Jason Gardner's Cybersecurity Research Blog

Advanced Detection and Mitigation of Rogue Base Stations Using RayHunter & a Rooted 4G Hotspot //////////////////////////////////////////////////////////////////////////// // As mobile networks become increasingly sophisticated, so do the tools // // and techniques used by adversaries to exploit them. // // // // Rogue base stations, also known as IMSI catchers or stingrays, // // pose a critical threat to mobile networks. They are capable of // // intercepting communications, tracking devices, and even launching // // denial-of-service attacks. // // // // Tools like RayHunter are invaluable for detecting such threats // // by analyzing LTE paging messages and other signaling activities. // ///////////////////////////...

This blog post covers an interesting vulnerability that was just discovered earlier this year and an open source free tool that was created to automate testing for this vulnerability in Bluetooth devices.  I will preface this with the warning that this is of course done in my personal testing lab environment with my own devices for learning and demonstration purposes. I am in no way encouraging that these tools, snippets of code or techniques be used maliciously as there can be very serious legal consequences for those that use these hacking tricks nefariously. However, in a personal testing lab environment I think this is great for learning and allows someone to quickly be able to confirm or deny if their personal devices are truly standing up to the Bluetooth CVE of CVE-2023-45866 . CVE-2023-45866 is described as an issue where the " Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept...

Legal Disclaimer: GSM Research and Passive Traffic Monitoring ‘The information provided in this blog is for educational and informational purposes only. The author and publisher of this blog are not responsible for any misuse, illegal activities, or damages that may arise from the use of the information provided herein. The author conducted research using two Samsung phones and a BladeRF with YateBTS to create a small-scale GSM network for the purpose of analyzing and intercepting traffic. It is important to note that intercepting or tampering with wireless communication without proper authorization is illegal in many jurisdictions. The author undertook this research within a controlled and lawful environment, and any techniques or findings described in this blog should not be replicated or applied in unauthorized or illegal activities. The author strongly advises against engaging in any illegal activities, including but not limited to intercepting or tampering with wireless communicat...

So to start off I repurposed the first honeypot I had created a couple of months ago. This was quite similar to flashing the microSD the first time so I won't go into the details again. You can read more about Kali for Raspberry PI here . This is really cool because once you flash the Kali image onto the SSD with the addition of a battery pack you have now created a portable Kali machine that is ready to take with you on all sorts of adventures. Please remember to only test on things that you have permission to do so. An easy way is to just test against your own devices and I will show a few examples below of some fun things I found going a little deeper into my security research on Wi-Fi. So in the first honeypot I created before I had simple logging capabilities if a rogue device where to connect to my access point. I had at least a mac address and minimal information about the device. So that was interesting but I wanted to go a bit further and see what else you could do. I d...

This was a fun project to work on and build out. I learned a few new interesting tricks along the way. I started with this tutorial from 2013 by Andy Smith . However, a few things have changed with hostapd that I had to figure out through debugging. Also, the configuration of the nginx server as well as dnsmasq were slightly different for me using the new Raspbian Buster for Raspberry Pi 4.  This should save you some time if you follow my trick tips later on in the article that I found by searching through various message boards and googling error messages as I did debugging to get this working properly. I have gone over setting up nginx servers in previous articles so if you need help with getting started these may be helpful. So first things first. I started with a canakit and assembled the raspberry pi with the appropriate heat sinks and a little fan set to a standard speed. The speed is adjusted by how you install the wiring. If you haven't done this before you can follow the ...

So in preparation for the OSCP and to get better at understanding security vulnerabilities I have been doing what are commonly referred to as capture the flag challenges. Here I will go over a unique vulnerability that allows remote access to a "user.txt" file and a "root.txt" file. The root.txt file can only be acquired remotely if I can gain remote command execution as the root or system user. Since this is a Linux based system I will be trying to escalate my privileges up to root so I can control the system and do the file retrieval.  The biggest and initial step is enumeration. So far I just know there is a box with an IPv4 address of 10.10.10.140. From the name I can assume perhaps that this is a shop of some kind but that is all the initial information given. In essence this CTF is mirroring what you would refer to as black box testing in a security or penetration testing job. Here perhaps a shop owner is concerned about their security and would like to see wh...