Transparency Myanmar

transparency.myanmar@gmail.com


Reversing Device Signals with RFCrack for Red Teaming


This blog was researched and automated by:
@Ficti0n 
@GarrGhar 
Mostly because someone didn't want to pay for a new clicker that was lost LOL

Websites:
Console Cowboys: http://consolecowboys.com 
CC Labs: http://cclabs.io

CC Labs Github for RFCrack Code:
https://github.com/cclabsInc/RFCrack


Contrived Scenario: 

Bob was tasked to break into XYZ  corporation, so he pulled up the facility on google maps to see what the layout was. He was looking for any possible entry paths into the company headquarters. Online maps showed that the whole facility was surrounded by a security access gate. Not much else could be determined remotely so bob decided to take a drive to the facility and get a closer look. 

Bob parked down the street in view of the entry gate. Upon arrival he noted the gate was un-manned and cars were rolling up to the gate typing in an access code or simply driving up to the gate as it opening automatically.  Interestingly there was some kind of wireless technology in use. 

How do we go from watching a car go through a gate, to having a physical device that opens the gate?  

We will take a look at reversing a signal from an actual gate to program a remote with the proper RF signal.  Learning how to perform these steps manually to get a better understanding of how RF remotes work in conjunction with automating processes with RFCrack. 

Items used in this blog: 

Garage Remote Clicker: https://goo.gl/7fDQ2N
YardStick One: https://goo.gl/wd88sr
RTL SDR: https://goo.gl/B5uUAR


 







Walkthrough Video: 




Remotely sniffing signals for later analysis: 

In the the previous blogs, we sniffed signals and replayed them to perform actions. In this blog we are going to take a look at a signal and reverse it to create a physical device that will act as a replacement for the original device. Depending on the scenario this may be a better approach if you plan to enter the facility off hours when there is no signal to capture or you don't want to look suspicious. 

Recon:

Lets first use the scanning functionality in RFCrack to find known frequencies. We need to understand the frequencies that gates usually use. This way we can set our scanner to a limited number of frequencies to rotate through. The smaller rage of frequencies used will provide a better chance of capturing a signal when a car opens the target gate. This would be beneficial if the scanning device is left unattended within a dropbox created with something like a Kali on a Raspberry Pi. One could access it from a good distance away by setting up a wifi hotspot or cellular connection.

Based on research remotes tend to use 315Mhz, 390Mhz, 433Mhz and a few other frequencies. So in our case we will start up RFCrack on those likely used frequencies and just let it run. We can also look up the FCID of our clicker to see what Frequencies manufactures are using. Although not standardized, similar technologies tend to use similar configurations. Below is from the data sheet located at https://fccid.io/HBW7922/Test-Report/test-report-1755584 which indicates that if this gate is compatible with a universal remote it should be using the 300,310, 315, 372, 390 Frequencies. Most notably the 310, 315 and 390 as the others are only on a couple configurations. 




RFCrack Scanning: 

Since the most used ranges are 310, 315, 390 within our universal clicker, lets set RFCrack scanner to rotate through those and scan for signals.  If a number of cars go through the gate and there are no captures we can adjust the scanner later over our wifi connection from a distance. 

Destroy:RFCrack ficti0n$ python RFCrack.py -k -f 310000000 315000000 390000000
Currently Scanning: 310000000 To cancel hit enter and wait a few seconds

Currently Scanning: 315000000 To cancel hit enter and wait a few seconds

Currently Scanning: 390000000 To cancel hit enter and wait a few seconds

e0000000000104007ffe0000003000001f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c00000000000000000000000000000000000000000000e0007f037fe007fc00ff801ff07ffe0fffe1fffc3fff0001f00000000000000000000000000000000000000000000003809f641fff801ff003fe00ffc1fff83fff07ffe0fffc000f80000000000000000000000000000000000000000000003c0bff01bdf003fe007fc00ff83fff07ffe0fffc1fff8001f0000000000000000000000000000000000000000000000380000000000000000002007ac115001fff07ffe0fffc000f8000000000000000000000000000000000000000
Currently Scanning: 433000000 To cancel hit enter and wait a few seconds


Example of logging output: 

From the above output you will see that a frequency was found on 390. However, if you had left this running for a few hours you could easily see all of the output in the log file located in your RFCrack/scanning_logs directory.  For example the following captures were found in the log file in an easily parseable format: 

