcrowd are managed programs managed programs on hackerone/synack can be good too you don't need an update every week, unless its a P1 chain bugs to achieve the highest possible impact usually leads to bigger payout collaborate You WILL have bad days. Take time to relax, collect your thoughts, then keep going. re-test endpoints, re-visit certain areas of a site can either report on the old bug, or open a new report depends how much time you put in Find a program you love that treats you fair and give it your all Sharing is caring! If the program allows for it, share your bugs! People need to fuzz more Store all vulnerable paramets found in a text file Include your bug bounty name/how to contact/etc in your user agent Have a few blog posts in the works

Doing Recon Like a Boss (Ben Sadeghipour)

https://twitter.com/Nahamsec Agenda Overview Traditional way (brute forcing) AWS Abusing Github Asset identification Why bigger attack surface more bugs more bounties more problems Bruteforcing tools sublist3r, enumall, massdns, altdns, brutesubs, dns-parallel-prober, dnscan, knockpy, tko-subs, HostileSubBruteforce find a patterns .dev, .corp, .stage brute force again different permutations/environment Amazon Web Services look for S3 buckets site:s3.amazonaws.com + ... use google for patterns GitHub automate your work Automation create a list of subdomains create a list of environments automate catch them all new tool: Amazon S3 Bucket finder other tools: sandcastle, bucket_finder hopefully will release on github sometime next week AWS Recon, what could go wrong S3 bucket not owned by company may be out of scope S3 bucket without sensitive info 3rd party apps Github Recon environments (dev, stage, prod) secret keys (API_key, AWS_Secret, etc) internal credentials API endpoints Domain patterns example "foo.com" "dev" "dev.foo.com" "bar.com" API_key "bar.com" password "api.bar.com" google dork site:"github.com" "org" tools gitrob git-all-secrets truffleHog git-secrets repo-supervisor do it manually.. Asset identifcation censys.io look for SSL certificates "company" + internal shodan.io search by hostname filter for ports 8443, 8080, 8180, etc title: "dashboard [jenkins]" product:Tomcat hostname:corp.levelup.com etc buy book by shodan creator for $5 archive.org review source find old endpoints/functionality look for JS files exploit them! .js files endpoints credentials/tokens subdomains (inc internal) new tool being released next week All tools included in this talk will be on the bugbountyforum website Personal tools will be released next week Burp 'should' be able to do JS parsing stuff in reality, seems to not work as well as it should can be easier to make external tools, do them your own way, etc hope someone takes this tool (when released) and create a burp plugin for it another tool (might get released) crawl website, download all JS files locally

Hidden in Plain Site: Disclosing Information via Your APIs (Peter Yaworski)

https://twitter.com/yaworsk Application Security Engineer at Shopify Wrote Web Hacking 101 Hopefully Real World Web Hacking via No starch press Overview What we're talking about Why we care Why it happens How you find it Examples What we're talking about API's that reveal personal info or app sensitive info Focus on API's that render info to page source, parsed by react/angular/etc Why we care Easy Impacts range from benign to critical Sometimes they can be chained together Why it happens automation of repetitive tasks code abstraction easy to make mistakes, incur technical debt Automation eg. rails is great at automating repetitive tasks, generate scaffold Will generate HTML view, but also .json endpoint for API You could remove those from the HTML view, won't see the information But can still get the full data from the API endpoint May not realise you need to edit the json file as well Code abstraction eg. merging all json fields add new secret field manually, haven't updated json file, so fine but using json merge, the new param will be exposed How do you find it initial recon identify software on site wappalyzer look for rails, angular, react eg rails sites follow certain patterns watch your proxy history look for gian json blobs in page sources watch for API calls mobile apps http://www.leanpub.com/web-hacking-101 http://www.shopify.com/careers

Targeting for Bug Bounty Research (Matthew Conway)

