Archive for the ‘Security’ Category

Revirginize and unlock iPhone to 1.1.2

Sunday, December 30th, 2007


If your iPhone came with 4.02.13_G (aka 1.1.2) OUT OF THE BOX then do NOT use this unlock as it does not work with bootloaders other than BOOT03.09_M3S2. New iPhones (and all U.K. and German iPhones) come out of the box with BOOT04.06_M3S2.

Here are the instructions for updating your iPhone to the latest firmware and then unlocking it. (IMPORTANT: DO NOT SKIP ANY STEP OR INTERCHANGE THEIR ORDER.)

Downgrade the baseband firmware:

1. Make sure the Modem version is 04.02.13_G in Settings > General > About.

2. Set Settings > General > Auto-Lock > Never.

3. Start Installer and install BSD SubSystem found in System Category.

4. Go to Sources and tap edit and add http://i.unlock.no/

5. Now install “BB Downgrader (1.1.2)” found in Unlocking Tools category. This will take around 5 minutes.

6. When done, restore your phone to get the 1.1.1 firmware reinstalled. (You can do this using iTunes; choose the firmware manually.)

7. When the phone has been restored, you can activate it using the following method.


Bypass activation and prepare phone for software installation

1. Make sure you have a SIM-card with PIN turned off, and power on your phone (the supplied AT&T card works fine).

2. On the activation screen, slide for emergency and dial: *#301# to make the phone call itself. (If the incoming call dialog quickly disappears but it keeps ringing, just dial 0 (remove *#301# first), and it will call itself)

3. Answer the call, and tap on Hold

4. The phone will call itself again; tap Decline. You will now be returned to the normal dialer.

5. Tap on Contacts, and tap the + icon to add a new contact. The only info you are going to add to this contact is two URLs. To add a URL, tap Add new URL. The first URL is prefs followed by a colon (prefs:) and the second is jailbreakme.com. Tap Save.

6. Your contact now has two “web pages” - tap on the first one (prefs:). This will take you to the Settings dialog. You want this because you need to connect to a Wi-Fi network, so tap on Wi-Fi, connect to a network, and make sure the icon at the top of the screen indicates that you are connected. While you are in the Settings dialog, you should also set General > Auto-Lock > Never.

7. Now, press the home button, and again, slide for emergency dial 0, Answer the call, Hold and Decline the new call so that you get to the contacts. Tap on your contact (No Name), and this time tap on the other home page, jailbreakme.com

8. Safari will launch and show you a web page. Read through the text before you tap Install AppSnapp.

9. Phone will return to activation screen, but don’t panic, just wait.

10. Phone should automatically restart after almost a minute or two.

11. When the phone starts again, it should no longer say Slide for emergency but rather Slide to unlock. This means it was successful! Activation is now bypassed, and the phone is prepared for software installation!

At this stage you will have a working 1.1.1/04.01.13_G iPhone in sim unlocked status.

This is what you need to do to make it a 1.1.2/04.02.13_G:

1. Run Oktoprep via Installer

2. Update to 1.1.2 via iTunes. After the update, leave the iPhone connected until iTunes “sees it”, then close iTunes.

3. Jailbreak (http://conceitedsoftware.com/iphone/1.1.2-jailbreak.zip)
3.a Install BSD Subsystem via Installer

4. In Installer add rep.frenchiphone.com or hacktheiphone.com/1.xml to your installer source and then Install AnySIM 1.2.1u from the installer. Reboot iPhone!

5. Put the iPhone in Airplane Mode!!! Run AnySIM 1.2.1u! After it has completed, go to Settings > Airplane Mode and set it to OFF; now you will get signal bars!

6. !!! IMPORTANT !!!

If you are outside the US, SMS and Phone will NOT work right away. To “FIX IT”, install iWorld via Installer (in the Tweaks 1.1.2 category), run it, choose your country and reboot (do it manually if the automatic reboot doesn’t work).

By now you will have a 1.1.2/04.02.13_G (latest firmware) iPhone in sim unlocked status. You can start using your phone right away.

Note: The credit for the iPhone unlocks goes to the iPhone Dev/Elite Teams.

Revirginize and unlock iPhone to 1.1.1

Friday, November 9th, 2007


My first article explains the steps to activate/jailbreak and unlock a new iPhone to firmware 1.1.1. This article instead explains the steps to revirginize an iPhone which has been unlocked with AnySim 1.0 or most other unlocking tools apart from iPhoneSimFree and AnySim 1.1.

To revirginize:

01. Download the BSD subsystem.
02. Download the tools (virginizer_pack) to flash the baseband.
03. Connect the iPhone to WiFi so that you can access it over WiFi.
04. Copy the BSD subsystem and virginizer_pack to the iPhone using SCP.
05. SSH to the iPhone.
06. Back up the seczone.
07. Run the virginizing tools to flash the baseband to the original 03.14.08.

Now I have a virgin iPhone.

08. Using iTunes update the firmware to 1.1.1
09. Activate iPhone using Independence.
10. Jailbreak iPhone (this would be done automatically in step 09).
11. Install SSH on iPhone via Independence.

Now to unlock the iPhone so that it works on my non AT&T sim.

12. Download AnySim 1.1
13. Copy AnySim 1.1 to the iPhone using Independence
14. Run AnySim 1.1 and follow instructions.

Hooray, now I have revirginized an iPhone which was unlocked using AnySim 1.0 earlier, and activated, jailbroken and unlocked it with firmware 1.1.1 so that it works on my non-AT&T SIM.

Unlocking new iPhone with firmware 1.1.1

Friday, November 9th, 2007


Unlocking an iPhone is just a snap if you are familiar with Unix commands and use Mac OS X.

My first try was with a totally new iPhone (firmware 1.1.1). Below are the steps I used to activate, jailbreak and unlock the iPhone with the 1.1.1 update.

01. Used my non AT&T sim in the phone.
02. Use Independence to take the iPhone to Recovery mode.
03. Download the firmware 1.0.2 from Apple site.
04. Restore the 1.0.2 firmware to the iPhone using iTunes.
05. Wait for iTunes to finish, once done Quit iTunes.
06. Launch Independence again to get the iPhone out of recovery mode.

Now I have the iPhone on firmware 1.0.2.

Now to upgrade it back to 1.1.1 so that I can activate/jailbreak the iPhone.

(Please note that if you have used anySIM 1.0 or other older free SIM unlocking solutions (anything except anySIM 1.1 and iPhoneSimFree) to SIM unlock your phone, and you upgrade to 1.1.1, it will wipe out the SIM unlock and render the phone and text message parts of your phone inoperable. Everything else will work though.)

07. Launch Independence and activate the iPhone.
08. Use Independence to Jailbreak the iPhone.
09. Install SSH on iPhone via Independence.
10. Connect the iPhone to WiFi so that I can access iPhone over WiFi.
11. Do a Pre 1.1.1 upgrade using Independence.
12. Using iTunes update the firmware to 1.1.1
13. Activate iPhone using Independence.
14. Jailbreak iPhone (this would be done automatically in step 13).
15. Install SSH on iPhone via Independence.

Now to unlock the iPhone so that it works on my non AT&T sim.

16. Download AnySim 1.1
17. Copy AnySim 1.1 to the iPhone using Independence
18. Run AnySim 1.1 and follow instructions.

Hooray, now I have an activated, jailbroken and unlocked iPhone with firmware 1.1.1 which works on my non-AT&T SIM.

Assess your knowledge at Brainbench.com

Saturday, December 30th, 2006

Brainbench’s advanced assessment products and services make it easy for you to predict employee success by identifying the best match to the essential aspects of the job. Brainbench offers various assessment products for both employment testing and pre-employment testing, including personality assessments, aptitude tests, and skills tests. Brainbench assessments can be delivered as either proctored or online testing.

Don’t cheat yourself; do an assessment. I did my assessment and here goes my transcript.

My Brainbench Transcript

Free Wi-Fi at Colombo City Hotel

Wednesday, December 13th, 2006

It was my first visit to Colombo during May 2006 and I came with my colleagues for a business meeting and stopped at Colombo City Hotel which offers Affordable Star Class Accommodation in Colombo. The hotel is situated in the heart of the city of Colombo adjoining the World Trade Centre and the port of Colombo in close proximity to all Commercial Banks and Government Institutions. It was a perfect destination for a business traveler.

Here goes a location map of the hotel.


I was in Room 405 and could see the Hilton, the World Trade Centre and the Bank of Ceylon building clearly from my room. The hotel does have ADSL and paid Wi-Fi Internet, but I thought I would try to see whether there were any free Wi-Fi networks around which I could use to go online and check my mail for free.

I just opened my iBook and immediately found an access point with the SSID tsunami, which was wide open and free to access. I used it to check my mail and chat directly from my room for the 3 days we stayed at the hotel. The speed was unbelievable; the speed I get back at home is not even comparable to what I got here. It took me less than a minute to download a 29 MB file from the ROL server.

My second trip to Colombo was to take my wife for the delivery of our baby. We came to Colombo on 2nd December and decided to stop at Colombo City Hotel once again before I could find a place for us to stay here for 2 months. This time we were in Room 306 and I got almost the same view from the hotel room as on my previous trip.

I opened my iBook and fired up KisMac to check for the available networks. KisMac came up with 22 wireless networks, of which 16 had no security, 3 were WEP encrypted and 3 were WPA encrypted. This means 73% are either not aware of wireless security or do not bother to secure their networks. Guess what! These networks could be from some big office in the World Trade Center! Here goes the screenshot of KisMac while scanning.


This time the signal from tsunami was very weak and I had to find another one which would let me go online with a stable connection. I was able to connect to both the aztech network and the Firecracker55 network. In order not to leech the total bandwidth of a single connection, I connected my Compaq laptop running Windows XP Pro to Firecracker55 for my wife to use and connected my iBook to the aztech network.

I was connected to aztech but still could not go online. I fired up Firefox and tried to connect to the gateway IP of this aztech network, and there was the ADSL router configuration page. I was able to log in even without a password. On the configuration page I found that the ADSL interface of the router was not up. To bring the interface up, I pressed the Connect button on the configuration page, opened a new tab in Firefox and browsed to google.com to see if I was online. I was online: there was my google.lk page.

Whenever I had some free time, I tried to peek into the security of the other networks I could see. I found out that even though linksys does not use any security, it has MAC filtering on so that only allowed wireless devices whose MAC addresses are in its database can connect. I had the MAC Address Changer which I discussed in my earlier post, which I used to change the MAC address of my Windows laptop to see if I could connect to the linksys network. Here again I was able to bypass the MAC filtering implemented on the linksys network.

Don’t you think these people should be aware of such security issues before implementing wireless networks like this?

False Sense of Wireless Security

Sunday, October 1st, 2006

Many of the wireless networks I have come across around Male’ during our wardriving are lulled into the false sense of security that if they have WEP and MAC address filters set up on their Access Points / Wireless Routers they are secure.

They are totally mistaken; WEP is easy to break and MAC filters are even easier to bypass.

For those of you Windows users, Code Project has written a freeware MAC Address changer which is available at the Code Project site.

MAC Address Changer is very easy and simple to use. Using this tool is as simple as choosing your desired network card from the drop down combo box, entering a new MAC address, then press the Change MAC ID button.

Try it out to see how easy it is to circumvent the MAC filtering rules you setup on your Access Points and Wireless Routers.
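The two posts above make the same point from two sides: the KisMac count (22 networks, 16 open, 3 WEP, 3 WPA) and the observation that a MAC filter on an otherwise open network stops nobody. A defender auditing a scan should therefore classify WEP as broken and ignore MAC filtering when deciding whether a network is protected. The following Python is an added example, not code from the original posts or from KisMac; the scan records, their three-column layout (SSID, encryption label, MAC filter in use) and the SSIDs other than those named in the Colombo post are constructed for the example and do not follow KisMac’s real export format.

```python
from collections import Counter

# Constructed scan records (not KisMac's real export format):
# (ssid, encryption label as the scanner printed it, mac_filter_in_use).
SAMPLE_SCAN = [
    ("tsunami", "NO", False),
    ("aztech", "NO", False),
    ("Firecracker55", "NO", False),
    ("linksys", "NO", True),        # open, but relies on MAC filtering
    ("office-a", "WEP", False),
    ("office-b", "WEP", True),
    ("corp-wifi", "WPA", False),
    ("corp-guest", "WPA2", False),
]


def classify(encryption, mac_filter):
    """Map a scanner's encryption label to a risk level and a reason.

    A MAC filter never upgrades the level: client addresses are visible on
    the air and trivially spoofed, so an open network with a filter is still open.
    """
    enc = encryption.strip().upper()
    if enc in ("", "NO", "NONE", "OPEN"):
        reason = "MAC filtering only; client addresses are spoofable" if mac_filter else "no encryption"
        return "open", reason
    if enc == "WEP":
        return "broken", "WEP key recoverable from captured traffic"
    if enc.startswith("WPA"):
        return "ok", f"{enc} in use"
    return "unknown", f"unrecognised label {encryption!r}"


def summarize(scan):
    """Return counts, the share of open and of open-or-WEP networks, and per-network findings."""
    counts = Counter()
    findings = []
    for ssid, enc, mac_filter in scan:
        level, reason = classify(enc, mac_filter)
        counts[level] += 1
        if level != "ok":
            findings.append((ssid, level, reason))
    total = len(scan)
    return {
        "total": total,
        "counts": dict(counts),
        "open_pct": round(100 * counts["open"] / total),
        "open_or_wep_pct": round(100 * (counts["open"] + counts["broken"]) / total),
        "findings": findings,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_SCAN)
    print(f"{report['total']} networks: {report['open_pct']}% open, "
          f"{report['open_or_wep_pct']}% open or WEP")
    for ssid, level, reason in report["findings"]:
        print(f"  {ssid:<15} {level:<8} {reason}")
```

Fed the Colombo counts (16 open, 3 WEP, 3 WPA out of 22), summarize() reports 73% open, the figure quoted in that post, and 86% once WEP is counted as broken; the linksys entry lands in the findings with its MAC filter named as the only “protection”.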

Dhiraagu vulnerable to Social Engineering

Thursday, June 1st, 2006

This is the details of a social engineering attack pulled on Dhiraagu (for a good cause again).

What is Social Engineering?

Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of the people to obtain information with or without the use of technology.

The texts in italics in this article are extracts from the book “Art of Deception” by Kevin D. Mitnick that gives you details of the tricks of social engineering attacks used in the case.

A friend of mine called me to help him with his ADSL connection, which keeps dropping the signal every 2 seconds. They had recently moved to this new building and Dhiraagu had moved their ADSL to this new building as well. I went to meet him at around 17:30 hrs on a Thursday.

I asked my friend for the username and password of his ADSL router in order to find out what could be wrong. He didn’t have that information, as usual with most of us who don’t keep that type of information in a safe place. I then asked him whether he had the ADSL username and password in case I had to reset the router back to factory settings to access it. He didn’t have that either.

I called up Dhiraagu 123 from my mobile (which has no relation to the address where the ADSL was connected) and directly told the guy that I don’t have my username and password of my ADSL connection and the only information which I can give him is the address where the ADSL is connected to.

The Direct Attack: Just Asking for It

Anybody gutsy enough to call and claim to be the owner or whatever will likely be taken at his word. Unless it’s obvious that he doesn’t know the terminology, or if he’s nervous and stumbles over his words, or in some other way doesn’t sound authentic, he may not even be asked a single question to verify his claim. That’s exactly what happened here with the support person.

The guy looked up the database and simply gave me the username. I then asked for the password, and he gave me that too. Then I asked him for the username of the ADSL router (which Dhiraagu provides), and he gave me the username and password for the router as well.

The Direct Attack: Just Asking for It

Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.

A skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.

Knowledge of a company’s lingo, and of its corporate structure—its various office and departments, what each does and what information each has—is part of the essential bag of tricks of the successful social engineer.

What if somebody uses Social Engineering to harm these organisations and its customers?

A Real Social Engineering Case

Sunday, May 28th, 2006

A few days back I was assigned a project to get back a domain from a couple of guys who took it over. The project also had a limited time to complete.

The main purpose of me attending to this job is to prove to my friends, colleagues and associates that anything can be achieved if you set it in your mind no matter how difficult the process is. Also this was an opportunity for me to try and test my social engineering (for a good cause) and technological skills.

What is Social Engineering?

Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of the people to obtain information with or without the use of technology.

The following is a real case of social engineering. I have changed the names of the domain, the registrar and some other things in order not to reveal the real identities involved. The texts in italics in this article are extracts from the book “Art of Deception” by Kevin D. Mitnick that gives you details of the tricks of social engineering attacks used in the case.

Project: Getting back the domain.com
Project Code Name: domain
Type of work: Combination of Technology and Social Engineering.

Details:

Domain.com has been taken over by someone and it has to be retrieved back at the earliest.

Tasks:
1. Getting the domain back

How it was done:

Looking at the situation from different angles, it was believed that the best approach to this task would be to attempt a combination of technology and social engineering attack rather than a technological one alone.

Getting the Domain.

Contacted the Domain Registrar to see how the Administrative email can be changed as soon as possible to retrieve the password for the domain.

Played the sympathy role with a story of an ex administrator taking away all the passwords when he left the company. Also played dumb to get the support guy to give me specific information on how to fill in the form to reset the administrative account.

Can You Help Me?

The social engineer manipulates by pretending he needs the other person to help him. We can all sympathize with people in a tight spot, and the approach proves effective over and over again in allowing a social engineer to reach his goal.

The attacker asked the organisation’s support personnel to walk him through the steps of a form-filling process he didn’t know how to do. A powerful and effective turning of the tables: this is the equivalent of asking the owner of a store to help you carry a box containing items you’ve just stolen from his shelves out to your car.

The Administrative email was successfully changed and the domain password was retrieved. After logging in to the system using this password, I came to know I was in for more trouble, as this domain account resides in another main account (known as a One Click Domain Manager or OCDM account). The password to this OCDM account still resided with the guys who took over this domain.

The next attempt was to see how powerful this so called OCDM account is. In order to learn about this OCDM account, its capabilities and how the total system works, I created my own OCDM account. This led me to learn all the capabilities of this OCDM account.

After using the OCDM account for a couple of minutes, I found out that a domain can be imported into an OCDM if I know the password of that domain. Since I had the password to domain.com, I tried importing it into my OCDM account and came to know that domain.com first has to be removed from the original OCDM account in which it resides now. Only then would I be able to import it into my OCDM account.

I took advantage of the above by finding out the details of how the OCDM accounts work and the lingo and asking directly for it.

Trust:

Think of your own attitude when somebody you don’t know asks you for something. If a shabby stranger comes to your door, you’re not likely to let him in; if a stranger comes to your door nicely dressed, shoes shined, hair perfect, with polite manner and a smile, you’re likely to be much less suspicious.

What’s less obvious is that we judge people on the telephone the same way. Does this person sound like he’s trying to sell me something? Is he friendly and outgoing or do I sense some kind of hostility or pressure? Does he or she have the speech of an educated person? We judge these things and perhaps a dozen others unconsciously, in a flash, often in the first few moments of the conversation.

It’s natural for people to have a higher degree of acceptance for anyone who claims to be a fellow employee, customer and who knows the company procedures and lingo.

I called up Domain Registrar support again and told the support guy that I was having problems logging into my OCDM and that I had been managing my domain with the domain password. I also explained to him that I had created another OCDM and that I needed to move my domain (domain.com) into it. I then explained to him that I was unable to do so as it resides in the old OCDM account, which I could not access because I had forgotten the password for it. The very helpful support guy Mr. …… (he feels sorry and bends the rules a little to help the poor customer) assured me that he would remove my domain from my old OCDM so that I could import it into my OCDM.

The Direct Attack: Just Asking for It

Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.

A skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.

Knowledge of a company’s lingo, and of its corporate structure—its various office and departments, what each does and what information each has—is part of the essential bag of tricks of the successful social engineer.

After waiting 4 hours for it to be removed from the old OCDM, I called up the Domain Registrar support again and told the support guy that I needed to get my domain removed from the old OCDM and that his colleague Mr. ….. had assured me 4 hours earlier that he would do it, but it had not been done yet. (Feeling guilty about what his co-worker couldn’t do, he bends the rules a little to help out a fellow employee who couldn’t provide support to this customer.) This support guy assured me that it would be done in 5 minutes, and he proved it by removing the domain from the old OCDM. At last I was able to move the domain to my new OCDM and take total control of the domain.

Using Sympathy, Guilt and Intimidation

A social engineer uses the psychology of influence to lead his target to comply with his request. Skilled social engineers are very adept at developing a ruse that stimulates emotions, such as fear, excitement, or guilt. They do this by using psychological triggers—automatic mechanisms that lead people to respond to requests without in-depth analysis of all the available information. Sympathy, guilt and intimidation are three very popular psychological triggers used by social engineers.

We all want to avoid difficult situations for ourselves and others. Based on this positive impulse, the attacker can play on a person’s sympathy, make his victim feel guilty, or use intimidation as a weapon.

The emotional ploy of “I’m in trouble, won’t you help me?” was all it took to win.

Anybody gutsy enough to call and claim to be the owner or whatever will likely be taken at his word. Unless it’s obvious that he doesn’t know the terminology, or if he’s nervous and stumbles over his words, or in some other way doesn’t sound authentic, he may not even be asked a single question to verify his claim. That’s exactly what happened here with two different support personnel.

The domain is now in my full control and the job is completed.

Conclusion

The impossible was made possible after all with a few tricks of social engineering and learning a bit of technology.

During this process, I found out that every organization or company be it government or private is vulnerable to such social engineering attacks. The organization for which I did this work was also vulnerable to such attacks.

How Secure is ROL’s high speed network? How Secure is your Data?

Friday, January 13th, 2006

A boring week with nothing much to do or to celebrate, so I connected an RF splitter to the J-SAT cable at our home to split the CATV cable and connected a cable modem. The cable did not lock, as the power was way too low due to the splitting. We had another cable from MESCO which doesn’t have any splits, so I just split that into two and then connected the cable modem. Bingo, my modem signal was locked. Before I go any further, let me try to give you all some info about the type of VPN ROL uses now.

ROL is running on PPTP-VPNs now! What is a PPTP-VPN?

PPTP VPNs offer legacy authentication mechanisms such as PAP, CHAP, MS-CHAP, and MS-CHAPv2, with the strongest being MS-CHAPv2. MS-CHAPv2 is also used in Cisco’s LEAP and EAP-FAST phase-0. MS-CHAPv2 can be broken using the ASLEAP cracking tool for Linux and Windows. A tutorial exploiting the weakness of PPTP-VPN with Asleap and Auditor can be found here

PPTP tunnels use an IP connection to form an encrypted tunnel for data transport. The tunnel has its own IP subnet (in the case of ROL, 202.21.*.), and after the tunnel is formed between client and server, a static route is entered into both hosts so that all future data traffic is sent through the tunnel. However, the original IP subnet (in the case of ROL on jsat cable, 10.99.*.) on the Hybrid Fibre Coax (HFC) network can still be used for data transfer, such as port scanners and other hacking tools. The high-speed connectivity over the HFC network not only makes it quicker, easier and cheaper for customers to get the service but also enables Whackers (black hat hackers) to enjoy a number of open ports and services that are in the pipeline. Without a personal firewall in place, the client and server devices are still open to IP attacks.

PPTP uses Microsoft Point-to-Point Encryption, which uses the RC4 stream cipher. While MPPE-128 is a reasonably strong encryption scheme, it’s the authentication mechanism (MS-CHAPv2) that makes PPTP weak.
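The PPTP weaknesses described above are mostly a matter of which authentication and encryption options the server will negotiate, so the first thing to check on a pppd-based PPTP server is its options file. The following Python is an added example, not code from the original post or from the pppd project: the two options files are constructed for the example, the option names it looks for (refuse-pap, refuse-chap, refuse-mschap, refuse-mschap-v2, require-mschap-v2, require-mppe-128, nomppe, mppe-stateful) are real pppd options, and the finding texts are this example’s own wording. Even the hardened file still yields one finding, because MS-CHAPv2 is the best PPTP can do and the post above explains why that is not enough.

```python
# Authentication methods pppd accepts unless the matching refuse-* option is
# present, with the reason each is a liability on a PPTP link.
WEAK_AUTH = {
    "pap": "password sent in cleartext",
    "chap": "MD5 challenge/response, brute-forceable offline",
    "mschap": "MS-CHAPv1, weaker than v2 and long deprecated",
}

# Constructed options files for the example (not taken from any real server).
WEAK_OPTIONS = """\
# permissive configuration: every auth method pppd knows is allowed
name pptpd
auth
lock
proxyarp
nodefaultroute
"""

HARDENED_OPTIONS = """\
# refuse everything below MS-CHAPv2 and insist on 128-bit MPPE
name pptpd
auth
lock
proxyarp
nodefaultroute
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
"""


def parse_ppp_options(text):
    """Return the set of option names in a pppd-style options file
    (one option per line, '#' starts a comment, first token is the name)."""
    opts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            opts.add(line.split()[0])
    return opts


def audit_ppp_options(text):
    """Return a list of finding strings; an empty list means nothing to report."""
    opts = parse_ppp_options(text)
    findings = []
    for proto, why in WEAK_AUTH.items():
        if f"refuse-{proto}" not in opts:
            findings.append(f"{proto} accepted (refuse-{proto} missing): {why}")
    if "nomppe" in opts:
        findings.append("nomppe set: PPP frames cross the tunnel unencrypted")
    elif "require-mppe-128" not in opts:
        findings.append("require-mppe-128 missing: peer may negotiate 40-bit MPPE or no encryption")
    if "mppe-stateful" in opts:
        findings.append("mppe-stateful set: pppd disallows stateful MPPE by default; keep it stateless")
    if "refuse-mschap-v2" not in opts:
        findings.append("mschap-v2 accepted: residual risk, its challenge/response "
                        "can be cracked offline as described above")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(f"[{label}]")
        for finding in audit_ppp_options(text):
            print("  -", finding)
```

Run against a real server, point parse_ppp_options() at the contents of the options file pppd is started with; the audit is deliberately conservative and reports an option as missing rather than guessing at pppd’s compiled-in defaults.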

Connecting to ROL HFC Network:

Then I connected an Ethernet cable between my laptop and the modem and got an IP from the 10.99. range (the original IP subnet). I fired up Nmap to see if there were any open ports and found some machines with port 80 open, ran Firefox and connected to one of those machines. Firefox brought me to a web page of some sort of web server called WAMPP with access to a MySQL database. I was even able to create my own databases without any authentication. Could this be a machine of an individual user? Could this be a machine of ROL? I leave it for the readers to do their own research and find out for themselves. (Hint: There are other interesting ports too!)

Before turning my mind to other interesting ports, I stumbled into ROL’s Subscriber Management Software, which runs on IP 202.21.176.234 externally and IP 192.168.50.1 internally. They run really interesting software called Log2Space from Spacecom Technologies Limited, India. Those of you who are interested in learning how this software works can see a demo of it on the Spacecom website. Click here for a demo.

Did some further scanning and ran a couple of tools by pressing keys and buttons here and there, and I couldn’t even believe my eyes at where I ended up. Where was I walking into wearing the dark black coat? In fact I was in a position to map the whole network with more than 20 different segments and was also in a position to throw individual users, or a whole bunch of users, off the network by pressing a couple of buttons. For those of you who are interested in the logical design of the ROL network, you may download this Visio network map of ROL.

For a second I thought, is this the security we talk about? Is this the industry standards and practices that ROL follows as required of an ISP (Internet Service Provider)?

A word to the tech team at ROL: Don’t mislead your Managing Director in to thinking that you have the best security that is up to the industry standards. Humans do make mistakes. Humans learn by their mistakes. So admit your mistakes to your boss, get the issues resolved internally or externally and then learn from that experience rather than trying to hide the facts and mislead your own boss. If you mislead him, he will unknowingly mislead the general public.

Some of us might think that we need a rocket scientist with a law degree to perform such a task, but in reality somebody with a little bit of networking knowledge and a few network tools could perform such a task in a few minutes.

WEP cracking with Auditor and Proxim (8470-WD) card

Sunday, December 11th, 2005

Introduction:

This tutorial explains how to crack most WEP encrypted Access Points out there. The tools used will be as follows:

Airodump
Aireplay
Aircrack

As for wireless cards, I recommend any Prism, Orinoco or Atheros based card (I used the Atheros based card mentioned above).

Getting Started:

Let’s see. First you are going to want to charge your laptop to the top (aireplay and aircrack drain the battery quite a bit). Next you are going to want to load up your favourite live CD (I used Auditor final) or Linux OS, then stumble across an encrypted WLAN; use Kismet to do so.


First off you are going to want to set your wireless card to the right mode; which commands you have to use depends on the chipset:

Since my Proxim card uses madwifi, I have to place the card in pure 802.11b mode first:

iwpriv ath0 mode 2

Then change the card into monitor mode

iwconfig ath0 mode monitor

Then bring the card up

ifconfig ath0 up

Going for the kill:

Open a terminal window and fire up Airodump to sniff the packets.

airodump ath0 tocrack


OK, so now you have a stream of packets from your target. Look at the IV column: those are what are known as ‘weak key’ packets, and we want as many of them as we can get (500k+ is a nice number; the more the better). Next we are going to capture a ‘weak key’ packet from the network we are targeting and flood the Access Point with it, in the hope that it sends out lots of ‘weak key’ replies so we can eventually crack the password. So open another terminal window and execute aireplay:

aireplay -i ath0


Here aireplay grabs a few packets from the Access Point until it catches a ‘weak key’ packet; it then asks whether you want to use that packet to flood the Access Point. When it asks if it can use one of the packets, hit ‘y’ then return, but do not choose a packet with a destination address of FF:FF:FF:FF:FF:FF.


If you flick back to your terminal with airodump running, you should see the count of captured packets increase by a huge amount, and with it the IV count should be increasing pretty damn fast as well. If all went well, in about 10 mins you should have enough packets to dump into aircrack.


Run aircrack to crack the wep from the captured file.

aircrack -q 3 -f 2 tocrack.cap

What I did there was set aircrack to read my packet file called tocrack.cap (which airodump creates). If all goes well you will get the key in a few mins.
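From the defender’s side, the injection step above has a recognisable signature: aireplay re-sends one captured frame over and over, and because the 24-bit WEP IV travels in cleartext, every copy carries the same IV, whereas a station sending genuine traffic uses a fresh IV per frame. A wireless monitor can therefore flag a replay storm by counting repeats of the same (source, BSSID, IV) within a short window. The following Python is an added example, not code from the original tutorial or from the aircrack tools; the capture record layout (timestamp, source MAC, BSSID, IV, length), the MAC addresses, the traffic rates and the thresholds are all constructed for the example.

```python
from collections import defaultdict

# A captured WEP data frame reduced to the fields a monitor needs:
# (timestamp_seconds, source_mac, bssid, iv, length).  The 24-bit IV is
# transmitted in cleartext, so a replayed frame repeats the original's IV;
# a station sending genuine traffic picks a fresh IV for each frame.


def detect_replay_storm(frames, window_s=1.0, threshold=20):
    """Return one alert per (source, bssid, iv) seen more than `threshold`
    times inside a single `window_s`-second bucket.

    Each alert is a dict with the key, the window start and the count.
    The defaults are this example's assumptions; tune them to the link rate.
    """
    buckets = defaultdict(int)
    for ts, src, bssid, iv, _length in frames:
        buckets[(src, bssid, iv, int(ts // window_s))] += 1

    alerts = []
    for (src, bssid, iv, window), count in sorted(buckets.items()):
        if count > threshold:
            alerts.append({
                "src": src,
                "bssid": bssid,
                "iv": f"{iv:06x}",
                "window_start": window * window_s,
                "count": count,
            })
    return alerts


def build_sample_capture():
    """Constructed capture: two seconds of normal traffic from one station,
    then one second in which a second station replays a single frame 300 times."""
    bssid = "00:aa:bb:cc:dd:ee"          # constructed AP address
    station = "00:11:22:33:44:55"        # constructed legitimate client
    injector = "00:de:ad:be:ef:00"       # constructed replaying station
    frames = []
    # Normal traffic: ~50 frames/s, each with a distinct IV.
    for i in range(100):
        frames.append((i * 0.02, station, bssid, 0x100000 + i, 98))
    # Replay storm: the same short (ARP-sized) frame, same IV, 300 times.
    for i in range(300):
        frames.append((2.0 + i / 300, injector, bssid, 0x1000A7, 68))
    return frames


if __name__ == "__main__":
    for alert in detect_replay_storm(build_sample_capture()):
        print(f"replay storm from {alert['src']} to {alert['bssid']}: "
              f"IV {alert['iv']} repeated {alert['count']}x at t={alert['window_start']}s")
```

The normal traffic never trips the detector because each of its frames has its own IV; the replayed frame trips it in the first window it appears in. The same bucket-and-count shape works for any field that an injected frame cannot vary without re-encrypting, which is why the IV rather than the frame length is the key here.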


Happy WarDriving.

Note: some portions of the text of this article are extracted from WEP Cracking by UmInAsHoE.