Hacking QR Codes with QRGen to Attack Scanning Devices [Tutorial]

00:00

QR codes are everywhere and today we'll

00:03

explore a tool that can help us hack

00:05

devices that can scan them on this

00:06

episode of cyber weapons lab

00:09

[Music]

00:15

[Applause]

00:18

[Music]

00:29

if you've been to a concert lately you

00:32

might have noticed one thing that most

00:33

of the tickets have in common and that

00:34

is QR codes now the reason that QR codes

00:38

are everywhere is because they're easy

00:40

to create they're easy to use and most

00:42

people have devices that are capable of

00:44

reading them because of this there's

00:46

also a variety of different custom tools

00:48

that things like grocery stores or

00:49

ticket scanners will use in order to

00:51

read QR codes and often these devices

00:54

will have vulnerabilities because

00:55

they're usually not updated very often

00:57

now today we're going to look at a tool

00:59

that will basically encode some popular

01:01

exploits into QR codes hoping that when

01:05

a device scans it it'll read it and then

01:07

actually execute the code now in order

01:09

to do this we'll need to have Python and

01:11

if you have any trouble setting this up

01:13

you can also check out the null byte

01:14

article linked in the description as

01:16

soon as you have a Linux system ready to

01:18

go with Python installed then we're

01:20

ready to begin today we're going to use

01:24

a tool called QR gen and this is really

01:27

interesting because there's a lot of

01:29

devices that are customized for various

01:30

applications that might be running

01:32

services that are vulnerable to various

01:34

types of attacks now this is also super

01:37

easy to install and in order to do so

01:40

you'll just need a Linux system although

01:42

I actually have not tried this on Mac OS

01:43

and it may work as well but because it's

01:46

Python I figured I would try it on Kali

01:48

Linux and lo and behold it worked the

01:49

first time without any complications

01:51

except one little quirk in the way that

01:53

this is written and that's actually the

01:55

execution script is not right that's it

01:58

says QR code pi it's QR Gen dot pi but

02:00

aside from that these instruction

02:01

instructions are actually kind of a

02:03

breeze to set up so first we are going

02:06

to copy this and in a fresh terminal

02:08

window we're going to paste the git

02:10

clone command and here it's gonna fail

02:13

because I already have this path but if

02:15

you didn't have this installed then it

02:16

would download everything in the github

02:19

directory to your folder that you're

02:22

currently in so once we CD change

02:25

directory into hue our gen we can type

02:29

LS and see all the various files that

02:31

are there

02:31

and there is a requirements text file

02:34

which is really useful because it has

02:36

all the various libraries that we'll

02:37

need to run this so if we want to do it

02:40

easily we can follow the instructions

02:42

here and use pip3 install tack

02:44

requirements text which is a easy way of

02:47

using pep 3 or if you just have pep you

02:49

can use Python 3 tack em pip install

02:52

tack our requirements text obviously the

02:54

first one is a little bit shorter so I

02:56

like it more so once we do this it

03:00

should go through and make sure we have

03:01

all the various libraries we need to use

03:03

this Python tool when it finishes

03:05

installing then we should be able to

03:06

just run it and see what happens so

03:09

again if we that's actually just still

03:11

there we can see it's QR Gen dot pi so

03:22

after running Python 3 Q our agenda PI

03:24

we can see that we can now select one of

03:27

two different options either a word list

03:29

or tock elf or a number now this is

03:33

where things get interesting because it

03:34

has a built-in list of various different

03:37

payloads that could be useful depending

03:38

on what you're going after now this

03:41

could be cross-site scripting SQL

03:43

injections or a variety of different

03:44

other things so we're going to use I

03:46

guess let's see maybe a command

03:48

injection as an example of the various

03:51

types of QR codes you can generate that

03:52

might be malicious depending on whether

03:54

or not a particular device is vulnerable

03:56

now I also want to show off the word

03:59

list feature if we want to create a new

04:01

wordlist we can say nano word list dot

04:06

text and type in a couple random

04:08

payloads these aren't real

04:22

and then I'll add another one

04:35

all right now we have our malicious code

04:38

it looks really bad we'll save it and if

04:42

I type LS again we should now see we

04:44

have our word list text so if we want to

04:47

go back up and run Python 3 QR code QR

04:51

Gen hi tak W and then requirements dot

04:56

text it should generate some QR codes

04:59

let's see-oh need to be together it

05:03

should generate some QR codes based on

05:05

the payloads that we ourselves created

05:08

and we'll test that in a little bit when

05:09

we test some of the malicious ones that

05:11

we generate as well now the next thing

05:14

we can do is actually use the tak l

05:16

option to select one of the preinstalled

05:18

lists which include a variety of

