Create Malicious QR Codes to Hack Phones & Other Scanners « Null Byte :: WonderHowTo
Create Malicious QR Codes to Hack Phones & Other Scanners
QR codes are everywhere, from product packaging to airline boarding passes, making the
scanners that read them a juicy target for hackers. Thanks to flaws in many of these proprietary
scanning devices, it's possible to exploit common vulnerabilities using exploits packed into
custom QR codes.
A tool called QRGen can create malicious QR codes and even encode custom-made payloads.
These attacks are potent because humans can't read or understand the information contained in a
QR code without scanning it, potentially exposing any device used to attempt to decipher the code
to the exploit contained within. Even QR code scanners like smartphones can be vulnerable to
these kinds of attacks, as QR codes were found to be
https://null-byte.wonderhowto.com/how-to/create-malicious-qr-codes-hack-phones-other-scanners-0197416/
What Are QR Codes?
QR codes are machine-readable data formats that are useful for anything that needs to be
scanned automatically. Before QR codes, there were several other formats called linear barcodes,
which also stored data in a way that was easy for machines to read. You've probably seen a UPC
barcode like the one below on products, as it's often used to identify items for sale so cashiers
can scan them to enable faster checkout.
The UPC barcode, or Universal Product Code, has been in use since 1974. Its purpose is primarily
in retail and encodes a series of numbers only, making it limited in application. While many
different types of linear barcodes exist, they aren't able to store a lot of information. Applications
like shipping and automobile manufacture required a standard that would hold more data.
2D Barcodes for More Data
The answer to the limitation of linear barcodes was 2D barcodes, which offer more storage
and resistance to physical damage affecting the information contained within. Some of the first 2D
codes looked like the one below, which is still widely used today.
PDF417 codes like above can encode text, numbers, files, and actual data bytes, and they're more
resistant to errors than linear barcodes. Companies like FedEx use a combination of PDF417 and
other barcodes on packing slips to automate delivery and tracking.
What Can Codes Do with More Data?
QR codes started in the automotive industry as a way to keep track of cars as they were being
manufactured but quickly grew in popularity outside that industry. Similar to other 2D codes, QR
codes can pack a ton of data and can even work when reduced in resolution or otherwise
damaged.
Anyone scanning the QR code on an Android device would find themselves automatically signed
in to the encoded Wi-Fi network. To get a handle on how much data a QR code can pack, take a
look at this code:
[Image: a QR code shown next to the text it encodes, several paragraphs describing QR codes]
The text contained in the image is larger than the QR code itself! The capacity makes QR codes
both powerful and dangerous because humans can't understand the data inside them without
scanning them first.
QRgen for QR Code Hacking
Because a human can't spot a malicious QR code before actually scanning it, the relatively large
payload of a QR code can work to a hacker's advantage, especially when combined with
vulnerable devices. The tool we'll use today to create these is called QRGen. It will take a payload
and encode it into a QR code using Python.
QRGen comes with a built-in library that contains lots of popular exploits, which is extremely
useful if you have time to sit down with the same device you're looking to exploit and find out
which one works. For a pentester looking to audit anything that uses a QR code scanner, merely
buying the same scanner and running through the exploits can lead you to get the scanner to
behave in unexpected ways.
The categories of payloads available on QRGen can be accessed by using the -l flag and a number
while running the script. The number and payload type are listed below.
0 : SQL Injections
1 : XSS
2 : Command Injection
3 : Format String
4 : XXE
5 : String Fuzzing
6 : SSI Injection
7 : LFI / Directory Traversal
To create a bunch of malicious QR codes that include string fuzzing payloads, I'd just need to run
qrgen.py -l 5 to create many codes for testing.
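A defender's counterpart to these eight categories, as an added example (not part of QRGen or the original article): a scanner back end that logs which category a decoded string resembles, while an allow-list alone decides whether the data is processed. The regular expressions, the ticket ID format, the length limit and the sample scans are assumptions constructed for illustration, not QRGen's wordlists.

```python
import re

# Illustrative signatures, one per QRGen category (assumptions, not QRGen's wordlists).
SIGNATURES = {
    "SQL Injection": r"['\"]\s*(or|and)\s+['\"\w]+\s*=|union\s+select",
    "XSS": r"<\s*script\b|javascript:|\bon(error|load|click)\s*=",
    "Command Injection": r"[;&|`]\s*(cat|id|ls|ping|sleep|whoami)\b|\$\(",
    "Format String": r"(%[0-9$]*[snxp]){2,}",
    "XXE": r"<!\s*(doctype|entity)\b",
    "String Fuzzing": r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]",
    "SSI Injection": r"<!--\s*#\s*(exec|include|echo)\b",
    "LFI / Directory Traversal": r"(\.\.[/\\]){2,}|(%2e){2}(%2f|/)",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in SIGNATURES.items()}

# Hypothetical ticket format; a real scanner would use its own ID grammar.
TICKET_ID = re.compile(r"[A-Z]{3}-[0-9]{4}-[0-9]{6}")
MAX_LEN = 64  # assumed upper bound for any legitimate code in this deployment


def classify(decoded: str) -> list:
    """Return the categories whose signature matches (for logging/alerting)."""
    hits = [name for name, rx in COMPILED.items() if rx.search(decoded)]
    if len(decoded) > MAX_LEN and "String Fuzzing" not in hits:
        hits.append("String Fuzzing")
    return hits


def accept(decoded: str) -> bool:
    """Allow-list gate: the only check that decides whether data is processed."""
    return len(decoded) <= MAX_LEN and TICKET_ID.fullmatch(decoded) is not None


# Constructed sample scans: one valid ticket, then inputs that must be rejected.
SAMPLES = [
    "TCK-2024-000123",
    "' OR '1'='1",
    "%s%s%s%s",
    '<!--#exec cmd="id"-->',
    "../../../../etc/passwd",
    "A" * 5000,
    "TCK-2024-000123<script>",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"accept={accept(s)!s:5} hits={classify(s)} data={s[:30]!r}")
```

The signatures only label rejected input for the audit log; a payload that matches none of them is still refused unless it fits the expected ID format.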
What You'll Need
To use QRGen, you'll need Python3 installed. Because it's cross-platform, it should be possible to
do on any operating system. You'll also need a few Python libraries, including qrcode, Pillow, and
argparse, which we'll install during the setup.
~$ cd QRGen
Now, we'll need to make sure we have all the required libraries installed. To do so, we'll run the
installation file with the following command.
Collecting qrcode (from -r requirements.txt (line 1))
Generate Malicious QR Codes from a Payload Type
Now, you should be able to run the script by typing python qrgen.py.
[Screenshot: QRGen banner and usage text; the options shown include --list {0,1,2,3,4,5,6,7}, -l]
As you can see, it's pretty simple to create payloads. To start, let's create QR codes containing
format string payloads. To do so, run QRGen with the following argument.
A series of QR codes will be generated, and the last one that was created will open automatically.
Encode Custom Payloads
To encode a custom payload, we can first create a text file containing what we want to encode.
Each line will be a new payload. First, we can create a new text file by typing nano badstuff.txt.
In that text file, we can put our payload. The one below is a fork bomb. Will it work on a QR code
scanner? Who knows.
We can save it by pressing Control-X, then hit Y and Enter to confirm your save. Now, you should
see a text file containing your payload.
Hacking QR Codes with QRGen to Attack Scanning Devices [Tutorial]
Install QRGen
To start with QRGen, we'll need to download the repository from GitHub. We'll do that by running
the command below in a terminal window.
Once the repo finishes downloading, change (cd) into its directory and list (ls) its contents to find
the requirements file.
To write your payload to a QR code, we'll use the -w flag. Assuming your payload file is called
"badstuff.txt," the command to do so should look like below (remember to change back to the
QRGen directory beforehand).
~/QRGen$ python3 qrgen.py -w '/username/QRGen/genqr/badstuff.txt'
For my fork bomb payload, it generates the QR code below, which will pop up.
Not All QR Codes Are Wise to Scan
QR codes can encode a lot of information, and as we've learned today, they can even be
formatted to cause a device to perform actions like connecting to a Wi-Fi network. That makes
scanning a QR code risky, as you have no way of reading the information before exposing your
device to whatever payload is contained inside. If you scan a QR code that seems suspicious, pay
attention to what the code is attempting to launch, and do not connect to a Wi-Fi network or
navigate to a link that's shortened.
While most QR codes should be safe to scan on a smartphone, scanning payloads we generated
today on a device for scanning tickets or boarding passes may result in some bizarre behavior
from the device. Do not scan payloads on a scanner you need working immediately after for an
event or work — or any scanner you do not have permission to test — as some of these payloads
may cause the scanner to stop working.
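The advice above, turned into a check a scanning app could run before acting on a code, as an added example that is not from the original article or from QRGen: it reports what the decoded payload would make the device do and why that deserves a confirmation prompt. The `WIFI:T:..;S:..;P:..;;` layout is the widely used Wi-Fi QR convention; the shortener host list, function names and sample payloads are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed, non-exhaustive set of link-shortener hosts (example data).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}


def parse_wifi(payload: str) -> dict:
    """Parse the common 'WIFI:T:..;S:..;P:..;;' convention, honouring '\\' escapes."""
    fields = re.findall(r"([A-Z]):((?:\\.|[^;\\])*);", payload[len("WIFI:"):])
    return {key: re.sub(r"\\(.)", r"\1", value) for key, value in fields}


def preview(decoded: str) -> dict:
    """Describe what acting on a decoded payload would do, without doing it."""
    if decoded.upper().startswith("WIFI:"):
        wifi = parse_wifi(decoded)
        auth = wifi.get("T", "") or "nopass"
        warnings = ["joins a network chosen by whoever printed the code"]
        if auth.lower() in ("nopass", "wep"):
            warnings.append(f"weak or no link encryption ({auth})")
        return {"action": "join-wifi", "target": wifi.get("S", ""), "warnings": warnings}
    try:
        url = urlsplit(decoded)
        host = url.hostname or ""
        user = url.username
    except ValueError:  # malformed network location, e.g. an unbalanced '['
        return {"action": "show-text", "target": decoded[:80], "warnings": ["unparseable URL"]}
    if url.scheme.lower() in ("http", "https") and host:
        warnings = []
        if host in SHORTENERS:
            warnings.append("shortened link hides the real destination")
        if url.scheme.lower() == "http":
            warnings.append("unencrypted http")
        if user or "xn--" in host:
            warnings.append("deceptive host syntax (userinfo or punycode)")
        return {"action": "open-url", "target": host, "warnings": warnings}
    return {"action": "show-text", "target": decoded[:80], "warnings": []}


# Constructed sample payloads.
SAMPLES = ["WIFI:T:nopass;S:Free Airport WiFi;;", "https://bit.ly/3xAmPle", "Gate B12"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(preview(s))
```

The Wi-Fi password field is parsed but never included in the preview, so it does not end up in logs or on screen.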
I hope you enjoyed this guide to generating malicious QR codes to exploit scanning devices! If you
have any questions about this tutorial on QR codes or you have a comment, there's the comments
section below, and feel free to reach me on Twitter @KodyKinzie.