Tag Archives: hacking

Wifi tricks (public and limited networks)

(use your own discretion/risk)

When connecting to public Wi-Fi, watch what you are doing, it can be dangerous.
(Use a VPN whenever you can, like OpenVPN or Zerotier.)

But it also can be fun to have a look on those networks.

Sometimes there are IP camera’s you can find.
Use an App like Android TinyCam to scan for camera’s

I found at least 5 this way. Getting access, is something else.
One had access to RTSP without password. 🙂
But I found IP camera’s in the wild using a default password also.
(Just google for default passwords. Don’t know the brand of the device? Sometimes you can use the OUI (Organizationally Unique Identifier) part of the Mac Address to find the brand)

Other fun things to scan for are devices you can cast to!

At one time I was in Woerden, getting my Car fixed.
I started working on my Laptop using their guest Wi-Fi.
And checking out the network, I saw some TVs with Casting enabled.
Let’s Cast a Youtube video with a fireplace to it.
Next moment, the display behind the desks started playing the video.
The guys behind the desk were not facing the display.

I tried to revert my test, but I could not found/start the original cast stream.
I told them to get this fixed, and the network security.

Another idea is to scan for hidden camera’s in Hotels or B&Bs.
(There are more tricks to find these, like Flir/IR)

Some Hotels or B&B have a paid Wifi or a one device only policy.

Some tricks for that are:

Using a device which acts as an Access Point/Router.

I started using this trick with a Ravpower (RP-WD01)

I used this device to copy my Nikon photos to an external storage device.

I patched the OS on this Linux device.
Now it autocopied files from sdcard to usb-drive when inserted.

But it also could act as an AccessPoint.
Laptops/tablets and phones can connect using this hotspot.

After that I used a WD device in the same way.

After that I made a mini AP using a Raspberry PI.

When connecting with the first device which was a phone, I wanted to switch to an accesspoint.
So I spoofed the MAC address of the my AP, because it was mac-address locked in the B&B’s main access point.

Now it’s even easier, current mobile phone’s have dual Wi-Fi interfaces.
Connecting to an AP and at the same time setting up a hotspot is a breeze.
(Not that this is needed any more, Wi-Fi is not limited to one device any more. And mobile internet is almost everywhere)

Some access points still require payment, or you don’t know the password.

Some tricks below (use wisely):

Access point with a captive portal:
These are not protected initially.
But you have to enter a username/password to gain access to the internet.

  1. Try to start a VPN client (without logging into the captive portal)
    Sometimes those ports are not blocked.
    (Even more change to use UDP instead of TCP, try zerotier)
  2. Sometimes only DNS works though those AP’s.
    Then you could use a DNS tunnel. This is a method to embed your network traffic in DNS packages. (Note: you have to make your own DNS tunnel server!) https://github.com/yarrick/iodine
  3. Copy the Captive Portal website, write some logging code. And start AP using the same SSID you want the credentials for.
    Get close to someone using the real AP, so they try to log into your fake AP, using their credentials.
    (This is also illegal, and I won’t post code to do this.)

Fixing a WD My passport not working in New Zealand

I’ve got a backup disk for my photos.
You can connect it via USB and has a SDCard slot for your camera SDCards.
You can also connect to is using it as a Wifi Access Point.
(You can even install twonky!)

The cardreader should automatically copy a inserted card to its internal harddrive.
I’ve tested this at home, but here in New Zealand it woudn’t work.

So i started investigating.
(I was in the middle of nowhere, so I could not search for answers.)

I’ve got the juice ssh client on my phone.
Connecting to the AP will give you a IP, but whats the IP from de WD?
Just use JuiceSSH to make a local connection (to your android) first.
And type: ip neigh
This will give you the ip from neighbouring devices, thats only one .. the WD.

Connect to the WD with ssh using root@IPNUMMER (password should be same as you configured the device with)

Looking at the logs gave me some idea where the problem was.

It would not mount the sdcard! Why, that one is working.
(In de Nikon Camera and using a cardreader with OTG on my android)

I first wrote my own mounter and copy program. That worked, so i could at least backup my photos.
Now I could search for the problem.

My backup script named “script”

mkdir /tmp/fash ; mount /dev/mmcblk0p1 /tmp/fash mounts okay!

The sdmount.sh has a problem, it uses the timezone in its script.
This will work when in GMT+12 -> GMT-12.
But we are in NZ .. thats GMT+13

Removing some checks in above script (sdmount.sh)
(Adding timeoffset_min=8)
Made the script work for me again.
When I got home from our trip, I flashed a new firmware version on the device, which corrected the problem.

Reverse engineering a alpha ticker led scoller

Cobra from the Icecrew got his hands on some Led scrollers.

But they only had a windows program to controll these, so we started some reverseengineering.

First we had to make a serial cable.
(Now we could easily use a logic analyser with protocol decoding)

Next i made a sniffer .. because we only had a windows program to control the display.
So we used a windows machine to control the display by serial, and using a read line to a linux machine to stiff the serial traffic

After some tinkering .. we got this

So we wrote some software to control it using Linux

Some code

# Get the attention of the sign
print "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
# Tell the sign to print the message
$message = "���������������������    ";
print "\001" . "Z" . "01" . "\002" . "AA" . "\x1B" . " b" . $message . "\004";
#print "\001" . "Z" . "01" . "\002" . "AA" . "\x1B" . " a" . $message . 

print "\0\0\0\0\0\001" . "Z" . "00" . "\002" . "AA" . "\x1B" . " b" . "Test Message" . "\004";

# Get the attention of the sign
print "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";
# Tell the sign to print the message
$message = "<<<<<<<<<<<<<<<<";
#print "\001" . "Z" . "01" . "\002" . "AA" . "\x1B" . " b" . $message . "\004";
print "\001" . "Z" . "01" . "\002" . "AA" . "\x1B" . " a" . $message . "\004";

A few days later i wrote a controller using glade. (Could not find more code)

Some time later we found some datasheets which could have helped!