Create Malicious QR Codes to Hack Phones & Other Scanners « Null Byte :: WonderHowTo
https://null-byte.wonderhowto.com/how-to/create-malicious-qr-codes-hack-phones-other-scanners-0197416/

QR codes are everywhere, from product packaging to airline boarding passes, making the scanners that read them a juicy target for hackers. Thanks to flaws in many of these proprietary scanning devices, it's possible to exploit common vulnerabilities using exploits packed into custom QR codes.

A tool called QRGen can create malicious QR codes and even encode custom-made payloads. These attacks are potent because humans can't read or understand the information contained in a QR code without scanning it, potentially exposing any device used to attempt to decipher the code to the exploit contained within. Even QR code scanners like smartphones can be vulnerable to these kinds of attacks, as QR codes were found to be

What Are QR Codes?

QR codes are machine-readable data formats that are useful for anything that needs to be scanned automatically. Before QR codes, there were several other formats called linear barcodes, which also stored data in a way that was easy for machines to read. You've probably seen a UPC barcode like the one below on products, as it's often used to identify items for sale so cashiers can scan them to enable faster checkout.

[Image: UPC barcode]

The UPC barcode, or Universal Product Code, has been in use since 1974. Its purpose is primarily in retail and encodes a series of numbers only, making it limited in application. While many different types of linear barcodes exist, they aren't able to store a lot of information. Applications like shipping and automobile manufacture required a standard that would hold more data.

2D Barcodes for More Data

The answer to the limitation of linear barcodes was 2D barcodes, which offer more storage and resistance to having physical damage affect the information contained within. Some of the first 2D codes looked like the one below, which is still widely used today.

[Image: PDF417 barcode]

PDF417 codes like above can encode text, numbers, files, and actual data bytes, and they're more resistant to errors than linear barcodes. Companies like FedEx use a combination of PDF417 and other barcodes on packing slips to automate delivery and tracking.

What Can Codes Do with More Data?

QR codes started in the automotive industry as a way to keep track of cars as they were being manufactured but quickly grew in popularity outside that industry. Similar to other 2D codes, QR codes can pack a ton of data and can even work when reduced in resolution or otherwise damaged.

[Image: QR code]

Anyone scanning the QR code on an Android device would find themselves automatically signed in to the encoded Wi-Fi network.
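
The automatic sign-in described above is the reason a scanner app should show what a code would do before acting on it. The following Python is an added example, not part of the original article or of QRGen; it assumes the code carries the common "WIFI:" text convention, and the function names and sample strings are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the common "WIFI:" text convention, WIFI:T:<auth>;S:<ssid>;P:<password>;;
# where a backslash escapes ; , : and \ inside a value.
FIELD_NAMES = {"T": "auth", "S": "ssid", "P": "password", "H": "hidden"}

def split_fields(body):
    """Split on unescaped ';' and drop the escaping backslashes."""
    parts, cur, chars = [], [], iter(body)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # escaped character is taken literally
        elif ch == ";":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def parse_wifi(decoded):
    """Return the Wi-Fi fields as a dict, or None if this is not a WIFI: payload."""
    if not decoded.startswith("WIFI:"):
        return None
    fields = {}
    for part in split_fields(decoded[5:]):
        key, sep, value = part.partition(":")
        if sep and key in FIELD_NAMES:
            fields[FIELD_NAMES[key]] = value
    return fields if "ssid" in fields else None

def preview(decoded):
    """Describe what acting on a scan would do, so the user can confirm first."""
    wifi = parse_wifi(decoded)
    if wifi is not None:
        # Replace control characters so the SSID cannot corrupt the prompt.
        ssid = "".join(c if c.isprintable() else "?" for c in wifi["ssid"])
        return f"JOIN WI-FI ssid={ssid!r} auth={wifi.get('auth') or 'nopass'}"
    if decoded.lower().startswith(("http://", "https://")):
        try:  # hostname skips any "user@" prefix, so the real destination is shown
            return f"OPEN URL host={urlsplit(decoded).hostname!r}"
        except ValueError:
            return "MALFORMED URL"
    return "PLAIN TEXT"

if __name__ == "__main__":
    # Constructed sample payloads
    for s in ("WIFI:T:WPA;S:Guest\\;Net;P:p\\:w;;", "https://user@short.example/abc", "hello"):
        print(preview(s))
```

The preview never includes the password field, and nothing is joined or opened until the caller acts on the returned description.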

To get a handle on how much data a QR code can pack, take a look at this code:

[Image: QR code and the text it encodes]

The text contained in the image is larger than the QR code itself! The capacity makes QR codes both powerful and dangerous because humans can't understand the data inside them without scanning them first.

QRGen for QR Code Hacking

Because a human can't spot a malicious QR code before actually scanning it, the relatively large payload of a QR code can work to a hacker's advantage, especially when combined with vulnerable devices. The tool we'll use today to create these is called QRGen. It will take a payload and encode it into a QR code using Python.

QRGen comes with a built-in library that contains lots of popular exploits, which is extremely useful if you have time to sit down with the same device you're looking to exploit and find out which one works. For a pentester looking to audit anything that uses a QR code scanner, merely buying the same scanner and running through the exploits can lead you to get the scanner to behave in unexpected ways.

The categories of payloads available on QRGen can be accessed by using the -l flag and a number while running the script. The number and payload type are listed below.

0: SQL Injections
1: XSS
2: Command Injection
3: Format String
4: XXE
5: String Fuzzing
6: SSI Injection
7: LFI / Directory Traversal

To create a bunch of malicious QR codes that include string fuzzing payloads, I'd just need to run QRGen.py -l 5 to create many codes for testing.

What You'll Need

To use QRGen, you'll need Python3 installed. Because it's cross-platform, it should be possible to do on any operating system. You'll also need a few Python libraries, including qrcode, Pillow, and argparse, which we'll install during the setup.

Install QRGen

To start with QRGen, we'll need to download the repository from GitHub. We'll do that by running the command below in a terminal window.

[Screenshot: terminal output of the repository download]

Once the repo finishes downloading, change (cd) into its directory and list (ls) its contents to find the requirements file.

    ~$ cd QRGen

Now, you'll need to make sure we have all the required libraries installed. To do so, we'll run the installation file with the following command.

[Screenshot: terminal output of the library installation, beginning "Collecting qrcode (from -r requirements.txt (line 1))"]

Generate Malicious QR Codes from a Payload Type

Now, you should be able to run the script by typing python qrgen.py.

[Screenshot: QRGen banner and usage text, including the option --list {0,1,2,3,4,5,6,7}, -l]

As you can see, it's pretty simple to create payloads. To start, let's create a payload containing format string payloads. To do so, run QRGen with the following argument.

[Screenshot: terminal output]

A series of QR codes will be generated, and the last one that was created will open automatically.

Encode Custom Payloads

To encode a custom payload, we can first create a text file containing what we want to encode. Each line will be a new payload. First, we can create a new text file by typing nano badstuff.txt.

In that text file, we can put our payload. The one below is a fork bomb. Will it work on a QR code scanner? Who knows. We can save it by pressing Control-X, then hit Y and Enter to confirm your save.

Now, you should see a text file containing your payload.

To write your payload to a QR code, we'll use the -w flag. Assuming your payload file is called "badstuff.txt," the command to do so should look like below (remember to change back to the QRGen directory beforehand).

    ~/QRGen$ python3 qrgen.py -w '/username/QRGen/genqr/badstuff.txt'

For my fork bomb payload, it generates the QR code below, which will pop up.

[Image: QR code]

Not All QR Codes Are Wise to Scan

QR codes can encode a lot of information, and as we've learned today, they can even be formatted to cause a device to perform actions like connecting to a Wi-Fi network. That makes scanning a QR code risky, as a person has no way of reading the information before exposing their device to whatever payload is contained inside. If you scan a QR code that seems suspicious, pay attention to what the code is attempting to launch, and do not connect to a Wi-Fi network or navigate to a link that's shortened.

While most QR codes should be safe to scan on a smartphone, scanning payloads we generated today on a device for scanning tickets or boarding passes may result in some bizarre behavior from the device.

Do not scan payloads on a scanner you need working immediately after for an event or work — or any scanner you do not have permission to test — as some of these payloads may cause the scanner to stop working.

I hope you enjoyed this guide to generating malicious QR codes to exploit scanning devices! If you have any questions about this tutorial on QR codes or you have a comment, there's the comments section below, and feel free to reach me on Twitter @KodyKinzie.
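
On the receiving side, every payload category listed for QRGen arrives as an ordinary decoded string, so the software behind a ticket or boarding-pass scanner should accept only what it expects. The following Python is an added example, not from the article or from QRGen: it assumes a hypothetical ticket ID format and a constructed SQLite table, and runs allow-list validation plus a parameterized lookup against one constructed sample string per category.

```python
import re
import sqlite3

# Hypothetical ticket format (assumption): "TKT-" plus 10 characters from A-Z / 0-9.
TICKET_RE = re.compile(r"TKT-[A-Z0-9]{10}")
MAX_LEN = 64  # reject oversized input before any other processing

def validate_scan(decoded: bytes) -> str:
    """Return the ticket ID if the decoded QR content is well formed, else raise."""
    if len(decoded) > MAX_LEN:
        raise ValueError("payload too long")
    try:
        text = decoded.decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII payload") from None
    # fullmatch anchors both ends: a valid prefix with trailing data or "\n" fails.
    if TICKET_RE.fullmatch(text) is None:
        raise ValueError("not a ticket ID")
    return text

def lookup_ticket(db, decoded: bytes):
    """Validate first, then query with a bound parameter, never string formatting."""
    try:
        ticket_id = validate_scan(decoded)
    except ValueError:
        return None
    row = db.execute("SELECT holder FROM tickets WHERE id = ?", (ticket_id,)).fetchone()
    return row[0] if row else None

def demo_db():  # constructed in-memory table standing in for the scanner's back end
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id TEXT PRIMARY KEY, holder TEXT)")
    db.execute("INSERT INTO tickets VALUES ('TKT-A1B2C3D4E5', 'Sample Holder')")
    return db

# Constructed samples: one generic string per payload category in the list above.
HOSTILE_SAMPLES = [
    b"' OR '1'='1",                                    # SQL injection
    b"<script>alert(1)</script>",                      # XSS
    b"TKT-A1B2C3D4E5; id",                             # command injection
    b"%s%s%s%n",                                       # format string
    b"<!DOCTYPE x [<!ENTITY e SYSTEM 'file:///x'>]>",  # XXE
    b"\xff\xfe" + b"A" * 500,                          # string fuzzing
    b'<!--#echo var="DATE_LOCAL" -->',                 # SSI injection
    b"../../../../etc/passwd",                         # LFI / directory traversal
]

if __name__ == "__main__":
    print([lookup_ticket(demo_db(), s) for s in [b"TKT-A1B2C3D4E5"] + HOSTILE_SAMPLES])
```

Rejected scans return None without touching the database, so a hostile code costs the scanner one failed read.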