Destroy:RFCrack ficti0n$ cd scanning_logs/
Destroy:scanning_logs ficti0n$ ls
Dec25_14:58:45.log Dec25_21:17:14.log Jan03_20:12:56.log
Destroy:scanning_logs ficti0n$ cat Dec25_21\:17\:14.log
A signal was found on :390000000
c0000000000000000000000000008000000000000ef801fe003fe0fffc1fff83fff07ffe0007c0000000000000000000000000000000000000000000001c0000000000000000050003fe0fbfc1fffc3fff83fff0003e00000000000000000000000000000000000000000000007c1fff83fff003fe007fc00ff83fff07ffe0fffc1fff8001f00000000000000000000000000000000000000000000003e0fffc1fff801ff003fe007fc1fff83fff07ffe0fffc000f80000000000000000000000000000000000000000000001f07ffe0dffc00ff803ff007fe0fffc1fff83fff07ffe0007c000000000000000000000000000000000000000000
A signal was found on :390000000
e0000000000104007ffe0000003000001f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c00000000000000000000000000000000000000000000e0007f037fe007fc00ff801ff07ffe0fffe1fffc3fff0001f00000000000000000000000000000000000000000000003809f641fff801ff003fe00ffc1fff83fff07ffe0fffc000f80000000000000000000000000000000000000000000003c0bff01bdf003fe007fc00ff83fff07ffe0fffc1fff8001f0000000000000000000000000000000000000000000000380000000000000000002007ac115001fff07ffe0fffc000f8000000000000000000000000000000000000000



Analyzing the signal to determine toggle switches: 

Ok sweet, now we have a valid signal which will open the gate. Of course we could just replay this and open the gate, but we are going to create a physical device we can pass along to whoever needs entry regardless if they understand RF. No need to fumble around with a computer and look suspicious.  Also replaying a signal with RFCrack is just to easy, nothing new to learn taking the easy route. 

The first thing we are going to do is graph the capture and take a look at the wave pattern it creates. This can give us a lot of clues that might prove beneficial in figuring out the toggle switch pattern found in remotes. There are a few ways we can do this. If you don't have a yardstick at home you can capture the initial signal with your cheap RTL-SDR dongle as we did in the first RF blog. We could then open it in audacity. This signal is shown below. 



Let RFCrack Plot the Signal For you: 

The other option is let RFCrack help you out by taking a signal from the log output above and let RFCrack plot it for you.  This saves time and allows you to use only one piece of hardware for all of the work.  This can easily be done with the following command: 

Destroy:RFCrack ficti0n$ python RFCrack.py -n -g -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c
-n = No yardstick attached
-g = graph a single signal
-u = Use this piece of data




From the graph output we see 2 distinct crest lengths and some junk at either end we can throw away. These 2 unique crests correspond to our toggle switch positions of up/down giving us the following 2 possible scenarios using a 9 toggle switch remote based on the 9 crests above: 

Possible toggle switch scenarios:

  1. down down up up up down down down down
  2. up up down down down up up up up 

Configuring a remote: 

Proper toggle switch configuration allows us to program a universal remote that sends a signal to the gate. However even with the proper toggle switch configuration the remote has many different signals it sends based on the manufacturer or type of signal.  In order to figure out which configuration the gate is using without physically watching the gate open, we will rely on local signal analysis/comparison.  

Programming a remote is done by clicking the device with the proper toggle switch configuration until the gate opens and the correct manufacturer is configured. Since we don't have access to the gate after capturing the initial signal we will instead compare each signal from he remote to the original captured signal. 


Comparing Signals: 

This can be done a few ways, one way is to use an RTLSDR and capture all of the presses followed by visually comparing the output in audacity. Instead I prefer to use one tool and automate this process with RFCrack so that on each click of the device we can compare a signal with the original capture. Since there are multiple signals sent with each click it will analyze all of them and provide a percent likelihood of match of all the signals in that click followed by a comparing the highest % match graph for visual confirmation. If you are seeing a 80-90% match you should have the correct signal match.  

Note:  Not every click will show output as some clicks will be on different frequencies, these don't matter since our recon confirmed the gate is communicating on 390Mhz. 