Lead product security engineer: Heroku, Salesforce https://twitter.com/mattreduce Focuses Efficient, repeatable discovery Judge targets on measurable criteria Keep flexible/portable records Put it into use Reconnaissance Stage When to enumerate start first, return to Why spend time on info gathering? don't miss a target/vuln better coverage for program owner deep understanding yields great findings Enumeration methods Before you find problems, you need to find all the places they live need to cast the net wide Enumerating hosts information sources dns for info, but also vulns eg. subdomain takeovers, exfil data, command&control github may identify api's/etc rapid7 project sonar scans the whole public internet, seeing what's vulnerable google search hosts software running secret pages google certificate transparency report can find hosts through subdomains company registered certs for beta access if a company with bug bounty program has beta program, try it test new features follow them on twitter, other social media, be aware of what they put out there other open sites dnsdumpster threatcrowd thratminer https everywhere atlas look for opportunities to repurpose tools online techniques google queries site:foo.com find results from subdomains not on list yet brute forcing try common subdomains bonus points for expanding with own wordlist from crawling own targets own scripts automate this + anything else you can dns tools dig, host dnsrecon dnsenum dnsmap recon-ng more framework than a script, like metasploit for recon altdns (shubs) read shubs blog: high frequency bug hunting https://github.com/jhaddix/domain Setup script for Regon-ng/altdns Recording results CSV file, SQL database get creative choose what to catalog domain type think about what you'd like to know when choosing the next target you want to work on Find, Fix, Finish, Exploit, Analyze (F3EA) cycle https://github.com/infosec-au/assetnote-poc push notifications for passive DNS data cleaning up data write some scripts to run against hosts screenshots validating possible targets SSL certificates used by that host common cookie names across hosts distinctive HTTP headers, fragments, etc logo images copyright lines privacy policy links contact information google analytics tracking codes Using target data understanding ownership some sites give subdomains out to customers just because it's on a subdomain of that company, may not be an app they control eg company.github.io subdomains that point to external services eg. blog.company.com find out who owns the host before you hack it consider scope may be explicitly in/out of scope sometimes may be implicitly in scope based on rules of engagement what now enumerate services look for vulnerabilities Summary find out everything you can, keep good notes Respect program scope, remember pitfalls Automate as much as you can

How does unicode affect our Security? (Christopher Bleckmann-Dreher, @schniggie)

https://twitter.com/schniggie?lang=en Pentester, german car manufacturer Retired bughunter ASCII 7-bit, 128 characters ISO-8859-? ASCII compatible 8-bit, 256 characters Multiple standards Unicode multibyte character set fully ASCII/ISO-8859 compatible Different encodings (UTF-8, UTF-16, UTF-32, UTF-EBCDIC, ..) more like a database, links between copoint to character + some attributes Basic Multilingual Plan 65k chars Astral plans 1mil+ characters Unicode Encodings different encodings use different bytes to store characters Security implications - Length Length of UTF-8 string vs size of the string When allocating memory, etc Security implications - JavaScript compare comparing 2 strings that look the same to the eye 'ma\xF1ana' == 'man\u0303ana' -> false length of strings differ Security implications - JavaScript regex /foo.bar/.test('fooPOOEMOJIbar') regex . should match 1 character \s\S matches whitespace, not whole of astral symbols multi-byte emoji current JS in most browsers is ECMScript5 had trouble with chars in astral planes not completely supported by default some workarounds for it http://scriptular.com regex javascript application can test it Security implications - MySQL vs UTF-8 create table, charset set to utf8 update table fooPOObar shows a warning, incorrect string value selecting back the entry, column name is only the prefix before poo emoji solution: set database to utf8mb4 Security implications - Internationalised Domain Names Stored as ascii strings using punycode eg. email spoofing using special characters UTF8 symbols that look identical Use punycode converter Register the converted domain real world attack scenarios an attack released earlier this year to spoof apple.com/etc not meant to be able to mix character sets in domain registrations google registrar seemed to allow it browsers realised that displaying UTF8 in the domain is bad now show the punycode instead Unicode character - Right to left overide can rename the file using ruby File.rename \xe2\x80 able to rename exe file to a file that looks like it has the extension .ppt old attack, known since Windows 98 or so, still works today.. Crashing every iOS and OSX device 2013, vulnerable to an arabic string https://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/ Backend != Backend Frontend may allow UTF8 Backend may not be expecting it exception from backend Spotify account hijacking Allowed unicode usernames Register an account with a superscript word of an existing account user Trigger forget password function Password reset canonical'ises the username Sent him the password reset link Using that, used the canonicalised name again Was the victim user Reset password on that user Phabricator bypass Facebook, like github Error, email at that domain not allowed MySQL add foo@attacker.comPOO@fb.com POO is the new %00 Summary for developer verify methods, functions, frameworks handle unicode input validation should handle unicode verify all system and interconnection can handle unicode POO is the new %00

