Wednesday, July 10, 2019

Calculate proper length of antenna for better signal

To increase signal quality, make sure the antenna length matches the frequency you are receiving at. I've had a 20-40 dB increase in signal just by extending or retracting my antenna a couple of inches. A simple process is this:

  1. Have on hand a ruler with centimeter markings (I use a retractable tailor tape measure)
  2. Open your calculator and do 300 / your_frequency (in MHz) = wavelength
  3. wavelength / 2 = how many meters long a half-wave dipole would be. If this is too long, divide by 2 again to get the length of a quarter-wave dipole in meters.
  4. Extend the length of your antenna (I use ANT500s from my SDRs) to one of those lengths using your ruler. You should prefer half wave, but quarter wave is fine too.
For example, if I'm listening on the national calling frequency for APRS (144.390 MHz), I'd do the following:
  1. 300 / 144 = 2.08
  2. 2.08 / 2 = 1.04 (half-wave dipole length, way too long for my ANT500)
  3. 1.04 / 2 = 0.52 (quarter-wave dipole, 52 centimeters can be done easily)
  4. Measure out 52 centimeters on the tape measure and use it as a guide to extend the antenna to the proper length.

How to loopback audio from one app to another for SDR

Piping the decoded audio from one application to another can be super annoying in Linux. Fortunately there is a utility in apt that makes it dead easy (at least on Ubuntu). Simple steps:

  • apt install pavucontrol
  • start your applications (gqrx/fldigi/direwolf/whatever)
  • execute pavucontrol
  • In the "Playback" tab, make sure your "output" app is showing up and bouncing the sound meter
  • In the "Recording" tab, make sure your "receiving" app is showing up. Click the sound card button and select the "monitor" entry
  • It should start working immediately.
For FLDIGI to show up it needs to start recording from the sound card, I had to go to Configure > Sound Card > Audio > Devices > select "PortAudio" > leave capture and playback at "default"

Decoding APRS via SDR

APRS uses packet radio and FLDIGI doesn't support it for some ungodly reason. You can chain a few tools together to get the decoded output.

  1. Plug in and attach your RTLSDR, or whatever, to your VM
  2. start up GQRX, start receiving
  3. Tune to 144.390 to get an APRS signal (North American calling freq for APRS)
  4. Set the following: 
    • Filter Width: Wide
    • Filter Shape: Sharp
    • Mode: Narrow FM
    • AGC: Fast
    • set the squelch to silence the noise
  5. In the audio section, hit the "UDP" button which should start streaming the audio over UDP port 7355.
  6. In another tab: apt install direwolf
  7. direwolf -r 48000 udp:7355
You should get output like below:

Tuesday, April 2, 2019

Google/AWS/Azure IP Ranges

Google Cloud, Amazon AWS, and Microsoft Azure publish their IP ranges for their cloud platforms.

Amazon AWS:
     curl | grep 'ip_prefix' | cut -d '"' -f 4

Microsoft Azure:
     grep 'IpRange Subnet=' PublicIPs_20190401.xml | cut -d '"' -f2

Google Cloud:
DNS txt records for:
     for netblock in $(dig txt +short | tr " " "\n" | grep include | cut -f 2 -d :); do dig txt +short "$netblock"; done | tr " " "\n" | grep ip4: | cut -d ':' -f2
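The three one-liners above each pull a list of prefixes out of a different format. As an added example (not code from the post), here is the same extraction done with proper JSON, XML and SPF-token parsing, followed by the check a defender actually wants from these lists: given a source IP from a log, which cloud provider's range does it fall in? The sample documents are constructed to match the shape of each feed, the prefixes are documentation ranges rather than any provider's real address space, and the `_netblocks*.example` names stand in for the TXT record names the post's `dig` loop queries. It goes slightly beyond the post by following `include:` chains recursively and collecting `ip6:` tokens as well as `ip4:`.

```python
#!/usr/bin/env python3
"""Added example (not from the post): load the three published range formats
and answer "which cloud does this source IP belong to?"."""
import ipaddress
import json
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample documents shaped like the real feeds; the prefixes are
# documentation ranges, not any provider's actual address space.
AWS_JSON = json.dumps({"syncToken": "0", "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1", "service": "EC2"},
]})
AZURE_XML = """<AzurePublicIpAddresses>
  <Region Name="uswest"><IpRange Subnet="198.51.100.128/25" /></Region>
</AzurePublicIpAddresses>"""
# Stand-in for the TXT lookups: the post's loop resolves each include: name and
# then reads ip4: tokens; here the records live in a dict keyed by name.
GOOGLE_TXT = {
    "_netblocks.example": "v=spf1 include:_netblocks1.example include:_netblocks2.example ~all",
    "_netblocks1.example": "v=spf1 ip4:192.0.2.0/25 ip6:2001:db8::/32 ~all",
    "_netblocks2.example": "v=spf1 ip4:192.0.2.128/25 ~all",
}


def aws_prefixes(doc: str) -> List[str]:
    """Equivalent of grep 'ip_prefix' | cut -d '"' -f 4, via the JSON parser."""
    return [p["ip_prefix"] for p in json.loads(doc)["prefixes"]]


def azure_prefixes(doc: str) -> List[str]:
    """Equivalent of grep 'IpRange Subnet=' | cut -d '"' -f2, via the XML parser."""
    return [n.get("Subnet") for n in ET.fromstring(doc).iter("IpRange")]


def google_prefixes(records: Dict[str, str], name: str,
                    seen: Optional[Set[str]] = None) -> List[str]:
    """Walk include: chains recursively, collecting ip4: and ip6: tokens (the
    post's shell loop does one level and ip4 only). `seen` stops include loops."""
    seen = set() if seen is None else seen
    if name in seen or name not in records:
        return []
    seen.add(name)
    out: List[str] = []
    for token in records[name].split():
        kind, _, value = token.partition(":")
        if kind == "include":
            out.extend(google_prefixes(records, value, seen))
        elif kind in ("ip4", "ip6"):
            out.append(value)
    return out


def build_index(sources: Dict[str, Iterable[str]]):
    """Pair each parsed network with its provider label."""
    return [(ipaddress.ip_network(p, strict=False), provider)
            for provider, prefixes in sources.items() for p in prefixes]


def classify(ip: str, index) -> Optional[str]:
    """Provider of the most specific network containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, provider in index:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, provider)
    return None if best is None else best[1]


def sample_index():
    """Index built from the constructed sample documents above."""
    return build_index({
        "aws": aws_prefixes(AWS_JSON),
        "azure": azure_prefixes(AZURE_XML),
        "google": google_prefixes(GOOGLE_TXT, "_netblocks.example"),
    })


if __name__ == "__main__":
    idx = sample_index()
    for ip in ("203.0.113.7", "198.51.100.200", "2001:db8::1", "10.0.0.1"):
        print(ip, "->", classify(ip, idx))
```

Swap the constructed documents for the downloaded feeds and the same functions apply; the index is a plain list, which is fine for a few thousand prefixes but worth replacing with a radix tree if you run it over a whole day of firewall logs.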

Friday, January 18, 2019

Productivity Tactic: Fear Masked as Procrastination

I pride myself on noticing patterns in life. A particular pattern I've noticed in myself as well as in many others is this: Procrastination is pain avoidance. Now that may seem obvious in certain regards, but what definitely wasn't obvious is that procrastination is really a manifestation of fear.

Think about it - you have an idea, a great idea, an exciting idea, you start fleshing out a couple details and get confident enough to start. You're about an hour in and then you find yourself having a desire to check Twitter, or reddit, or watch youtube videos, or check the fridge, or whatever else other than doing that thing. Why?

Well I noticed those moments arise almost exclusively when I'm about to start something unknown. Something a little uncomfortable. Something that doesn't bother me consciously, but subconsciously the fear of that unknown (and ultimately the fear of potentially failing at it) takes a toll on the momentum. That's when my body steers towards the familiar, the quick doses of dopamine from Facebook feeds, videogames, youtube, or a snack. These things are nothing more than escapist tricks from tackling that unknown problem.

So how do I battle it? The first step is placing a mental breakpoint on those activities and then consciously asking myself: Am I avoiding my work? About 90% of the time the answer is yes. I then think back on the task my mind was avoiding and get a little angry at it for effectively insulting me. Making me think I couldn't tackle it. Screw you man. You don't win this one.

The next step is to start tearing the task down, piece by piece until the individual tasks are so stupid and minuscule that it's impossible to fear or be uncomfortable with them. I did this with code projects, with report writing, with finances, with everything. It's an incredibly powerful tactic I recommend to everyone.

We are animals, rational thought is not something we were made for. We must understand the causes of our motivations, our emotions, our desires, and our thoughts if we ever stand a chance at making our lives collectively better.

Socrates was right, one of the best things a person can do is know thyself.

Friday, December 21, 2018

Python - Choose a Function at Random

If you need to randomly select from a number of defined functions, this is a simple way to achieve that:

import random

def function_A(some_var):
    return("{} - A".format(some_var))

def function_B(some_var):
    return("{} - B".format(some_var))

def function_C(some_var):
    return("{} - C".format(some_var))

# Run a random function with the input of "blahblah"
# (random.choice is fine for this; for anything security-sensitive use
# secrets.choice from the standard library, which is not predictable)
random.choice([function_A, function_B, function_C])("blahblah")
# do it as many times as you'd like, and you'll get different results
random.choice([function_A, function_B, function_C])("blahblah")
random.choice([function_A, function_B, function_C])("blahblah")
random.choice([function_A, function_B, function_C])("blahblah")
random.choice([function_A, function_B, function_C])("blahblah")

Friday, December 14, 2018

SSH Port Forwards In Simpler Terms

I love SSH, I love port forwards, I love all they allow you to do. I hate my memory and all it forgets to do. I decided to write the following so I can easily recall the syntax and meaning for SSH port forwards (-L & -R).

Firstly, both use the same syntax (order of parameters doesn't matter):

ssh root@someVPS -i ~/.ssh/whateverKey -L localhost:2323:localhost:2424
ssh root@someVPS -i ~/.ssh/whateverKey -R localhost:2323:localhost:2424

Even though they are both basically From:To, they have different meanings because -L & -R have different contexts.

-L localhost:2323:localhost:2424 means:

  • Create a listening socket on my local laptop (the client) listening at localhost:2323
  • Any connection coming into that socket (on my local laptop) send over the SSH connection to the VPS's "localhost:2424" - assuming some app or something is listening on the server on 2424 so this connection is actually useful.
  • Can be more easily understood as "-L LocalContextIP:LocalPort:RemoteContextIP:RemotePort"
-R localhost:2323:localhost:2424 means the inverse:
  • Create a listening socket on the VPS at localhost:2323
  • Any connection into that socket (on the remote VPS) send over the SSH connection to the Laptop's "localhost:2424"
  • Can be more easily understood as "-R RemoteContextIP:RemotePort:LocalContextIP:LocalPort"
It's important to note that this isn't restricted to localhost. You can "bounce" connections either way just by changing the "To:" location.

Bounce a connection from my laptop to my VPS and out to google? sure
ssh root@someVPS -i ~/.ssh/whateverKey -L

Bounce a connection from my VPS to my laptop and out to google? sure
ssh root@someVPS -i ~/.ssh/whateverKey -R

-L & -R are really doing nothing more than telling you the direction that the traffic flows. -L is from client -> server and -R is from server -> client. 

I use the term "Context" here because that's really what it is. It consults the machine's IPs/Hostnames/whatever that is local to _that_ machine.

This means that if my VPS has an entry in /etc/hosts for " yoloswag" and my Laptop has an entry for " yoloswag" - they will mean different things depending on where in the command you place "yoloswag"

There, now I won't have to second guess myself every time I try to create a reverse tunnel through 8 different boxes.

Stupid SSH Trick:
So if you understood what I just wrote then you should say to yourself: "wait, doesn't that mean I can have two tunnels passing data back and forth forever?" - yes. Yes you can. And it's dumb. Here's how it works:

First, anything coming in on your laptop's localhost:3030 gets sent out to the VPS's localhost:3131:
ssh yolohax -L localhost:3030:localhost:3131
Second, anything coming into your VPS's localhost:3131 gets sent out to your laptop's localhost:3030:
ssh yolohax -R localhost:3131:localhost:3030

Go ahead and try it and watch your network usage. Once you issue your first transmission (echo infinitelooplol | ncat localhost 3030) you should get a constant 0.5-1.5 Kbps in both directions. Ctrl-C'ing it won't help because the data is stuck in the tunnel loop. You have to kill one of the tunnels for it to end.
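The two rules above (-L listens on the client and resolves the destination on the server, -R the reverse) and the "context" point about /etc/hosts are small enough to model in code. The following is an added example, not anything from the post or from OpenSSH: it parses forward specs in the bind:port:host:hostport form the post uses, resolves the destination in the context that actually connects out, and traces a connection through a set of forwards so the loop from the stupid SSH trick shows up as a revisited hop. The CLIENT/SERVER host tables and the addresses in them are constructed stand-ins for each machine's /etc/hosts.

```python
#!/usr/bin/env python3
"""Added example (not from the post): a small model of -L/-R semantics that
shows which side listens, in which context the destination is resolved, and
why the -L/-R pair from the "Stupid SSH Trick" loops."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CLIENT, SERVER = "client", "server"
Addr = Tuple[str, int]


@dataclass(frozen=True)
class Forward:
    listen_side: str    # where ssh creates the listening socket
    listen: Addr        # bind address and port, in listen_side's context
    target_side: str    # context in which host:hostport is resolved
    target: Addr


def parse_forward(flag: str, spec: str) -> Forward:
    """Parse the bind:port:host:hostport form used in the post (port:host:hostport
    is also accepted, with the bind address defaulting to localhost)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts.insert(0, "localhost")
    if len(parts) != 4:
        raise ValueError("expected [bind:]port:host:hostport, got %r" % spec)
    bind, port, host, hostport = parts
    listen, target = (bind, int(port)), (host, int(hostport))
    if flag == "-L":            # client listens, server side connects out
        return Forward(CLIENT, listen, SERVER, target)
    if flag == "-R":            # server listens, client side connects out
        return Forward(SERVER, listen, CLIENT, target)
    raise ValueError("flag must be -L or -R")


# Constructed per-machine name tables standing in for each box's /etc/hosts;
# the same name means different things on each side, as the post describes.
HOSTS: Dict[str, Dict[str, str]] = {
    CLIENT: {"localhost": "127.0.0.1", "yoloswag": "10.0.0.5"},
    SERVER: {"localhost": "127.0.0.1", "yoloswag": "192.0.2.9"},
}


def resolve_target(fwd: Forward, hosts: Dict[str, Dict[str, str]] = HOSTS) -> str:
    """Resolve the forward's destination host in the context that connects out."""
    host = fwd.target[0]
    return hosts[fwd.target_side].get(host, host)


def trace(forwards: List[Forward], side: str, addr: Addr,
          max_hops: int = 16) -> Tuple[List[Tuple[str, Addr]], bool]:
    """Follow a connection made on `side` to `addr` through matching forwards.
    Returns the path of (side, addr) hops and whether a hop repeats (a loop)."""
    path = [(side, addr)]
    seen = {(side, addr)}
    for _ in range(max_hops):
        hop: Optional[Tuple[str, Addr]] = next(
            ((f.target_side, f.target) for f in forwards
             if f.listen_side == side and f.listen == addr), None)
        if hop is None:
            return path, False          # reached a real listener, no more forwards
        path.append(hop)
        if hop in seen:
            return path, True           # back where we started: the tunnel loop
        seen.add(hop)
        side, addr = hop
    return path, True


if __name__ == "__main__":
    loop = [parse_forward("-L", "localhost:3030:localhost:3131"),
            parse_forward("-R", "localhost:3131:localhost:3030")]
    print(trace(loop, CLIENT, ("localhost", 3030)))
```

One caveat the model glosses over: for -R, sshd binds the listener to loopback by default regardless of what bind address you pass, and a non-loopback bind address only takes effect when the server's GatewayPorts option allows it, so a "bounce out from the VPS" tunnel that has to be reachable by other hosts needs that setting as well as the -R flag.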

Wednesday, November 28, 2018

Keep Track Of Your Source IP

Pentesters/red teamers often need to track their outgoing IPs so that blue teams can correlate activity and know whether an attack is scheduled activity or something else.

Below is a script that will reach out, grab your public IP, and if it's different from the last entry, enter it into a log file. I use crontab to execute it at the top of every minute.
#!/bin/bash
# This script records changes to your external IP to a log file with timestamp
# Install:
# crontab -e
# * * * * * /Users/MYUSERNAME/WHEREVER/
# And then change the iplogfileloc below to where you want the logfile to save.

# You should have an iplog.txt with contents like this:
# $ cat iplog.txt
# Wed Nov 28 12:56:40 MST 2018 --
# Wed Nov 28 13:00:07 MST 2018 --

# Change the below location to what you want (placeholder path)
iplogfileloc="$HOME/iplog.txt"

# The URL of the IP-echo service is missing from this copy of the script;
# it needs to return your address in a field named "origin" for the grep/awk below
myip=$(curl 2> /dev/null| grep origin | awk '{print $2}' | tr -d '"')

# If the lookup failed, write nothing rather than an empty entry
[ -n "${myip}" ] || exit 0

# create file if it doesn't exist
[ -f "${iplogfileloc}" ] || touch "${iplogfileloc}"

# -F matches the IP literally (the dots would otherwise be regex wildcards)
if ! tail -1 "${iplogfileloc}" | grep -F -- "${myip}" > /dev/null ; then
    # if your IP has changed, add it to the file
    echo "$(date) -- ${myip}" >> "${iplogfileloc}"
fi

Now you can change IPs via VPN or whatever and always be able to refer to it later. The only edge case is if you change IPs multiple times within one minute, but that should be rare and accounted for in sprays.
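The log only records change points, so the question the blue team will actually ask ("which IP were you coming from at 13:15?") needs a little lookup logic. This added example (not part of the post) parses the `$(date) -- ip` lines the script writes and answers that question; the sample log is constructed, with addresses from the documentation ranges rather than real source IPs, and the zone abbreviation from `date` is dropped before parsing because strptime's %Z does not reliably accept names like MST.

```python
#!/usr/bin/env python3
"""Added example (not from the post): query the iplog.txt format for the IP in
use at a given time, and turn the change points into intervals."""
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample log in the script's output format; documentation-range
# addresses, not real source IPs.
SAMPLE_LOG = """Wed Nov 28 12:56:40 MST 2018 -- 203.0.113.5
Wed Nov 28 13:00:07 MST 2018 -- 198.51.100.42
Wed Nov 28 15:30:00 MST 2018 -- 203.0.113.5
"""


def parse_iplog(text: str) -> List[Tuple[datetime, str]]:
    """Parse '<date output> -- <ip>' lines into sorted (timestamp, ip) pairs."""
    entries = []
    for line in text.splitlines():
        if " -- " not in line:
            continue                      # tolerate blank or foreign lines
        stamp, ip = line.rsplit(" -- ", 1)
        tokens = stamp.split()
        # `date` prints: Wed Nov 28 12:56:40 MST 2018; drop the zone token
        # (index 4) since strptime's %Z only accepts a few zone names.
        if len(tokens) == 6:
            del tokens[4]
        when = datetime.strptime(" ".join(tokens), "%a %b %d %H:%M:%S %Y")
        entries.append((when, ip.strip()))
    entries.sort(key=lambda e: e[0])
    return entries


def ip_active_at(entries: List[Tuple[datetime, str]], when: datetime) -> Optional[str]:
    """Latest recorded IP whose timestamp is <= `when`; None before the first
    entry. The cron job samples once a minute, so a switch and switch-back
    inside one minute is invisible here, exactly the edge case the post notes."""
    active = None
    for stamp, ip in entries:
        if stamp <= when:
            active = ip
        else:
            break
    return active


def sessions(entries: List[Tuple[datetime, str]]) -> List[Tuple[datetime, Optional[datetime], str]]:
    """Turn change points into (start, end, ip) intervals; the last end is None
    (still in use). Handy for exporting to the blue team as an allow-list."""
    out = []
    for i, (stamp, ip) in enumerate(entries):
        end = entries[i + 1][0] if i + 1 < len(entries) else None
        out.append((stamp, end, ip))
    return out


if __name__ == "__main__":
    log = parse_iplog(SAMPLE_LOG)
    print(ip_active_at(log, datetime(2018, 11, 28, 13, 15)))   # 198.51.100.42
    for start, end, ip in sessions(log):
        print(start, "->", end, ip)
```

The timestamps are kept naive on purpose: the script writes local time, and a log that spans a DST change or a laptop that moved zones needs the zone token reconciled by hand before the comparison above means anything.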

Monday, November 26, 2018

Ways to Enumerate Users

A couple of methods to identify usernames that can then be used in other areas of a pentest are below. I added as many as I could think of. I limited it to ones mostly seen from the public Internet.

Tuesday, September 18, 2018

Saner Bash Commands Inside Python

As great as Python is, sometimes the devs make really weird decisions regarding defaults. A perfect example is running shell commands inside Python 3+. For some reason they thought it was a good idea to make the subprocess "run" method _not_ capture the output from stdout or stderr by default. I find this incredibly annoying and it constantly results in me having to look up the syntax since I always forget it.

I decided to instead have this little helper function to encapsulate what I consider to be saner defaults. I decode the bytes into UTF-8 since that's the output for 99% of all bash commands.

#!/usr/bin/env python3
import subprocess

def run_cmd(cmd):
    # shell=True hands the string to /bin/sh, so never build cmd from untrusted input
    result = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    # subprocess returns bytes; decode so callers can use 'in' and string methods
    result.stdout = result.stdout.decode('utf8')
    result.stderr = result.stderr.decode('utf8')
    return result

Running that function executes whatever command you pass it (insecure, but use it appropriately) and returns an object on which you can then check the return code, stdout, and stderr.

So now, it's just:

In [25]: if 'root' in run_cmd('whoami').stdout:
   ....:             print("you are root")
you are root
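The "insecure" in the note above is the shell=True: whatever string reaches run_cmd is parsed by /bin/sh, operators included. As an added example (not the post's code), here is a companion helper with the same saner defaults but shell=False, plus a side-by-side that shows a value containing `;` staying inert as an argv element and becoming a second command when spliced into a shell string. The function names and the hostile sample value are mine.

```python
#!/usr/bin/env python3
"""Added example (not the post's code): the same saner defaults as run_cmd, but
with shell=False so an argument taken from outside cannot grow extra commands."""
import shlex
import subprocess
from typing import List, Union


def run_argv(cmd: Union[str, List[str]], timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Run a command as an argv list: text output captured, no shell involved.
    A string is split with shlex (quoting rules only, no expansion or operators)."""
    argv = shlex.split(cmd) if isinstance(cmd, str) else list(cmd)
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)


def echo_untrusted(value: str) -> str:
    """Pass a value from outside as one argv element: it is data, never syntax."""
    return run_argv(["echo", value]).stdout.rstrip("\n")


def echo_untrusted_via_shell(value: str) -> str:
    """The run_cmd pattern for contrast: the value is spliced into a command
    line that /bin/sh parses, so ';' starts a second command."""
    proc = subprocess.run("echo " + value, shell=True, capture_output=True, text=True)
    return proc.stdout.rstrip("\n")


if __name__ == "__main__":
    hostile = "hello; echo injected"                  # constructed sample input
    print(repr(echo_untrusted(hostile)))              # 'hello; echo injected'
    print(repr(echo_untrusted_via_shell(hostile)))    # 'hello\ninjected'
```

Keep run_cmd for commands you type yourself (pipes and globs are the whole reason to want a shell) and reach for run_argv whenever any part of the command line comes from a file, a web request or another tool's output; the timeout also stops a hung command from hanging your script, which the original helper has no way to do.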