In order to analyze the signals in real time you will need to open up your clicker and set the proper toggle switch settings followed by setting up a sniffer and live analysis with RFCrack: 

Open up 2 terminals and use the following commands: 

#Setup a sniffer on 390mhz
  Setup sniffer:      python RFCrack.py -k -c -f 390000000.     
#Monitor the log file, and provide the gates original signal
  Setup Analysis:     python RFCrack.py -c -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c -n.  

Cmd switches used
-k = known frequency
-c = compare mode
-f = frequency
-n = no yardstick needed for analysis

Make sure your remote is configured for one of the possible toggle configurations determined above. In the below example I am using the first configuration, any extra toggles left in the down position: (down down up up up down down down down)




Analyze Your Clicks: 

Now with the two terminals open and running click the reset switch to the bottom left and hold till it flashes. Then keep clicking the left button and viewing the output in the sniffing analysis terminal which will provide the comparisons as graphs are loaded to validate the output.  If you click the device and no output is seen, all that means is that the device is communicating on a frequency which we are not listening on.  We don't care about those signals since they don't pertain to our target. 

At around the 11th click you will see high likelihood of a match and a graph which is near identical. A few click outputs are shown below with the graph from the last output with a 97% match.  It will always graph the highest percentage within a click.  Sometimes there will be blank graphs when the data is wacky and doesn't work so well. This is fine since we don't care about wacky data. 

You will notice the previous clicks did not show even close to a match, so its pretty easy to determine which is the right manufacture and setup for your target gate. Now just click the right hand button on the remote and it should be configured with the gates setup even though you are in another location setting up for your test. 

For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.05
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.12
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.20
Percent Chance of Match for press is: 0.19
Percent Chance of Match for press is: 0.25
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.93
Percent Chance of Match for press is: 0.93
Percent Chance of Match for press is: 0.97
Percent Chance of Match for press is: 0.90
Percent Chance of Match for press is: 0.88
Percent Chance of Match for press is: 0.44
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png


Graph Comparison Output for 97% Match: 







Conclusion: 


You have now walked through successfully reversing a toggle switch remote for a security gate. You took a raw signal and created a working device using only a Yardstick and RFCrack.  This was just a quick tutorial on leveraging the skillsets you gained in previous blogs in order to learn how to analyze  RF signals within embedded devices. There are many scenarios these same techniques could assist in.  We also covered a few new features in RF crack regarding logging, graphing and comparing signals.  These are just a few of the features which have been added since the initial release. For more info and other features check the wiki. 

Continue reading


  1. Usb Pentest Tools
  2. Hacker Tools Windows
  3. Hacker Tools For Pc
  4. Hacking Tools 2020
  5. What Are Hacking Tools
  6. Hack Tools Online
  7. Hacker Tools Free Download
  8. Hack And Tools
  9. Ethical Hacker Tools
  10. Hacking Tools Github
  11. Hacking Tools For Games
  12. Github Hacking Tools
  13. Ethical Hacker Tools
  14. Pentest Tools Apk
  15. Pentest Tools For Ubuntu
  16. Hack Apps
  17. Hack Tools 2019
  18. Pentest Tools Download
  19. Hack Tool Apk
  20. How To Make Hacking Tools
  21. Pentest Tools Url Fuzzer
  22. Hacker Tools Free Download
  23. Pentest Tools Subdomain
  24. Hack Rom Tools
  25. Pentest Tools Open Source
  26. Termux Hacking Tools 2019
  27. Beginner Hacker Tools
  28. Tools 4 Hack
  29. Pentest Tools Website Vulnerability
  30. Hack Tools For Windows
  31. Nsa Hack Tools
  32. Hacker Tools For Pc
  33. How To Make Hacking Tools
  34. Hacker Tools
  35. Hacker Tools Online
  36. Pentest Tools Open Source
  37. Hacker Security Tools
  38. Game Hacking
  39. Hacker Tools For Ios
  40. Hacks And Tools
  41. Nsa Hack Tools Download
  42. Pentest Reporting Tools
  43. Hacker Tools List
  44. Hacking Tools For Games
  45. Pentest Tools Apk
  46. Hacking Tools For Kali Linux
  47. Github Hacking Tools
  48. Hacker Tools For Ios
  49. Hacker Tools For Mac
  50. Pentest Tools Website Vulnerability
  51. World No 1 Hacker Software

WHAT IS FOOTPRITING AND INFORMATION GATHERING IN HACKING?