Hacking Internet of Things for Bug Bounties (Aditya Gupta)

https://twitter.com/adi1391 https://twitter.com/_devalias/status/886339682958680064 Run attify, pentesting IoT devices Author: "Learning Pentesting for Andorid Devices" Book: IoT hackers handbook, this month IoT pentesting guide to be released after this talk Why if not, missing great stuff best to do in 2017 easy targets higher barrier of entry enormous growth soon be prepared Examples IoT fridge that sends spam email Smart home compromised Hardcoded password in a medical device Shodan for scada things Controlling mining trucks What what to look for during IoT big bounties When you look at a device figure out possible attack vectors look closely pentesting mindset components entrypoints communication protocols exposed ports Once you have a target compromise the whole target don't just look at one small part, whole thing micro and macro where would be most vulnerable? start there How how to find vulns that companies will pay for "Hacking IoT is not a 'black magic' It can be learnt. Too less resources." How to start IoT bug bounty hunting attack surface mapping hacking the embedded device hacking firmware may not be available, but can dump from device hacking mobile/web/cloud components hacking radio communications Attack Surface Mapping - Step 1 https://twitter.com/_devalias/status/886341534450307072 Recon understanding device visible ports components communication mediums Available info google datasheets support groups community center social engineering FCC ID Attack Surface Mapping - Step 2 https://twitter.com/_devalias/status/886341954404929536 map attack surface (architecture diagram) entrypoints commuications additional web endpoints protocol/standard specifications Creating an architecture diagram Looking at a device FCC ID mentioned on the back of the device required for any radio communication device sold in US https://fccid.io/ eg. EW780-8913-00 https://fccid.io/EW780-8913-00 gives you frequencies, internal/external pictures, etc can look for JTAG/etc ports What next? perform exploits be systematic often one component leads to another device -> dump firmware How to approach embedded -> firmware/web/mobile -> communication Hack the embedded device open device physical tamper protections, special screws, etc get a good screwdriver kit look at chipsets USB microscope phone flashlight identify things, label them dig deep look for exposed ports UART are easy to find/export multimeter to test Tx, Rx, GND connect to attify badg or USB-TTL identify baudrate run minicom for shell access screen can be used to connect to a TTY sudo screen /dev/ttyUSB0 .. JTAG can be harder than UART can be scattered across board JTAGulator or arduino nano flashed with JTAGEnum easily identify pinouts for JTAG https://twitter.com/_devalias/status/886344370944786432 Hacking Embedded Devices - Debug JTAG Dump Flash look for flash chips read compoent sheet/datasheet may need to solder to adapter, pins are tiny then can dump flash NAND glitching generate fault scenario, have it behave in unexpected way drops to bootloader shell can set bootloader flags, eg single user mode Other attacks too Firmware Hacking Easy to find basic vulns Good at RE -> lots of stuff to find Learn ARM and MIPS RE Sensitive hardcoded values, API keys, encryption mechanisms, etc Firmware methodology binwalk extracts filesystem firmwalker identifies interesting things to look at Firmware-Mod-Kit allows filesystem modifications, then flash back to device Detect if device allows firmware modifications, security checks, etc Encryption? XOR with empty space will give you the key itself Hardcoded sensitive values eg. creds to ftp update server, etc Can find all sorts of things api keys, backdoors, SSL certs, staging URLs, etc Quick binary analysis in IDA can see harcoded creds command injection vulns ROP etc Analysing mobile apps native libraries can store secrets file, readelf IDA demo version can dissass ARM binaries look at functions, eg. encryption understand the app code Hacking communication look at mobile app -> device communication MQTT? CoAP? view resources unauthed? publish messages/subscribe topics? MQTT works on pub/sub topic might be able to subscribe to * Hacking radio radio analysis/exploitation needs special hardware depends on protocol BLE/ZigBee most common Hacking Zigbee attify killerbee zbstumbler zbdump zbreplay etc Hacking BLE ubertooth, BLE sniffer sniff traggic see what handles being written rewrite handles using gatttool Pentest methodology focus on 'attacker simulated exploitation' rather than pentest look at macro and micro 95% success rate, critical vulns, devices compromised follow the guide https://www.iotpentestingguide.com/ https://twitter.com/_devalias/status/886350210724646912 https://twitter.com/_devalias/status/886350674266537984 https://twitter.com/_devalias/status/886350817741094912

