
Generate QR code to hack Mobile and other Scanning Devices

QR codes are everywhere, and in this article we'll explore a tool that can help us hack the devices that scan them.

If you've been to a concert lately, you might have noticed one thing that most tickets have in common: QR codes. QR codes are everywhere because they're easy to create, they're easy to use, and most people have devices that are capable of reading them. Because of this, places like grocery stores and ticket checkpoints use a variety of custom tools to read QR codes, and these devices often have vulnerabilities because they're usually not updated very often.

Introduction


Today we're going to look at a tool that encodes some popular exploits into QR codes, in the hope that a device scanning one will read it and then actually execute the code. To do this we'll need Python; if you have any trouble setting it up, you can also check out this article.

As soon as you have a Linux system ready to go with Python installed, we're ready to begin. Today we're going to use a tool called QRGen. It's really interesting because a lot of devices are customized for various applications and might be running services that are vulnerable to various types of attacks. It's also super easy to install: you'll just need a Linux system. I actually have not tried this on macOS, and it may work there as well, but because it's Python I figured I would try it on Kali Linux, and lo and behold, it worked the first time without any complications. So I highly recommend you all use Kali Linux.

Steps of Installation:-

First open a fresh terminal window and run the following:

1. git clone https://github.com/h0nus/QRGen (To clone the tool in your system)

2. cd QRGen (To get into QRgen directory)

3. ls (To see the various files loaded in QRgen Folder)


4. pip3 install -r requirements.txt or python3 -m pip install -r requirements.txt (To install the necessary requirement libraries of QRgen)


When it finishes installing then you should be able to just run it.

5. python3 qrgen.py (To start QRGen)

After running this command you should see that you can select one of two different options: -w (a wordlist) or -l (a number from the list of payload sets the tool provides).


Making QR code of the Pre-provided Payloads

Now this is where things get interesting, because it has a built-in list of different payloads that could be useful depending on what you're going after. You can use the -l option to select one of the preinstalled lists, which cover a variety of common exploits, for example for an unpatched service that's using SQL or something that might be vulnerable to string fuzzing.


Let's select number two, for command injection:

>> python3 qrgen.py -l 2 (To generate some malicious QR codes for us to test. ... You can use any option other than 2)


Now if you go to the folder, you will see that a whole bunch of malicious QR codes have been created. You can now test with them, so this is the perfect testbed for anyone who wants to take a device and test it.


Making QR code of our own Payloads

Now I also want to show off the wordlist feature, for when we want to create a new wordlist.

1. nano wordlist.txt (To open Nano Editor in Terminal)


2. Type in a couple of random payloads and, once you have completed your malicious code, save it.


Now if you type ls again you should see your wordlist.txt file.

3. Now go back up and run python3 qrgen.py -w wordlist.txt


It should generate some QR codes based on the payloads that you yourself created, and you can test them with any scanning device, including your mobile phone.
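A scanner application passes this kind of test when it treats whatever a code decodes to as untrusted input. The following is an added example, not part of QRGen or the original article: a scan handler that checks length, allowlists the format, and uses a bound SQL parameter. The ticket format `TCK-` plus 8 digits, the table layout and the function names are assumptions made for the example.

```python
import re
import sqlite3

# Assumed ticket format for this example: "TCK-" followed by exactly 8 digits.
TICKET_RE = re.compile(r"TCK-[0-9]{8}")
MAX_LEN = 64  # refuse oversized input before any further processing


def make_db():
    """In-memory database holding two constructed tickets."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id TEXT PRIMARY KEY, used INTEGER NOT NULL)")
    db.executemany("INSERT INTO tickets VALUES (?, 0)",
                   [("TCK-00000001",), ("TCK-00000002",)])
    return db


def handle_scan(db, decoded):
    """Return 'admit', 'already-used', 'unknown' or 'rejected' for one scan."""
    # 1. Type and length check first, so very long fuzzing-style input
    #    never reaches the regex or the database.
    if not isinstance(decoded, str) or len(decoded) > MAX_LEN:
        return "rejected"
    # 2. Allowlist: the whole string must match (fullmatch, not search), so
    #    quotes, semicolons, trailing newlines and padding are all refused.
    if TICKET_RE.fullmatch(decoded) is None:
        return "rejected"
    # 3. Parameterized query: the value is bound, never concatenated into SQL.
    row = db.execute("SELECT used FROM tickets WHERE id = ?", (decoded,)).fetchone()
    if row is None:
        return "unknown"
    if row[0]:
        return "already-used"
    db.execute("UPDATE tickets SET used = 1 WHERE id = ?", (decoded,))
    return "admit"


if __name__ == "__main__":
    db = make_db()
    # Constructed sample scans: a valid ticket scanned twice, an unknown ticket,
    # then input containing SQL or shell metacharacters, and an oversized string.
    samples = ["TCK-00000001", "TCK-00000001", "TCK-00000009",
               "TCK-00000001' --", "TCK-00000001; id", "A" * 5000,
               "TCK-00000002\n"]
    for s in samples:
        print(repr(s[:24]), "->", handle_scan(db, s))
```

Logging every "rejected" result together with the scanner ID gives operations a signal that someone is presenting crafted codes.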

Conclusion

QRGen can create a lot of different QR codes that may or may not be effective against a particular device that scans QR codes. That device could be a ticket scanner, a supermarket scanner, or someone's cell phone. In general it's not a great idea to test this against something really critical or something you don't have permission to test, because depending on the payload it could potentially disable the device or cause it to display erratic behavior. If you're at work and choose to test this on your ticket scanner right before a big concert, you could get in a lot of trouble, so please make sure that you have permission to do so and that you're not testing this on a critical device that's about to be used.

If you have any problems testing this you can comment below the article and you can also hit me up on INSTAGRAM.

So that's it for now, see you all in the next article.