Footpriting is the technique used for gathering information about computer systems and the entities they belongs too. 
To get this information, a hacker might use various tools and technologies.

Basically it is the first step where hacker gather as much information as possible to find the way for cracking the whole system or target or atleast decide what types of attacks will be more suitable for the target.

Footpriting can be both passive and active.

Reviewing a company's website is an example of passive footprinting, 
whereas attempting to gain access to sensititve information through social engineering is an example of active information gathering.

During this phase hacking, a hacker can collect the following information>- Domain name
-IP Addresses
-Namespaces
-Employee information 
-Phone numbers
-E-mails 
Job information

Tip-You can use http://www.whois.com/ website to get detailed information about a domain name information including its owner,its registrar, date of registration, expiry, name servers owner's contact information etc.

Use of  Footprinting & Information Gathering in People Searching-
Now a days its very easy to find anyone with his/her full name in social media sites like Facebook, Instragram,Twitter,Linkdedin to gather information about date of birth,birthplace, real photos, education detail, hobbies, relationship status etc.

There are several sites like PIPL,PeekYou, Transport Sites such as mptransport,uptransport etc and Job placement Sites such as Shine.com,Naukari.com , Monster.com etc which are very useful for hacker to collect information about anyone.  
Hacker collect the information about you from your Resume which you uploaded on job placement site for seeking a job as well as  hacker collect the information from your vehicle number also from transport sites to know about the owner of vehicle, adderess etc then after they make plan how to attack on victim to earn money after know about him/her from collecting information.




INFORMATION GATHERING-It is the process of collecting the information from different places about any individual company,organization, server, ip address or person.
Most of the hacker spend his time in this process.

Information gathering plays a vital role for both investigating and attacking purposes.This is one of the best way to collect victim data and find the vulnerability and loopholes to get unauthorized modifications,deletion and unauthorized access.



More information

Automating the automation is still a challenge, but in some cases it's possible under certain situations.

In 2017 I created logic-evolver, one of my experiments for creating logic automatically or better said evolving logic automatically.

In some way, the computer create its own program that satisfies a set of tests defined by a human.

https://github.com/sha0coder/logic-evolver

This implementation in rust, contains a fast cpu emulator than can execute one million instructions in less than two seconds. And a simple genetic algorithm to do the evolution.


Here we create the genetic algorithm, and configure a population of 1000 individuals, and the top 5 to crossover. We run the genetic algorithm with 500 cycles maximum.
Note that in this case the population are programs initially random until take the correct shape.


An evaluation function is provided in the run method as well, and looks like this:




The evaluation function receives a CPU object, to compute a test you need to set the initial parameters, run the program and set a scoring regarding the return value.