05:20

different common exploits for maybe an

05:22

unpatched service that's using SQL or

05:24

something that might be vulnerable to

05:26

something like string fuzzing now I

05:29

guess let's see we'll select number two

05:31

for command injection and we'll tie tack

05:34

L and then just - and we'll see if we

05:37

can get this to generate some malicious

05:39

QR codes for us to test now if I go to

05:43

the folder I might even be able to see

05:44

these being created and as you can see

05:48

we have a whole bunch of QR codes if the

05:50

system is creating right now and if we

05:52

go we can see there we go we have a lot

05:55

of different malicious QR codes we can

05:56

now test so this is the perfect testbed

05:59

for anyone who wants to take a device

06:01

and test it so we're gonna go ahead and

06:03

take an Android phone and see if we can

06:05

read these and if so what it actually

06:06

sees I don't expect it will be able to

06:09

actually exploit it but if we were

06:10

running something like a ticket scanner

06:11

or something at a grocery store it's

06:13

likely we would be able to induce some

06:15

strange behavior

06:17

all right so now we're going to go ahead

06:19

and test the payloads that we created

06:21

and to do that we'll use this QR code

06:24

reader and see what we can actually pull

06:26

out of the payloads and it pulls them

06:28

out rather quickly so I'm gonna have to

06:29

limit the ones that I have on screen so

06:31

it doesn't just immediately grab them so

06:33

let's go ahead and pick one of the first

06:34

ones we did and we can see that this is

06:37

QR code it actually actually wasn't able

06:40

to display all the way oh we can see the

06:44

pipe character so this is actually it

06:46

looks like it's interpreting it I

06:47

remember typing the pipe character into

06:49

the payloads that we generated and as we

06:54

read these we can see that they are

06:55

unusual or like break characters you can

07:05

see this is a trying to get it to escape

07:08

and then try to ping something so if

07:10

something has network activity this one

07:12

is trying to et Cie into a password

07:14

directory and it could display the

07:15

password to the device on the screen

07:17

this is requesting the ID of the device

07:20

so as you can see these usually consist

07:22

of something like a pipe symbol

07:24

something that is trying to get us to be

07:27

able to either access more parts of the

07:30

device that we shouldn't have access to

07:32

or actually do something that we're just

07:34

really not supposed to do and here we go

07:36

that's some really malicious looking

07:40

code that will probably get us deeper

07:43

into maybe a database or some other

07:46

thing that uses structured calls that is

07:48

an expecting a call like this and would

07:50

escape it and then attempt to run

07:52

something like this such as this dollar

07:54

sign and then in closed string Who am I

07:57

so as you can see there are a bunch of

08:00

different malicious things that we could

08:03

now run on something that we have

08:04

permission to and potentially discover a

08:06

number of different problems in the way

08:09

that this device is configured that

08:10

could allow someone with a single

08:12

malicious timaya command to get a whole

08:14

bunch of free tickets a special price on

08:16

groceries or some other thing that you

08:17

didn't intend on when you design your

08:19

system so this is a great way of making

08:22

sure that there aren't any

08:23

vulnerabilities in a QR code

08:25

implementation or if you're a pen tester

08:27

maybe find an interesting

08:29

way of exploiting something that nobody

08:31

else has thought of through a network

08:33

connected device that maybe whoa this is

08:36

a big one a network connected device

08:38

that maybe uses something like QR codes

08:43

in order to process stuff so this is I

08:45

think a really exciting project and the

08:47

more exploits you can think of the more

08:48

you can cram into this because it's

08:50

highly customizable and allows you to

08:52

create payloads for whatever you want

08:55

QR gen can create a lot of different QR

08:58

codes that may or may not be effective

09:00

against a particular device that scans

09:02

QR codes now this could be a ticket

09:05

scanner it could be a supermarket

09:06

scanner or it could be someone's cell

09:08

phone but in general it's not a great

09:10

idea to test this against something

09:11

really critical or something you don't

09:13

have permission to because depending on

09:14

the payload it could potentially disable

09:16

it or cause it to display erratic

09:18

behavior if you're at work and choose to

09:20

test this on your ticket scanner right

09:22

before a big concert you could get in a

09:24

lot of trouble so please make sure that

09:26

your permission to do so and that you're

09:27

not testing this on a critical device

09:29

that's about to be used if you have any

09:31

problems testing this you can check out

09:33

the null byte article link in the

09:34

description and you can also hit me up

09:36

on Twitter if you have any ideas for

09:37

future episodes that's all we have for

09:40

this episode of cyber weapons lab make

09:42

sure to LIKE comment and subscribe and

09:43

we'll see you next time