BLEAH – A BLE Scanner For “Smart” Devices Hacking

A BLE scanner for “smart” devices hacking based on the bluepy library, dead easy to use because retarded devices should be dead easy to hack. Explanatory post and screenshots can be found here.

How to Install

Install bluepy from source:

git clone bluepy
python build
sudo python install

Then install bleah:

git clone bleah
python build
sudo python install

Usage

From the -h help menu:

usage: bleah [-h] [-i HCI] [-t TIMEOUT] [-s SENSITIVITY] [-b MAC] [-f] [-e] [-u UUID] [-d DATA] [-r DATAFILE]

optional arguments:
  -h, --help                              show this help message and exit
  -i HCI, --hci HCI                       HCI device index.
  -t TIMEOUT, --timeout TIMEOUT           Scan delay, 0 for continuous scanning.
  -s SENSITIVITY, --sensitivity SENSITIVITY
                                          dBm threshold.
  -b MAC, --mac MAC                       Filter by device address.
  -f, --force                             Try to connect even if the device doesn't allow to.
  -e, --enumerate                         Connect to available devices and perform services enumeration.
  -u UUID, --uuid UUID                    Write data to this characteristic UUID (requires --mac and --data).
  -d DATA, --data DATA                    Data to be written.
  -r DATAFILE, --datafile DATAFILE        Read data to be written from this file.

Examples

Keep scanning for BTLE devices:

sudo bleah -t0

Connect to a specific device and enumerate all the things:

sudo bleah -b "aa:bb:cc:dd:ee:ff" -e

Write the bytes hello world to a specific characteristic of the device:

sudo bleah -b "aa:bb:cc:dd:ee:ff" -u "c7d25540-31dd-11e2-81c1-0800200c9a66" -d "hello world"

Download BLEAH


Information gathering tool – OSINT

GasMasK is an Information gathering tool.

Download:

git clone

Information gathering sources: ask, bing, crt, dns, dogpile, github, google, googleplus, instagram, linkedin, netcraft, pgp, reddit, reverse dns, twitter, vhosts, virustotal, whois, yahoo, yandex, youtube …


One-Lin3r – Gives you one-liners that aids in penetration testing operations

One-Lin3r is a simple and light-weight framework inspired by the web-delivery module in Metasploit. It consists of various one-liners that aid in penetration testing operations:

Reverser: Give it IP & port and it returns a reverse shell liner ready for copy & paste.
Dropper: Give it an uploaded-backdoor URL and it returns a download-&-execute liner ready for copy & paste.
Other: Holds liners with general purpose to help in penetration testing (ex: Mimikatz, Powerup, etc…) on the trending OSes (Windows, Linux, and macOS). “More OSes can be added too”.

Features

Search for any one-liner in the database by its full name or partially.
You can add your own liners by following these steps to create a ".liner" file. Also you can send it to me directly and it will be added in the framework and credited with your name.
Autocomplete any framework command and recommendations in case of typos (in case you love hacking like movies).
Command line arguments can be used to give the framework a resource file to load and execute for automation.
The ability to reload the database if you added any liner without restarting the framework.
You can add any platform to the payloads database just by making a folder in the payloads folder and creating a ".liner" file there.
More…

The payloads database is not that big in the meantime because this is the first edition, but it will get bigger with updates and contributions.

Screenshots

Usage

Command line arguments

usage: [-h] [-r R] [-x X] [-q]

optional arguments:
  -h, --help    show this help message and exit
  -r            Execute a resource file (history file).
  -x            Execute a specific command (use ; for multiples).
  -q            Quit mode (no banner).

Framework commands

Command            Description
--------           -------------
help/?             Show this help menu
list/show          List payloads you can use in the …
…                  Search payloads for a specific one
use <payload>      Use an available payload
info <payload>     Get information about an available payload
banner             Display banner
reload/refresh     Reload the payloads database
check              Prints the core version and database version then checks for them online.
history            Display command line most important history from the beginning
save_history       Save command line history to a file
exit/quit          Exit the framework

Installing and requirements

To make the tool work at its best you must have:

Python 3.x or 2.x (preferred 3).
Linux (tested on Kali rolling) or Windows system (not tested yet on macOS but it should work).
The requirements mentioned in the next few lines.

Installing

For Windows (after downloading the ZIP and unzipping it):

cd One-Lin3r-master
python -m pip install -r win_requirements.txt
python -h

For Linux:

git clone
777 -R One-Lin3r
cd One-Lin3r
pip install -r requirements.txt
python -h

Video

Contact: Twitter

Download One-Lin3r


Disclosing stack data (stack frames, GS cookies etc.) from the default heap on Windows

In the previous blog post, I discussed a modest technique to “fix” the default process heap in order to prevent various Windows API functions from crashing, by replacing the corresponding field in PEB (Process Environment Block) with a freshly created heap. This of course assumes that the attacker has already achieved arbitrary code execution, or is […]


Slides about my Windows Metafile research (Ruxcon, PacSec) and fuzzing (Black Hat EU) now public

During the past few weeks, I travelled around the world to give talks at several great security conferences, such as Ruxcon (Melbourne, Australia), PacSec (Tokyo, Japan), Black Hat Europe (London, UK) and finally Security PWNing Conference (Warsaw, Poland). At a majority of the events, I presented the results of my Windows Metafile security research, which […]


Windows Kernel Local Denial-of-Service #3: nt!NtDuplicateToken (Windows 7-8)

This is the third post in a series about unpatched local Windows Kernel Denial-of-Service bugs. The list of previous posts published so far is as follows:

Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame (Windows 8-10)
Windows Kernel Local Denial-of-Service #1: win32k!NtUserThunkedMenuItemInfo (Windows 7-10)

As opposed to the two issues discussed before, today’s bug is not in the graphical […]


Windows Kernel Local Denial-of-Service #1: win32k!NtUserThunkedMenuItemInfo (Windows 7-10)

Back in 2013, Gynvael and I published the results of our research into discovering so-called double fetch vulnerabilities in operating system kernels, by running them in full software emulation mode inside of an IA-32 emulator called Bochs. The purpose of the emulation (and our custom embedded instrumentation) was to capture detailed information about accesses to user-mode memory […]


Windows Kernel Local Denial-of-Service #4: nt!NtAccessCheck and family (Windows 8-10)

After a short break, we’re back with another local Windows kernel DoS. As a quick reminder, this is the fourth post in the series, and links to the previous ones can be found below:

Windows Kernel Local Denial-of-Service #3: nt!NtDuplicateToken (Windows 7-8)
Windows Kernel Local Denial-of-Service #2: win32k!NtDCompositionBeginFrame (Windows 8-10)
Windows Kernel Local Denial-of-Service #1: […]