More info


  1. Physical Pentest Tools
  2. Hacking Tools Download
  3. Hacking Tools Usb
  4. Hacks And Tools
  5. Pentest Tools Online
  6. Pentest Tools Open Source
  7. Hacker Tools Apk Download
  8. Pentest Tools Windows
  9. Hack Tools
  10. Pentest Tools Find Subdomains
  11. Hack Tools 2019
  12. Hacking Tools Online
  13. Pentest Automation Tools
  14. Hacking Tools 2020
  15. Hack Tools 2019
  16. Hacker Hardware Tools
  17. Hacking Tools Usb
  18. Pentest Tools Framework
  19. What Are Hacking Tools
  20. Hacking Tools Windows 10
  21. Pentest Recon Tools
  22. Hacking Tools For Kali Linux
  23. Hak5 Tools
  24. Pentest Tools Website Vulnerability
  25. Tools Used For Hacking
  26. Hacker Tools Github
  27. Hacker Tools For Windows
  28. Free Pentest Tools For Windows
  29. Tools For Hacker
  30. Hack Tools 2019
  31. Tools 4 Hack
  32. Hack Tools
  33. Hacking Tools 2019
  34. Hack Tools Pc
  35. Pentest Tools Kali Linux
  36. Best Hacking Tools 2020
  37. Hacker Tools Mac
  38. Hacker
  39. Termux Hacking Tools 2019
  40. Install Pentest Tools Ubuntu
  41. Blackhat Hacker Tools
  42. Hacking Tools Online
  43. Hack Tools For Games
  44. What Is Hacking Tools
  45. How To Install Pentest Tools In Ubuntu
  46. Hacking Tools Software
  47. Hacking Tools For Windows 7
  48. Hacker Hardware Tools
  49. Hacking Tools Pc
  50. Nsa Hack Tools
  51. Hak5 Tools
  52. Android Hack Tools Github
  53. Hack Website Online Tool
  54. Hacking Tools For Games
  55. Hacker Tool Kit
  56. Pentest Tools Framework
  57. Pentest Tools Github
  58. Hack Tools 2019
  59. Hack Tools Download
  60. Hack Tools
  61. Easy Hack Tools
  62. Hacking Tools Download
  63. Hack Website Online Tool
  64. Hack Tool Apk No Root
  65. Hacking Tools
  66. Hack Tools 2019
  67. Hacker Tools For Ios
  68. Pentest Automation Tools
  69. New Hacker Tools
  70. Hacker Tools Windows
  71. Hack Website Online Tool
  72. Hack And Tools
  73. Hacking Tools Free Download
  74. Black Hat Hacker Tools
  75. Pentest Tools For Ubuntu
  76. Hack Tools
  77. Nsa Hacker Tools
  78. Hack Tools For Pc
  79. Tools Used For Hacking
  80. Hacking Tools For Windows
  81. Pentest Tools Linux
  82. Hack Tools Online
  83. Hacker Tools List
  84. Pentest Automation Tools
  85. Hack Tools For Pc
  86. Pentest Tools List
  87. Hack Tools For Pc
  88. Hak5 Tools
  89. Hacker Tools For Mac
  90. Pentest Tools Port Scanner
  91. Pentest Tools Find Subdomains
  92. New Hacker Tools
  93. Hack Tools For Games
  94. Hacking Tools
  95. Pentest Automation Tools
  96. Hack Tools For Mac
  97. Bluetooth Hacking Tools Kali
  98. Hacking Tools For Kali Linux
  99. Pentest Reporting Tools
  100. Android Hack Tools Github
  101. Hack Tools Download
  102. Pentest Tools List
  103. Nsa Hack Tools Download
  104. Hacking Tools For Windows 7
  105. Hacker Tools 2020
  106. Pentest Tools List
  107. Pentest Tools Download
  108. Hack Tools For Games
  109. Pentest Tools List
  110. Physical Pentest Tools
  111. Growth Hacker Tools
  112. Pentest Tools For Windows
  113. Hacker Tools Apk
  114. Hack Tools For Games
  115. Github Hacking Tools
  116. Hacking Tools For Windows 7
  117. Hack Website Online Tool
  118. Black Hat Hacker Tools
  119. What Are Hacking Tools
  120. Growth Hacker Tools
  121. Hacking Tools Pc
  122. Black Hat Hacker Tools
  123. Hack Tools Online
  124. Pentest Tools Apk
  125. Pentest Tools
  126. Hacking Tools And Software
  127. Pentest Tools For Windows
  128. Hacker Tools Apk Download
  129. Hacker Tools
  130. Pentest Tools Alternative
  131. Nsa Hack Tools
  132. Hack Tools Pc
  133. Hacker Techniques Tools And Incident Handling
  134. Hacker Tools Apk
  135. Hacking Tools For Windows 7
  136. Hacking Tools Mac
  137. How To Make Hacking Tools
  138. World No 1 Hacker Software
  139. What Are Hacking Tools
  140. Pentest Tools Online
  141. Hacker Tools Free
  142. Hack Tool Apk
  143. Pentest Tools Alternative
  144. Pentest Tools For Mac
  145. Hacking Tools Pc
  146. Hacker Tools Windows
  147. Usb Pentest Tools
  148. Hacker Tools 2019
  149. Top Pentest Tools
  150. Game Hacking
  151. Hacking Tools Github
  152. Usb Pentest Tools
  153. Hacking Tools Hardware
  154. Hacker Tools Free
  155. Hacker Tool Kit
  156. Pentest Box Tools Download
  157. Hacking Tools For Beginners
  158. New Hacker Tools
  159. Hacking Tools For Windows Free Download