Intro to Car Hacking (Alan Mond)

https://twitter.com/mondalan?lang=en https://twitter.com/carloopio?lang=en Car hacking tool Car Hacking 101 How to get started vehicle networking basics demo build your own testing buck What are the different attack surfaces? Tire pressure monitoring sensor sensor in each tire, connects to car, measures pressure communicates via low frequency radio signal can intercept that signal Bluetooth/wifi hotspot may be open ODBII port underneath steering wheel main entry point for access, but already inside car Infotainment system USB, root access possible, etc How to get started Book: The Car Hacker's Handbook, Craig Smith Free download http://ebook-dl.com/book/5277 Tools, protocols, references What you'll need access to the OBD-II port mandated to be on 'CAN' since 2008 CAN hardware tool USB2CAN microcontroller with CAN controller on it OBD-II to serial (RS-232) cable linux machine rasberry pi, virtual machine on osx OR Carloop basic ($55) open source wireless why not cheap ODB2 dongles from amazon? could.. just a lot of work to use them integrated circuit, converts raw CAN messages to values not getting raw messages Most comprehensive list github.com/jaredthecoder/awesome-vehicle-security https://twitter.com/_devalias/status/886354216968609792 Vehicle networking basics CAN bus connects all modules through 2 wires dashboard, engine, control modules, infotainment system Controller Area Network (CAN) 2 wires, high and low more than 1 CAN bus on vehicle Why focus on CAN? mandated since 2008 well supported in linux more than just diagnostics.. currently not encrypted at all.. signals go from high to low Anatomy of a CAN message arbitration ID IDE: 0 (always for CAN) Data length: 1 byte Data: payload ID and data most important Demo intall can-utils provision CarLoop with can-utils, flash over the air https://www.carloop.io/apps/app-scoketcan cansniffer identify by ID, see what changes in the data see what changes when you do something on the car no documentation out there manufacturers don't want you seeing it straightforward when you start to see it happen though Build your own testing buck can build a test bench for less than $100 Power supply engine control module CAN device adding more modules, can get more interesting data car-part.com tools and resources on http://illmatics.com/carhacking.html https://community.rapid7.com/community/transpo-security/blog/2017/07/11/building-a-car-hacking-development-workbench-part-1 How to access proprietary parameter ID's? harder to decode query/response structure specific to ODB-II need to send specific PID to get it back most people use a scan tool for that brand, use a y-splitter then can capture the request/response Replay of keyfobs from HackRF/similar devices? don't know much about it Difference between tools mentioned and those dropped with jeep hacking research? that paper is a really good read goes through process of decoding each CAN message has some PID's you can look at (for same brand of car) each manufacturer has different 'data dictionaries' for these PIDS all tools very similar, can bus/receiver simple toolchain bugcrowd running car hacking CTF, prize is a truck https://www.carhackingvillage.com/ https://store.carloop.io/

Thanks for reading! Hope you found something useful.

Do you have any awesome resources, comments, or things to add? I'd love for you to share in the comments below! <3